

Merge pull request kubernetes-sigs#2251 from oliviassss/port_range_restriction

add boundary cases and refactor computeRestrictedIngressPermissionsPerSG
k8s-ci-robot authored Sep 24, 2021
2 parents 92445ac + cdecea3 commit 6d5dade
Showing 2 changed files with 208 additions and 8 deletions.
18 changes: 10 additions & 8 deletions pkg/targetgroupbinding/networking_manager.go
Expand Up @@ -288,15 +288,17 @@ func (m *defaultNetworkingManager) computeRestrictedIngressPermissionsPerSG(ctx
}
permForCurrGroup := perms[0]
for _, perm := range perms {
if awssdk.Int64Value(perm.Permission.FromPort) > 0 && awssdk.Int64Value(perm.Permission.FromPort) < minPort {
minPort = awssdk.Int64Value(perm.Permission.FromPort)
if awssdk.Int64Value(perm.Permission.FromPort) == 0 && awssdk.Int64Value(perm.Permission.ToPort) == 0 {
minPort = defaultTgbMinPort
maxPort = defaultTgbMaxPort
} else {
if awssdk.Int64Value(perm.Permission.FromPort) < minPort {
minPort = awssdk.Int64Value(perm.Permission.FromPort)
}
if awssdk.Int64Value(perm.Permission.ToPort) > maxPort {
maxPort = awssdk.Int64Value(perm.Permission.ToPort)
}
}
if awssdk.Int64Value(perm.Permission.ToPort) > maxPort {
maxPort = awssdk.Int64Value(perm.Permission.ToPort)
}
}
if minPort > maxPort {
minPort, maxPort = defaultTgbMinPort, defaultTgbMaxPort
}
permForCurrGroup.Permission.FromPort = awssdk.Int64(minPort)
permForCurrGroup.Permission.ToPort = awssdk.Int64(maxPort)
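Review bot: The new branch `if awssdk.Int64Value(perm.Permission.FromPort) == 0 && awssdk.Int64Value(perm.Permission.ToPort) == 0` relies on `Int64Value` mapping a nil pointer to 0, so an unset port range and an explicit 0/0 pair are handled identically and both expand the merged rule to defaultTgbMinPort–defaultTgbMaxPort (0–65535 per the accompanying tests); nothing in the hunk says so, and it is the line a reader is most likely to misread. Because minPort only ever decreases and maxPort only ever increases inside the loop, a single permission with unset ports widens the ingress rule for the whole security group to every port even when all other permissions on that SG pin a single port — a deliberate least-privilege trade-off that should be stated where it happens. I would put `// nil ports (Int64Value -> 0) or an explicit 0/0 mean the TGB did not pin a port range: open the full default range. Note this widens the merged rule for the entire SG.` directly above the branch. As a point of style, hoisting `from, to := awssdk.Int64Value(perm.Permission.FromPort), awssdk.Int64Value(perm.Permission.ToPort)` to the top of the loop body removes six repeated conversions and makes the comparisons readable. The enclosing function and the initial values of minPort/maxPort lie outside the hunk, so whether the added `minPort > maxPort` fallback is reachable after the loop cannot be confirmed from here.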
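--- a/pkg/targetgroupbinding/networking_manager_test.go
+++ b/pkg/targetgroupbinding/networking_manager_test.go
@@ -869,6 +869,204 @@ func Test_defaultNetworkingManager_computeRestrictedIngressPermissionsPerSG(t *t
 fields fields
 want map[string][]networking.IPPermissionInfo
 }{
+{
+name: "single sg, port not assigned",
+fields: fields{
+ingressPermissionsPerSGByTGB: map[types.NamespacedName]map[string][]networking.IPPermissionInfo{
+types.NamespacedName{Namespace: "ns-1", Name: "tgb-1"}: {
+"sg-a": {
+{
+Permission: ec2sdk.IpPermission{
+IpProtocol: awssdk.String("tcp"),
+FromPort: nil,
+ToPort: nil,
+UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+{GroupId: awssdk.String("group-1")},
+},
+},
+},
+},
+},
+},
+},
+want: map[string][]networking.IPPermissionInfo{
+"sg-a": {
+{
+Permission: ec2sdk.IpPermission{
+IpProtocol: awssdk.String("tcp"),
+FromPort: awssdk.Int64(0),
+ToPort: awssdk.Int64(65535),
+UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+{GroupId: awssdk.String("group-1")},
+},
+},
+Labels: map[string]string(nil),
+},
+},
+},
+},
+{
+name: "multiple sgs, port not assigned",
+fields: fields{
+ingressPermissionsPerSGByTGB: map[types.NamespacedName]map[string][]networking.IPPermissionInfo{
+types.NamespacedName{Namespace: "ns-1", Name: "tgb-1"}: {
+"sg-a": {
+{
+Permission: ec2sdk.IpPermission{
+IpProtocol: awssdk.String("tcp"),
+FromPort: nil,
+ToPort: nil,
+UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+{GroupId: awssdk.String("group-1")},
+},
+},
+},
+},
+},
+types.NamespacedName{Namespace: "ns-1", Name: "tgb-2"}: {
+"sg-b": {
+{
+Permission: ec2sdk.IpPermission{
+IpProtocol: awssdk.String("tcp"),
+FromPort: nil,
+ToPort: nil,
+UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+{GroupId: awssdk.String("group-2")},
+},
+},
+},
+},
+},
+},
+},
+want: map[string][]networking.IPPermissionInfo{
+"sg-a": {
+{
+Permission: ec2sdk.IpPermission{
+IpProtocol: awssdk.String("tcp"),
+FromPort: awssdk.Int64(0),
+ToPort: awssdk.Int64(65535),
+UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+{GroupId: awssdk.String("group-1")},
+},
+},
+Labels: map[string]string(nil),
+},
+},
+"sg-b": {
+{
+Permission: ec2sdk.IpPermission{
+IpProtocol: awssdk.String("tcp"),
+FromPort: awssdk.Int64(0),
+ToPort: awssdk.Int64(65535),
+UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+{GroupId: awssdk.String("group-2")},
+},
+},
+Labels: map[string]string(nil),
+},
+},
+},
+},
+{
+name: "single sg, port range 0 - 65535",
+fields: fields{
+ingressPermissionsPerSGByTGB: map[types.NamespacedName]map[string][]networking.IPPermissionInfo{
+types.NamespacedName{Namespace: "ns-1", Name: "tgb-1"}: {
+"sg-a": {
+{
+Permission: ec2sdk.IpPermission{
+IpProtocol: awssdk.String("tcp"),
+FromPort: awssdk.Int64(0),
+ToPort: awssdk.Int64(65535),
+UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+{GroupId: awssdk.String("group-1")},
+},
+},
+},
+},
+},
+},
+},
+want: map[string][]networking.IPPermissionInfo{
+"sg-a": {
+{
+Permission: ec2sdk.IpPermission{
+IpProtocol: awssdk.String("tcp"),
+FromPort: awssdk.Int64(0),
+ToPort: awssdk.Int64(65535),
+UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+{GroupId: awssdk.String("group-1")},
+},
+},
+Labels: map[string]string(nil),
+},
+},
+},
+},
+{
+name: "multiple sgs, port range 0 - 65535",
+fields: fields{
+ingressPermissionsPerSGByTGB: map[types.NamespacedName]map[string][]networking.IPPermissionInfo{
+types.NamespacedName{Namespace: "ns-1", Name: "tgb-1"}: {
+"sg-a": {
+{
+Permission: ec2sdk.IpPermission{
+IpProtocol: awssdk.String("tcp"),
+FromPort: awssdk.Int64(0),
+ToPort: awssdk.Int64(65535),
+UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+{GroupId: awssdk.String("group-1")},
+},
+},
+},
+},
+},
+types.NamespacedName{Namespace: "ns-1", Name: "tgb-2"}: {
+"sg-b": {
+{
+Permission: ec2sdk.IpPermission{
+IpProtocol: awssdk.String("tcp"),
+FromPort: awssdk.Int64(0),
+ToPort: awssdk.Int64(65535),
+UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+{GroupId: awssdk.String("group-2")},
+},
+},
+},
+},
+},
+},
+},
+want: map[string][]networking.IPPermissionInfo{
+"sg-a": {
+{
+Permission: ec2sdk.IpPermission{
+IpProtocol: awssdk.String("tcp"),
+FromPort: awssdk.Int64(0),
+ToPort: awssdk.Int64(65535),
+UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+{GroupId: awssdk.String("group-1")},
+},
+},
+Labels: map[string]string(nil),
+},
+},
+"sg-b": {
+{
+Permission: ec2sdk.IpPermission{
+IpProtocol: awssdk.String("tcp"),
+FromPort: awssdk.Int64(0),
+ToPort: awssdk.Int64(65535),
+UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+{GroupId: awssdk.String("group-2")},
+},
+},
+Labels: map[string]string(nil),
+},
+},
+},
+},
 {
 name: "single sg, single protocol",
 fields: fields{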
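Review bot: The four added cases cover unset ports and an explicit 0–65535 range, but none exercises the merge the production change actually alters: two TGBs contributing to the same security group where one pins a port and the other leaves FromPort/ToPort nil. Both "multiple sgs" cases use distinct groups (`sg-a` and `sg-b`), so minPort/maxPort are never aggregated across TGBs, and a future change that stopped widening the rule — or widened it unintentionally — would pass this table unnoticed. A case along the lines below would pin that behaviour; the expected value would be a single `sg-a` permission with `FromPort: awssdk.Int64(0)` and `ToPort: awssdk.Int64(65535)`, assuming the grouping that precedes the loop merges the two permissions, which the hunk does not show. The test table continues outside the hunk.

```go
{
	name: "single sg, one tgb pins 443 and another leaves ports unset",
	fields: fields{
		ingressPermissionsPerSGByTGB: map[types.NamespacedName]map[string][]networking.IPPermissionInfo{
			types.NamespacedName{Namespace: "ns-1", Name: "tgb-1"}: {
				"sg-a": {{Permission: ec2sdk.IpPermission{
					IpProtocol:       awssdk.String("tcp"),
					FromPort:         awssdk.Int64(443),
					ToPort:           awssdk.Int64(443),
					UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{{GroupId: awssdk.String("group-1")}},
				}}},
			},
			types.NamespacedName{Namespace: "ns-1", Name: "tgb-2"}: {
				"sg-a": {{Permission: ec2sdk.IpPermission{
					IpProtocol:       awssdk.String("tcp"),
					FromPort:         nil,
					ToPort:           nil,
					UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{{GroupId: awssdk.String("group-1")}},
				}}},
			},
		},
	},
	// … want: "sg-a" with one tcp permission for group-1, FromPort 0 / ToPort 65535, Labels nil — same shape as the existing cases …
},
```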
