Skip to content

Commit

Permalink
ipam: Protect release from releasing alive IP
Browse files Browse the repository at this point in the history 
[ upstream commit 4890a15 ]

It has been observed that kubelet calls CNI DELETE multiple times with
potentially stale CNI result information. This can lead to a race condition
where the initial CNI DELETE properly releases the IP in use which then gets
reused by a different pod. Any subsequent CNI DELETE with the stale IP will
then cause the IP of the live pod to be released. While the pod will continue
to function, the next scheduled pod will attempt to use that IP and
continuously fail to be scheduled due to a IP in use error.

This is a regression of commit ab61853 which introduced the ability for CNI
DELETE to release an IP even if the endpoint deletion fails which is required
to fix the race condition when the CNI binary gets killed in between allocating
an IP and creating the endpoint.

Fixes: ab61853 ("cni: Release IP even when endpoint deletion fails")
Fixes: #10065

Signed-off-by: Thomas Graf <thomas@cilium.io>
Signed-off-by: Ray Bejjani <ray@isovalent.com>
  • Loading branch information
@tgraf @aanm
tgraf authored and aanm committed Feb 12, 2020
1 parent 62f4ccf commit 0f07953
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions daemon/ipam.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,11 +15,13 @@
package main

import (
"fmt"
"strings"

"github.com/cilium/cilium/api/v1/models"
ipamapi "github.com/cilium/cilium/api/v1/server/restapi/ipam"
"github.com/cilium/cilium/pkg/api"
"github.com/cilium/cilium/pkg/endpointmanager"
"github.com/cilium/cilium/pkg/node"
"github.com/cilium/cilium/pkg/option"

Expand Down Expand Up @@ -92,6 +94,14 @@ func NewDeleteIPAMIPHandler(d *Daemon) ipamapi.DeleteIPAMIPHandler {
}

func (h *deleteIPAMIP) Handle(params ipamapi.DeleteIPAMIPParams) middleware.Responder {
// Release of an IP that is in use is not allowed
if ep := endpointmanager.LookupIPv4(params.IP); ep != nil {
return api.Error(ipamapi.DeleteIPAMIPFailureCode, fmt.Errorf("IP is in use by endpoint %d", ep.ID))
}
if ep := endpointmanager.LookupIPv6(params.IP); ep != nil {
return api.Error(ipamapi.DeleteIPAMIPFailureCode, fmt.Errorf("IP is in use by endpoint %d", ep.ID))
}

if err := h.daemon.ipam.ReleaseIPString(params.IP); err != nil {
return api.Error(ipamapi.DeleteIPAMIPFailureCode, err)
}
Expand Down

0 comments on commit 0f07953

Please sign in to comment.