add skip-cleanup arg

istio · May 16, 2024 · 03cc823 · 03cc823
1 parent 0ceea78
commit 03cc823
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 3 deletions.
diff --git a/tools/istio-iptables/pkg/capture/run.go b/tools/istio-iptables/pkg/capture/run.go
@@ -927,7 +927,7 @@ func (cfg *IptablesConfigurator) executeCommands(iptVer, ipt6Ver *dep.IptablesVe
 	residueFound, applyRequired := cfg.VerifyRerunStatus(iptVer, ipt6Ver)
 
 	// Cleanup Step
-	if (residueFound && applyRequired) || cfg.cfg.CleanupOnly {
+	if (residueFound && applyRequired && !cfg.cfg.SkipCleanup) || cfg.cfg.CleanupOnly {
 		// Apply safety guardrails if not there
 		if residueFound {
 			log.Info("Setting up guardrails")

diff --git a/tools/istio-iptables/pkg/capture/run_test.go b/tools/istio-iptables/pkg/capture/run_test.go
@@ -384,6 +384,7 @@ func TestIdempotentEquivalentRerun(t *testing.T) {
 			defer func() {
 				// Final Cleanup
 				cfg.CleanupOnly = true
+				cfg.SkipCleanup = false
 				iptConfigurator := NewIptablesConfigurator(cfg, ext)
 				assert.NoError(t, iptConfigurator.Run())
 				residueFound, applyRequired := iptConfigurator.VerifyRerunStatus(&iptVer, &ipt6Ver)
@@ -392,6 +393,7 @@ func TestIdempotentEquivalentRerun(t *testing.T) {
 			}()
 
 			// First Pass
+			cfg.SkipCleanup = true
 			iptConfigurator := NewIptablesConfigurator(cfg, ext)
 			assert.NoError(t, iptConfigurator.Run())
 			residueFound, applyRequired := iptConfigurator.VerifyRerunStatus(&iptVer, &ipt6Ver)
@@ -438,6 +440,7 @@ func TestIdempotentUnequaledRerun(t *testing.T) {
 			defer func() {
 				// Final Cleanup
 				cfg.CleanupOnly = true
+				cfg.SkipCleanup = false
 				iptConfigurator := NewIptablesConfigurator(cfg, ext)
 				assert.NoError(t, iptConfigurator.Run())
 				residueFound, applyRequired := iptConfigurator.VerifyRerunStatus(&iptVer, &ipt6Ver)
@@ -466,10 +469,15 @@ func TestIdempotentUnequaledRerun(t *testing.T) {
 			assert.Equal(t, residueFound, true)
 			assert.Equal(t, applyRequired, true)
 
-			// Second pass
+			// Fail is expected if cleanup is skipped
+			cfg.SkipCleanup = true
 			iptConfigurator = NewIptablesConfigurator(cfg, ext)
-			assert.NoError(t, iptConfigurator.Run())
+			assert.Error(t, iptConfigurator.Run())
 
+			// Second pass with cleanup
+			cfg.SkipCleanup = false
+			iptConfigurator = NewIptablesConfigurator(cfg, ext)
+			assert.NoError(t, iptConfigurator.Run())
 		})
 	}
 }

diff --git a/tools/istio-iptables/pkg/cmd/root.go b/tools/istio-iptables/pkg/cmd/root.go
@@ -137,6 +137,8 @@ func bindCmdlineFlags(cfg *config.Config, cmd *cobra.Command) {
 
 	flag.BindEnv(fs, constants.CNIMode, "", "Whether to run as CNI plugin.", &cfg.CNIMode)
 
+	flag.BindEnv(fs, constants.SkipCleanup, "", "Skip cleanup of pre-existing and incompatible iptables rules", &cfg.SkipCleanup)
+
 	flag.BindEnv(fs, constants.CleanupOnly, "", "Perform a forced cleanup without creating new iptables chains or rules.",
 		&cfg.CleanupOnly)
 }

diff --git a/tools/istio-iptables/pkg/config/config.go b/tools/istio-iptables/pkg/config/config.go
@@ -87,6 +87,7 @@ type Config struct {
 	DualStack               bool          `json:"DUAL_STACK"`
 	HostIP                  netip.Addr    `json:"HOST_IP"`
 	HostIPv4LoopbackCidr    string        `json:"HOST_IPV4_LOOPBACK_CIDR"`
+	SkipCleanup             bool          `json:"SKIP_CLEANUP"`
 	CleanupOnly             bool          `json:"CLEANUP_ONLY"`
 }
 

diff --git a/tools/istio-iptables/pkg/constants/constants.go b/tools/istio-iptables/pkg/constants/constants.go
@@ -106,6 +106,7 @@ const (
 	CaptureAllDNS             = "capture-all-dns"
 	NetworkNamespace          = "network-namespace"
 	CNIMode                   = "cni-mode"
+	SkipCleanup               = "skip-cleanup"
 	CleanupOnly               = "cleanup-only"
 )