Merged by openshift-bot
OpenShift Bot authored on 2016/08/20 05:20:10... | ... |
@@ -92,6 +92,16 @@ func fuzzInternalObject(t *testing.T, forVersion unversioned.GroupVersion, item |
92 | 92 |
} |
93 | 93 |
} |
94 | 94 |
|
95 |
+ // TODO stop duplicating the conversion in the test. |
|
96 |
+ kubeConfig := obj.KubernetesMasterConfig |
|
97 |
+ noCloudProvider := kubeConfig != nil && (len(kubeConfig.ControllerArguments["cloud-provider"]) == 0 || kubeConfig.ControllerArguments["cloud-provider"][0] == "") |
|
98 |
+ if noCloudProvider && len(obj.NetworkConfig.IngressIPNetworkCIDR) == 0 { |
|
99 |
+ cidr := "172.46.0.0/16" |
|
100 |
+ if !(configapi.CIDRsOverlap(cidr, obj.NetworkConfig.ClusterNetworkCIDR) || configapi.CIDRsOverlap(cidr, obj.NetworkConfig.ServiceNetworkCIDR)) { |
|
101 |
+ obj.NetworkConfig.IngressIPNetworkCIDR = cidr |
|
102 |
+ } |
|
103 |
+ } |
|
104 |
+ |
|
95 | 105 |
// Historically, the clientCA was incorrectly used as the master's server cert CA bundle |
96 | 106 |
// If missing from the config, migrate the ClientCA into that field |
97 | 107 |
if obj.OAuthConfig != nil && obj.OAuthConfig.MasterCA == nil { |
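Review bot: The default `172.46.0.0/16` assigned in this hunk, and again in the addDefaultingFuncs hunk that follows, lies outside the RFC 1918 block 172.16.0.0/12 (which ends at 172.31.255.255), so it is publicly routable address space rather than a private range. If ingress IPs from this range are made reachable from nodes, in-cluster traffic meant for the real holders of those addresses could presumably end up at cluster services instead. I would choose a default inside a private range and define it once as a named constant that both the defaulting function and this fuzz test reference, with a comment such as `// default ingress IP range; must not overlap the cluster or service networks`. Both enclosing functions continue outside their hunks.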
... | ... |
@@ -73,6 +73,17 @@ func addDefaultingFuncs(scheme *runtime.Scheme) { |
73 | 73 |
} |
74 | 74 |
} |
75 | 75 |
|
76 |
+ // TODO Detect cloud provider when not using built-in kubernetes |
|
77 |
+ kubeConfig := obj.KubernetesMasterConfig |
|
78 |
+ noCloudProvider := kubeConfig != nil && (len(kubeConfig.ControllerArguments["cloud-provider"]) == 0 || kubeConfig.ControllerArguments["cloud-provider"][0] == "") |
|
79 |
+ |
|
80 |
+ if noCloudProvider && len(obj.NetworkConfig.IngressIPNetworkCIDR) == 0 { |
|
81 |
+ cidr := "172.46.0.0/16" |
|
82 |
+ if !(internal.CIDRsOverlap(cidr, obj.NetworkConfig.ClusterNetworkCIDR) || internal.CIDRsOverlap(cidr, obj.NetworkConfig.ServiceNetworkCIDR)) { |
|
83 |
+ obj.NetworkConfig.IngressIPNetworkCIDR = cidr |
|
84 |
+ } |
|
85 |
+ } |
|
86 |
+ |
|
76 | 87 |
// Historically, the clientCA was incorrectly used as the master's server cert CA bundle |
77 | 88 |
// If missing from the config, migrate the ClientCA into that field |
78 | 89 |
if obj.OAuthConfig != nil && obj.OAuthConfig.MasterCA == nil { |
... | ... |
@@ -638,37 +638,36 @@ func ValidateAdmissionPluginConfigConflicts(masterConfig *api.MasterConfig) Vali |
638 | 638 |
return validationResults |
639 | 639 |
} |
640 | 640 |
|
641 |
-func ValidateIngressIPNetworkCIDR(config *api.MasterConfig, fldPath *field.Path) field.ErrorList { |
|
642 |
- errors := field.ErrorList{} |
|
643 |
- |
|
641 |
+func ValidateIngressIPNetworkCIDR(config *api.MasterConfig, fldPath *field.Path) (errors field.ErrorList) { |
|
644 | 642 |
cidr := config.NetworkConfig.IngressIPNetworkCIDR |
645 |
- |
|
646 | 643 |
if len(cidr) == 0 { |
647 |
- return errors |
|
644 |
+ return |
|
648 | 645 |
} |
649 | 646 |
|
650 | 647 |
addError := func(errMessage string) { |
651 | 648 |
errors = append(errors, field.Invalid(fldPath, cidr, errMessage)) |
652 | 649 |
} |
653 | 650 |
|
651 |
+ _, ipNet, err := net.ParseCIDR(cidr) |
|
652 |
+ if err != nil { |
|
653 |
+ addError("must be a valid CIDR notation IP range (e.g. 172.46.0.0/16)") |
|
654 |
+ return |
|
655 |
+ } |
|
656 |
+ |
|
654 | 657 |
// TODO Detect cloud provider when not using built-in kubernetes |
655 | 658 |
kubeConfig := config.KubernetesMasterConfig |
656 | 659 |
noCloudProvider := kubeConfig != nil && (len(kubeConfig.ControllerArguments["cloud-provider"]) == 0 || kubeConfig.ControllerArguments["cloud-provider"][0] == "") |
657 | 660 |
|
658 | 661 |
if noCloudProvider { |
659 |
- if _, ipNet, err := net.ParseCIDR(cidr); err != nil || ipNet.IP.IsUnspecified() { |
|
660 |
- addError("must be a valid CIDR notation IP range (e.g. 172.30.0.0/16)") |
|
661 |
- } else { |
|
662 |
- if api.CIDRsOverlap(cidr, config.NetworkConfig.ClusterNetworkCIDR) { |
|
663 |
- addError("conflicts with cluster network CIDR") |
|
664 |
- } |
|
665 |
- if api.CIDRsOverlap(cidr, config.NetworkConfig.ServiceNetworkCIDR) { |
|
666 |
- addError("conflicts with service network CIDR") |
|
667 |
- } |
|
662 |
+ if api.CIDRsOverlap(cidr, config.NetworkConfig.ClusterNetworkCIDR) { |
|
663 |
+ addError("conflicts with cluster network CIDR") |
|
668 | 664 |
} |
669 |
- } else { |
|
665 |
+ if api.CIDRsOverlap(cidr, config.NetworkConfig.ServiceNetworkCIDR) { |
|
666 |
+ addError("conflicts with service network CIDR") |
|
667 |
+ } |
|
668 |
+ } else if !ipNet.IP.IsUnspecified() { |
|
670 | 669 |
addError("should not be provided when a cloud-provider is enabled") |
671 | 670 |
} |
672 | 671 |
|
673 |
- return errors |
|
672 |
+ return |
|
674 | 673 |
} |
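Review bot: The "disabled" sentinel in ValidateIngressIPNetworkCIDR is matched on the network address alone (`ipNet.IP.IsUnspecified()`), so any prefix length on 0.0.0.0, `0.0.0.0/0` as well as `0.0.0.0/32`, is accepted when a cloud provider is set, and nothing in the function says that an unspecified CIDR carries this meaning. I would add a doc comment on the function, e.g. `// An unspecified network address (e.g. 0.0.0.0/32) disables ingress IP allocation and is accepted with or without a cloud provider.`, and decide whether prefixes other than /32 should be rejected. The move to a named result with bare `return` also hides what is returned after `addError` has run; `return errors` at each exit would read more plainly.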
... | ... |
@@ -435,34 +435,38 @@ func TestValidateIngressIPNetworkCIDR(t *testing.T) { |
435 | 435 |
testName: "No CIDR", |
436 | 436 |
}, |
437 | 437 |
{ |
438 |
- testName: "No cloud provider and invalid cidr", |
|
438 |
+ testName: "Invalid CIDR", |
|
439 | 439 |
cidr: "foo", |
440 | 440 |
errorCount: 1, |
441 | 441 |
}, |
442 | 442 |
{ |
443 |
- testName: "No cloud provider and unspecified cidr", |
|
444 |
- cidr: "0.0.0.0/32", |
|
445 |
- errorCount: 1, |
|
446 |
- }, |
|
447 |
- { |
|
448 |
- testName: "No cloud provider and conflicting cidrs", |
|
443 |
+ testName: "No cloud provider and conflicting CIDRs", |
|
449 | 444 |
cidr: "172.16.0.0/16", |
450 | 445 |
serviceCIDR: "172.16.0.0/16", |
451 | 446 |
clusterCIDR: "172.16.0.0/16", |
452 | 447 |
errorCount: 2, |
453 | 448 |
}, |
454 | 449 |
{ |
455 |
- testName: "CIDR specified but cloud provider enabled", |
|
456 |
- cidr: "172.16.0.0/16", |
|
457 |
- cloudProvider: "foo", |
|
458 |
- errorCount: 1, |
|
450 |
+ testName: "No cloud provider and unspecified CIDR", |
|
451 |
+ cidr: "0.0.0.0/32", |
|
459 | 452 |
}, |
460 | 453 |
{ |
461 |
- testName: "No cloud provider and valid, non-conflicting cidr", |
|
454 |
+ testName: "No cloud provider and non-conflicting CIDR", |
|
462 | 455 |
cidr: "172.16.0.0/16", |
463 | 456 |
serviceCIDR: "172.17.0.0/16", |
464 | 457 |
clusterCIDR: "172.18.0.0/16", |
465 | 458 |
}, |
459 |
+ { |
|
460 |
+ testName: "Cloud provider and unspecified CIDR", |
|
461 |
+ cidr: "0.0.0.0/32", |
|
462 |
+ cloudProvider: "foo", |
|
463 |
+ }, |
|
464 |
+ { |
|
465 |
+ testName: "Cloud provider and CIDR", |
|
466 |
+ cidr: "172.16.0.0/16", |
|
467 |
+ cloudProvider: "foo", |
|
468 |
+ errorCount: 1, |
|
469 |
+ }, |
|
466 | 470 |
} |
467 | 471 |
for _, test := range testCases { |
468 | 472 |
config := &configapi.MasterConfig{ |
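Review bot: The table has no case that combines a malformed CIDR with a cloud provider, although the validation hunk now parses the CIDR before the cloud-provider branch; "Invalid CIDR" leaves `cloudProvider` unset and so only exercises the no-provider path. Adding `{testName: "Cloud provider and invalid CIDR", cidr: "foo", cloudProvider: "foo", errorCount: 1},` would pin that a parse failure is reported in both configurations. A case for `0.0.0.0/0` would also record whether an unspecified network with a prefix other than /32 counts as the disable value. The test function continues outside the hunk.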
... | ... |
@@ -5,6 +5,7 @@ import ( |
5 | 5 |
"crypto/x509" |
6 | 6 |
"errors" |
7 | 7 |
"fmt" |
8 |
+ "net" |
|
8 | 9 |
"path" |
9 | 10 |
"reflect" |
10 | 11 |
"strings" |
... | ... |
@@ -488,7 +489,10 @@ func newAdmissionChain(pluginNames []string, admissionConfigFilename string, plu |
488 | 488 |
// should have been caught with validation |
489 | 489 |
return nil, err |
490 | 490 |
} |
491 |
- allowIngressIP := len(options.NetworkConfig.IngressIPNetworkCIDR) > 0 |
|
491 |
+ allowIngressIP := false |
|
492 |
+ if _, ipNet, err := net.ParseCIDR(options.NetworkConfig.IngressIPNetworkCIDR); err == nil && !ipNet.IP.IsUnspecified() { |
|
493 |
+ allowIngressIP = true |
|
494 |
+ } |
|
492 | 495 |
plugins = append(plugins, serviceadmit.NewExternalIPRanger(reject, admit, allowIngressIP)) |
493 | 496 |
|
494 | 497 |
case serviceadmit.RestrictedEndpointsPluginName: |
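Review bot: The condition that decides whether ingress IPs are enabled is written out here (`err == nil && !ipNet.IP.IsUnspecified()`) and again, in a different form, in the RunIngressIPController hunk; if the two ever drift, the admission plugin could permit ingress IPs that no controller allocates, or the reverse. A small shared helper that takes the CIDR string and returns the parsed network plus an enabled flag would keep them in step. A parse error here also silently yields `allowIngressIP = false`; a comment such as `// empty, malformed or unspecified CIDR disables ingress IPs; malformed values are rejected by validation` would make that intent explicit. The `err` in the `if` initializer shadows the outer `err` checked just above. newAdmissionChain continues outside the hunk.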
... | ... |
@@ -531,6 +531,9 @@ func (c *MasterConfig) RunIngressIPController(client *kclient.Client) { |
531 | 531 |
// should have been caught with validation |
532 | 532 |
glog.Fatalf("Unable to start ingress ip controller: %v", err) |
533 | 533 |
} |
534 |
+ if ipNet.IP.IsUnspecified() { |
|
535 |
+ return |
|
536 |
+ } |
|
534 | 537 |
ingressIPController := ingressip.NewIngressIPController(client, ipNet, defaultIngressIPSyncPeriod) |
535 | 538 |
go ingressIPController.Run(utilwait.NeverStop) |
536 | 539 |
} |
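Review bot: The early return on `ipNet.IP.IsUnspecified()` stops the controller without any log line, so an operator reading the master log cannot tell whether the ingress IP controller was disabled by configuration or simply never started. I would add `glog.V(2).Infof("Ingress ip controller is disabled: IngressIPNetworkCIDR is unspecified")` before the `return`, together with a comment `// an unspecified CIDR (e.g. 0.0.0.0/32) disables the controller`. The start of RunIngressIPController is outside the hunk.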