istio: istio.io/istio/pkg/config/validation Index | Files

package validation

import "istio.io/istio/pkg/config/validation"

Index

Package Files

validation.go virtualservice.go

Constants

const (

    // UnixAddressPrefix is the prefix used to indicate an address is for a Unix Domain socket. It is used in
    // ServiceEntry.Endpoint.Address message.
    UnixAddressPrefix = "unix://"
)

Constants for duration fields

Variables

var (

    // EmptyValidate is a Validate that does nothing and returns no error.
    EmptyValidate = registerValidateFunc("EmptyValidate",
        func(string, string, proto.Message) error {
            return nil
        })
)
var ValidateAuthorizationPolicy = registerValidateFunc("ValidateAuthorizationPolicy",
    func(name, namespace string, msg proto.Message) error {
        in, ok := msg.(*security_beta.AuthorizationPolicy)
        if !ok {
            return fmt.Errorf("cannot cast to AuthorizationPolicy")
        }

        if err := validateWorkloadSelector(in.Selector); err != nil {
            return err
        }

        if in.Action == security_beta.AuthorizationPolicy_DENY && in.Rules == nil {
            return fmt.Errorf("a deny policy without `rules` is meaningless and has no effect, found in %s.%s", name, namespace)
        }

        var errs error
        for i, rule := range in.GetRules() {
            if rule == nil {
                errs = appendErrors(errs, fmt.Errorf("`rule` must not be null, found at rule %d in %s.%s", i, name, namespace))
                continue
            }
            if rule.From != nil && len(rule.From) == 0 {
                errs = appendErrors(errs, fmt.Errorf("`from` must not be empty, found at rule %d in %s.%s", i, name, namespace))
            }
            for _, from := range rule.From {
                if from == nil {
                    errs = appendErrors(errs, fmt.Errorf("`from` must not be null, found at rule %d in %s.%s", i, name, namespace))
                    continue
                }
                if from.Source == nil {
                    errs = appendErrors(errs, fmt.Errorf("`from.source` must not be nil, found at rule %d in %s.%s", i, name, namespace))
                } else {
                    src := from.Source
                    if len(src.Principals) == 0 && len(src.RequestPrincipals) == 0 && len(src.Namespaces) == 0 && len(src.IpBlocks) == 0 &&
                        len(src.NotPrincipals) == 0 && len(src.NotRequestPrincipals) == 0 && len(src.NotNamespaces) == 0 && len(src.NotIpBlocks) == 0 {
                        errs = appendErrors(errs, fmt.Errorf("`from.source` must not be empty, found at rule %d in %s.%s", i, name, namespace))
                    }
                    errs = appendErrors(errs, security.ValidateIPs(from.Source.GetIpBlocks()))
                    errs = appendErrors(errs, security.ValidateIPs(from.Source.GetNotIpBlocks()))
                    errs = appendErrors(errs, security.CheckEmptyValues("Principals", src.Principals))
                    errs = appendErrors(errs, security.CheckEmptyValues("RequestPrincipals", src.RequestPrincipals))
                    errs = appendErrors(errs, security.CheckEmptyValues("Namespaces", src.Namespaces))
                    errs = appendErrors(errs, security.CheckEmptyValues("IpBlocks", src.IpBlocks))
                    errs = appendErrors(errs, security.CheckEmptyValues("NotPrincipals", src.NotPrincipals))
                    errs = appendErrors(errs, security.CheckEmptyValues("NotRequestPrincipals", src.NotRequestPrincipals))
                    errs = appendErrors(errs, security.CheckEmptyValues("NotNamespaces", src.NotNamespaces))
                    errs = appendErrors(errs, security.CheckEmptyValues("NotIpBlocks", src.NotIpBlocks))
                }
            }
            if rule.To != nil && len(rule.To) == 0 {
                errs = appendErrors(errs, fmt.Errorf("`to` must not be empty, found at rule %d in %s.%s", i, name, namespace))
            }
            for _, to := range rule.To {
                if to == nil {
                    errs = appendErrors(errs, fmt.Errorf("`to` must not be nil, found at rule %d in %s.%s", i, name, namespace))
                    continue
                }
                if to.Operation == nil {
                    errs = appendErrors(errs, fmt.Errorf("`to.operation` must not be nil, found at rule %d in %s.%s", i, name, namespace))
                } else {
                    op := to.Operation
                    if len(op.Ports) == 0 && len(op.Methods) == 0 && len(op.Paths) == 0 && len(op.Hosts) == 0 &&
                        len(op.NotPorts) == 0 && len(op.NotMethods) == 0 && len(op.NotPaths) == 0 && len(op.NotHosts) == 0 {
                        errs = appendErrors(errs, fmt.Errorf("`to.operation` must not be empty, found at rule %d in %s.%s", i, name, namespace))
                    }
                    errs = appendErrors(errs, security.ValidatePorts(to.Operation.GetPorts()))
                    errs = appendErrors(errs, security.ValidatePorts(to.Operation.GetNotPorts()))
                    errs = appendErrors(errs, security.CheckEmptyValues("Ports", op.Ports))
                    errs = appendErrors(errs, security.CheckEmptyValues("Methods", op.Methods))
                    errs = appendErrors(errs, security.CheckEmptyValues("Paths", op.Paths))
                    errs = appendErrors(errs, security.CheckEmptyValues("Hosts", op.Hosts))
                    errs = appendErrors(errs, security.CheckEmptyValues("NotPorts", op.NotPorts))
                    errs = appendErrors(errs, security.CheckEmptyValues("NotMethods", op.NotMethods))
                    errs = appendErrors(errs, security.CheckEmptyValues("NotPaths", op.NotPaths))
                    errs = appendErrors(errs, security.CheckEmptyValues("NotHosts", op.NotHosts))
                }
            }
            for _, condition := range rule.GetWhen() {
                key := condition.GetKey()
                if key == "" {
                    errs = appendErrors(errs, fmt.Errorf("`key` must not be empty, found in %s.%s", name, namespace))
                } else {
                    if len(condition.GetValues()) == 0 && len(condition.GetNotValues()) == 0 {
                        errs = appendErrors(errs, fmt.Errorf("at least one of `values` or `notValues` must be set for key %s, found in %s.%s",
                            key, name, namespace))
                    } else {
                        if err := security.ValidateAttribute(key, condition.GetValues()); err != nil {
                            errs = appendErrors(errs, fmt.Errorf("invalid `value` for `key` %s: %v, found in %s.%s", key, err, name, namespace))
                        }
                        if err := security.ValidateAttribute(key, condition.GetNotValues()); err != nil {
                            errs = appendErrors(errs, fmt.Errorf("invalid `notValue` for `key` %s: %v, found in %s.%s", key, err, name, namespace))
                        }
                    }
                }
            }
        }
        return errs
    })

ValidateAuthorizationPolicy checks that AuthorizationPolicy is well-formed.

var ValidateDestinationRule = registerValidateFunc("ValidateDestinationRule",
    func(_, namespace string, msg proto.Message) (errs error) {
        rule, ok := msg.(*networking.DestinationRule)
        if !ok {
            return fmt.Errorf("cannot cast to destination rule")
        }

        errs = appendErrors(errs,
            ValidateWildcardDomain(rule.Host),
            validateTrafficPolicy(rule.TrafficPolicy))

        for _, subset := range rule.Subsets {
            if subset == nil {
                errs = appendErrors(errs, errors.New("subset may not be null"))
                continue
            }
            errs = appendErrors(errs, validateSubset(subset))
        }

        errs = appendErrors(errs, validateExportTo(namespace, rule.ExportTo, false))
        return
    })

ValidateDestinationRule checks proxy policies

var ValidateEnvoyFilter = registerValidateFunc("ValidateEnvoyFilter",
    func(_, _ string, msg proto.Message) (errs error) {
        rule, ok := msg.(*networking.EnvoyFilter)
        if !ok {
            return fmt.Errorf("cannot cast to Envoy filter")
        }

        if err := validateAlphaWorkloadSelector(rule.WorkloadSelector); err != nil {
            return err
        }

        for _, cp := range rule.ConfigPatches {
            if cp == nil {
                errs = appendErrors(errs, fmt.Errorf("Envoy filter: null config patch"))
                continue
            }
            if cp.ApplyTo == networking.EnvoyFilter_INVALID {
                errs = appendErrors(errs, fmt.Errorf("Envoy filter: missing applyTo"))
                continue
            }
            if cp.Patch == nil {
                errs = appendErrors(errs, fmt.Errorf("Envoy filter: missing patch"))
                continue
            }
            if cp.Patch.Operation == networking.EnvoyFilter_Patch_INVALID {
                errs = appendErrors(errs, fmt.Errorf("Envoy filter: missing patch operation"))
                continue
            }
            if cp.Patch.Operation != networking.EnvoyFilter_Patch_REMOVE && cp.Patch.Value == nil {
                errs = appendErrors(errs, fmt.Errorf("Envoy filter: missing patch value for non-remove operation"))
                continue
            }

            if cp.Match != nil && cp.Match.Proxy != nil && cp.Match.Proxy.ProxyVersion != "" {
                if _, err := regexp.Compile(cp.Match.Proxy.ProxyVersion); err != nil {
                    errs = appendErrors(errs, fmt.Errorf("Envoy filter: invalid regex for proxy version, [%v]", err))
                    continue
                }
            }

            switch cp.ApplyTo {
            case networking.EnvoyFilter_LISTENER,
                networking.EnvoyFilter_FILTER_CHAIN,
                networking.EnvoyFilter_NETWORK_FILTER,
                networking.EnvoyFilter_HTTP_FILTER:
                if cp.Match != nil && cp.Match.ObjectTypes != nil {
                    if cp.Match.GetListener() == nil {
                        errs = appendErrors(errs, fmt.Errorf("Envoy filter: applyTo for listener class objects cannot have non listener match"))
                        continue
                    }
                    listenerMatch := cp.Match.GetListener()
                    if listenerMatch.FilterChain != nil {
                        if listenerMatch.FilterChain.Filter != nil {

                            if listenerMatch.FilterChain.Filter.Name == "" {
                                errs = appendErrors(errs, fmt.Errorf("Envoy filter: filter match has no name to match on"))
                                continue
                            } else if listenerMatch.FilterChain.Filter.SubFilter != nil {

                                if cp.ApplyTo != networking.EnvoyFilter_HTTP_FILTER {
                                    errs = appendErrors(errs, fmt.Errorf("Envoy filter: subfilter match can be used with applyTo HTTP_FILTER only"))
                                    continue
                                }

                                if listenerMatch.FilterChain.Filter.Name != wellknown.HTTPConnectionManager &&
                                    listenerMatch.FilterChain.Filter.Name != "envoy.http_connection_manager" {
                                    errs = appendErrors(errs, fmt.Errorf("Envoy filter: subfilter match requires filter match with %s",
                                        wellknown.HTTPConnectionManager))
                                    continue
                                }
                                if listenerMatch.FilterChain.Filter.SubFilter.Name == "" {
                                    errs = appendErrors(errs, fmt.Errorf("Envoy filter: subfilter match has no name to match on"))
                                    continue
                                }
                            }
                        }
                    }
                }
            case networking.EnvoyFilter_ROUTE_CONFIGURATION, networking.EnvoyFilter_VIRTUAL_HOST, networking.EnvoyFilter_HTTP_ROUTE:
                if cp.Match != nil && cp.Match.ObjectTypes != nil {
                    if cp.Match.GetRouteConfiguration() == nil {
                        errs = appendErrors(errs,
                            fmt.Errorf("Envoy filter: applyTo for http route class objects cannot have non route configuration match"))
                    }
                }

            case networking.EnvoyFilter_CLUSTER:
                if cp.Match != nil && cp.Match.ObjectTypes != nil {
                    if cp.Match.GetCluster() == nil {
                        errs = appendErrors(errs, fmt.Errorf("Envoy filter: applyTo for cluster class objects cannot have non cluster match"))
                    }
                }
            }

            if _, err := xds.BuildXDSObjectFromStruct(cp.ApplyTo, cp.Patch.Value); err != nil {
                errs = appendErrors(errs, err)
            }
        }

        return
    })

ValidateEnvoyFilter checks envoy filter config supplied by user

var ValidateGateway = registerValidateFunc("ValidateGateway",
    func(name, _ string, msg proto.Message) (errs error) {

        if !labels.IsDNS1123Label(name) {
            errs = appendErrors(errs, fmt.Errorf("invalid gateway name: %q", name))
        }
        value, ok := msg.(*networking.Gateway)
        if !ok {
            errs = appendErrors(errs, fmt.Errorf("cannot cast to gateway: %#v", msg))
            return
        }

        if len(value.Servers) == 0 {
            errs = appendErrors(errs, fmt.Errorf("gateway must have at least one server"))
        } else {
            for _, server := range value.Servers {
                errs = appendErrors(errs, validateServer(server))
            }
        }

        portNames := make(map[string]bool)

        for _, s := range value.Servers {
            if s == nil {
                errs = appendErrors(errs, fmt.Errorf("server may not be nil"))
                continue
            }
            if s.Port != nil {
                if portNames[s.Port.Name] {
                    errs = appendErrors(errs, fmt.Errorf("port names in servers must be unique: duplicate name %s", s.Port.Name))
                }
                portNames[s.Port.Name] = true
            }
        }

        return errs
    })

ValidateGateway checks gateway specifications

var ValidatePeerAuthentication = registerValidateFunc("ValidatePeerAuthentication",
    func(name, namespace string, msg proto.Message) error {
        in, ok := msg.(*security_beta.PeerAuthentication)
        if !ok {
            return errors.New("cannot cast to PeerAuthentication")
        }

        var errs error
        emptySelector := in.Selector == nil || len(in.Selector.MatchLabels) == 0

        if emptySelector && len(in.PortLevelMtls) != 0 {
            errs = appendErrors(errs,
                fmt.Errorf("mesh/namespace peer authentication cannot have port level mTLS"))
        }

        if in.PortLevelMtls != nil && len(in.PortLevelMtls) == 0 {
            errs = appendErrors(errs,
                fmt.Errorf("port level mTLS, if defined, must have at least one element"))
        }

        for port := range in.PortLevelMtls {
            if port == 0 {
                errs = appendErrors(errs, fmt.Errorf("port cannot be 0"))
            }
        }

        errs = appendErrors(errs, validateWorkloadSelector(in.Selector))

        return errs
    })

ValidatePeerAuthentication checks that peer authentication spec is well-formed.

var ValidateRequestAuthentication = registerValidateFunc("ValidateRequestAuthentication",
    func(name, namespace string, msg proto.Message) error {
        in, ok := msg.(*security_beta.RequestAuthentication)
        if !ok {
            return errors.New("cannot cast to RequestAuthentication")
        }

        var errs error
        errs = appendErrors(errs, validateWorkloadSelector(in.Selector))

        for _, rule := range in.JwtRules {
            errs = appendErrors(errs, validateJwtRule(rule))
        }
        return errs
    })

ValidateRequestAuthentication checks that request authentication spec is well-formed.

var ValidateServiceEntry = registerValidateFunc("ValidateServiceEntry",
    func(_, namespace string, config proto.Message) (errs error) {
        serviceEntry, ok := config.(*networking.ServiceEntry)
        if !ok {
            return fmt.Errorf("cannot cast to service entry")
        }

        if err := validateAlphaWorkloadSelector(serviceEntry.WorkloadSelector); err != nil {
            return err
        }

        if serviceEntry.WorkloadSelector != nil && serviceEntry.Endpoints != nil {
            errs = appendErrors(errs, fmt.Errorf("only one of WorkloadSelector or Endpoints is allowed in Service Entry"))
        }

        if len(serviceEntry.Hosts) == 0 {
            errs = appendErrors(errs, fmt.Errorf("service entry must have at least one host"))
        }
        for _, hostname := range serviceEntry.Hosts {

            if hostname == "*" {
                errs = appendErrors(errs, fmt.Errorf("invalid host %s", hostname))
            } else {
                errs = appendErrors(errs, ValidateWildcardDomain(hostname))
            }
        }

        cidrFound := false
        for _, address := range serviceEntry.Addresses {
            cidrFound = cidrFound || strings.Contains(address, "/")
            errs = appendErrors(errs, ValidateIPSubnet(address))
        }

        if cidrFound {
            if serviceEntry.Resolution != networking.ServiceEntry_NONE && serviceEntry.Resolution != networking.ServiceEntry_STATIC {
                errs = appendErrors(errs, fmt.Errorf("CIDR addresses are allowed only for NONE/STATIC resolution types"))
            }
        }

        servicePortNumbers := make(map[uint32]bool)
        servicePorts := make(map[string]bool, len(serviceEntry.Ports))
        for _, port := range serviceEntry.Ports {
            if port == nil {
                errs = appendErrors(errs, fmt.Errorf("service entry port may not be null"))
                continue
            }
            if servicePorts[port.Name] {
                errs = appendErrors(errs, fmt.Errorf("service entry port name %q already defined", port.Name))
            }
            servicePorts[port.Name] = true
            if servicePortNumbers[port.Number] {
                errs = appendErrors(errs, fmt.Errorf("service entry port %d already defined", port.Number))
            }
            servicePortNumbers[port.Number] = true
        }

        switch serviceEntry.Resolution {
        case networking.ServiceEntry_NONE:
            if len(serviceEntry.Endpoints) != 0 {
                errs = appendErrors(errs, fmt.Errorf("no endpoints should be provided for resolution type none"))
            }
        case networking.ServiceEntry_STATIC:
            unixEndpoint := false
            for _, endpoint := range serviceEntry.Endpoints {
                addr := endpoint.GetAddress()
                if strings.HasPrefix(addr, UnixAddressPrefix) {
                    unixEndpoint = true
                    errs = appendErrors(errs, ValidateUnixAddress(strings.TrimPrefix(addr, UnixAddressPrefix)))
                    if len(endpoint.Ports) != 0 {
                        errs = appendErrors(errs, fmt.Errorf("unix endpoint %s must not include ports", addr))
                    }
                } else {
                    errs = appendErrors(errs, ValidateIPAddress(addr))

                    for name, port := range endpoint.Ports {
                        if !servicePorts[name] {
                            errs = appendErrors(errs, fmt.Errorf("endpoint port %v is not defined by the service entry", port))
                        }
                    }
                }
                errs = appendErrors(errs, labels.Instance(endpoint.Labels).Validate())

            }
            if unixEndpoint && len(serviceEntry.Ports) != 1 {
                errs = appendErrors(errs, errors.New("exactly 1 service port required for unix endpoints"))
            }
        case networking.ServiceEntry_DNS:
            if len(serviceEntry.Endpoints) == 0 {
                for _, hostname := range serviceEntry.Hosts {
                    if err := ValidateFQDN(hostname); err != nil {
                        errs = appendErrors(errs,
                            fmt.Errorf("hosts must be FQDN if no endpoints are provided for resolution mode DNS"))
                    }
                }
            }

            for _, endpoint := range serviceEntry.Endpoints {
                ipAddr := net.ParseIP(endpoint.Address)
                if ipAddr == nil {
                    if err := ValidateFQDN(endpoint.Address); err != nil {
                        errs = appendErrors(errs,
                            fmt.Errorf("endpoint address %q is not a valid FQDN or an IP address", endpoint.Address))
                    }
                }
                errs = appendErrors(errs,
                    labels.Instance(endpoint.Labels).Validate())
                for name, port := range endpoint.Ports {
                    if !servicePorts[name] {
                        errs = appendErrors(errs, fmt.Errorf("endpoint port %v is not defined by the service entry", port))
                    }
                    errs = appendErrors(errs,
                        ValidatePortName(name),
                        ValidatePort(int(port)))
                }
            }
        default:
            errs = appendErrors(errs, fmt.Errorf("unsupported resolution type %s",
                networking.ServiceEntry_Resolution_name[int32(serviceEntry.Resolution)]))
        }

        if serviceEntry.Resolution != networking.ServiceEntry_NONE && len(serviceEntry.Hosts) > 1 {
            canDifferentiate := true
            for _, port := range serviceEntry.Ports {
                p := protocol.Parse(port.Protocol)
                if !p.IsHTTP() && !p.IsTLS() {
                    canDifferentiate = false
                    break
                }
            }

            if !canDifferentiate {
                errs = appendErrors(errs, fmt.Errorf("multiple hosts provided with non-HTTP, non-TLS ports"))
            }
        }

        for _, port := range serviceEntry.Ports {
            if port == nil {
                errs = appendErrors(errs, errors.New("port may not be null"))
                continue
            }
            errs = appendErrors(errs,
                ValidatePortName(port.Name),
                ValidateProtocol(port.Protocol),
                ValidatePort(int(port.Number)))
        }

        errs = appendErrors(errs, validateExportTo(namespace, serviceEntry.ExportTo, true))
        return
    })

ValidateServiceEntry validates a service entry.

var ValidateSidecar = registerValidateFunc("ValidateSidecar",
    func(_, _ string, msg proto.Message) (errs error) {
        rule, ok := msg.(*networking.Sidecar)
        if !ok {
            return fmt.Errorf("cannot cast to Sidecar")
        }

        if err := validateAlphaWorkloadSelector(rule.WorkloadSelector); err != nil {
            return err
        }

        if len(rule.Egress) == 0 {
            return fmt.Errorf("sidecar: missing egress")
        }

        portMap := make(map[uint32]struct{})
        for _, i := range rule.Ingress {
            if i == nil {
                errs = appendErrors(errs, fmt.Errorf("sidecar: ingress may not be null"))
                continue
            }
            if i.Port == nil {
                errs = appendErrors(errs, fmt.Errorf("sidecar: port is required for ingress listeners"))
                continue
            }

            bind := i.GetBind()
            errs = appendErrors(errs, validateSidecarIngressPortAndBind(i.Port, bind))

            if _, found := portMap[i.Port.Number]; found {
                errs = appendErrors(errs, fmt.Errorf("sidecar: ports on IP bound listeners must be unique"))
            }
            portMap[i.Port.Number] = struct{}{}

            if len(i.DefaultEndpoint) == 0 {
                errs = appendErrors(errs, fmt.Errorf("sidecar: default endpoint must be set for all ingress listeners"))
            } else {
                if strings.HasPrefix(i.DefaultEndpoint, UnixAddressPrefix) {
                    errs = appendErrors(errs, ValidateUnixAddress(strings.TrimPrefix(i.DefaultEndpoint, UnixAddressPrefix)))
                } else {

                    parts := strings.Split(i.DefaultEndpoint, ":")
                    if len(parts) < 2 {
                        errs = appendErrors(errs, fmt.Errorf("sidecar: defaultEndpoint must be of form 127.0.0.1:<port>"))
                    } else {
                        if len(parts[0]) > 0 && parts[0] != "127.0.0.1" {
                            errs = appendErrors(errs, fmt.Errorf("sidecar: defaultEndpoint must be of form 127.0.0.1:<port>"))
                        }

                        port, err := strconv.Atoi(parts[1])
                        if err != nil {
                            errs = appendErrors(errs, fmt.Errorf("sidecar: defaultEndpoint port (%s) is not a number: %v", parts[1], err))
                        } else {
                            errs = appendErrors(errs, ValidatePort(port))
                        }
                    }
                }
            }
        }

        portMap = make(map[uint32]struct{})
        udsMap := make(map[string]struct{})
        catchAllEgressListenerFound := false
        for index, i := range rule.Egress {
            if i == nil {
                errs = appendErrors(errs, errors.New("egress listener may not be null"))
                continue
            }

            if i.Port == nil {
                if !catchAllEgressListenerFound {
                    if index == len(rule.Egress)-1 {
                        catchAllEgressListenerFound = true
                    } else {
                        errs = appendErrors(errs, fmt.Errorf("sidecar: the egress listener with empty port should be the last listener in the list"))
                    }
                } else {
                    errs = appendErrors(errs, fmt.Errorf("sidecar: egress can have only one listener with empty port"))
                    continue
                }
            } else {
                bind := i.GetBind()
                captureMode := i.GetCaptureMode()
                errs = appendErrors(errs, validateSidecarEgressPortBindAndCaptureMode(i.Port, bind, captureMode))

                if i.Port.Number == 0 {
                    if _, found := udsMap[bind]; found {
                        errs = appendErrors(errs, fmt.Errorf("sidecar: unix domain socket values for listeners must be unique"))
                    }
                    udsMap[bind] = struct{}{}
                } else {
                    if _, found := portMap[i.Port.Number]; found {
                        errs = appendErrors(errs, fmt.Errorf("sidecar: ports on IP bound listeners must be unique"))
                    }
                    portMap[i.Port.Number] = struct{}{}
                }
            }

            if len(i.Hosts) == 0 {
                errs = appendErrors(errs, fmt.Errorf("sidecar: egress listener must contain at least one host"))
            } else {
                for _, hostname := range i.Hosts {
                    errs = appendErrors(errs, validateNamespaceSlashWildcardHostname(hostname, false))
                }
            }

        }

        errs = appendErrors(errs, validateSidecarOutboundTrafficPolicy(rule.OutboundTrafficPolicy))

        return
    })

ValidateSidecar checks sidecar config supplied by user

var ValidateVirtualService = registerValidateFunc("ValidateVirtualService",
    func(_, namespace string, msg proto.Message) (errs error) {
        virtualService, ok := msg.(*networking.VirtualService)
        if !ok {
            return errors.New("cannot cast to virtual service")
        }

        isDelegate := false
        if len(virtualService.Hosts) == 0 {
            if features.EnableVirtualServiceDelegate {
                isDelegate = true
            } else {
                errs = appendErrors(errs, fmt.Errorf("virtual service must have at least one host"))
            }
        }

        if isDelegate {
            if len(virtualService.Gateways) != 0 {

                errs = appendErrors(errs, fmt.Errorf("delegate virtual service must have no gateways specified"))
            }
            if len(virtualService.Tls) != 0 {

                errs = appendErrors(errs, fmt.Errorf("delegate virtual service must have no tls route specified"))
            }
            if len(virtualService.Tcp) != 0 {

                errs = appendErrors(errs, fmt.Errorf("delegate virtual service must have no tcp route specified"))
            }
        }

        appliesToMesh := false
        appliesToGateway := false
        if len(virtualService.Gateways) == 0 {
            appliesToMesh = true
        }

        errs = appendErrors(errs, validateGatewayNames(virtualService.Gateways))
        for _, gatewayName := range virtualService.Gateways {
            if gatewayName == constants.IstioMeshGateway {
                appliesToMesh = true
            } else {
                appliesToGateway = true
            }
        }

        allHostsValid := true
        for _, virtualHost := range virtualService.Hosts {
            if err := ValidateWildcardDomain(virtualHost); err != nil {
                ipAddr := net.ParseIP(virtualHost)
                if ipAddr == nil {
                    errs = appendErrors(errs, err)
                    allHostsValid = false
                }
            } else if appliesToMesh && virtualHost == "*" {
                errs = appendErrors(errs, fmt.Errorf("wildcard host * is not allowed for virtual services bound to the mesh gateway"))
                allHostsValid = false
            }
        }

        if allHostsValid {
            for i := 0; i < len(virtualService.Hosts); i++ {
                hostI := host.Name(virtualService.Hosts[i])
                for j := i + 1; j < len(virtualService.Hosts); j++ {
                    hostJ := host.Name(virtualService.Hosts[j])
                    if hostI.Matches(hostJ) {
                        errs = appendErrors(errs, fmt.Errorf("duplicate hosts in virtual service: %s & %s", hostI, hostJ))
                    }
                }
            }
        }

        if len(virtualService.Http) == 0 && len(virtualService.Tcp) == 0 && len(virtualService.Tls) == 0 {
            errs = appendErrors(errs, errors.New("http, tcp or tls must be provided in virtual service"))
        }
        for _, httpRoute := range virtualService.Http {
            if httpRoute == nil {
                errs = appendErrors(errs, errors.New("http route may not be null"))
                continue
            }
            if !appliesToGateway && httpRoute.Delegate != nil {
                errs = appendErrors(errs, errors.New("http delegate only applies to gateway"))
            }
            errs = appendErrors(errs, validateHTTPRoute(httpRoute, isDelegate))
        }
        for _, tlsRoute := range virtualService.Tls {
            errs = appendErrors(errs, validateTLSRoute(tlsRoute, virtualService))
        }
        for _, tcpRoute := range virtualService.Tcp {
            errs = appendErrors(errs, validateTCPRoute(tcpRoute))
        }

        errs = appendErrors(errs, validateExportTo(namespace, virtualService.ExportTo, false))
        return
    })

ValidateVirtualService checks that a v1alpha3 route rule is well-formed.

var ValidateWorkloadEntry = registerValidateFunc("ValidateWorkloadEntry",
    func(_, _ string, config proto.Message) (errs error) {
        we, ok := config.(*networking.WorkloadEntry)
        if !ok {
            return fmt.Errorf("cannot cast to workload entry")
        }
        if we.Address == "" {
            return fmt.Errorf("address must be set")
        }

        return nil
    })

ValidateWorkloadEntry validates a workload entry.

func IsValidateFunc Uses

func IsValidateFunc(name string) bool

IsValidateFunc indicates whether there is a validation function with the given name.

func ValidateConnectTimeout Uses

func ValidateConnectTimeout(timeout *types.Duration) error

ValidateConnectTimeout validates the envoy conncection timeout

func ValidateDatadogCollector Uses

func ValidateDatadogCollector(d *meshconfig.Tracing_Datadog) error

ValidateDatadogCollector validates the configuration for sending envoy spans to Datadog

func ValidateDuration Uses

func ValidateDuration(pd *types.Duration) error

ValidateDuration checks that a proto duration is well-formed

func ValidateDurationGogo Uses

func ValidateDurationGogo(pd *types.Duration) error

ValidateDurationGogo checks that a gogo proto duration is well-formed

func ValidateDurationRange Uses

func ValidateDurationRange(dur, min, max time.Duration) error

ValidateDurationRange verifies range is in specified duration

func ValidateFQDN Uses

func ValidateFQDN(fqdn string) error

ValidateFQDN checks a fully-qualified domain name

func ValidateGogoDuration Uses

func ValidateGogoDuration(in *types.Duration) error

ValidateGogoDuration validates the variant of duration.

func ValidateHTTPHeaderName Uses

func ValidateHTTPHeaderName(name string) error

ValidateHTTPHeaderName validates a header name

func ValidateIPAddress Uses

func ValidateIPAddress(addr string) error

ValidateIPAddress validates that a string in "CIDR notation" or "Dot-decimal notation"

func ValidateIPSubnet Uses

func ValidateIPSubnet(subnet string) error

ValidateIPSubnet checks that a string is in "CIDR notation" or "Dot-decimal notation"

func ValidateLightstepCollector Uses

func ValidateLightstepCollector(ls *meshconfig.Tracing_Lightstep) error

ValidateLightstepCollector validates the configuration for sending envoy spans to LightStep

func ValidateMeshConfig Uses

func ValidateMeshConfig(mesh *meshconfig.MeshConfig) (errs error)

ValidateMeshConfig checks that the mesh config is well-formed

func ValidateMeshNetworks Uses

func ValidateMeshNetworks(meshnetworks *meshconfig.MeshNetworks) (errs error)

ValidateMeshNetworks validates meshnetworks.

func ValidateParentAndDrain Uses

func ValidateParentAndDrain(drainTime, parentShutdown *types.Duration) (errs error)

ValidateParentAndDrain checks that parent and drain durations are valid

func ValidatePercent Uses

func ValidatePercent(val int32) error

ValidatePercent checks that percent is in range

func ValidatePort Uses

func ValidatePort(port int) error

ValidatePort checks that the network port is in range

func ValidatePortName Uses

func ValidatePortName(name string) error

func ValidateProtocol Uses

func ValidateProtocol(protocolStr string) error

func ValidateProtocolDetectionTimeout Uses

func ValidateProtocolDetectionTimeout(timeout *types.Duration) error

ValidateProtocolDetectionTimeout validates the envoy protocol detection timeout

func ValidateProxyAddress Uses

func ValidateProxyAddress(hostAddr string) error

ValidateProxyAddress checks that a network address is well-formed

func ValidateProxyConfig Uses

func ValidateProxyConfig(config *meshconfig.ProxyConfig) (errs error)

ValidateProxyConfig checks that the mesh config is well-formed

func ValidateUnixAddress Uses

func ValidateUnixAddress(addr string) error

ValidateUnixAddress validates that the string is a valid unix domain socket path.

func ValidateWildcardDomain Uses

func ValidateWildcardDomain(domain string) error

ValidateWildcardDomain checks that a domain is a valid FQDN, but also allows wildcard prefixes.

func ValidateZipkinCollector Uses

func ValidateZipkinCollector(z *meshconfig.Tracing_Zipkin) error

ValidateZipkinCollector validates the configuration for sending envoy spans to Zipkin

type ValidateFunc Uses

type ValidateFunc func(name, namespace string, config proto.Message) error

Validate defines a validation func for an API proto.

func GetValidateFunc Uses

func GetValidateFunc(name string) ValidateFunc

GetValidateFunc returns the validation function with the given name, or null if it does not exist.

Package validation imports 27 packages (graph) and is imported by 24 packages. Updated 2020-08-13. Refresh now. Tools for package owners.