Deny non-cluster-wide settings

Signed-off-by: Tom Wieczorek <[email protected]>
twz123 · Jul 10, 2024 · 0d55fbf · 0d55fbf
1 parent 723a6ae
commit 0d55fbf
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 5 deletions.
diff --git a/pkg/apis/k0s/v1beta1/clusterconfig_types.go b/pkg/apis/k0s/v1beta1/clusterconfig_types.go
@@ -35,8 +35,15 @@ const (
 )
 
 // ClusterSpec defines the desired state of ClusterConfig
-// +kubebuilder:validation:XValidation:rule="!has(self.api.externalAddress) || self.api.externalAddress == '' || !has(self.network.nodeLocalLoadBalancing.enabled) || !self.network.nodeLocalLoadBalancing.enabled",message="node-local load balancing cannot be used in conjunction with an external Kubernetes API server address"
+// +kubebuilder:validation:XValidation:rule="!has(self.api)",message="All API settings have to be configured in the local k0s controller configuration"
+// +kubebuilder:validation:XValidation:rule="!has(self.storage)",message="All storage settings have to be configured in the local k0s controller configuration"
+// +kubebuilder:validation:XValidation:rule="!has(self.install)",message="All install settings have to be configured in the local k0s controller configuration"
 type ClusterSpec struct {
+	// Keep the validation rules in sync with the GetClusterWideConfig method.
+
+	// some disabled rules:
+	// kubebuilder:validation:XValidation:rule="!has(self.api.externalAddress) || size(self.api.externalAddress) == nil || !has(self.network.nodeLocalLoadBalancing.enabled) || !self.network.nodeLocalLoadBalancing.enabled",message="node-local load balancing cannot be used in conjunction with an external Kubernetes API server address"
+
 	API               *APISpec               `json:"api,omitempty"`
 	ControllerManager *ControllerManagerSpec `json:"controllerManager,omitempty"`
 	Scheduler         *SchedulerSpec         `json:"scheduler,omitempty"`
@@ -382,6 +389,8 @@ func (c *ClusterConfig) Validate() (errs []error) {
 // - Network.ControlPlaneLoadBalancing
 // - Install
 func (c *ClusterConfig) GetClusterWideConfig() *ClusterConfig {
+	// Keep this method in sync with the XValidation rules.
+
 	c = c.DeepCopy()
 	if c != nil && c.Spec != nil {
 		c.Spec.API = nil

diff --git a/pkg/apis/k0s/v1beta1/network.go b/pkg/apis/k0s/v1beta1/network.go
@@ -30,7 +30,12 @@ import (
 var _ Validateable = (*Network)(nil)
 
 // Network defines the network related config options
+// +kubebuilder:validation:XValidation:rule="!has(self.serviceCIDR)",message="The service CIDR has to be configured in the local k0s controller configuration"
+// +kubebuilder:validation:XValidation:rule="!has(self.clusterDomain)",message="The cluster domain has to be configured in the local k0s controller configuration"
+// +kubebuilder:validation:XValidation:rule="!has(self.controlPlaneLoadBalancing)",message="Control plane load balancing has to be configured in the local k0s controller configuration"
 type Network struct {
+	// Keep the validation rules in sync with the GetClusterWideConfig method.
+
 	Calico    *Calico   `json:"calico"`
 	DualStack DualStack `json:"dualStack,omitempty"`
 

diff --git a/static/manifests/k0s/CustomResourceDefinition/k0s.k0sproject.io_clusterconfigs.yaml b/static/manifests/k0s/CustomResourceDefinition/k0s.k0sproject.io_clusterconfigs.yaml
@@ -722,6 +722,16 @@ spec:
                     description: Network CIDR to use for cluster VIP services
                     type: string
                 type: object
+                x-kubernetes-validations:
+                - message: The service CIDR has to be configured in the local k0s
+                    controller configuration
+                  rule: '!has(self.serviceCIDR)'
+                - message: The cluster domain has to be configured in the local k0s
+                    controller configuration
+                  rule: '!has(self.clusterDomain)'
+                - message: Control plane load balancing has to be configured in the
+                    local k0s controller configuration
+                  rule: '!has(self.controlPlaneLoadBalancing)'
               scheduler:
                 description: SchedulerSpec defines the fields for the Scheduler
                 properties:
@@ -809,10 +819,15 @@ spec:
                 type: array
             type: object
             x-kubernetes-validations:
-            - message: node-local load balancing cannot be used in conjunction with
-                an external Kubernetes API server address
-              rule: '!has(self.api.externalAddress) || self.api.externalAddress ==
-                '''' || !has(self.network.nodeLocalLoadBalancing.enabled) || !self.network.nodeLocalLoadBalancing.enabled'
+            - message: All API settings have to be configured in the local k0s controller
+                configuration
+              rule: '!has(self.api)'
+            - message: All storage settings have to be configured in the local k0s
+                controller configuration
+              rule: '!has(self.storage)'
+            - message: All install settings have to be configured in the local k0s
+                controller configuration
+              rule: '!has(self.install)'
           status:
             description: ClusterConfigStatus defines the observed state of ClusterConfig
             type: object