fix: pod should be accessed from node when acl applied
oilbeater committed Aug 28, 2019
1 parent bb63f8c commit 38be68d
Showing 2 changed files with 19 additions and 6 deletions.
12 changes: 6 additions & 6 deletions pkg/controller/subnet.go
Expand Up @@ -382,11 +382,11 @@ func (c *Controller) handleAddSubnet(key string) error {
return err
}

err = c.ovnClient.CleanLogicalSwitchAcl(subnet.Name)
err = c.ovnClient.ResetLogicalSwitchAcl(subnet.Name, subnet.Spec.Protocol)
if err != nil {
subnet.Status.SetError("CleanLogicalSwitchAclFailed", err.Error())
subnet.Status.SetError("ResetLogicalSwitchAclFailed", err.Error())
} else {
subnet.Status.Ready("CleanLogicalSwitchAclSuccess", "")
subnet.Status.Ready("ResetLogicalSwitchAclSuccess", "")
}
bytes, err1 := subnet.Status.Bytes()
if err1 != nil {
Expand Down Expand Up @@ -491,11 +491,11 @@ func (c *Controller) handleUpdateSubnet(key string) error {
}
return err
}
err = c.ovnClient.CleanLogicalSwitchAcl(subnet.Name)
err = c.ovnClient.ResetLogicalSwitchAcl(subnet.Name, subnet.Spec.Protocol)
if err != nil {
subnet.Status.SetError("CleanLogicalSwitchAclFailed", err.Error())
subnet.Status.SetError("ResetLogicalSwitchAclFailed", err.Error())
} else {
subnet.Status.Ready("CleanLogicalSwitchAclSuccess", "")
subnet.Status.Ready("ResetLogicalSwitchAclSuccess", "")
}
bytes, err1 := subnet.Status.Bytes()
if err1 != nil {
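Review bot: The reset-plus-status block around the `ResetLogicalSwitchAcl` call is now duplicated verbatim in handleAddSubnet (this hunk) and handleUpdateSubnet (the hunk at line 491), down to the `ResetLogicalSwitchAclFailed` / `ResetLogicalSwitchAclSuccess` reason strings; extracting it into a helper such as `err = c.resetSubnetAcl(subnet)` that performs the reset and records the status would keep the two paths from drifting. Since the reset starts with `acl-del` on the whole switch before the node-allow rule is added, any private-subnet ACLs installed by SetPrivateLogicalSwitch must be applied after this call rather than before; the visible lines do not show that ordering, so it is worth confirming it is reset-then-private in both handlers. Both handleAddSubnet and handleUpdateSubnet start and end outside the hunks.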
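--- a/pkg/ovs/ovn-nbctl.go
+++ b/pkg/ovs/ovn-nbctl.go
@@ -303,6 +303,19 @@ func (c Client) CleanLogicalSwitchAcl(ls string) error {
 return err
 }
 
+// ResetLogicalSwitchAcl reset acl of a switch
+func (c Client) ResetLogicalSwitchAcl(ls, protocol string) error {
+var err error
+if protocol == kubeovnv1.ProtocolIPv6 {
+_, err = c.ovnNbCommand("acl-del", ls, "--",
+"acl-add", ls, "to-lport", util.NodeAllowPriority, fmt.Sprintf("ip6.src==%s", c.NodeSwitchCIDR), "allow-related")
+} else {
+_, err = c.ovnNbCommand("acl-del", ls, "--",
+"acl-add", ls, "to-lport", util.NodeAllowPriority, fmt.Sprintf("ip4.src==%s", c.NodeSwitchCIDR), "allow-related")
+}
+return err
+}
+
 // SetPrivateLogicalSwitch will drop all ingress traffic except allow subnets
 func (c Client) SetPrivateLogicalSwitch(ls, protocol, cidr string, allow []string) error {
 delArgs := []string{"acl-del", ls}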
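Review bot: Any protocol value other than `kubeovnv1.ProtocolIPv6` — including an empty or misspelled one — silently takes the IPv4 branch of ResetLogicalSwitchAcl and installs an `ip4.src` rule, so a bad value produces a rule that may never match instead of an error; if the caller cannot guarantee the value, rejecting unknown protocols here would make the failure visible rather than leaving nodes cut off from the subnet. The two branches differ only in the `ip4`/`ip6` prefix, so they can be folded into a single command. The doc comment `// ResetLogicalSwitchAcl reset acl of a switch` understates the effect: the function deletes every ACL on ls and leaves only one to-lport allow-related rule for traffic sourced from the node switch CIDR, so callers that need other ACLs must re-add them afterwards, and the comment should say so. The `--` chaining sends delete and add to ovn-nbctl in one invocation, which presumably keeps them in one transaction; that is worth a why-comment as well.
```go
// ResetLogicalSwitchAcl removes every ACL on ls and installs a single to-lport
// allow-related rule for traffic sourced from the node switch CIDR, so nodes keep
// reaching pods after ACLs are applied. Any other ACL the switch needs must be
// re-added after this call. Non-IPv6 protocol values are treated as IPv4.
func (c Client) ResetLogicalSwitchAcl(ls, protocol string) error {
	ipPrefix := "ip4"
	if protocol == kubeovnv1.ProtocolIPv6 {
		ipPrefix = "ip6"
	}
	// acl-del and acl-add are chained with "--" so they reach ovn-nbctl together
	// and the switch is not left without the node-allow rule in between.
	_, err := c.ovnNbCommand("acl-del", ls, "--",
		"acl-add", ls, "to-lport", util.NodeAllowPriority, fmt.Sprintf("%s.src==%s", ipPrefix, c.NodeSwitchCIDR), "allow-related")
	return err
}
```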
