
Commit a3481f5

authored
Merge pull request #18255 from hakman/dns-topology-validation
validation: enforce supported DNS topology per cloud provider
2 parents eb7ac52 + d95e464 commit a3481f5

1 file changed

Lines changed: 59 additions & 0 deletions


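--- a/pkg/apis/kops/validation/validation.go
+++ b/pkg/apis/kops/validation/validation.go
@@ -539,9 +539,68 @@ func validateTopology(c *kops.Cluster, topology *kops.TopologySpec, fieldPath *f
 allErrs = append(allErrs, IsValidValue(fieldPath.Child("dns", "type"), &topology.DNS, kops.SupportedDnsTypes)...)
 }
 
+allErrs = append(allErrs, validateCloudDNSTopology(c, fieldPath.Child("dns", "type"))...)
+
 return allErrs
 }
 
+func validateCloudDNSTopology(c *kops.Cluster, fieldPath *field.Path) field.ErrorList {
+type dnsTopologies struct {
+gossip bool // protokube has a seed mechanism
+none bool // api server and kops-controller have a stable address
+public bool // dns-controller/external-dns provider exists
+private bool // private-zone exists
+}
+
+var cloudDNSTopologies = map[kops.CloudProviderID]dnsTopologies{
+kops.CloudProviderAWS: {none: true, gossip: true, public: true, private: true},
+kops.CloudProviderAzure: {none: true, gossip: true},
+kops.CloudProviderDO: {none: true, gossip: true, public: true},
+kops.CloudProviderGCE: {none: true, gossip: true, public: true, private: true},
+kops.CloudProviderHetzner: {none: true, gossip: true},
+kops.CloudProviderLinode: {none: true},
+kops.CloudProviderMetal: {none: true},
+kops.CloudProviderOpenstack: {none: true, gossip: true, public: true, private: true},
+kops.CloudProviderScaleway: {none: true, gossip: true, public: true},
+}
+
+cloud := c.GetCloudProvider()
+topologies, ok := cloudDNSTopologies[cloud]
+if !ok {
+return field.ErrorList{field.Forbidden(fieldPath,
+fmt.Sprintf("cloud provider %q has no declared DNS topology support", cloud))}
+}
+
+switch {
+case c.UsesLegacyGossip():
+if !topologies.gossip {
+return field.ErrorList{field.Forbidden(fieldPath,
+fmt.Sprintf("cloud provider %q does not support gossip dns topology", cloud))}
+}
+return nil
+case c.UsesNoneDNS():
+if !topologies.none {
+return field.ErrorList{field.Forbidden(fieldPath,
+fmt.Sprintf("cloud provider %q does not support none dns topology", cloud))}
+}
+return nil
+case c.UsesPrivateDNS():
+if !topologies.private {
+return field.ErrorList{field.Forbidden(fieldPath,
+fmt.Sprintf("cloud provider %q does not support private dns topology", cloud))}
+}
+return nil
+case c.UsesPublicDNS():
+if !topologies.public {
+return field.ErrorList{field.Forbidden(fieldPath,
+fmt.Sprintf("cloud provider %q does not support public dns topology", cloud))}
+}
+return nil
+default:
+return field.ErrorList{field.Forbidden(fieldPath, "unsupported dns topology")}
+}
+}
+
 func validateSubnets(cluster *kops.Cluster, subnets []kops.ClusterSubnetSpec, fieldPath *field.Path, strict bool, providerConstraints *cloudProviderConstraints, networkCIDRs []*net.IPNet, podCIDR, serviceClusterIPRange *net.IPNet) field.ErrorList {
 allErrs := field.ErrorList{}
 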
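Review bot: validateCloudDNSTopology (new line 547) has no doc comment, and the dnsTopologies type and cloudDNSTopologies table are re-declared and re-allocated on every call even though they are constant; both could move to package scope, with the function documented as `// validateCloudDNSTopology rejects a DNS topology that the cluster's cloud provider does not support.`. The four switch arms at 575-598 differ only in the field tested and the topology name in the message, so a single (name, supported) lookup followed by one field.Forbidden keeps the messages consistent and makes adding a topology a one-line change; the rewrite is sketched below. The default arm at 599 reports "unsupported dns topology" on the same dns.type path that IsValidValue at 539 has presumably already rejected, so an invalid value may produce two errors on one field; returning nil there would be the alternative if that duplication is not intended. Whether the Uses* predicates are mutually exclusive is not visible in the hunk, so the arm order silently decides which topology is reported if they can overlap. validateTopology's body starts before the hunk.
```go
// validateCloudDNSTopology rejects a DNS topology that the cluster's cloud provider does not support.
func validateCloudDNSTopology(c *kops.Cluster, fieldPath *field.Path) field.ErrorList {
	// … unchanged: dnsTopologies type, cloudDNSTopologies table, unknown-provider check …
	var name string
	var supported bool
	switch {
	case c.UsesLegacyGossip():
		name, supported = "gossip", topologies.gossip
	case c.UsesNoneDNS():
		name, supported = "none", topologies.none
	case c.UsesPrivateDNS():
		name, supported = "private", topologies.private
	case c.UsesPublicDNS():
		name, supported = "public", topologies.public
	default:
		return field.ErrorList{field.Forbidden(fieldPath, "unsupported dns topology")}
	}
	if !supported {
		return field.ErrorList{field.Forbidden(fieldPath,
			fmt.Sprintf("cloud provider %q does not support %s dns topology", cloud, name))}
	}
	return nil
}
```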