From f16c807f0918243672272e63bf344dac406eace3 Mon Sep 17 00:00:00 2001
From: John Gardiner Myers <jgmyers@proofpoint.com>
Date: Sun, 22 Jan 2023 11:24:28 -0800
Subject: [PATCH] Validate additionalNetworkCIDRs only set on AWS

---
 pkg/apis/kops/validation/validation.go | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/pkg/apis/kops/validation/validation.go b/pkg/apis/kops/validation/validation.go
index 37e985b5c1..7caf705912 100644
--- a/pkg/apis/kops/validation/validation.go
+++ b/pkg/apis/kops/validation/validation.go
@@ -294,6 +294,7 @@ type cloudProviderConstraints struct {
 	requiresSubnets                                 bool
 	requiresNetworkCIDR                             bool
 	prohibitsNetworkCIDR                            bool
+	prohibitsMultipleNetworkCIDRs                   bool
 	requiresNonMasqueradeCIDR                       bool
 	requiresServiceClusterSubnetOfNonMasqueradeCIDR bool
 	requiresSubnetCIDR                              bool
@@ -303,6 +304,7 @@ func validateCloudProvider(c *kops.Cluster, provider *kops.CloudProviderSpec, fi
 	constraints = &cloudProviderConstraints{
 		requiresSubnets:                                 true,
 		requiresNetworkCIDR:                             true,
+		prohibitsMultipleNetworkCIDRs:                   true,
 		requiresNonMasqueradeCIDR:                       true,
 		requiresServiceClusterSubnetOfNonMasqueradeCIDR: true,
 		requiresSubnetCIDR:                              true,
@@ -312,6 +314,7 @@ func validateCloudProvider(c *kops.Cluster, provider *kops.CloudProviderSpec, fi
 	if c.Spec.CloudProvider.AWS != nil {
 		optionTaken = true
 		allErrs = append(allErrs, validateAWS(c, provider.AWS, fieldSpec.Child("aws"))...)
+		constraints.prohibitsMultipleNetworkCIDRs = false
 	}
 	if c.Spec.CloudProvider.Azure != nil {
 		if optionTaken {
@@ -950,11 +953,15 @@ func validateNetworking(cluster *kops.Cluster, v *kops.NetworkingSpec, fldPath *
 		}
 	}
 
-	for i, cidr := range v.AdditionalNetworkCIDRs {
-		networkCIDR, errs := parseCIDR(fldPath.Child("additionalNetworkCIDRs").Index(i), cidr)
-		allErrs = append(allErrs, errs...)
-		if networkCIDR != nil {
-			networkCIDRs = append(networkCIDRs, networkCIDR)
+	if len(v.AdditionalNetworkCIDRs) > 0 && providerConstraints.prohibitsMultipleNetworkCIDRs {
+		allErrs = append(allErrs, field.Forbidden(fldPath.Child("additionalNetworkCIDRs"), fmt.Sprintf("%s doesn't support additionalNetworkCIDRs", c.GetCloudProvider())))
+	} else {
+		for i, cidr := range v.AdditionalNetworkCIDRs {
+			networkCIDR, errs := parseCIDR(fldPath.Child("additionalNetworkCIDRs").Index(i), cidr)
+			allErrs = append(allErrs, errs...)
+			if networkCIDR != nil {
+				networkCIDRs = append(networkCIDRs, networkCIDR)
+			}
 		}
 	}