moved default deny acl under interfaceinfo

rejain789 · rejain789 · commit 162714bc5553 · 2024-12-23T18:23:04.000-08:00
diff --git a/cni/network/invoker.go b/cni/network/invoker.go
@@ -28,8 +28,7 @@ type IPAMAddConfig struct {
 type IPAMAddResult struct {
 	interfaceInfo map[string]network.InterfaceInfo
 	// ncResponse and host subnet prefix were moved into interface info
-	ipv6Enabled    bool
-	defaultDenyACL []cni.KVPair
+	ipv6Enabled bool
 }
 
 func (ipamAddResult IPAMAddResult) PrettyString() string {
diff --git a/cni/network/invoker_cns.go b/cni/network/invoker_cns.go
@@ -447,8 +447,6 @@ func configureDefaultAddResult(info *IPResultInfo, addConfig *IPAMAddConfig, add
 			})
 		}
 
-		addResult.defaultDenyACL = append(addResult.defaultDenyACL, info.defaultDenyACL...)
-
 		// if we have multiple infra ip result infos, we effectively append routes and ip configs to that same interface info each time
 		// the host subnet prefix (in ipv4 or ipv6) will always refer to the same interface regardless of which ip result info we look at
 		addResult.interfaceInfo[key] = network.InterfaceInfo{
@@ -457,6 +455,7 @@ func configureDefaultAddResult(info *IPResultInfo, addConfig *IPAMAddConfig, add
 			IPConfigs:         ipConfigs,
 			Routes:            resRoute,
 			HostSubnetPrefix:  *hostIPNet,
+			DefaultDenyACL:    info.defaultDenyACL,
 		}
 	}
 
diff --git a/cni/network/invoker_cns_test.go b/cni/network/invoker_cns_test.go
@@ -821,10 +821,8 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 			ipamAddResult, err := invoker.Add(IPAMAddConfig{nwCfg: tt.args.nwCfg, args: tt.args.args, options: tt.args.options})
 			if tt.wantErr {
 				require.Error(err)
-				require.Equalf([]cni.KVPair(nil), ipamAddResult.defaultDenyACL, "incorrect default deny ACL")
 			} else {
 				require.NoError(err)
-				require.Equalf(expectedDefaultDenyACL, ipamAddResult.defaultDenyACL, "correct default deny ACL")
 			}
 
 			for _, ifInfo := range ipamAddResult.interfaceInfo {
@@ -837,6 +835,7 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 				}
 				if ifInfo.NICType == cns.InfraNIC {
 					require.Equalf(tt.wantDefaultResult, ifInfo, "incorrect default response")
+					require.Equalf(expectedDefaultDenyACL, ifInfo.DefaultDenyACL, "Correct default deny ACL")
 				}
 			}
 		})
diff --git a/cni/network/network.go b/cni/network/network.go
@@ -564,7 +564,7 @@ func (plugin *NetPlugin) Add(args *cniSkel.CmdArgs) error {
 		if len(ipamAddResult.interfaceInfo) > 1 && !plugin.isDualNicFeatureSupported(args.Netns) {
 			errMsg := fmt.Sprintf("received multiple NC results %+v from CNS while dualnic feature is not supported", ipamAddResult.interfaceInfo)
 			logger.Error("received multiple NC results from CNS while dualnic feature is not supported",
-				zap.Any("results", ipamAddResult.interfaceInfo))
+				zap.Any("Processing interfaceInfo", ipamAddResult.interfaceInfo))
 			return plugin.Errorf(errMsg)
 		}
 	} else {
@@ -589,8 +589,12 @@ func (plugin *NetPlugin) Add(args *cniSkel.CmdArgs) error {
 		// sendEvent(plugin, fmt.Sprintf("Allocated IPAddress from ipam DefaultInterface: %+v, SecondaryInterfaces: %+v", ipamAddResult.interfaceInfo[ifIndex], ipamAddResult.interfaceInfo))
 	}
 
-	logger.Info("The length of ipamAddResult defaultDenyACL's is", zap.Any("defaultDenyACLLength", ipamAddResult.defaultDenyACL))
-	nwCfg.AdditionalArgs = append(nwCfg.AdditionalArgs, ipamAddResult.defaultDenyACL...)
+	for key := range ipamAddResult.interfaceInfo {
+		if key == string(cns.InfraNIC) {
+			nwCfg.AdditionalArgs = append(nwCfg.AdditionalArgs, ipamAddResult.interfaceInfo[key].DefaultDenyACL...)
+			logger.Info("nwCfg.AdditionalArgs2:", zap.Any("ifInfo", nwCfg.AdditionalArgs))
+		}
+	}
 	policies := cni.GetPoliciesFromNwCfg(nwCfg.AdditionalArgs)
 	// moved to addIpamInvoker
 	// sendEvent(plugin, fmt.Sprintf("Allocated IPAddress from ipam interface: %+v", ipamAddResult.PrettyString()))
diff --git a/network/endpoint.go b/network/endpoint.go
@@ -9,6 +9,7 @@ import (
 	"net"
 	"strings"
 
+	"github.com/Azure/azure-container-networking/cni"
 	"github.com/Azure/azure-container-networking/cni/log"
 	"github.com/Azure/azure-container-networking/cns"
 	"github.com/Azure/azure-container-networking/netio"
@@ -138,6 +139,7 @@ type InterfaceInfo struct {
 	HostSubnetPrefix  net.IPNet // Move this field from ipamAddResult
 	NCResponse        *cns.GetNetworkContainerResponse
 	PnPID             string
+	DefaultDenyACL    []cni.KVPair
 }
 
 type IPConfig struct {

Original file line number	Diff line number	Diff line change
`@@ -28,8 +28,7 @@ type IPAMAddConfig struct {`
`28`	`28`	`type IPAMAddResult struct {`
`29`	`29`	`interfaceInfo map[string]network.InterfaceInfo`
`30`	`30`	`// ncResponse and host subnet prefix were moved into interface info`
`31`		`- ipv6Enabled bool`
`32`		`- defaultDenyACL []cni.KVPair`
	`31`	`+ ipv6Enabled bool`
`33`	`32`	`}`
`34`	`33`
`35`	`34`	`func (ipamAddResult IPAMAddResult) PrettyString() string {`
Original file line number	Diff line number	Diff line change
`@@ -447,8 +447,6 @@ func configureDefaultAddResult(info IPResultInfo, addConfig IPAMAddConfig, add`
`447`	`447`	`})`
`448`	`448`	`}`
`449`	`449`
`450`		`- addResult.defaultDenyACL = append(addResult.defaultDenyACL, info.defaultDenyACL...)`
`451`		`-`
`452`	`450`	`// if we have multiple infra ip result infos, we effectively append routes and ip configs to that same interface info each time`
`453`	`451`	`// the host subnet prefix (in ipv4 or ipv6) will always refer to the same interface regardless of which ip result info we look at`
`454`	`452`	`addResult.interfaceInfo[key] = network.InterfaceInfo{`
`@@ -457,6 +455,7 @@ func configureDefaultAddResult(info IPResultInfo, addConfig IPAMAddConfig, add`
`457`	`455`	`IPConfigs: ipConfigs,`
`458`	`456`	`Routes: resRoute,`
`459`	`457`	`HostSubnetPrefix: *hostIPNet,`
	`458`	`+ DefaultDenyACL: info.defaultDenyACL,`
`460`	`459`	`}`
`461`	`460`	`}`
`462`	`461`
Original file line number	Diff line number	Diff line change
`@@ -821,10 +821,8 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {`
`821`	`821`	`ipamAddResult, err := invoker.Add(IPAMAddConfig{nwCfg: tt.args.nwCfg, args: tt.args.args, options: tt.args.options})`
`822`	`822`	`if tt.wantErr {`
`823`	`823`	`require.Error(err)`
`824`		`- require.Equalf([]cni.KVPair(nil), ipamAddResult.defaultDenyACL, "incorrect default deny ACL")`
`825`	`824`	`} else {`
`826`	`825`	`require.NoError(err)`
`827`		`- require.Equalf(expectedDefaultDenyACL, ipamAddResult.defaultDenyACL, "correct default deny ACL")`
`828`	`826`	`}`
`829`	`827`
`830`	`828`	`for _, ifInfo := range ipamAddResult.interfaceInfo {`
`@@ -837,6 +835,7 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {`
`837`	`835`	`}`
`838`	`836`	`if ifInfo.NICType == cns.InfraNIC {`
`839`	`837`	`require.Equalf(tt.wantDefaultResult, ifInfo, "incorrect default response")`
	`838`	`+ require.Equalf(expectedDefaultDenyACL, ifInfo.DefaultDenyACL, "Correct default deny ACL")`
`840`	`839`	`}`
`841`	`840`	`}`
`842`	`841`	`})`