From 2a5ad4d93f64763ad34f07954f50c4238cd66a4a Mon Sep 17 00:00:00 2001 From: Jaeryn Date: Tue, 14 Apr 2020 15:55:17 +0000 Subject: [PATCH 1/2] Check raw and processed network policy maps separately in add operation. --- npm/nwpolicy.go | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/npm/nwpolicy.go b/npm/nwpolicy.go index e64e00887a..f20208b818 100644 --- a/npm/nwpolicy.go +++ b/npm/nwpolicy.go @@ -69,16 +69,18 @@ func (npMgr *NetworkPolicyManager) AddNetworkPolicy(npObj *networkingv1.NetworkP iptEntries []*iptm.IptEntry ) + // Remove the existing policy from processed (merged) network policy map if oldPolicy, oldPolicyExists := ns.rawNpMap[npObj.ObjectMeta.Name]; oldPolicyExists { npMgr.isSafeToCleanUpAzureNpmChain = false npMgr.DeleteNetworkPolicy(oldPolicy) npMgr.isSafeToCleanUpAzureNpmChain = true + } - if oldPolicy, oldPolicyExists = ns.processedNpMap[hashedSelector]; oldPolicyExists { - addedPolicy, err = addPolicy(oldPolicy, npObj) - if err != nil { - log.Printf("Error adding policy %s to %s", npName, oldPolicy.ObjectMeta.Name) - } + // Add (merge) the new policy with others who apply to the same pods + if oldPolicy, oldPolicyExists := ns.processedNpMap[hashedSelector]; oldPolicyExists { + addedPolicy, err = addPolicy(oldPolicy, npObj) + if err != nil { + log.Printf("Error adding policy %s to %s", npName, oldPolicy.ObjectMeta.Name) } } From b6e594e2d825b17e23a0ed6aaeddba05b0413130 Mon Sep 17 00:00:00 2001 From: Jaeryn Date: Tue, 14 Apr 2020 16:28:27 +0000 Subject: [PATCH 2/2] Remove failed & succeeded pods from ipset --- npm/pod.go | 65 +++++++++++++++++++++++++++++------------------------- 1 file changed, 35 insertions(+), 30 deletions(-) diff --git a/npm/pod.go b/npm/pod.go index 7252943690..aea2473775 100644 --- a/npm/pod.go +++ b/npm/pod.go @@ -7,6 +7,7 @@ import ( "github.com/Azure/azure-container-networking/npm/util" corev1 "k8s.io/api/core/v1" + v1 "k8s.io/api/core/v1" ) func isValidPod(podObj *corev1.Pod) bool { 
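Review bot: In the new processed-map branch the error from `addPolicy` is only logged and then dropped, so when the merge fails the function continues with whatever `addedPolicy` holds (possibly nil) and the rules for those pods end up missing or partially programmed — a fail-open path in a policy enforcer. Unless the code after the hunk handles it, return after the log line, e.g. `return err` (AddNetworkPolicy's return type is not visible here; `err` is the outer variable, since the branch assigns with `=`). The same applies to the bare `npMgr.DeleteNetworkPolicy(oldPolicy)` call in the raw-map branch: any result it produces is discarded and `isSafeToCleanUpAzureNpmChain` is set back to true regardless of outcome, so a failed cleanup leaves the old policy's rules in place while the merged one is added on top. AddNetworkPolicy starts before and continues after this hunk.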
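Review bot: The added `v1 "k8s.io/api/core/v1"` imports the package that is already imported on the line above as `corev1`, leaving the file with two aliases for one package; this compiles but staticcheck reports it (ST1019) and it invites mixed use of both names within the same function. Drop the new import line and use the existing alias at the call site in UpdatePod: `newPodObjPhase != corev1.PodSucceeded && newPodObjPhase != corev1.PodFailed`.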
@@ -23,18 +24,18 @@ func (npMgr *NetworkPolicyManager) AddPod(podObj *corev1.Pod) error { return nil } - var err error + var ( + err error + podNs = "ns-" + podObj.ObjectMeta.Namespace + podName = podObj.ObjectMeta.Name + podNodeName = podObj.Spec.NodeName + podLabels = podObj.ObjectMeta.Labels + podIP = podObj.Status.PodIP + ipsMgr = npMgr.nsMap[util.KubeAllNamespacesFlag].ipsMgr + ) - podNs := "ns-" + podObj.ObjectMeta.Namespace - podName := podObj.ObjectMeta.Name - podNodeName := podObj.Spec.NodeName - podLabels := podObj.ObjectMeta.Labels - podIP := podObj.Status.PodIP log.Printf("POD CREATING: [%s/%s/%s%+v%s]", podNs, podName, podNodeName, podLabels, podIP) - // Add the pod to ipset - ipsMgr := npMgr.nsMap[util.KubeAllNamespacesFlag].ipsMgr - // Add pod namespace if it doesn't exist if _, exists := npMgr.nsMap[podNs]; !exists { log.Printf("Creating set: %v, hashedSet: %v", podNs, util.GetHashedName(podNs)) 
@@ -76,18 +77,19 @@ func (npMgr *NetworkPolicyManager) UpdatePod(oldPodObj, newPodObj *corev1.Pod) e return nil } - var err error - - oldPodObjNs := oldPodObj.ObjectMeta.Namespace - oldPodObjName := oldPodObj.ObjectMeta.Name - oldPodObjLabel := oldPodObj.ObjectMeta.Labels - oldPodObjPhase := oldPodObj.Status.Phase - oldPodObjIP := oldPodObj.Status.PodIP - newPodObjNs := newPodObj.ObjectMeta.Namespace - newPodObjName := newPodObj.ObjectMeta.Name - newPodObjLabel := newPodObj.ObjectMeta.Labels - newPodObjPhase := newPodObj.Status.Phase - newPodObjIP := newPodObj.Status.PodIP + var ( + err error + oldPodObjNs = oldPodObj.ObjectMeta.Namespace + oldPodObjName = oldPodObj.ObjectMeta.Name + oldPodObjLabel = oldPodObj.ObjectMeta.Labels + oldPodObjPhase = oldPodObj.Status.Phase + oldPodObjIP = oldPodObj.Status.PodIP + newPodObjNs = newPodObj.ObjectMeta.Namespace + newPodObjName = newPodObj.ObjectMeta.Name + newPodObjLabel = newPodObj.ObjectMeta.Labels + newPodObjPhase = newPodObj.Status.Phase + newPodObjIP = newPodObj.Status.PodIP + ) log.Printf( "POD UPDATING:\n old pod: [%s/%s/%+v/%s/%s]\n new pod: [%s/%s/%+v/%s/%s]", @@ -99,7 +101,9 @@ func (npMgr *NetworkPolicyManager) UpdatePod(oldPodObj, newPodObj *corev1.Pod) e return err } - if newPodObj.ObjectMeta.DeletionTimestamp == nil && newPodObj.ObjectMeta.DeletionGracePeriodSeconds == nil { + // Assume that the pod IP will be released when pod moves to succeeded or failed state. + // If the pod transitions back to an active state, then add operation will re establish the updated pod info. + if newPodObj.ObjectMeta.DeletionTimestamp == nil && newPodObj.ObjectMeta.DeletionGracePeriodSeconds == nil && newPodObjPhase != v1.PodSucceeded && newPodObjPhase != v1.PodFailed { if err = npMgr.AddPod(newPodObj); err != nil { return err } 
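Review bot: The new comment above the AddPod condition says the pod may "transition back to an active state", but per the Kubernetes API docs PodSucceeded and PodFailed are terminal phases, so that case never occurs — a pod that reuses the released IP arrives as a fresh AddPod event. The rationale worth recording is the security one: leaving a terminated pod's IP in the ipsets would grant its policy to whatever pod is next assigned that address; suggest `// Succeeded/Failed are terminal: the IP is (or is about to be) released, so do not re-add it — a stale ipset entry would apply this pod's policy to the next pod given the same IP.` The four-term one-liner would also read better split out, e.g. `terminated := newPodObjPhase == v1.PodSucceeded || newPodObjPhase == v1.PodFailed` tested as `!terminated` in the `if`. This relies on the old pod's entries having been removed by the call whose `return err }` tail opens the hunk (presumably DeletePod); UpdatePod starts and ends outside this hunk.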
@@ -114,17 +118,18 @@ func (npMgr *NetworkPolicyManager) DeletePod(podObj *corev1.Pod) error { return nil } - var err error + var ( + err error + podNs = "ns-" + podObj.ObjectMeta.Namespace + podName = podObj.ObjectMeta.Name + podNodeName = podObj.Spec.NodeName + podLabels = podObj.ObjectMeta.Labels + podIP = podObj.Status.PodIP + ipsMgr = npMgr.nsMap[util.KubeAllNamespacesFlag].ipsMgr + ) - podNs := "ns-" + podObj.ObjectMeta.Namespace - podName := podObj.ObjectMeta.Name - podNodeName := podObj.Spec.NodeName - podLabels := podObj.ObjectMeta.Labels - podIP := podObj.Status.PodIP log.Printf("POD DELETING: [%s/%s/%s%+v%s]", podNs, podName, podNodeName, podLabels, podIP) - // Delete pod from ipset - ipsMgr := npMgr.nsMap[util.KubeAllNamespacesFlag].ipsMgr // Delete the pod from its namespace's ipset. if err = ipsMgr.DeleteFromSet(podNs, podIP); err != nil { log.Errorf("Error: failed to delete pod from namespace ipset.")