
Commit e63b999

Browse files
committed
fix(policy): generate ipv6 names correctly
Use the ipSetName utility method to ensure that ipset names are generated correctly at the point where they are formulated. This feeds into the activeIPSets map later on, so it is important that we get the name right from the start.
1 parent da8f980 commit e63b999


2 files changed

+95
-8
lines changed


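--- a/pkg/controllers/netpol/policy.go
+++ b/pkg/controllers/netpol/policy.go
@@ -904,61 +904,61 @@ func networkPolicyChainName(namespace, policyName string, version string, ipFami
 func policySourcePodIPSetName(namespace, policyName string, ipFamily api.IPFamily) string {
 hash := sha256.Sum256([]byte(namespace + policyName + string(ipFamily)))
 encoded := base32.StdEncoding.EncodeToString(hash[:])
-return kubeSourceIPSetPrefix + encoded[:16]
+return ipSetName(kubeSourceIPSetPrefix + encoded[:16], ipFamily)
 }
 
 func policyDestinationPodIPSetName(namespace, policyName string, ipFamily api.IPFamily) string {
 hash := sha256.Sum256([]byte(namespace + policyName + string(ipFamily)))
 encoded := base32.StdEncoding.EncodeToString(hash[:])
-return kubeDestinationIPSetPrefix + encoded[:16]
+return ipSetName(kubeDestinationIPSetPrefix + encoded[:16], ipFamily)
 }
 
 func policyIndexedSourcePodIPSetName(
 namespace, policyName string, ingressRuleNo int, ipFamily api.IPFamily) string {
 hash := sha256.Sum256([]byte(namespace + policyName + "ingressrule" + strconv.Itoa(ingressRuleNo) +
 string(ipFamily) + "pod"))
 encoded := base32.StdEncoding.EncodeToString(hash[:])
-return kubeSourceIPSetPrefix + encoded[:16]
+return ipSetName(kubeSourceIPSetPrefix + encoded[:16], ipFamily)
 }
 
 func policyIndexedDestinationPodIPSetName(
 namespace, policyName string, egressRuleNo int, ipFamily api.IPFamily) string {
 hash := sha256.Sum256([]byte(namespace + policyName + "egressrule" + strconv.Itoa(egressRuleNo) +
 string(ipFamily) + "pod"))
 encoded := base32.StdEncoding.EncodeToString(hash[:])
-return kubeDestinationIPSetPrefix + encoded[:16]
+return ipSetName(kubeDestinationIPSetPrefix + encoded[:16], ipFamily)
 }
 
 func policyIndexedSourceIPBlockIPSetName(
 namespace, policyName string, ingressRuleNo int, ipFamily api.IPFamily) string {
 hash := sha256.Sum256([]byte(namespace + policyName + "ingressrule" + strconv.Itoa(ingressRuleNo) +
 string(ipFamily) + "ipblock"))
 encoded := base32.StdEncoding.EncodeToString(hash[:])
-return kubeSourceIPSetPrefix + encoded[:16]
+return ipSetName(kubeSourceIPSetPrefix + encoded[:16], ipFamily)
 }
 
 func policyIndexedDestinationIPBlockIPSetName(
 namespace, policyName string, egressRuleNo int, ipFamily api.IPFamily) string {
 hash := sha256.Sum256([]byte(namespace + policyName + "egressrule" + strconv.Itoa(egressRuleNo) +
 string(ipFamily) + "ipblock"))
 encoded := base32.StdEncoding.EncodeToString(hash[:])
-return kubeDestinationIPSetPrefix + encoded[:16]
+return ipSetName(kubeDestinationIPSetPrefix + encoded[:16], ipFamily)
 }
 
 func policyIndexedIngressNamedPortIPSetName(
 namespace, policyName string, ingressRuleNo, namedPortNo int, ipFamily api.IPFamily) string {
 hash := sha256.Sum256([]byte(namespace + policyName + "ingressrule" + strconv.Itoa(ingressRuleNo) +
 strconv.Itoa(namedPortNo) + string(ipFamily) + "namedport"))
 encoded := base32.StdEncoding.EncodeToString(hash[:])
-return kubeDestinationIPSetPrefix + encoded[:16]
+return ipSetName(kubeDestinationIPSetPrefix + encoded[:16], ipFamily)
 }
 
 func policyIndexedEgressNamedPortIPSetName(
 namespace, policyName string, egressRuleNo, namedPortNo int, ipFamily api.IPFamily) string {
 hash := sha256.Sum256([]byte(namespace + policyName + "egressrule" + strconv.Itoa(egressRuleNo) +
 strconv.Itoa(namedPortNo) + string(ipFamily) + "namedport"))
 encoded := base32.StdEncoding.EncodeToString(hash[:])
-return kubeDestinationIPSetPrefix + encoded[:16]
+return ipSetName(kubeDestinationIPSetPrefix + encoded[:16], ipFamily)
 }
 
 func policyRulePortsHasNamedPort(npPorts []networking.NetworkPolicyPort) bool {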
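Review bot: All eight builders now return `ipSetName(<prefix> + encoded[:16], ipFamily)`, and the accompanying test shows the IPv6 result gains an `inet6:` prefix, so the final name is prefix + 6 + 16 characters long; the `kubeSourceIPSetPrefix`/`kubeDestinationIPSetPrefix` constants are outside this hunk, and the kernel caps ipset names at 31 characters (IPSET_MAXNAMELEN), so an overlong name would presumably only surface when the set is created rather than here. A comment on the first builder such as `// the 16-char hash suffix plus the family prefix added by ipSetName must keep the name within ipset's 31-character limit` would pin that invariant, and a length assertion in the test would enforce it. The eight functions also differ only in the prefix constant and the hash input, which is exactly how the old code drifted out of step with ipSetName; a single private helper taking `(prefix, key string, ipFamily api.IPFamily)` and doing the hash, encode and ipSetName call would remove that duplication.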

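--- a/pkg/controllers/netpol/policy_test.go
+++ b/pkg/controllers/netpol/policy_test.go
@@ -0,0 +1,87 @@
+package netpol
+
+import (
+"strings"
+"testing"
+
+"github.com/stretchr/testify/assert"
+v1 "k8s.io/api/core/v1"
+)
+
+func testNamePrefix(t *testing.T, testString string, isIPv6 bool) {
+if isIPv6 {
+assert.Truef(t, strings.HasPrefix(testString, "inet6:"), "%s is IPv6 and should begin with inet6:", testString)
+}
+}
+
+func Test_policySourcePodIPSetName(t *testing.T) {
+t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+setName := policySourcePodIPSetName("foo", "bar", v1.IPv4Protocol)
+testNamePrefix(t, setName, false)
+setName = policySourcePodIPSetName("foo", "bar", v1.IPv6Protocol)
+testNamePrefix(t, setName, true)
+})
+}
+
+func Test_policyDestinationPodIPSetName(t *testing.T) {
+t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+setName := policyDestinationPodIPSetName("foo", "bar", v1.IPv4Protocol)
+testNamePrefix(t, setName, false)
+setName = policyDestinationPodIPSetName("foo", "bar", v1.IPv6Protocol)
+testNamePrefix(t, setName, true)
+})
+}
+
+func Test_policyIndexedSourcePodIPSetName(t *testing.T) {
+t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+setName := policyIndexedSourcePodIPSetName("foo", "bar", 1, v1.IPv4Protocol)
+testNamePrefix(t, setName, false)
+setName = policyIndexedSourcePodIPSetName("foo", "bar", 1, v1.IPv6Protocol)
+testNamePrefix(t, setName, true)
+})
+}
+
+func Test_policyIndexedDestinationPodIPSetName(t *testing.T) {
+t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+setName := policyIndexedDestinationPodIPSetName("foo", "bar", 1, v1.IPv4Protocol)
+testNamePrefix(t, setName, false)
+setName = policyIndexedDestinationPodIPSetName("foo", "bar", 1, v1.IPv6Protocol)
+testNamePrefix(t, setName, true)
+})
+}
+
+func Test_policyIndexedSourceIPBlockIPSetName(t *testing.T) {
+t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+setName := policyIndexedSourceIPBlockIPSetName("foo", "bar", 1, v1.IPv4Protocol)
+testNamePrefix(t, setName, false)
+setName = policyIndexedSourceIPBlockIPSetName("foo", "bar", 1, v1.IPv6Protocol)
+testNamePrefix(t, setName, true)
+})
+}
+
+func Test_policyIndexedDestinationIPBlockIPSetName(t *testing.T) {
+t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+setName := policyIndexedDestinationIPBlockIPSetName("foo", "bar", 1, v1.IPv4Protocol)
+testNamePrefix(t, setName, false)
+setName = policyIndexedDestinationIPBlockIPSetName("foo", "bar", 1, v1.IPv6Protocol)
+testNamePrefix(t, setName, true)
+})
+}
+
+func Test_policyIndexedIngressNamedPortIPSetName(t *testing.T) {
+t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+setName := policyIndexedIngressNamedPortIPSetName("foo", "bar", 1, 1, v1.IPv4Protocol)
+testNamePrefix(t, setName, false)
+setName = policyIndexedIngressNamedPortIPSetName("foo", "bar", 1, 1, v1.IPv6Protocol)
+testNamePrefix(t, setName, true)
+})
+}
+
+func Test_policyIndexedEgressNamedPortIPSetName(t *testing.T) {
+t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+setName := policyIndexedEgressNamedPortIPSetName("foo", "bar", 1, 1, v1.IPv4Protocol)
+testNamePrefix(t, setName, false)
+setName = policyIndexedEgressNamedPortIPSetName("foo", "bar", 1, 1, v1.IPv6Protocol)
+testNamePrefix(t, setName, true)
+})
+}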
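Review bot: `testNamePrefix` asserts nothing when `isIPv6` is false, so every IPv4 sub-case in this file passes vacuously and a regression that stamped `inet6:` onto IPv4 names would not be caught. Give the helper an else branch: `} else {` / `assert.Falsef(t, strings.HasPrefix(testString, "inet6:"), "%s is IPv4 and should not begin with inet6:", testString)` / `}`. The tests also never check that the IPv4 and IPv6 names produced for the same inputs differ, nor that the generated name stays within ipset's 31-character limit; both matter for the activeIPSets bookkeeping the commit message describes, and each is a one-line assertion on `setName`.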
