add networkpolicy support for attachment cni

kubeovn · Nov 23, 2021 · a5f0256 · a5f0256
1 parent 712e6f4
commit a5f0256
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 14 deletions.
diff --git a/pkg/controller/gc.go b/pkg/controller/gc.go
@@ -551,7 +551,7 @@ func (c *Controller) isOVNProvided(providerName string, pod *corev1.Pod) (bool,
 		klog.Errorf("parse annotation logical switch %s error %v", ls, err)
 		return false, err
 	}
-	if subnet.Spec.Provider != "ovn" {
+	if !strings.HasSuffix(subnet.Spec.Provider, util.OvnProvider) {
 		return false, nil
 	}
 	return true, nil

diff --git a/pkg/controller/network_policy.go b/pkg/controller/network_policy.go
@@ -16,6 +16,7 @@ import (
 	"k8s.io/klog"
 
 	kubeovnv1 "github.com/kubeovn/kube-ovn/pkg/apis/kubeovn/v1"
+	"github.com/kubeovn/kube-ovn/pkg/ovs"
 	"github.com/kubeovn/kube-ovn/pkg/util"
 )
 
@@ -496,11 +497,22 @@ func (c *Controller) fetchSelectedPorts(namespace string, selector *metav1.Label
 
 	ports := make([]string, 0, len(pods))
 	for _, pod := range pods {
-		if !isPodAlive(pod) {
+		if !isPodAlive(pod) || pod.Spec.HostNetwork {
 			continue
 		}
-		if !pod.Spec.HostNetwork && pod.Annotations[util.AllocatedAnnotation] == "true" {
-			ports = append(ports, fmt.Sprintf("%s.%s", pod.Name, pod.Namespace))
+		podNets, err := c.getPodKubeovnNets(pod)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get pod networks, %v", err)
+		}
+
+		for _, podNet := range podNets {
+			if !isOvnSubnet(podNet.Subnet) {
+				continue
+			}
+
+			if pod.Annotations[fmt.Sprintf(util.AllocatedAnnotationTemplate, podNet.ProviderName)] == "true" {
+				ports = append(ports, ovs.PodNameToPortName(pod.Name, pod.Namespace, podNet.ProviderName))
+			}
 		}
 	}
 	return ports, nil

diff --git a/pkg/ovs/ovn-nbctl.go b/pkg/ovs/ovn-nbctl.go
@@ -159,13 +159,13 @@ func (c Client) SetPortSecurity(portSecurity bool, port, mac, ipStr, vips string
 // CreatePort create logical switch port in ovn
 func (c Client) CreatePort(ls, port, ip, mac, pod, namespace string, portSecurity bool, securityGroups string, vips string) error {
 	var ovnCommand []string
+	var addresses []string
+	addresses = append(addresses, mac)
+	addresses = append(addresses, strings.Split(ip, ",")...)
 	ovnCommand = []string{MayExist, "lsp-add", ls, port, "--",
-		"lsp-set-addresses", port, mac}
+		"lsp-set-addresses", port, strings.Join(addresses, " ")}
 
 	if portSecurity {
-		var addresses []string
-		addresses = append(addresses, mac)
-		addresses = append(addresses, strings.Split(ip, ",")...)
 		addresses = append(addresses, strings.Split(vips, ",")...)
 		ovnCommand = append(ovnCommand,
 			"--", "lsp-set-port-security", port, strings.Join(addresses, " "))
@@ -1147,14 +1147,17 @@ func (c Client) CreateNpPortGroup(pgName, npNs, npName string) error {
 }
 
 func (c Client) DeletePortGroup(pgName string) error {
-	if _, err := c.ovnNbCommand("get", "port_group", pgName, "_uuid"); err != nil {
-		if strings.Contains(err.Error(), "no row") {
-			return nil
-		}
-		klog.Errorf("failed to get pg %s, %v", pgName, err)
+	output, err := c.ovnNbCommand(
+		"--data=bare", "--no-heading", "--columns=_uuid", "find", "port_group", fmt.Sprintf("name=%s", pgName))
+	if err != nil {
+		klog.Errorf("failed to find port_group %s: %v, %q", pgName, err, output)
 		return err
 	}
-	_, err := c.ovnNbCommand("pg-del", pgName)
+	if output == "" {
+		return nil
+	}
+
+	_, err = c.ovnNbCommand("pg-del", pgName)
 	return err
 }