Add legacy versions of IsValidIP/IsValidCIDR

Add validation.IsValidIPForLegacyField and validation.IsValidCIDRForLegacyField, which validate "legacy" IP/CIDR fields correctly. Use them for all such fields (indirectly, via a wrapper in pkg/apis/core/validation that handles the StrictIPCIDRValidation feature gate correctly). Change IsValidIP and IsValidCIDR to require strict parsing and canonical form, and update the IPAddr, ServiceCIDR, and NetworkDeviceData validation to make use of them.
2025-10-31 18:28:13 +00:00 · 2025-02-28 17:41:10 -05:00
parent ba189de78f
commit 692785d25b
11 changed files with 709 additions and 88 deletions
--- a/pkg/apis/discovery/validation/validation_test.go
+++ b/pkg/apis/discovery/validation/validation_test.go
@@ -23,8 +23,11 @@ import (

 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/discovery"
+	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/utils/ptr"
 )

@@ -36,6 +39,7 @@ func TestValidateEndpointSlice(t *testing.T) {

 	testCases := map[string]struct {
 		expectedErrors int
+		legacyIPs      bool
 		endpointSlice  *discovery.EndpointSlice
 	}{
 		"good-slice": {
@@ -235,6 +239,22 @@ func TestValidateEndpointSlice(t *testing.T) {
 				}},
 			},
 		},
+		"legacy-ip-with-legacy-validation": {
+			expectedErrors: 0,
+			legacyIPs:      true,
+			endpointSlice: &discovery.EndpointSlice{
+				ObjectMeta:  standardMeta,
+				AddressType: discovery.AddressTypeIPv4,
+				Ports: []discovery.EndpointPort{{
+					Name:     ptr.To("http"),
+					Protocol: ptr.To(api.ProtocolTCP),
+				}},
+				Endpoints: []discovery.Endpoint{{
+					Addresses: []string{"012.034.056.078"},
+					Hostname:  ptr.To("valid-123"),
+				}},
+			},
+		},

 		// expected failures
 		"duplicate-port-name": {
@@ -422,6 +442,21 @@ func TestValidateEndpointSlice(t *testing.T) {
 				}},
 			},
 		},
+		"legacy-ip-with-strict-validation": {
+			expectedErrors: 1,
+			endpointSlice: &discovery.EndpointSlice{
+				ObjectMeta:  standardMeta,
+				AddressType: discovery.AddressTypeIPv4,
+				Ports: []discovery.EndpointPort{{
+					Name:     ptr.To("http"),
+					Protocol: ptr.To(api.ProtocolTCP),
+				}},
+				Endpoints: []discovery.Endpoint{{
+					Addresses: []string{"012.034.056.078"},
+					Hostname:  ptr.To("valid-123"),
+				}},
+			},
+		},
 		"bad-ipv4": {
 			expectedErrors: 2,
 			endpointSlice: &discovery.EndpointSlice{
@@ -601,6 +636,7 @@ func TestValidateEndpointSlice(t *testing.T) {

 	for name, testCase := range testCases {
 		t.Run(name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StrictIPCIDRValidation, !testCase.legacyIPs)
 			errs := ValidateEndpointSlice(testCase.endpointSlice)
 			if len(errs) != testCase.expectedErrors {
 				t.Errorf("Expected %d errors, got %d errors: %v", testCase.expectedErrors, len(errs), errs)