Add an integration test to verify that IPs with leading zeros are still allowed by the API server. This test guarantees that data that was previously valid (containing IPs with leading zeros) remains valid. Ref CVE-2021-29923
oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2022-01-24-070025   True        False         5h37m   Cluster version is 4.10.0-0.nightly-2022-01-24-070025

Creating service with leading 0's in IP

apiVersion: v1
kind: Service
metadata:
  name: test
  namespace: default
spec:
  clusterIP: 172.16.001.008
  ports:
  - name: "80"
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: test
  type: ClusterIP

oc create -f test.yaml --loglevel=9
I0125 17:41:47.104925 26383 loader.go:379] Config loaded from file: /Users/rahulgangwar/office-work/kubeconfig/kube.124.txt
I0125 17:41:47.110959 26383 request.go:1107] Request Body: {"apiVersion":"v1","kind":"Service","metadata":{"name":"test2","namespace":"default"},"spec":{"clusterIP":"172.30.001.009","ports":[{"name":"80","port":80,"protocol":"TCP","targetPort":80}],"selector":{"app":"test2"},"type":"ClusterIP"}}
I0125 17:41:47.111047 26383 round_trippers.go:425] curl -k -v -XPOST -H "Content-Type: application/json" -H "User-Agent: oc/4.7.0 (darwin/amd64) kubernetes/9b9f77a" -H "Accept: application/json" 'https://api.rgangwar-25de.qe.devcluster.openshift.com:6443/api/v1/namespaces/default/services?fieldManager=kubectl-create'
I0125 17:41:48.205013 26383 round_trippers.go:445] POST https://api.rgangwar-25de.qe.devcluster.openshift.com:6443/api/v1/namespaces/default/services?fieldManager=kubectl-create 201 Created in 1093 milliseconds
I0125 17:41:48.205122 26383 round_trippers.go:451] Response Headers:
I0125 17:41:48.205150 26383 round_trippers.go:454] Content-Type: application/json
I0125 17:41:48.205168 26383 round_trippers.go:454] Content-Length: 912
I0125 17:41:48.205182 26383 round_trippers.go:454] Date: Tue, 25 Jan 2022 12:11:48 GMT
I0125 17:41:48.205195 26383 round_trippers.go:454] Audit-Id: 78fc3717-638f-463a-bbd4-56ac871c36d7
I0125 17:41:48.205208 26383 round_trippers.go:454] Cache-Control: no-cache, private
I0125 17:41:48.205299 26383 request.go:1107] Response Body:
{"kind":"Service","apiVersion":"v1","metadata":{"name":"test2","namespace":"default","uid":"ed82e61b-16c8-42da-89d9-bd214903db49","resourceVersion":"125208","creationTimestamp":"2022-01-25T12:11:48Z","managedFields":[{"manager":"kubectl-create","operation":"Update","apiVersion":"v1","time":"2022-01-25T12:11:48Z","fieldsType":"FieldsV1","fieldsV1":{"f:spec":{"f:clusterIP":{},"f:internalTrafficPolicy":{},"f:ports":{".":{},"k:{\"port\":80,\"protocol\":\"TCP\"}":{".":{},"f:name":{},"f:port":{},"f:protocol":{},"f:targetPort":{}}},"f:selector":{},"f:sessionAffinity":{},"f:type":{}}}}]},"spec":{"ports":[{"name":"80","protocol":"TCP","port":80,"targetPort":80}],"selector":{"app":"test2"},"clusterIP":"172.30.001.009","clusterIPs":["172.30.001.009"],"type":"ClusterIP","sessionAffinity":"None","ipFamilies":["IPv4"],"ipFamilyPolicy":"SingleStack","internalTrafficPolicy":"Cluster"},"status":{"loadBalancer":{}}}
service/test2 created

oc get service test2 -n default
NAME    TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
test2   ClusterIP   172.30.001.009   <none>        80/TCP    3m11s
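An added example, not part of the bug report or of the Kubernetes code: a Go helper for auditing stored IPv4 strings. It flags octets with leading zeros and shows the address a decimal-reading parser and an octal-reading parser would each derive, which is the mismatch behind CVE-2021-29923. `Reading` and `Audit` are hypothetical names, and the sample addresses in `main` are constructed (the first matches the clusterIP in the request log above).

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Reading records how two kinds of IPv4 parser see the same string.
type Reading struct {
	Ambiguous bool   // some octet has a leading zero
	Decimal   string // leading zeros ignored (the lenient reading)
	Octal     string // zero-prefixed octets read as octal; "" if that fails
}

// Audit classifies s; ok is false unless s is four decimal octets in 0-255.
func Audit(s string) (r Reading, ok bool) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return Reading{}, false
	}
	dec, oct, octalOK := make([]string, 4), make([]string, 4), true
	for i, p := range parts {
		d, err := strconv.ParseUint(p, 10, 8)
		if err != nil {
			return Reading{}, false
		}
		dec[i] = strconv.FormatUint(d, 10)
		oct[i] = dec[i]
		if len(p) > 1 && p[0] == '0' {
			r.Ambiguous = true
			o, err := strconv.ParseUint(p, 8, 8)
			octalOK = octalOK && err == nil // e.g. "009" has no octal value
			oct[i] = strconv.FormatUint(o, 10)
		}
	}
	r.Decimal = strings.Join(dec, ".")
	if octalOK {
		r.Octal = strings.Join(oct, ".")
	}
	return r, true
}

func main() {
	for _, ip := range []string{"172.30.001.009", "10.0.0.010", "10.0.0.1"} { // constructed samples
		r, ok := Audit(ip)
		fmt.Printf("%-16s ok=%v %+v\n", ip, ok, r)
	}
}
```

An entry where `Ambiguous` is true and `Octal` differs from `Decimal` (or is empty) is one that different components could resolve to different addresses or reject outright.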
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056