Add webhook to validate PrefixSet resource

Author: felix-kaestner

PROJECT

@@ -195,4 +195,7 @@ resources:
   kind: PrefixSet
   path: github.com/ironcore-dev/network-operator/api/core/v1alpha1
   version: v1alpha1
+  webhooks:
+    validation: true
+    webhookVersion: v1
 version: "3"

charts/network-operator/templates/webhook/webhooks.yaml

@@ -31,6 +31,26 @@ webhooks:
           - v1alpha1
         resources:
           - interfaces
+  - name: prefixset-v1alpha1.kb.io
+    clientConfig:
+      service:
+        name: network-operator-webhook-service
+        namespace: {{ .Release.Namespace }}
+        path: /validate-networking-metal-ironcore-dev-v1alpha1-prefixset
+    failurePolicy: Fail
+    sideEffects: None
+    admissionReviewVersions:
+      - v1
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - networking.metal.ironcore.dev
+        apiVersions:
+          - v1alpha1
+        resources:
+          - prefixsets
   - name: vrf-v1alpha1.kb.io
     clientConfig:
       service:

cmd/main.go

@@ -438,6 +438,17 @@ func main() {
 		os.Exit(1)
 	}
 
+	if err := (&corecontroller.EVPNInstanceReconciler{
+		Client:           mgr.GetClient(),
+		Scheme:           mgr.GetScheme(),
+		Recorder:         mgr.GetEventRecorderFor("evpn-instance-controller"),
+		WatchFilterValue: watchFilterValue,
+		Provider:         prov,
+	}).SetupWithManager(ctx, mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "EVPNInstance")
+		os.Exit(1)
+	}
+
 	if err := (&corecontroller.PrefixSetReconciler{
 		Client:           mgr.GetClient(),
 		Scheme:           mgr.GetScheme(),
@@ -462,15 +473,12 @@ func main() {
 			os.Exit(1)
 		}
 	}
-	if err := (&corecontroller.EVPNInstanceReconciler{
-		Client:           mgr.GetClient(),
-		Scheme:           mgr.GetScheme(),
-		Recorder:         mgr.GetEventRecorderFor("evpn-instance-controller"),
-		WatchFilterValue: watchFilterValue,
-		Provider:         prov,
-	}).SetupWithManager(ctx, mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "EVPNInstance")
-		os.Exit(1)
+
+	if os.Getenv("ENABLE_WEBHOOKS") != "false" {
+		if err := webhookv1alpha1.SetupPrefixSetWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, "unable to create webhook", "webhook", "PrefixSet")
+			os.Exit(1)
+		}
 	}
 	// +kubebuilder:scaffold:builder
 

config/webhook/manifests.yaml

@@ -24,6 +24,26 @@ webhooks:
     resources:
     - interfaces
   sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-networking-metal-ironcore-dev-v1alpha1-prefixset
+  failurePolicy: Fail
+  name: prefixset-v1alpha1.kb.io
+  rules:
+  - apiGroups:
+    - networking.metal.ironcore.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - prefixsets
+  sideEffects: None
 - admissionReviewVersions:
   - v1
   clientConfig:

internal/webhook/core/v1alpha1/prefixset_webhook.go

@@ -0,0 +1,114 @@
+// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and IronCore contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	"github.com/ironcore-dev/network-operator/api/core/v1alpha1"
+)
+
+// log is for logging in this package.
+var prefixsetlog = logf.Log.WithName("prefixset-resource")
+
+// SetupPrefixSetWebhookWithManager registers the webhook for PrefixSets in the manager.
+func SetupPrefixSetWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(&v1alpha1.PrefixSet{}).
+		WithValidator(&PrefixSetCustomValidator{}).
+		Complete()
+}
+
+// +kubebuilder:webhook:path=/validate-networking-metal-ironcore-dev-v1alpha1-prefixset,mutating=false,failurePolicy=Fail,sideEffects=None,groups=networking.metal.ironcore.dev,resources=prefixsets,verbs=create;update,versions=v1alpha1,name=prefixset-v1alpha1.kb.io,admissionReviewVersions=v1
+
+// PrefixSetCustomValidator struct is responsible for validating the PrefixSet resource
+// when it is created, updated, or deleted.
+type PrefixSetCustomValidator struct{}
+
+var _ webhook.CustomValidator = &PrefixSetCustomValidator{}
+
+// ValidateCreate implements webhook.CustomValidator so a webhook will be registered for the type PrefixSet.
+func (v *PrefixSetCustomValidator) ValidateCreate(_ context.Context, obj runtime.Object) (admission.Warnings, error) {
+	ps, ok := obj.(*v1alpha1.PrefixSet)
+	if !ok {
+		return nil, fmt.Errorf("expected a PrefixSets object but got %T", obj)
+	}
+
+	prefixsetlog.Info("Validation for PrefixSets upon creation", "name", ps.GetName())
+
+	return nil, validatePrefixSetSpec(ps)
+}
+
+// ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type PrefixSet.
+func (v *PrefixSetCustomValidator) ValidateUpdate(_ context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
+	prev, ok := oldObj.(*v1alpha1.PrefixSet)
+	if !ok {
+		return nil, fmt.Errorf("expected a PrefixSets object for the oldObj but got %T", oldObj)
+	}
+
+	curr, ok := newObj.(*v1alpha1.PrefixSet)
+	if !ok {
+		return nil, fmt.Errorf("expected a PrefixSets object for the newObj but got %T", newObj)
+	}
+
+	prefixsetlog.Info("Validation for PrefixSets upon update", "name", curr.GetName())
+
+	if err := validatePrefixSetSpec(curr); err != nil {
+		return nil, err
+	}
+
+	if len(prev.Spec.Entries) > 0 && prev.Is6() != curr.Is6() {
+		return nil, errors.New("cannot change IP family of a PrefixSet once created")
+	}
+
+	return nil, nil
+}
+
+// ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type PrefixSet.
+func (v *PrefixSetCustomValidator) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}
+
+// validatePrefixSetSpec performs validation on the PrefixSet spec.
+func validatePrefixSetSpec(ps *v1alpha1.PrefixSet) error {
+	var is6 bool
+	var errAgg []error
+	for i, ent := range ps.Spec.Entries {
+		if i > 0 && ent.Prefix.Addr().Is6() != is6 {
+			errAgg = append(errAgg, errors.New("all prefixes in a PrefixSet must be of the same IP family"))
+		}
+		is6 = ent.Prefix.Addr().Is6()
+		if ent.MaskLengthRange != nil {
+			bits := ent.Prefix.Bits()
+			rmin := int(ent.MaskLengthRange.Min)
+			rmax := int(ent.MaskLengthRange.Max)
+
+			if rmin < bits {
+				errAgg = append(errAgg, fmt.Errorf("entry %d: mask length range min %d is invalid for prefix %s", i, rmin, ent.Prefix.String()))
+			}
+			if rmax < bits {
+				errAgg = append(errAgg, fmt.Errorf("entry %d: mask length range max %d is invalid for prefix %s", i, rmax, ent.Prefix.String()))
+			}
+			if rmin > rmax {
+				errAgg = append(errAgg, fmt.Errorf("entry %d: mask length range min %d cannot be greater than max %d", i, rmin, rmax))
+			}
+			const maxBits = 32
+			if !is6 && rmin > maxBits {
+				errAgg = append(errAgg, fmt.Errorf("entry %d: mask length range min %d exceeds maximum %d bits for IPv4", i, rmin, maxBits))
+			}
+			if !is6 && rmax > maxBits {
+				errAgg = append(errAgg, fmt.Errorf("entry %d: mask length range max %d exceeds maximum %d bits for IPv4", i, rmax, maxBits))
+			}
+		}
+	}
+	return errors.Join(errAgg...)
+}