hashicorp · ndhanushkodi · Jan 31, 2024 · Jan 30, 2024 · Jan 30, 2024 · Jan 31, 2024
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"net"
 	"sort"
+	"strconv"
 	"strings"
 
 	"github.com/go-logr/logr"
@@ -445,10 +446,14 @@ func getEffectiveTargetPort(targetPort intstr.IntOrString, prefixedPods selector
 	var mostPrevalentContainerPort *corev1.ContainerPort
 	maxCount := 0
 	effectiveNameForPort := func(port *corev1.ContainerPort) string {
-		if port.Name != "" {
-			return port.Name
+		var isNum bool
+		if _, err := strconv.Atoi(port.Name); err == nil {
+			isNum = true
 		}
-		return targetPort.String()
+		if port.Name == "" || isNum {
+			return "cslport-" + targetPort.String()
+		}
+		return port.Name
 	}
 	for _, podData := range prefixedPods {
 		containerPort := getTargetContainerPort(targetPortInt, podData.samplePod)
@@ -493,7 +498,7 @@ func getEffectiveTargetPort(targetPort intstr.IntOrString, prefixedPods selector
 
 	// If still no match for the target port, fall back to string-ifying the target port name, which
 	// is what the PodController will do when converting unnamed ContainerPorts to Workload ports.
-	return targetPort.String()
+	return "cslport-" + targetPort.String()
 }
 
 // getTargetContainerPort returns the pod ContainerPort matching the given numeric port value, or nil if none is found.

@@ -229,7 +229,7 @@ func TestReconcile_CreateService(t *testing.T) {
 								Name:       "other",
 								Port:       10001,
 								Protocol:   "TCP",
-								TargetPort: intstr.FromString("10001"),
+								TargetPort: intstr.FromString("cslport-10001"),
 								// no app protocol specified
 							},
 						},
@@ -260,7 +260,7 @@ func TestReconcile_CreateService(t *testing.T) {
 						},
 						{
 							VirtualPort: 10001,
-							TargetPort:  "10001",
+							TargetPort:  "cslport-10001",
 							Protocol:    pbcatalog.Protocol_PROTOCOL_TCP,
 						},
 						{
@@ -554,12 +554,12 @@ func TestReconcile_CreateService(t *testing.T) {
 						},
 						{
 							VirtualPort: 9090,
-							TargetPort:  "6789", // Matches service target number
+							TargetPort:  "cslport-6789", // Matches service target number
 							Protocol:    pbcatalog.Protocol_PROTOCOL_GRPC,
 						},
 						{
 							VirtualPort: 10010,
-							TargetPort:  "10010", // Matches service target number (unmatched by container ports)
+							TargetPort:  "cslport-10010", // Matches service target number (unmatched by container ports)
 							Protocol:    pbcatalog.Protocol_PROTOCOL_HTTP,
 						},
 						{
@@ -713,7 +713,7 @@ func TestReconcile_CreateService(t *testing.T) {
 						},
 						{
 							VirtualPort: 9090,
-							TargetPort:  "6789", // Matches service target number due to unnamed being most common
+							TargetPort:  "cslport-6789", // Matches service target number due to unnamed being most common
 							Protocol:    pbcatalog.Protocol_PROTOCOL_GRPC,
 						},
 						{
@@ -1269,7 +1269,7 @@ func TestReconcile_UpdateService(t *testing.T) {
 						},
 						{
 							VirtualPort: 10001,
-							TargetPort:  "10001",
+							TargetPort:  "unspec-port", //this might need to be changed to "my_unspecified_port"
 							Protocol:    pbcatalog.Protocol_PROTOCOL_UNSPECIFIED,
 						},
 						{
@@ -1390,7 +1390,7 @@ func TestReconcile_UpdateService(t *testing.T) {
 								Name:       "other",
 								Port:       10001,
 								Protocol:   "TCP",
-								TargetPort: intstr.FromString("10001"),
+								TargetPort: intstr.FromString("cslport-10001"),
 								// no app protocol specified
 							},
 						},
@@ -1421,7 +1421,7 @@ func TestReconcile_UpdateService(t *testing.T) {
 						},
 						{
 							VirtualPort: 10001,
-							TargetPort:  "10001",
+							TargetPort:  "cslport-10001",
 							Protocol:    pbcatalog.Protocol_PROTOCOL_TCP,
 						},
 						{

@@ -620,8 +620,12 @@ func getWorkloadPorts(pod corev1.Pod) ([]string, map[string]*pbcatalog.WorkloadP
 	for _, container := range pod.Spec.Containers {
 		for _, port := range container.Ports {
 			name := port.Name
-			if name == "" {
-				name = strconv.Itoa(int(port.ContainerPort))
+			var isNum bool
+			if _, err := strconv.Atoi(name); err == nil {
+				isNum = true
+			}
+			if name == "" || isNum {
+				name = "cslport-" + strconv.Itoa(int(port.ContainerPort))
 			}
 
 			// TODO: error check reserved "mesh" keyword and 20000

@@ -239,14 +239,14 @@ func TestWorkloadWrite(t *testing.T) {
 			},
 			expectedWorkload: &pbcatalog.Workload{
 				Addresses: []*pbcatalog.WorkloadAddress{
-					{Host: "10.0.0.1", Ports: []string{"80", "8080", "mesh"}},
+					{Host: "10.0.0.1", Ports: []string{"cslport-80", "cslport-8080", "mesh"}},
 				},
 				Ports: map[string]*pbcatalog.WorkloadPort{
-					"80": {
+					"cslport-80": {
 						Port:     80,
 						Protocol: pbcatalog.Protocol_PROTOCOL_UNSPECIFIED,
 					},
-					"8080": {
+					"cslport-8080": {
 						Port:     8080,
 						Protocol: pbcatalog.Protocol_PROTOCOL_UNSPECIFIED,
 					},

@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"net/http"
 	"strconv"
+	"strings"
 
 	mapset "github.com/deckarep/golang-set"
 	"github.com/go-logr/logr"
@@ -251,6 +252,16 @@ func (w *MeshWebhook) Handle(ctx context.Context, req admission.Request) admissi
 
 	w.Log.Info("received pod", "name", req.Name, "ns", req.Namespace)
 
+	// Validate that none of the pod ports start with the prefix "cslport-" as that may result in conflicts with ports
+	// created by the pod controller when creating workloads.
+	for _, c := range pod.Spec.Containers {
+		for _, p := range c.Ports {
+			if strings.HasPrefix(p.Name, "cslport-") {
+				return admission.Errored(http.StatusInternalServerError, fmt.Errorf("error creating pod: port names cannot be prefixed with \"cslport-\" as that prefix is reserved"))
+			}
+		}
+	}
+
 	// Add our volume that will be shared by the init container and
 	// the sidecar for passing data in the pod.
 	pod.Spec.Volumes = append(pod.Spec.Volumes, w.containerVolume())

@@ -1164,6 +1164,115 @@ func TestHandlerHandle_ValidateOverwriteProbes(t *testing.T) {
 	}
 }
 
+func TestHandlerValidatePorts(t *testing.T) {
+	cases := []struct {
+		Name string
+		Pod  *corev1.Pod
+		Err  string
+	}{
+		{
+			"basic pod, with ports",
+			&corev1.Pod{
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name: "web",
+							Ports: []corev1.ContainerPort{
+								{
+									Name:          "http",
+									ContainerPort: 8080,
+								},
+							},
+						},
+						{
+							Name: "web-side",
+						},
+					},
+				},
+			},
+			"",
+		},
+		{
+			"basic pod, with unnamed ports",
+			&corev1.Pod{
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name: "web",
+							Ports: []corev1.ContainerPort{
+								{
+									ContainerPort: 8080,
+								},
+							},
+						},
+						{
+							Name: "web-side",
+						},
+					},
+				},
+			},
+			"",
+		},
+		{
+			"basic pod, with invalid prefix name",
+			&corev1.Pod{
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name: "web",
+							Ports: []corev1.ContainerPort{
+								{
+									Name:          "cslport-8080",
+									ContainerPort: 8080,
+								},
+							},
+						},
+						{
+							Name: "web-side",
+						},
+					},
+				},
+			},
+			"error creating pod: port names cannot be prefixed with \"cslport-\" as that prefix is reserved",
+		},
+	}
+	for _, tt := range cases {
+		t.Run(tt.Name, func(t *testing.T) {
+			s := runtime.NewScheme()
+			s.AddKnownTypes(schema.GroupVersion{
+				Group:   "",
+				Version: "v1",
+			}, &corev1.Pod{})
+			decoder, err := admission.NewDecoder(s)
+			require.NoError(t, err)
+
+			w := MeshWebhook{
+				Log:                    logrtest.New(t),
+				AllowK8sNamespacesSet:  mapset.NewSetWith("*"),
+				DenyK8sNamespacesSet:   mapset.NewSet(),
+				EnableTransparentProxy: true,
+				TProxyOverwriteProbes:  true,
+				decoder:                decoder,
+				ConsulConfig:           &consul.Config{HTTPPort: 8500},
+				Clientset:              defaultTestClientWithNamespace(),
+			}
+			req := admission.Request{
+				AdmissionRequest: admissionv1.AdmissionRequest{
+					Namespace: namespaces.DefaultNamespace,
+					Object:    encodeRaw(t, tt.Pod),
+				},
+			}
+			resp := w.Handle(context.Background(), req)
+			if tt.Err == "" {
+				require.True(t, resp.Allowed)
+			} else {
+				require.False(t, resp.Allowed)
+				require.Contains(t, resp.Result.Message, tt.Err)
+			}
+
+		})
+	}
+}
 func TestHandlerDefaultAnnotations(t *testing.T) {
 	cases := []struct {
 		Name     string