github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Validate NetworkPolicy Ports 

Protocol must be "TCP", "UDP", or nil.
Integer-valued port must be 1-65535.
String-valued port must be a syntactically valid ContainerPort name.
pull/6/head
Dan Winship 2017-01-11 17:41:20 -05:00
parent 83ac613b89
commit 1f6735c518
2 changed files with 99 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
pkg/apis/extensions/validation/validation.go
View File

@ -830,6 +830,23 @@ func ValidateNetworkPolicySpec(spec *extensions.NetworkPolicySpec, fldPath *fiel
// Validate ingress rules.
for i, ingress := range spec.Ingress {
ingressPath := fldPath.Child("ingress").Index(i)
for i, port := range ingress.Ports {
portPath := ingressPath.Child("ports").Index(i)
if port.Protocol != nil && *port.Protocol != api.ProtocolTCP && *port.Protocol != api.ProtocolUDP {
allErrs = append(allErrs, field.NotSupported(portPath.Child("protocol"), *port.Protocol, []string{string(api.ProtocolTCP), string(api.ProtocolUDP)}))
}
if port.Port != nil {
if port.Port.Type == intstr.Int {
for _, msg := range validation.IsValidPortNum(int(port.Port.IntVal)) {
allErrs = append(allErrs, field.Invalid(portPath.Child("port"), port.Port.IntVal, msg))
}
} else {
for _, msg := range validation.IsValidPortName(port.Port.StrVal) {
allErrs = append(allErrs, field.Invalid(portPath.Child("port"), port.Port.StrVal, msg))
}
}
}
}
// TODO: Update From to be a pointer to slice as soon as auto-generation supports it.
for i, from := range ingress.From {
fromPath := ingressPath.Child("from").Index(i)

82
pkg/apis/extensions/validation/validation_test.go
View File

@ -2031,6 +2031,10 @@ func TestValidatePSPVolumes(t *testing.T) {
}
func TestValidateNetworkPolicy(t *testing.T) {
protocolTCP := api.ProtocolTCP
protocolUDP := api.ProtocolUDP
protocolICMP := api.Protocol("ICMP")
successCases := []extensions.NetworkPolicy{
{
ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
@ -2055,6 +2059,36 @@ func TestValidateNetworkPolicy(t *testing.T) {
},
},
},
{
ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
Spec: extensions.NetworkPolicySpec{
PodSelector: metav1.LabelSelector{
MatchLabels: map[string]string{"a": "b"},
},
Ingress: []extensions.NetworkPolicyIngressRule{
{
Ports: []extensions.NetworkPolicyPort{
{
Protocol: nil,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80},
},
{
Protocol: &protocolTCP,
Port: nil,
},
{
Protocol: &protocolTCP,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 443},
},
{
Protocol: &protocolUDP,
Port: &intstr.IntOrString{Type: intstr.String, StrVal: "dns"},
},
},
},
},
},
},
{
ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
Spec: extensions.NetworkPolicySpec{
@ -2145,6 +2179,54 @@ func TestValidateNetworkPolicy(t *testing.T) {
},
},
},
"invalid ingress.ports.protocol": {
ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
Spec: extensions.NetworkPolicySpec{
PodSelector: metav1.LabelSelector{},
Ingress: []extensions.NetworkPolicyIngressRule{
{
Ports: []extensions.NetworkPolicyPort{
{
Protocol: &protocolICMP,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80},
},
},
},
},
},
},
"invalid ingress.ports.port (int)": {
ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
Spec: extensions.NetworkPolicySpec{
PodSelector: metav1.LabelSelector{},
Ingress: []extensions.NetworkPolicyIngressRule{
{
Ports: []extensions.NetworkPolicyPort{
{
Protocol: &protocolTCP,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 123456789},
},
},
},
},
},
},
"invalid ingress.ports.port (str)": {
ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
Spec: extensions.NetworkPolicySpec{
PodSelector: metav1.LabelSelector{},
Ingress: []extensions.NetworkPolicyIngressRule{
{
Ports: []extensions.NetworkPolicyPort{
{
Protocol: &protocolTCP,
Port: &intstr.IntOrString{Type: intstr.String, StrVal: "!@#$"},
},
},
},
},
},
},
"invalid ingress.from.podSelector": {
ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
Spec: extensions.NetworkPolicySpec{