kube-proxy: internal config: refactor ClusterCIDR

Refactor ClusterCIDR for internal configuration of kube-proxy
adhering to the v1alpha2 version specifications as detailed in
https://kep.k8s.io/784.

Signed-off-by: Daman Arora <aroradaman@gmail.com>

cmd/kube-proxy/app/options.go

@@ -87,6 +87,7 @@ type Options struct {
 	iptablesMinSyncPeriod time.Duration
 	ipvsSyncPeriod        time.Duration
 	ipvsMinSyncPeriod     time.Duration
+	clusterCIDRs          string
 }
 
 // AddFlags adds flags to fs and binds them to options.
@@ -143,7 +144,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
 	fs.Var(&o.config.DetectLocalMode, "detect-local-mode", "Mode to use to detect local traffic. This parameter is ignored if a config file is specified by --config.")
 	fs.StringVar(&o.config.DetectLocal.BridgeInterface, "pod-bridge-interface", o.config.DetectLocal.BridgeInterface, "A bridge interface name. When --detect-local-mode is set to BridgeInterface, kube-proxy will consider traffic to be local if it originates from this bridge.")
 	fs.StringVar(&o.config.DetectLocal.InterfaceNamePrefix, "pod-interface-name-prefix", o.config.DetectLocal.InterfaceNamePrefix, "An interface name prefix. When --detect-local-mode is set to InterfaceNamePrefix, kube-proxy will consider traffic to be local if it originates from any interface whose name begins with this prefix.")
-	fs.StringVar(&o.config.ClusterCIDR, "cluster-cidr", o.config.ClusterCIDR, "The CIDR range of the pods in the cluster. (For dual-stack clusters, this can be a comma-separated dual-stack pair of CIDR ranges.). When --detect-local-mode is set to ClusterCIDR, kube-proxy will consider traffic to be local if its source IP is in this range. (Otherwise it is not used.) "+
+	fs.StringVar(&o.clusterCIDRs, "cluster-cidr", strings.Join(o.config.DetectLocal.ClusterCIDRs, ","), "The CIDR range of the pods in the cluster. (For dual-stack clusters, this can be a comma-separated dual-stack pair of CIDR ranges.). When --detect-local-mode is set to ClusterCIDR, kube-proxy will consider traffic to be local if its source IP is in this range. (Otherwise it is not used.) "+
 		"This parameter is ignored if a config file is specified by --config.")
 
 	fs.StringSliceVar(&o.config.NodePortAddresses, "nodeport-addresses", o.config.NodePortAddresses,
@@ -326,6 +327,9 @@ func (o *Options) processV1Alpha1Flags(fs *pflag.FlagSet) {
 	if fs.Changed("ipvs-min-sync-period") && o.config.Mode == kubeproxyconfig.ProxyModeIPVS {
 		o.config.MinSyncPeriod.Duration = o.ipvsMinSyncPeriod
 	}
+	if fs.Changed("cluster-cidr") {
+		o.config.DetectLocal.ClusterCIDRs = strings.Split(o.clusterCIDRs, ",")
+	}
 }
 
 // Validate validates all the required options.

cmd/kube-proxy/app/options_test.go

@@ -20,6 +20,8 @@ import (
 	"fmt"
 	"os"
 	"path"
+	"reflect"
+	"strings"
 	"testing"
 	"time"
 
@@ -194,7 +196,6 @@ nodePortAddresses:
 					Kubeconfig:         "/path/to/kubeconfig",
 					QPS:                7,
 				},
-				ClusterCIDR:      tc.clusterCIDR,
 				MinSyncPeriod:    metav1.Duration{Duration: 10 * time.Second},
 				SyncPeriod:       metav1.Duration{Duration: 60 * time.Second},
 				ConfigSyncPeriod: metav1.Duration{Duration: 15 * time.Second},
@@ -228,6 +229,7 @@ nodePortAddresses:
 				DetectLocalMode:    kubeproxyconfig.LocalModeClusterCIDR,
 				DetectLocal: kubeproxyconfig.DetectLocalConfiguration{
 					BridgeInterface:     "cbr0",
+					ClusterCIDRs:        strings.Split(tc.clusterCIDR, ","),
 					InterfaceNamePrefix: "veth",
 				},
 				Logging: logsapi.LoggingConfiguration{
@@ -444,6 +446,15 @@ func TestProcessV1Alpha1Flags(t *testing.T) {
 					config.MinSyncPeriod == metav1.Duration{Duration: 7 * time.Second}
 			},
 		},
+		{
+			name: "cluster cidr",
+			flags: []string{
+				"--cluster-cidr=2002:0:0:1234::/64,10.0.0.0/14",
+			},
+			validate: func(config *kubeproxyconfig.KubeProxyConfiguration) bool {
+				return reflect.DeepEqual(config.DetectLocal.ClusterCIDRs, []string{"2002:0:0:1234::/64", "10.0.0.0/14"})
+			},
+		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {

cmd/kube-proxy/app/server.go

@@ -25,7 +25,6 @@ import (
 	"net"
 	"net/http"
 	"os"
-	"strings"
 	"time"
 
 	"github.com/spf13/cobra"
@@ -271,8 +270,7 @@ func checkBadConfig(s *ProxyServer) error {
 	// we can at least take note of whether there is any explicitly-dual-stack
 	// configuration.
 	anyDualStackConfig := false
-	clusterCIDRs := strings.Split(s.Config.ClusterCIDR, ",")
+	for _, config := range [][]string{s.Config.DetectLocal.ClusterCIDRs, s.Config.NodePortAddresses, s.Config.IPVS.ExcludeCIDRs, s.podCIDRs} {
-	for _, config := range [][]string{clusterCIDRs, s.Config.NodePortAddresses, s.Config.IPVS.ExcludeCIDRs, s.podCIDRs} {
 		if dual, _ := netutils.IsDualStackCIDRStrings(config); dual {
 			anyDualStackConfig = true
 			break
@@ -314,16 +312,13 @@ func checkBadIPConfig(s *ProxyServer, dualStackSupported bool) (err error, fatal
 		clusterType = fmt.Sprintf("%s-only", s.PrimaryIPFamily)
 	}
 
-	if s.Config.ClusterCIDR != "" {
+	if badCIDRs(s.Config.DetectLocal.ClusterCIDRs, badFamily) {
-		clusterCIDRs := strings.Split(s.Config.ClusterCIDR, ",")
-		if badCIDRs(clusterCIDRs, badFamily) {
 		errors = append(errors, fmt.Errorf("cluster is %s but clusterCIDRs contains only IPv%s addresses", clusterType, badFamily))
 		if s.Config.DetectLocalMode == kubeproxyconfig.LocalModeClusterCIDR && !dualStackSupported {
 			// This has always been a fatal error
 			fatal = true
 		}
 	}
-	}
 
 	if badCIDRs(s.podCIDRs, badFamily) {
 		errors = append(errors, fmt.Errorf("cluster is %s but node.spec.podCIDRs contains only IPv%s addresses", clusterType, badFamily))

cmd/kube-proxy/app/server_linux.go

@@ -26,7 +26,6 @@ import (
 	"errors"
 	"fmt"
 	goruntime "runtime"
-	"strings"
 	"time"
 
 	"github.com/google/cadvisor/machine"
@@ -477,12 +476,11 @@ func getLocalDetectors(logger klog.Logger, primaryIPFamily v1.IPFamily, config *
 
 	switch config.DetectLocalMode {
 	case proxyconfigapi.LocalModeClusterCIDR:
-		clusterCIDRs := strings.Split(strings.TrimSpace(config.ClusterCIDR), ",")
+		for family, cidrs := range proxyutil.MapCIDRsByIPFamily(config.DetectLocal.ClusterCIDRs) {
-		for family, cidrs := range proxyutil.MapCIDRsByIPFamily(clusterCIDRs) {
 			localDetectors[family] = proxyutil.NewDetectLocalByCIDR(cidrs[0].String())
 		}
 		if !localDetectors[primaryIPFamily].IsImplemented() {
-			logger.Info("Detect-local-mode set to ClusterCIDR, but no cluster CIDR specified for primary IP family", "ipFamily", primaryIPFamily, "clusterCIDR", config.ClusterCIDR)
+			logger.Info("Detect-local-mode set to ClusterCIDR, but no cluster CIDR specified for primary IP family", "ipFamily", primaryIPFamily, "clusterCIDRs", config.DetectLocal.ClusterCIDRs)
 		}
 
 	case proxyconfigapi.LocalModeNodeCIDR:

cmd/kube-proxy/app/server_linux_test.go

@@ -121,7 +121,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeClusterCIDR, single-stack IPv4 cluster",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeClusterCIDR,
-				ClusterCIDR:     "10.0.0.0/14",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"10.0.0.0/14"},
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			expected: map[v1.IPFamily]proxyutil.LocalTrafficDetector{
@@ -133,7 +135,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeClusterCIDR, single-stack IPv6 cluster",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeClusterCIDR,
-				ClusterCIDR:     "2002:0:0:1234::/64",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"2002:0:0:1234::/64"},
+				},
 			},
 			primaryIPFamily: v1.IPv6Protocol,
 			expected: map[v1.IPFamily]proxyutil.LocalTrafficDetector{
@@ -145,7 +149,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeClusterCIDR, single-stack IPv6 cluster with single-stack IPv4 config",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeClusterCIDR,
-				ClusterCIDR:     "10.0.0.0/14",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"10.0.0.0/14"},
+				},
 			},
 			primaryIPFamily: v1.IPv6Protocol,
 			// This will output a warning that there is no IPv6 CIDR but it
@@ -159,7 +165,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeClusterCIDR, single-stack IPv4 cluster with single-stack IPv6 config",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeClusterCIDR,
-				ClusterCIDR:     "2002:0:0:1234::/64",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"2002:0:0:1234::/64"},
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			// This will output a warning that there is no IPv4 CIDR but it
@@ -173,7 +181,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeClusterCIDR, dual-stack IPv4-primary cluster",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeClusterCIDR,
-				ClusterCIDR:     "10.0.0.0/14,2002:0:0:1234::/64",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"10.0.0.0/14", "2002:0:0:1234::/64"},
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			expected: map[v1.IPFamily]proxyutil.LocalTrafficDetector{
@@ -185,7 +195,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeClusterCIDR, dual-stack IPv6-primary cluster",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeClusterCIDR,
-				ClusterCIDR:     "2002:0:0:1234::/64,10.0.0.0/14",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"2002:0:0:1234::/64", "10.0.0.0/14"},
+				},
 			},
 			primaryIPFamily: v1.IPv6Protocol,
 			expected: map[v1.IPFamily]proxyutil.LocalTrafficDetector{
@@ -197,7 +209,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeClusterCIDR, IPv4-primary kube-proxy / IPv6-primary config",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeClusterCIDR,
-				ClusterCIDR:     "2002:0:0:1234::/64,10.0.0.0/14",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"2002:0:0:1234::/64", "10.0.0.0/14"},
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			expected: map[v1.IPFamily]proxyutil.LocalTrafficDetector{
@@ -209,7 +223,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeClusterCIDR, no ClusterCIDR",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeClusterCIDR,
-				ClusterCIDR:     "",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{""},
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			expected: map[v1.IPFamily]proxyutil.LocalTrafficDetector{
@@ -222,7 +238,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeNodeCIDR, single-stack IPv4 cluster",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeNodeCIDR,
-				ClusterCIDR:     "10.0.0.0/14",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"10.0.0.0/14"},
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			nodePodCIDRs:    []string{"10.0.0.0/24"},
@@ -235,7 +253,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeNodeCIDR, single-stack IPv6 cluster",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeNodeCIDR,
-				ClusterCIDR:     "2002:0:0:1234::/64",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"2002:0:0:1234::/64"},
+				},
 			},
 			primaryIPFamily: v1.IPv6Protocol,
 			nodePodCIDRs:    []string{"2002::1234:abcd:ffff:0:0/96"},
@@ -248,7 +268,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeNodeCIDR, single-stack IPv6 cluster with single-stack IPv4 config",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeNodeCIDR,
-				ClusterCIDR:     "10.0.0.0/14",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"10.0.0.0/14"},
+				},
 			},
 			primaryIPFamily: v1.IPv6Protocol,
 			nodePodCIDRs:    []string{"10.0.0.0/24"},
@@ -263,7 +285,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeNodeCIDR, single-stack IPv4 cluster with single-stack IPv6 config",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeNodeCIDR,
-				ClusterCIDR:     "2002:0:0:1234::/64",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"2002:0:0:1234::/64"},
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			nodePodCIDRs:    []string{"2002::1234:abcd:ffff:0:0/96"},
@@ -278,7 +302,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeNodeCIDR, dual-stack IPv4-primary cluster",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeNodeCIDR,
-				ClusterCIDR:     "10.0.0.0/14,2002:0:0:1234::/64",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"10.0.0.0/14", "2002:0:0:1234::/64"},
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			nodePodCIDRs:    []string{"10.0.0.0/24", "2002::1234:abcd:ffff:0:0/96"},
@@ -291,7 +317,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeNodeCIDR, dual-stack IPv6-primary cluster",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeNodeCIDR,
-				ClusterCIDR:     "2002:0:0:1234::/64,10.0.0.0/14",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"2002:0:0:1234::/64", "10.0.0.0/14"},
+				},
 			},
 			primaryIPFamily: v1.IPv6Protocol,
 			nodePodCIDRs:    []string{"2002::1234:abcd:ffff:0:0/96", "10.0.0.0/24"},
@@ -304,7 +332,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeNodeCIDR, IPv6-primary kube-proxy / IPv4-primary config",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeNodeCIDR,
-				ClusterCIDR:     "10.0.0.0/14,2002:0:0:1234::/64",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"10.0.0.0/14", "2002:0:0:1234::/64"},
+				},
 			},
 			primaryIPFamily: v1.IPv6Protocol,
 			nodePodCIDRs:    []string{"10.0.0.0/24", "2002::1234:abcd:ffff:0:0/96"},
@@ -317,7 +347,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeNodeCIDR, no PodCIDRs",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeNodeCIDR,
-				ClusterCIDR:     "",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{""},
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			nodePodCIDRs:    []string{},
@@ -331,7 +363,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "unknown LocalMode",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalMode("abcd"),
-				ClusterCIDR:     "10.0.0.0/14",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"10.0.0.0/14"},
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			expected: map[v1.IPFamily]proxyutil.LocalTrafficDetector{
@@ -344,7 +378,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeBridgeInterface",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeBridgeInterface,
-				DetectLocal:     proxyconfigapi.DetectLocalConfiguration{BridgeInterface: "eth"},
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					BridgeInterface: "eth",
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			expected: map[v1.IPFamily]proxyutil.LocalTrafficDetector{
@@ -356,7 +392,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeBridgeInterface, strange bridge name",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeBridgeInterface,
-				DetectLocal:     proxyconfigapi.DetectLocalConfiguration{BridgeInterface: "1234567890123456789"},
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					BridgeInterface: "1234567890123456789",
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			expected: map[v1.IPFamily]proxyutil.LocalTrafficDetector{
@@ -369,7 +407,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeInterfaceNamePrefix",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeInterfaceNamePrefix,
-				DetectLocal:     proxyconfigapi.DetectLocalConfiguration{InterfaceNamePrefix: "eth"},
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					InterfaceNamePrefix: "eth",
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			expected: map[v1.IPFamily]proxyutil.LocalTrafficDetector{
@@ -381,7 +421,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeInterfaceNamePrefix, strange interface name",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeInterfaceNamePrefix,
-				DetectLocal:     proxyconfigapi.DetectLocalConfiguration{InterfaceNamePrefix: "1234567890123456789"},
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					InterfaceNamePrefix: "1234567890123456789",
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			expected: map[v1.IPFamily]proxyutil.LocalTrafficDetector{

cmd/kube-proxy/app/server_test.go

@@ -305,7 +305,9 @@ func Test_checkBadConfig(t *testing.T) {
 			name: "single-stack NodePortAddresses with single-stack config",
 			proxy: &ProxyServer{
 				Config: &kubeproxyconfig.KubeProxyConfiguration{
-					ClusterCIDR:       "10.0.0.0/8",
+					DetectLocal: kubeproxyconfig.DetectLocalConfiguration{
+						ClusterCIDRs: []string{"10.0.0.0/8"},
+					},
 					NodePortAddresses: []string{"192.168.0.0/24"},
 				},
 				PrimaryIPFamily: v1.IPv4Protocol,
@@ -316,7 +318,9 @@ func Test_checkBadConfig(t *testing.T) {
 			name: "dual-stack NodePortAddresses with dual-stack config",
 			proxy: &ProxyServer{
 				Config: &kubeproxyconfig.KubeProxyConfiguration{
-					ClusterCIDR:       "10.0.0.0/8,fd09::/64",
+					DetectLocal: kubeproxyconfig.DetectLocalConfiguration{
+						ClusterCIDRs: []string{"10.0.0.0/8", "fd09::/64"},
+					},
 					NodePortAddresses: []string{"192.168.0.0/24", "fd03::/64"},
 				},
 				PrimaryIPFamily: v1.IPv4Protocol,
@@ -337,7 +341,9 @@ func Test_checkBadConfig(t *testing.T) {
 			name: "single-stack NodePortAddresses with dual-stack config",
 			proxy: &ProxyServer{
 				Config: &kubeproxyconfig.KubeProxyConfiguration{
-					ClusterCIDR:       "10.0.0.0/8,fd09::/64",
+					DetectLocal: kubeproxyconfig.DetectLocalConfiguration{
+						ClusterCIDRs: []string{"10.0.0.0/8", "fd09::/64"},
+					},
 					NodePortAddresses: []string{"192.168.0.0/24"},
 				},
 				PrimaryIPFamily: v1.IPv4Protocol,
@@ -348,7 +354,9 @@ func Test_checkBadConfig(t *testing.T) {
 			name: "wrong-single-stack NodePortAddresses",
 			proxy: &ProxyServer{
 				Config: &kubeproxyconfig.KubeProxyConfiguration{
-					ClusterCIDR:       "fd09::/64",
+					DetectLocal: kubeproxyconfig.DetectLocalConfiguration{
+						ClusterCIDRs: []string{"fd09::/64"},
+					},
 					NodePortAddresses: []string{"192.168.0.0/24"},
 				},
 				PrimaryIPFamily: v1.IPv6Protocol,
@@ -392,7 +400,9 @@ func Test_checkBadIPConfig(t *testing.T) {
 			name: "ok single-stack clusterCIDR",
 			proxy: &ProxyServer{
 				Config: &kubeproxyconfig.KubeProxyConfiguration{
-					ClusterCIDR: "10.0.0.0/8",
+					DetectLocal: kubeproxyconfig.DetectLocalConfiguration{
+						ClusterCIDRs: []string{"10.0.0.0/8"},
+					},
 				},
 				PrimaryIPFamily: v1.IPv4Protocol,
 			},
@@ -403,7 +413,9 @@ func Test_checkBadIPConfig(t *testing.T) {
 			name: "ok dual-stack clusterCIDR",
 			proxy: &ProxyServer{
 				Config: &kubeproxyconfig.KubeProxyConfiguration{
-					ClusterCIDR: "10.0.0.0/8,fd01:2345::/64",
+					DetectLocal: kubeproxyconfig.DetectLocalConfiguration{
+						ClusterCIDRs: []string{"10.0.0.0/8", "fd01:2345::/64"},
+					},
 				},
 				PrimaryIPFamily: v1.IPv4Protocol,
 			},
@@ -414,7 +426,9 @@ func Test_checkBadIPConfig(t *testing.T) {
 			name: "ok reversed dual-stack clusterCIDR",
 			proxy: &ProxyServer{
 				Config: &kubeproxyconfig.KubeProxyConfiguration{
-					ClusterCIDR: "fd01:2345::/64,10.0.0.0/8",
+					DetectLocal: kubeproxyconfig.DetectLocalConfiguration{
+						ClusterCIDRs: []string{"fd01:2345::/64", "10.0.0.0/8"},
+					},
 				},
 				PrimaryIPFamily: v1.IPv4Protocol,
 			},
@@ -425,7 +439,9 @@ func Test_checkBadIPConfig(t *testing.T) {
 			name: "wrong-family clusterCIDR",
 			proxy: &ProxyServer{
 				Config: &kubeproxyconfig.KubeProxyConfiguration{
-					ClusterCIDR: "fd01:2345::/64",
+					DetectLocal: kubeproxyconfig.DetectLocalConfiguration{
+						ClusterCIDRs: []string{"fd01:2345::/64"},
+					},
 				},
 				PrimaryIPFamily: v1.IPv4Protocol,
 			},
@@ -438,7 +454,9 @@ func Test_checkBadIPConfig(t *testing.T) {
 			name: "wrong-family clusterCIDR when using ClusterCIDR LocalDetector",
 			proxy: &ProxyServer{
 				Config: &kubeproxyconfig.KubeProxyConfiguration{
-					ClusterCIDR:     "fd01:2345::/64",
+					DetectLocal: kubeproxyconfig.DetectLocalConfiguration{
+						ClusterCIDRs: []string{"fd01:2345::/64"},
+					},
 					DetectLocalMode: kubeproxyconfig.LocalModeClusterCIDR,
 				},
 				PrimaryIPFamily: v1.IPv4Protocol,

pkg/proxy/apis/config/types.go

@@ -141,6 +141,10 @@ type DetectLocalConfiguration struct {
 	// LocalModeBridgeInterface, kube-proxy will consider traffic to be local if
 	// it originates from this bridge.
 	BridgeInterface string
+	// clusterCIDRs is the dual-stack list of CIDR ranges of the pods in the cluster. When
+	// DetectLocalMode is set to LocalModeClusterCIDR, kube-proxy will consider
+	// traffic to be local if its source IP is in the range of any given CIDR.
+	ClusterCIDRs []string
 	// interfaceNamePrefix is an interface name prefix. When DetectLocalMode is set to
 	// LocalModeInterfaceNamePrefix, kube-proxy will consider traffic to be local if
 	// it originates from any interface whose name begins with this prefix.
@@ -212,12 +216,6 @@ type KubeProxyConfiguration struct {
 	DetectLocalMode LocalMode
 	// detectLocal contains optional configuration settings related to DetectLocalMode.
 	DetectLocal DetectLocalConfiguration
-	// clusterCIDR is the CIDR range of the pods in the cluster. (For dual-stack
-	// clusters, this can be a comma-separated dual-stack pair of CIDR ranges.). When
-	// DetectLocalMode is set to LocalModeClusterCIDR, kube-proxy will consider
-	// traffic to be local if its source IP is in this range. (Otherwise it is not
-	// used.)
-	ClusterCIDR string
 
 	// nodePortAddresses is a list of CIDR ranges that contain valid node IPs, or
 	// alternatively, the single string 'primary'. If set to a list of CIDRs,

pkg/proxy/apis/config/v1alpha1/conversion.go

@@ -17,6 +17,8 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"strings"
+
 	"k8s.io/apimachinery/pkg/conversion"
 	"k8s.io/kube-proxy/config/v1alpha1"
 	"k8s.io/kubernetes/pkg/proxy/apis/config"
@@ -48,6 +50,10 @@ func Convert_config_KubeProxyConfiguration_To_v1alpha1_KubeProxyConfiguration(in
 		out.IPTables.SyncPeriod = in.SyncPeriod
 		out.IPTables.MinSyncPeriod = in.MinSyncPeriod
 	}
+
+	if len(in.DetectLocal.ClusterCIDRs) > 0 {
+		out.ClusterCIDR = strings.Join(in.DetectLocal.ClusterCIDRs, ",")
+	}
 	return nil
 }
 
@@ -77,6 +83,10 @@ func Convert_v1alpha1_KubeProxyConfiguration_To_config_KubeProxyConfiguration(in
 		out.SyncPeriod = in.IPTables.SyncPeriod
 		out.MinSyncPeriod = in.IPTables.MinSyncPeriod
 	}
+
+	if len(in.ClusterCIDR) > 0 {
+		out.DetectLocal.ClusterCIDRs = strings.Split(in.ClusterCIDR, ",")
+	}
 	return nil
 }
 
@@ -94,3 +104,8 @@ func Convert_v1alpha1_KubeProxyIPVSConfiguration_To_config_KubeProxyIPVSConfigur
 func Convert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration(in *v1alpha1.KubeProxyNFTablesConfiguration, out *config.KubeProxyNFTablesConfiguration, scope conversion.Scope) error {
 	return autoConvert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration(in, out, scope)
 }
+
+// Convert_config_DetectLocalConfiguration_To_v1alpha1_DetectLocalConfiguration is defined here, because public conversion is not auto-generated due to existing warnings.
+func Convert_config_DetectLocalConfiguration_To_v1alpha1_DetectLocalConfiguration(in *config.DetectLocalConfiguration, out *v1alpha1.DetectLocalConfiguration, s conversion.Scope) error {
+	return autoConvert_config_DetectLocalConfiguration_To_v1alpha1_DetectLocalConfiguration(in, out, s)
+}

pkg/proxy/apis/config/v1alpha1/zz_generated.conversion.go

@@ -44,11 +44,6 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*config.DetectLocalConfiguration)(nil), (*v1alpha1.DetectLocalConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_config_DetectLocalConfiguration_To_v1alpha1_DetectLocalConfiguration(a.(*config.DetectLocalConfiguration), b.(*v1alpha1.DetectLocalConfiguration), scope)
-	}); err != nil {
-		return err
-	}
 	if err := s.AddGeneratedConversionFunc((*v1alpha1.KubeProxyConntrackConfiguration)(nil), (*config.KubeProxyConntrackConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha1_KubeProxyConntrackConfiguration_To_config_KubeProxyConntrackConfiguration(a.(*v1alpha1.KubeProxyConntrackConfiguration), b.(*config.KubeProxyConntrackConfiguration), scope)
 	}); err != nil {
@@ -84,6 +79,11 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddConversionFunc((*config.DetectLocalConfiguration)(nil), (*v1alpha1.DetectLocalConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_config_DetectLocalConfiguration_To_v1alpha1_DetectLocalConfiguration(a.(*config.DetectLocalConfiguration), b.(*v1alpha1.DetectLocalConfiguration), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddConversionFunc((*config.KubeProxyConfiguration)(nil), (*v1alpha1.KubeProxyConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_config_KubeProxyConfiguration_To_v1alpha1_KubeProxyConfiguration(a.(*config.KubeProxyConfiguration), b.(*v1alpha1.KubeProxyConfiguration), scope)
 	}); err != nil {
@@ -125,15 +125,11 @@ func Convert_v1alpha1_DetectLocalConfiguration_To_config_DetectLocalConfiguratio
 
 func autoConvert_config_DetectLocalConfiguration_To_v1alpha1_DetectLocalConfiguration(in *config.DetectLocalConfiguration, out *v1alpha1.DetectLocalConfiguration, s conversion.Scope) error {
 	out.BridgeInterface = in.BridgeInterface
+	// WARNING: in.ClusterCIDRs requires manual conversion: does not exist in peer-type
 	out.InterfaceNamePrefix = in.InterfaceNamePrefix
 	return nil
 }
 
-// Convert_config_DetectLocalConfiguration_To_v1alpha1_DetectLocalConfiguration is an autogenerated conversion function.
-func Convert_config_DetectLocalConfiguration_To_v1alpha1_DetectLocalConfiguration(in *config.DetectLocalConfiguration, out *v1alpha1.DetectLocalConfiguration, s conversion.Scope) error {
-	return autoConvert_config_DetectLocalConfiguration_To_v1alpha1_DetectLocalConfiguration(in, out, s)
-}
-
 func autoConvert_v1alpha1_KubeProxyConfiguration_To_config_KubeProxyConfiguration(in *v1alpha1.KubeProxyConfiguration, out *config.KubeProxyConfiguration, s conversion.Scope) error {
 	out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates))
 	if err := componentbaseconfigv1alpha1.Convert_v1alpha1_ClientConnectionConfiguration_To_config_ClientConnectionConfiguration(&in.ClientConnection, &out.ClientConnection, s); err != nil {
@@ -164,7 +160,7 @@ func autoConvert_v1alpha1_KubeProxyConfiguration_To_config_KubeProxyConfiguratio
 	if err := Convert_v1alpha1_DetectLocalConfiguration_To_config_DetectLocalConfiguration(&in.DetectLocal, &out.DetectLocal, s); err != nil {
 		return err
 	}
-	out.ClusterCIDR = in.ClusterCIDR
+	// WARNING: in.ClusterCIDR requires manual conversion: does not exist in peer-type
 	out.NodePortAddresses = *(*[]string)(unsafe.Pointer(&in.NodePortAddresses))
 	// WARNING: in.OOMScoreAdj requires manual conversion: does not exist in peer-type
 	// WARNING: in.Conntrack requires manual conversion: does not exist in peer-type
@@ -206,7 +202,6 @@ func autoConvert_config_KubeProxyConfiguration_To_v1alpha1_KubeProxyConfiguratio
 	if err := Convert_config_DetectLocalConfiguration_To_v1alpha1_DetectLocalConfiguration(&in.DetectLocal, &out.DetectLocal, s); err != nil {
 		return err
 	}
-	out.ClusterCIDR = in.ClusterCIDR
 	out.NodePortAddresses = *(*[]string)(unsafe.Pointer(&in.NodePortAddresses))
 	// WARNING: in.SyncPeriod requires manual conversion: does not exist in peer-type
 	// WARNING: in.MinSyncPeriod requires manual conversion: does not exist in peer-type

pkg/proxy/apis/config/validation/validation.go

@@ -80,25 +80,6 @@ func Validate(config *kubeproxyconfig.KubeProxyConfiguration) field.ErrorList {
 	}
 	allErrs = append(allErrs, validateHostPort(config.MetricsBindAddress, newPath.Child("MetricsBindAddress"))...)
 
-	if config.ClusterCIDR != "" {
-		cidrs := strings.Split(config.ClusterCIDR, ",")
-		switch {
-		case len(cidrs) > 2:
-			allErrs = append(allErrs, field.Invalid(newPath.Child("ClusterCIDR"), config.ClusterCIDR, "only one CIDR allowed or a valid DualStack CIDR (e.g. 10.100.0.0/16,fde4:8dba:82e1::/48)"))
-		// if DualStack and two cidrs validate if there is at least one of each IP family
-		case len(cidrs) == 2:
-			isDual, err := netutils.IsDualStackCIDRStrings(cidrs)
-			if err != nil || !isDual {
-				allErrs = append(allErrs, field.Invalid(newPath.Child("ClusterCIDR"), config.ClusterCIDR, "must be a valid DualStack CIDR (e.g. 10.100.0.0/16,fde4:8dba:82e1::/48)"))
-			}
-		// if we are here means that len(cidrs) == 1, we need to validate it
-		default:
-			if _, _, err := netutils.ParseCIDRSloppy(config.ClusterCIDR); err != nil {
-				allErrs = append(allErrs, field.Invalid(newPath.Child("ClusterCIDR"), config.ClusterCIDR, "must be a valid CIDR block (e.g. 10.100.0.0/16 or fde4:8dba:82e1::/48)"))
-			}
-		}
-	}
-
 	if _, err := utilnet.ParsePortRange(config.PortRange); err != nil {
 		allErrs = append(allErrs, field.Invalid(newPath.Child("PortRange"), config.PortRange, "must be a valid port range (e.g. 300-2000)"))
 	}
@@ -107,12 +88,7 @@ func Validate(config *kubeproxyconfig.KubeProxyConfiguration) field.ErrorList {
 	allErrs = append(allErrs, validateShowHiddenMetricsVersion(config.ShowHiddenMetricsForVersion, newPath.Child("ShowHiddenMetricsForVersion"))...)
 
 	allErrs = append(allErrs, validateDetectLocalMode(config.DetectLocalMode, newPath.Child("DetectLocalMode"))...)
-	if config.DetectLocalMode == kubeproxyconfig.LocalModeBridgeInterface {
+	allErrs = append(allErrs, validateDetectLocalConfiguration(config.DetectLocalMode, config.DetectLocal, newPath.Child("DetectLocalConfiguration"))...)
-		allErrs = append(allErrs, validateInterface(config.DetectLocal.BridgeInterface, newPath.Child("InterfaceName"))...)
-	}
-	if config.DetectLocalMode == kubeproxyconfig.LocalModeInterfaceNamePrefix {
-		allErrs = append(allErrs, validateInterface(config.DetectLocal.InterfaceNamePrefix, newPath.Child("InterfacePrefix"))...)
-	}
 	allErrs = append(allErrs, logsapi.Validate(&config.Logging, effectiveFeatures, newPath.Child("logging"))...)
 
 	return allErrs
@@ -338,3 +314,41 @@ func validateInterface(iface string, fldPath *field.Path) field.ErrorList {
 	}
 	return allErrs
 }
+
+func validateDualStackCIDRStrings(cidrStrings []string, fldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+	switch {
+	case len(cidrStrings) == 0:
+		allErrs = append(allErrs, field.Invalid(fldPath, cidrStrings, "must contain at least one CIDR"))
+	case len(cidrStrings) > 2:
+		allErrs = append(allErrs, field.Invalid(fldPath, cidrStrings, "must be a either a single CIDR or dual-stack pair of CIDRs (e.g. [10.100.0.0/16, fde4:8dba:82e1::/48]"))
+	default:
+		for i, cidrString := range cidrStrings {
+			if _, _, err := netutils.ParseCIDRSloppy(cidrString); err != nil {
+				allErrs = append(allErrs, field.Invalid(fldPath.Index(i), cidrString, "must be a valid CIDR block (e.g. 10.100.0.0/16 or fde4:8dba:82e1::/48)"))
+			}
+		}
+		if len(cidrStrings) == 2 {
+			ifDualStack, err := netutils.IsDualStackCIDRStrings(cidrStrings)
+			if err == nil && !ifDualStack {
+				allErrs = append(allErrs, field.Invalid(fldPath, cidrStrings, "must be a either a single CIDR or dual-stack pair of CIDRs (e.g. [10.100.0.0/16, fde4:8dba:82e1::/48]"))
+			}
+		}
+	}
+	return allErrs
+}
+
+func validateDetectLocalConfiguration(mode kubeproxyconfig.LocalMode, config kubeproxyconfig.DetectLocalConfiguration, fldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+	switch mode {
+	case kubeproxyconfig.LocalModeBridgeInterface:
+		allErrs = append(allErrs, validateInterface(config.BridgeInterface, fldPath.Child("InterfaceName"))...)
+	case kubeproxyconfig.LocalModeInterfaceNamePrefix:
+		allErrs = append(allErrs, validateInterface(config.InterfaceNamePrefix, fldPath.Child("InterfacePrefix"))...)
+	case kubeproxyconfig.LocalModeClusterCIDR:
+		if len(config.ClusterCIDRs) > 0 {
+			allErrs = append(allErrs, validateDualStackCIDRStrings(config.ClusterCIDRs, fldPath.Child("ClusterCIDRs"))...)
+		}
+	}
+	return allErrs
+}

pkg/proxy/apis/config/validation/validation_test.go

@@ -36,7 +36,10 @@ func TestValidateKubeProxyConfiguration(t *testing.T) {
 		BindAddress:        "192.168.59.103",
 		HealthzBindAddress: "0.0.0.0:10256",
 		MetricsBindAddress: "127.0.0.1:10249",
-		ClusterCIDR:        "192.168.59.0/24",
+		DetectLocalMode:    kubeproxyconfig.LocalModeClusterCIDR,
+		DetectLocal: kubeproxyconfig.DetectLocalConfiguration{
+			ClusterCIDRs: []string{"192.168.59.0/24"},
+		},
 		SyncPeriod:       metav1.Duration{Duration: 5 * time.Second},
 		MinSyncPeriod:    metav1.Duration{Duration: 2 * time.Second},
 		ConfigSyncPeriod: metav1.Duration{Duration: 1 * time.Second},
@@ -82,7 +85,7 @@ func TestValidateKubeProxyConfiguration(t *testing.T) {
 				config.BindAddress = "fd00:192:168:59::103"
 				config.HealthzBindAddress = ""
 				config.MetricsBindAddress = "[::1]:10249"
-				config.ClusterCIDR = "fd00:192:168:59::/64"
+				config.DetectLocal.ClusterCIDRs = []string{"fd00:192:168:59::/64"}
 			},
 		},
 		"alternate healthz port": {
@@ -92,12 +95,12 @@ func TestValidateKubeProxyConfiguration(t *testing.T) {
 		},
 		"ClusterCIDR is wrong IP family": {
 			mutateConfigFunc: func(config *kubeproxyconfig.KubeProxyConfiguration) {
-				config.ClusterCIDR = "fd00:192:168::/64"
+				config.DetectLocal.ClusterCIDRs = []string{"fd00:192:168:59::/64"}
 			},
 		},
 		"ClusterCIDR is dual-stack": {
 			mutateConfigFunc: func(config *kubeproxyconfig.KubeProxyConfiguration) {
-				config.ClusterCIDR = "192.168.59.0/24,fd00:192:168::/64"
+				config.DetectLocal.ClusterCIDRs = []string{"192.168.59.0/24", "fd00:192:168::/64"}
 			},
 		},
 		"LocalModeInterfaceNamePrefix": {
@@ -134,18 +137,6 @@ func TestValidateKubeProxyConfiguration(t *testing.T) {
 			},
 			expectedErrs: field.ErrorList{field.Invalid(newPath.Child("MetricsBindAddress"), "127.0.0.1", "must be IP:port")},
 		},
-		"ClusterCIDR missing subset range": {
-			mutateConfigFunc: func(config *kubeproxyconfig.KubeProxyConfiguration) {
-				config.ClusterCIDR = "192.168.59.0"
-			},
-			expectedErrs: field.ErrorList{field.Invalid(newPath.Child("ClusterCIDR"), "192.168.59.0", "must be a valid CIDR block (e.g. 10.100.0.0/16 or fde4:8dba:82e1::/48)")},
-		},
-		"Invalid number of ClusterCIDRs": {
-			mutateConfigFunc: func(config *kubeproxyconfig.KubeProxyConfiguration) {
-				config.ClusterCIDR = "192.168.59.0/24,fd00:192:168::/64,10.0.0.0/16"
-			},
-			expectedErrs: field.ErrorList{field.Invalid(newPath.Child("ClusterCIDR"), "192.168.59.0/24,fd00:192:168::/64,10.0.0.0/16", "only one CIDR allowed or a valid DualStack CIDR (e.g. 10.100.0.0/16,fde4:8dba:82e1::/48)")},
-		},
 		"ConfigSyncPeriod must be > 0": {
 			mutateConfigFunc: func(config *kubeproxyconfig.KubeProxyConfiguration) {
 				config.ConfigSyncPeriod = metav1.Duration{Duration: -1 * time.Second}
@@ -172,24 +163,6 @@ func TestValidateKubeProxyConfiguration(t *testing.T) {
 			},
 			expectedErrs: field.ErrorList{field.Invalid(newPath.Child("SyncPeriod"), metav1.Duration{Duration: 5 * time.Second}, "must be greater than or equal to KubeProxyConfiguration.MinSyncPeriod")},
 		},
-		"interfacePrefix is empty": {
-			mutateConfigFunc: func(config *kubeproxyconfig.KubeProxyConfiguration) {
-				config.DetectLocalMode = kubeproxyconfig.LocalModeInterfaceNamePrefix
-				config.DetectLocal = kubeproxyconfig.DetectLocalConfiguration{
-					InterfaceNamePrefix: "",
-				}
-			},
-			expectedErrs: field.ErrorList{field.Invalid(newPath.Child("InterfacePrefix"), "", "must not be empty")},
-		},
-		"bridgeInterfaceName is empty": {
-			mutateConfigFunc: func(config *kubeproxyconfig.KubeProxyConfiguration) {
-				config.DetectLocalMode = kubeproxyconfig.LocalModeBridgeInterface
-				config.DetectLocal = kubeproxyconfig.DetectLocalConfiguration{
-					InterfaceNamePrefix: "eth0", // we won't care about prefix since mode is not prefix
-				}
-			},
-			expectedErrs: field.ErrorList{field.Invalid(newPath.Child("InterfaceName"), "", "must not be empty")},
-		},
 		"invalid DetectLocalMode": {
 			mutateConfigFunc: func(config *kubeproxyconfig.KubeProxyConfiguration) {
 				config.DetectLocalMode = "Guess"
@@ -764,3 +737,154 @@ func TestValidateKubeProxyExcludeCIDRs(t *testing.T) {
 		})
 	}
 }
+
+func TestValidateDetectLocalConfiguration(t *testing.T) {
+	newPath := field.NewPath("KubeProxyConfiguration")
+
+	testCases := []struct {
+		name         string
+		mode         kubeproxyconfig.LocalMode
+		config       kubeproxyconfig.DetectLocalConfiguration
+		expectedErrs field.ErrorList
+	}{
+		{
+			name: "valid interface name prefix",
+			mode: kubeproxyconfig.LocalModeInterfaceNamePrefix,
+			config: kubeproxyconfig.DetectLocalConfiguration{
+				InterfaceNamePrefix: "vethabcde",
+			},
+			expectedErrs: field.ErrorList{},
+		},
+		{
+			name: "valid bridge interface",
+			mode: kubeproxyconfig.LocalModeBridgeInterface,
+			config: kubeproxyconfig.DetectLocalConfiguration{
+				BridgeInterface: "avz",
+			},
+			expectedErrs: field.ErrorList{},
+		},
+		{
+			name: "interfacePrefix is empty",
+			mode: kubeproxyconfig.LocalModeInterfaceNamePrefix,
+			config: kubeproxyconfig.DetectLocalConfiguration{
+				InterfaceNamePrefix: "",
+			},
+			expectedErrs: field.ErrorList{field.Invalid(newPath.Child("DetectLocal").Child("InterfacePrefix"), "", "must not be empty")},
+		},
+		{
+			name: "bridgeInterfaceName is empty",
+			mode: kubeproxyconfig.LocalModeBridgeInterface,
+			config: kubeproxyconfig.DetectLocalConfiguration{
+				InterfaceNamePrefix: "eth0", // we won't care about prefix since mode is not prefix
+			},
+			expectedErrs: field.ErrorList{field.Invalid(newPath.Child("DetectLocal").Child("InterfaceName"), "", "must not be empty")},
+		},
+		{
+			name: "valid cluster cidr",
+			mode: kubeproxyconfig.LocalModeClusterCIDR,
+			config: kubeproxyconfig.DetectLocalConfiguration{
+				ClusterCIDRs: []string{"192.168.59.0/24", "fd00:192:168::/64"},
+			},
+			expectedErrs: field.ErrorList{},
+		},
+		{
+			name: "invalid number of cluster cidrs",
+			mode: kubeproxyconfig.LocalModeClusterCIDR,
+			config: kubeproxyconfig.DetectLocalConfiguration{
+				ClusterCIDRs: []string{"192.168.59.0/24", "fd00:192:168::/64", "10.0.0.0/16"},
+			},
+			expectedErrs: field.ErrorList{field.Invalid(newPath.Child("DetectLocal").Child("ClusterCIDRs"), []string{"192.168.59.0/24", "fd00:192:168::/64", "10.0.0.0/16"}, "must be a either a single CIDR or dual-stack pair of CIDRs (e.g. [10.100.0.0/16, fde4:8dba:82e1::/48]")},
+		},
+		{
+			name: "invalid cluster cidr",
+			mode: kubeproxyconfig.LocalModeClusterCIDR,
+			config: kubeproxyconfig.DetectLocalConfiguration{
+				ClusterCIDRs: []string{"192.168.59.0"},
+			},
+			expectedErrs: field.ErrorList{field.Invalid(newPath.Child("DetectLocal").Child("ClusterCIDRs").Index(0), "192.168.59.0", "must be a valid CIDR block (e.g. 10.100.0.0/16 or fde4:8dba:82e1::/48)")},
+		},
+		{
+			name: "empty cluster cidrs with cluster cidr mode",
+			mode: kubeproxyconfig.LocalModeClusterCIDR,
+			config: kubeproxyconfig.DetectLocalConfiguration{
+				ClusterCIDRs: []string{},
+			},
+			expectedErrs: field.ErrorList{},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			errs := validateDetectLocalConfiguration(tc.mode, tc.config, newPath.Child("DetectLocal"))
+			assert.Equalf(t, len(tc.expectedErrs), len(errs),
+				"expected %d errors, got %d errors: %v", len(tc.expectedErrs), len(errs), errs,
+			)
+			for i, err := range errs {
+				assert.Equal(t, tc.expectedErrs[i].Error(), err.Error())
+			}
+		})
+	}
+}
+
+func TestValidateDualStackCIDRStrings(t *testing.T) {
+	newPath := field.NewPath("KubeProxyConfiguration")
+
+	testCases := []struct {
+		name         string
+		cidrStrings  []string
+		expectedErrs field.ErrorList
+	}{
+		{
+			name:         "empty cidr string",
+			cidrStrings:  []string{},
+			expectedErrs: field.ErrorList{field.Invalid(newPath.Child("DualStackCIDRList"), []string{}, "must contain at least one CIDR")},
+		},
+		{
+			name:         "single ipv4 cidr",
+			cidrStrings:  []string{"192.168.0.0/16"},
+			expectedErrs: field.ErrorList{},
+		},
+		{
+			name:         "single ipv6 cidr",
+			cidrStrings:  []string{"fd00:10:96::/112"},
+			expectedErrs: field.ErrorList{},
+		},
+		{
+			name:         "dual stack cidr pair",
+			cidrStrings:  []string{"172.16.200.0/24", "fde4:8dba:82e1::/48"},
+			expectedErrs: field.ErrorList{},
+		},
+		{
+			name:         "multiple ipv4 cidrs",
+			cidrStrings:  []string{"10.100.0.0/16", "192.168.0.0/16", "fde4:8dba:82e1::/48"},
+			expectedErrs: field.ErrorList{field.Invalid(newPath.Child("DualStackCIDRList"), []string{"10.100.0.0/16", "192.168.0.0/16", "fde4:8dba:82e1::/48"}, "must be a either a single CIDR or dual-stack pair of CIDRs (e.g. [10.100.0.0/16, fde4:8dba:82e1::/48]")},
+		},
+		{
+			name:         "multiple ipv6 cidrs",
+			cidrStrings:  []string{"fd00:10:96::/112", "fde4:8dba:82e1::/48"},
+			expectedErrs: field.ErrorList{field.Invalid(newPath.Child("DualStackCIDRList"), []string{"fd00:10:96::/112", "fde4:8dba:82e1::/48"}, "must be a either a single CIDR or dual-stack pair of CIDRs (e.g. [10.100.0.0/16, fde4:8dba:82e1::/48]")},
+		},
+		{
+			name:         "malformed ipv4 cidr",
+			cidrStrings:  []string{"fde4:8dba:82e1::/48", "172.16.200.0:24"},
+			expectedErrs: field.ErrorList{field.Invalid(newPath.Child("DualStackCIDRList").Index(1), "172.16.200.0:24", "must be a valid CIDR block (e.g. 10.100.0.0/16 or fde4:8dba:82e1::/48)")},
+		},
+		{
+			name:         "malformed ipv6 cidr",
+			cidrStrings:  []string{"fd00:10:96::", "192.168.0.0/16"},
+			expectedErrs: field.ErrorList{field.Invalid(newPath.Child("DualStackCIDRList").Index(0), "fd00:10:96::", "must be a valid CIDR block (e.g. 10.100.0.0/16 or fde4:8dba:82e1::/48)")},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			errs := validateDualStackCIDRStrings(tc.cidrStrings, newPath.Child("DualStackCIDRList"))
+			assert.Equalf(t, len(tc.expectedErrs), len(errs),
+				"expected %d errors, got %d errors: %v", len(tc.expectedErrs), len(errs), errs,
+			)
+			for i, err := range errs {
+				assert.Equal(t, tc.expectedErrs[i].Error(), err.Error())
+			}
+		})
+	}
+}

pkg/proxy/apis/config/zz_generated.deepcopy.go

@@ -29,6 +29,11 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DetectLocalConfiguration) DeepCopyInto(out *DetectLocalConfiguration) {
 	*out = *in
+	if in.ClusterCIDRs != nil {
+		in, out := &in.ClusterCIDRs, &out.ClusterCIDRs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 
@@ -61,7 +66,7 @@ func (in *KubeProxyConfiguration) DeepCopyInto(out *KubeProxyConfiguration) {
 	in.IPVS.DeepCopyInto(&out.IPVS)
 	out.Winkernel = in.Winkernel
 	in.NFTables.DeepCopyInto(&out.NFTables)
-	out.DetectLocal = in.DetectLocal
+	in.DetectLocal.DeepCopyInto(&out.DetectLocal)
 	if in.NodePortAddresses != nil {
 		in, out := &in.NodePortAddresses, &out.NodePortAddresses
 		*out = make([]string, len(*in))