.gitignore

-Original file line number
+Diff line change
@@ Expand Up / @@ -43,6 +43,9 @@ tools/bin @@
     # Mocked interface generate through mockgen
     *_mock.go
+    # Claude Code working directory
+    .work/
     # dev
     dev/
@@ Expand Down @@

hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go

-Original file line number
+Diff line change
@@ Expand Up @@
     	errs = append(errs, validateSliceNetworkCIDRs(hc)...)
     	errs = append(errs, checkAdvertiseAddressOverlapping(hc)...)
     	errs = append(errs, validateNodePortVsServiceNetwork(hc)...)
+    	errs = append(errs, validateNodePortPortRange(hc)...)
     	return errs.ToAggregate()
     }
@@ Expand Down Expand Up @@
     	return errs
     }
+    // parseNodePortRange parses a ServiceNodePortRange string like "30000-32767" into min/max values.
+    // This range defines which ports on worker nodes are available for NodePort services.
+    // The range is configurable per cluster via spec.configuration.network.serviceNodePortRange,
+    // with a default of 30000-32767 (following Kubernetes standard).
+    func parseNodePortRange(rangeStr string) (min, max int32, err error) {
+    	if rangeStr == "" {
+    		return 30000, 32767, nil // Default range
+    	}
+    	parts := strings.Split(rangeStr, "-")
+    	if len(parts) != 2 {
+    		return 0, 0, fmt.Errorf("invalid range format: %s", rangeStr)
+    	}
+    	minVal, err := strconv.ParseInt(parts[0], 10, 32)
+    	if err != nil {
+    		return 0, 0, fmt.Errorf("invalid minimum port: %s", parts[0])
+    	}
+    	maxVal, err := strconv.ParseInt(parts[1], 10, 32)
+    	if err != nil {
+    		return 0, 0, fmt.Errorf("invalid maximum port: %s", parts[1])
+    	}
+    	return int32(minVal), int32(maxVal), nil
+    }
+    // validateNodePortPortRange validates that NodePort.Port is within the configured ServiceNodePortRange.
+    //
+    // NodePort services expose applications on worker nodes using a specific port. The available port range
+    // is controlled by the kube-apiserver's --service-node-port-range flag, which prevents conflicts with
+    // system services and other applications running on nodes.
+    //
+    // This validation ensures:
+    // 1. Specified ports fall within the cluster's configured range (preventing kube-apiserver rejection)
+    // 2. Port 0 (dynamic assignment) is always allowed (kube-apiserver will auto-assign from valid range)
+    // 3. Early feedback to users instead of late failure during cluster provisioning
+    //
+    // The range is configurable via spec.configuration.network.serviceNodePortRange, defaulting to
+    // the Kubernetes standard of 30000-32767.
+    func validateNodePortPortRange(hc *hyperv1.HostedCluster) field.ErrorList {
+    	var errs field.ErrorList
+    	// Get the configured NodePort range for this cluster
+    	nodePortRange := ""
+    	if hc.Spec.Configuration != nil && hc.Spec.Configuration.Network != nil {
+    		nodePortRange = hc.Spec.Configuration.Network.ServiceNodePortRange
+    	}
+    	if nodePortRange == "" {
+    		nodePortRange = config.DefaultServiceNodePortRange
+    	}
+    	// Parse the range
+    	minPort, maxPort, err := parseNodePortRange(nodePortRange)
+    	if err != nil {
+    		errs = append(errs, field.Invalid(
+    			field.NewPath("spec.configuration.network.serviceNodePortRange"),
+    			nodePortRange,
+    			fmt.Sprintf("invalid ServiceNodePortRange format: %v", err)))
+    		return errs
+    	}
+    	// Validate NodePort.Port against the configured range
+    	for idx, svc := range hc.Spec.Services {
+    		if svc.Service == hyperv1.APIServer && svc.Type == hyperv1.NodePort && svc.NodePort != nil {
+    			port := svc.NodePort.Port
+    			if port > 0 && (port < minPort || port > maxPort) {
+    				errs = append(errs, field.Invalid(
+    					field.NewPath(fmt.Sprintf("spec.services[%d].nodePort.port", idx)),
+    					port,
+    					fmt.Sprintf("port must be within the configured range %d-%d or 0 for dynamic assignment", minPort, maxPort)))
+    			}
+    		}
+    	}
+    	return errs
+    }
     func validateSliceNetworkCIDRs(hc *hyperv1.HostedCluster) field.ErrorList {
     	var cidrEntries []cidrEntry
@@ Expand Down @@

OCPBUGS-65824: Add dynamic NodePort range validation to prevent cluster creation failures #7652

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft

jparrill wants to merge 2 commits into openshift:main from jparrill:fix-OCPBUGS-65824

+367 −1

-Original file line number
+Diff line change
@@ Expand Up / @@ -43,6 +43,9 @@ tools/bin @@
     # Mocked interface generate through mockgen
     *_mock.go
+    # Claude Code working directory
+    .work/
     # dev
     dev/
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up @@
     	errs = append(errs, validateSliceNetworkCIDRs(hc)...)
     	errs = append(errs, checkAdvertiseAddressOverlapping(hc)...)
     	errs = append(errs, validateNodePortVsServiceNetwork(hc)...)
+    	errs = append(errs, validateNodePortPortRange(hc)...)
     	return errs.ToAggregate()
     }
@@ Expand Down Expand Up @@
     	return errs
     }
+    // parseNodePortRange parses a ServiceNodePortRange string like "30000-32767" into min/max values.
+    // This range defines which ports on worker nodes are available for NodePort services.
+    // The range is configurable per cluster via spec.configuration.network.serviceNodePortRange,
+    // with a default of 30000-32767 (following Kubernetes standard).
+    func parseNodePortRange(rangeStr string) (min, max int32, err error) {
+    	if rangeStr == "" {
+    		return 30000, 32767, nil // Default range
+    	}
+    	parts := strings.Split(rangeStr, "-")
+    	if len(parts) != 2 {
+    		return 0, 0, fmt.Errorf("invalid range format: %s", rangeStr)
+    	}
+    	minVal, err := strconv.ParseInt(parts[0], 10, 32)
+    	if err != nil {
+    		return 0, 0, fmt.Errorf("invalid minimum port: %s", parts[0])
+    	}
+    	maxVal, err := strconv.ParseInt(parts[1], 10, 32)
+    	if err != nil {
+    		return 0, 0, fmt.Errorf("invalid maximum port: %s", parts[1])
+    	}
+    	return int32(minVal), int32(maxVal), nil
+    }
+    // validateNodePortPortRange validates that NodePort.Port is within the configured ServiceNodePortRange.
+    //
+    // NodePort services expose applications on worker nodes using a specific port. The available port range
+    // is controlled by the kube-apiserver's --service-node-port-range flag, which prevents conflicts with
+    // system services and other applications running on nodes.
+    //
+    // This validation ensures:
+    // 1. Specified ports fall within the cluster's configured range (preventing kube-apiserver rejection)
+    // 2. Port 0 (dynamic assignment) is always allowed (kube-apiserver will auto-assign from valid range)
+    // 3. Early feedback to users instead of late failure during cluster provisioning
+    //
+    // The range is configurable via spec.configuration.network.serviceNodePortRange, defaulting to
+    // the Kubernetes standard of 30000-32767.
+    func validateNodePortPortRange(hc *hyperv1.HostedCluster) field.ErrorList {
+    	var errs field.ErrorList
+    	// Get the configured NodePort range for this cluster
+    	nodePortRange := ""
+    	if hc.Spec.Configuration != nil && hc.Spec.Configuration.Network != nil {
+    		nodePortRange = hc.Spec.Configuration.Network.ServiceNodePortRange
+    	}
+    	if nodePortRange == "" {
+    		nodePortRange = config.DefaultServiceNodePortRange
+    	}
+    	// Parse the range
+    	minPort, maxPort, err := parseNodePortRange(nodePortRange)
+    	if err != nil {
+    		errs = append(errs, field.Invalid(
+    			field.NewPath("spec.configuration.network.serviceNodePortRange"),
+    			nodePortRange,
+    			fmt.Sprintf("invalid ServiceNodePortRange format: %v", err)))
+    		return errs
+    	}
+    	// Validate NodePort.Port against the configured range
+    	for idx, svc := range hc.Spec.Services {
+    		if svc.Service == hyperv1.APIServer && svc.Type == hyperv1.NodePort && svc.NodePort != nil {
+    			port := svc.NodePort.Port
+    			if port > 0 && (port < minPort || port > maxPort) {
+    				errs = append(errs, field.Invalid(
+    					field.NewPath(fmt.Sprintf("spec.services[%d].nodePort.port", idx)),
+    					port,
+    					fmt.Sprintf("port must be within the configured range %d-%d or 0 for dynamic assignment", minPort, maxPort)))
+    			}
+    		}
+    	}
+    	return errs
+    }
     func validateSliceNetworkCIDRs(hc *hyperv1.HostedCluster) field.ErrorList {
     	var cidrEntries []cidrEntry
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OCPBUGS-65824: Add dynamic NodePort range validation to prevent cluster creation failures #7652

Diff view

Diff view

There are no files selected for viewing

Uh oh!

OCPBUGS-65824: Add dynamic NodePort range validation to prevent cluster creation failures #7652

Are you sure you want to change the base?

OCPBUGS-65824: Add dynamic NodePort range validation to prevent cluster creation failures #7652

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!