OCPBUGS-24326

[4.14] adminpolicybasedexternalroutes CR accepts an invalid IP address


      Description of problem:

      When configuring an adminpolicybasedexternalroutes policy, if we use capital letters in the policy name, a validation test fails and blocks policy creation, great:
      
      The AdminPolicyBasedExternalRoute "invalidIP" is invalid: metadata.name: Invalid value: "invalidIP": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')
      
      If we forget to populate the next-hop section, again a validation test fails and the policy isn't created, again great:
      
      $ oc apply -f 4.create.abp_static_NoHope.yaml 
      The AdminPolicyBasedExternalRoute "invalid-no-nexthope-policy" is invalid: spec.nextHops: Required value
      
      
      But if we set an invalid IP address on the next hop, no validation checks the proposed IPv4/v6 address(es). Confirming valid IP addresses is IMHO something worth adding, for the rare typos that might slip by unnoticed.
      

      Version-Release number of selected component (if applicable):

      4.14.0-0.nightly-2023-10-04-143709

      How reproducible:

      Every time

      Steps to Reproduce:

      1. Deploy a cluster 
      
      2. Try to create a static policy with an invalid IP address. It should fail, yet it doesn't mention any error, proceeding with policy creation with an invalid IP address. I tested it on IPv4 but the same thing could also happen on IPv6.
      
      $ cat 4.create.abp_static_invalidIP.yaml
      apiVersion: k8s.ovn.org/v1
      kind: AdminPolicyBasedExternalRoute
      metadata:
        name: invalidip
      spec:
      ## gateway example
        from:
          namespaceSelector:
            matchLabels:
                kubernetes.io/metadata.name: bar
        nextHops:
          static:
            - ip: "1734.20.0.8"  # <----- Invalid IP :)
      
      
      $ oc apply -f 4.create.abp_static_invalidIP.yaml 
      adminpolicybasedexternalroute.k8s.ovn.org/invalidip created  
      
      And nooooo error message/no validations, this should fail here with a user error. 
      
      
      
      [kni@provisionhost-0-0 ~]$ oc get adminpolicybasedexternalroutes.k8s.ovn.org 
      NAME        LAST UPDATE   STATUS
      invalidip                 
      [kni@provisionhost-0-0 ~]$ oc describe adminpolicybasedexternalroutes.k8s.ovn.org invalidip 
      Name:         invalidip
      Namespace:    
      Labels:       <none>
      Annotations:  <none>
      API Version:  k8s.ovn.org/v1
      Kind:         AdminPolicyBasedExternalRoute
      Metadata:
        Creation Timestamp:  2023-10-31T08:50:58Z
        Generation:          1
        Resource Version:    11128481
        UID:                 99af3e73-00dd-408b-8238-397cc9a795bc
      Spec:
        From:
          Namespace Selector:
            Match Labels:
              kubernetes.io/metadata.name:  bar
        Next Hops:
          Static:
            Bfd Enabled:  false
            Ip:           1734.20.0.8
      Events:             <none>
      
      We see above the invalid IP was consumed as-is, which is wrong; the policy shouldn't have been applied to begin with.
      
      

      Actual results:

      A policy is created despite using an invalid IP address, see above. 

      Expected results:

      Policy creation should fail, with a notification of invalid IP address, same as we get when we try an invalid policy name. 
      
      

      Additional info:

       

            jgil@redhat.com Jordi Gil
            tshefi@redhat.com Tzach Shefi
            Jean Chen Jean Chen
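
One way the check requested in this report could be expressed, as an added example that is not part of the original report and is not OVN-Kubernetes code. The `StaticHop` type, the `ValidateStaticHops` function and the `spec.nextHops.static[i].ip` field path are assumptions made for illustration, as is the choice to reject zone-scoped IPv6 addresses; the error wording imitates the API server messages quoted above.

```go
package main

import (
	"fmt"
	"net/netip"
)

// StaticHop is a hypothetical stand-in carrying only the two fields visible
// in the report's `oc describe` output; it is not the real k8s.ovn.org/v1 type.
type StaticHop struct {
	IP         string
	BFDEnabled bool
}

// ValidateStaticHops returns one message per rejected entry, keyed by an
// assumed field path so the user can see which list item to fix.
func ValidateStaticHops(hops []StaticHop) []string {
	var errs []string
	for i, h := range hops {
		path := fmt.Sprintf("spec.nextHops.static[%d].ip", i)
		// netip.ParseAddr is strict: it rejects octets above 255, leading
		// zeros, CIDR suffixes, surrounding whitespace and empty strings.
		addr, err := netip.ParseAddr(h.IP)
		switch {
		case err != nil:
			errs = append(errs, fmt.Sprintf(
				"%s: Invalid value: %q: must be a valid IPv4 or IPv6 address", path, h.IP))
		case addr.Zone() != "":
			// Assumption: a zone ("%eth0") is host-local and has no meaning
			// in a cluster-scoped policy, so it is treated as a user error.
			errs = append(errs, fmt.Sprintf(
				"%s: Invalid value: %q: zone-scoped addresses are not allowed", path, h.IP))
		}
	}
	return errs
}

func main() {
	// Constructed sample input; the first value is the one from the report.
	hops := []StaticHop{
		{IP: "1734.20.0.8"}, {IP: "172.20.0.8"}, {IP: "fd00::8"},
		{IP: "fd00::8%eth0"}, {IP: "172.20.0.08"},
	}
	for _, e := range ValidateStaticHops(hops) {
		fmt.Println(e)
	}
}
```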