From 901e8e07e1f031456ecd7fefce965aaa05916825 Mon Sep 17 00:00:00 2001
From: Rob Scott <robertjscott@google.com>
Date: Fri, 9 Apr 2021 15:24:17 -0700
Subject: [PATCH] Updating EndpointSlice validation to match Endpoints
validation
Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/901e8e07e1f031456ecd7fefce965aaa05916825]
CVE: CVE-2021-25737
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
pkg/apis/core/validation/validation.go | 18 ++++++----
pkg/apis/discovery/validation/validation.go | 2 ++
.../discovery/validation/validation_test.go | 34 +++++++++++++++++--
3 files changed, 45 insertions(+), 9 deletions(-)
diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go
index 3daeb139d590d..c65cdd40f9061 100644
--- a/src/import/pkg/apis/core/validation/validation.go
+++ b/src/import/pkg/apis/core/validation/validation.go
@@ -4014,7 +4014,7 @@ func ValidateService(service *core.Service, allowAppProtocol bool) field.ErrorLi
allErrs = append(allErrs, field.Invalid(idxPath, ip, msgs[i]))
}
} else {
- allErrs = append(allErrs, validateNonSpecialIP(ip, idxPath)...)
+ allErrs = append(allErrs, ValidateNonSpecialIP(ip, idxPath)...)
}
}
@@ -5572,15 +5572,19 @@ func validateEndpointAddress(address *core.EndpointAddress, fldPath *field.Path)
allErrs = append(allErrs, field.Invalid(fldPath.Child("nodeName"), *address.NodeName, msg))
}
}
- allErrs = append(allErrs, validateNonSpecialIP(address.IP, fldPath.Child("ip"))...)
+ allErrs = append(allErrs, ValidateNonSpecialIP(address.IP, fldPath.Child("ip"))...)
return allErrs
}
-func validateNonSpecialIP(ipAddress string, fldPath *field.Path) field.ErrorList {
- // We disallow some IPs as endpoints or external-ips. Specifically,
- // unspecified and loopback addresses are nonsensical and link-local
- // addresses tend to be used for node-centric purposes (e.g. metadata
- // service).
+// ValidateNonSpecialIP is used to validate Endpoints, EndpointSlices, and
+// external IPs. Specifically, this disallows unspecified and loopback addresses
+// are nonsensical and link-local addresses tend to be used for node-centric
+// purposes (e.g. metadata service).
+//
+// IPv6 references
+// - https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
+// - https://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml
+func ValidateNonSpecialIP(ipAddress string, fldPath *field.Path) field.ErrorList {
allErrs := field.ErrorList{}
ip := net.ParseIP(ipAddress)
if ip == nil {
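Review bot: The doc comment on the newly exported ValidateNonSpecialIP (the `+//` lines above the signature) is ungrammatical: "this disallows unspecified and loopback addresses are nonsensical and link-local addresses tend to be used" fuses two sentences of the old comment, which read "We disallow some IPs ... Specifically, unspecified and loopback addresses are nonsensical and link-local addresses tend to be used for node-centric purposes". Now that the function is exported and called from the discovery package this comment is the contract other packages read, so it should be a proper sentence, e.g. `// ValidateNonSpecialIP is used to validate Endpoints, EndpointSlices, and external IPs. It rejects unspecified and loopback addresses, which are nonsensical as endpoints, and link-local addresses, which tend to be used for node-centric purposes (e.g. metadata service).` The body of ValidateNonSpecialIP continues past the end of the hunk, so the actual reject list is not visible here and the wording should be checked against it.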
diff --git a/pkg/apis/discovery/validation/validation.go b/pkg/apis/discovery/validation/validation.go
index 810f2ca124d57..3aa5128359d7f 100644
--- a/src/import/pkg/apis/discovery/validation/validation.go
+++ b/src/import/pkg/apis/discovery/validation/validation.go
@@ -103,8 +103,10 @@ func validateEndpoints(endpoints []discovery.Endpoint, addrType discovery.Addres
}
case discovery.AddressTypeIPv4:
allErrs = append(allErrs, validation.IsValidIPv4Address(addressPath.Index(i), address)...)
+ allErrs = append(allErrs, apivalidation.ValidateNonSpecialIP(address, addressPath.Index(i))...)
case discovery.AddressTypeIPv6:
allErrs = append(allErrs, validation.IsValidIPv6Address(addressPath.Index(i), address)...)
+ allErrs = append(allErrs, apivalidation.ValidateNonSpecialIP(address, addressPath.Index(i))...)
case discovery.AddressTypeFQDN:
allErrs = append(allErrs, validation.IsFullyQualifiedDomainName(addressPath.Index(i), address)...)
}
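Review bot: A malformed IPv4 or IPv6 address now produces two errors on the same field in the two added lines, because IsValidIPv4Address/IsValidIPv6Address report it and ValidateNonSpecialIP re-parses it with net.ParseIP (visible at the end of the core hunk) and reports it again; the raised counts in the test hunks suggest this is accepted, but if one error per field is preferred the second call should run only when the first returned no errors. Either way a short comment above the new calls would keep the two validation paths from drifting apart, e.g. `// EndpointSlice addresses are subject to the same special-IP rules as core Endpoints; keep in step with validateEndpointAddress.` validateEndpoints starts before and ends after the hunk.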
diff --git a/pkg/apis/discovery/validation/validation_test.go b/pkg/apis/discovery/validation/validation_test.go
index 060545f93ab31..3c8a5465128a9 100644
--- a/src/import/pkg/apis/discovery/validation/validation_test.go
+++ b/src/import/pkg/apis/discovery/validation/validation_test.go
@@ -390,7 +390,7 @@ func TestValidateEndpointSlice(t *testing.T) {
},
},
"bad-ipv4": {
- expectedErrors: 2,
+ expectedErrors: 3,
endpointSlice: &discovery.EndpointSlice{
ObjectMeta: standardMeta,
AddressType: discovery.AddressTypeIPv4,
@@ -405,7 +405,7 @@ func TestValidateEndpointSlice(t *testing.T) {
},
},
"bad-ipv6": {
- expectedErrors: 2,
+ expectedErrors: 4,
endpointSlice: &discovery.EndpointSlice{
ObjectMeta: standardMeta,
AddressType: discovery.AddressTypeIPv6,
@@ -454,6 +454,36 @@ func TestValidateEndpointSlice(t *testing.T) {
expectedErrors: 3,
endpointSlice: &discovery.EndpointSlice{},
},
+ "special-ipv4": {
+ expectedErrors: 1,
+ endpointSlice: &discovery.EndpointSlice{
+ ObjectMeta: standardMeta,
+ AddressType: discovery.AddressTypeIPv4,
+ Ports: []discovery.EndpointPort{{
+ Name: utilpointer.StringPtr("http"),
+ Protocol: protocolPtr(api.ProtocolTCP),
+ }},
+ Endpoints: []discovery.Endpoint{{
+ Addresses: []string{"127.0.0.1"},
+ Hostname: utilpointer.StringPtr("valid-123"),
+ }},
+ },
+ },
+ "special-ipv6": {
+ expectedErrors: 1,
+ endpointSlice: &discovery.EndpointSlice{
+ ObjectMeta: standardMeta,
+ AddressType: discovery.AddressTypeIPv6,
+ Ports: []discovery.EndpointPort{{
+ Name: utilpointer.StringPtr("http"),
+ Protocol: protocolPtr(api.ProtocolTCP),
+ }},
+ Endpoints: []discovery.Endpoint{{
+ Addresses: []string{"fe80::9656:d028:8652:66b6"},
+ Hostname: utilpointer.StringPtr("valid-123"),
+ }},
+ },
+ },
}
for name, testCase := range testCases {
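Review bot: The new cases cover only a loopback IPv4 and a link-local IPv6 address, while the doc comment on ValidateNonSpecialIP in the core hunk also names unspecified addresses as rejected; adding cases with `Addresses: []string{"0.0.0.0"}` and `Addresses: []string{"::"}` would pin that EndpointSlice rejects those too. Without them a regression in that branch would pass this test unnoticed. The testCases map and TestValidateEndpointSlice continue outside the hunk.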