clear stale states on creation (#411)

Yongli Chen · jaer-tsun · commit ff7b9c080188 · 2019-09-30T19:09:49.000-04:00
* clear stale states on creation

* log first UninitNpmChains() call

* adding kube system namespace after reboot
diff --git a/npm/iptm/iptm.go b/npm/iptm/iptm.go
@@ -21,7 +21,8 @@ import (
 )
 
 const (
-	defaultlockWaitTimeInSeconds = "60"
+	defaultlockWaitTimeInSeconds string = "60"
+	iptablesErrDoesNotExist      int    = 1
 )
 
 // IptEntry represents an iptables rule.
@@ -212,6 +213,12 @@ func (iptMgr *IptablesManager) UninitNpmChains() error {
 		util.IptablesAzureEgressPortChain,
 		util.IptablesAzureEgressToChain,
 		util.IptablesAzureTargetSetsChain,
+		// Below chains exists only for before Azure-NPM:v1.0.27
+		// and should be removed after a baking period.
+		util.IptablesAzureIngressFromNsChain,
+		util.IptablesAzureIngressFromPodChain,
+		util.IptablesAzureEgressToNsChain,
+		util.IptablesAzureEgressToPodChain,
 	}
 
 	// Remove AZURE-NPM chain from FORWARD chain.
@@ -224,7 +231,7 @@ func (iptMgr *IptablesManager) UninitNpmChains() error {
 	}
 	iptMgr.OperationFlag = util.IptablesDeletionFlag
 	errCode, err := iptMgr.Run(entry)
-	if errCode != 1 && err != nil {
+	if errCode != iptablesErrDoesNotExist && err != nil {
 		log.Errorf("Error: failed to remove default rule from FORWARD chain.")
 		return err
 	}
@@ -234,7 +241,8 @@ func (iptMgr *IptablesManager) UninitNpmChains() error {
 		entry := &IptEntry{
 			Chain: chain,
 		}
-		if _, err := iptMgr.Run(entry); err != nil {
+		errCode, err := iptMgr.Run(entry)
+		if errCode != iptablesErrDoesNotExist && err != nil {
 			log.Errorf("Error: failed to flush iptables chain %s.", chain)
 		}
 	}
@@ -257,7 +265,7 @@ func (iptMgr *IptablesManager) Exists(entry *IptEntry) (bool, error) {
 		return true, nil
 	}
 
-	if returnCode == 1 {
+	if returnCode == iptablesErrDoesNotExist {
 		log.Printf("Rule doesn't exist. %+v.", entry)
 		return false, nil
 	}
@@ -273,7 +281,7 @@ func (iptMgr *IptablesManager) AddChain(chain string) error {
 	iptMgr.OperationFlag = util.IptablesChainCreationFlag
 	errCode, err := iptMgr.Run(entry)
 	if err != nil {
-		if errCode == 1 {
+		if errCode == iptablesErrDoesNotExist {
 			log.Printf("Chain already exists %s.", entry.Chain)
 			return nil
 		}
@@ -293,7 +301,7 @@ func (iptMgr *IptablesManager) DeleteChain(chain string) error {
 	iptMgr.OperationFlag = util.IptablesDestroyFlag
 	errCode, err := iptMgr.Run(entry)
 	if err != nil {
-		if errCode == 1 {
+		if errCode == iptablesErrDoesNotExist {
 			log.Printf("Chain doesn't exist %s.", entry.Chain)
 			return nil
 		}
diff --git a/npm/namespace.go b/npm/namespace.go
@@ -86,7 +86,7 @@ func (npMgr *NetworkPolicyManager) UninitAllNsList() error {
 	return nil
 }
 
-// AddNamespace handles adding  namespace to ipset.
+// AddNamespace handles adding namespace to ipset.
 func (npMgr *NetworkPolicyManager) AddNamespace(nsObj *corev1.Namespace) error {
 	npMgr.Lock()
 	defer npMgr.Unlock()
diff --git a/npm/npm.go b/npm/npm.go
@@ -45,9 +45,9 @@ type NetworkPolicyManager struct {
 	nsInformer      coreinformers.NamespaceInformer
 	npInformer      networkinginformers.NetworkPolicyInformer
 
-	nodeName               string
-	nsMap                  map[string]*namespace
-	isAzureNpmChainCreated bool
+	nodeName                     string
+	nsMap                        map[string]*namespace
+	isAzureNpmChainCreated       bool
 	isSafeToCleanUpAzureNpmChain bool
 
 	clusterState  telemetry.ClusterState
@@ -169,11 +169,6 @@ func (npMgr *NetworkPolicyManager) Start(stopCh <-chan struct{}) error {
 	// Starts all informers manufactured by npMgr's informerFactory.
 	npMgr.informerFactory.Start(stopCh)
 
-	// Failure detected. Needs to restore Azure-NPM related iptables entries.
-	if util.Exists(util.IptablesConfigFile) {
-		npMgr.restore()
-	}
-
 	// Wait for the initial sync of local cache.
 	if !cache.WaitForCacheSync(stopCh, npMgr.podInformer.Informer().HasSynced) {
 		return fmt.Errorf("Pod informer failed to sync")
@@ -194,6 +189,10 @@ func (npMgr *NetworkPolicyManager) Start(stopCh <-chan struct{}) error {
 
 // NewNetworkPolicyManager creates a NetworkPolicyManager
 func NewNetworkPolicyManager(clientset *kubernetes.Clientset, informerFactory informers.SharedInformerFactory, npmVersion string) *NetworkPolicyManager {
+	// Clear out left over iptables states
+	log.Logf("Azure-NPM creating, cleaning iptables")
+	iptMgr := iptm.NewIptablesManager()
+	iptMgr.UninitNpmChains()
 
 	podInformer := informerFactory.Core().V1().Pods()
 	nsInformer := informerFactory.Core().V1().Namespaces()
@@ -212,14 +211,14 @@ func NewNetworkPolicyManager(clientset *kubernetes.Clientset, informerFactory in
 	}
 
 	npMgr := &NetworkPolicyManager{
-		clientset:              clientset,
-		informerFactory:        informerFactory,
-		podInformer:            podInformer,
-		nsInformer:             nsInformer,
-		npInformer:             npInformer,
-		nodeName:               os.Getenv("HOSTNAME"),
-		nsMap:                  make(map[string]*namespace),
-		isAzureNpmChainCreated: false,
+		clientset:                    clientset,
+		informerFactory:              informerFactory,
+		podInformer:                  podInformer,
+		nsInformer:                   nsInformer,
+		npInformer:                   npInformer,
+		nodeName:                     os.Getenv("HOSTNAME"),
+		nsMap:                        make(map[string]*namespace),
+		isAzureNpmChainCreated:       false,
 		isSafeToCleanUpAzureNpmChain: false,
 		clusterState: telemetry.ClusterState{
 			PodCount:      0,
@@ -243,13 +242,15 @@ func NewNetworkPolicyManager(clientset *kubernetes.Clientset, informerFactory in
 	clusterState := npMgr.GetClusterState()
 	npMgr.reportManager.Report.(*telemetry.NPMReport).GetReport(clusterID, npMgr.nodeName, npmVersion, serverVersion.GitVersion, clusterState)
 
-	allNs, err := newNs(util.KubeAllNamespacesFlag)
-	if err != nil {
-		log.Logf("Error: failed to create all-namespace.")
-		panic(err.Error)
-	}
+	allNs, _ := newNs(util.KubeAllNamespacesFlag)
 	npMgr.nsMap[util.KubeAllNamespacesFlag] = allNs
 
+	// Create ipset for the namespace.
+	kubeSystemNs := "ns-" + util.KubeSystemFlag
+	if err := allNs.ipsMgr.CreateSet(kubeSystemNs); err != nil {
+		log.Logf("Error: failed to create ipset for namespace %s.", kubeSystemNs)
+	}
+
 	podInformer.Informer().AddEventHandler(
 		// Pod event handlers
 		cache.ResourceEventHandlerFuncs{
diff --git a/npm/util/const.go b/npm/util/const.go
@@ -47,7 +47,7 @@ const (
 	IptablesSFlag             string = "-s"
 	IptablesDFlag             string = "-d"
 	IptablesDstPortFlag       string = "--dport"
-	IptablesModuleFlag         string = "-m"
+	IptablesModuleFlag        string = "-m"
 	IptablesSetModuleFlag     string = "set"
 	IptablesMatchSetFlag      string = "--match-set"
 	IptablesStateModuleFlag   string = "state"
@@ -60,15 +60,21 @@ const (
 	IptablesCommentModuleFlag string = "comment"
 	IptablesCommentFlag       string = "--comment"
 	IptablesAddCommentFlag
-	IptablesAzureChain               string = "AZURE-NPM"
-	IptablesAzureKubeSystemChain     string = "AZURE-NPM-KUBE-SYSTEM"
-	IptablesAzureIngressPortChain    string = "AZURE-NPM-INGRESS-PORT"
-	IptablesAzureIngressFromChain    string = "AZURE-NPM-INGRESS-FROM"
-	IptablesAzureEgressPortChain     string = "AZURE-NPM-EGRESS-PORT"
-	IptablesAzureEgressToChain       string = "AZURE-NPM-EGRESS-TO"
-	IptablesAzureTargetSetsChain     string = "AZURE-NPM-TARGET-SETS"
-	IptablesForwardChain             string = "FORWARD"
-	IptablesInputChain               string = "INPUT"
+	IptablesAzureChain            string = "AZURE-NPM"
+	IptablesAzureKubeSystemChain  string = "AZURE-NPM-KUBE-SYSTEM"
+	IptablesAzureIngressPortChain string = "AZURE-NPM-INGRESS-PORT"
+	IptablesAzureIngressFromChain string = "AZURE-NPM-INGRESS-FROM"
+	IptablesAzureEgressPortChain  string = "AZURE-NPM-EGRESS-PORT"
+	IptablesAzureEgressToChain    string = "AZURE-NPM-EGRESS-TO"
+	IptablesAzureTargetSetsChain  string = "AZURE-NPM-TARGET-SETS"
+	IptablesForwardChain          string = "FORWARD"
+	IptablesInputChain            string = "INPUT"
+	// Below chains exists only for before Azure-NPM:v1.0.27
+	// and should be removed after a baking period.
+	IptablesAzureIngressFromNsChain  string = "AZURE-NPM-INGRESS-FROM-NS"
+	IptablesAzureIngressFromPodChain string = "AZURE-NPM-INGRESS-FROM-POD"
+	IptablesAzureEgressToNsChain     string = "AZURE-NPM-EGRESS-TO-NS"
+	IptablesAzureEgressToPodChain    string = "AZURE-NPM-EGRESS-TO-POD"
 )
 
 //ipset related constants.

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,8 @@ import (`
`21`	`21`	`)`
`22`	`22`
`23`	`23`	`const (`
`24`		`- defaultlockWaitTimeInSeconds = "60"`
	`24`	`+ defaultlockWaitTimeInSeconds string = "60"`
	`25`	`+ iptablesErrDoesNotExist int = 1`
`25`	`26`	`)`
`26`	`27`
`27`	`28`	`// IptEntry represents an iptables rule.`
`@@ -212,6 +213,12 @@ func (iptMgr *IptablesManager) UninitNpmChains() error {`
`212`	`213`	`util.IptablesAzureEgressPortChain,`
`213`	`214`	`util.IptablesAzureEgressToChain,`
`214`	`215`	`util.IptablesAzureTargetSetsChain,`
	`216`	`+ // Below chains exists only for before Azure-NPM:v1.0.27`
	`217`	`+ // and should be removed after a baking period.`
	`218`	`+ util.IptablesAzureIngressFromNsChain,`
	`219`	`+ util.IptablesAzureIngressFromPodChain,`
	`220`	`+ util.IptablesAzureEgressToNsChain,`
	`221`	`+ util.IptablesAzureEgressToPodChain,`
`215`	`222`	`}`
`216`	`223`
`217`	`224`	`// Remove AZURE-NPM chain from FORWARD chain.`
`@@ -224,7 +231,7 @@ func (iptMgr *IptablesManager) UninitNpmChains() error {`
`224`	`231`	`}`
`225`	`232`	`iptMgr.OperationFlag = util.IptablesDeletionFlag`
`226`	`233`	`errCode, err := iptMgr.Run(entry)`
`227`		`- if errCode != 1 && err != nil {`
	`234`	`+ if errCode != iptablesErrDoesNotExist && err != nil {`
`228`	`235`	`log.Errorf("Error: failed to remove default rule from FORWARD chain.")`
`229`	`236`	`return err`
`230`	`237`	`}`
`@@ -234,7 +241,8 @@ func (iptMgr *IptablesManager) UninitNpmChains() error {`
`234`	`241`	`entry := &IptEntry{`
`235`	`242`	`Chain: chain,`
`236`	`243`	`}`
`237`		`- if _, err := iptMgr.Run(entry); err != nil {`
	`244`	`+ errCode, err := iptMgr.Run(entry)`
	`245`	`+ if errCode != iptablesErrDoesNotExist && err != nil {`
`238`	`246`	`log.Errorf("Error: failed to flush iptables chain %s.", chain)`
`239`	`247`	`}`
`240`	`248`	`}`
`@@ -257,7 +265,7 @@ func (iptMgr IptablesManager) Exists(entry IptEntry) (bool, error) {`
`257`	`265`	`return true, nil`
`258`	`266`	`}`
`259`	`267`
`260`		`- if returnCode == 1 {`
	`268`	`+ if returnCode == iptablesErrDoesNotExist {`
`261`	`269`	`log.Printf("Rule doesn't exist. %+v.", entry)`
`262`	`270`	`return false, nil`
`263`	`271`	`}`
`@@ -273,7 +281,7 @@ func (iptMgr *IptablesManager) AddChain(chain string) error {`
`273`	`281`	`iptMgr.OperationFlag = util.IptablesChainCreationFlag`
`274`	`282`	`errCode, err := iptMgr.Run(entry)`
`275`	`283`	`if err != nil {`
`276`		`- if errCode == 1 {`
	`284`	`+ if errCode == iptablesErrDoesNotExist {`
`277`	`285`	`log.Printf("Chain already exists %s.", entry.Chain)`
`278`	`286`	`return nil`
`279`	`287`	`}`
`@@ -293,7 +301,7 @@ func (iptMgr *IptablesManager) DeleteChain(chain string) error {`
`293`	`301`	`iptMgr.OperationFlag = util.IptablesDestroyFlag`
`294`	`302`	`errCode, err := iptMgr.Run(entry)`
`295`	`303`	`if err != nil {`
`296`		`- if errCode == 1 {`
	`304`	`+ if errCode == iptablesErrDoesNotExist {`
`297`	`305`	`log.Printf("Chain doesn't exist %s.", entry.Chain)`
`298`	`306`	`return nil`
`299`	`307`	`}`
Original file line number	Diff line number	Diff line change
`@@ -86,7 +86,7 @@ func (npMgr *NetworkPolicyManager) UninitAllNsList() error {`
`86`	`86`	`return nil`
`87`	`87`	`}`
`88`	`88`
`89`		`-// AddNamespace handles adding namespace to ipset.`
	`89`	`+// AddNamespace handles adding namespace to ipset.`
`90`	`90`	`func (npMgr NetworkPolicyManager) AddNamespace(nsObj corev1.Namespace) error {`
`91`	`91`	`npMgr.Lock()`
`92`	`92`	`defer npMgr.Unlock()`