github.com/openshift/installer@v1.4.17/pkg/types/azure/validation/machinepool.go (about) 1 package validation 2 3 import ( 4 "fmt" 5 "sort" 6 7 "k8s.io/apimachinery/pkg/util/sets" 8 "k8s.io/apimachinery/pkg/util/validation/field" 9 10 "github.com/openshift/installer/pkg/types/azure" 11 "github.com/openshift/installer/pkg/types/azure/defaults" 12 ) 13 14 const ( 15 enabled = "Enabled" 16 ) 17 18 var ( 19 validSecurityEncryptionTypes = map[azure.SecurityEncryptionTypes]bool{ 20 azure.SecurityEncryptionTypesVMGuestStateOnly: true, 21 azure.SecurityEncryptionTypesDiskWithVMGuestState: true, 22 } 23 24 validSecurityEncryptionTypeValues = func() []string { 25 v := make([]string, 0, len(validSecurityEncryptionTypes)) 26 for n := range validSecurityEncryptionTypes { 27 v = append(v, string(n)) 28 } 29 sort.Strings(v) 30 return v 31 }() 32 ) 33 34 // ValidateMachinePool checks that the specified machine pool is valid. 35 func ValidateMachinePool(p *azure.MachinePool, poolName string, platform *azure.Platform, fldPath *field.Path) field.ErrorList { 36 allErrs := field.ErrorList{} 37 38 if p.OSDisk.DiskSizeGB < 0 { 39 allErrs = append(allErrs, field.Invalid(fldPath.Child("diskSizeGB"), p.OSDisk.DiskSizeGB, "Storage DiskSizeGB must be positive")) 40 } else if platform.CloudName == azure.StackCloud && p.OSDisk.DiskSizeGB != 0 && (p.OSDisk.DiskSizeGB < defaults.AzurestackMinimumDiskSize || p.OSDisk.DiskSizeGB > defaults.AzurestackMaximumDiskSize) { 41 allErrs = append(allErrs, field.Invalid(fldPath.Child("diskSizeGB"), p.OSDisk.DiskSizeGB, "Storage DiskSizeGB must be between 128 and 1023 inclusive for Azure Stack")) 42 } 43 44 if p.OSDisk.DiskType != "" { 45 diskTypes := sets.NewString( 46 "StandardSSD_LRS", 47 // "UltraSSD_LRS" needs azure terraform version 2.0 48 "Premium_LRS") 49 // The control plane cannot use Standard_LRS. Don't let the default machine pool specify "Standard_LRS" either. 50 if poolName != "" && poolName != "master" { 51 diskTypes.Insert("Standard_LRS") 52 } 53 54 if !diskTypes.Has(p.OSDisk.DiskType) { 55 allErrs = append(allErrs, field.NotSupported(fldPath.Child("diskType"), p.OSDisk.DiskType, diskTypes.List())) 56 } 57 } 58 59 if p.UltraSSDCapability != "" { 60 ultraSSDCapabilities := sets.NewString("Enabled", "Disabled") 61 if !ultraSSDCapabilities.Has(p.UltraSSDCapability) { 62 allErrs = append(allErrs, 63 field.NotSupported(fldPath.Child("ultraSSDCapability"), 64 p.UltraSSDCapability, ultraSSDCapabilities.List())) 65 } 66 } 67 68 allErrs = append(allErrs, ValidateEncryptionAtHost(p, platform.CloudName, fldPath.Child("defaultMachinePlatform"))...) 69 if p.OSDisk.DiskEncryptionSet != nil { 70 allErrs = append(allErrs, ValidateDiskEncryption(p, platform.CloudName, fldPath.Child("defaultMachinePlatform"))...) 71 } 72 73 allErrs = append(allErrs, validateSecurityProfile(p, platform.CloudName, fldPath.Child("defaultMachinePlatform"))...) 74 75 if p.VMNetworkingType != "" { 76 acceleratedNetworkingOptions := sets.NewString(string(azure.VMnetworkingTypeAccelerated), string(azure.VMNetworkingTypeBasic)) 77 if !acceleratedNetworkingOptions.Has(p.VMNetworkingType) { 78 allErrs = append(allErrs, 79 field.NotSupported(fldPath.Child("acceleratedNetworking"), 80 p.VMNetworkingType, acceleratedNetworkingOptions.List())) 81 } 82 } 83 84 allErrs = append(allErrs, validateOSImage(p, fldPath)...) 85 86 return allErrs 87 } 88 89 func validateOSImage(p *azure.MachinePool, fldPath *field.Path) field.ErrorList { 90 var allErrs field.ErrorList 91 92 osImageFldPath := fldPath.Child("osImage") 93 94 emptyOSImage := azure.OSImage{} 95 if p.OSImage != emptyOSImage { 96 if p.OSImage.Plan != "" { 97 planOptions := sets.NewString( 98 string(azure.ImageNoPurchasePlan), 99 string(azure.ImageWithPurchasePlan), 100 ) 101 if !planOptions.Has(string(p.OSImage.Plan)) { 102 allErrs = append(allErrs, field.NotSupported(osImageFldPath.Child("plan"), p.OSImage.Plan, planOptions.List())) 103 } 104 } 105 if p.OSImage.Publisher == "" { 106 allErrs = append(allErrs, field.Required(osImageFldPath.Child("publisher"), "must specify publisher for the OS image")) 107 } 108 if p.OSImage.Offer == "" { 109 allErrs = append(allErrs, field.Required(osImageFldPath.Child("offer"), "must specify offer for the OS image")) 110 } 111 if p.OSImage.SKU == "" { 112 allErrs = append(allErrs, field.Required(osImageFldPath.Child("sku"), "must specify SKU for the OS image")) 113 } 114 if p.OSImage.Version == "" { 115 allErrs = append(allErrs, field.Required(osImageFldPath.Child("version"), "must specify version for the OS image")) 116 } 117 } 118 119 return allErrs 120 } 121 122 func validateSecurityProfile(p *azure.MachinePool, cloudName azure.CloudEnvironment, fieldPath *field.Path) field.ErrorList { 123 var errs field.ErrorList 124 125 if p.Settings == nil && p.OSDisk.SecurityProfile == nil { 126 return errs 127 } 128 if p.Settings == nil && p.OSDisk.SecurityProfile.SecurityEncryptionType != "" { 129 return append(errs, field.Required(fieldPath.Child("settings"), 130 "settings should be set when osDisk.securityProfile.securityEncryptionType is defined.")) 131 } 132 133 if cloudName == azure.StackCloud { 134 return append(errs, field.Invalid(fieldPath.Child("settings").Child("securityType"), 135 p.Settings.SecurityType, 136 fmt.Sprintf("the securityType field is not supported on %s.", azure.StackCloud))) 137 } 138 139 switch p.Settings.SecurityType { 140 case azure.SecurityTypesConfidentialVM: 141 if p.OSDisk.SecurityProfile == nil || p.OSDisk.SecurityProfile.SecurityEncryptionType == "" { 142 securityProfileFieldPath := fieldPath.Child("osDisk").Child("securityProfile") 143 return append(errs, field.Required(securityProfileFieldPath.Child("securityEncryptionType"), 144 fmt.Sprintf("securityEncryptionType should be set when securityType is set to %s.", 145 azure.SecurityTypesConfidentialVM))) 146 } 147 148 if !validSecurityEncryptionTypes[p.OSDisk.SecurityProfile.SecurityEncryptionType] { 149 securityProfileFieldPath := fieldPath.Child("osDisk").Child("securityProfile") 150 return append(errs, field.NotSupported(securityProfileFieldPath.Child("securityEncryptionType"), 151 p.OSDisk.SecurityProfile.SecurityEncryptionType, validSecurityEncryptionTypeValues)) 152 } 153 154 if p.Settings.ConfidentialVM == nil { 155 return append(errs, field.Required(fieldPath.Child("settings").Child("confidentialVM"), 156 fmt.Sprintf("confidentialVM should be set when securityType is set to %s.", 157 azure.SecurityTypesConfidentialVM))) 158 } 159 160 if p.Settings.ConfidentialVM.UEFISettings == nil { 161 return append(errs, field.Required(fieldPath.Child("settings").Child("confidentialVM").Child("uefiSettings"), 162 fmt.Sprintf("uefiSettings should be set when securityType is set to %s.", 163 azure.SecurityTypesConfidentialVM))) 164 } 165 166 if p.Settings.ConfidentialVM.UEFISettings.VirtualizedTrustedPlatformModule != nil && 167 *p.Settings.ConfidentialVM.UEFISettings.VirtualizedTrustedPlatformModule != enabled { 168 uefiSettingsFieldPath := fieldPath.Child("settings").Child("confidentialVM").Child("uefiSettings") 169 return append(errs, field.Invalid(uefiSettingsFieldPath.Child("virtualizedTrustedPlatformModule"), 170 *p.Settings.ConfidentialVM.UEFISettings.VirtualizedTrustedPlatformModule, 171 fmt.Sprintf("virtualizedTrustedPlatformModule should be enabled when securityType is set to %s.", 172 azure.SecurityTypesConfidentialVM))) 173 } 174 175 if p.OSDisk.SecurityProfile.SecurityEncryptionType == azure.SecurityEncryptionTypesDiskWithVMGuestState { 176 if p.EncryptionAtHost { 177 return append(errs, field.Invalid(fieldPath.Child("encryptionAtHost"), p.EncryptionAtHost, 178 fmt.Sprintf("encryptionAtHost cannot be set to true when securityEncryptionType is set to %s.", 179 azure.SecurityEncryptionTypesDiskWithVMGuestState))) 180 } 181 182 if p.Settings.ConfidentialVM.UEFISettings.SecureBoot != nil && 183 *p.Settings.ConfidentialVM.UEFISettings.SecureBoot != enabled { 184 uefiSettingsFieldPath := fieldPath.Child("settings").Child("confidentialVM").Child("uefiSettings") 185 return append(errs, field.Invalid(uefiSettingsFieldPath.Child("secureBoot"), 186 *p.Settings.ConfidentialVM.UEFISettings.SecureBoot, 187 fmt.Sprintf("secureBoot should be enabled when securityEncryptionType is set to %s.", 188 azure.SecurityEncryptionTypesDiskWithVMGuestState))) 189 } 190 } 191 case azure.SecurityTypesTrustedLaunch: 192 if p.Settings.TrustedLaunch == nil { 193 return append(errs, field.Required(fieldPath.Child("settings").Child("trustedLaunch"), 194 fmt.Sprintf("trustedLaunch should be set when securityType is set to %s.", 195 azure.SecurityTypesTrustedLaunch))) 196 } 197 default: 198 if p.OSDisk.SecurityProfile != nil && p.OSDisk.SecurityProfile.SecurityEncryptionType != "" { 199 return append(errs, field.Invalid(fieldPath.Child("settings").Child("securityType"), 200 p.Settings.SecurityType, 201 fmt.Sprintf("securityType should be set to %s when securityEncryptionType is defined.", 202 azure.SecurityTypesConfidentialVM))) 203 } 204 205 if p.Settings.TrustedLaunch != nil && p.Settings.TrustedLaunch.UEFISettings != nil && 206 ((p.Settings.TrustedLaunch.UEFISettings.SecureBoot != nil && *p.Settings.TrustedLaunch.UEFISettings.SecureBoot == enabled) || 207 (p.Settings.TrustedLaunch.UEFISettings.VirtualizedTrustedPlatformModule != nil && *p.Settings.TrustedLaunch.UEFISettings.VirtualizedTrustedPlatformModule == enabled)) { 208 return append(errs, field.Invalid(fieldPath.Child("settings").Child("securityType"), 209 p.Settings.SecurityType, 210 fmt.Sprintf("securityType should be set to %s when uefiSettings are enabled.", 211 azure.SecurityTypesTrustedLaunch))) 212 } 213 } 214 215 return errs 216 }