diff --git a/npm/iptm/iptm.go b/npm/iptm/iptm.go
index ea4705ee5c..ee02d06021 100644
--- a/npm/iptm/iptm.go
+++ b/npm/iptm/iptm.go
@@ -21,7 +21,8 @@ import (
 )
 const (
- defaultlockWaitTimeInSeconds = "60"
+ defaultlockWaitTimeInSeconds string = "60"
+ iptablesErrDoesNotExist int = 1
 )
 // IptEntry represents an iptables rule.
@@ -212,6 +213,12 @@ func (iptMgr *IptablesManager) UninitNpmChains() error {
 util.IptablesAzureEgressPortChain,
 util.IptablesAzureEgressToChain,
 util.IptablesAzureTargetSetsChain,
+ // Below chains exists only for before Azure-NPM:v1.0.27
+ // and should be removed after a baking period.
+ util.IptablesAzureIngressFromNsChain,
+ util.IptablesAzureIngressFromPodChain,
+ util.IptablesAzureEgressToNsChain,
+ util.IptablesAzureEgressToPodChain,
 }
 // Remove AZURE-NPM chain from FORWARD chain.
@@ -224,7 +231,7 @@ func (iptMgr *IptablesManager) UninitNpmChains() error {
 }
 iptMgr.OperationFlag = util.IptablesDeletionFlag
 errCode, err := iptMgr.Run(entry)
- if errCode != 1 && err != nil {
+ if errCode != iptablesErrDoesNotExist && err != nil {
 log.Errorf("Error: failed to remove default rule from FORWARD chain.")
 return err
 }
@@ -234,7 +241,8 @@ func (iptMgr *IptablesManager) UninitNpmChains() error {
 entry := &IptEntry{
 Chain: chain,
 }
- if _, err := iptMgr.Run(entry); err != nil {
+ errCode, err := iptMgr.Run(entry)
+ if errCode != iptablesErrDoesNotExist && err != nil {
 log.Errorf("Error: failed to flush iptables chain %s.", chain)
 }
 }
@@ -257,7 +265,7 @@ func (iptMgr *IptablesManager) Exists(entry *IptEntry) (bool, error) {
 return true, nil
 }
- if returnCode == 1 {
+ if returnCode == iptablesErrDoesNotExist {
 log.Printf("Rule doesn't exist. %+v.", entry)
 return false, nil
 }
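Review bot: `iptablesErrDoesNotExist int = 1` attaches the meaning "does not exist" to iptables exit status 1, but that status is iptables' catch-all for every error other than command-line misuse (which exits 2), so it is also returned for failures that have nothing to do with a missing chain or rule. The FORWARD-rule removal, the flush loop and `Exists` in this file, and `AddChain`/`DeleteChain` in the following hunks all key on this value; in `AddChain` an exit-1 error is logged as "Chain already exists" and `nil` is returned, so a chain that failed to be created for some other reason would be reported as success and the manager would carry on as if the enforcement chain existed. A comment on the constant should make the assumption explicit, e.g. `// iptablesErrDoesNotExist is the iptables exit status seen when a rule or chain is missing; iptables uses 1 for all non-usage errors, so callers must not treat it as proof of absence.`, and `AddChain` should confirm the chain is present before returning nil rather than relying on the exit status alone. `UninitNpmChains` and `Exists` begin and end outside their hunks.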
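Review bot: The added comment `// Below chains exists only for before Azure-NPM:v1.0.27` is ungrammatical and leaves unclear whether the chains or the versions are "before v1.0.27"; the same text is added to npm/util/const.go further down. Suggested wording for both places: `// These chains were created only by Azure-NPM versions before v1.0.27;` / `// drop them from this list once the baking period is over.` The enclosing `UninitNpmChains` begins before this hunk.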
@@ -273,7 +281,7 @@ func (iptMgr *IptablesManager) AddChain(chain string) error {
 iptMgr.OperationFlag = util.IptablesChainCreationFlag
 errCode, err := iptMgr.Run(entry)
 if err != nil {
- if errCode == 1 {
+ if errCode == iptablesErrDoesNotExist {
 log.Printf("Chain already exists %s.", entry.Chain)
 return nil
 }
@@ -293,7 +301,7 @@ func (iptMgr *IptablesManager) DeleteChain(chain string) error {
 iptMgr.OperationFlag = util.IptablesDestroyFlag
 errCode, err := iptMgr.Run(entry)
 if err != nil {
- if errCode == 1 {
+ if errCode == iptablesErrDoesNotExist {
 log.Printf("Chain doesn't exist %s.", entry.Chain)
 return nil
 }
diff --git a/npm/namespace.go b/npm/namespace.go
index 28b46623e1..58f2ccb32b 100644
--- a/npm/namespace.go
+++ b/npm/namespace.go
@@ -86,7 +86,7 @@ func (npMgr *NetworkPolicyManager) UninitAllNsList() error {
 return nil
 }
-// AddNamespace handles adding namespace to ipset.
+// AddNamespace handles adding namespace to ipset.
 func (npMgr *NetworkPolicyManager) AddNamespace(nsObj *corev1.Namespace) error {
 npMgr.Lock()
 defer npMgr.Unlock()
diff --git a/npm/npm.go b/npm/npm.go
index d7b39af855..fe18d8b69b 100644
--- a/npm/npm.go
+++ b/npm/npm.go
@@ -45,9 +45,9 @@ type NetworkPolicyManager struct {
 nsInformer coreinformers.NamespaceInformer
 npInformer networkinginformers.NetworkPolicyInformer
- nodeName string
- nsMap map[string]*namespace
- isAzureNpmChainCreated bool
+ nodeName string
+ nsMap map[string]*namespace
+ isAzureNpmChainCreated bool
 isSafeToCleanUpAzureNpmChain bool
 clusterState telemetry.ClusterState
@@ -169,11 +169,6 @@ func (npMgr *NetworkPolicyManager) Start(stopCh <-chan struct{}) error {
 // Starts all informers manufactured by npMgr's informerFactory.
 npMgr.informerFactory.Start(stopCh)
- // Failure detected. Needs to restore Azure-NPM related iptables entries.
- if util.Exists(util.IptablesConfigFile) {
- npMgr.restore()
- }
-
 // Wait for the initial sync of local cache.
 if !cache.WaitForCacheSync(stopCh, npMgr.podInformer.Informer().HasSynced) {
 return fmt.Errorf("Pod informer failed to sync")
@@ -194,6 +189,10 @@ func (npMgr *NetworkPolicyManager) Start(stopCh <-chan struct{}) error {
 // NewNetworkPolicyManager creates a NetworkPolicyManager
 func NewNetworkPolicyManager(clientset *kubernetes.Clientset, informerFactory informers.SharedInformerFactory, npmVersion string) *NetworkPolicyManager {
+ // Clear out left over iptables states
+ log.Logf("Azure-NPM creating, cleaning iptables")
+ iptMgr := iptm.NewIptablesManager()
+ iptMgr.UninitNpmChains()
 podInformer := informerFactory.Core().V1().Pods()
 nsInformer := informerFactory.Core().V1().Namespaces()
@@ -212,14 +211,14 @@ func NewNetworkPolicyManager(clientset *kubernetes.Clientset, informerFactory in
 }
 npMgr := &NetworkPolicyManager{
- clientset: clientset,
- informerFactory: informerFactory,
- podInformer: podInformer,
- nsInformer: nsInformer,
- npInformer: npInformer,
- nodeName: os.Getenv("HOSTNAME"),
- nsMap: make(map[string]*namespace),
- isAzureNpmChainCreated: false,
+ clientset: clientset,
+ informerFactory: informerFactory,
+ podInformer: podInformer,
+ nsInformer: nsInformer,
+ npInformer: npInformer,
+ nodeName: os.Getenv("HOSTNAME"),
+ nsMap: make(map[string]*namespace),
+ isAzureNpmChainCreated: false,
 isSafeToCleanUpAzureNpmChain: false,
 clusterState: telemetry.ClusterState{
 PodCount: 0,
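Review bot: `iptMgr.UninitNpmChains()` in `NewNetworkPolicyManager` discards the returned error, so a failed cleanup of the old AZURE-NPM chains leaves no trace in the logs even though the ipset failure a few lines later is logged. Replace the bare call with `if err := iptMgr.UninitNpmChains(); err != nil {` / `log.Logf("Error: failed to clean up leftover Azure-NPM iptables chains: %v", err)` / `}`. This call also takes over from the conditional `restore()` removed from `Start()` in the hunk above, so every construction now flushes and deletes the NPM chains, including the jump from FORWARD, unconditionally; if that is intended, the comment should say so and note that NPM presumably filters nothing until the informers resync and rules are reinstalled, rather than the vague `// Clear out left over iptables states`. The enclosing function continues past this hunk.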
@@ -243,13 +242,15 @@ func NewNetworkPolicyManager(clientset *kubernetes.Clientset, informerFactory in
 clusterState := npMgr.GetClusterState()
 npMgr.reportManager.Report.(*telemetry.NPMReport).GetReport(clusterID, npMgr.nodeName, npmVersion, serverVersion.GitVersion, clusterState)
- allNs, err := newNs(util.KubeAllNamespacesFlag)
- if err != nil {
- log.Logf("Error: failed to create all-namespace.")
- panic(err.Error)
- }
+ allNs, _ := newNs(util.KubeAllNamespacesFlag)
 npMgr.nsMap[util.KubeAllNamespacesFlag] = allNs
+ // Create ipset for the namespace.
+ kubeSystemNs := "ns-" + util.KubeSystemFlag
+ if err := allNs.ipsMgr.CreateSet(kubeSystemNs); err != nil {
+ log.Logf("Error: failed to create ipset for namespace %s.", kubeSystemNs)
+ }
+
 podInformer.Informer().AddEventHandler(
 // Pod event handlers
 cache.ResourceEventHandlerFuncs{
diff --git a/npm/util/const.go b/npm/util/const.go
index b1910f56ca..399d9cfc3c 100644
--- a/npm/util/const.go
+++ b/npm/util/const.go
@@ -47,7 +47,7 @@ const (
 IptablesSFlag string = "-s"
 IptablesDFlag string = "-d"
 IptablesDstPortFlag string = "--dport"
- IptablesModuleFlag string = "-m"
+ IptablesModuleFlag string = "-m"
 IptablesSetModuleFlag string = "set"
 IptablesMatchSetFlag string = "--match-set"
 IptablesStateModuleFlag string = "state"
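Review bot: `allNs, _ := newNs(util.KubeAllNamespacesFlag)` drops the error that the removed lines at least tried to handle (the removed `panic(err.Error)` passed the method value instead of calling it, a bug of its own), and the new `allNs.ipsMgr.CreateSet(kubeSystemNs)` a few lines later dereferences `allNs` with no nil check; if `newNs` returns a nil `*namespace` on error, the constructor now dies with a nil-pointer dereference instead of a readable message. Keep the check and fail loudly as before: `allNs, err := newNs(util.KubeAllNamespacesFlag)` / `if err != nil { log.Logf("Error: failed to create all-namespace: %v", err); panic(err) }`. The comment `// Create ipset for the namespace.` should name which one, e.g. `// Create the ipset for the kube-system namespace.`. `NewNetworkPolicyManager` begins and ends outside this hunk.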
@@ -60,15 +60,21 @@ const (
 IptablesCommentModuleFlag string = "comment"
 IptablesCommentFlag string = "--comment"
 IptablesAddCommentFlag
- IptablesAzureChain string = "AZURE-NPM"
- IptablesAzureKubeSystemChain string = "AZURE-NPM-KUBE-SYSTEM"
- IptablesAzureIngressPortChain string = "AZURE-NPM-INGRESS-PORT"
- IptablesAzureIngressFromChain string = "AZURE-NPM-INGRESS-FROM"
- IptablesAzureEgressPortChain string = "AZURE-NPM-EGRESS-PORT"
- IptablesAzureEgressToChain string = "AZURE-NPM-EGRESS-TO"
- IptablesAzureTargetSetsChain string = "AZURE-NPM-TARGET-SETS"
- IptablesForwardChain string = "FORWARD"
- IptablesInputChain string = "INPUT"
+ IptablesAzureChain string = "AZURE-NPM"
+ IptablesAzureKubeSystemChain string = "AZURE-NPM-KUBE-SYSTEM"
+ IptablesAzureIngressPortChain string = "AZURE-NPM-INGRESS-PORT"
+ IptablesAzureIngressFromChain string = "AZURE-NPM-INGRESS-FROM"
+ IptablesAzureEgressPortChain string = "AZURE-NPM-EGRESS-PORT"
+ IptablesAzureEgressToChain string = "AZURE-NPM-EGRESS-TO"
+ IptablesAzureTargetSetsChain string = "AZURE-NPM-TARGET-SETS"
+ IptablesForwardChain string = "FORWARD"
+ IptablesInputChain string = "INPUT"
+ // Below chains exists only for before Azure-NPM:v1.0.27
+ // and should be removed after a baking period.
+ IptablesAzureIngressFromNsChain string = "AZURE-NPM-INGRESS-FROM-NS"
+ IptablesAzureIngressFromPodChain string = "AZURE-NPM-INGRESS-FROM-POD"
+ IptablesAzureEgressToNsChain string = "AZURE-NPM-EGRESS-TO-NS"
+ IptablesAzureEgressToPodChain string = "AZURE-NPM-EGRESS-TO-POD"
 )
 //ipset related constants.