Adds a locked function to do ipcache delete on metadata match

Fixes potential racing condition introduced in PR cilium#17161. Suggested-by: Joe Stringer <joe@cilium.io> Signed-off-by: Weilong Cui <cuiwl@google.com>
Weil0ng · Nov 16, 2021 · 4b8e433 · 4b8e433
1 parent 849983d
commit 4b8e433
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 16 deletions.
diff --git a/pkg/ipcache/ipcache.go b/pkg/ipcache/ipcache.go
@@ -492,6 +492,18 @@ func (ipc *IPCache) GetNamedPorts() (npm policy.NamedPortMultiMap) {
 	return npm
 }
 
+// DeleteOnMetadataMatch removes the provided IP to security identity mapping from the IPCache
+// if the metadata cache holds the same "owner" metadata as the triggering pod event.
+func (ipc *IPCache) DeleteOnMetadataMatch(IP string, source source.Source, namespace, name string) (namedPortsChanged bool) {
+	ipc.mutex.Lock()
+	defer ipc.mutex.Unlock()
+	k8sMeta := ipc.getK8sMetadata(IP)
+	if k8sMeta != nil && k8sMeta.Namespace == namespace && k8sMeta.PodName == name {
+		return ipc.deleteLocked(IP, source)
+	}
+	return false
+}
+
 // Delete removes the provided IP-to-security-identity mapping from the IPCache.
 func (ipc *IPCache) Delete(IP string, source source.Source) (namedPortsChanged bool) {
 	ipc.mutex.Lock()

diff --git a/pkg/k8s/watchers/cilium_endpoint.go b/pkg/k8s/watchers/cilium_endpoint.go
@@ -210,22 +210,16 @@ func (k *K8sWatcher) endpointDeleted(endpoint *types.CiliumEndpoint) {
 		namedPortsChanged := false
 		for _, pair := range endpoint.Networking.Addressing {
 			if pair.IPV4 != "" {
-				k8sMeta := ipcache.IPIdentityCache.GetK8sMetadata(pair.IPV4)
-				if k8sMeta != nil && k8sMeta.Namespace == endpoint.Namespace && k8sMeta.PodName == endpoint.Name {
-					portsChanged := ipcache.IPIdentityCache.Delete(pair.IPV4, source.CustomResource)
-					if portsChanged {
-						namedPortsChanged = true
-					}
+				portsChanged := ipcache.IPIdentityCache.DeleteOnMetadataMatch(pair.IPV4, source.CustomResource, endpoint.Namespace, endpoint.Name)
+				if portsChanged {
+					namedPortsChanged = true
 				}
 			}
 
 			if pair.IPV6 != "" {
-				k8sMeta := ipcache.IPIdentityCache.GetK8sMetadata(pair.IPV6)
-				if k8sMeta != nil && k8sMeta.Namespace == endpoint.Namespace && k8sMeta.PodName == endpoint.Name {
-					portsChanged := ipcache.IPIdentityCache.Delete(pair.IPV6, source.CustomResource)
-					if portsChanged {
-						namedPortsChanged = true
-					}
+				portsChanged := ipcache.IPIdentityCache.DeleteOnMetadataMatch(pair.IPV6, source.CustomResource, endpoint.Namespace, endpoint.Name)
+				if portsChanged {
+					namedPortsChanged = true
 				}
 			}
 		}

diff --git a/pkg/k8s/watchers/pod.go b/pkg/k8s/watchers/pod.go
@@ -824,10 +824,7 @@ func (k *K8sWatcher) deletePodHostData(pod *slim_corev1.Pod) (bool, error) {
 			continue
 		}
 
-		k8sMeta := ipcache.IPIdentityCache.GetK8sMetadata(podIP)
-		if k8sMeta.Namespace == pod.Namespace && k8sMeta.PodName == pod.Name {
-			ipcache.IPIdentityCache.Delete(podIP, source.Kubernetes)
-		}
+		ipcache.IPIdentityCache.DeleteOnMetadataMatch(podIP, source.Kubernetes, pod.Namespace, pod.Name)
 	}
 
 	if len(errs) != 0 {