Filter pods that have out of range IP

Filter pods have IPs outside of the corresponding nodes' IP ranges.
kubernetes · Feb 21, 2023 · 963f048 · 963f048
1 parent 66a45e6
commit 963f048
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 1 deletion.
diff --git a/pkg/neg/syncers/transaction.go b/pkg/neg/syncers/transaction.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net"
 	"net/http"
 	"strings"
 	"sync"
@@ -47,6 +48,7 @@ import (
 	svcnegclient "k8s.io/ingress-gce/pkg/svcneg/client/clientset/versioned"
 	"k8s.io/ingress-gce/pkg/utils/patch"
 	"k8s.io/klog/v2"
+	netset "k8s.io/utils/net"
 )
 
 type transactionSyncer struct {
@@ -330,6 +332,7 @@ func (s *transactionSyncer) syncInternalImpl() error {
 // 1. doesn't exist
 // 2. is in terminal state
 // 3. corresponds to a non-existent node
+// 4. have an IP that is outside of the node's allocated IP range
 func (s *transactionSyncer) isValidPod(pod *apiv1.Pod) bool {
 	// Terminal Pod means a pod is in PodFailed or PodSucceeded phase
 	if pod.Status.Phase == corev1.PodFailed || pod.Status.Phase == corev1.PodSucceeded {
@@ -339,10 +342,15 @@ func (s *transactionSyncer) isValidPod(pod *apiv1.Pod) bool {
 	if err != nil || !exists {
 		return false
 	}
-	_, isNode := obj.(*apiv1.Node)
+	node, isNode := obj.(*apiv1.Node)
 	if !isNode {
 		return false
 	}
+	_, podCIDR, err := netset.ParseCIDRSloppy(node.Spec.PodCIDR)
+	podIP := net.ParseIP(pod.Status.PodIP)
+	if !podCIDR.Contains(podIP) {
+		return false
+	}
 	return true
 }
 

diff --git a/pkg/neg/syncers/transaction_test.go b/pkg/neg/syncers/transaction_test.go
@@ -2354,10 +2354,16 @@ func TestIsValidPod(t *testing.T) {
 	_, ts := newTestTransactionSyncer(negtypes.NewAdapter(gce.NewFakeGCECloud(gce.DefaultTestClusterValues())), negtypes.VmIpPortEndpointType, false, true)
 	testNode1 := "node1"
 	testNodeNonExistent := "node-non-existent"
+	podCIDR := "192.0.2.0/24"
+	validIP := "192.0.2.1"
+	invalidIP := "192.0.3.1"
 	ts.nodeLister.Add(&corev1.Node{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: testNode1,
 		},
+		Spec: corev1.NodeSpec{
+			PodCIDR: podCIDR,
+		},
 	})
 
 	testCases := []struct {
@@ -2374,6 +2380,7 @@ func TestIsValidPod(t *testing.T) {
 				},
 				Status: corev1.PodStatus{
 					Phase: corev1.PodRunning,
+					PodIP: validIP,
 				},
 				Spec: corev1.PodSpec{
 					NodeName: testNode1,
@@ -2390,6 +2397,7 @@ func TestIsValidPod(t *testing.T) {
 				},
 				Status: corev1.PodStatus{
 					Phase: corev1.PodFailed,
+					PodIP: validIP,
 				},
 				Spec: corev1.PodSpec{
 					NodeName: testNode1,
@@ -2406,6 +2414,7 @@ func TestIsValidPod(t *testing.T) {
 				},
 				Status: corev1.PodStatus{
 					Phase: corev1.PodSucceeded,
+					PodIP: validIP,
 				},
 				Spec: corev1.PodSpec{
 					NodeName: testNode1,
@@ -2422,13 +2431,31 @@ func TestIsValidPod(t *testing.T) {
 				},
 				Status: corev1.PodStatus{
 					Phase: corev1.PodSucceeded,
+					PodIP: validIP,
 				},
 				Spec: corev1.PodSpec{
 					NodeName: testNodeNonExistent,
 				},
 			},
 			expect: false,
 		},
+		{
+			desc: "pod with IP out of node's PodCIDR range",
+			pod: &corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: testNamespace,
+					Name:      "pod5",
+				},
+				Status: corev1.PodStatus{
+					Phase: corev1.PodRunning,
+					PodIP: invalidIP,
+				},
+				Spec: corev1.PodSpec{
+					NodeName: testNode1,
+				},
+			},
+			expect: false,
+		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.desc, func(t *testing.T) {