From 037623ddecd0517abb6f9aa21565bed580e84a67 Mon Sep 17 00:00:00 2001
From: Fabio Falzoi
Date: Tue, 4 Jun 2024 11:10:44 +0200
Subject: [PATCH] egressgw: Stop CEGP parsing in case of non-empty invalid EgressIP

EgressIP field of CiliumEgressGatewayPolicy spec is optional, but if specified, it is used to SNAT egress traffic. Being an optional parameter, no error is logged in case the conversion to netip.Addr fails, and the field is silently ignored. To inform the user of the failure in setting the requested egress IP, fail the CEGP parsing in case of an invalid non-empty egress IP.

Signed-off-by: Fabio Falzoi
---
 pkg/egressgateway/policy.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/pkg/egressgateway/policy.go b/pkg/egressgateway/policy.go
index 50394a350fddc..d7671cd3303c6 100644
--- a/pkg/egressgateway/policy.go
+++ b/pkg/egressgateway/policy.go
@@ -230,12 +230,17 @@ func ParseCEGP(cegp *v2.CiliumEgressGatewayPolicy) (*PolicyConfig, error) {
 return nil, fmt.Errorf("gateway configuration can't specify both an interface and an egress IP")
 }
- // EgressIP is not a required field, ignore the error if unable to parse.
- addr, _ := netip.ParseAddr(egressGateway.EgressIP)
 policyGwc := &policyGatewayConfig{
 nodeSelector: api.NewESFromK8sLabelSelector("", egressGateway.NodeSelector),
 iface: egressGateway.Interface,
- egressIP: addr,
+ }
+ // EgressIP is not a required field, validate and parse it only if non-empty
+ if egressGateway.EgressIP != "" {
+ addr, err := netip.ParseAddr(egressGateway.EgressIP)
+ if err != nil {
+ return nil, fmt.Errorf("failed to parse egress IP %s: %w", egressGateway.EgressIP, err)
+ }
+ policyGwc.egressIP = addr
 }
 for _, cidrString := range destinationCIDRs {
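Review bot: The new check in ParseCEGP rejects only strings that `netip.ParseAddr` cannot parse, so values that parse but cannot serve as a SNAT source still pass: an unspecified address such as `0.0.0.0`, an IPv6 literal carrying a zone, or an IPv4-mapped IPv6 address. Those would again be accepted with no message to the user, which is the case this commit sets out to close; whether later gateway code rejects them is not visible in this hunk. Consider following the parse with something like `if addr.IsUnspecified() || addr.Zone() != "" { return nil, fmt.Errorf("egress IP %q is not usable as a source address", egressGateway.EgressIP) }`, plus an address-family check if the datapath handles only one family. Formatting the rejected value with `%q` instead of `%s` in the existing error would also keep whitespace or control characters from the CRD field visible and unambiguous in logs. ParseCEGP starts and ends outside the hunk.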