fix(NRC): extend atomic.Bool to initSrcDstCheckDone and ec2IamAuthorized

Aprazor · aauren · commit 01f8216d2491 · 2026-03-31T20:21:44.000-05:00
bgpServerStarted was already fixed. This commit applies the same pattern
to initSrcDstCheckDone and ec2IamAuthorized, which are written from Run()
and the AWS src-dst-check path and read from syncInternalPeers() via
bgp_peers.go — potential data race under concurrent BGP peer syncs.

Also adds TestAtomicBoolFieldsNoConcurrentDataRace to
network_routes_controller_test.go to exercise all three fields under
the race detector.
diff --git a/pkg/controllers/routing/aws.go b/pkg/controllers/routing/aws.go
@@ -74,7 +74,7 @@ func (nrc *NetworkRoutingController) disableSourceDestinationCheck() {
 			var apiErr smithy.APIError
 			if errors.As(err, &apiErr) {
 				if apiErr.ErrorCode() == "UnauthorizedOperation" {
-					nrc.ec2IamAuthorized = false
+					nrc.ec2IamAuthorized.Store(false)
 					klog.Errorf("Node does not have necessary IAM creds to modify instance attribute. So skipping "+
 						"disabling src-dst check. %v", apiErr.ErrorMessage())
 					return
diff --git a/pkg/controllers/routing/bgp_peers.go b/pkg/controllers/routing/bgp_peers.go
@@ -374,7 +374,7 @@ func (nrc *NetworkRoutingController) OnNodeUpdate(_ interface{}) {
 
 	// skip if first round of disableSourceDestinationCheck() is not done yet, this is to prevent
 	// all the nodes for all the node add update trying to perform disableSourceDestinationCheck
-	if nrc.disableSrcDstCheck && nrc.initSrcDstCheckDone && nrc.ec2IamAuthorized {
+	if nrc.disableSrcDstCheck && nrc.initSrcDstCheckDone.Load() && nrc.ec2IamAuthorized.Load() {
 		nrc.disableSourceDestinationCheck()
 	}
 }
diff --git a/pkg/controllers/routing/network_routes_controller.go b/pkg/controllers/routing/network_routes_controller.go
@@ -144,8 +144,8 @@ type NetworkRoutingController struct {
 	bgpClusterID                   string
 	cniConfFile                    string
 	disableSrcDstCheck             bool
-	initSrcDstCheckDone            bool
-	ec2IamAuthorized               bool
+	initSrcDstCheckDone            atomic.Bool
+	ec2IamAuthorized               atomic.Bool
 	pathPrependAS                  string
 	pathPrependCount               uint8
 	pathPrepend                    bool
@@ -190,7 +190,7 @@ func (nrc *NetworkRoutingController) Run(
 	// In case of cluster provisioned on AWS disable source-destination check
 	if nrc.disableSrcDstCheck {
 		nrc.disableSourceDestinationCheck()
-		nrc.initSrcDstCheckDone = true
+		nrc.initSrcDstCheckDone.Store(true)
 	}
 
 	// enable IP forwarding for the packets coming in/out from the pods
@@ -1273,7 +1273,7 @@ func NewNetworkRoutingController(clientset kubernetes.Interface,
 	nrc.bgpRRServer = false
 	nrc.bgpServerStarted.Store(false)
 	nrc.disableSrcDstCheck = kubeRouterConfig.DisableSrcDstCheck
-	nrc.initSrcDstCheckDone = false
+	nrc.initSrcDstCheckDone.Store(false)
 	nrc.routeSyncer = routes.NewRouteSyncer(kubeRouterConfig.InjectedRoutesSyncPeriod, kubeRouterConfig.MetricsEnabled)
 
 	nrc.bgpHoldtime = kubeRouterConfig.BGPHoldTime.Seconds()
@@ -1307,7 +1307,7 @@ func NewNetworkRoutingController(clientset kubernetes.Interface,
 	}
 
 	// let's start with assumption we have necessary IAM creds to access EC2 api
-	nrc.ec2IamAuthorized = true
+	nrc.ec2IamAuthorized.Store(true)
 
 	if nrc.enableCNI {
 		nrc.cniConfFile = os.Getenv("KUBE_ROUTER_CNI_CONF_FILE")
diff --git a/pkg/controllers/routing/network_routes_controller_test.go b/pkg/controllers/routing/network_routes_controller_test.go
@@ -3032,3 +3032,39 @@ func waitForListerWithTimeout(lister cache.Indexer, timeout time.Duration, t *te
 		}
 	}
 }
+
+func TestAtomicBoolFieldsNoConcurrentDataRace(t *testing.T) {
+	// Verify that bgpServerStarted, initSrcDstCheckDone, and ec2IamAuthorized
+	// can be read and written concurrently without a data race.
+	// This test is only meaningful when run with -race.
+	nrc := &NetworkRoutingController{}
+	nrc.bgpServerStarted.Store(false)
+	nrc.initSrcDstCheckDone.Store(false)
+	nrc.ec2IamAuthorized.Store(true)
+
+	var wg sync.WaitGroup
+
+	// Writers
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		for i := 0; i < 1000; i++ {
+			nrc.bgpServerStarted.Store(i%2 == 0)
+			nrc.initSrcDstCheckDone.Store(i%2 == 0)
+			nrc.ec2IamAuthorized.Store(i%2 != 0)
+		}
+	}()
+
+	// Readers
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		for i := 0; i < 1000; i++ {
+			_ = nrc.bgpServerStarted.Load()
+			_ = nrc.initSrcDstCheckDone.Load()
+			_ = nrc.ec2IamAuthorized.Load()
+		}
+	}()
+
+	wg.Wait()
+}

Original file line number	Diff line number	Diff line change
`@@ -374,7 +374,7 @@ func (nrc *NetworkRoutingController) OnNodeUpdate(_ interface{}) {`
`374`	`374`
`375`	`375`	`// skip if first round of disableSourceDestinationCheck() is not done yet, this is to prevent`
`376`	`376`	`// all the nodes for all the node add update trying to perform disableSourceDestinationCheck`
`377`		`- if nrc.disableSrcDstCheck && nrc.initSrcDstCheckDone && nrc.ec2IamAuthorized {`
	`377`	`+ if nrc.disableSrcDstCheck && nrc.initSrcDstCheckDone.Load() && nrc.ec2IamAuthorized.Load() {`
`378`	`378`	`nrc.disableSourceDestinationCheck()`
`379`	`379`	`}`
`380`	`380`	`}`