node/vnids: Correctly handle case where NetNamespace watch is far behind

When adding a pod, if the NetNamespace isn't found, we'll issue a GET directly to the apiserver and treat it as an ADD. Except we didn't actually handle it correctly, and caused NetworkPolicy to ignore this NetNS forever. Fixes: rhbz 1825355
squeed · Apr 28, 2020 · b5f89a6 · b5f89a6
1 parent 3bc4715
commit b5f89a6
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 6 deletions.
diff --git a/pkg/network/node/networkpolicy.go b/pkg/network/node/networkpolicy.go
@@ -102,6 +102,9 @@ func (np *networkPolicyPlugin) SupportsVNIDs() bool {
 }
 
 func (np *networkPolicyPlugin) Start(node *OsdnNode) error {
+	np.lock.Lock()
+	defer np.lock.Unlock()
+
 	np.node = node
 	np.vnids = newNodeVNIDMap(np, node.networkClient)
 	if err := np.vnids.Start(node.networkInformers); err != nil {
@@ -134,9 +137,6 @@ func (np *networkPolicyPlugin) Start(node *OsdnNode) error {
 }
 
 func (np *networkPolicyPlugin) initNamespaces() error {
-	np.lock.Lock()
-	defer np.lock.Unlock()
-
 	inUseVNIDs := np.node.oc.FindPolicyVNIDs()
 
 	namespaces, err := np.node.kClient.CoreV1().Namespaces().List(metav1.ListOptions{})
@@ -149,7 +149,9 @@ func (np *networkPolicyPlugin) initNamespaces() error {
 		npns.gotNamespace = true
 		np.namespacesByName[ns.Name] = npns
 
-		if vnid, err := np.vnids.WaitAndGetVNID(ns.Name); err == nil {
+		// can't call WaitAndGetVNID here, because it calls back in to np
+		// and we hold the lock!
+		if vnid, err := np.vnids.getVNID(ns.Name); err == nil {
 			npns.vnid = vnid
 			npns.inUse = inUseVNIDs.Has(int(vnid))
 			npns.gotNetNamespace = true
@@ -162,7 +164,7 @@ func (np *networkPolicyPlugin) initNamespaces() error {
 		return err
 	}
 	for _, policy := range policies.Items {
-		vnid, err := np.vnids.WaitAndGetVNID(policy.Namespace)
+		vnid, err := np.vnids.getVNID(policy.Namespace)
 		if err != nil {
 			continue
 		}

diff --git a/pkg/network/node/vnids.go b/pkg/network/node/vnids.go
@@ -119,7 +119,7 @@ func (vmap *nodeVNIDMap) WaitAndGetVNID(name string) (uint32, error) {
 			return 0, fmt.Errorf("failed to find netid for namespace: %s, %v", name, err)
 		}
 		klog.Warningf("Netid for namespace: %s exists but not found in vnid map", name)
-		vmap.setVNID(netns.Name, netns.NetID, netnsIsMulticastEnabled(netns))
+		vmap.handleAddOrUpdateNetNamespace(netns, nil, watch.Added)
 		return netns.NetID, nil
 	}
 }