Skip to content

Egress max-egress-ips Node annotation is not range-validated (negative / >255 values are accepted) #8115

Description

@Anand-240

Describe the bug
The per-Node annotation node.antrea.io/max-egress-ips (which overrides the cluster-wide egress.maxEgressIPsPerNode) is not range-validated. In getMaxEgressIPsFromAnnotation (pkg/agent/controller/egress/ip_scheduler.go:120-130) only the integer parse is checked:

maxEgressIPs, err := strconv.Atoi(maxEgressIPsStr)
if err != nil {
    return 0, false, err
}
return maxEgressIPs, true, nil   // any int accepted: negative, 0, or > 255

This is inconsistent with the rest of the feature:

  • The equivalent config option egress.maxEgressIPsPerNode IS validated to be <= 255 (cmd/antrea-agent/options.go:570-572) and documented as such (docs/egress.md:423-427).
  • The non-integer annotation case is already rejected and logged (ip_scheduler.go:137).

A negative value is accepted and used directly as the Node's capacity in the scheduling filter (ip_scheduler.go:345-354, numIPs <= s.getMaxEgressIPsByNode(node)), which then evaluates to false for that Node, so SelectNodeForIP returns ErrNoNodeAvailable and the Egress IP is never assigned. A value > 255 is accepted as well, bypassing the documented platform limit that the config option enforces.

To Reproduce
The following steps would trigger the issue:

  1. Deploy Antrea with the Egress feature enabled.
  2. Create an ExternalIPPool and a schedulable Egress that gets assigned to NodeA.
  3. Apply an invalid annotation:
    kubectl annotate node NodeA node.antrea.io/max-egress-ips=-1 --overwrite
  4. The Egress IP would no longer be assigned; kubectl describe egress <name> would show an AssignmentError / no Node available condition, with no indication that the annotation value itself is invalid.

Expected
An invalid annotation value (negative, or greater than 255) should be rejected and logged as invalid — the same way the non-integer case is handled at ip_scheduler.go:137 — consistent with how the egress.maxEgressIPsPerNode config option is validated.

Actual behavior
The invalid value is accepted as the Node's Egress-IP capacity. A negative value causes the Node to be excluded from scheduling, surfacing only as a misleading "no Node available" condition; a value greater than 255 is silently accepted, exceeding the documented limit.

Versions:

  • Antrea version: main @ 899ae72 (latest commit at the time of this report)
  • This was identified by source-code review against the latest main; the affected logic is present at HEAD. I have not reproduced it on a live cluster, but the exact code path, data flow, and file/line references are provided above.

Additional context
The annotation is on the core Node object, so there is no admission webhook validating it. The existing unit test only covers a non-numeric value and the value "1" (pkg/agent/controller/egress/ip_scheduler_test.go:350-361); negative and > 255 values are untested. The fix is small and localized to getMaxEgressIPsFromAnnotation.

I've reviewed and verified this via code review and would like to work on the fix — please assign it to me.

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/bugCategorizes issue or PR as related to a bug.

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions