
Commit 82768ac

authored
[NPM] Ignoring hostnetwork pods from being added into Ipsets (#776) (#777)
* Ignore HostNetwork pods when adding to ipsets
* Generalize the HostNetwork-pod check into a helper
* Add tests for adding, updating and deleting HostNetwork pods
1 parent cc3f970 commit 82768ac


2 files changed

+201
-0
lines changed


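--- a/npm/pod.go
+++ b/npm/pod.go
@@ -21,6 +21,10 @@ func isSystemPod(podObj *corev1.Pod) bool {
 	return podObj.ObjectMeta.Namespace == util.KubeSystemFlag
 }
 
+func isHostNetworkPod(podObj *corev1.Pod) bool {
+	return podObj.Spec.HostNetwork
+}
+
 func isInvalidPodUpdate(oldPodObj, newPodObj *corev1.Pod) (isInvalidUpdate bool) {
 	isInvalidUpdate = oldPodObj.ObjectMeta.Namespace == newPodObj.ObjectMeta.Namespace &&
 		oldPodObj.ObjectMeta.Name == newPodObj.ObjectMeta.Name &&
@@ -61,6 +65,12 @@ func (npMgr *NetworkPolicyManager) AddPod(podObj *corev1.Pod) error {
 		}
 	}
 
+	// Ignore adding the HostNetwork pod to any ipsets.
+	if isHostNetworkPod(podObj) {
+		log.Logf("HostNetwork POD IGNORED: [%s%s/%s/%s%+v%s]", podUid, podNs, podName, podNodeName, podLabels, podIP)
+		return nil
+	}
+
 	// Add the pod to its namespace's ipset.
 	log.Logf("Adding pod %s to ipset %s", podIP, podNs)
 	if err = ipsMgr.AddToSet(podNs, podIP, util.IpsetNetHashFlag, podUid); err != nil {
@@ -116,6 +126,17 @@ func (npMgr *NetworkPolicyManager) UpdatePod(oldPodObj, newPodObj *corev1.Pod) e
 		return nil
 	}
 
+	// today K8s does not allow updating HostNetwork flag for an existing Pod. So NPM can safely
+	// check on the oldPodObj for hostNework value
+	if isHostNetworkPod(oldPodObj) {
+		log.Logf(
+			"POD UPDATING ignored for HostNetwork Pod:\n old pod: [%s/%s/%+v/%s/%s]\n new pod: [%s/%s/%+v/%s/%s]",
+			oldPodObj.ObjectMeta.Namespace, oldPodObj.ObjectMeta.Name, oldPodObj.Status.PodIP,
+			newPodObj.ObjectMeta.Namespace, newPodObj.ObjectMeta.Name, newPodObj.Status.PodIP,
+		)
+		return nil
+	}
+
 	if isInvalidPodUpdate(oldPodObj, newPodObj) {
 		return nil
 	}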
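Review bot: The log format on new line 133 declares five verbs per pod (`[%s/%s/%+v/%s/%s]`) but lines 134-135 pass only three arguments per pod, so the message will render with `%!s(MISSING)` placeholders, and `%+v` ends up applied to `Status.PodIP` (a plain string) where the AddPod log on line 70 uses it for the labels map. Either trim the format to `"POD UPDATING ignored for HostNetwork Pod:\n old pod: [%s/%s/%s]\n new pod: [%s/%s/%s]"` or pass the labels and phase the extra verbs were presumably meant for; `go vet`'s printf check would catch this if `log.Logf` is registered as a printf-style wrapper. The bypass on line 131 consults only `oldPodObj`; since the point of the commit is that a host-network pod's IP (the node IP) must never land in a pod or namespace ipset, the guard is cheaper to reason about as `if isHostNetworkPod(oldPodObj) || isHostNetworkPod(newPodObj) {`, which keeps the property even if the immutability assumption in the comment ever changes or an informer hands over a stale old object. Line 130 also misspells `hostNework`, and the AddPod log on line 70 concatenates uid/namespace and labels/IP with no separator, making it hard to read. Both AddPod and UpdatePod continue outside these hunks.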

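--- a/npm/pod_test.go
+++ b/npm/pod_test.go
@@ -202,3 +202,183 @@ func TestDeletePod(t *testing.T) {
 	}
 	npMgr.Unlock()
 }
+
+func TestAddHostNetworkPod(t *testing.T) {
+	npMgr := &NetworkPolicyManager{
+		nsMap: make(map[string]*namespace),
+		podMap: make(map[string]string),
+		TelemetryEnabled: false,
+	}
+
+	allNs, err := newNs(util.KubeAllNamespacesFlag)
+	if err != nil {
+		panic(err.Error)
+	}
+	npMgr.nsMap[util.KubeAllNamespacesFlag] = allNs
+
+	ipsMgr := ipsm.NewIpsetManager()
+	if err := ipsMgr.Save(util.IpsetTestConfigFile); err != nil {
+		t.Errorf("TestAddHostNetworkPod failed @ ipsMgr.Save")
+	}
+
+	defer func() {
+		if err := ipsMgr.Restore(util.IpsetTestConfigFile); err != nil {
+			t.Errorf("TestAddHostNetworkPod failed @ ipsMgr.Restore")
+		}
+	}()
+
+	podObj := &corev1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-pod",
+			Namespace: "test-namespace",
+			Labels: map[string]string{
+				"app": "test-pod",
+			},
+		},
+		Status: corev1.PodStatus{
+			Phase: "Running",
+			PodIP: "1.2.3.4",
+		},
+		Spec: corev1.PodSpec{
+			HostNetwork: true,
+		},
+	}
+
+	npMgr.Lock()
+	if err := npMgr.AddPod(podObj); err != nil {
+		t.Errorf("TestAddHostNetworkPod failed @ AddPod")
+	}
+
+	if len(npMgr.podMap) >= 1 {
+		t.Errorf("TestAddHostNetworkPod failed @ podMap length check")
+	}
+	npMgr.Unlock()
+}
+
+func TestUpdateHostNetworkPod(t *testing.T) {
+	npMgr := &NetworkPolicyManager{
+		nsMap: make(map[string]*namespace),
+		podMap: make(map[string]string),
+		TelemetryEnabled: false,
+	}
+
+	allNs, err := newNs(util.KubeAllNamespacesFlag)
+	if err != nil {
+		panic(err.Error)
+	}
+	npMgr.nsMap[util.KubeAllNamespacesFlag] = allNs
+
+	ipsMgr := ipsm.NewIpsetManager()
+	if err := ipsMgr.Save(util.IpsetTestConfigFile); err != nil {
+		t.Errorf("TestUpdateHostNetworkPod failed @ ipsMgr.Save")
+	}
+
+	defer func() {
+		if err := ipsMgr.Restore(util.IpsetTestConfigFile); err != nil {
+			t.Errorf("TestUpdateHostNetworkPod failed @ ipsMgr.Restore")
+		}
+	}()
+
+	// HostNetwork check is done on the oldPodObj,
+	// so intentionally not adding hostnet true in newPodObj
+	oldPodObj := &corev1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "old-test-pod",
+			Namespace: "test-namespace",
+			Labels: map[string]string{
+				"app": "old-test-pod",
+			},
+		},
+		Status: corev1.PodStatus{
+			Phase: "Running",
+			PodIP: "1.2.3.4",
+		},
+		Spec: corev1.PodSpec{
+			HostNetwork: true,
+		},
+	}
+
+	newPodObj := &corev1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "new-test-pod",
+			Namespace: "test-namespace",
+			Labels: map[string]string{
+				"app": "new-test-pod",
+			},
+		},
+		Status: corev1.PodStatus{
+			Phase: "Running",
+			PodIP: "4.3.2.1",
+		},
+	}
+
+	npMgr.Lock()
+	if err := npMgr.AddPod(oldPodObj); err != nil {
+		t.Errorf("TestUpdateHostNetworkPod failed @ AddPod")
+	}
+
+	if err := npMgr.UpdatePod(oldPodObj, newPodObj); err != nil {
+		t.Errorf("TestUpdateHostNetworkPod failed @ UpdatePod")
+	}
+
+	if len(npMgr.podMap) >= 1 {
+		t.Errorf("TestUpdateHostNetworkPod failed @ podMap length check")
+	}
+	npMgr.Unlock()
+}
+
+func TestDeleteHostNetworkPod(t *testing.T) {
+	npMgr := &NetworkPolicyManager{
+		nsMap: make(map[string]*namespace),
+		podMap: make(map[string]string),
+		TelemetryEnabled: false,
+	}
+
+	allNs, err := newNs(util.KubeAllNamespacesFlag)
+	if err != nil {
+		panic(err.Error)
+	}
+	npMgr.nsMap[util.KubeAllNamespacesFlag] = allNs
+
+	ipsMgr := ipsm.NewIpsetManager()
+	if err := ipsMgr.Save(util.IpsetTestConfigFile); err != nil {
+		t.Errorf("TestDeleteHostNetworkPod failed @ ipsMgr.Save")
+	}
+
+	defer func() {
+		if err := ipsMgr.Restore(util.IpsetTestConfigFile); err != nil {
+			t.Errorf("TestDeleteHostNetworkPod failed @ ipsMgr.Restore")
+		}
+	}()
+
+	podObj := &corev1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-pod",
+			Namespace: "test-namespace",
+			Labels: map[string]string{
+				"app": "test-pod",
+			},
+		},
+		Status: corev1.PodStatus{
+			Phase: "Running",
+			PodIP: "1.2.3.4",
+		},
+		Spec: corev1.PodSpec{
+			HostNetwork: true,
+		},
+	}
+
+	npMgr.Lock()
+	if err := npMgr.AddPod(podObj); err != nil {
+		t.Errorf("TestDeleteHostNetworkPod failed @ AddPod")
+	}
+
+	if len(npMgr.podMap) >= 1 {
+		t.Errorf("TestDeleteHostNetworkPod failed @ podMap length check")
+	}
+
+	if err := npMgr.DeletePod(podObj); err != nil {
+		t.Errorf("TestDeleteHostNetworkPod failed @ DeletePod")
+	}
+	npMgr.Unlock()
+}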
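Review bot: `panic(err.Error)` on new lines 215, 267 and 339 passes the `Error` method value without calling it, so a `newNs` failure would panic with a function address instead of the error text; inside a test the idiomatic form is `t.Fatalf("newNs failed: %v", err)`. The `ipsMgr.Save` failures on lines 221, 273 and 345 use `t.Errorf` and then carry on, so the deferred `Restore` may later reapply state from a file that was never written — `t.Fatalf` there stops the test before it touches the ipset manager at all. Each test asserts only `len(npMgr.podMap)`; if the ipset manager exposes its set contents, also asserting that `1.2.3.4` was never added to the `test-namespace` set (and, in the delete test, that `DeletePod` did not remove anything) would pin the property the commit is actually about, since the podMap check alone cannot distinguish "ignored" from "added to ipsets but not tracked". The `>= 1` comparisons on lines 252, 324 and 376 read more naturally as `!= 0`.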
