From 667dc64e79ca7b7896108e477b045f991173c5e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lucas=20K=C3=A4ldstr=C3=B6m?=
Date: Mon, 6 Feb 2017 19:34:06 +0200
Subject: [PATCH] Validate the minimum subnet cidr so there are always 10 available addresses
---
 cmd/kubeadm/app/apis/kubeadm/validation/BUILD | 1 +
 .../app/apis/kubeadm/validation/validation.go | 18 ++++++++++++++++++
 cmd/kubeadm/app/constants/constants.go | 4 ++++
 3 files changed, 23 insertions(+)
diff --git a/cmd/kubeadm/app/apis/kubeadm/validation/BUILD b/cmd/kubeadm/app/apis/kubeadm/validation/BUILD
index bbf096babf..f1cc58fe17 100644
--- a/cmd/kubeadm/app/apis/kubeadm/validation/BUILD
+++ b/cmd/kubeadm/app/apis/kubeadm/validation/BUILD
@@ -13,6 +13,7 @@ go_library(
 tags = ["automanaged"],
 deps = [
 "//cmd/kubeadm/app/apis/kubeadm:go_default_library",
+ "//cmd/kubeadm/app/constants:go_default_library",
 "//vendor:k8s.io/apimachinery/pkg/util/validation/field",
 ],
 )
diff --git a/cmd/kubeadm/app/apis/kubeadm/validation/validation.go b/cmd/kubeadm/app/apis/kubeadm/validation/validation.go
index 3de5a0c0aa..0fc7805411 100644
--- a/cmd/kubeadm/app/apis/kubeadm/validation/validation.go
+++ b/cmd/kubeadm/app/apis/kubeadm/validation/validation.go
@@ -17,13 +17,18 @@ limitations under the License.
 package validation
 import (
+ "math"
+ "net"
+
 "k8s.io/apimachinery/pkg/util/validation/field"
 "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
+ kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
 )
 func ValidateMasterConfiguration(c *kubeadm.MasterConfiguration) field.ErrorList {
 allErrs := field.ErrorList{}
 allErrs = append(allErrs, ValidateDiscovery(&c.Discovery, field.NewPath("discovery"))...)
+ allErrs = append(allErrs, ValidateDiscovery(&c.Discovery, field.NewPath("service subnet"))...)
 return allErrs
 }
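Review bot: The line added to ValidateMasterConfiguration calls `ValidateDiscovery(&c.Discovery, ...)` a second time instead of the new `ValidateServiceSubnet`, so the subnet check this patch introduces is never run. Any discovery error is also reported twice, the second time under the misleading path "service subnet". The call should pass the configured subnet string, presumably `allErrs = append(allErrs, ValidateServiceSubnet(c.Networking.ServiceSubnet, field.NewPath("service subnet"))...)`; the field holding the subnet is not visible in this patch, so confirm the name against the MasterConfiguration type. A test that feeds an undersized CIDR through ValidateMasterConfiguration would catch this.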
@@ -68,3 +73,16 @@ func ValidateTokenDiscovery(c *kubeadm.TokenDiscovery, fldPath *field.Path) fiel
 allErrs := field.ErrorList{}
 return allErrs
 }
+
+func ValidateServiceSubnet(subnet string, fldPath *field.Path) field.ErrorList {
+ _, svcSubnet, err := net.ParseCIDR(subnet)
+ if err != nil {
+ return field.ErrorList{field.Invalid(fldPath, nil, "couldn't parse the service subnet")}
+ }
+ cidrBytesMask, _ := svcSubnet.Mask.Size()
+ numAddresses := int32(math.Pow(2, float64(32-cidrBytesMask)))
+ if numAddresses < kubeadmconstants.MinimumAddressesInServiceSubnet {
+ return field.ErrorList{field.Invalid(fldPath, nil, "service subnet is too small")}
+ }
+ return field.ErrorList{}
+}
diff --git a/cmd/kubeadm/app/constants/constants.go b/cmd/kubeadm/app/constants/constants.go
index fb69147aef..b1ce960942 100644
--- a/cmd/kubeadm/app/constants/constants.go
+++ b/cmd/kubeadm/app/constants/constants.go
@@ -48,4 +48,8 @@ const (
 // APICallRetryInterval defines how long kubeadm should wait before retrying a failed API operation
 APICallRetryInterval = 500 * time.Millisecond
+
+ // Minimum amount of nodes the Service subnet should allow.
+ // We need at least ten, because the DNS service is always at the tenth cluster clusterIP
+ MinimumAddressesInServiceSubnet = 10
 )
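Review bot: The size computation in ValidateServiceSubnet hard-codes a 32-bit address length and narrows the result to int32, so it misjudges both IPv6 and very wide IPv4 prefixes. The second value returned by `Mask.Size()` is discarded, so for an IPv6 CIDR `32-cidrBytesMask` can be negative or far too small. For IPv4 prefixes of /0 or /1 the `math.Pow` result does not fit in int32, and Go leaves that conversion implementation-dependent. The check should use the address length that `Mask.Size()` reports and avoid the float round trip. Both `field.Invalid` calls also pass `nil` as the value, so the error never shows the input that was rejected; the parse branch should read `field.Invalid(fldPath, subnet, "couldn't parse the service subnet")`. The exported function also has no doc comment.

```go
func ValidateServiceSubnet(subnet string, fldPath *field.Path) field.ErrorList {
	// … unchanged: net.ParseCIDR call and its error return …
	// Size reports the prefix length and the address length (32 for IPv4, 128 for IPv6).
	ones, bits := svcSubnet.Mask.Size()
	hostBits := uint(bits - ones)
	// Shift only while the result fits in an int64; 31 or more host bits is always enough.
	if hostBits < 31 && int64(1)<<hostBits < kubeadmconstants.MinimumAddressesInServiceSubnet {
		return field.ErrorList{field.Invalid(fldPath, subnet, "service subnet is too small")}
	}
	// … unchanged: final return of an empty ErrorList …
```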
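Review bot: The comment on the new constant says "nodes", but `MinimumAddressesInServiceSubnet` is compared against an address count in validation.go, and the wording "tenth cluster clusterIP" repeats itself. As an exported name its doc comment should also start with the identifier. Suggested text: `// MinimumAddressesInServiceSubnet defines the minimum number of addresses the Service subnet must contain.` followed by `// At least ten are needed because the DNS service is always assigned the tenth clusterIP.`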