Skip to content

Commit e98b789

Browse files
jaer-tsunjaer-tsun
authored
Fix NPM Bugs (#542)
* Remove old npm chains which were causing errors on uninit * Utilize rawNpMap and refrain from updating policies with no change. * redacted * add added policy to processedNpMap
1 parent 5319878 commit e98b789

File tree

2 files changed

+21
-16
lines changed

2 files changed

+21
-16
lines changed

npm/iptm/iptm.go

Lines changed: 6 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -182,18 +182,11 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
182182
func (iptMgr *IptablesManager) UninitNpmChains() error {
183183
IptablesAzureChainList := []string{
184184
util.IptablesAzureChain,
185-
util.IptablesAzureKubeSystemChain,
186185
util.IptablesAzureIngressPortChain,
187186
util.IptablesAzureIngressFromChain,
188187
util.IptablesAzureEgressPortChain,
189188
util.IptablesAzureEgressToChain,
190189
util.IptablesAzureTargetSetsChain,
191-
// Below chains exists only for before Azure-NPM:v1.0.27
192-
// and should be removed after a baking period.
193-
util.IptablesAzureIngressFromNsChain,
194-
util.IptablesAzureIngressFromPodChain,
195-
util.IptablesAzureEgressToNsChain,
196-
util.IptablesAzureEgressToPodChain,
197190
}
198191

199192
// Remove AZURE-NPM chain from FORWARD chain.
@@ -236,12 +229,10 @@ func (iptMgr *IptablesManager) Exists(entry *IptEntry) (bool, error) {
236229
iptMgr.OperationFlag = util.IptablesCheckFlag
237230
returnCode, err := iptMgr.Run(entry)
238231
if err == nil {
239-
log.Printf("Rule exists. %+v.", entry)
240232
return true, nil
241233
}
242234

243235
if returnCode == iptablesErrDoesNotExist {
244-
log.Printf("Rule doesn't exist. %+v.", entry)
245236
return false, nil
246237
}
247238

@@ -348,12 +339,15 @@ func (iptMgr *IptablesManager) Run(entry *IptEntry) (int, error) {
348339
}
349340

350341
cmdArgs := append([]string{util.IptablesWaitFlag, entry.LockWaitTimeInSeconds, iptMgr.OperationFlag, entry.Chain}, entry.Specs...)
351-
log.Printf("Executing iptables command %s %v", cmdName, cmdArgs)
352-
_, err := exec.Command(cmdName, cmdArgs...).Output()
353342

343+
if iptMgr.OperationFlag != util.IptablesCheckFlag {
344+
log.Printf("Executing iptables command %s %v", cmdName, cmdArgs)
345+
}
346+
347+
_, err := exec.Command(cmdName, cmdArgs...).Output()
354348
if msg, failed := err.(*exec.ExitError); failed {
355349
errCode := msg.Sys().(syscall.WaitStatus).ExitStatus()
356-
if errCode > 0 {
350+
if errCode > 0 && iptMgr.OperationFlag != util.IptablesCheckFlag {
357351
log.Errorf("Error: There was an error running command: [%s %v] Stderr: [%v, %s]", cmdName, strings.Join(cmdArgs, " "), err, strings.TrimSuffix(string(msg.Stderr), "\n"))
358352
}
359353

npm/nwpolicy.go

Lines changed: 15 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -46,6 +46,8 @@ func (npMgr *NetworkPolicyManager) AddNetworkPolicy(npObj *networkingv1.NetworkP
4646
return nil
4747
}
4848

49+
ns.rawNpMap[npObj.ObjectMeta.Name] = npObj
50+
4951
allNs := npMgr.nsMap[util.KubeAllNamespacesFlag]
5052

5153
if !npMgr.isAzureNpmChainCreated {
@@ -67,13 +69,16 @@ func (npMgr *NetworkPolicyManager) AddNetworkPolicy(npObj *networkingv1.NetworkP
6769
var addedPolicy *networkingv1.NetworkPolicy
6870
addedPolicy = nil
6971
if oldPolicy, oldPolicyExists := ns.processedNpMap[hashedSelector]; oldPolicyExists {
72+
npMgr.isSafeToCleanUpAzureNpmChain = false
73+
npMgr.DeleteNetworkPolicy(oldPolicy)
74+
npMgr.isSafeToCleanUpAzureNpmChain = true
75+
7076
addedPolicy, err = addPolicy(oldPolicy, npObj)
7177
if err != nil {
7278
log.Printf("Error adding policy %s to %s", npName, oldPolicy.ObjectMeta.Name)
79+
} else {
80+
ns.processedNpMap[hashedSelector] = addedPolicy
7381
}
74-
npMgr.isSafeToCleanUpAzureNpmChain = false
75-
npMgr.DeleteNetworkPolicy(oldPolicy)
76-
npMgr.isSafeToCleanUpAzureNpmChain = true
7782
} else {
7883
ns.processedNpMap[hashedSelector] = npObj
7984
}
@@ -116,6 +121,10 @@ func (npMgr *NetworkPolicyManager) AddNetworkPolicy(npObj *networkingv1.NetworkP
116121

117122
// UpdateNetworkPolicy handles updateing network policy in iptables.
118123
func (npMgr *NetworkPolicyManager) UpdateNetworkPolicy(oldNpObj *networkingv1.NetworkPolicy, newNpObj *networkingv1.NetworkPolicy) error {
124+
if isSamePolicy(oldNpObj, newNpObj) {
125+
return nil
126+
}
127+
119128
var err error
120129

121130
log.Printf("NETWORK POLICY UPDATING:\n old policy:[%v]\n new policy:[%v]", oldNpObj, newNpObj)
@@ -164,6 +173,8 @@ func (npMgr *NetworkPolicyManager) DeleteNetworkPolicy(npObj *networkingv1.Netwo
164173
}
165174
}
166175

176+
delete(ns.rawNpMap, npObj.ObjectMeta.Name)
177+
167178
hashedSelector := HashSelector(&npObj.Spec.PodSelector)
168179
if oldPolicy, oldPolicyExists := ns.processedNpMap[hashedSelector]; oldPolicyExists {
169180
deductedPolicy, err := deductPolicy(oldPolicy, npObj)
@@ -179,11 +190,11 @@ func (npMgr *NetworkPolicyManager) DeleteNetworkPolicy(npObj *networkingv1.Netwo
179190
}
180191

181192
if npMgr.canCleanUpNpmChains() {
193+
npMgr.isAzureNpmChainCreated = false
182194
if err = iptMgr.UninitNpmChains(); err != nil {
183195
log.Errorf("Error: failed to uninitialize azure-npm chains.")
184196
return err
185197
}
186-
npMgr.isAzureNpmChainCreated = false
187198
}
188199

189200
return nil

0 commit comments

Comments
 (0)