Fix the validation of the policy's EIP format (#944)

Signed-off-by: bzsuni <[email protected]>
spidernet-io · Nov 7, 2023 · 53fbfbf · 53fbfbf
1 parent 87b1d9f
commit 53fbfbf
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 4 deletions.
diff --git a/pkg/controller/webhook/validate.go b/pkg/controller/webhook/validate.go
@@ -75,6 +75,13 @@ func validateEgressPolicy(ctx context.Context, client client.Client, req webhook
 		}
 	}
 
+	if len(egp.Spec.EgressIP.IPv4) != 0 && !isIPv4(egp.Spec.EgressIP.IPv4) {
+		return webhook.Denied("invalid ipv4 format")
+	}
+	if len(egp.Spec.EgressIP.IPv6) != 0 && !isIPv6(egp.Spec.EgressIP.IPv6) {
+		return webhook.Denied("invalid ipv6 format")
+	}
+
 	if egp.Spec.AppliedTo.PodSelector != nil && len(egp.Spec.AppliedTo.PodSelector.MatchLabels) != 0 && len(egp.Spec.AppliedTo.PodSubnet) != 0 {
 		return webhook.Denied("podSelector and podSubnet cannot be used together")
 	}
@@ -145,6 +152,13 @@ func validateEgressClusterPolicy(ctx context.Context, client client.Client, req
 		}
 	}
 
+	if len(policy.Spec.EgressIP.IPv4) != 0 && !isIPv4(policy.Spec.EgressIP.IPv4) {
+		return webhook.Denied("invalid ipv4 format")
+	}
+	if len(policy.Spec.EgressIP.IPv6) != 0 && !isIPv6(policy.Spec.EgressIP.IPv6) {
+		return webhook.Denied("invalid ipv6 format")
+	}
+
 	if (policy.Spec.AppliedTo.PodSelector != nil && len(policy.Spec.AppliedTo.PodSelector.MatchLabels) != 0) &&
 		(policy.Spec.AppliedTo.PodSubnet != nil && len(*policy.Spec.AppliedTo.PodSubnet) != 0) {
 		return webhook.Denied("podSelector and podSubnet cannot be used together")
@@ -323,3 +337,17 @@ func validateSubnet(subnet []string) webhook.AdmissionResponse {
 	}
 	return webhook.Allowed("checked")
 }
+
+func isIPv4(ip string) bool {
+	if netIP := net.ParseIP(ip); netIP != nil && netIP.To4() != nil {
+		return true
+	}
+	return false
+}
+
+func isIPv6(ip string) bool {
+	if netIP := net.ParseIP(ip); netIP != nil && netIP.To4() == nil && netIP.To16() != nil {
+		return true
+	}
+	return false
+}
diff --git a/test/e2e/egresspolicy/egresspolicy_test.go b/test/e2e/egresspolicy/egresspolicy_test.go
@@ -245,8 +245,7 @@ var _ = Describe("EgressPolicy", Ordered, func() {
 				Expect(err).NotTo(HaveOccurred())
 			}
 		},
-			// todo @bzsuni waiting for the bug be fixed
-			PEntry("should fail when the policy is set with invalid `EgressIP`", Label("P00001"), true, func(egp *egressv1.EgressPolicy) {
+			Entry("should fail when the policy is set with invalid `EgressIP`", Label("P00001"), true, func(egp *egressv1.EgressPolicy) {
 				egp.Spec.EgressGatewayName = egw.Name
 				egp.Spec.AppliedTo.PodSubnet = []string{"10.10.0.0/16"}
 				if egressConfig.EnableIPv4 {
@@ -302,8 +301,7 @@ var _ = Describe("EgressPolicy", Ordered, func() {
 				Expect(err).NotTo(HaveOccurred())
 			}
 		},
-			// todo @bzsuni waiting for the bug be fixed
-			PEntry("should fail when the cluster-policy is set with invalid `EgressIP`", Label("P00001"), true, func(egcp *egressv1.EgressClusterPolicy) {
+			Entry("should fail when the cluster-policy is set with invalid `EgressIP`", Label("P00001"), true, func(egcp *egressv1.EgressClusterPolicy) {
 				egcp.Spec.EgressGatewayName = egw.Name
 				egcp.Spec.AppliedTo.PodSubnet = &[]string{"10.10.0.0/16"}
 				if egressConfig.EnableIPv4 {