in pkg/api/v20230701preview/openshiftcluster_validatestatic.go [205:274]
func (sv openShiftClusterStaticValidator) validateNetworkProfile(path string, np *NetworkProfile, apiServerVisibility Visibility, ingressVisibility Visibility) error {
podIP, pod, err := net.ParseCIDR(np.PodCIDR)
if err != nil {
return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidParameter, path+".podCidr", fmt.Sprintf("The provided pod CIDR '%s' is invalid: '%s'.", np.PodCIDR, err))
}
if pod.IP.To4() == nil {
return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidParameter, path+".podCidr", fmt.Sprintf("The provided pod CIDR '%s' is invalid: must be IPv4.", np.PodCIDR))
}
for _, s := range api.JoinCIDRRange {
_, cidr, _ := net.ParseCIDR(s)
if cidr.Contains(pod.IP) || pod.Contains(cidr.IP) {
return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidCIDRRange, path, fmt.Sprintf("Azure Red Hat OpenShift uses 100.64.0.0/16, 169.254.169.0/29, and 100.88.0.0/16 IP address ranges internally. Do not include this '%s' IP address range in any other CIDR definitions in your cluster.", np.PodCIDR))
}
}
ones, _ := pod.Mask.Size()
if ones > 18 {
return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidParameter, path+".podCidr", fmt.Sprintf("The provided vnet CIDR '%s' is invalid: must be /18 or larger.", np.PodCIDR))
}
nip := podIP.Mask(pod.Mask)
if nip.String() != podIP.String() {
return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidNetworkAddress, path+".podCidr", fmt.Sprintf("The provided pod CIDR '%s' is invalid, expecting: '%s/%d'.", np.PodCIDR, nip.String(), ones))
}
serviceIP, service, err := net.ParseCIDR(np.ServiceCIDR)
if err != nil {
return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidParameter, path+".serviceCidr", fmt.Sprintf("The provided service CIDR '%s' is invalid: '%s'.", np.ServiceCIDR, err))
}
if service.IP.To4() == nil {
return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidParameter, path+".serviceCidr", fmt.Sprintf("The provided service CIDR '%s' is invalid: must be IPv4.", np.ServiceCIDR))
}
for _, s := range api.JoinCIDRRange {
_, cidr, _ := net.ParseCIDR(s)
if cidr.Contains(service.IP) || service.Contains(cidr.IP) {
return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidCIDRRange, path, fmt.Sprintf("Azure Red Hat OpenShift uses 100.64.0.0/16, 169.254.169.0/29, and 100.88.0.0/16 IP address ranges internally. Do not include this '%s' IP address range in any other CIDR definitions in your cluster.", np.ServiceCIDR))
}
}
ones, _ = service.Mask.Size()
if ones > 22 {
return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidParameter, path+".serviceCidr", fmt.Sprintf("The provided vnet CIDR '%s' is invalid: must be /22 or larger.", np.ServiceCIDR))
}
nip = serviceIP.Mask(service.Mask)
if nip.String() != serviceIP.String() {
return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidNetworkAddress, path+".serviceCidr", fmt.Sprintf("The provided service CIDR '%s' is invalid, expecting: '%s/%d'.", np.ServiceCIDR, nip.String(), ones))
}
if np.OutboundType != "" {
if np.OutboundType != OutboundTypeLoadbalancer && np.OutboundType != OutboundTypeUserDefinedRouting {
return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidParameter, path+".outboundType", fmt.Sprintf("The provided outboundType '%s' is invalid: must be UserDefinedRouting or Loadbalancer.", np.OutboundType))
}
if np.OutboundType == OutboundTypeUserDefinedRouting && (apiServerVisibility != VisibilityPrivate || ingressVisibility != VisibilityPrivate) {
return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidParameter, path+".outboundType", fmt.Sprintf("The provided outboundType '%s' is invalid: cannot use UserDefinedRouting if either API Server Visibility or Ingress Visibility is public.", np.OutboundType))
}
}
if np.OutboundType == OutboundTypeUserDefinedRouting && np.LoadBalancerProfile != nil {
return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidParameter, path+".loadBalancerProfile", "The provided loadBalancerProfile is invalid: cannot use a loadBalancerProfile if outboundType is UserDefinedRouting.")
}
return nil
}