From 82f7917e67a1b1b28ddbc0af6058c98d13623dd9 Mon Sep 17 00:00:00 2001
From: Aaron U'Ren
Date: Thu, 9 May 2024 17:10:13 -0500
Subject: [PATCH] fix(ipset): reset ipset handler before use

At the very end of a NPC full sync we call ipset.Save() during the ipset cleanup stage. This causes all of the current IPv4 and IPv6 sets that are defined on the system (ours or not) to enter into the handler's state. Since `ipset restore` is not implicitly destructive (e.g. it doesn't remove sets that aren't defined like iptables-restore does) we don't really need this previous state, and in some ways it may come back to cause bugs if the state isn't purged. So this is a fail safe to clean them out to ensure that they don't end up building up cruft. It also makes the restores go faster as kube-router is only defining it's own rules rather than defining all rules.
---
 .../netpol/network_policy_controller.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/pkg/controllers/netpol/network_policy_controller.go b/pkg/controllers/netpol/network_policy_controller.go
index a6addb4356..e4cc19f8cc 100644
--- a/pkg/controllers/netpol/network_policy_controller.go
+++ b/pkg/controllers/netpol/network_policy_controller.go
@@ -226,6 +226,22 @@ func (npc *NetworkPolicyController) fullPolicySync() {
 	npc.mu.Lock()
 	defer npc.mu.Unlock()
 
+	for ipFamily := range npc.ipSetHandlers {
+		// Ensure that we start with clean handlers that don't contain previous save data
+		var err error
+		//nolint:exhaustive // we don't need a default condition here because we control this ourselves
+		switch ipFamily {
+		case v1core.IPv4Protocol:
+			npc.ipSetHandlers[ipFamily], err = utils.NewIPSet(false)
+		case v1core.IPv6Protocol:
+			npc.ipSetHandlers[ipFamily], err = utils.NewIPSet(true)
+		}
+		if err != nil {
+			klog.Errorf("failed to create ipset handler: %v", err)
+			return
+		}
+	}
+
 	healthcheck.SendHeartBeat(npc.healthChan, "NPC")
 	start := time.Now()
 	syncVersion := strconv.FormatInt(start.UnixNano(), syncVersionBase)
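Review bot: The handler slot is overwritten before `err` is inspected, so if `utils.NewIPSet` fails the function returns with `npc.ipSetHandlers[ipFamily]` holding the failed call's (presumably nil) result instead of the previous handler, and anything that later reads that entry would dereference it. Construct into a local and store only on success, e.g. `h, err := utils.NewIPSet(ipFamily == v1core.IPv6Protocol)`, keep the existing error check, then `npc.ipSetHandlers[ipFamily] = h`; if the explicit switch is preferred, saving `prev := npc.ipSetHandlers[ipFamily]` before it and restoring `prev` in the error branch has the same effect. Whether other code reads the map between syncs is not visible in this hunk, and the early `return` also skips `healthcheck.SendHeartBeat`, which may be intended but is worth a comment. `fullPolicySync` continues past the end of the hunk.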