Azure · jaer-tsun · Dec 17, 2019 · Dec 18, 2019 · Dec 18, 2019 · saiyan86
@@ -86,11 +86,8 @@ func (npMgr *NetworkPolicyManager) UninitAllNsList() error {
 	return nil
 }
 
-// AddNamespace handles adding namespace to ipset.
+// AddNamespace handles adding namespace to ipset
 func (npMgr *NetworkPolicyManager) AddNamespace(nsObj *corev1.Namespace) error {
-	npMgr.Lock()
-	defer npMgr.Unlock()
-
 	var err error
 
 	nsName, nsLabel := "ns-" + nsObj.ObjectMeta.Name, nsObj.ObjectMeta.Labels
@@ -135,6 +132,14 @@ func (npMgr *NetworkPolicyManager) AddNamespace(nsObj *corev1.Namespace) error {
 	return nil
 }
 
+// AddNamespaceWithLock acquires NetworkPolicyManager lock before adding namespace to ipset
+func (npMgr *NetworkPolicyManager) AddNamespaceWithLock(nsObj *corev1.Namespace) error {
+	npMgr.Lock()
+	defer npMgr.Unlock()
+
+	return npMgr.AddNamespace(nsObj)
+}
+
 // UpdateNamespace handles updating namespace in ipset.
 func (npMgr *NetworkPolicyManager) UpdateNamespace(oldNsObj *corev1.Namespace, newNsObj *corev1.Namespace) error {
 	var err error
@@ -151,7 +156,7 @@ func (npMgr *NetworkPolicyManager) UpdateNamespace(oldNsObj *corev1.Namespace, n
 	}
 
 	if newNsObj.ObjectMeta.DeletionTimestamp == nil && newNsObj.ObjectMeta.DeletionGracePeriodSeconds == nil {
-		if err = npMgr.AddNamespace(newNsObj); err != nil {
+		if err = npMgr.AddNamespaceWithLock(newNsObj); err != nil {
 			return err
 		}
 	}

@@ -80,7 +80,7 @@ func TestAddNamespace(t *testing.T) {
 		},
 	}
 
-	if err := npMgr.AddNamespace(nsObj); err != nil {
+	if err := npMgr.AddNamespaceWithLock(nsObj); err != nil {
 		t.Errorf("TestAddNamespace @ npMgr.AddNamespace")
 	}
 }
@@ -130,7 +130,7 @@ func TestUpdateNamespace(t *testing.T) {
 		},
 	}
 
-	if err := npMgr.AddNamespace(oldNsObj); err != nil {
+	if err := npMgr.AddNamespaceWithLock(oldNsObj); err != nil {
 		t.Errorf("TestUpdateNamespace failed @ npMgr.AddNamespace")
 	}
 
@@ -175,7 +175,7 @@ func TestDeleteNamespace(t *testing.T) {
 		},
 	}
 
-	if err := npMgr.AddNamespace(nsObj); err != nil {
+	if err := npMgr.AddNamespaceWithLock(nsObj); err != nil {
 		t.Errorf("TestDeleteNamespace @ npMgr.AddNamespace")
 	}
 

@@ -136,11 +136,21 @@ func NewNetworkPolicyManager(clientset *kubernetes.Clientset, informerFactory in
 	iptMgr := iptm.NewIptablesManager()
 	iptMgr.UninitNpmChains()
 
-	podInformer := informerFactory.Core().V1().Pods()
-	nsInformer := informerFactory.Core().V1().Namespaces()
-	npInformer := informerFactory.Networking().V1().NetworkPolicies()
+	var (
+		podInformer   = informerFactory.Core().V1().Pods()
+		nsInformer    = informerFactory.Core().V1().Namespaces()
+		npInformer    = informerFactory.Networking().V1().NetworkPolicies()
+		serverVersion *version.Info
+		err           error
+	)
 
-	serverVersion, err := clientset.ServerVersion()
+	for ticker, start := time.NewTicker(1 * time.Second).C, time.Now(); time.Since(start) < time.Minute * 1; {
+		<-ticker
+		serverVersion, err = clientset.ServerVersion()
+		if err == nil {
+			break
+		}
+	}
 	if err != nil {
 		log.Logf("Error: failed to retrieving kubernetes version")
 		panic(err.Error)
@@ -207,7 +217,7 @@ func NewNetworkPolicyManager(clientset *kubernetes.Clientset, informerFactory in
 		// Namespace event handlers
 		cache.ResourceEventHandlerFuncs{
 			AddFunc: func(obj interface{}) {
-				npMgr.AddNamespace(obj.(*corev1.Namespace))
+				npMgr.AddNamespaceWithLock(obj.(*corev1.Namespace))
 			},
 			UpdateFunc: func(old, new interface{}) {
 				npMgr.UpdateNamespace(old.(*corev1.Namespace), new.(*corev1.Namespace))

@@ -6,7 +6,10 @@ import (
 	"github.com/Azure/azure-container-networking/log"
 	"github.com/Azure/azure-container-networking/npm/iptm"
 	"github.com/Azure/azure-container-networking/npm/util"
+
+	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 func (npMgr *NetworkPolicyManager) canCleanUpNpmChains() bool {
@@ -36,13 +39,21 @@ func (npMgr *NetworkPolicyManager) AddNetworkPolicy(npObj *networkingv1.NetworkP
 	npNs, npName := "ns-"+npObj.ObjectMeta.Namespace, npObj.ObjectMeta.Name
 	log.Printf("NETWORK POLICY CREATING: %v", npObj)
 
+	// Add policy namespace if it doesn't exist
 	var exists bool
 	if ns, exists = npMgr.nsMap[npNs]; !exists {
-		ns, err = newNs(npNs)
-		if err != nil {
-			log.Printf("Error creating namespace %s\n", npNs)
+		nsObj := &corev1.Namespace{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:   npObj.ObjectMeta.Namespace,
+				Labels: make(map[string]string),
+			},
 		}
-		npMgr.nsMap[npNs] = ns
+
+		if err = npMgr.AddNamespace(nsObj); err != nil {
+			return err
+		}
+
+		ns = npMgr.nsMap[npNs]
 	}
 
 	if ns.policyExists(npObj) {

@@ -66,7 +66,7 @@ func TestAddNetworkPolicy(t *testing.T) {
 		},
 	}
 
-	if err := npMgr.AddNamespace(nsObj); err != nil {
+	if err := npMgr.AddNamespaceWithLock(nsObj); err != nil {
 		t.Errorf("TestAddNetworkPolicy @ npMgr.AddNamespace")
 	}
 
@@ -177,7 +177,7 @@ func TestUpdateNetworkPolicy(t *testing.T) {
 		},
 	}
 
-	if err := npMgr.AddNamespace(nsObj); err != nil {
+	if err := npMgr.AddNamespaceWithLock(nsObj); err != nil {
 		t.Errorf("TestUpdateNetworkPolicy @ npMgr.AddNamespace")
 	}
 
@@ -289,7 +289,7 @@ func TestDeleteNetworkPolicy(t *testing.T) {
 		},
 	}
 
-	if err := npMgr.AddNamespace(nsObj); err != nil {
+	if err := npMgr.AddNamespaceWithLock(nsObj); err != nil {
 		t.Errorf("TestDeleteNetworkPolicy @ npMgr.AddNamespace")
 	}
 

@@ -7,6 +7,7 @@ import (
 	"github.com/Azure/azure-container-networking/npm/util"
 
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 func isValidPod(podObj *corev1.Pod) bool {
@@ -35,6 +36,20 @@ func (npMgr *NetworkPolicyManager) AddPod(podObj *corev1.Pod) error {
 	podIP := podObj.Status.PodIP
 	log.Printf("POD CREATING: [%s/%s/%s%+v%s]", podNs, podName, podNodeName, podLabels, podIP)
 
+	// Add pod namespace if it doesn't exist
+	if _, exists := npMgr.nsMap[podNs]; !exists {
+		nsObj := &corev1.Namespace{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:   podObj.ObjectMeta.Namespace,
+				Labels: make(map[string]string),
+			},
+		}
+
+		if err = npMgr.AddNamespace(nsObj); err != nil {
+			return err
+		}
+	}
+
 	// Add the pod to ipset
 	ipsMgr := npMgr.nsMap[util.KubeAllNamespacesFlag].ipsMgr
 	// Add the pod to its namespace's ipset.
@@ -60,13 +75,6 @@ func (npMgr *NetworkPolicyManager) AddPod(podObj *corev1.Pod) error {
 		}
 	}
 
-	ns, err := newNs(podNs)
-	if err != nil {
-		log.Errorf("Error: failed to create namespace %s", podNs)
-		return err
-	}
-	npMgr.nsMap[podNs] = ns
-
 	return nil
 }