fix(policy): generate ipv6 names correctly

aauren · aauren · commit e63b999de978 · 2024-04-26T13:41:46.000-05:00
Use ipSetName utility method to ensure that ipset names are generated
correctly when they are formulated. This feeds into the activeIPSets map
later on, so it is important that we get the name right from the start.
diff --git a/pkg/controllers/netpol/policy.go b/pkg/controllers/netpol/policy.go
@@ -904,61 +904,61 @@ func networkPolicyChainName(namespace, policyName string, version string, ipFami
 func policySourcePodIPSetName(namespace, policyName string, ipFamily api.IPFamily) string {
 	hash := sha256.Sum256([]byte(namespace + policyName + string(ipFamily)))
 	encoded := base32.StdEncoding.EncodeToString(hash[:])
-	return kubeSourceIPSetPrefix + encoded[:16]
+	return ipSetName(kubeSourceIPSetPrefix + encoded[:16], ipFamily)
 }
 
 func policyDestinationPodIPSetName(namespace, policyName string, ipFamily api.IPFamily) string {
 	hash := sha256.Sum256([]byte(namespace + policyName + string(ipFamily)))
 	encoded := base32.StdEncoding.EncodeToString(hash[:])
-	return kubeDestinationIPSetPrefix + encoded[:16]
+	return ipSetName(kubeDestinationIPSetPrefix + encoded[:16], ipFamily)
 }
 
 func policyIndexedSourcePodIPSetName(
 	namespace, policyName string, ingressRuleNo int, ipFamily api.IPFamily) string {
 	hash := sha256.Sum256([]byte(namespace + policyName + "ingressrule" + strconv.Itoa(ingressRuleNo) +
 		string(ipFamily) + "pod"))
 	encoded := base32.StdEncoding.EncodeToString(hash[:])
-	return kubeSourceIPSetPrefix + encoded[:16]
+	return ipSetName(kubeSourceIPSetPrefix + encoded[:16], ipFamily)
 }
 
 func policyIndexedDestinationPodIPSetName(
 	namespace, policyName string, egressRuleNo int, ipFamily api.IPFamily) string {
 	hash := sha256.Sum256([]byte(namespace + policyName + "egressrule" + strconv.Itoa(egressRuleNo) +
 		string(ipFamily) + "pod"))
 	encoded := base32.StdEncoding.EncodeToString(hash[:])
-	return kubeDestinationIPSetPrefix + encoded[:16]
+	return ipSetName(kubeDestinationIPSetPrefix + encoded[:16], ipFamily)
 }
 
 func policyIndexedSourceIPBlockIPSetName(
 	namespace, policyName string, ingressRuleNo int, ipFamily api.IPFamily) string {
 	hash := sha256.Sum256([]byte(namespace + policyName + "ingressrule" + strconv.Itoa(ingressRuleNo) +
 		string(ipFamily) + "ipblock"))
 	encoded := base32.StdEncoding.EncodeToString(hash[:])
-	return kubeSourceIPSetPrefix + encoded[:16]
+	return ipSetName(kubeSourceIPSetPrefix + encoded[:16], ipFamily)
 }
 
 func policyIndexedDestinationIPBlockIPSetName(
 	namespace, policyName string, egressRuleNo int, ipFamily api.IPFamily) string {
 	hash := sha256.Sum256([]byte(namespace + policyName + "egressrule" + strconv.Itoa(egressRuleNo) +
 		string(ipFamily) + "ipblock"))
 	encoded := base32.StdEncoding.EncodeToString(hash[:])
-	return kubeDestinationIPSetPrefix + encoded[:16]
+	return ipSetName(kubeDestinationIPSetPrefix + encoded[:16], ipFamily)
 }
 
 func policyIndexedIngressNamedPortIPSetName(
 	namespace, policyName string, ingressRuleNo, namedPortNo int, ipFamily api.IPFamily) string {
 	hash := sha256.Sum256([]byte(namespace + policyName + "ingressrule" + strconv.Itoa(ingressRuleNo) +
 		strconv.Itoa(namedPortNo) + string(ipFamily) + "namedport"))
 	encoded := base32.StdEncoding.EncodeToString(hash[:])
-	return kubeDestinationIPSetPrefix + encoded[:16]
+	return ipSetName(kubeDestinationIPSetPrefix + encoded[:16], ipFamily)
 }
 
 func policyIndexedEgressNamedPortIPSetName(
 	namespace, policyName string, egressRuleNo, namedPortNo int, ipFamily api.IPFamily) string {
 	hash := sha256.Sum256([]byte(namespace + policyName + "egressrule" + strconv.Itoa(egressRuleNo) +
 		strconv.Itoa(namedPortNo) + string(ipFamily) + "namedport"))
 	encoded := base32.StdEncoding.EncodeToString(hash[:])
-	return kubeDestinationIPSetPrefix + encoded[:16]
+	return ipSetName(kubeDestinationIPSetPrefix + encoded[:16], ipFamily)
 }
 
 func policyRulePortsHasNamedPort(npPorts []networking.NetworkPolicyPort) bool {
diff --git a/pkg/controllers/netpol/policy_test.go b/pkg/controllers/netpol/policy_test.go
@@ -0,0 +1,87 @@
+package netpol
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/core/v1"
+)
+
+func testNamePrefix(t *testing.T, testString string, isIPv6 bool) {
+	if isIPv6 {
+		assert.Truef(t, strings.HasPrefix(testString, "inet6:"), "%s is IPv6 and should begin with inet6:", testString)
+	}
+}
+
+func Test_policySourcePodIPSetName(t *testing.T) {
+	t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+		setName := policySourcePodIPSetName("foo", "bar", v1.IPv4Protocol)
+		testNamePrefix(t, setName, false)
+		setName = policySourcePodIPSetName("foo", "bar", v1.IPv6Protocol)
+		testNamePrefix(t, setName, true)
+	})
+}
+
+func Test_policyDestinationPodIPSetName(t *testing.T) {
+	t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+		setName := policyDestinationPodIPSetName("foo", "bar", v1.IPv4Protocol)
+		testNamePrefix(t, setName, false)
+		setName = policyDestinationPodIPSetName("foo", "bar", v1.IPv6Protocol)
+		testNamePrefix(t, setName, true)
+	})
+}
+
+func Test_policyIndexedSourcePodIPSetName(t *testing.T) {
+	t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+		setName := policyIndexedSourcePodIPSetName("foo", "bar", 1, v1.IPv4Protocol)
+		testNamePrefix(t, setName, false)
+		setName = policyIndexedSourcePodIPSetName("foo", "bar", 1, v1.IPv6Protocol)
+		testNamePrefix(t, setName, true)
+	})
+}
+
+func Test_policyIndexedDestinationPodIPSetName(t *testing.T) {
+	t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+		setName := policyIndexedDestinationPodIPSetName("foo", "bar", 1, v1.IPv4Protocol)
+		testNamePrefix(t, setName, false)
+		setName = policyIndexedDestinationPodIPSetName("foo", "bar", 1, v1.IPv6Protocol)
+		testNamePrefix(t, setName, true)
+	})
+}
+
+func Test_policyIndexedSourceIPBlockIPSetName(t *testing.T) {
+	t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+		setName := policyIndexedSourceIPBlockIPSetName("foo", "bar", 1, v1.IPv4Protocol)
+		testNamePrefix(t, setName, false)
+		setName = policyIndexedSourceIPBlockIPSetName("foo", "bar", 1, v1.IPv6Protocol)
+		testNamePrefix(t, setName, true)
+	})
+}
+
+func Test_policyIndexedDestinationIPBlockIPSetName(t *testing.T) {
+	t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+		setName := policyIndexedDestinationIPBlockIPSetName("foo", "bar", 1, v1.IPv4Protocol)
+		testNamePrefix(t, setName, false)
+		setName = policyIndexedDestinationIPBlockIPSetName("foo", "bar", 1, v1.IPv6Protocol)
+		testNamePrefix(t, setName, true)
+	})
+}
+
+func Test_policyIndexedIngressNamedPortIPSetName(t *testing.T) {
+	t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+		setName := policyIndexedIngressNamedPortIPSetName("foo", "bar", 1, 1, v1.IPv4Protocol)
+		testNamePrefix(t, setName, false)
+		setName = policyIndexedIngressNamedPortIPSetName("foo", "bar", 1, 1, v1.IPv6Protocol)
+		testNamePrefix(t, setName, true)
+	})
+}
+
+func Test_policyIndexedEgressNamedPortIPSetName(t *testing.T) {
+	t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+		setName := policyIndexedEgressNamedPortIPSetName("foo", "bar", 1, 1, v1.IPv4Protocol)
+		testNamePrefix(t, setName, false)
+		setName = policyIndexedEgressNamedPortIPSetName("foo", "bar", 1, 1, v1.IPv6Protocol)
+		testNamePrefix(t, setName, true)
+	})
+}
