fix(policy): generate ipv6 names correctly

Use ipSetName utility method to ensure that ipset names are generated correctly when they are formulated. This feeds into the activeIPSets map later on, so it is important that we get the name right from the start.
cloudnativelabs · Apr 26, 2024 · d12f422 · d12f422
1 parent 2c7151b
commit d12f422
Show file tree

Hide file tree

Showing 2 changed files with 95 additions and 8 deletions.
diff --git a/pkg/controllers/netpol/policy.go b/pkg/controllers/netpol/policy.go
@@ -904,61 +904,61 @@ func networkPolicyChainName(namespace, policyName string, version string, ipFami
 func policySourcePodIPSetName(namespace, policyName string, ipFamily api.IPFamily) string {
 	hash := sha256.Sum256([]byte(namespace + policyName + string(ipFamily)))
 	encoded := base32.StdEncoding.EncodeToString(hash[:])
-	return kubeSourceIPSetPrefix + encoded[:16]
+	return ipSetName(kubeSourceIPSetPrefix+encoded[:16], ipFamily)
 }
 
 func policyDestinationPodIPSetName(namespace, policyName string, ipFamily api.IPFamily) string {
 	hash := sha256.Sum256([]byte(namespace + policyName + string(ipFamily)))
 	encoded := base32.StdEncoding.EncodeToString(hash[:])
-	return kubeDestinationIPSetPrefix + encoded[:16]
+	return ipSetName(kubeDestinationIPSetPrefix+encoded[:16], ipFamily)
 }
 
 func policyIndexedSourcePodIPSetName(
 	namespace, policyName string, ingressRuleNo int, ipFamily api.IPFamily) string {
 	hash := sha256.Sum256([]byte(namespace + policyName + "ingressrule" + strconv.Itoa(ingressRuleNo) +
 		string(ipFamily) + "pod"))
 	encoded := base32.StdEncoding.EncodeToString(hash[:])
-	return kubeSourceIPSetPrefix + encoded[:16]
+	return ipSetName(kubeSourceIPSetPrefix+encoded[:16], ipFamily)
 }
 
 func policyIndexedDestinationPodIPSetName(
 	namespace, policyName string, egressRuleNo int, ipFamily api.IPFamily) string {
 	hash := sha256.Sum256([]byte(namespace + policyName + "egressrule" + strconv.Itoa(egressRuleNo) +
 		string(ipFamily) + "pod"))
 	encoded := base32.StdEncoding.EncodeToString(hash[:])
-	return kubeDestinationIPSetPrefix + encoded[:16]
+	return ipSetName(kubeDestinationIPSetPrefix+encoded[:16], ipFamily)
 }
 
 func policyIndexedSourceIPBlockIPSetName(
 	namespace, policyName string, ingressRuleNo int, ipFamily api.IPFamily) string {
 	hash := sha256.Sum256([]byte(namespace + policyName + "ingressrule" + strconv.Itoa(ingressRuleNo) +
 		string(ipFamily) + "ipblock"))
 	encoded := base32.StdEncoding.EncodeToString(hash[:])
-	return kubeSourceIPSetPrefix + encoded[:16]
+	return ipSetName(kubeSourceIPSetPrefix+encoded[:16], ipFamily)
 }
 
 func policyIndexedDestinationIPBlockIPSetName(
 	namespace, policyName string, egressRuleNo int, ipFamily api.IPFamily) string {
 	hash := sha256.Sum256([]byte(namespace + policyName + "egressrule" + strconv.Itoa(egressRuleNo) +
 		string(ipFamily) + "ipblock"))
 	encoded := base32.StdEncoding.EncodeToString(hash[:])
-	return kubeDestinationIPSetPrefix + encoded[:16]
+	return ipSetName(kubeDestinationIPSetPrefix+encoded[:16], ipFamily)
 }
 
 func policyIndexedIngressNamedPortIPSetName(
 	namespace, policyName string, ingressRuleNo, namedPortNo int, ipFamily api.IPFamily) string {
 	hash := sha256.Sum256([]byte(namespace + policyName + "ingressrule" + strconv.Itoa(ingressRuleNo) +
 		strconv.Itoa(namedPortNo) + string(ipFamily) + "namedport"))
 	encoded := base32.StdEncoding.EncodeToString(hash[:])
-	return kubeDestinationIPSetPrefix + encoded[:16]
+	return ipSetName(kubeDestinationIPSetPrefix+encoded[:16], ipFamily)
 }
 
 func policyIndexedEgressNamedPortIPSetName(
 	namespace, policyName string, egressRuleNo, namedPortNo int, ipFamily api.IPFamily) string {
 	hash := sha256.Sum256([]byte(namespace + policyName + "egressrule" + strconv.Itoa(egressRuleNo) +
 		strconv.Itoa(namedPortNo) + string(ipFamily) + "namedport"))
 	encoded := base32.StdEncoding.EncodeToString(hash[:])
-	return kubeDestinationIPSetPrefix + encoded[:16]
+	return ipSetName(kubeDestinationIPSetPrefix+encoded[:16], ipFamily)
 }
 
 func policyRulePortsHasNamedPort(npPorts []networking.NetworkPolicyPort) bool {

diff --git a/pkg/controllers/netpol/policy_test.go b/pkg/controllers/netpol/policy_test.go
@@ -0,0 +1,87 @@
+package netpol
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/core/v1"
+)
+
+func testNamePrefix(t *testing.T, testString string, isIPv6 bool) {
+	if isIPv6 {
+		assert.Truef(t, strings.HasPrefix(testString, "inet6:"), "%s is IPv6 and should begin with inet6:", testString)
+	}
+}
+
+func Test_policySourcePodIPSetName(t *testing.T) {
+	t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+		setName := policySourcePodIPSetName("foo", "bar", v1.IPv4Protocol)
+		testNamePrefix(t, setName, false)
+		setName = policySourcePodIPSetName("foo", "bar", v1.IPv6Protocol)
+		testNamePrefix(t, setName, true)
+	})
+}
+
+func Test_policyDestinationPodIPSetName(t *testing.T) {
+	t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+		setName := policyDestinationPodIPSetName("foo", "bar", v1.IPv4Protocol)
+		testNamePrefix(t, setName, false)
+		setName = policyDestinationPodIPSetName("foo", "bar", v1.IPv6Protocol)
+		testNamePrefix(t, setName, true)
+	})
+}
+
+func Test_policyIndexedSourcePodIPSetName(t *testing.T) {
+	t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+		setName := policyIndexedSourcePodIPSetName("foo", "bar", 1, v1.IPv4Protocol)
+		testNamePrefix(t, setName, false)
+		setName = policyIndexedSourcePodIPSetName("foo", "bar", 1, v1.IPv6Protocol)
+		testNamePrefix(t, setName, true)
+	})
+}
+
+func Test_policyIndexedDestinationPodIPSetName(t *testing.T) {
+	t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+		setName := policyIndexedDestinationPodIPSetName("foo", "bar", 1, v1.IPv4Protocol)
+		testNamePrefix(t, setName, false)
+		setName = policyIndexedDestinationPodIPSetName("foo", "bar", 1, v1.IPv6Protocol)
+		testNamePrefix(t, setName, true)
+	})
+}
+
+func Test_policyIndexedSourceIPBlockIPSetName(t *testing.T) {
+	t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+		setName := policyIndexedSourceIPBlockIPSetName("foo", "bar", 1, v1.IPv4Protocol)
+		testNamePrefix(t, setName, false)
+		setName = policyIndexedSourceIPBlockIPSetName("foo", "bar", 1, v1.IPv6Protocol)
+		testNamePrefix(t, setName, true)
+	})
+}
+
+func Test_policyIndexedDestinationIPBlockIPSetName(t *testing.T) {
+	t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+		setName := policyIndexedDestinationIPBlockIPSetName("foo", "bar", 1, v1.IPv4Protocol)
+		testNamePrefix(t, setName, false)
+		setName = policyIndexedDestinationIPBlockIPSetName("foo", "bar", 1, v1.IPv6Protocol)
+		testNamePrefix(t, setName, true)
+	})
+}
+
+func Test_policyIndexedIngressNamedPortIPSetName(t *testing.T) {
+	t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+		setName := policyIndexedIngressNamedPortIPSetName("foo", "bar", 1, 1, v1.IPv4Protocol)
+		testNamePrefix(t, setName, false)
+		setName = policyIndexedIngressNamedPortIPSetName("foo", "bar", 1, 1, v1.IPv6Protocol)
+		testNamePrefix(t, setName, true)
+	})
+}
+
+func Test_policyIndexedEgressNamedPortIPSetName(t *testing.T) {
+	t.Run("Check IPv4 and IPv6 names are correct", func(t *testing.T) {
+		setName := policyIndexedEgressNamedPortIPSetName("foo", "bar", 1, 1, v1.IPv4Protocol)
+		testNamePrefix(t, setName, false)
+		setName = policyIndexedEgressNamedPortIPSetName("foo", "bar", 1, 1, v1.IPv6Protocol)
+		testNamePrefix(t, setName, true)
+	})
+}