-
Notifications
You must be signed in to change notification settings - Fork 363
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Except for Antrea-native ipBlock #6658
base: main
Are you sure you want to change the base?
Conversation
c840536
to
cd59fed
Compare
cc5df40
to
1153d8c
Compare
1153d8c
to
413edae
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ipNet := &group.IPNets[idx] | ||
if ipNet.Contains(ip) { | ||
for _, ipNet := range group.IPNets { | ||
if ipNet != nil && ipNet.Contains(ip) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just out-of-curiosity, is the nil
case possible here (I am not asking to change the code even if this case is not possible in theory)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Practically no. In theory there can be the case where a bad CIDR somehow got pass openAPI validation and then net.ParseCIDR
returned a nil ipNet
} | ||
return antreaIPBlock, nil | ||
} | ||
|
||
// computeEffectiveIPNetForIPBlocks calculates the list of net.IPNet CIDRs after the | ||
// "except" CIDRs are subtracted from each corresponding ipBlock. | ||
func computeEffectiveIPNetForIPBlocks(ipBlocks []crdv1beta1.IPBlock) []*net.IPNet { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this function should be unit tested independently
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done. See the latest commit
controlplaneIPNet, _ := cidrStrToIPNet(cidr) | ||
controlplaneIPNetExcept1, _ := cidrStrToIPNet(exceptCIDR1) | ||
controlplaneIPNetExcept2, _ := cidrStrToIPNet(exceptCIDR2) | ||
_, controlplaneIPNetDiff, _ := net.ParseCIDR("10.0.0.192/26") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we use a slightly more complicated case, where the computed controlplaneIPNetDiff
is not a single cidr?
I notice that the except cidrs you have are either at the very beginning or at the very end of the IP block, which means we only ever have a single resulting cidr
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've put a more extensive set of tests in crd_utils_test.go
if ipb.CIDR == "" { | ||
return "field 'cidr' is required in an ipBlock", false | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can keep this, but I assume this is guaranteed by the OpenAPI spec?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes it should already be guaranteed by openAPI, just trying to keep it on par with https://github.com/kubernetes/kubernetes/blob/master/pkg/apis/networking/validation/validation.go#L219
Signed-off-by: Dyanngg <dingyang@vmware.com>
Signed-off-by: Dyanngg <dingyang@vmware.com>
413edae
to
1a0c157
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Fixes #6428
This PR adds an "except" field for all ipBlocks in Antrea-native policies and groups. Users can exclude certain CIDRs from the ipBlock.cidr in all resources that support ipBlocks, including AntreaClusterNetworkPolicy, AntreaNetworkPolicy, ClusterGroup and Group. Group membership and IP association query logic are also updated to accommodate this change. Documentation will follow in a separate PR.