Describe the bug
The per-Node annotation node.antrea.io/max-egress-ips (which overrides the cluster-wide egress.maxEgressIPsPerNode) is not range-validated. In getMaxEgressIPsFromAnnotation (pkg/agent/controller/egress/ip_scheduler.go:120-130) only the integer parse is checked:
maxEgressIPs, err := strconv.Atoi(maxEgressIPsStr)
if err != nil {
return 0, false, err
}
return maxEgressIPs, true, nil // any int accepted: negative, 0, or > 255
This is inconsistent with the rest of the feature:
- The equivalent config option
egress.maxEgressIPsPerNode IS validated to be <= 255 (cmd/antrea-agent/options.go:570-572) and documented as such (docs/egress.md:423-427).
- The non-integer annotation case is already rejected and logged (ip_scheduler.go:137).
A negative value is accepted and used directly as the Node's capacity in the scheduling filter (ip_scheduler.go:345-354, numIPs <= s.getMaxEgressIPsByNode(node)), which then evaluates to false for that Node, so SelectNodeForIP returns ErrNoNodeAvailable and the Egress IP is never assigned. A value > 255 is accepted as well, bypassing the documented platform limit that the config option enforces.
To Reproduce
The following steps would trigger the issue:
- Deploy Antrea with the Egress feature enabled.
- Create an ExternalIPPool and a schedulable Egress that gets assigned to NodeA.
- Apply an invalid annotation:
kubectl annotate node NodeA node.antrea.io/max-egress-ips=-1 --overwrite
- The Egress IP would no longer be assigned;
kubectl describe egress <name> would show an AssignmentError / no Node available condition, with no indication that the annotation value itself is invalid.
Expected
An invalid annotation value (negative, or greater than 255) should be rejected and logged as invalid — the same way the non-integer case is handled at ip_scheduler.go:137 — consistent with how the egress.maxEgressIPsPerNode config option is validated.
Actual behavior
The invalid value is accepted as the Node's Egress-IP capacity. A negative value causes the Node to be excluded from scheduling, surfacing only as a misleading "no Node available" condition; a value greater than 255 is silently accepted, exceeding the documented limit.
Versions:
- Antrea version: main @ 899ae72 (latest commit at the time of this report)
- This was identified by source-code review against the latest
main; the affected logic is present at HEAD. I have not reproduced it on a live cluster, but the exact code path, data flow, and file/line references are provided above.
Additional context
The annotation is on the core Node object, so there is no admission webhook validating it. The existing unit test only covers a non-numeric value and the value "1" (pkg/agent/controller/egress/ip_scheduler_test.go:350-361); negative and > 255 values are untested. The fix is small and localized to getMaxEgressIPsFromAnnotation.
I've reviewed and verified this via code review and would like to work on the fix — please assign it to me.
Describe the bug
The per-Node annotation
node.antrea.io/max-egress-ips(which overrides the cluster-wideegress.maxEgressIPsPerNode) is not range-validated. IngetMaxEgressIPsFromAnnotation(pkg/agent/controller/egress/ip_scheduler.go:120-130) only the integer parse is checked:This is inconsistent with the rest of the feature:
egress.maxEgressIPsPerNodeIS validated to be <= 255 (cmd/antrea-agent/options.go:570-572) and documented as such (docs/egress.md:423-427).A negative value is accepted and used directly as the Node's capacity in the scheduling filter (ip_scheduler.go:345-354,
numIPs <= s.getMaxEgressIPsByNode(node)), which then evaluates to false for that Node, soSelectNodeForIPreturnsErrNoNodeAvailableand the Egress IP is never assigned. A value > 255 is accepted as well, bypassing the documented platform limit that the config option enforces.To Reproduce
The following steps would trigger the issue:
kubectl annotate node NodeA node.antrea.io/max-egress-ips=-1 --overwritekubectl describe egress <name>would show anAssignmentError / no Node availablecondition, with no indication that the annotation value itself is invalid.Expected
An invalid annotation value (negative, or greater than 255) should be rejected and logged as invalid — the same way the non-integer case is handled at ip_scheduler.go:137 — consistent with how the
egress.maxEgressIPsPerNodeconfig option is validated.Actual behavior
The invalid value is accepted as the Node's Egress-IP capacity. A negative value causes the Node to be excluded from scheduling, surfacing only as a misleading "no Node available" condition; a value greater than 255 is silently accepted, exceeding the documented limit.
Versions:
main; the affected logic is present at HEAD. I have not reproduced it on a live cluster, but the exact code path, data flow, and file/line references are provided above.Additional context
The annotation is on the core Node object, so there is no admission webhook validating it. The existing unit test only covers a non-numeric value and the value "1" (pkg/agent/controller/egress/ip_scheduler_test.go:350-361); negative and > 255 values are untested. The fix is small and localized to
getMaxEgressIPsFromAnnotation.I've reviewed and verified this via code review and would like to work on the fix — please assign it to me.