首頁 探索 說明
登入
tzeneto
/
custom-kube-scheduler
關註 1
讚好 0
複刻 0
檔案 問題管理 0 合併請求 0 Wiki
目錄樹: b6dd5f005d
分支列表 標籤列表
custom-kube-...
/
kubernetes
/
pkg
/
proxy
/
apis
/
config
/
validation
/
validation.go

validation.go 12 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306 
  1. /*
    2. 

  2. Copyright 2017 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package validation
    18. 

  18. 

  19. import (
    20. 

  20. 	"fmt"
    21. 

  21. 	"net"
    22. 

  22. 	"runtime"
    23. 

  23. 	"strconv"
    24. 

  24. 	"strings"
    25. 

  25. 

  26. 	utilnet "k8s.io/apimachinery/pkg/util/net"
    27. 

  27. 	"k8s.io/apimachinery/pkg/util/sets"
    28. 

  28. 	"k8s.io/apimachinery/pkg/util/validation/field"
    29. 

  29. 	utilfeature "k8s.io/apiserver/pkg/util/feature"
    30. 

  30. 	componentbaseconfig "k8s.io/component-base/config"
    31. 

  31. 	"k8s.io/component-base/metrics"
    32. 

  32. 	apivalidation "k8s.io/kubernetes/pkg/apis/core/validation"
    33. 

  33. 	kubefeatures "k8s.io/kubernetes/pkg/features"
    34. 

  34. 	kubeproxyconfig "k8s.io/kubernetes/pkg/proxy/apis/config"
    35. 

  35. 	netutils "k8s.io/utils/net"
    36. 

  36. )
    37. 

  37. 

  38. // Validate validates the configuration of kube-proxy
    39. 

  39. func Validate(config *kubeproxyconfig.KubeProxyConfiguration) field.ErrorList {
    40. 

  40. 	allErrs := field.ErrorList{}
    41. 

  41. 

  42. 	newPath := field.NewPath("KubeProxyConfiguration")
    43. 

  43. 

  44. 	effectiveFeatures := utilfeature.DefaultFeatureGate.DeepCopy()
    45. 

  45. 	if err := effectiveFeatures.SetFromMap(config.FeatureGates); err != nil {
    46. 

  46. 		allErrs = append(allErrs, field.Invalid(newPath.Child("featureGates"), config.FeatureGates, err.Error()))
    47. 

  47. 	}
    48. 

  48. 

  49. 	allErrs = append(allErrs, validateKubeProxyIPTablesConfiguration(config.IPTables, newPath.Child("KubeProxyIPTablesConfiguration"))...)
    50. 

  50. 	if config.Mode == kubeproxyconfig.ProxyModeIPVS {
    51. 

  51. 		allErrs = append(allErrs, validateKubeProxyIPVSConfiguration(config.IPVS, newPath.Child("KubeProxyIPVSConfiguration"))...)
    52. 

  52. 	}
    53. 

  53. 	allErrs = append(allErrs, validateKubeProxyConntrackConfiguration(config.Conntrack, newPath.Child("KubeProxyConntrackConfiguration"))...)
    54. 

  54. 	allErrs = append(allErrs, validateProxyMode(config.Mode, newPath.Child("Mode"))...)
    55. 

  55. 	allErrs = append(allErrs, validateClientConnectionConfiguration(config.ClientConnection, newPath.Child("ClientConnection"))...)
    56. 

  56. 

  57. 	if config.OOMScoreAdj != nil && (*config.OOMScoreAdj < -1000 || *config.OOMScoreAdj > 1000) {
    58. 

  58. 		allErrs = append(allErrs, field.Invalid(newPath.Child("OOMScoreAdj"), *config.OOMScoreAdj, "must be within the range [-1000, 1000]"))
    59. 

  59. 	}
    60. 

  60. 

  61. 	if config.UDPIdleTimeout.Duration <= 0 {
    62. 

  62. 		allErrs = append(allErrs, field.Invalid(newPath.Child("UDPIdleTimeout"), config.UDPIdleTimeout, "must be greater than 0"))
    63. 

  63. 	}
    64. 

  64. 

  65. 	if config.ConfigSyncPeriod.Duration <= 0 {
    66. 

  66. 		allErrs = append(allErrs, field.Invalid(newPath.Child("ConfigSyncPeriod"), config.ConfigSyncPeriod, "must be greater than 0"))
    67. 

  67. 	}
    68. 

  68. 

  69. 	if net.ParseIP(config.BindAddress) == nil {
    70. 

  70. 		allErrs = append(allErrs, field.Invalid(newPath.Child("BindAddress"), config.BindAddress, "not a valid textual representation of an IP address"))
    71. 

  71. 	}
    72. 

  72. 

  73. 	if config.HealthzBindAddress != "" {
    74. 

  74. 		allErrs = append(allErrs, validateHostPort(config.HealthzBindAddress, newPath.Child("HealthzBindAddress"))...)
    75. 

  75. 	}
    76. 

  76. 	allErrs = append(allErrs, validateHostPort(config.MetricsBindAddress, newPath.Child("MetricsBindAddress"))...)
    77. 

  77. 

  78. 	if config.ClusterCIDR != "" {
    79. 

  79. 		cidrs := strings.Split(config.ClusterCIDR, ",")
    80. 

  80. 		dualStackEnabled := effectiveFeatures.Enabled(kubefeatures.IPv6DualStack)
    81. 

  81. 

  82. 		switch {
    83. 

  83. 		// if DualStack only valid one cidr or two cidrs with one of each IP family
    84. 

  84. 		case dualStackEnabled && len(cidrs) > 2:
    85. 

  85. 			allErrs = append(allErrs, field.Invalid(newPath.Child("ClusterCIDR"), config.ClusterCIDR, "only one CIDR allowed or a valid DualStack CIDR (e.g. 10.100.0.0/16,fde4:8dba:82e1::/48)"))
    86. 

  86. 		// if DualStack and two cidrs validate if there is at least one of each IP family
    87. 

  87. 		case dualStackEnabled && len(cidrs) == 2:
    88. 

  88. 			isDual, err := netutils.IsDualStackCIDRStrings(cidrs)
    89. 

  89. 			if err != nil || !isDual {
    90. 

  90. 				allErrs = append(allErrs, field.Invalid(newPath.Child("ClusterCIDR"), config.ClusterCIDR, "must be a valid DualStack CIDR (e.g. 10.100.0.0/16,fde4:8dba:82e1::/48)"))
    91. 

  91. 			}
    92. 

  92. 		// if not DualStack only one CIDR allowed
    93. 

  93. 		case !dualStackEnabled && len(cidrs) > 1:
    94. 

  94. 			allErrs = append(allErrs, field.Invalid(newPath.Child("ClusterCIDR"), config.ClusterCIDR, "only one CIDR allowed (e.g. 10.100.0.0/16 or fde4:8dba:82e1::/48)"))
    95. 

  95. 		// if we are here means that len(cidrs) == 1, we need to validate it
    96. 

  96. 		default:
    97. 

  97. 			if _, _, err := net.ParseCIDR(config.ClusterCIDR); err != nil {
    98. 

  98. 				allErrs = append(allErrs, field.Invalid(newPath.Child("ClusterCIDR"), config.ClusterCIDR, "must be a valid CIDR block (e.g. 10.100.0.0/16 or fde4:8dba:82e1::/48)"))
    99. 

  99. 			}
    100. 

  100. 		}
    101. 

  101. 	}
    102. 

  102. 

  103. 	if _, err := utilnet.ParsePortRange(config.PortRange); err != nil {
    104. 

  104. 		allErrs = append(allErrs, field.Invalid(newPath.Child("PortRange"), config.PortRange, "must be a valid port range (e.g. 300-2000)"))
    105. 

  105. 	}
    106. 

  106. 

  107. 	allErrs = append(allErrs, validateKubeProxyNodePortAddress(config.NodePortAddresses, newPath.Child("NodePortAddresses"))...)
    108. 

  108. 	allErrs = append(allErrs, validateShowHiddenMetricsVersion(config.ShowHiddenMetricsForVersion, newPath.Child("ShowHiddenMetricsForVersion"))...)
    109. 

  109. 

  110. 	return allErrs
    111. 

  111. }
    112. 

  112. 

  113. func validateKubeProxyIPTablesConfiguration(config kubeproxyconfig.KubeProxyIPTablesConfiguration, fldPath *field.Path) field.ErrorList {
    114. 

  114. 	allErrs := field.ErrorList{}
    115. 

  115. 

  116. 	if config.MasqueradeBit != nil && (*config.MasqueradeBit < 0 || *config.MasqueradeBit > 31) {
    117. 

  117. 		allErrs = append(allErrs, field.Invalid(fldPath.Child("MasqueradeBit"), config.MasqueradeBit, "must be within the range [0, 31]"))
    118. 

  118. 	}
    119. 

  119. 

  120. 	if config.SyncPeriod.Duration <= 0 {
    121. 

  121. 		allErrs = append(allErrs, field.Invalid(fldPath.Child("SyncPeriod"), config.SyncPeriod, "must be greater than 0"))
    122. 

  122. 	}
    123. 

  123. 

  124. 	if config.MinSyncPeriod.Duration < 0 {
    125. 

  125. 		allErrs = append(allErrs, field.Invalid(fldPath.Child("MinSyncPeriod"), config.MinSyncPeriod, "must be greater than or equal to 0"))
    126. 

  126. 	}
    127. 

  127. 

  128. 	if config.MinSyncPeriod.Duration > config.SyncPeriod.Duration {
    129. 

  129. 		allErrs = append(allErrs, field.Invalid(fldPath.Child("SyncPeriod"), config.MinSyncPeriod, fmt.Sprintf("must be greater than or equal to %s", fldPath.Child("MinSyncPeriod").String())))
    130. 

  130. 	}
    131. 

  131. 

  132. 	return allErrs
    133. 

  133. }
    134. 

  134. 

  135. func validateKubeProxyIPVSConfiguration(config kubeproxyconfig.KubeProxyIPVSConfiguration, fldPath *field.Path) field.ErrorList {
    136. 

  136. 	allErrs := field.ErrorList{}
    137. 

  137. 

  138. 	if config.SyncPeriod.Duration <= 0 {
    139. 

  139. 		allErrs = append(allErrs, field.Invalid(fldPath.Child("SyncPeriod"), config.SyncPeriod, "must be greater than 0"))
    140. 

  140. 	}
    141. 

  141. 

  142. 	if config.MinSyncPeriod.Duration < 0 {
    143. 

  143. 		allErrs = append(allErrs, field.Invalid(fldPath.Child("MinSyncPeriod"), config.MinSyncPeriod, "must be greater than or equal to 0"))
    144. 

  144. 	}
    145. 

  145. 

  146. 	if config.MinSyncPeriod.Duration > config.SyncPeriod.Duration {
    147. 

  147. 		allErrs = append(allErrs, field.Invalid(fldPath.Child("SyncPeriod"), config.MinSyncPeriod, fmt.Sprintf("must be greater than or equal to %s", fldPath.Child("MinSyncPeriod").String())))
    148. 

  148. 	}
    149. 

  149. 

  150. 	allErrs = append(allErrs, validateIPVSSchedulerMethod(kubeproxyconfig.IPVSSchedulerMethod(config.Scheduler), fldPath.Child("Scheduler"))...)
    151. 

  151. 	allErrs = append(allErrs, validateIPVSExcludeCIDRs(config.ExcludeCIDRs, fldPath.Child("ExcludeCidrs"))...)
    152. 

  152. 

  153. 	return allErrs
    154. 

  154. }
    155. 

  155. 

  156. func validateKubeProxyConntrackConfiguration(config kubeproxyconfig.KubeProxyConntrackConfiguration, fldPath *field.Path) field.ErrorList {
    157. 

  157. 	allErrs := field.ErrorList{}
    158. 

  158. 

  159. 	if config.MaxPerCore != nil && *config.MaxPerCore < 0 {
    160. 

  160. 		allErrs = append(allErrs, field.Invalid(fldPath.Child("MaxPerCore"), config.MaxPerCore, "must be greater than or equal to 0"))
    161. 

  161. 	}
    162. 

  162. 

  163. 	if config.Min != nil && *config.Min < 0 {
    164. 

  164. 		allErrs = append(allErrs, field.Invalid(fldPath.Child("Min"), config.Min, "must be greater than or equal to 0"))
    165. 

  165. 	}
    166. 

  166. 

  167. 	if config.TCPEstablishedTimeout.Duration < 0 {
    168. 

  168. 		allErrs = append(allErrs, field.Invalid(fldPath.Child("TCPEstablishedTimeout"), config.TCPEstablishedTimeout, "must be greater than or equal to 0"))
    169. 

  169. 	}
    170. 

  170. 

  171. 	if config.TCPCloseWaitTimeout.Duration < 0 {
    172. 

  172. 		allErrs = append(allErrs, field.Invalid(fldPath.Child("TCPCloseWaitTimeout"), config.TCPCloseWaitTimeout, "must be greater than or equal to 0"))
    173. 

  173. 	}
    174. 

  174. 

  175. 	return allErrs
    176. 

  176. }
    177. 

  177. 

  178. func validateProxyMode(mode kubeproxyconfig.ProxyMode, fldPath *field.Path) field.ErrorList {
    179. 

  179. 	if runtime.GOOS == "windows" {
    180. 

  180. 		return validateProxyModeWindows(mode, fldPath)
    181. 

  181. 	}
    182. 

  182. 

  183. 	return validateProxyModeLinux(mode, fldPath)
    184. 

  184. }
    185. 

  185. 

  186. func validateProxyModeLinux(mode kubeproxyconfig.ProxyMode, fldPath *field.Path) field.ErrorList {
    187. 

  187. 	validModes := sets.NewString(
    188. 

  188. 		string(kubeproxyconfig.ProxyModeUserspace),
    189. 

  189. 		string(kubeproxyconfig.ProxyModeIPTables),
    190. 

  190. 		string(kubeproxyconfig.ProxyModeIPVS),
    191. 

  191. 	)
    192. 

  192. 

  193. 	if mode == "" || validModes.Has(string(mode)) {
    194. 

  194. 		return nil
    195. 

  195. 	}
    196. 

  196. 

  197. 	errMsg := fmt.Sprintf("must be %s or blank (blank means the best-available proxy [currently iptables])", strings.Join(validModes.List(), ","))
    198. 

  198. 	return field.ErrorList{field.Invalid(fldPath.Child("ProxyMode"), string(mode), errMsg)}
    199. 

  199. }
    200. 

  200. 

  201. func validateProxyModeWindows(mode kubeproxyconfig.ProxyMode, fldPath *field.Path) field.ErrorList {
    202. 

  202. 	validModes := sets.NewString(
    203. 

  203. 		string(kubeproxyconfig.ProxyModeUserspace),
    204. 

  204. 		string(kubeproxyconfig.ProxyModeKernelspace),
    205. 

  205. 	)
    206. 

  206. 

  207. 	if mode == "" || validModes.Has(string(mode)) {
    208. 

  208. 		return nil
    209. 

  209. 	}
    210. 

  210. 

  211. 	errMsg := fmt.Sprintf("must be %s or blank (blank means the most-available proxy [currently userspace])", strings.Join(validModes.List(), ","))
    212. 

  212. 	return field.ErrorList{field.Invalid(fldPath.Child("ProxyMode"), string(mode), errMsg)}
    213. 

  213. }
    214. 

  214. 

  215. func validateClientConnectionConfiguration(config componentbaseconfig.ClientConnectionConfiguration, fldPath *field.Path) field.ErrorList {
    216. 

  216. 	allErrs := field.ErrorList{}
    217. 

  217. 	allErrs = append(allErrs, apivalidation.ValidateNonnegativeField(int64(config.Burst), fldPath.Child("Burst"))...)
    218. 

  218. 	return allErrs
    219. 

  219. }
    220. 

  220. 

  221. func validateHostPort(input string, fldPath *field.Path) field.ErrorList {
    222. 

  222. 	allErrs := field.ErrorList{}
    223. 

  223. 

  224. 	hostIP, port, err := net.SplitHostPort(input)
    225. 

  225. 	if err != nil {
    226. 

  226. 		allErrs = append(allErrs, field.Invalid(fldPath, input, "must be IP:port"))
    227. 

  227. 		return allErrs
    228. 

  228. 	}
    229. 

  229. 

  230. 	if ip := net.ParseIP(hostIP); ip == nil {
    231. 

  231. 		allErrs = append(allErrs, field.Invalid(fldPath, hostIP, "must be a valid IP"))
    232. 

  232. 	}
    233. 

  233. 

  234. 	if p, err := strconv.Atoi(port); err != nil {
    235. 

  235. 		allErrs = append(allErrs, field.Invalid(fldPath, port, "must be a valid port"))
    236. 

  236. 	} else if p < 1 || p > 65535 {
    237. 

  237. 		allErrs = append(allErrs, field.Invalid(fldPath, port, "must be a valid port"))
    238. 

  238. 	}
    239. 

  239. 

  240. 	return allErrs
    241. 

  241. }
    242. 

  242. 

  243. func validateIPVSSchedulerMethod(scheduler kubeproxyconfig.IPVSSchedulerMethod, fldPath *field.Path) field.ErrorList {
    244. 

  244. 	supportedMethod := []kubeproxyconfig.IPVSSchedulerMethod{
    245. 

  245. 		kubeproxyconfig.RoundRobin,
    246. 

  246. 		kubeproxyconfig.WeightedRoundRobin,
    247. 

  247. 		kubeproxyconfig.LeastConnection,
    248. 

  248. 		kubeproxyconfig.WeightedLeastConnection,
    249. 

  249. 		kubeproxyconfig.LocalityBasedLeastConnection,
    250. 

  250. 		kubeproxyconfig.LocalityBasedLeastConnectionWithReplication,
    251. 

  251. 		kubeproxyconfig.SourceHashing,
    252. 

  252. 		kubeproxyconfig.DestinationHashing,
    253. 

  253. 		kubeproxyconfig.ShortestExpectedDelay,
    254. 

  254. 		kubeproxyconfig.NeverQueue,
    255. 

  255. 		"",
    256. 

  256. 	}
    257. 

  257. 	allErrs := field.ErrorList{}
    258. 

  258. 	var found bool
    259. 

  259. 	for i := range supportedMethod {
    260. 

  260. 		if scheduler == supportedMethod[i] {
    261. 

  261. 			found = true
    262. 

  262. 			break
    263. 

  263. 		}
    264. 

  264. 	}
    265. 

  265. 	// Not found
    266. 

  266. 	if !found {
    267. 

  267. 		errMsg := fmt.Sprintf("must be in %v, blank means the default algorithm method (currently rr)", supportedMethod)
    268. 

  268. 		allErrs = append(allErrs, field.Invalid(fldPath.Child("Scheduler"), string(scheduler), errMsg))
    269. 

  269. 	}
    270. 

  270. 	return allErrs
    271. 

  271. }
    272. 

  272. 

  273. func validateKubeProxyNodePortAddress(nodePortAddresses []string, fldPath *field.Path) field.ErrorList {
    274. 

  274. 	allErrs := field.ErrorList{}
    275. 

  275. 

  276. 	for i := range nodePortAddresses {
    277. 

  277. 		if _, _, err := net.ParseCIDR(nodePortAddresses[i]); err != nil {
    278. 

  278. 			allErrs = append(allErrs, field.Invalid(fldPath, nodePortAddresses, "must be a valid IP block"))
    279. 

  279. 			break
    280. 

  280. 		}
    281. 

  281. 	}
    282. 

  282. 

  283. 	return allErrs
    284. 

  284. }
    285. 

  285. 

  286. func validateIPVSExcludeCIDRs(excludeCIDRs []string, fldPath *field.Path) field.ErrorList {
    287. 

  287. 	allErrs := field.ErrorList{}
    288. 

  288. 

  289. 	for i := range excludeCIDRs {
    290. 

  290. 		if _, _, err := net.ParseCIDR(excludeCIDRs[i]); err != nil {
    291. 

  291. 			allErrs = append(allErrs, field.Invalid(fldPath, excludeCIDRs, "must be a valid IP block"))
    292. 

  292. 		}
    293. 

  293. 	}
    294. 

  294. 	return allErrs
    295. 

  295. }
    296. 

  296. 

  297. func validateShowHiddenMetricsVersion(version string, fldPath *field.Path) field.ErrorList {
    298. 

  298. 	allErrs := field.ErrorList{}
    299. 

  299. 	errs := metrics.ValidateShowHiddenMetricsVersion(version)
    300. 

  300. 	for _, e := range errs {
    301. 

  301. 		allErrs = append(allErrs, field.Invalid(fldPath, version, e.Error()))
    302. 

  302. 	}
    303. 

  303. 

  304. 	return allErrs
    305. 

  305. }
    306. 

  306.