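--- a/npm/nwpolicy.go
+++ b/npm/nwpolicy.go
@@ -69,16 +69,18 @@ func (npMgr *NetworkPolicyManager) AddNetworkPolicy(npObj *networkingv1.NetworkP
 iptEntries []*iptm.IptEntry
 )
 
+// Remove the existing policy from processed (merged) network policy map
 if oldPolicy, oldPolicyExists := ns.rawNpMap[npObj.ObjectMeta.Name]; oldPolicyExists {
 npMgr.isSafeToCleanUpAzureNpmChain = false
 npMgr.DeleteNetworkPolicy(oldPolicy)
 npMgr.isSafeToCleanUpAzureNpmChain = true
 }
 
-if oldPolicy, oldPolicyExists = ns.processedNpMap[hashedSelector]; oldPolicyExists {
-addedPolicy, err = addPolicy(oldPolicy, npObj)
-if err != nil {
-log.Printf("Error adding policy %s to %s", npName, oldPolicy.ObjectMeta.Name)
-}
+// Add (merge) the new policy with others who apply to the same pods
+if oldPolicy, oldPolicyExists := ns.processedNpMap[hashedSelector]; oldPolicyExists {
+addedPolicy, err = addPolicy(oldPolicy, npObj)
+if err != nil {
+log.Printf("Error adding policy %s to %s", npName, oldPolicy.ObjectMeta.Name)
+}
 }
 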
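Review bot: A failure of the merge at `addedPolicy, err = addPolicy(oldPolicy, npObj)` is only logged and execution continues with whatever addedPolicy holds, so a policy that could not be merged is silently not enforced, which fails open for a network policy. If AddNetworkPolicy returns an error as the pod handlers in this PR do, return it after the log call: `return err`. The flag around DeleteNetworkPolicy is restored to a literal `true` rather than to its prior value, which is only correct if it is always true on entry; saving it first (`prev := npMgr.isSafeToCleanUpAzureNpmChain` and restoring prev) would make that explicit. AddNetworkPolicy's body continues outside the hunk.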
65 changes: 35 additions & 30 deletions npm/pod.go
Expand Up @@ -7,6 +7,7 @@ import (
"github.com/Azure/azure-container-networking/npm/util"

corev1 "k8s.io/api/core/v1"
v1 "k8s.io/api/core/v1"
)

func isValidPod(podObj *corev1.Pod) bool {
Expand All @@ -23,18 +24,18 @@ func (npMgr *NetworkPolicyManager) AddPod(podObj *corev1.Pod) error {
return nil
}

var err error
var (
err error
podNs = "ns-" + podObj.ObjectMeta.Namespace
podName = podObj.ObjectMeta.Name
podNodeName = podObj.Spec.NodeName
podLabels = podObj.ObjectMeta.Labels
podIP = podObj.Status.PodIP
ipsMgr = npMgr.nsMap[util.KubeAllNamespacesFlag].ipsMgr
)

podNs := "ns-" + podObj.ObjectMeta.Namespace
podName := podObj.ObjectMeta.Name
podNodeName := podObj.Spec.NodeName
podLabels := podObj.ObjectMeta.Labels
podIP := podObj.Status.PodIP
log.Printf("POD CREATING: [%s/%s/%s%+v%s]", podNs, podName, podNodeName, podLabels, podIP)

// Add the pod to ipset
ipsMgr := npMgr.nsMap[util.KubeAllNamespacesFlag].ipsMgr

// Add pod namespace if it doesn't exist
if _, exists := npMgr.nsMap[podNs]; !exists {
log.Printf("Creating set: %v, hashedSet: %v", podNs, util.GetHashedName(podNs))
Expand Down Expand Up @@ -76,18 +77,19 @@ func (npMgr *NetworkPolicyManager) UpdatePod(oldPodObj, newPodObj *corev1.Pod) e
return nil
}

var err error

oldPodObjNs := oldPodObj.ObjectMeta.Namespace
oldPodObjName := oldPodObj.ObjectMeta.Name
oldPodObjLabel := oldPodObj.ObjectMeta.Labels
oldPodObjPhase := oldPodObj.Status.Phase
oldPodObjIP := oldPodObj.Status.PodIP
newPodObjNs := newPodObj.ObjectMeta.Namespace
newPodObjName := newPodObj.ObjectMeta.Name
newPodObjLabel := newPodObj.ObjectMeta.Labels
newPodObjPhase := newPodObj.Status.Phase
newPodObjIP := newPodObj.Status.PodIP
var (
err error
oldPodObjNs = oldPodObj.ObjectMeta.Namespace
oldPodObjName = oldPodObj.ObjectMeta.Name
oldPodObjLabel = oldPodObj.ObjectMeta.Labels
oldPodObjPhase = oldPodObj.Status.Phase
oldPodObjIP = oldPodObj.Status.PodIP
newPodObjNs = newPodObj.ObjectMeta.Namespace
newPodObjName = newPodObj.ObjectMeta.Name
newPodObjLabel = newPodObj.ObjectMeta.Labels
newPodObjPhase = newPodObj.Status.Phase
newPodObjIP = newPodObj.Status.PodIP
)

log.Printf(
"POD UPDATING:\n old pod: [%s/%s/%+v/%s/%s]\n new pod: [%s/%s/%+v/%s/%s]",
Expand All @@ -99,7 +101,9 @@ func (npMgr *NetworkPolicyManager) UpdatePod(oldPodObj, newPodObj *corev1.Pod) e
return err
}

if newPodObj.ObjectMeta.DeletionTimestamp == nil && newPodObj.ObjectMeta.DeletionGracePeriodSeconds == nil {
// Assume that the pod IP will be released when pod moves to succeeded or failed state.
// If the pod transitions back to an active state, then add operation will re establish the updated pod info.
if newPodObj.ObjectMeta.DeletionTimestamp == nil && newPodObj.ObjectMeta.DeletionGracePeriodSeconds == nil && newPodObjPhase != v1.PodSucceeded && newPodObjPhase != v1.PodFailed {
if err = npMgr.AddPod(newPodObj); err != nil {
return err
}
Expand All @@ -114,17 +118,18 @@ func (npMgr *NetworkPolicyManager) DeletePod(podObj *corev1.Pod) error {
return nil
}

var err error
var (
err error
podNs = "ns-" + podObj.ObjectMeta.Namespace
podName = podObj.ObjectMeta.Name
podNodeName = podObj.Spec.NodeName
podLabels = podObj.ObjectMeta.Labels
podIP = podObj.Status.PodIP
ipsMgr = npMgr.nsMap[util.KubeAllNamespacesFlag].ipsMgr
)

podNs := "ns-" + podObj.ObjectMeta.Namespace
podName := podObj.ObjectMeta.Name
podNodeName := podObj.Spec.NodeName
podLabels := podObj.ObjectMeta.Labels
podIP := podObj.Status.PodIP
log.Printf("POD DELETING: [%s/%s/%s%+v%s]", podNs, podName, podNodeName, podLabels, podIP)

// Delete pod from ipset
ipsMgr := npMgr.nsMap[util.KubeAllNamespacesFlag].ipsMgr
// Delete the pod from its namespace's ipset.
if err = ipsMgr.DeleteFromSet(podNs, podIP); err != nil {
log.Errorf("Error: failed to delete pod from namespace ipset.")
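Review bot: The new import `v1 "k8s.io/api/core/v1"` is a second alias for the package already imported as corev1 on the line above it, so the new phase check in UpdatePod refers to the same package under two names; use `corev1.PodSucceeded` and `corev1.PodFailed` in that condition and drop the extra import (staticcheck reports duplicate imports). The new condition relies on the assumption stated in the comment that a Succeeded or Failed pod has already had its ipset entry removed by the earlier branch that ends in `return err` at the top of that hunk; that branch is outside the hunk, so it is worth confirming that the old pod's IP is in fact deleted before AddPod is skipped, otherwise a stale entry could survive for an IP that a later pod reuses. The comment could also say why the phases are excluded: they are terminal, so no re-add of the pod's IP is expected.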