From 0d55fbf9db712329f83662af3cd18a7ff6fec7ac Mon Sep 17 00:00:00 2001
From: Tom Wieczorek
Date: Wed, 10 Jul 2024 17:54:56 +0200
Subject: [PATCH] Deny non-cluster-wide settings

Signed-off-by: Tom Wieczorek
---
 pkg/apis/k0s/v1beta1/clusterconfig_types.go | 11 ++++++++-
 pkg/apis/k0s/v1beta1/network.go | 5 ++++
 .../k0s.k0sproject.io_clusterconfigs.yaml | 23 +++++++++++++++----
 3 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/pkg/apis/k0s/v1beta1/clusterconfig_types.go b/pkg/apis/k0s/v1beta1/clusterconfig_types.go
index 2cddf9177cba..dd5bfad48a70 100644
--- a/pkg/apis/k0s/v1beta1/clusterconfig_types.go
+++ b/pkg/apis/k0s/v1beta1/clusterconfig_types.go
@@ -35,8 +35,15 @@ const (
 )
 
 // ClusterSpec defines the desired state of ClusterConfig
-// +kubebuilder:validation:XValidation:rule="!has(self.api.externalAddress) || self.api.externalAddress == '' || !has(self.network.nodeLocalLoadBalancing.enabled) || !self.network.nodeLocalLoadBalancing.enabled",message="node-local load balancing cannot be used in conjunction with an external Kubernetes API server address"
+// +kubebuilder:validation:XValidation:rule="!has(self.api)",message="All API settings have to be configured in the local k0s controller configuration"
+// +kubebuilder:validation:XValidation:rule="!has(self.storage)",message="All storage settings have to be configured in the local k0s controller configuration"
+// +kubebuilder:validation:XValidation:rule="!has(self.install)",message="All install settings have to be configured in the local k0s controller configuration"
 type ClusterSpec struct {
+	// Keep the validation rules in sync with the GetClusterWideConfig method.
+
+	// some disabled rules:
+	// kubebuilder:validation:XValidation:rule="!has(self.api.externalAddress) || size(self.api.externalAddress) == nil || !has(self.network.nodeLocalLoadBalancing.enabled) || !self.network.nodeLocalLoadBalancing.enabled",message="node-local load balancing cannot be used in conjunction with an external Kubernetes API server address"
+
 	API *APISpec `json:"api,omitempty"`
 	ControllerManager *ControllerManagerSpec `json:"controllerManager,omitempty"`
 	Scheduler *SchedulerSpec `json:"scheduler,omitempty"`
@@ -382,6 +389,8 @@ func (c *ClusterConfig) Validate() (errs []error) {
 // - Network.ControlPlaneLoadBalancing
 // - Install
 func (c *ClusterConfig) GetClusterWideConfig() *ClusterConfig {
+	// Keep this method in sync with the XValidation rules.
+
 	c = c.DeepCopy()
 	if c != nil && c.Spec != nil {
 		c.Spec.API = nil
diff --git a/pkg/apis/k0s/v1beta1/network.go b/pkg/apis/k0s/v1beta1/network.go
index 8d3e59d5afaa..427a72b666e6 100644
--- a/pkg/apis/k0s/v1beta1/network.go
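Review bot: The rule kept under `// some disabled rules:` in the ClusterSpec body is not valid CEL — `size()` yields an int and CEL has no `nil` (the removed marker compared with `self.api.externalAddress == ''`), so re-enabling it as written would make the API server reject the generated CRD. With `!has(self.api)` in force any object carrying `spec.api` is rejected before that rule could matter, so either drop the disabled rule or restore the original `== ''` form so it stays usable. The externalAddress/node-local load balancing conflict is thereby no longer checked at the API and must be covered by the controller-side `Validate()` on the local configuration; this hunk cannot show whether it is, so that is worth confirming. Stored ClusterConfig objects written by older versions that still contain `spec.api`, `spec.storage` or `spec.install` would be rejected on update by these rules unless the API server ratchets validation, so a migration or a note in the upgrade docs seems warranted.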
+++ b/pkg/apis/k0s/v1beta1/network.go
@@ -30,7 +30,12 @@ import (
 var _ Validateable = (*Network)(nil)
 
 // Network defines the network related config options
+// +kubebuilder:validation:XValidation:rule="!has(self.serviceCIDR)",message="The service CIDR has to be configured in the local k0s controller configuration"
+// +kubebuilder:validation:XValidation:rule="!has(self.clusterDomain)",message="The cluster domain has to be configured in the local k0s controller configuration"
+// +kubebuilder:validation:XValidation:rule="!has(self.controlPlaneLoadBalancing)",message="Control plane load balancing has to be configured in the local k0s controller configuration"
 type Network struct {
+	// Keep the validation rules in sync with the GetClusterWideConfig method.
+
 	Calico *Calico `json:"calico"`
 	DualStack DualStack `json:"dualStack,omitempty"`
diff --git a/static/manifests/k0s/CustomResourceDefinition/k0s.k0sproject.io_clusterconfigs.yaml b/static/manifests/k0s/CustomResourceDefinition/k0s.k0sproject.io_clusterconfigs.yaml
index cd1caa245e09..93d605c8563c 100644
--- a/static/manifests/k0s/CustomResourceDefinition/k0s.k0sproject.io_clusterconfigs.yaml
+++ b/static/manifests/k0s/CustomResourceDefinition/k0s.k0sproject.io_clusterconfigs.yaml
@@ -722,6 +722,16 @@ spec:
                   description: Network CIDR to use for cluster VIP services
                   type: string
               type: object
+              x-kubernetes-validations:
+              - message: The service CIDR has to be configured in the local k0s
+                  controller configuration
+                rule: '!has(self.serviceCIDR)'
+              - message: The cluster domain has to be configured in the local k0s
+                  controller configuration
+                rule: '!has(self.clusterDomain)'
+              - message: Control plane load balancing has to be configured in the
+                  local k0s controller configuration
+                rule: '!has(self.controlPlaneLoadBalancing)'
             scheduler:
               description: SchedulerSpec defines the fields for the Scheduler
               properties:
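Review bot: `!has(self.serviceCIDR)` and `!has(self.clusterDomain)` pass only when the key is absent from the serialized object, and `has()` is true for a present empty string; the `Calico` field in this same struct is tagged `json:"calico"` without `omitempty`, so the tags here are not uniformly omitting zero values. If the `ServiceCIDR` or `ClusterDomain` tags (outside the hunk) lack `omitempty`, the zero values GetClusterWideConfig leaves behind would be emitted and the controller's own writes of the cluster-wide config would fail these rules. Confirm those tags carry `omitempty`, or make the rules tolerate the zero value, e.g. `rule="!has(self.serviceCIDR) || self.serviceCIDR == ''"`. The Network struct body continues outside the hunk.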
@@ -809,10 +819,15 @@ spec:
                   type: array
               type: object
           x-kubernetes-validations:
-          - message: node-local load balancing cannot be used in conjunction with
-              an external Kubernetes API server address
-            rule: '!has(self.api.externalAddress) || self.api.externalAddress ==
-              '''' || !has(self.network.nodeLocalLoadBalancing.enabled) || !self.network.nodeLocalLoadBalancing.enabled'
+          - message: All API settings have to be configured in the local k0s controller
+              configuration
+            rule: '!has(self.api)'
+          - message: All storage settings have to be configured in the local k0s
+              controller configuration
+            rule: '!has(self.storage)'
+          - message: All install settings have to be configured in the local k0s
+              controller configuration
+            rule: '!has(self.install)'
         status:
           description: ClusterConfigStatus defines the observed state of ClusterConfig
           type: object