Add usesNAT flag to control nonMasqueradeCIDR check for custom CNI ne…

…tworking
kubernetes · May 7, 2019 · 1251f77 · 1251f77
1 parent a8a1f7e
commit 1251f77
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/pkg/apis/kops/networking.go b/pkg/apis/kops/networking.go
@@ -52,6 +52,7 @@ type ExternalNetworkingSpec struct {
 // but this is useful for arbitrary network modes or for modes that don't need additional configuration.
 type CNINetworkingSpec struct {
 	UsesSecondaryIP bool `json:"usesSecondaryIP,omitempty"`
+	UsesNAT bool `json:"usesNAT,omitempty"`
 }
 
 // KopeioNetworkingSpec declares that we want Kopeio networking

diff --git a/pkg/apis/kops/validation/legacy.go b/pkg/apis/kops/validation/legacy.go
@@ -196,7 +196,11 @@ func ValidateCluster(c *kops.Cluster, strict bool) *field.Error {
 			return field.Invalid(fieldSpec.Child("NonMasqueradeCIDR"), nonMasqueradeCIDRString, "Cluster had an invalid NonMasqueradeCIDR")
 		}
 
-		if networkCIDR != nil && subnet.Overlap(nonMasqueradeCIDR, networkCIDR) && c.Spec.Networking != nil && c.Spec.Networking.AmazonVPC == nil && c.Spec.Networking.LyftVPC == nil {
+		if networkCIDR != nil && subnet.Overlap(nonMasqueradeCIDR, networkCIDR) &&
+			c.Spec.Networking != nil &&
+			(c.Spec.Networking.CNI == nil || c.Spec.Networking.CNI.UsesNAT) &&
+			c.Spec.Networking.AmazonVPC == nil &&
+			c.Spec.Networking.LyftVPC == nil {
 
 			return field.Invalid(fieldSpec.Child("NonMasqueradeCIDR"), nonMasqueradeCIDRString, fmt.Sprintf("NonMasqueradeCIDR %q cannot overlap with NetworkCIDR %q", nonMasqueradeCIDRString, c.Spec.NetworkCIDR))
 		}