
Commit 4eeea48

committed
moved GetEndpointPolicy so that it is only run on init
1 parent fbc02b3 commit 4eeea48


1 file changed

+15
-18
lines changed

1 file changed

+15
-18
lines changed

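--- a/cns/middlewares/k8sSwiftV2_windows.go
+++ b/cns/middlewares/k8sSwiftV2_windows.go
@@ -14,6 +14,21 @@ import (
 "github.com/pkg/errors"
 )
 
+var defaultDenyEgressPolicy policy.Policy
+var defaultDenyIngressPolicy policy.Policy
+var err error
+
+func init() {
+defaultDenyEgressPolicy, err = getEndpointPolicy(policy.ACLPolicy, cns.ActionTypeBlock, cns.DirectionTypeIn, 10_000)
+if err != nil {
+logger.Errorf("failed to add default deny egress acl's for pod with err %v", err)
+}
+defaultDenyIngressPolicy, err = getEndpointPolicy(policy.ACLPolicy, cns.ActionTypeBlock, cns.DirectionTypeOut, 10_000)
+if err != nil {
+logger.Errorf("failed to add default deny ingress acl's for pod with err %v", err)
+}
+}
+
 // for AKS L1VH, do not set default route on infraNIC to avoid customer pod reaching all infra vnet services
 // default route is set for secondary interface NIC(i.e,delegatedNIC)
 func (k *K8sSWIFTv2Middleware) setRoutes(podIPInfo *cns.PodIpInfo) error {
@@ -142,19 +157,7 @@ func (k *K8sSWIFTv2Middleware) IPConfigsRequestHandlerWrapper(defaultHandler, fa
 for i := range ipConfigsResp.PodIPInfo {
 ipInfo := &ipConfigsResp.PodIPInfo[i]
 // there will be no pod connectivity to and from those pods
-var defaultDenyEgressPolicy, defaultDenyIngressPolicy policy.Policy
-
 if defaultDenyACLbool && ipInfo.NICType == cns.InfraNIC {
-defaultDenyEgressPolicy, err = getEndpointPolicy(policy.ACLPolicy, cns.ActionTypeBlock, cns.DirectionTypeOut, 10_000)
-if err != nil {
-logger.Errorf("failed to add default deny acl's for pod %v with err %v", podInfo.Name(), err)
-}
-
-defaultDenyIngressPolicy, err = getEndpointPolicy(policy.ACLPolicy, cns.ActionTypeBlock, cns.DirectionTypeIn, 10_000)
-if err != nil {
-logger.Errorf("failed to add default deny acl's for pod %v with err %v", podInfo.Name(), err)
-}
-
 ipInfo.EndpointPolicies = append(ipInfo.EndpointPolicies, defaultDenyEgressPolicy, defaultDenyIngressPolicy)
 logger.Printf("Created endpoint policies for defaultDenyEgressPolicy and defaultDenyIngressPolicy")
 
@@ -208,12 +211,6 @@ func (k *K8sSWIFTv2Middleware) IPConfigsRequestHandlerWrapper(defaultHandler, fa
 }
 
 func GetDefaultDenyBool(mtpnc v1alpha1.MultitenantPodNetworkConfig) (bool, error) {
-
-// Check if the MTPNC CRD is ready. If one of the fields is empty, return error
-if !mtpnc.IsReady() {
-return false, errMTPNCNotReady
-}
-
 // returns the value of DefaultDenyACL from mtpnc
 return mtpnc.Status.DefaultDenyACL, nil
 }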
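Review bot: GetDefaultDenyBool (third hunk, old lines 211-215) no longer rejects an MTPNC that is not ready, so an unpopulated Status now yields `false, nil` and the pod silently gets no default-deny policy; the commit message only describes moving getEndpointPolicy to init, so this looks unintentional, and unless the caller (outside this section) already gates on readiness the lines `if !mtpnc.IsReady() { return false, errMTPNCNotReady }` should be restored (errMTPNCNotReady is otherwise left unreferenced here). The new init() has the same fail-open shape: when getEndpointPolicy fails the error is logged once at startup and the zero-value `policy.Policy` values are still appended at new line 161 for every pod, followed by the "Created endpoint policies" log; keep the init error in a package-level variable and have the handler return it for a pod that requested default deny instead of appending empty policies. Note also that the directions are swapped relative to the removed code — the egress variable is now built with `cns.DirectionTypeIn` and the ingress one with `cns.DirectionTypeOut` — which does not change what is blocked since both are always appended together, but makes the variable names and the error messages misleading. A package-level `var err error` is easy to clobber from any other function in the package that assigns to `err` with `=`; declaring it with `:=` inside init keeps it local.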
