Add Except for Antrea-native ipBlock #6658
Conversation
Dyanngg
force-pushed
the
add-ipblock-except-antrea
branch
4 times, most recently
from
c840536
to
cd59fed
Compare
Dyanngg
changed the title
Dyanngg
force-pushed
the
add-ipblock-except-antrea
branch
2 times, most recently
from
cc5df40
to
1153d8c
Compare
Dyanngg
force-pushed
the
add-ipblock-except-antrea
branch
from
1153d8c
to
413edae
Compare
antoninbas
added
action/release-note
| ipNet := &group.IPNets[idx] | ||
| if ipNet.Contains(ip) { | ||
| for _, ipNet := range group.IPNets { | ||
| if ipNet != nil && ipNet.Contains(ip) { |
There was a problem hiding this comment.
just out-of-curiosity, is the nil case possible here (I am not asking to change the code even if this case is not possible in theory)?
There was a problem hiding this comment.
Practically no. In theory there can be the case where a bad CIDR somehow got pass openAPI validation and then net.ParseCIDR returned a nil ipNet
| } | ||
| return antreaIPBlock, nil | ||
| } | ||
|
|
||
| // computeEffectiveIPNetForIPBlocks calculates the list of net.IPNet CIDRs after the | ||
| // "except" CIDRs are subtracted from each corresponding ipBlock. | ||
| func computeEffectiveIPNetForIPBlocks(ipBlocks []crdv1beta1.IPBlock) []*net.IPNet { |
There was a problem hiding this comment.
this function should be unit tested independently
There was a problem hiding this comment.
Done. See the latest commit
| controlplaneIPNet, _ := cidrStrToIPNet(cidr) | ||
| controlplaneIPNetExcept1, _ := cidrStrToIPNet(exceptCIDR1) | ||
| controlplaneIPNetExcept2, _ := cidrStrToIPNet(exceptCIDR2) | ||
| _, controlplaneIPNetDiff, _ := net.ParseCIDR("10.0.0.192/26") |
There was a problem hiding this comment.
can we use a slightly more complicated case, where the computed controlplaneIPNetDiff is not a single cidr?
I notice that the except cidrs you have are either at the very beginning or at the very end of the IP block, which means we only ever have a single resulting cidr
There was a problem hiding this comment.
I've put a more extensive set of tests in crd_utils_test.go
| if ipb.CIDR == "" { | ||
| return "field 'cidr' is required in an ipBlock", false | ||
| } |
There was a problem hiding this comment.
We can keep this, but I assume this is guaranteed by the OpenAPI spec?
There was a problem hiding this comment.
Yes it should already be guaranteed by openAPI, just trying to keep it on par with https://github.com/kubernetes/kubernetes/blob/master/pkg/apis/networking/validation/validation.go#L219
Signed-off-by: Dyanngg <dingyang@vmware.com>
Signed-off-by: Dyanngg <dingyang@vmware.com>
Dyanngg
force-pushed
the
add-ipblock-except-antrea
branch
from
413edae
to
1a0c157
Compare
Fixes #6428
This PR adds an "except" field for all ipBlocks in Antrea-native policies and groups. Users can exclude certain CIDRs from the ipBlock.cidr in all resources that support ipBlocks, including AntreaClusterNetworkPolicy, AntreaNetworkPolicy, ClusterGroup and Group. Group membership and IP association query logic are also updated to accommodate this change. Documentation will follow in a separate PR.