network-policy-api icon indicating copy to clipboard operation
network-policy-api copied to clipboard
verified publisher icon kubernetes-sigs

Fix validation of CIDR fields

Open danwinship opened this issue 2 months ago • 11 comments

re https://github.com/kubernetes/kubernetes/issues/134224; isCIDR() allows both "mask-like" CIDRs ("192.168.0.0/24") and "address-like" CIDRs ("192.168.0.5/24"). We only want the former.

(If isCIDR() gets changed, then the extra clause here will just be a no-op, but we'll have better backward-compatibility this way.)

danwinship avatar Sep 24 '25 15:09 danwinship

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danwinship

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot avatar Sep 24 '25 15:09 k8s-ci-robot

Deploy Preview for kubernetes-sigs-network-policy-api ready!

Name Link
Latest commit e6300dc94760147e200ac79a5e946fb74d1c9324
Latest deploy log https://app.netlify.com/projects/kubernetes-sigs-network-policy-api/deploys/68f7b18aee17cc0008f28d75
Deploy Preview https://deploy-preview-324--kubernetes-sigs-network-policy-api.netlify.app
Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

netlify[bot] avatar Sep 24 '25 15:09 netlify[bot]

uh...

The CustomResourceDefinition "adminnetworkpolicies.policy.networking.k8s.io" is invalid: spec.validation.openAPIV3Schema.properties[spec].properties[egress].items.properties[to].items.properties[networks].items.x-kubernetes-validations[0].rule: Forbidden: estimated rule cost exceeds budget by factor of 1.475000x (try simplifying the rule, or adding maxItems, maxProperties, and maxLength where arrays, maps, and strings are declared)

danwinship avatar Sep 24 '25 16:09 danwinship

@tssurya @npinaeva any ideas about how to deal with that CEL cost error? ^^^

danwinship avatar Sep 29 '25 13:09 danwinship

@tssurya @npinaeva any ideas about how to deal with that CEL cost error? ^^^

this suggests something is unbounded OR if everything is bounded then yea I remember hitting this error before and I had to play around with the maximum numbers to make it reasonable. IIRC the problem is that we can have 100 egress rules and each rule can have 100 peers and then each peer could be 25 network cidrs.. that's too much? 100x100x25? the only way to fix this is to reduce this number somewhere..

so see if 20 cidr's or 15 fixes this?

I remember I chose 25 cidrs cause back then as well cost exceeded for higher numbers.. :)

tssurya avatar Sep 29 '25 16:09 tssurya

uh...

The CustomResourceDefinition "adminnetworkpolicies.policy.networking.k8s.io" is invalid: spec.validation.openAPIV3Schema.properties[spec].properties[egress].items.properties[to].items.properties[networks].items.x-kubernetes-validations[0].rule: Forbidden: estimated rule cost exceeds budget by factor of 1.475000x (try simplifying the rule, or adding maxItems, maxProperties, and maxLength where arrays, maps, and strings are declared)

@tssurya @npinaeva any ideas about how to deal with that CEL cost error? ^^^

this suggests something is unbounded OR if everything is bounded then yea I remember hitting this error before and I had to play around with the maximum numbers to make it reasonable. IIRC the problem is that we can have 100 egress rules and each rule can have 100 peers and then each peer could be 25 network cidrs.. that's too much? 100x100x25? the only way to fix this is to reduce this number somewhere..

so see if 20 cidr's or 15 fixes this?

I remember I chose 25 cidrs cause back then as well cost exceeded for higher numbers.. :)

@jpbetz @cici37 any best practices or guidelines we can follow here?

aojea avatar Sep 29 '25 21:09 aojea

/lgtm

bowei avatar Oct 03 '25 21:10 bowei

https://github.com/kubernetes/kubernetes/issues/120973#issuecomment-3381265267

danwinship avatar Oct 08 '25 12:10 danwinship

New changes are detected. LGTM label has been removed.

k8s-ci-robot avatar Oct 09 '25 13:10 k8s-ci-robot

will rebasing help since https://github.com/kubernetes-sigs/network-policy-api/pull/329 merged?

npinaeva avatar Oct 16 '25 15:10 npinaeva

@danwinship: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-network-policy-api-crd-e2e e6300dc94760147e200ac79a5e946fb74d1c9324 link true /test pull-network-policy-api-crd-e2e

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

k8s-ci-robot avatar Oct 21 '25 16:10 k8s-ci-robot