service: fix IPFamily validation and defaulting problems

If the dual-stack flag is enabled and the cluster is single stack IPv6, the allocator logic for service clusterIP does not properly handle rejecting a request for an IPv4 family. Return a 422 Invalid on the ipFamily field when the dual stack flag is on (as it would when it hits beta) and the cluster is configured for single-stack IPv6. The family is now defaulted or cleared in BeforeCreate/BeforeUpdate, and is either inherited from the previous object (if nil or unchanged), or set to the default strategy's family as necessary. The existing family defaulting when cluster ip is provided remains in the api section. We add additonal family defaulting at the time we allocate the IP to ensure that IPFamily is a consequence of the ClusterIP and prevent accidental reversion. This defaulting also ensures that old clients that submit a nil IPFamily for non ClusterIP services receive a default. To properly handle validation, make the strategy and the validation code path condition on which configuration options are passed to service storage. Move validation and preparation logic inside the strategy where it belongs. Service validation is now dependent on the configuration of the server, and as such ValidateConditionService needs to know what the allowed families are.
2025-11-02 11:18:16 +00:00 · 2020-01-06 19:50:04 -05:00
parent f01d848c48
commit c6b833ac3c
13 changed files with 1263 additions and 363 deletions
--- a/pkg/apis/core/validation/validation_test.go
+++ b/pkg/apis/core/validation/validation_test.go
@@ -10193,12 +10193,12 @@ func TestValidateServiceCreate(t *testing.T) {
 			numErrs: 0,
 		},
 		{
-			name: "invalid, service with invalid IPFamily",
+			name: "allowed valid, service with invalid IPFamily is ignored (tested in conditional validation)",
 			tweakSvc: func(s *core.Service) {
 				invalidServiceIPFamily := core.IPFamily("not-a-valid-ip-family")
 				s.Spec.IPFamily = &invalidServiceIPFamily
 			},
-			numErrs: 1,
+			numErrs: 0,
 		},
 		{
 			name: "valid topology keys",
@@ -12204,18 +12204,18 @@ func TestValidateServiceUpdate(t *testing.T) {
 			numErrs: 0,
 		},
 		{
-			name: "remove ipfamily",
+			name: "remove ipfamily (covered by conditional validation)",
 			tweakSvc: func(oldSvc, newSvc *core.Service) {
 				ipv6Service := core.IPv6Protocol
 				oldSvc.Spec.IPFamily = &ipv6Service

 				newSvc.Spec.IPFamily = nil
 			},
-			numErrs: 1,
+			numErrs: 0,
 		},

 		{
-			name: "change ServiceIPFamily",
+			name: "change ServiceIPFamily (covered by conditional validation)",
 			tweakSvc: func(oldSvc, newSvc *core.Service) {
 				ipv4Service := core.IPv4Protocol
 				oldSvc.Spec.Type = core.ServiceTypeClusterIP
@@ -12225,7 +12225,7 @@ func TestValidateServiceUpdate(t *testing.T) {
 				newSvc.Spec.Type = core.ServiceTypeClusterIP
 				newSvc.Spec.IPFamily = &ipv6Service
 			},
-			numErrs: 1,
+			numErrs: 0,
 		},
 		{
 			name: "update with valid app protocol, field unset, gate disabled",