Filter pods that have out of range IP

Filter pods have IPs outside of the corresponding nodes' IP ranges.
kubernetes · Mar 15, 2023 · b37cf85 · b37cf85
1 parent 20b36a9
commit b37cf85
Showing 1 changed file with 140 additions and 21 deletions.
diff --git a/pkg/neg/syncers/utils_test.go b/pkg/neg/syncers/utils_test.go
@@ -25,7 +25,6 @@ import (
 
 	"github.com/GoogleCloudPlatform/k8s-cloud-provider/pkg/cloud"
 	"github.com/GoogleCloudPlatform/k8s-cloud-provider/pkg/cloud/meta"
-	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/api/core/v1"
 	discovery "k8s.io/api/discovery/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -1203,10 +1202,14 @@ func TestToZoneNetworkEndpointMapDegradedMode(t *testing.T) {
 
 	nodeLister := testContext.NodeInformer.GetIndexer()
 	for i := 1; i <= 4; i++ {
-		nodeLister.Add(&corev1.Node{
+		nodeLister.Add(&v1.Node{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: fmt.Sprintf("instance%v", i),
 			},
+			Spec: v1.NodeSpec{
+				PodCIDR:  fmt.Sprintf("10.100.%v.0/24", i),
+				PodCIDRs: []string{fmt.Sprintf("200%v:db8::/48", i), fmt.Sprintf("10.100.%v.0/24", i)},
+			},
 		})
 	}
 
@@ -1345,16 +1348,20 @@ func TestValidateAndAddEndpoints(t *testing.T) {
 			PodIP: "10.100.1.1",
 			PodIPs: []v1.PodIP{
 				{IP: "10.100.1.1"},
-				{IP: "2001:db8::68"},
+				{IP: "2001:db8::2:1"},
 			},
 		},
 	})
 
 	nodeLister := testContext.NodeInformer.GetIndexer()
-	nodeLister.Add(&corev1.Node{
+	nodeLister.Add(&v1.Node{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: instance1,
 		},
+		Spec: v1.NodeSpec{
+			PodCIDR:  "10.100.1.0/24",
+			PodCIDRs: []string{"2001:db8::/48", "10.100.1.0/24"},
+		},
 	})
 
 	testCases := []struct {
@@ -1365,11 +1372,11 @@ func TestValidateAndAddEndpoints(t *testing.T) {
 		expectedPodMap      negtypes.EndpointPodMap
 	}{
 		{
-			desc: "endpoint with nodeName",
+			desc: "valid endpoint with IPv4 address",
 			ep: negtypes.AddressData{
 				Addresses: []string{"10.100.1.1"},
 				NodeName:  &instance1,
-				TargetRef: &corev1.ObjectReference{
+				TargetRef: &v1.ObjectReference{
 					Namespace: testNamespace,
 					Name:      "pod1",
 				},
@@ -1379,12 +1386,32 @@ func TestValidateAndAddEndpoints(t *testing.T) {
 			expectedEndpointMap: endpointMap,
 			expectedPodMap:      podMap,
 		},
+		{
+			desc: "valid endpoint with IPv6 address",
+			ep: negtypes.AddressData{
+				Addresses: []string{"2001:db8::2:1"},
+				NodeName:  &instance1,
+				TargetRef: &v1.ObjectReference{
+					Namespace: testNamespace,
+					Name:      "pod1",
+				},
+				Ready: ready,
+			},
+			endpointType: negtypes.VmIpPortEndpointType,
+			expectedEndpointMap: map[string]negtypes.NetworkEndpointSet{
+				negtypes.TestZone1: negtypes.NewNetworkEndpointSet(
+					networkEndpointFromEncodedEndpoint("2001:db8::2:1||instance1||80")),
+			},
+			expectedPodMap: negtypes.EndpointPodMap{
+				networkEndpointFromEncodedEndpoint("2001:db8::2:1||instance1||80"): types.NamespacedName{Namespace: testNamespace, Name: "pod1"},
+			},
+		},
 		{
 			desc: "endpoint without nodeName, nodeName should be filled",
 			ep: negtypes.AddressData{
 				Addresses: []string{"10.100.1.1"},
 				NodeName:  nil,
-				TargetRef: &corev1.ObjectReference{
+				TargetRef: &v1.ObjectReference{
 					Namespace: testNamespace,
 					Name:      "pod1",
 				},
@@ -1399,7 +1426,7 @@ func TestValidateAndAddEndpoints(t *testing.T) {
 			ep: negtypes.AddressData{
 				Addresses: []string{"10.100.1.1"},
 				NodeName:  &emptyNodeName,
-				TargetRef: &corev1.ObjectReference{
+				TargetRef: &v1.ObjectReference{
 					Namespace: testNamespace,
 					Name:      "pod1",
 				},
@@ -1409,10 +1436,40 @@ func TestValidateAndAddEndpoints(t *testing.T) {
 			expectedEndpointMap: endpointMap,
 			expectedPodMap:      podMap,
 		},
+		{
+			desc: "endpoint with IPv4 IP address doesn't correspond to any podIP(s)",
+			ep: negtypes.AddressData{
+				Addresses: []string{"10.100.1.2"},
+				NodeName:  &instance1,
+				TargetRef: &v1.ObjectReference{
+					Namespace: testNamespace,
+					Name:      "pod1",
+				},
+				Ready: ready,
+			},
+			endpointType:        negtypes.VmIpPortEndpointType,
+			expectedEndpointMap: map[string]negtypes.NetworkEndpointSet{},
+			expectedPodMap:      negtypes.EndpointPodMap{},
+		},
+		{
+			desc: "endpoint with IPv6 IP address doesn't correspond to any podIP(s)",
+			ep: negtypes.AddressData{
+				Addresses: []string{"2001:db8::2:2"},
+				NodeName:  &instance1,
+				TargetRef: &v1.ObjectReference{
+					Namespace: testNamespace,
+					Name:      "pod1",
+				},
+				Ready: ready,
+			},
+			endpointType:        negtypes.VmIpPortEndpointType,
+			expectedEndpointMap: map[string]negtypes.NetworkEndpointSet{},
+			expectedPodMap:      negtypes.EndpointPodMap{},
+		},
 		{
 			desc: "Non-GCP network endpoint",
 			ep: negtypes.AddressData{
-				TargetRef: &corev1.ObjectReference{
+				TargetRef: &v1.ObjectReference{
 					Namespace: testNamespace,
 					Name:      "pod1",
 				},
@@ -1453,43 +1510,69 @@ func TestValidatePod(t *testing.T) {
 	testNodeNonExistent := "node-non-existent"
 	testContext := negtypes.NewTestContext()
 	nodeLister := testContext.NodeInformer.GetIndexer()
-	nodeLister.Add(&corev1.Node{
+	testPodIPv4 := "10.100.1.1"
+	testPodIPv6 := "2001:db8::2:1"
+
+	nodeLister.Add(&v1.Node{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: instance1,
 		},
+		Spec: v1.NodeSpec{
+			PodCIDR:  "10.100.1.0/24",
+			PodCIDRs: []string{"2001:db8::/48", "10.100.1.0/24"},
+		},
 	})
 	testCases := []struct {
 		desc   string
 		pod    *v1.Pod
 		expect bool
 	}{
 		{
-			desc: "a valid pod with phase running",
+			desc: "a valid pod with IPv4 address and phase running",
 			pod: &v1.Pod{
 				ObjectMeta: metav1.ObjectMeta{
 					Namespace: testNamespace,
 					Name:      "pod1",
 				},
 				Status: v1.PodStatus{
 					Phase: v1.PodRunning,
+					PodIP: testPodIPv4,
 				},
-				Spec: corev1.PodSpec{
+				Spec: v1.PodSpec{
 					NodeName: instance1,
 				},
 			},
 			expect: true,
 		},
 		{
-			desc: "a terminal pod with phase failed",
+			desc: "a valid pod with IPv6 address and phase running",
 			pod: &v1.Pod{
 				ObjectMeta: metav1.ObjectMeta{
 					Namespace: testNamespace,
 					Name:      "pod2",
 				},
+				Status: v1.PodStatus{
+					Phase: v1.PodRunning,
+					PodIP: testPodIPv6,
+				},
+				Spec: v1.PodSpec{
+					NodeName: instance1,
+				},
+			},
+			expect: true,
+		},
+		{
+			desc: "a terminal pod with phase failed",
+			pod: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: testNamespace,
+					Name:      "pod3",
+				},
 				Status: v1.PodStatus{
 					Phase: v1.PodFailed,
+					PodIP: testPodIPv4,
 				},
-				Spec: corev1.PodSpec{
+				Spec: v1.PodSpec{
 					NodeName: instance1,
 				},
 			},
@@ -1500,33 +1583,69 @@ func TestValidatePod(t *testing.T) {
 			pod: &v1.Pod{
 				ObjectMeta: metav1.ObjectMeta{
 					Namespace: testNamespace,
-					Name:      "pod3",
+					Name:      "pod4",
 				},
 				Status: v1.PodStatus{
 					Phase: v1.PodSucceeded,
+					PodIP: testPodIPv4,
 				},
-				Spec: corev1.PodSpec{
+				Spec: v1.PodSpec{
 					NodeName: instance1,
 				},
 			},
 			expect: false,
 		},
 		{
 			desc: "a pod from non-existent node",
-			pod: &corev1.Pod{
+			pod: &v1.Pod{
 				ObjectMeta: metav1.ObjectMeta{
 					Namespace: testNamespace,
-					Name:      "pod4",
+					Name:      "pod5",
 				},
-				Status: corev1.PodStatus{
-					Phase: corev1.PodRunning,
+				Status: v1.PodStatus{
+					Phase: v1.PodRunning,
+					PodIP: testPodIPv4,
 				},
-				Spec: corev1.PodSpec{
+				Spec: v1.PodSpec{
 					NodeName: testNodeNonExistent,
 				},
 			},
 			expect: false,
 		},
+		{
+			desc: "a pod with IPv4 IP adress outside of the node's allocated pod range",
+			pod: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: testNamespace,
+					Name:      "pod6",
+				},
+				Status: v1.PodStatus{
+					Phase: v1.PodRunning,
+					PodIP: "10.101.1.1",
+				},
+				Spec: v1.PodSpec{
+					NodeName: instance1,
+				},
+			},
+			expect: false,
+		},
+		{
+			desc: "a pod with IPv6 IP address outside of the node's allocated pod range",
+			pod: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: testNamespace,
+					Name:      "pod7",
+				},
+				Status: v1.PodStatus{
+					Phase: v1.PodRunning,
+					PodIP: "2001:db9::2:1",
+				},
+				Spec: v1.PodSpec{
+					NodeName: instance1,
+				},
+			},
+			expect: false,
+		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.desc, func(t *testing.T) {