Add webhook check to prevent CIDR duplication when configure multi rules filtering

Signed-off-by: Mohamed Mahmoud <mmahmoud@redhat.com>

Author: msherif1234

apis/flowcollector/v1beta2/flowcollector_validation_webhook.go

@@ -107,8 +107,15 @@ func (r *FlowCollector) validateAgent(_ context.Context, fc *FlowCollector) (adm
 	}
 	var errs []error
 	if fc.Spec.Agent.EBPF.FlowFilter != nil && fc.Spec.Agent.EBPF.FlowFilter.Enable != nil && *fc.Spec.Agent.EBPF.FlowFilter.Enable {
+		m := make(map[string]bool)
 		for i := range fc.Spec.Agent.EBPF.FlowFilter.FlowFilterRules {
-			errs = append(errs, validateFilter(&fc.Spec.Agent.EBPF.FlowFilter.FlowFilterRules[i])...)
+			rule := fc.Spec.Agent.EBPF.FlowFilter.FlowFilterRules[i]
+			if found := m[rule.CIDR]; found {
+				errs = append(errs, fmt.Errorf("flow filter rule CIDR %s already exists", rule.CIDR))
+				break
+			}
+			m[rule.CIDR] = true
+			errs = append(errs, validateFilter(&rule)...)
 		}
 		errs = append(errs, validateFilter(fc.Spec.Agent.EBPF.FlowFilter)...)
 	}

apis/flowcollector/v1beta2/flowcollector_validation_webhook_test.go

@@ -49,6 +49,7 @@ func TestValidateAgent(t *testing.T) {
 										Action:    "Accept",
 										CIDR:      "0.0.0.0/0",
 										Direction: "Egress",
+										Protocol:  "TCP",
 									},
 								},
 							},
@@ -57,6 +58,42 @@ func TestValidateAgent(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "Invalid filter with duplicate CIDR",
+			fc: &FlowCollector{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "cluster",
+				},
+				Spec: FlowCollectorSpec{
+					Agent: FlowCollectorAgent{
+						Type: AgentEBPF,
+						EBPF: FlowCollectorEBPF{
+							Features:   []AgentFeature{DNSTracking, FlowRTT, PacketDrop},
+							Privileged: true,
+							Sampling:   ptr.To(int32(100)),
+							FlowFilter: &EBPFFlowFilter{
+								Enable: ptr.To(true),
+								FlowFilterRules: []EBPFFlowFilterRule{
+									{
+										Action:    "Accept",
+										CIDR:      "0.0.0.0/0",
+										Direction: "Egress",
+										Protocol:  "TCP",
+									},
+									{
+										Action:    "Accept",
+										CIDR:      "0.0.0.0/0",
+										Direction: "Egress",
+										Protocol:  "UDP",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedError: "flow filter rule CIDR 0.0.0.0/0 already exists",
+		},
 		{
 			name: "PacketDrop without privilege triggers warning",
 			fc: &FlowCollector{