Skip to content

[NPM] Ignoring hostnetwork pods from being added into Ipsets #776

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Feb 2, 2021
Merged

[NPM] Ignoring hostnetwork pods from being added into Ipsets #776

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
b69cfd8
Ignoring hostnetwork pods from being added into Ipsets
vakalapa Feb 1, 2021
4a68db7
generalizing the check on hostnetwork pod
vakalapa Feb 1, 2021
bd5c2c8
Adding tests for add, update and delete hostnetwork pods
vakalapa Feb 2, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions npm/pod.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,10 @@ func isSystemPod(podObj *corev1.Pod) bool {
return podObj.ObjectMeta.Namespace == util.KubeSystemFlag
}

func isHostNetworkPod(podObj *corev1.Pod) bool {
return podObj.Spec.HostNetwork
}

func isInvalidPodUpdate(oldPodObj, newPodObj *corev1.Pod) (isInvalidUpdate bool) {
isInvalidUpdate = oldPodObj.ObjectMeta.Namespace == newPodObj.ObjectMeta.Namespace &&
oldPodObj.ObjectMeta.Name == newPodObj.ObjectMeta.Name &&
Expand Down Expand Up @@ -61,6 +65,12 @@ func (npMgr *NetworkPolicyManager) AddPod(podObj *corev1.Pod) error {
}
}

// Ignore adding the HostNetwork pod to any ipsets.
if isHostNetworkPod(podObj) {
log.Logf("HostNetwork POD IGNORED: [%s%s/%s/%s%+v%s]", podUid, podNs, podName, podNodeName, podLabels, podIP)
return nil
}

// Add the pod to its namespace's ipset.
log.Logf("Adding pod %s to ipset %s", podIP, podNs)
if err = ipsMgr.AddToSet(podNs, podIP, util.IpsetNetHashFlag, podUid); err != nil {
Expand Down Expand Up @@ -116,6 +126,17 @@ func (npMgr *NetworkPolicyManager) UpdatePod(oldPodObj, newPodObj *corev1.Pod) e
return nil
}

// today K8s does not allow updating HostNetwork flag for an existing Pod. So NPM can safely
// check on the oldPodObj for hostNework value
if isHostNetworkPod(oldPodObj) {
log.Logf(
"POD UPDATING ignored for HostNetwork Pod:\n old pod: [%s/%s/%+v/%s/%s]\n new pod: [%s/%s/%+v/%s/%s]",
oldPodObj.ObjectMeta.Namespace, oldPodObj.ObjectMeta.Name, oldPodObj.Status.PodIP,
newPodObj.ObjectMeta.Namespace, newPodObj.ObjectMeta.Name, newPodObj.Status.PodIP,
)
return nil
}

if isInvalidPodUpdate(oldPodObj, newPodObj) {
return nil
}
Expand Down
180 changes: 180 additions & 0 deletions npm/pod_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -202,3 +202,183 @@ func TestDeletePod(t *testing.T) {
}
npMgr.Unlock()
}

func TestAddHostNetworkPod(t *testing.T) {
npMgr := &NetworkPolicyManager{
nsMap: make(map[string]*namespace),
podMap: make(map[string]string),
TelemetryEnabled: false,
}

allNs, err := newNs(util.KubeAllNamespacesFlag)
if err != nil {
panic(err.Error)
Copy link
Contributor

@ramiro-gamarra ramiro-gamarra Feb 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldn't panic on tests. use t.Fatal. same for below

Copy link
Contributor Author

@vakalapa vakalapa Feb 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Logged a work item to fix this for all NPM tests.

}
npMgr.nsMap[util.KubeAllNamespacesFlag] = allNs

ipsMgr := ipsm.NewIpsetManager()
if err := ipsMgr.Save(util.IpsetTestConfigFile); err != nil {
t.Errorf("TestAddHostNetworkPod failed @ ipsMgr.Save")
Copy link
Contributor

@ramiro-gamarra ramiro-gamarra Feb 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add error to test logging. gives more context as to why something failed. same for below

Copy link
Contributor Author

@vakalapa vakalapa Feb 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Logged a work item to fix this for all NPM tests.

}

defer func() {
if err := ipsMgr.Restore(util.IpsetTestConfigFile); err != nil {
t.Errorf("TestAddHostNetworkPod failed @ ipsMgr.Restore")
}
}()

podObj := &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: "test-pod",
Namespace: "test-namespace",
Labels: map[string]string{
"app": "test-pod",
},
},
Status: corev1.PodStatus{
Phase: "Running",
PodIP: "1.2.3.4",
},
Spec: corev1.PodSpec{
HostNetwork: true,
},
}

npMgr.Lock()
Copy link
Contributor

@ramiro-gamarra ramiro-gamarra Feb 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

curious about locks being taken, since this variable is scoped to the test. what else could be modifying this?

Copy link
Contributor Author

@vakalapa vakalapa Feb 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are all compartmentalized tests, in the current state they are in, no two tests (i have to double check) share the npMgr. So the lock should be scop is limited to a given testcase.

Copy link
Contributor

@ramiro-gamarra ramiro-gamarra Feb 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suppose my question is, is it necessary to take locks?

if err := npMgr.AddPod(podObj); err != nil {
t.Errorf("TestAddHostNetworkPod failed @ AddPod")
}

if len(npMgr.podMap) >= 1 {
t.Errorf("TestAddHostNetworkPod failed @ podMap length check")
}
npMgr.Unlock()
}

func TestUpdateHostNetworkPod(t *testing.T) {
npMgr := &NetworkPolicyManager{
nsMap: make(map[string]*namespace),
podMap: make(map[string]string),
TelemetryEnabled: false,
}

allNs, err := newNs(util.KubeAllNamespacesFlag)
if err != nil {
panic(err.Error)
}
npMgr.nsMap[util.KubeAllNamespacesFlag] = allNs

ipsMgr := ipsm.NewIpsetManager()
if err := ipsMgr.Save(util.IpsetTestConfigFile); err != nil {
t.Errorf("TestUpdateHostNetworkPod failed @ ipsMgr.Save")
}

defer func() {
if err := ipsMgr.Restore(util.IpsetTestConfigFile); err != nil {
t.Errorf("TestUpdateHostNetworkPod failed @ ipsMgr.Restore")
}
}()

// HostNetwork check is done on the oldPodObj,
// so intentionally not adding hostnet true in newPodObj
oldPodObj := &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: "old-test-pod",
Namespace: "test-namespace",
Labels: map[string]string{
"app": "old-test-pod",
},
},
Status: corev1.PodStatus{
Phase: "Running",
PodIP: "1.2.3.4",
},
Spec: corev1.PodSpec{
HostNetwork: true,
},
}

newPodObj := &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: "new-test-pod",
Namespace: "test-namespace",
Labels: map[string]string{
"app": "new-test-pod",
},
},
Status: corev1.PodStatus{
Phase: "Running",
PodIP: "4.3.2.1",
},
}

npMgr.Lock()
if err := npMgr.AddPod(oldPodObj); err != nil {
t.Errorf("TestUpdateHostNetworkPod failed @ AddPod")
}

if err := npMgr.UpdatePod(oldPodObj, newPodObj); err != nil {
t.Errorf("TestUpdateHostNetworkPod failed @ UpdatePod")
}

if len(npMgr.podMap) >= 1 {
t.Errorf("TestUpdateHostNetworkPod failed @ podMap length check")
}
npMgr.Unlock()
}

func TestDeleteHostNetworkPod(t *testing.T) {
npMgr := &NetworkPolicyManager{
nsMap: make(map[string]*namespace),
podMap: make(map[string]string),
TelemetryEnabled: false,
}

allNs, err := newNs(util.KubeAllNamespacesFlag)
if err != nil {
panic(err.Error)
}
npMgr.nsMap[util.KubeAllNamespacesFlag] = allNs

ipsMgr := ipsm.NewIpsetManager()
if err := ipsMgr.Save(util.IpsetTestConfigFile); err != nil {
t.Errorf("TestDeleteHostNetworkPod failed @ ipsMgr.Save")
}

defer func() {
if err := ipsMgr.Restore(util.IpsetTestConfigFile); err != nil {
t.Errorf("TestDeleteHostNetworkPod failed @ ipsMgr.Restore")
}
}()

podObj := &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: "test-pod",
Namespace: "test-namespace",
Labels: map[string]string{
"app": "test-pod",
},
},
Status: corev1.PodStatus{
Phase: "Running",
PodIP: "1.2.3.4",
},
Spec: corev1.PodSpec{
HostNetwork: true,
},
}

npMgr.Lock()
if err := npMgr.AddPod(podObj); err != nil {
t.Errorf("TestDeleteHostNetworkPod failed @ AddPod")
}

if len(npMgr.podMap) >= 1 {
t.Errorf("TestDeleteHostNetworkPod failed @ podMap length check")
}

if err := npMgr.DeletePod(podObj); err != nil {
t.Errorf("TestDeleteHostNetworkPod failed @ DeletePod")
}
npMgr.Unlock()
}