feat(CSI-244): match subnets if existing in client rule

[sergeyberezansky]

TL;DR

Improved NFS client group rule matching to include superset IP networks.

What changed?

• Added IsSupersetOf method to NfsClientGroupRule to check if a rule covers a larger IP range.
• Updated FindNfsClientGroupRulesByFilter to include rules that are supersets of the query.
• Implemented GetMaskBits method for Network to calculate CIDR notation.
• Enhanced ContainsIPAddress method to handle cases where CIDR parsing fails.
• Added unit tests for the new IsSupersetOf functionality.

How to test?

1. Run the new unit tests in nfs_test.go.
2. Test the FindNfsClientGroupRulesByFilter function with various IP ranges and ensure it returns both exact matches and superset rules.
3. Verify that the ContainsIPAddress method correctly identifies IP addresses within a given network range.

Why make this change?

This change improves the flexibility and accuracy of NFS client group rule matching. By including superset IP networks, the system can now identify and apply rules that cover a broader range of IP addresses, enhancing the overall functionality of the NFS access control system.

When having an extremely large Kubernetes clusters, adding node IP addresses to client group could harm the rule matching performance or hit limits on max. number of rules. This allows using a subnet addresses (those should be configured by administrator)

---

[sergeyberezansky]

• chore(deps): update sidecar versions #326
• docs(CSI-254): update official docs link in Helm templates and README #323
• feat(CSI-252): implement kubelet PVC stats #322
• refactor(CSI-250): do not maintain redundant active mounts from node server after publishing volume #320
• feat(CSI-247): implement InterfaceGroup.GetRandomIpAddress() #319
• feat(CSI-249): optimize NFS mounter to use multiple targets #318
• fix(CSI-241): fix unmountWithOptions to use map key rather than options.String() #317
• feat(CSI-245): allow specifying client group for NFS #316
• chore(deps): update packages to latest versions and Go to 1.22.5 #314
• chore(deps): combine chmod with ADD in Dockerfile #313
• feat(CSI-239): moveToTrash does not return error to upper layers #312
• fix(CSI-243): service accounts for CSI plugin assume ImagePullSecret and cause error messages. #311
• feat(CSI-244): match subnets if existing in client rule #315 👈
• fix(CSI-241): conflict in metrics between node and controller #325
• feat(CSI-213): support NFS transport #299
• fix(CSI-241): disregard sync_on_close in mountmap per FS #310
• feat(CSI-253): support custom CA certificate in API secret #324
• dev

This stack of pull requests is managed by Graphite. Learn more about stacking.

Join @sergeyberezansky and the rest of your teammates on Graphite

[graphite-app]

Graphite Automations

"Request reviewers once CI passes" took an action on this PR • (09/03/24)

1 reviewer was added to this PR based on Sergey Berezansky's automation.

[sergeyberezansky]

Merge activity

• Sep 12, 6:10 AM EDT: @sergeyberezansky started a stack merge that includes this pull request via Graphite.
• Sep 12, 6:57 AM EDT: Graphite rebased this pull request as part of a merge.
• Sep 12, 6:59 AM EDT: Graphite rebased this pull request as part of a merge.
• Sep 12, 7:04 AM EDT: @sergeyberezansky merged this pull request with Graphite.