kubeovn / kube-ovn / 26011673291

27%

Build Type

push

github

Committed by web-flow

Commit Message

fix(webhook): reject same-family duplicates in ip_address annotation (#6746)

The ovn.kubernetes.io/ip_address annotation is meant to carry a single
static address per family (optionally one IPv4 + one IPv6 for dual
stack). The webhook used to accept values like "10.0.0.1,10.0.0.2",
since checkIPConflict only validated each entry against existing IP
CRs and never bounded the count per family.

Downstream of the webhook this is a real bug, not just ambiguous input:

* pkg/ipam.Subnet keeps V4NicToIP/V6NicToIP as single-value maps, so
  the second IPv4 allocation overwrites the first and the pod ends up
  tracked as owning only the last address. Pod deletion then leaks the
  first IP because the nic-keyed release path cannot see it.
* pkg/ipam.checkAndAppendIpsForDual triggers dual-stack auto-completion
  on len(ips) == 2. Two same-family IPs satisfy that count check, so a
  dual-stack subnet silently degrades to single stack with no IPv6
  ever assigned.

Add checkIPAddressFamilyUniqueness, invoked from validateIPConflict
before checkIPConflict, that counts addresses per family and rejects
the annotation when either family exceeds one. The wording mirrors the
upstream antrea fix (antrea-io/antrea#7994). The ip_pool annotation is
deliberately left untouched: it is a candidate-pool semantic and
StatefulSet ordinal indexing relies on having multiple addresses of
the same family.

Invalid IPs inside the value are not reported here; they fall through
to checkIPConflict so the existing "invalid static ip/ippool annotation
value" error wording stays the only source of truth for parse errors.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>

Coverage Stats

27 of 30 new or added lines in 1 file covered. (90.0%)

2 existing lines in 1 file now uncovered.

14310 of 57283 relevant lines covered (24.98%)

0.29 hits per line