@@ -568,3 +568,15 @@ func HasKubernetesAPIVersion(config KubernetesMasterConfig, groupVersion unversi

 	enabledVersions := GetEnabledAPIVersionsForGroup(config, groupVersion.Group)

 	return sets.NewString(enabledVersions...).Has(groupVersion.Version)

 }

+

+func CIDRsOverlap(cidr1, cidr2 string) bool {

+	_, ipNet1, err := net.ParseCIDR(cidr1)

+	if err != nil {

+		return false

+	}

+	_, ipNet2, err := net.ParseCIDR(cidr2)

+	if err != nil {

+		return false

+	}

+	return ipNet1.Contains(ipNet2.IP) || ipNet2.Contains(ipNet1.IP)

+}

@@ -157,12 +157,8 @@ func ValidateMasterConfig(config *api.MasterConfig, fldPath *field.Path) Validat

 			}

 		}

 	}

-	if len(config.NetworkConfig.IngressIPNetworkCIDR) > 0 {

-		cidr := config.NetworkConfig.IngressIPNetworkCIDR

-		if _, ipNet, err := net.ParseCIDR(cidr); err != nil || ipNet.IP.IsUnspecified() {

-			validationResults.AddErrors(field.Invalid(fldPath.Child("networkConfig", "ingressIPNetworkCIDR").Index(0), cidr, "must be a valid CIDR notation IP range (e.g. 172.30.0.0/16)"))

-		}

-	}

+

+	validationResults.AddErrors(ValidateIngressIPNetworkCIDR(config, fldPath.Child("networkConfig", "ingressIPNetworkCIDR").Index(0))...)

 	validationResults.AddErrors(ValidateKubeConfig(config.MasterClients.OpenShiftLoopbackKubeConfig, fldPath.Child("masterClients", "openShiftLoopbackKubeConfig"))...)

@@ -641,3 +637,38 @@ func ValidateAdmissionPluginConfigConflicts(masterConfig *api.MasterConfig) Vali

 	return validationResults

 }

+

+func ValidateIngressIPNetworkCIDR(config *api.MasterConfig, fldPath *field.Path) field.ErrorList {

+	errors := field.ErrorList{}

+

+	cidr := config.NetworkConfig.IngressIPNetworkCIDR

+

+	if len(cidr) == 0 {

+		return errors

+	}

+

+	addError := func(errMessage string) {

+		errors = append(errors, field.Invalid(fldPath, cidr, errMessage))

+	}

+

+	// TODO Detect cloud provider when not using built-in kubernetes

+	kubeConfig := config.KubernetesMasterConfig

+	noCloudProvider := kubeConfig != nil && (len(kubeConfig.ControllerArguments["cloud-provider"]) == 0 || kubeConfig.ControllerArguments["cloud-provider"][0] == "")

+

+	if noCloudProvider {

+		if _, ipNet, err := net.ParseCIDR(cidr); err != nil || ipNet.IP.IsUnspecified() {

+			addError("must be a valid CIDR notation IP range (e.g. 172.30.0.0/16)")

+		} else {

+			if api.CIDRsOverlap(cidr, config.NetworkConfig.ClusterNetworkCIDR) {

+				addError("conflicts with cluster network CIDR")

+			}

+			if api.CIDRsOverlap(cidr, config.NetworkConfig.ServiceNetworkCIDR) {

+				addError("conflicts with service network CIDR")

+			}

+		}

+	} else {

+		addError("should not be provided when a cloud-provider is enabled")

+	}

+

+	return errors

+}

@@ -421,3 +421,66 @@ func TestValidateAdmissionPluginConfigConflicts(t *testing.T) {

 		}

 	}

 }

+

+func TestValidateIngressIPNetworkCIDR(t *testing.T) {

+	testCases := []struct {

+		testName      string

+		cidr          string

+		serviceCIDR   string

+		clusterCIDR   string

+		cloudProvider string

+		errorCount    int

+	}{

+		{

+			testName: "No CIDR",

+		},

+		{

+			testName:   "No cloud provider and invalid cidr",

+			cidr:       "foo",

+			errorCount: 1,

+		},

+		{

+			testName:   "No cloud provider and unspecified cidr",

+			cidr:       "0.0.0.0/32",

+			errorCount: 1,

+		},

+		{

+			testName:    "No cloud provider and conflicting cidrs",

+			cidr:        "172.16.0.0/16",

+			serviceCIDR: "172.16.0.0/16",

+			clusterCIDR: "172.16.0.0/16",

+			errorCount:  2,

+		},

+		{

+			testName:      "CIDR specified but cloud provider enabled",

+			cidr:          "172.16.0.0/16",

+			cloudProvider: "foo",

+			errorCount:    1,

+		},

+		{

+			testName:    "No cloud provider and valid, non-conflicting cidr",

+			cidr:        "172.16.0.0/16",

+			serviceCIDR: "172.17.0.0/16",

+			clusterCIDR: "172.18.0.0/16",

+		},

+	}

+	for _, test := range testCases {

+		config := &configapi.MasterConfig{

+			KubernetesMasterConfig: &configapi.KubernetesMasterConfig{

+				ControllerArguments: configapi.ExtendedArguments{

+					"cloud-provider": []string{test.cloudProvider},

+				},

+			},

+			NetworkConfig: configapi.MasterNetworkConfig{

+				IngressIPNetworkCIDR: test.cidr,

+				ServiceNetworkCIDR:   test.serviceCIDR,

+				ClusterNetworkCIDR:   test.clusterCIDR,

+			},

+		}

+		errors := ValidateIngressIPNetworkCIDR(config, nil)

+		errorCount := len(errors)

+		if test.errorCount != errorCount {

+			t.Errorf("%s: expected %d errors, got %d", test.testName, test.errorCount, errorCount)

+		}

+	}

+}

@@ -482,7 +482,6 @@ func newAdmissionChain(pluginNames []string, admissionConfigFilename string, plu

 				// should have been caught with validation

 				return nil, err

 			}

-			// TODO need to disallow if a cloud provider is configured

 			allowIngressIP := len(options.NetworkConfig.IngressIPNetworkCIDR) > 0

 			plugins = append(plugins, serviceadmit.NewExternalIPRanger(reject, admit, allowIngressIP))

@@ -530,7 +530,6 @@ func (c *MasterConfig) RunClusterQuotaReconciliationController() {

 // RunIngressIPController starts the ingress ip controller if IngressIPNetworkCIDR is configured.

 func (c *MasterConfig) RunIngressIPController(client *kclient.Client) {

-	// TODO need to disallow if a cloud provider is configured

 	if len(c.Options.NetworkConfig.IngressIPNetworkCIDR) == 0 {

 		return

 	}