clear stale states on creation

npm/iptm/iptm.go

@@ -21,7 +21,8 @@ import (
 )
 
 const (
-	defaultlockWaitTimeInSeconds = "60"
+	defaultlockWaitTimeInSeconds string = "60"
+	iptablesErrDoesNotExist      int    = 1
 )
 
 // IptEntry represents an iptables rule.
@@ -212,6 +213,12 @@ func (iptMgr *IptablesManager) UninitNpmChains() error {
 		util.IptablesAzureEgressPortChain,
 		util.IptablesAzureEgressToChain,
 		util.IptablesAzureTargetSetsChain,
+		// Below chains exists only for before Azure-NPM:v1.0.27
+		// and should be removed after a baking period.
+		util.IptablesAzureIngressFromNsChain,
+		util.IptablesAzureIngressFromPodChain,
+		util.IptablesAzureEgressToNsChain,
+		util.IptablesAzureEgressToPodChain,
 	}
 
 	// Remove AZURE-NPM chain from FORWARD chain.
@@ -224,7 +231,7 @@ func (iptMgr *IptablesManager) UninitNpmChains() error {
 	}
 	iptMgr.OperationFlag = util.IptablesDeletionFlag
 	errCode, err := iptMgr.Run(entry)
-	if errCode != 1 && err != nil {
+	if errCode != iptablesErrDoesNotExist && err != nil {
 		log.Errorf("Error: failed to remove default rule from FORWARD chain.")
 		return err
 	}
@@ -234,7 +241,8 @@ func (iptMgr *IptablesManager) UninitNpmChains() error {
 		entry := &IptEntry{
 			Chain: chain,
 		}
-		if _, err := iptMgr.Run(entry); err != nil {
+		errCode, err := iptMgr.Run(entry)
+		if errCode != iptablesErrDoesNotExist && err != nil {
 			log.Errorf("Error: failed to flush iptables chain %s.", chain)
 		}
 	}
@@ -257,7 +265,7 @@ func (iptMgr *IptablesManager) Exists(entry *IptEntry) (bool, error) {
 		return true, nil
 	}
 
-	if returnCode == 1 {
+	if returnCode == iptablesErrDoesNotExist {
 		log.Printf("Rule doesn't exist. %+v.", entry)
 		return false, nil
 	}
@@ -273,7 +281,7 @@ func (iptMgr *IptablesManager) AddChain(chain string) error {
 	iptMgr.OperationFlag = util.IptablesChainCreationFlag
 	errCode, err := iptMgr.Run(entry)
 	if err != nil {
-		if errCode == 1 {
+		if errCode == iptablesErrDoesNotExist {
 			log.Printf("Chain already exists %s.", entry.Chain)
 			return nil
 		}
@@ -293,7 +301,7 @@ func (iptMgr *IptablesManager) DeleteChain(chain string) error {
 	iptMgr.OperationFlag = util.IptablesDestroyFlag
 	errCode, err := iptMgr.Run(entry)
 	if err != nil {
-		if errCode == 1 {
+		if errCode == iptablesErrDoesNotExist {
 			log.Printf("Chain doesn't exist %s.", entry.Chain)
 			return nil
 		}

npm/namespace.go

@@ -86,7 +86,7 @@ func (npMgr *NetworkPolicyManager) UninitAllNsList() error {
 	return nil
 }
 
-// AddNamespace handles adding  namespace to ipset.
+// AddNamespace handles adding namespace to ipset.
 func (npMgr *NetworkPolicyManager) AddNamespace(nsObj *corev1.Namespace) error {
 	npMgr.Lock()
 	defer npMgr.Unlock()

npm/npm.go

@@ -45,9 +45,9 @@ type NetworkPolicyManager struct {
 	nsInformer      coreinformers.NamespaceInformer
 	npInformer      networkinginformers.NetworkPolicyInformer
 
-	nodeName               string
-	nsMap                  map[string]*namespace
-	isAzureNpmChainCreated bool
+	nodeName                     string
+	nsMap                        map[string]*namespace
+	isAzureNpmChainCreated       bool
 	isSafeToCleanUpAzureNpmChain bool
 
 	clusterState  telemetry.ClusterState
@@ -169,11 +169,6 @@ func (npMgr *NetworkPolicyManager) Start(stopCh <-chan struct{}) error {
 	// Starts all informers manufactured by npMgr's informerFactory.
 	npMgr.informerFactory.Start(stopCh)
 
-	// Failure detected. Needs to restore Azure-NPM related iptables entries.
-	if util.Exists(util.IptablesConfigFile) {
-		npMgr.restore()
-	}
-
 	// Wait for the initial sync of local cache.
 	if !cache.WaitForCacheSync(stopCh, npMgr.podInformer.Informer().HasSynced) {
 		return fmt.Errorf("Pod informer failed to sync")
@@ -194,6 +189,10 @@ func (npMgr *NetworkPolicyManager) Start(stopCh <-chan struct{}) error {
 
 // NewNetworkPolicyManager creates a NetworkPolicyManager
 func NewNetworkPolicyManager(clientset *kubernetes.Clientset, informerFactory informers.SharedInformerFactory, npmVersion string) *NetworkPolicyManager {
+	// Clear out left over iptables states
+	log.Logf("Azure-NPM creating, cleaning iptables")
+	iptMgr := iptm.NewIptablesManager()
+	iptMgr.UninitNpmChains()
 
 	podInformer := informerFactory.Core().V1().Pods()
 	nsInformer := informerFactory.Core().V1().Namespaces()
@@ -212,14 +211,14 @@ func NewNetworkPolicyManager(clientset *kubernetes.Clientset, informerFactory in
 	}
 
 	npMgr := &NetworkPolicyManager{
-		clientset:              clientset,
-		informerFactory:        informerFactory,
-		podInformer:            podInformer,
-		nsInformer:             nsInformer,
-		npInformer:             npInformer,
-		nodeName:               os.Getenv("HOSTNAME"),
-		nsMap:                  make(map[string]*namespace),
-		isAzureNpmChainCreated: false,
+		clientset:                    clientset,
+		informerFactory:              informerFactory,
+		podInformer:                  podInformer,
+		nsInformer:                   nsInformer,
+		npInformer:                   npInformer,
+		nodeName:                     os.Getenv("HOSTNAME"),
+		nsMap:                        make(map[string]*namespace),
+		isAzureNpmChainCreated:       false,
 		isSafeToCleanUpAzureNpmChain: false,
 		clusterState: telemetry.ClusterState{
 			PodCount:      0,
@@ -243,13 +242,15 @@ func NewNetworkPolicyManager(clientset *kubernetes.Clientset, informerFactory in
 	clusterState := npMgr.GetClusterState()
 	npMgr.reportManager.Report.(*telemetry.NPMReport).GetReport(clusterID, npMgr.nodeName, npmVersion, serverVersion.GitVersion, clusterState)
 
-	allNs, err := newNs(util.KubeAllNamespacesFlag)
-	if err != nil {
-		log.Logf("Error: failed to create all-namespace.")
-		panic(err.Error)
-	}
+	allNs, _ := newNs(util.KubeAllNamespacesFlag)
 	npMgr.nsMap[util.KubeAllNamespacesFlag] = allNs
 
+	// Create ipset for the namespace.
+	kubeSystemNs := "ns-" + util.KubeSystemFlag
+	if err := allNs.ipsMgr.CreateSet(kubeSystemNs); err != nil {
+		log.Logf("Error: failed to create ipset for namespace %s.", kubeSystemNs)
+	}
+
 	podInformer.Informer().AddEventHandler(
 		// Pod event handlers
 		cache.ResourceEventHandlerFuncs{

npm/util/const.go

@@ -47,7 +47,7 @@ const (
 	IptablesSFlag             string = "-s"
 	IptablesDFlag             string = "-d"
 	IptablesDstPortFlag       string = "--dport"
-	IptablesModuleFlag         string = "-m"
+	IptablesModuleFlag        string = "-m"
 	IptablesSetModuleFlag     string = "set"
 	IptablesMatchSetFlag      string = "--match-set"
 	IptablesStateModuleFlag   string = "state"
@@ -60,15 +60,21 @@ const (
 	IptablesCommentModuleFlag string = "comment"
 	IptablesCommentFlag       string = "--comment"
 	IptablesAddCommentFlag
-	IptablesAzureChain               string = "AZURE-NPM"
-	IptablesAzureKubeSystemChain     string = "AZURE-NPM-KUBE-SYSTEM"
-	IptablesAzureIngressPortChain    string = "AZURE-NPM-INGRESS-PORT"
-	IptablesAzureIngressFromChain    string = "AZURE-NPM-INGRESS-FROM"
-	IptablesAzureEgressPortChain     string = "AZURE-NPM-EGRESS-PORT"
-	IptablesAzureEgressToChain       string = "AZURE-NPM-EGRESS-TO"
-	IptablesAzureTargetSetsChain     string = "AZURE-NPM-TARGET-SETS"
-	IptablesForwardChain             string = "FORWARD"
-	IptablesInputChain               string = "INPUT"
+	IptablesAzureChain            string = "AZURE-NPM"
+	IptablesAzureKubeSystemChain  string = "AZURE-NPM-KUBE-SYSTEM"
+	IptablesAzureIngressPortChain string = "AZURE-NPM-INGRESS-PORT"
+	IptablesAzureIngressFromChain string = "AZURE-NPM-INGRESS-FROM"
+	IptablesAzureEgressPortChain  string = "AZURE-NPM-EGRESS-PORT"
+	IptablesAzureEgressToChain    string = "AZURE-NPM-EGRESS-TO"
+	IptablesAzureTargetSetsChain  string = "AZURE-NPM-TARGET-SETS"
+	IptablesForwardChain          string = "FORWARD"
+	IptablesInputChain            string = "INPUT"
+	// Below chains exists only for before Azure-NPM:v1.0.27
+	// and should be removed after a baking period.
+	IptablesAzureIngressFromNsChain  string = "AZURE-NPM-INGRESS-FROM-NS"
+	IptablesAzureIngressFromPodChain string = "AZURE-NPM-INGRESS-FROM-POD"
+	IptablesAzureEgressToNsChain     string = "AZURE-NPM-EGRESS-TO-NS"
+	IptablesAzureEgressToPodChain    string = "AZURE-NPM-EGRESS-TO-POD"
 )
 
 //ipset related constants.