validation.go

Documentation: k8s.io/kubernetes/cmd/kube-apiserver/app/options

     1  /*
     2  Copyright 2014 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package options
    18  
    19  import (
    20  	"errors"
    21  	"fmt"
    22  	"net"
    23  	"strings"
    24  
    25  	genericoptions "k8s.io/apiserver/pkg/server/options"
    26  	utilfeature "k8s.io/apiserver/pkg/util/feature"
    27  	netutils "k8s.io/utils/net"
    28  
    29  	controlplaneapiserver "k8s.io/kubernetes/pkg/controlplane/apiserver/options"
    30  	"k8s.io/kubernetes/pkg/controlplane/reconcilers"
    31  	"k8s.io/kubernetes/pkg/features"
    32  )
    33  
    34  // TODO: Longer term we should read this from some config store, rather than a flag.
    35  // validateClusterIPFlags is expected to be called after Complete()
    36  func validateClusterIPFlags(options Extra) []error {
    37  	var errs []error
    38  	// maxCIDRBits is used to define the maximum CIDR size for the cluster ip(s)
    39  	maxCIDRBits := 20
    40  
    41  	// validate that primary has been processed by user provided values or it has been defaulted
    42  	if options.PrimaryServiceClusterIPRange.IP == nil {
    43  		errs = append(errs, errors.New("--service-cluster-ip-range must contain at least one valid cidr"))
    44  	}
    45  
    46  	serviceClusterIPRangeList := strings.Split(options.ServiceClusterIPRanges, ",")
    47  	if len(serviceClusterIPRangeList) > 2 {
    48  		errs = append(errs, errors.New("--service-cluster-ip-range must not contain more than two entries"))
    49  	}
    50  
    51  	// Complete() expected to have set Primary* and Secondary
    52  	if !utilfeature.DefaultFeatureGate.Enabled(features.MultiCIDRServiceAllocator) {
    53  		// primary CIDR validation
    54  		if err := validateMaxCIDRRange(options.PrimaryServiceClusterIPRange, maxCIDRBits, "--service-cluster-ip-range"); err != nil {
    55  			errs = append(errs, err)
    56  		}
    57  	}
    58  
    59  	secondaryServiceClusterIPRangeUsed := (options.SecondaryServiceClusterIPRange.IP != nil)
    60  	// note: While the cluster might be dualstack (i.e. pods with multiple IPs), the user may choose
    61  	// to only ingress traffic within and into the cluster on one IP family only. this family is decided
    62  	// by the range set on --service-cluster-ip-range. If/when the user decides to use dual stack services
    63  	// the Secondary* must be of different IPFamily than --service-cluster-ip-range
    64  	if secondaryServiceClusterIPRangeUsed {
    65  		// Should be dualstack IPFamily(PrimaryServiceClusterIPRange) != IPFamily(SecondaryServiceClusterIPRange)
    66  		dualstack, err := netutils.IsDualStackCIDRs([]*net.IPNet{&options.PrimaryServiceClusterIPRange, &options.SecondaryServiceClusterIPRange})
    67  		if err != nil {
    68  			errs = append(errs, fmt.Errorf("error attempting to validate dualstack for --service-cluster-ip-range value error:%v", err))
    69  		}
    70  
    71  		if !dualstack {
    72  			errs = append(errs, errors.New("--service-cluster-ip-range[0] and --service-cluster-ip-range[1] must be of different IP family"))
    73  		}
    74  		if !utilfeature.DefaultFeatureGate.Enabled(features.MultiCIDRServiceAllocator) {
    75  			if err := validateMaxCIDRRange(options.SecondaryServiceClusterIPRange, maxCIDRBits, "--service-cluster-ip-range[1]"); err != nil {
    76  				errs = append(errs, err)
    77  			}
    78  		}
    79  	}
    80  
    81  	return errs
    82  }
    83  
    84  func validateMaxCIDRRange(cidr net.IPNet, maxCIDRBits int, cidrFlag string) error {
    85  	// Should be smallish sized cidr, this thing is kept in etcd
    86  	// bigger cidr (specially those offered by IPv6) will add no value
    87  	// significantly increase snapshotting time.
    88  	var ones, bits = cidr.Mask.Size()
    89  	if bits-ones > maxCIDRBits {
    90  		return fmt.Errorf("specified %s is too large; for %d-bit addresses, the mask must be >= %d", cidrFlag, bits, bits-maxCIDRBits)
    91  	}
    92  
    93  	return nil
    94  }
    95  
    96  func validateServiceNodePort(options Extra) []error {
    97  	var errs []error
    98  
    99  	if options.KubernetesServiceNodePort < 0 || options.KubernetesServiceNodePort > 65535 {
   100  		errs = append(errs, fmt.Errorf("--kubernetes-service-node-port %v must be between 0 and 65535, inclusive. If 0, the Kubernetes master service will be of type ClusterIP", options.KubernetesServiceNodePort))
   101  	}
   102  
   103  	if options.KubernetesServiceNodePort > 0 && !options.ServiceNodePortRange.Contains(options.KubernetesServiceNodePort) {
   104  		errs = append(errs, fmt.Errorf("kubernetes service node port range %v doesn't contain %v", options.ServiceNodePortRange, options.KubernetesServiceNodePort))
   105  	}
   106  	return errs
   107  }
   108  
   109  func validatePublicIPServiceClusterIPRangeIPFamilies(extra Extra, generic genericoptions.ServerRunOptions) []error {
   110  	// The "kubernetes.default" Service is SingleStack based on the configured ServiceIPRange.
   111  	// If the bootstrap controller reconcile the kubernetes.default Service and Endpoints, it must
   112  	// guarantee that the Service ClusterIPRepairConfig and the associated Endpoints have the same IP family, or
   113  	// it will not work for clients because of the IP family mismatch.
   114  	// TODO: revisit for dual-stack https://github.com/kubernetes/enhancements/issues/2438
   115  	if reconcilers.Type(extra.EndpointReconcilerType) != reconcilers.NoneEndpointReconcilerType {
   116  		serviceIPRange, _, err := controlplaneapiserver.ServiceIPRange(extra.PrimaryServiceClusterIPRange)
   117  		if err != nil {
   118  			return []error{fmt.Errorf("error determining service IP ranges: %w", err)}
   119  		}
   120  		if netutils.IsIPv4CIDR(&serviceIPRange) != netutils.IsIPv4(generic.AdvertiseAddress) {
   121  			return []error{fmt.Errorf("service IP family %q must match public address family %q", extra.PrimaryServiceClusterIPRange.String(), generic.AdvertiseAddress.String())}
   122  		}
   123  	}
   124  
   125  	return nil
   126  }
   127  
   128  // Validate checks ServerRunOptions and return a slice of found errs.
   129  func (s CompletedOptions) Validate() []error {
   130  	var errs []error
   131  
   132  	errs = append(errs, s.CompletedOptions.Validate()...)
   133  	errs = append(errs, s.CloudProvider.Validate()...)
   134  	errs = append(errs, validateClusterIPFlags(s.Extra)...)
   135  	errs = append(errs, validateServiceNodePort(s.Extra)...)
   136  	errs = append(errs, validatePublicIPServiceClusterIPRangeIPFamilies(s.Extra, *s.GenericServerRunOptions)...)
   137  
   138  	if s.MasterCount <= 0 {
   139  		errs = append(errs, fmt.Errorf("--apiserver-count should be a positive number, but value '%d' provided", s.MasterCount))
   140  	}
   141  
   142  	return errs
   143  }
   144
View as plain text