Enable outboundNAT for Windows containers.

network/endpoint.go

@@ -51,19 +51,13 @@ func (nw *network) newEndpoint(epInfo *EndpointInfo) (*endpoint, error) {
 		}
 	}()
 
-	if nw.Endpoints[epInfo.Id] != nil {
-		err = errEndpointExists
-		return nil, err
-	}
-
 	// Call the platform implementation.
 	ep, err = nw.newEndpointImpl(epInfo)
 	if err != nil {
 		return nil, err
 	}
 
 	nw.Endpoints[epInfo.Id] = ep
-
 	log.Printf("[net] Created endpoint %+v.", ep)
 
 	return ep, nil

network/endpoint_linux.go

@@ -32,6 +32,12 @@ func (nw *network) newEndpointImpl(epInfo *EndpointInfo) (*endpoint, error) {
 	var ep *endpoint
 	var err error
 
+	if nw.Endpoints[epInfo.Id] != nil {
+		log.Printf("[net] Endpoint alreday exists.")		
+		err = errEndpointExists
+		return nil, err
+	}
+
 	// Create a veth pair.
 	hostIfName := fmt.Sprintf("%s%s", hostVEthInterfacePrefix, epInfo.Id[:7])
 	contIfName := fmt.Sprintf("%s%s-2", hostVEthInterfacePrefix, epInfo.Id[:7])

network/endpoint_windows.go

@@ -14,16 +14,71 @@ import (
 	"github.com/Microsoft/hcsshim"
 )
 
+// ConstructEpName constructs endpoint name from netNsPath.
+func ConstructEpName(containerID string, netNsPath string, ifName string) (string, string) {
+	infraEpName, workloadEpName := "", ""
+
+	if len(containerID) > 8 {
+		containerID = containerID[:8]
+	}
+
+	if netNsPath != "" {
+		splits := strings.Split(netNsPath, ":")
+		// For workload containers, we extract its linking infrastructure container ID.
+		if len(splits) == 2 {
+			if len(splits[1]) > 8 {
+				splits[1] = splits[1][:8]
+			}
+			infraEpName = splits[1] + "-" + ifName
+			workloadEpName = containerID + "-" + ifName
+		} else {
+			// For infrastructure containers, we just use its container ID.
+			infraEpName = containerID + "-" + ifName
+		}
+	}
+	return infraEpName, workloadEpName
+}
+
 // newEndpointImpl creates a new endpoint in the network.
 func (nw *network) newEndpointImpl(epInfo *EndpointInfo) (*endpoint, error) {
-	// Initialize HNS endpoint.
-	hnsEndpoint := &hcsshim.HNSEndpoint{
-		Name:           epInfo.Id,
+	// Get Infrastructure containerID. Handle ADD calls for workload container.
+	infraEpName, workloadEpName := ConstructEpName(epInfo.ContainerID, epInfo.NetNsPath, epInfo.IfName)
+
+	/* Handle consecutive ADD calls for infrastructure containers.
+	 * This is a temporary work around for issue #57253 of Kubernetes.
+	 * We can delete this if statement once they fix it.
+	 * Issue link: https://github.com/kubernetes/kubernetes/issues/57253
+	 */
+	if workloadEpName == "" {
+		if nw.Endpoints[infraEpName] != nil {
+			log.Printf("[net] Found existing endpoint %v, return immediately.", infraEpName)
+			return nw.Endpoints[infraEpName], nil
+		}
+	}
+
+	log.Printf("[net] infraEpName: %v", infraEpName)
+
+	hnsEndpoint, _ := hcsshim.GetHNSEndpointByName(infraEpName)
+	if hnsEndpoint != nil {
+		log.Printf("[net] Found existing endpoint through hcsshim%v", infraEpName)
+		log.Printf("[net] Attaching ep %v to container %v", hnsEndpoint.Id, epInfo.ContainerID)
+		if err := hcsshim.HotAttachEndpoint(epInfo.ContainerID, hnsEndpoint.Id); err != nil {
+			return nil, err
+		}
+		return nw.Endpoints[infraEpName], nil
+	}
+
+	hnsEndpoint = &hcsshim.HNSEndpoint{
+		Name:           infraEpName,
 		VirtualNetwork: nw.HnsId,
 		DNSSuffix:      epInfo.DNS.Suffix,
 		DNSServerList:  strings.Join(epInfo.DNS.Servers, ","),
 	}
 
+	//enable outbound NAT
+	var enableOutBoundNat = json.RawMessage(`{"Type":  "OutBoundNAT"}`)
+	hnsEndpoint.Policies = append(hnsEndpoint.Policies, enableOutBoundNat)
+
 	// HNS currently supports only one IP address per endpoint.
 	if epInfo.IPAddresses != nil {
 		hnsEndpoint.IPAddress = epInfo.IPAddresses[0].IP
@@ -55,7 +110,7 @@ func (nw *network) newEndpointImpl(epInfo *EndpointInfo) (*endpoint, error) {
 
 	// Create the endpoint object.
 	ep := &endpoint{
-		Id:          epInfo.Id,
+		Id:          infraEpName,
 		HnsId:       hnsResponse.Id,
 		SandboxKey:  epInfo.ContainerID,
 		IfName:      epInfo.IfName,