endpoint: trigger k8s sync controller on identity update

When an endpoint's identity is updated, Cilium does not sync immediately the new state with k8s, but rather waits up to 10 seconds for the sync-to-k8s-ciliumendpoint controller to run, meaning that the the new identity can remain unannounced for up to 10 seconds. This commit fixes this by explicitly triggering the k8s sync controller whenever an endpoint's identity is updated. Fixes: #15097 Suggested-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com>
cilium · Jun 1, 2021 · 26d3fca · 26d3fca
1 parent 231ef51
commit 26d3fca
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/pkg/endpoint/endpoint.go b/pkg/endpoint/endpoint.go
@@ -350,6 +350,10 @@ type Endpoint struct {
 	isHost bool
 
 	noTrackPort uint16
+
+	// endpointSyncControllerName is the name of the endpoint controller
+	// used to synchronize the endpoint itself to kubernetes
+	endpointSyncControllerName string
 }
 
 // SetAllocator sets the identity allocator for this endpoint.
@@ -1961,6 +1965,10 @@ func (e *Endpoint) identityLabelsChanged(ctx context.Context, myChangeRev int) (
 	// assigned.
 	e.forcePolicyComputation()
 
+	// Trigger the sync-to-k8s-ciliumendpoint controller to sync the new
+	// endpoint's identity.
+	e.controllers.TriggerController(e.endpointSyncControllerName)
+
 	e.unlock()
 
 	if readyToRegenerate {
@@ -2335,3 +2343,12 @@ func (e *Endpoint) setDefaultPolicyConfig() {
 func (e *Endpoint) GetCreatedAt() time.Time {
 	return e.createdAt
 }
+
+// SetEndpointSyncControllerName sets the name of the endpoint controller used
+// to synchronize the endpoint itself to kubernetes.
+func (e *Endpoint) SetEndpointSyncControllerName(name string) {
+	e.mutex.Lock()
+	defer e.mutex.Unlock()
+
+	e.endpointSyncControllerName = name
+}
diff --git a/pkg/k8s/watchers/endpointsynchronizer.go b/pkg/k8s/watchers/endpointsynchronizer.go
@@ -90,6 +90,8 @@ func (epSync *EndpointSynchronizer) RunK8sCiliumEndpointSync(e *endpoint.Endpoin
 		needInit = true                    // needInit indicates that we may need to create the CEP
 	)
 
+	e.SetEndpointSyncControllerName(controllerName)
+
 	// NOTE: The controller functions do NOT hold the endpoint locks
 	e.UpdateController(controllerName,
 		controller.ControllerParams{