import "istio.io/istio/pkg/config/validation"
validation.go virtualservice.go
const (
// UnixAddressPrefix is the prefix used to indicate an address is for a Unix Domain socket. It is used in
// ServiceEntry.Endpoint.Address message.
UnixAddressPrefix = "unix://"
)Constants for duration fields
var (
// EmptyValidate is a Validate that does nothing and returns no error.
EmptyValidate = registerValidateFunc("EmptyValidate",
func(string, string, proto.Message) error {
return nil
})
)var ValidateAuthorizationPolicy = registerValidateFunc("ValidateAuthorizationPolicy", func(name, namespace string, msg proto.Message) error { in, ok := msg.(*security_beta.AuthorizationPolicy) if !ok { return fmt.Errorf("cannot cast to AuthorizationPolicy") } if err := validateWorkloadSelector(in.Selector); err != nil { return err } if in.Action == security_beta.AuthorizationPolicy_DENY && in.Rules == nil { return fmt.Errorf("a deny policy without `rules` is meaningless and has no effect, found in %s.%s", name, namespace) } var errs error for i, rule := range in.GetRules() { if rule == nil { errs = appendErrors(errs, fmt.Errorf("`rule` must not be null, found at rule %d in %s.%s", i, name, namespace)) continue } if rule.From != nil && len(rule.From) == 0 { errs = appendErrors(errs, fmt.Errorf("`from` must not be empty, found at rule %d in %s.%s", i, name, namespace)) } for _, from := range rule.From { if from == nil { errs = appendErrors(errs, fmt.Errorf("`from` must not be null, found at rule %d in %s.%s", i, name, namespace)) continue } if from.Source == nil { errs = appendErrors(errs, fmt.Errorf("`from.source` must not be nil, found at rule %d in %s.%s", i, name, namespace)) } else { src := from.Source if len(src.Principals) == 0 && len(src.RequestPrincipals) == 0 && len(src.Namespaces) == 0 && len(src.IpBlocks) == 0 && len(src.NotPrincipals) == 0 && len(src.NotRequestPrincipals) == 0 && len(src.NotNamespaces) == 0 && len(src.NotIpBlocks) == 0 { errs = appendErrors(errs, fmt.Errorf("`from.source` must not be empty, found at rule %d in %s.%s", i, name, namespace)) } errs = appendErrors(errs, security.ValidateIPs(from.Source.GetIpBlocks())) errs = appendErrors(errs, security.ValidateIPs(from.Source.GetNotIpBlocks())) errs = appendErrors(errs, security.CheckEmptyValues("Principals", src.Principals)) errs = appendErrors(errs, security.CheckEmptyValues("RequestPrincipals", src.RequestPrincipals)) errs = appendErrors(errs, security.CheckEmptyValues("Namespaces", src.Namespaces)) errs = appendErrors(errs, security.CheckEmptyValues("IpBlocks", src.IpBlocks)) errs = appendErrors(errs, security.CheckEmptyValues("NotPrincipals", src.NotPrincipals)) errs = appendErrors(errs, security.CheckEmptyValues("NotRequestPrincipals", src.NotRequestPrincipals)) errs = appendErrors(errs, security.CheckEmptyValues("NotNamespaces", src.NotNamespaces)) errs = appendErrors(errs, security.CheckEmptyValues("NotIpBlocks", src.NotIpBlocks)) } } if rule.To != nil && len(rule.To) == 0 { errs = appendErrors(errs, fmt.Errorf("`to` must not be empty, found at rule %d in %s.%s", i, name, namespace)) } for _, to := range rule.To { if to == nil { errs = appendErrors(errs, fmt.Errorf("`to` must not be nil, found at rule %d in %s.%s", i, name, namespace)) continue } if to.Operation == nil { errs = appendErrors(errs, fmt.Errorf("`to.operation` must not be nil, found at rule %d in %s.%s", i, name, namespace)) } else { op := to.Operation if len(op.Ports) == 0 && len(op.Methods) == 0 && len(op.Paths) == 0 && len(op.Hosts) == 0 && len(op.NotPorts) == 0 && len(op.NotMethods) == 0 && len(op.NotPaths) == 0 && len(op.NotHosts) == 0 { errs = appendErrors(errs, fmt.Errorf("`to.operation` must not be empty, found at rule %d in %s.%s", i, name, namespace)) } errs = appendErrors(errs, security.ValidatePorts(to.Operation.GetPorts())) errs = appendErrors(errs, security.ValidatePorts(to.Operation.GetNotPorts())) errs = appendErrors(errs, security.CheckEmptyValues("Ports", op.Ports)) errs = appendErrors(errs, security.CheckEmptyValues("Methods", op.Methods)) errs = appendErrors(errs, security.CheckEmptyValues("Paths", op.Paths)) errs = appendErrors(errs, security.CheckEmptyValues("Hosts", op.Hosts)) errs = appendErrors(errs, security.CheckEmptyValues("NotPorts", op.NotPorts)) errs = appendErrors(errs, security.CheckEmptyValues("NotMethods", op.NotMethods)) errs = appendErrors(errs, security.CheckEmptyValues("NotPaths", op.NotPaths)) errs = appendErrors(errs, security.CheckEmptyValues("NotHosts", op.NotHosts)) } } for _, condition := range rule.GetWhen() { key := condition.GetKey() if key == "" { errs = appendErrors(errs, fmt.Errorf("`key` must not be empty, found in %s.%s", name, namespace)) } else { if len(condition.GetValues()) == 0 && len(condition.GetNotValues()) == 0 { errs = appendErrors(errs, fmt.Errorf("at least one of `values` or `notValues` must be set for key %s, found in %s.%s", key, name, namespace)) } else { if err := security.ValidateAttribute(key, condition.GetValues()); err != nil { errs = appendErrors(errs, fmt.Errorf("invalid `value` for `key` %s: %v, found in %s.%s", key, err, name, namespace)) } if err := security.ValidateAttribute(key, condition.GetNotValues()); err != nil { errs = appendErrors(errs, fmt.Errorf("invalid `notValue` for `key` %s: %v, found in %s.%s", key, err, name, namespace)) } } } } } return errs })
ValidateAuthorizationPolicy checks that AuthorizationPolicy is well-formed.
var ValidateDestinationRule = registerValidateFunc("ValidateDestinationRule", func(_, namespace string, msg proto.Message) (errs error) { rule, ok := msg.(*networking.DestinationRule) if !ok { return fmt.Errorf("cannot cast to destination rule") } errs = appendErrors(errs, ValidateWildcardDomain(rule.Host), validateTrafficPolicy(rule.TrafficPolicy)) for _, subset := range rule.Subsets { if subset == nil { errs = appendErrors(errs, errors.New("subset may not be null")) continue } errs = appendErrors(errs, validateSubset(subset)) } errs = appendErrors(errs, validateExportTo(namespace, rule.ExportTo, false)) return })
ValidateDestinationRule checks proxy policies
var ValidateEnvoyFilter = registerValidateFunc("ValidateEnvoyFilter", func(_, _ string, msg proto.Message) (errs error) { rule, ok := msg.(*networking.EnvoyFilter) if !ok { return fmt.Errorf("cannot cast to Envoy filter") } if err := validateAlphaWorkloadSelector(rule.WorkloadSelector); err != nil { return err } for _, cp := range rule.ConfigPatches { if cp == nil { errs = appendErrors(errs, fmt.Errorf("Envoy filter: null config patch")) continue } if cp.ApplyTo == networking.EnvoyFilter_INVALID { errs = appendErrors(errs, fmt.Errorf("Envoy filter: missing applyTo")) continue } if cp.Patch == nil { errs = appendErrors(errs, fmt.Errorf("Envoy filter: missing patch")) continue } if cp.Patch.Operation == networking.EnvoyFilter_Patch_INVALID { errs = appendErrors(errs, fmt.Errorf("Envoy filter: missing patch operation")) continue } if cp.Patch.Operation != networking.EnvoyFilter_Patch_REMOVE && cp.Patch.Value == nil { errs = appendErrors(errs, fmt.Errorf("Envoy filter: missing patch value for non-remove operation")) continue } if cp.Match != nil && cp.Match.Proxy != nil && cp.Match.Proxy.ProxyVersion != "" { if _, err := regexp.Compile(cp.Match.Proxy.ProxyVersion); err != nil { errs = appendErrors(errs, fmt.Errorf("Envoy filter: invalid regex for proxy version, [%v]", err)) continue } } switch cp.ApplyTo { case networking.EnvoyFilter_LISTENER, networking.EnvoyFilter_FILTER_CHAIN, networking.EnvoyFilter_NETWORK_FILTER, networking.EnvoyFilter_HTTP_FILTER: if cp.Match != nil && cp.Match.ObjectTypes != nil { if cp.Match.GetListener() == nil { errs = appendErrors(errs, fmt.Errorf("Envoy filter: applyTo for listener class objects cannot have non listener match")) continue } listenerMatch := cp.Match.GetListener() if listenerMatch.FilterChain != nil { if listenerMatch.FilterChain.Filter != nil { if listenerMatch.FilterChain.Filter.Name == "" { errs = appendErrors(errs, fmt.Errorf("Envoy filter: filter match has no name to match on")) continue } else if listenerMatch.FilterChain.Filter.SubFilter != nil { if cp.ApplyTo != networking.EnvoyFilter_HTTP_FILTER { errs = appendErrors(errs, fmt.Errorf("Envoy filter: subfilter match can be used with applyTo HTTP_FILTER only")) continue } if listenerMatch.FilterChain.Filter.Name != wellknown.HTTPConnectionManager && listenerMatch.FilterChain.Filter.Name != "envoy.http_connection_manager" { errs = appendErrors(errs, fmt.Errorf("Envoy filter: subfilter match requires filter match with %s", wellknown.HTTPConnectionManager)) continue } if listenerMatch.FilterChain.Filter.SubFilter.Name == "" { errs = appendErrors(errs, fmt.Errorf("Envoy filter: subfilter match has no name to match on")) continue } } } } } case networking.EnvoyFilter_ROUTE_CONFIGURATION, networking.EnvoyFilter_VIRTUAL_HOST, networking.EnvoyFilter_HTTP_ROUTE: if cp.Match != nil && cp.Match.ObjectTypes != nil { if cp.Match.GetRouteConfiguration() == nil { errs = appendErrors(errs, fmt.Errorf("Envoy filter: applyTo for http route class objects cannot have non route configuration match")) } } case networking.EnvoyFilter_CLUSTER: if cp.Match != nil && cp.Match.ObjectTypes != nil { if cp.Match.GetCluster() == nil { errs = appendErrors(errs, fmt.Errorf("Envoy filter: applyTo for cluster class objects cannot have non cluster match")) } } } if _, err := xds.BuildXDSObjectFromStruct(cp.ApplyTo, cp.Patch.Value); err != nil { errs = appendErrors(errs, err) } } return })
ValidateEnvoyFilter checks envoy filter config supplied by user
var ValidateGateway = registerValidateFunc("ValidateGateway", func(name, _ string, msg proto.Message) (errs error) { if !labels.IsDNS1123Label(name) { errs = appendErrors(errs, fmt.Errorf("invalid gateway name: %q", name)) } value, ok := msg.(*networking.Gateway) if !ok { errs = appendErrors(errs, fmt.Errorf("cannot cast to gateway: %#v", msg)) return } if len(value.Servers) == 0 { errs = appendErrors(errs, fmt.Errorf("gateway must have at least one server")) } else { for _, server := range value.Servers { errs = appendErrors(errs, validateServer(server)) } } portNames := make(map[string]bool) for _, s := range value.Servers { if s == nil { errs = appendErrors(errs, fmt.Errorf("server may not be nil")) continue } if s.Port != nil { if portNames[s.Port.Name] { errs = appendErrors(errs, fmt.Errorf("port names in servers must be unique: duplicate name %s", s.Port.Name)) } portNames[s.Port.Name] = true } } return errs })
ValidateGateway checks gateway specifications
var ValidatePeerAuthentication = registerValidateFunc("ValidatePeerAuthentication", func(name, namespace string, msg proto.Message) error { in, ok := msg.(*security_beta.PeerAuthentication) if !ok { return errors.New("cannot cast to PeerAuthentication") } var errs error emptySelector := in.Selector == nil || len(in.Selector.MatchLabels) == 0 if emptySelector && len(in.PortLevelMtls) != 0 { errs = appendErrors(errs, fmt.Errorf("mesh/namespace peer authentication cannot have port level mTLS")) } if in.PortLevelMtls != nil && len(in.PortLevelMtls) == 0 { errs = appendErrors(errs, fmt.Errorf("port level mTLS, if defined, must have at least one element")) } for port := range in.PortLevelMtls { if port == 0 { errs = appendErrors(errs, fmt.Errorf("port cannot be 0")) } } errs = appendErrors(errs, validateWorkloadSelector(in.Selector)) return errs })
ValidatePeerAuthentication checks that peer authentication spec is well-formed.
var ValidateRequestAuthentication = registerValidateFunc("ValidateRequestAuthentication", func(name, namespace string, msg proto.Message) error { in, ok := msg.(*security_beta.RequestAuthentication) if !ok { return errors.New("cannot cast to RequestAuthentication") } var errs error errs = appendErrors(errs, validateWorkloadSelector(in.Selector)) for _, rule := range in.JwtRules { errs = appendErrors(errs, validateJwtRule(rule)) } return errs })
ValidateRequestAuthentication checks that request authentication spec is well-formed.
var ValidateServiceEntry = registerValidateFunc("ValidateServiceEntry", func(_, namespace string, config proto.Message) (errs error) { serviceEntry, ok := config.(*networking.ServiceEntry) if !ok { return fmt.Errorf("cannot cast to service entry") } if err := validateAlphaWorkloadSelector(serviceEntry.WorkloadSelector); err != nil { return err } if serviceEntry.WorkloadSelector != nil && serviceEntry.Endpoints != nil { errs = appendErrors(errs, fmt.Errorf("only one of WorkloadSelector or Endpoints is allowed in Service Entry")) } if len(serviceEntry.Hosts) == 0 { errs = appendErrors(errs, fmt.Errorf("service entry must have at least one host")) } for _, hostname := range serviceEntry.Hosts { if hostname == "*" { errs = appendErrors(errs, fmt.Errorf("invalid host %s", hostname)) } else { errs = appendErrors(errs, ValidateWildcardDomain(hostname)) } } cidrFound := false for _, address := range serviceEntry.Addresses { cidrFound = cidrFound || strings.Contains(address, "/") errs = appendErrors(errs, ValidateIPSubnet(address)) } if cidrFound { if serviceEntry.Resolution != networking.ServiceEntry_NONE && serviceEntry.Resolution != networking.ServiceEntry_STATIC { errs = appendErrors(errs, fmt.Errorf("CIDR addresses are allowed only for NONE/STATIC resolution types")) } } servicePortNumbers := make(map[uint32]bool) servicePorts := make(map[string]bool, len(serviceEntry.Ports)) for _, port := range serviceEntry.Ports { if port == nil { errs = appendErrors(errs, fmt.Errorf("service entry port may not be null")) continue } if servicePorts[port.Name] { errs = appendErrors(errs, fmt.Errorf("service entry port name %q already defined", port.Name)) } servicePorts[port.Name] = true if servicePortNumbers[port.Number] { errs = appendErrors(errs, fmt.Errorf("service entry port %d already defined", port.Number)) } servicePortNumbers[port.Number] = true } switch serviceEntry.Resolution { case networking.ServiceEntry_NONE: if len(serviceEntry.Endpoints) != 0 { errs = appendErrors(errs, fmt.Errorf("no endpoints should be provided for resolution type none")) } case networking.ServiceEntry_STATIC: unixEndpoint := false for _, endpoint := range serviceEntry.Endpoints { addr := endpoint.GetAddress() if strings.HasPrefix(addr, UnixAddressPrefix) { unixEndpoint = true errs = appendErrors(errs, ValidateUnixAddress(strings.TrimPrefix(addr, UnixAddressPrefix))) if len(endpoint.Ports) != 0 { errs = appendErrors(errs, fmt.Errorf("unix endpoint %s must not include ports", addr)) } } else { errs = appendErrors(errs, ValidateIPAddress(addr)) for name, port := range endpoint.Ports { if !servicePorts[name] { errs = appendErrors(errs, fmt.Errorf("endpoint port %v is not defined by the service entry", port)) } } } errs = appendErrors(errs, labels.Instance(endpoint.Labels).Validate()) } if unixEndpoint && len(serviceEntry.Ports) != 1 { errs = appendErrors(errs, errors.New("exactly 1 service port required for unix endpoints")) } case networking.ServiceEntry_DNS: if len(serviceEntry.Endpoints) == 0 { for _, hostname := range serviceEntry.Hosts { if err := ValidateFQDN(hostname); err != nil { errs = appendErrors(errs, fmt.Errorf("hosts must be FQDN if no endpoints are provided for resolution mode DNS")) } } } for _, endpoint := range serviceEntry.Endpoints { ipAddr := net.ParseIP(endpoint.Address) if ipAddr == nil { if err := ValidateFQDN(endpoint.Address); err != nil { errs = appendErrors(errs, fmt.Errorf("endpoint address %q is not a valid FQDN or an IP address", endpoint.Address)) } } errs = appendErrors(errs, labels.Instance(endpoint.Labels).Validate()) for name, port := range endpoint.Ports { if !servicePorts[name] { errs = appendErrors(errs, fmt.Errorf("endpoint port %v is not defined by the service entry", port)) } errs = appendErrors(errs, ValidatePortName(name), ValidatePort(int(port))) } } default: errs = appendErrors(errs, fmt.Errorf("unsupported resolution type %s", networking.ServiceEntry_Resolution_name[int32(serviceEntry.Resolution)])) } if serviceEntry.Resolution != networking.ServiceEntry_NONE && len(serviceEntry.Hosts) > 1 { canDifferentiate := true for _, port := range serviceEntry.Ports { p := protocol.Parse(port.Protocol) if !p.IsHTTP() && !p.IsTLS() { canDifferentiate = false break } } if !canDifferentiate { errs = appendErrors(errs, fmt.Errorf("multiple hosts provided with non-HTTP, non-TLS ports")) } } for _, port := range serviceEntry.Ports { if port == nil { errs = appendErrors(errs, errors.New("port may not be null")) continue } errs = appendErrors(errs, ValidatePortName(port.Name), ValidateProtocol(port.Protocol), ValidatePort(int(port.Number))) } errs = appendErrors(errs, validateExportTo(namespace, serviceEntry.ExportTo, true)) return })
ValidateServiceEntry validates a service entry.
var ValidateSidecar = registerValidateFunc("ValidateSidecar", func(_, _ string, msg proto.Message) (errs error) { rule, ok := msg.(*networking.Sidecar) if !ok { return fmt.Errorf("cannot cast to Sidecar") } if err := validateAlphaWorkloadSelector(rule.WorkloadSelector); err != nil { return err } if len(rule.Egress) == 0 { return fmt.Errorf("sidecar: missing egress") } portMap := make(map[uint32]struct{}) for _, i := range rule.Ingress { if i == nil { errs = appendErrors(errs, fmt.Errorf("sidecar: ingress may not be null")) continue } if i.Port == nil { errs = appendErrors(errs, fmt.Errorf("sidecar: port is required for ingress listeners")) continue } bind := i.GetBind() errs = appendErrors(errs, validateSidecarIngressPortAndBind(i.Port, bind)) if _, found := portMap[i.Port.Number]; found { errs = appendErrors(errs, fmt.Errorf("sidecar: ports on IP bound listeners must be unique")) } portMap[i.Port.Number] = struct{}{} if len(i.DefaultEndpoint) == 0 { errs = appendErrors(errs, fmt.Errorf("sidecar: default endpoint must be set for all ingress listeners")) } else { if strings.HasPrefix(i.DefaultEndpoint, UnixAddressPrefix) { errs = appendErrors(errs, ValidateUnixAddress(strings.TrimPrefix(i.DefaultEndpoint, UnixAddressPrefix))) } else { parts := strings.Split(i.DefaultEndpoint, ":") if len(parts) < 2 { errs = appendErrors(errs, fmt.Errorf("sidecar: defaultEndpoint must be of form 127.0.0.1:<port>")) } else { if len(parts[0]) > 0 && parts[0] != "127.0.0.1" { errs = appendErrors(errs, fmt.Errorf("sidecar: defaultEndpoint must be of form 127.0.0.1:<port>")) } port, err := strconv.Atoi(parts[1]) if err != nil { errs = appendErrors(errs, fmt.Errorf("sidecar: defaultEndpoint port (%s) is not a number: %v", parts[1], err)) } else { errs = appendErrors(errs, ValidatePort(port)) } } } } } portMap = make(map[uint32]struct{}) udsMap := make(map[string]struct{}) catchAllEgressListenerFound := false for index, i := range rule.Egress { if i == nil { errs = appendErrors(errs, errors.New("egress listener may not be null")) continue } if i.Port == nil { if !catchAllEgressListenerFound { if index == len(rule.Egress)-1 { catchAllEgressListenerFound = true } else { errs = appendErrors(errs, fmt.Errorf("sidecar: the egress listener with empty port should be the last listener in the list")) } } else { errs = appendErrors(errs, fmt.Errorf("sidecar: egress can have only one listener with empty port")) continue } } else { bind := i.GetBind() captureMode := i.GetCaptureMode() errs = appendErrors(errs, validateSidecarEgressPortBindAndCaptureMode(i.Port, bind, captureMode)) if i.Port.Number == 0 { if _, found := udsMap[bind]; found { errs = appendErrors(errs, fmt.Errorf("sidecar: unix domain socket values for listeners must be unique")) } udsMap[bind] = struct{}{} } else { if _, found := portMap[i.Port.Number]; found { errs = appendErrors(errs, fmt.Errorf("sidecar: ports on IP bound listeners must be unique")) } portMap[i.Port.Number] = struct{}{} } } if len(i.Hosts) == 0 { errs = appendErrors(errs, fmt.Errorf("sidecar: egress listener must contain at least one host")) } else { for _, hostname := range i.Hosts { errs = appendErrors(errs, validateNamespaceSlashWildcardHostname(hostname, false)) } } } errs = appendErrors(errs, validateSidecarOutboundTrafficPolicy(rule.OutboundTrafficPolicy)) return })
ValidateSidecar checks sidecar config supplied by user
var ValidateVirtualService = registerValidateFunc("ValidateVirtualService", func(_, namespace string, msg proto.Message) (errs error) { virtualService, ok := msg.(*networking.VirtualService) if !ok { return errors.New("cannot cast to virtual service") } isDelegate := false if len(virtualService.Hosts) == 0 { if features.EnableVirtualServiceDelegate { isDelegate = true } else { errs = appendErrors(errs, fmt.Errorf("virtual service must have at least one host")) } } if isDelegate { if len(virtualService.Gateways) != 0 { errs = appendErrors(errs, fmt.Errorf("delegate virtual service must have no gateways specified")) } if len(virtualService.Tls) != 0 { errs = appendErrors(errs, fmt.Errorf("delegate virtual service must have no tls route specified")) } if len(virtualService.Tcp) != 0 { errs = appendErrors(errs, fmt.Errorf("delegate virtual service must have no tcp route specified")) } } appliesToMesh := false appliesToGateway := false if len(virtualService.Gateways) == 0 { appliesToMesh = true } errs = appendErrors(errs, validateGatewayNames(virtualService.Gateways)) for _, gatewayName := range virtualService.Gateways { if gatewayName == constants.IstioMeshGateway { appliesToMesh = true } else { appliesToGateway = true } } allHostsValid := true for _, virtualHost := range virtualService.Hosts { if err := ValidateWildcardDomain(virtualHost); err != nil { ipAddr := net.ParseIP(virtualHost) if ipAddr == nil { errs = appendErrors(errs, err) allHostsValid = false } } else if appliesToMesh && virtualHost == "*" { errs = appendErrors(errs, fmt.Errorf("wildcard host * is not allowed for virtual services bound to the mesh gateway")) allHostsValid = false } } if allHostsValid { for i := 0; i < len(virtualService.Hosts); i++ { hostI := host.Name(virtualService.Hosts[i]) for j := i + 1; j < len(virtualService.Hosts); j++ { hostJ := host.Name(virtualService.Hosts[j]) if hostI.Matches(hostJ) { errs = appendErrors(errs, fmt.Errorf("duplicate hosts in virtual service: %s & %s", hostI, hostJ)) } } } } if len(virtualService.Http) == 0 && len(virtualService.Tcp) == 0 && len(virtualService.Tls) == 0 { errs = appendErrors(errs, errors.New("http, tcp or tls must be provided in virtual service")) } for _, httpRoute := range virtualService.Http { if httpRoute == nil { errs = appendErrors(errs, errors.New("http route may not be null")) continue } if !appliesToGateway && httpRoute.Delegate != nil { errs = appendErrors(errs, errors.New("http delegate only applies to gateway")) } errs = appendErrors(errs, validateHTTPRoute(httpRoute, isDelegate)) } for _, tlsRoute := range virtualService.Tls { errs = appendErrors(errs, validateTLSRoute(tlsRoute, virtualService)) } for _, tcpRoute := range virtualService.Tcp { errs = appendErrors(errs, validateTCPRoute(tcpRoute)) } errs = appendErrors(errs, validateExportTo(namespace, virtualService.ExportTo, false)) return })
ValidateVirtualService checks that a v1alpha3 route rule is well-formed.
var ValidateWorkloadEntry = registerValidateFunc("ValidateWorkloadEntry", func(_, _ string, config proto.Message) (errs error) { we, ok := config.(*networking.WorkloadEntry) if !ok { return fmt.Errorf("cannot cast to workload entry") } if we.Address == "" { return fmt.Errorf("address must be set") } return nil })
ValidateWorkloadEntry validates a workload entry.
IsValidateFunc indicates whether there is a validation function with the given name.
ValidateConnectTimeout validates the envoy conncection timeout
func ValidateDatadogCollector(d *meshconfig.Tracing_Datadog) error
ValidateDatadogCollector validates the configuration for sending envoy spans to Datadog
ValidateDuration checks that a proto duration is well-formed
ValidateDurationGogo checks that a gogo proto duration is well-formed
ValidateDurationRange verifies range is in specified duration
ValidateFQDN checks a fully-qualified domain name
ValidateGogoDuration validates the variant of duration.
ValidateHTTPHeaderName validates a header name
ValidateIPAddress validates that a string in "CIDR notation" or "Dot-decimal notation"
ValidateIPSubnet checks that a string is in "CIDR notation" or "Dot-decimal notation"
func ValidateLightstepCollector(ls *meshconfig.Tracing_Lightstep) error
ValidateLightstepCollector validates the configuration for sending envoy spans to LightStep
func ValidateMeshConfig(mesh *meshconfig.MeshConfig) (errs error)
ValidateMeshConfig checks that the mesh config is well-formed
func ValidateMeshNetworks(meshnetworks *meshconfig.MeshNetworks) (errs error)
ValidateMeshNetworks validates meshnetworks.
ValidateParentAndDrain checks that parent and drain durations are valid
ValidatePercent checks that percent is in range
ValidatePort checks that the network port is in range
ValidateProtocolDetectionTimeout validates the envoy protocol detection timeout
ValidateProxyAddress checks that a network address is well-formed
func ValidateProxyConfig(config *meshconfig.ProxyConfig) (errs error)
ValidateProxyConfig checks that the mesh config is well-formed
ValidateUnixAddress validates that the string is a valid unix domain socket path.
ValidateWildcardDomain checks that a domain is a valid FQDN, but also allows wildcard prefixes.
func ValidateZipkinCollector(z *meshconfig.Tracing_Zipkin) error
ValidateZipkinCollector validates the configuration for sending envoy spans to Zipkin
Validate defines a validation func for an API proto.
func GetValidateFunc(name string) ValidateFunc
GetValidateFunc returns the validation function with the given name, or null if it does not exist.
Package validation imports 27 packages (graph) and is imported by 24 packages. Updated 2020-08-13. Refresh now. Tools for package owners.