pkg/redirectpolicy: Add missing namespace check in pod update handler #19193

Merged
3 changes: 2 additions & 1 deletion Documentation/gettingstarted/local-redirect-policy.rst
Expand Up @@ -12,7 +12,8 @@ Local Redirect Policy (beta)

This document explains how to configure Cilium's Local Redirect Policy, that
enables pod traffic destined to an IP address and port/protocol tuple
or Kubernetes service to be redirected locally to a backend pod within a node.
or Kubernetes service to be redirected locally to backend pod(s) within a node,
using eBPF. The namespace of backend pod(s) need to match with that of the policy.
The CiliumLocalRedirectPolicy is configured as a ``CustomResourceDefinition``.

There are two types of Local Redirect Policies supported. When traffic for a
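Review bot: The added sentence "The namespace of backend pod(s) need to match with that of the policy" states the restriction but not what happens when it is violated, and this is the isolation boundary the code change enforces. Suggest saying explicitly that backend pods in any other namespace are ignored by the policy, even when their labels match the selector, so operators do not expect cross-namespace redirection to work. The grammar also needs a fix: the subject is "the namespace", so it should read "needs to match that of the policy".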
2 changes: 1 addition & 1 deletion pkg/redirectpolicy/manager.go
Expand Up @@ -291,7 +291,7 @@ func (rpm *Manager) OnUpdatePodLocked(pod *slimcorev1.Pod, removeOld bool, upser
if upsertNew {
// Check if any of the current redirect policies select this pod.
for _, config := range rpm.policyConfigs {
if config.policyConfigSelectsPod(podData) {
if config.checkNamespace(pod.GetNamespace()) && config.policyConfigSelectsPod(podData) {
rpm.processConfig(config, podData)
}
}
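Review bot: On the changed condition in the `upsertNew` loop, the namespace check is added at the call site (`config.checkNamespace(pod.GetNamespace()) && config.policyConfigSelectsPod(podData)`), which leaves `policyConfigSelectsPod` namespace-unaware, so any other caller has to remember to pair the two. That pairing being forgotten here is the bug this line fixes. Consider moving the namespace comparison into `policyConfigSelectsPod` itself, or into one helper that does both, so a policy cannot select a pod from a different namespace through a path that omits the first check. The comment above the loop ("Check if any of the current redirect policies select this pod.") should also mention that selection is namespace-scoped.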
28 changes: 27 additions & 1 deletion pkg/redirectpolicy/manager_test.go
Expand Up @@ -549,4 +549,30 @@ func (m *ManagerSuite) TestManager_AddrMatcherConfigDualStack(c *C) {
}
}

//TODO Tests for svcMatcher
// Tests add and update pod operations with namespace mismatched pods.
func (m *ManagerSuite) TestManager_OnAddandUpdatePod(c *C) {
configFe := configAddrType
m.rpm.policyFrontendsByHash[fe1.Hash()] = configFe.id
configSvc := configSvcType
m.rpm.policyConfigs[configSvc.id] = &configSvc
pod := pod1.DeepCopy()
pod.Namespace = "ns2"
podID := k8s.ServiceID{
Name: pod.Name,
Namespace: pod.Namespace,
}

m.rpm.OnAddPod(pod)

// Namespace mismatched pod not selected.
c.Assert(len(m.rpm.policyPods), Equals, 0)
_, found := m.rpm.policyPods[podID]
c.Assert(found, Equals, false)

m.rpm.OnUpdatePod(pod, true, true)

// Namespace mismatched pod not selected.
c.Assert(len(m.rpm.policyPods), Equals, 0)
_, found = m.rpm.policyPods[podID]
c.Assert(found, Equals, false)
}
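Review bot: `TestManager_OnAddandUpdatePod` only asserts the negative case (a pod with `pod.Namespace = "ns2"` is absent from `m.rpm.policyPods`), so it cannot distinguish "rejected because of the namespace" from "never selected for some other reason", such as labels that do not match `configSvc`. Add a positive control in the same test: run `OnAddPod` and `OnUpdatePod` with the pod in the policy's namespace and assert that it does appear in `policyPods`, then show that changing only the namespace removes the match. Two smaller points: `configFe` is registered in `policyFrontendsByHash` but never added to `policyConfigs`, so it is unclear what it contributes to the assertions, and the removed `//TODO Tests for svcMatcher` line should stay unless this test is meant to cover that TODO in full. The name would also read better as `TestManager_OnAddAndUpdatePod`.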