Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DESTINATION_IPS in network experiments don't support CIDR blocks #717

Open
bitnahian opened this issue Oct 23, 2024 · 0 comments
Open

DESTINATION_IPS in network experiments don't support CIDR blocks #717

bitnahian opened this issue Oct 23, 2024 · 0 comments

Comments

@bitnahian
Copy link

bitnahian commented Oct 23, 2024
edited
Loading

Is this a BUG REPORT or FEATURE REQUEST?

BUG REPORT

The following function specifically in line

litmus-go/chaoslib/litmus/pod-network-partition/lib/network-policy.go

Line 201 in 0cd6c6f

uniqueIps = append(uniqueIps, ips[i]+"/32") 

// setExceptIPs sets all the destination ips
// for which traffic should be blocked
func (np *NetworkPolicy) setExceptIPs(experimentsDetails *experimentTypes.ExperimentDetails) error {
...
		if ips[i] != "" && !isPresent && !strings.Contains(ips[i], ":") {
			uniqueIps = append(uniqueIps, ips[i]+"/32")
		}
	}
	np.ExceptIPs = uniqueIps
	return nil
}

Always adds /32 to IP addresses, unassuming that Destination IPs can be CIDR blocks. In fact, the documentation states so:

DESTINATION_IPS: It contains the IP addresses of the services or pods or the CIDR blocks(range of IPs), the accessibility to which is impacted.

What happened:

When adding a CIDR range to an except IPblock, which is supported like so intended:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: multi-port-egress
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 10.0.0.0/24
      ports:
        - protocol: TCP
          port: 32000
          endPort: 32768

It actually tries to create:

  egress:
    - to:
        - ipBlock:
            cidr: 10.0.0.0/24/32 # <-- ERROR

This raises the following error:

{"errorCode":"CHAOS_INJECT_ERROR","phase":"ChaosInject","reason":"failed to create network policy: NetworkPolicy.networking.k8s.io \"pod-network-partition-np-glob6h\" is invalid: [spec.ingress[0].from[2].ipBlock.except[2]: Invalid value: \"X.X.X.X/30/32\": not a valid CIDR, spec.egress[0].to[2].ipBlock.except[2]: Invalid value: \"Y.Y.Y.Y/30/32\": not a valid CIDR]"}

What you expected to happen:

Work according to expected code block above.

How to reproduce it (as minimally and precisely as possible):

Create pod-network-partition-loss experiment with CIDR block destination IPs.

Anything else we need to know?:

Litmus Version: 3.11

I would like to contribute by providing a fix to this issue. :)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@bitnahian