From e0a12335639cb217b6cdd570b3d326367849c072 Mon Sep 17 00:00:00 2001
From: David Cheung
Date: Fri, 10 Mar 2023 19:49:34 +0000
Subject: [PATCH] Filter pods that have out of range IP

Filter pods have IPs outside of the corresponding nodes' IP ranges.
---
 pkg/neg/syncers/utils_test.go | 161 +++++++++++++++++++++++++++++-----
 1 file changed, 140 insertions(+), 21 deletions(-)

diff --git a/pkg/neg/syncers/utils_test.go b/pkg/neg/syncers/utils_test.go
index 09047f2bb7..be33be1b4d 100644
--- a/pkg/neg/syncers/utils_test.go
+++ b/pkg/neg/syncers/utils_test.go
@@ -25,7 +25,6 @@ import (
 "github.com/GoogleCloudPlatform/k8s-cloud-provider/pkg/cloud"
 "github.com/GoogleCloudPlatform/k8s-cloud-provider/pkg/cloud/meta"
- corev1 "k8s.io/api/core/v1"
 v1 "k8s.io/api/core/v1"
 discovery "k8s.io/api/discovery/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -1203,10 +1202,14 @@ func TestToZoneNetworkEndpointMapDegradedMode(t *testing.T) {
 nodeLister := testContext.NodeInformer.GetIndexer()
 for i := 1; i <= 4; i++ {
- nodeLister.Add(&corev1.Node{
+ nodeLister.Add(&v1.Node{
 ObjectMeta: metav1.ObjectMeta{
 Name: fmt.Sprintf("instance%v", i),
 },
+ Spec: v1.NodeSpec{
+ PodCIDR: fmt.Sprintf("10.100.%v.0/24", i),
+ PodCIDRs: []string{fmt.Sprintf("200%v:db8::/48", i), fmt.Sprintf("10.100.%v.0/24", i)},
+ },
 })
 }
@@ -1345,16 +1348,20 @@ func TestValidateAndAddEndpoints(t *testing.T) {
 PodIP: "10.100.1.1",
 PodIPs: []v1.PodIP{
 {IP: "10.100.1.1"},
- {IP: "2001:db8::68"},
+ {IP: "2001:db8::2:1"},
 },
 },
 })
 nodeLister := testContext.NodeInformer.GetIndexer()
- nodeLister.Add(&corev1.Node{
+ nodeLister.Add(&v1.Node{
 ObjectMeta: metav1.ObjectMeta{
 Name: instance1,
 },
+ Spec: v1.NodeSpec{
+ PodCIDR: "10.100.1.0/24",
+ PodCIDRs: []string{"2001:db8::/48", "10.100.1.0/24"},
+ },
 })
 testCases := []struct {
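Review bot: The node fixtures added in the TestToZoneNetworkEndpointMapDegradedMode and TestValidateAndAddEndpoints hunks put the IPv6 prefix first in Spec.PodCIDRs while Spec.PodCIDR holds the IPv4 prefix, so PodCIDRs[0] does not equal PodCIDR; the NodeSpec API requires the 0th entry of podCIDRs to match podCIDR, and the fake indexer performs no validation, so these tests exercise a node shape the apiserver would reject. The TestValidatePod fixture further down repeats the same pattern. If the filtering code reads PodCIDRs in order or falls back to PodCIDR, the tests could pass on a shape that never occurs in a real cluster and miss a real ordering bug. Suggest `PodCIDRs: []string{fmt.Sprintf("10.100.%v.0/24", i), fmt.Sprintf("200%v:db8::/48", i)},` in the loop and `PodCIDRs: []string{"10.100.1.0/24", "2001:db8::/48"},` in the single-node fixtures.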
@@ -1365,11 +1372,11 @@ func TestValidateAndAddEndpoints(t *testing.T) {
 expectedPodMap negtypes.EndpointPodMap
 }{
 {
- desc: "endpoint with nodeName",
+ desc: "valid endpoint with IPv4 address",
 ep: negtypes.AddressData{
 Addresses: []string{"10.100.1.1"},
 NodeName: &instance1,
- TargetRef: &corev1.ObjectReference{
+ TargetRef: &v1.ObjectReference{
 Namespace: testNamespace,
 Name: "pod1",
 },
@@ -1379,12 +1386,32 @@ func TestValidateAndAddEndpoints(t *testing.T) {
 expectedEndpointMap: endpointMap,
 expectedPodMap: podMap,
 },
+ {
+ desc: "valid endpoint with IPv6 address",
+ ep: negtypes.AddressData{
+ Addresses: []string{"2001:db8::2:1"},
+ NodeName: &instance1,
+ TargetRef: &v1.ObjectReference{
+ Namespace: testNamespace,
+ Name: "pod1",
+ },
+ Ready: ready,
+ },
+ endpointType: negtypes.VmIpPortEndpointType,
+ expectedEndpointMap: map[string]negtypes.NetworkEndpointSet{
+ negtypes.TestZone1: negtypes.NewNetworkEndpointSet(
+ networkEndpointFromEncodedEndpoint("2001:db8::2:1||instance1||80")),
+ },
+ expectedPodMap: negtypes.EndpointPodMap{
+ networkEndpointFromEncodedEndpoint("2001:db8::2:1||instance1||80"): types.NamespacedName{Namespace: testNamespace, Name: "pod1"},
+ },
+ },
 {
 desc: "endpoint without nodeName, nodeName should be filled",
 ep: negtypes.AddressData{
 Addresses: []string{"10.100.1.1"},
 NodeName: nil,
- TargetRef: &corev1.ObjectReference{
+ TargetRef: &v1.ObjectReference{
 Namespace: testNamespace,
 Name: "pod1",
 },
@@ -1399,7 +1426,7 @@ func TestValidateAndAddEndpoints(t *testing.T) {
 ep: negtypes.AddressData{
 Addresses: []string{"10.100.1.1"},
 NodeName: &emptyNodeName,
- TargetRef: &corev1.ObjectReference{
+ TargetRef: &v1.ObjectReference{
 Namespace: testNamespace,
 Name: "pod1",
 },
@@ -1409,10 +1436,40 @@ func TestValidateAndAddEndpoints(t *testing.T) {
 expectedEndpointMap: endpointMap,
 expectedPodMap: podMap,
 },
+ {
+ desc: "endpoint with IPv4 IP address doesn't correspond to any podIP(s)",
+ ep: negtypes.AddressData{
+ Addresses: []string{"10.100.1.2"},
+ NodeName: &instance1,
+ TargetRef: &v1.ObjectReference{
+ Namespace: testNamespace,
+ Name: "pod1",
+ },
+ Ready: ready,
+ },
+ endpointType: negtypes.VmIpPortEndpointType,
+ expectedEndpointMap: map[string]negtypes.NetworkEndpointSet{},
+ expectedPodMap: negtypes.EndpointPodMap{},
+ },
+ {
+ desc: "endpoint with IPv6 IP address doesn't correspond to any podIP(s)",
+ ep: negtypes.AddressData{
+ Addresses: []string{"2001:db8::2:2"},
+ NodeName: &instance1,
+ TargetRef: &v1.ObjectReference{
+ Namespace: testNamespace,
+ Name: "pod1",
+ },
+ Ready: ready,
+ },
+ endpointType: negtypes.VmIpPortEndpointType,
+ expectedEndpointMap: map[string]negtypes.NetworkEndpointSet{},
+ expectedPodMap: negtypes.EndpointPodMap{},
+ },
 {
 desc: "Non-GCP network endpoint",
 ep: negtypes.AddressData{
- TargetRef: &corev1.ObjectReference{
+ TargetRef: &v1.ObjectReference{
 Namespace: testNamespace,
 Name: "pod1",
 },
@@ -1453,10 +1510,17 @@ func TestValidatePod(t *testing.T) {
 testNodeNonExistent := "node-non-existent"
 testContext := negtypes.NewTestContext()
 nodeLister := testContext.NodeInformer.GetIndexer()
- nodeLister.Add(&corev1.Node{
+ testPodIPv4 := "10.100.1.1"
+ testPodIPv6 := "2001:db8::2:1"
+
+ nodeLister.Add(&v1.Node{
 ObjectMeta: metav1.ObjectMeta{
 Name: instance1,
 },
+ Spec: v1.NodeSpec{
+ PodCIDR: "10.100.1.0/24",
+ PodCIDRs: []string{"2001:db8::/48", "10.100.1.0/24"},
+ },
 })
 testCases := []struct {
 desc string
@@ -1464,7 +1528,7 @@ func TestValidatePod(t *testing.T) {
 expect bool
 }{
 {
- desc: "a valid pod with phase running",
+ desc: "a valid pod with IPv4 address and phase running",
 pod: &v1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Namespace: testNamespace,
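Review bot: The TestValidatePod fixture set up in the @@ -1453 hunk always carries both an IPv4 and an IPv6 prefix, and every case added later sets only Status.PodIP, so two inputs the filter will meet in practice are not pinned: a running pod with an empty Status.PodIP, and a running pod on a node whose Spec.PodCIDR and Spec.PodCIDRs are both unset (a node with no pod range allocated). Whether those should be accepted or dropped depends on the production change, which is not in this diff, but the choice matters: accepting an unverified IP programs an endpoint for an address never checked against the node's range, while rejecting it silently removes the pod from the NEG. One case per situation with the expected bool written down would make that decision explicit and guard it against regression. Whether Status.PodIPs is also checked cannot be told from these fixtures; a case whose PodIPs entry is out of range while PodIP is in range would settle it.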
@@ -1472,24 +1536,43 @@ func TestValidatePod(t *testing.T) {
 },
 Status: v1.PodStatus{
 Phase: v1.PodRunning,
+ PodIP: testPodIPv4,
 },
- Spec: corev1.PodSpec{
+ Spec: v1.PodSpec{
 NodeName: instance1,
 },
 },
 expect: true,
 },
 {
- desc: "a terminal pod with phase failed",
+ desc: "a valid pod with IPv6 address and phase running",
 pod: &v1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Namespace: testNamespace,
 Name: "pod2",
 },
+ Status: v1.PodStatus{
+ Phase: v1.PodRunning,
+ PodIP: testPodIPv6,
+ },
+ Spec: v1.PodSpec{
+ NodeName: instance1,
+ },
+ },
+ expect: true,
+ },
+ {
+ desc: "a terminal pod with phase failed",
+ pod: &v1.Pod{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: testNamespace,
+ Name: "pod3",
+ },
 Status: v1.PodStatus{
 Phase: v1.PodFailed,
+ PodIP: testPodIPv4,
 },
- Spec: corev1.PodSpec{
+ Spec: v1.PodSpec{
 NodeName: instance1,
 },
 },
@@ -1500,12 +1583,13 @@ func TestValidatePod(t *testing.T) {
 pod: &v1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Namespace: testNamespace,
- Name: "pod3",
+ Name: "pod4",
 },
 Status: v1.PodStatus{
 Phase: v1.PodSucceeded,
+ PodIP: testPodIPv4,
 },
- Spec: corev1.PodSpec{
+ Spec: v1.PodSpec{
 NodeName: instance1,
 },
 },
@@ -1513,20 +1597,55 @@ func TestValidatePod(t *testing.T) {
 },
 {
 desc: "a pod from non-existent node",
- pod: &corev1.Pod{
+ pod: &v1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Namespace: testNamespace,
- Name: "pod4",
+ Name: "pod5",
 },
- Status: corev1.PodStatus{
- Phase: corev1.PodRunning,
+ Status: v1.PodStatus{
+ Phase: v1.PodRunning,
+ PodIP: testPodIPv4,
 },
- Spec: corev1.PodSpec{
+ Spec: v1.PodSpec{
 NodeName: testNodeNonExistent,
 },
 },
 expect: false,
 },
+ {
+ desc: "a pod with IPv4 IP adress outside of the node's allocated pod range",
+ pod: &v1.Pod{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: testNamespace,
+ Name: "pod6",
+ },
+ Status: v1.PodStatus{
+ Phase: v1.PodRunning,
+ PodIP: "10.101.1.1",
+ },
+ Spec: v1.PodSpec{
+ NodeName: instance1,
+ },
+ },
+ expect: false,
+ },
+ {
+ desc: "a pod with IPv6 IP address outside of the node's allocated pod range",
+ pod: &v1.Pod{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: testNamespace,
+ Name: "pod7",
+ },
+ Status: v1.PodStatus{
+ Phase: v1.PodRunning,
+ PodIP: "2001:db9::2:1",
+ },
+ Spec: v1.PodSpec{
+ NodeName: instance1,
+ },
+ },
+ expect: false,
+ },
 }
 for _, tc := range testCases {
 t.Run(tc.desc, func(t *testing.T) {
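Review bot: The desc string of the first added case reads `"a pod with IPv4 IP adress outside of the node's allocated pod range"`, misspelling "address"; since t.Run uses desc as the subtest name, the typo lands in test output and in any -run filter, so change it to `desc: "a pod with IPv4 IP address outside of the node's allocated pod range",`. The out-of-range addresses chosen, 10.101.1.1 against 10.100.1.0/24 and 2001:db9::2:1 against 2001:db8::/48, differ from the fixture prefix well inside the mask, so neither case probes the prefix boundary; a pod at 10.100.2.0 (the first address past 10.100.1.0/24) would show that the check is a proper prefix match rather than a looser comparison. The TestValidatePod body continues after the hunk.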