From 4c72bb6dfb566fdbe5f22642a2923798e2bbc91f Mon Sep 17 00:00:00 2001
From: Jaeryn
Date: Tue, 7 Apr 2020 18:56:48 +0000
Subject: [PATCH 1/4] Remove old npm chains which were causing errors on uninit
---
 npm/iptm/iptm.go | 7 -------
 npm/nwpolicy.go | 2 +-
 2 files changed, 1 insertion(+), 8 deletions(-)

diff --git a/npm/iptm/iptm.go b/npm/iptm/iptm.go
index ebae4f79f5..b9739a393c 100644
--- a/npm/iptm/iptm.go
+++ b/npm/iptm/iptm.go
@@ -182,18 +182,11 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
 func (iptMgr *IptablesManager) UninitNpmChains() error {
 IptablesAzureChainList := []string{
 util.IptablesAzureChain,
-util.IptablesAzureKubeSystemChain,
 util.IptablesAzureIngressPortChain,
 util.IptablesAzureIngressFromChain,
 util.IptablesAzureEgressPortChain,
 util.IptablesAzureEgressToChain,
 util.IptablesAzureTargetSetsChain,
-// Below chains exists only for before Azure-NPM:v1.0.27
-// and should be removed after a baking period.
-util.IptablesAzureIngressFromNsChain,
-util.IptablesAzureIngressFromPodChain,
-util.IptablesAzureEgressToNsChain,
-util.IptablesAzureEgressToPodChain,
 }
 
 // Remove AZURE-NPM chain from FORWARD chain.
diff --git a/npm/nwpolicy.go b/npm/nwpolicy.go
index b4c1e432ae..d43125d9d3 100644
--- a/npm/nwpolicy.go
+++ b/npm/nwpolicy.go
@@ -179,11 +179,11 @@ func (npMgr *NetworkPolicyManager) DeleteNetworkPolicy(npObj *networkingv1.Netwo
 }
 
 if npMgr.canCleanUpNpmChains() {
+npMgr.isAzureNpmChainCreated = false
 if err = iptMgr.UninitNpmChains(); err != nil {
 log.Errorf("Error: failed to uninitialize azure-npm chains.")
 return err
 }
-npMgr.isAzureNpmChainCreated = false
 }
 
 return nil

From d6cf817083821a0c7b83a6f31e20849c9d93549e Mon Sep 17 00:00:00 2001
From: Jaeryn
Date: Fri, 10 Apr 2020 00:34:38 +0000
Subject: [PATCH 2/4] Utilize rawNpMap and refrain from updating policies with no change.
---
 npm/iptm/iptm.go | 11 ++++++-----
 npm/nwpolicy.go | 8 ++++++++
 2 files changed, 14 insertions(+), 5 deletions(-)

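Review bot: Dropping `util.IptablesAzureKubeSystemChain` from `IptablesAzureChainList` means UninitNpmChains no longer flushes or deletes that chain, so if InitNpmChains (outside this hunk) still creates it, it is left behind in the kernel after every uninit; unlike the four pre-v1.0.27 entries it was never marked as legacy, so this looks unintended and should be checked against InitNpmChains. Removing the legacy entries also means nodes upgraded from older releases keep those stale chains, and whatever rules they still hold, indefinitely, since nothing else in the series cleans them up. If the uninit errors come from deleting a chain that does not exist on fresh nodes, a more robust fix is to keep the entries and tolerate a does-not-exist return code in the removal loop that follows this hunk, with a comment such as `// Legacy chains exist only on nodes upgraded from before v1.0.27; a missing chain is not an error here.`. The body of UninitNpmChains continues past the hunk.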
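Review bot: Clearing `npMgr.isAzureNpmChainCreated` before `iptMgr.UninitNpmChains()` means that on the error path the flag reports the chains as gone while some of them may still exist, so the next AddNetworkPolicy will run InitNpmChains over a partially torn-down set. If forcing that re-initialisation is the intended recovery, the ordering deserves a why-comment, e.g. `// Reset the flag before uninit so a failed teardown forces a full re-init on the next policy add.`. The log line on the failure path also discards `err`, so the reason for the failed uninit is visible only to the caller; `log.Errorf("Error: failed to uninitialize azure-npm chains: %v", err)` would keep it. DeleteNetworkPolicy begins before this hunk.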
diff --git a/npm/iptm/iptm.go b/npm/iptm/iptm.go
index b9739a393c..5b6260cf4c 100644
--- a/npm/iptm/iptm.go
+++ b/npm/iptm/iptm.go
@@ -229,12 +229,10 @@ func (iptMgr *IptablesManager) Exists(entry *IptEntry) (bool, error) {
 iptMgr.OperationFlag = util.IptablesCheckFlag
 returnCode, err := iptMgr.Run(entry)
 if err == nil {
-log.Printf("Rule exists. %+v.", entry)
 return true, nil
 }
 
 if returnCode == iptablesErrDoesNotExist {
-log.Printf("Rule doesn't exist. %+v.", entry)
 return false, nil
 }
 
@@ -341,12 +339,15 @@ func (iptMgr *IptablesManager) Run(entry *IptEntry) (int, error) {
 }
 
 cmdArgs := append([]string{util.IptablesWaitFlag, entry.LockWaitTimeInSeconds, iptMgr.OperationFlag, entry.Chain}, entry.Specs...)
-log.Printf("Executing iptables command %s %v", cmdName, cmdArgs)
-_, err := exec.Command(cmdName, cmdArgs...).Output()
+if iptMgr.OperationFlag != util.IptablesCheckFlag {
+log.Printf("Executing iptables command %s %v", cmdName, cmdArgs)
+}
+
+_, err := exec.Command(cmdName, cmdArgs...).Output()
 
 if msg, failed := err.(*exec.ExitError); failed {
 errCode := msg.Sys().(syscall.WaitStatus).ExitStatus()
-if errCode > 0 {
+if errCode > 0 && iptMgr.OperationFlag != util.IptablesCheckFlag {
 log.Errorf("Error: There was an error running command: [%s %v] Stderr: [%v, %s]", cmdName, strings.Join(cmdArgs, " "), err, strings.TrimSuffix(string(msg.Stderr), "\n"))
 }
 
diff --git a/npm/nwpolicy.go b/npm/nwpolicy.go
index d43125d9d3..80e8180999 100644
--- a/npm/nwpolicy.go
+++ b/npm/nwpolicy.go
@@ -46,6 +46,8 @@ func (npMgr *NetworkPolicyManager) AddNetworkPolicy(npObj *networkingv1.NetworkP
 return nil
 }
 
+ns.rawNpMap[npObj.ObjectMeta.Name] = npObj
+
 allNs := npMgr.nsMap[util.KubeAllNamespacesFlag]
 
 if !npMgr.isAzureNpmChainCreated {
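Review bot: The new guard on the error log in Run silences every non-zero exit code for a check operation, not only the expected `iptablesErrDoesNotExist` that Exists (earlier in this file) translates into `false`; a lock-wait timeout, a permission failure or a malformed rule during a check now produces no log line at all and falls through to whatever Exists does after its two handled cases. Narrowing the condition keeps the quiet path for the expected outcome only: `if errCode > 0 && (iptMgr.OperationFlag != util.IptablesCheckFlag || errCode != iptablesErrDoesNotExist) {`. Run continues below the hunk, so what it returns on that path is not visible here.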
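Review bot: `ns.rawNpMap[npObj.ObjectMeta.Name] = npObj` records the policy before the chains are initialised and before the remainder of AddNetworkPolicy (outside this hunk) has programmed it, so an add that fails later leaves an entry claiming the policy is in place; unless rawNpMap is meant to mirror the API server rather than iptables state, the write belongs after the successful path, or its contract should be stated, e.g. `// rawNpMap keeps the last NetworkPolicy object received per name, independent of whether programming succeeded.`. The map stores the pointer it is handed, so a caller that reuses or mutates that object changes the stored entry with it; storing `npObj.DeepCopy()` would decouple the two if that matters here. Nothing in the series shows where `ns.rawNpMap` is allocated, so it is worth confirming the namespace constructor makes it before this write.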
@@ -116,6 +118,10 @@ func (npMgr *NetworkPolicyManager) AddNetworkPolicy(npObj *networkingv1.NetworkP // UpdateNetworkPolicy handles updateing network policy in iptables. func (npMgr *NetworkPolicyManager) UpdateNetworkPolicy(oldNpObj *networkingv1.NetworkPolicy, newNpObj *networkingv1.NetworkPolicy) error { + if isSamePolicy(oldNpObj, newNpObj) { + return nil + } + var err error log.Printf("NETWORK POLICY UPDATING:\n old policy:[%v]\n new policy:[%v]", oldNpObj, newNpObj) @@ -164,6 +170,8 @@ func (npMgr *NetworkPolicyManager) DeleteNetworkPolicy(npObj *networkingv1.Netwo } } + delete(ns.rawNpMap, npObj.ObjectMeta.Name) + hashedSelector := HashSelector(&npObj.Spec.PodSelector) if oldPolicy, oldPolicyExists := ns.processedNpMap[hashedSelector]; oldPolicyExists { deductedPolicy, err := deductPolicy(oldPolicy, npObj) From 9b8ec0afc7f2d057df61ba3de3aa2f21a6ba5bb6 Mon Sep 17 00:00:00 2001 From: Jaeryn Date: Fri, 10 Apr 2020 18:26:30 +0000 Subject: [PATCH 3/4] redacted From e4092d9c0d622c57bafc1d1fdbd404b96c7b55ea Mon Sep 17 00:00:00 2001 From: Jaeryn Date: Fri, 10 Apr 2020 19:02:10 +0000 Subject: [PATCH 4/4] add added policy to processedNpMap --- npm/nwpolicy.go | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/npm/nwpolicy.go b/npm/nwpolicy.go index 80e8180999..77f09a55e8 100644 --- a/npm/nwpolicy.go +++ b/npm/nwpolicy.go 
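Review bot: The early return in UpdateNetworkPolicy skips everything below it, including any refresh of `ns.rawNpMap`, so after a no-op update the map still holds the previous object (older ResourceVersion and metadata) even though patch 2 keeps that map in step on add and delete; whether that is acceptable depends on what `isSamePolicy` compares, and its definition is not visible in this series (patch 3 is redacted). A one-line comment would make the contract explicit, e.g. `// Spec unchanged: nothing to reprogram; rawNpMap keeps the previously stored object.`, or the update path should store `newNpObj` before returning. UpdateNetworkPolicy continues below the hunk.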
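Review bot: `delete(ns.rawNpMap, npObj.ObjectMeta.Name)` runs for every caller of DeleteNetworkPolicy, including the internal call from AddNetworkPolicy in patch 4 that passes the merged `oldPolicy` taken from `processedNpMap` rather than an object received from the API server; if that merged policy's name coincides with a real policy name, the raw entry of a policy that still exists is dropped, and if it does not, the delete is a silent no-op. Either way the raw map is now coupled to an internal re-programming call, so the deletion should be gated on the call being an external delete, or the assumption documented: `// Drop the API-server copy; internal re-programming via processedNpMap should not rely on this entry.`. DeleteNetworkPolicy starts before this hunk, so its earlier early-return checks are not visible.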
@@ -69,13 +69,16 @@ func (npMgr *NetworkPolicyManager) AddNetworkPolicy(npObj *networkingv1.NetworkP
 var addedPolicy *networkingv1.NetworkPolicy
 addedPolicy = nil
 if oldPolicy, oldPolicyExists := ns.processedNpMap[hashedSelector]; oldPolicyExists {
+npMgr.isSafeToCleanUpAzureNpmChain = false
+npMgr.DeleteNetworkPolicy(oldPolicy)
+npMgr.isSafeToCleanUpAzureNpmChain = true
+
 addedPolicy, err = addPolicy(oldPolicy, npObj)
 if err != nil {
 log.Printf("Error adding policy %s to %s", npName, oldPolicy.ObjectMeta.Name)
+} else {
+ns.processedNpMap[hashedSelector] = addedPolicy
 }
-npMgr.isSafeToCleanUpAzureNpmChain = false
-npMgr.DeleteNetworkPolicy(oldPolicy)
-npMgr.isSafeToCleanUpAzureNpmChain = true
 } else {
 ns.processedNpMap[hashedSelector] = npObj
 }
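Review bot: When `addPolicy` fails, the new `else` leaves `ns.processedNpMap[hashedSelector]` pointing at `oldPolicy`, whose rules `npMgr.DeleteNetworkPolicy(oldPolicy)` has just removed a few lines above, so the map now claims rules that are no longer in iptables and `addedPolicy` stays nil for whatever follows the hunk; the failure branch should at least drop the stale entry, `delete(ns.processedNpMap, hashedSelector)`, and return `err` if the function's lock handling permits an early return there. The return value of `npMgr.DeleteNetworkPolicy(oldPolicy)` is also discarded, so a failed teardown of the old merged policy is followed by programming the new merged one on top of whatever was left. The flag toggling around that call deserves a why-comment, e.g. `// Temporarily forbid chain cleanup: the old merged policy is removed only to be re-added merged with npObj.`. AddNetworkPolicy continues outside the hunk.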