fix: add address_set to avoid error message
error parsing match "reg0[10] == 1 && (ip4.src == $destination.kafka.network.policy.zookeeper.kafka.ingress.except.IPv4.1 && ip4.dst == $destination.kafka.network.policy.zookeeper.kafka_ip4)": Syntax error at `$destination.kafka.network.policy.zookeeper.kafka.ingress.except.IPv4.1' expecting address set name.
oilbeater committed May 28, 2021
1 parent c1d3fc3 commit 3dd99a7
Showing 2 changed files with 55 additions and 40 deletions.
93 changes: 54 additions & 39 deletions pkg/controller/network_policy.go
Expand Up @@ -231,27 +231,22 @@ func (c *Controller) handleUpdateNp(key string) error {
}
}
klog.Infof("UpdateNp Ingress, allows is %v, excepts is %v", allows, excepts)
// should not create address_set if there is no addresses
if len(allows) != 0 {
if err := c.ovnClient.CreateAddressSet(ingressAllowAsName, np.Namespace, np.Name, "ingress"); err != nil {
klog.Errorf("failed to create address_set %s, %v", ingressAllowAsName, err)
return err
}
if err := c.ovnClient.SetAddressesToAddressSet(allows, ingressAllowAsName); err != nil {
klog.Errorf("failed to set ingress allow address_set, %v", err)
return err
}
if err := c.ovnClient.CreateAddressSet(ingressAllowAsName, np.Namespace, np.Name, "ingress"); err != nil {
klog.Errorf("failed to create address_set %s, %v", ingressAllowAsName, err)
return err
}
if err := c.ovnClient.SetAddressesToAddressSet(allows, ingressAllowAsName); err != nil {
klog.Errorf("failed to set ingress allow address_set, %v", err)
return err
}

if len(excepts) != 0 {
if err := c.ovnClient.CreateAddressSet(ingressExceptAsName, np.Namespace, np.Name, "ingress"); err != nil {
klog.Errorf("failed to create address_set %s, %v", ingressExceptAsName, err)
return err
}
if err := c.ovnClient.SetAddressesToAddressSet(excepts, ingressExceptAsName); err != nil {
klog.Errorf("failed to set ingress except address_set, %v", err)
return err
}
if err := c.ovnClient.CreateAddressSet(ingressExceptAsName, np.Namespace, np.Name, "ingress"); err != nil {
klog.Errorf("failed to create address_set %s, %v", ingressExceptAsName, err)
return err
}
if err := c.ovnClient.SetAddressesToAddressSet(excepts, ingressExceptAsName); err != nil {
klog.Errorf("failed to set ingress except address_set, %v", err)
return err
}

if len(allows) != 0 || len(excepts) != 0 {
Expand All @@ -264,6 +259,15 @@ func (c *Controller) handleUpdateNp(key string) error {
if len(np.Spec.Ingress) == 0 {
ingressAllowAsName := fmt.Sprintf("%s.%s.all", ingressAllowAsNamePrefix, protocol)
ingressExceptAsName := fmt.Sprintf("%s.%s.all", ingressExceptAsNamePrefix, protocol)
if err := c.ovnClient.CreateAddressSet(ingressAllowAsName, np.Namespace, np.Name, "ingress"); err != nil {
klog.Errorf("failed to create address_set %s, %v", ingressAllowAsName, err)
return err
}

if err := c.ovnClient.CreateAddressSet(ingressExceptAsName, np.Namespace, np.Name, "ingress"); err != nil {
klog.Errorf("failed to create address_set %s, %v", ingressExceptAsName, err)
return err
}
ingressPorts := []netv1.NetworkPolicyPort{}
if err := c.ovnClient.CreateIngressACL(fmt.Sprintf("%s/%s", np.Namespace, np.Name), pgName, ingressAllowAsName, ingressExceptAsName, protocol, ingressPorts); err != nil {
klog.Errorf("failed to create ingress acls for np %s, %v", key, err)
Expand All @@ -284,6 +288,9 @@ func (c *Controller) handleUpdateNp(key string) error {
continue
}
idxStr := values[len(values)-1]
if idxStr == "all" {
continue
}
idx, _ := strconv.Atoi(idxStr)
if idx >= len(np.Spec.Ingress) {
if err := c.ovnClient.DeleteAddressSet(asName); err != nil {
Expand Down Expand Up @@ -340,27 +347,22 @@ func (c *Controller) handleUpdateNp(key string) error {
}
}
klog.Infof("UpdateNp Egress, allows is %v, excepts is %v", allows, excepts)
// should not create address_set if there is no addresses
if len(allows) != 0 {
if err := c.ovnClient.CreateAddressSet(egressAllowAsName, np.Namespace, np.Name, "egress"); err != nil {
klog.Errorf("failed to create address_set %s, %v", egressAllowAsName, err)
return err
}
if err = c.ovnClient.SetAddressesToAddressSet(allows, egressAllowAsName); err != nil {
klog.Errorf("failed to set egress allow address_set, %v", err)
return err
}
if err := c.ovnClient.CreateAddressSet(egressAllowAsName, np.Namespace, np.Name, "egress"); err != nil {
klog.Errorf("failed to create address_set %s, %v", egressAllowAsName, err)
return err
}
if err = c.ovnClient.SetAddressesToAddressSet(allows, egressAllowAsName); err != nil {
klog.Errorf("failed to set egress allow address_set, %v", err)
return err
}

if len(excepts) != 0 {
if err := c.ovnClient.CreateAddressSet(egressExceptAsName, np.Namespace, np.Name, "egress"); err != nil {
klog.Errorf("failed to create address_set %s, %v", egressExceptAsName, err)
return err
}
if err = c.ovnClient.SetAddressesToAddressSet(excepts, egressExceptAsName); err != nil {
klog.Errorf("failed to set egress except address_set, %v", err)
return err
}
if err := c.ovnClient.CreateAddressSet(egressExceptAsName, np.Namespace, np.Name, "egress"); err != nil {
klog.Errorf("failed to create address_set %s, %v", egressExceptAsName, err)
return err
}
if err = c.ovnClient.SetAddressesToAddressSet(excepts, egressExceptAsName); err != nil {
klog.Errorf("failed to set egress except address_set, %v", err)
return err
}

if len(allows) != 0 || len(excepts) != 0 {
Expand All @@ -373,6 +375,15 @@ func (c *Controller) handleUpdateNp(key string) error {
if len(np.Spec.Egress) == 0 {
egressAllowAsName := fmt.Sprintf("%s.%s.all", egressAllowAsNamePrefix, protocol)
egressExceptAsName := fmt.Sprintf("%s.%s.all", egressExceptAsNamePrefix, protocol)
if err := c.ovnClient.CreateAddressSet(egressAllowAsName, np.Namespace, np.Name, "egress"); err != nil {
klog.Errorf("failed to create address_set %s, %v", egressAllowAsName, err)
return err
}

if err := c.ovnClient.CreateAddressSet(egressExceptAsName, np.Namespace, np.Name, "egress"); err != nil {
klog.Errorf("failed to create address_set %s, %v", egressExceptAsName, err)
return err
}
egressPorts := []netv1.NetworkPolicyPort{}
if err := c.ovnClient.CreateEgressACL(fmt.Sprintf("%s/%s", np.Namespace, np.Name), pgName, egressAllowAsName, egressExceptAsName, protocol, egressPorts); err != nil {
klog.Errorf("failed to create egress acls for np %s, %v", key, err)
Expand All @@ -393,6 +404,10 @@ func (c *Controller) handleUpdateNp(key string) error {
continue
}
idxStr := values[len(values)-1]
if idxStr == "all" {
continue
}

idx, _ := strconv.Atoi(idxStr)
if idx >= len(np.Spec.Egress) {
if err := c.ovnClient.DeleteAddressSet(asName); err != nil {
Expand Down Expand Up @@ -676,7 +691,7 @@ func (c *Controller) resyncNodeACL() {
}
} else {
if err := c.ovnClient.RemoveNodeSwitchAcl(subnet.Name); err != nil {
klog.Errorf("failed to set node acl, %v", err)
klog.Errorf("failed to remove node acl, %v", err)
}
}
}
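Review bot: The new `if idxStr == "all" { continue }` guard in the address-set cleanup loops (ingress in the `-284` hunk, egress in the `-393` hunk) special-cases one suffix, but the `idx, _ := strconv.Atoi(idxStr)` right after it still discards the parse error, so any other non-numeric suffix becomes index 0 and the set is not deleted whenever the policy has at least one rule. Checking the error handles "all" and every other non-numeric name in one place: `idx, err := strconv.Atoi(idxStr); if err != nil { klog.Warningf("skip address_set %s with non-numeric suffix %q", asName, idxStr); continue }`. If I read the loop correctly, a consequence of the guard is that the `.all` sets created in the `len(np.Spec.Ingress) == 0` and `len(np.Spec.Egress) == 0` branches are never removed once the policy later gains rules; if that is intended, a comment on the guard saying so would help the next reader. The ingress and egress branches are otherwise near-verbatim copies (down to the `err :=` versus `err =` difference), so a small helper taking the direction and the two set names would shrink this function. handleUpdateNp starts and ends outside the hunks shown.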
2 changes: 1 addition & 1 deletion pkg/ovs/ovn-nbctl.go
Expand Up @@ -227,7 +227,7 @@ func (c Client) CreateLogicalSwitch(ls, lr, protocol, subnet, gateway string, ex
"set", "logical_switch", ls, fmt.Sprintf("other_config:gateway=%s", gateway), "--",
"set", "logical_switch", ls, fmt.Sprintf("other_config:exclude_ips=%s", strings.Join(excludeIps, " ")))
case kubeovnv1.ProtocolDual:
// gateway is not offical column, which is used for private
// gateway is not an official column, which is used for private
cidrBlocks := strings.Split(subnet, ",")
_, err = c.ovnNbCommand(MayExist, "ls-add", ls, "--",
"set", "logical_switch", ls, fmt.Sprintf("other_config:subnet=%s", cidrBlocks[0]), "--",
