fix(NSC): harden Network Services Controller against panics, races, and sync errors

Aprazor · aauren · commit aba49a9892a1 · 2026-03-31T20:30:15.000-05:00
This combines five defensive fixes in the Network Services Controller:

1. shuffle(): check rand.Int error before dereferencing result
   - rand.Int returns (nil, err) on failure, but the result was
     dereferenced before the error check, causing a nil panic

2. NodePort healthcheck: add RWMutex to protect shared maps
   - UpdateServicesInfo writes serviceInfoMap/endpointsInfoMap from
     the sync goroutine while HTTP handlers read concurrently

3. setupIpvsFirewall: use continue instead of return in dual-stack loop
   - return nil after clearing one IP family's chain skipped the
     second family entirely on dual-stack nodes

4. setupMangleTableRule/cleanupMangleTableRule: add nil check for ParseIP
   - net.ParseIP result was used without nil check, causing panic
     on malformed IP strings from service annotations

5. synctypeIpvs: track errors across both sync steps for heartbeat
   - err from syncIpvsServices was overwritten by syncHairpinIptablesRules,
     masking IPVS failures from the health check system
diff --git a/pkg/controllers/proxy/network_services_controller.go b/pkg/controllers/proxy/network_services_controller.go
@@ -383,15 +383,21 @@ func (nsc *NetworkServicesController) Run(healthChan chan<- *healthcheck.Control
 				// and we don't want to duplicate the effort, so this is a slimmer version of doSync()
 				klog.V(1).Info("Performing requested sync of ipvs services")
 				nsc.mu.Lock()
+				var syncErrors bool
 				err = nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
 				if err != nil {
 					klog.Errorf("error during ipvs sync in network service controller. Error: %v", err)
+					syncErrors = true
 				}
 				err = nsc.syncHairpinIptablesRules()
 				if err != nil {
 					klog.Errorf("error syncing hairpin iptables rules: %v", err)
+					syncErrors = true
 				}
 				nsc.mu.Unlock()
+				if syncErrors {
+					err = fmt.Errorf("one or more errors during ipvs sync")
+				}
 			}
 			if err == nil {
 				healthcheck.SendHeartBeat(healthChan, healthcheck.NetworkServicesController)
@@ -482,9 +488,9 @@ func (nsc *NetworkServicesController) setupIpvsFirewall() error {
 			return fmt.Errorf("failed to run iptables command: %s", err.Error())
 		}
 
-		// config.IpvsPermitAll: true then create INPUT/KUBE-ROUTER-SERVICE Chain creation else return
+		// config.IpvsPermitAll: true then create INPUT/KUBE-ROUTER-SERVICE Chain creation else skip
 		if !nsc.ipvsPermitAll {
-			return nil
+			continue
 		}
 
 		var comment string
@@ -981,10 +987,11 @@ func parseSchedFlags(value string) schedFlags {
 func shuffle(endPoints []endpointSliceInfo) []endpointSliceInfo {
 	for index1 := range endPoints {
 		randBitInt, err := rand.Int(rand.Reader, big.NewInt(int64(index1+1)))
-		index2 := randBitInt.Int64()
 		if err != nil {
 			klog.Warningf("unable to get a random int: %v", err)
+			continue
 		}
+		index2 := randBitInt.Int64()
 		endPoints[index1], endPoints[index2] = endPoints[index2], endPoints[index1]
 	}
 	return endPoints
@@ -1561,6 +1568,9 @@ func (nsc *NetworkServicesController) setupMangleTableRule(ip string, protocol s
 	var iptablesCmdHandler utils.IPTablesHandler
 	tcpMSS := nsc.mtu
 	parsedIP := net.ParseIP(ip)
+	if parsedIP == nil {
+		return fmt.Errorf("invalid IP address: %s", ip)
+	}
 	if parsedIP.To4() != nil {
 		iptablesCmdHandler = nsc.iptablesCmdHandlers[v1.IPv4Protocol]
 		tcpMSS -= 2*ipv4.HeaderLen + tcpHeaderMinLen
@@ -1669,6 +1679,9 @@ func (nsc *NetworkServicesController) cleanupMangleTableRule(ip string, protocol
 	var iptablesCmdHandler utils.IPTablesHandler
 	tcpMSS := nsc.mtu
 	parsedIP := net.ParseIP(ip)
+	if parsedIP == nil {
+		return fmt.Errorf("invalid IP address: %s", ip)
+	}
 	if parsedIP.To4() != nil {
 		iptablesCmdHandler = nsc.iptablesCmdHandlers[v1.IPv4Protocol]
 		tcpMSS -= 2*ipv4.HeaderLen + tcpHeaderMinLen
diff --git a/pkg/controllers/proxy/nodeport_healthcheck.go b/pkg/controllers/proxy/nodeport_healthcheck.go
@@ -24,6 +24,7 @@ type serviceHealthCheck struct {
 }
 
 type nphcServicesInfo struct {
+	mu               sync.RWMutex
 	serviceInfoMap   serviceInfoMap
 	endpointsInfoMap endpointSliceInfoMap
 }
@@ -36,8 +37,10 @@ type nphcHandler struct {
 func (nphc *nodePortHealthCheckController) UpdateServicesInfo(serviceInfoMap serviceInfoMap,
 	endpointsInfoMap endpointSliceInfoMap) error {
 	klog.V(1).Info("Running UpdateServicesInfo for NodePort health check")
+	nphc.mu.Lock()
 	nphc.serviceInfoMap = serviceInfoMap
 	nphc.endpointsInfoMap = endpointsInfoMap
+	nphc.mu.Unlock()
 
 	newActiveServices := make(map[int]bool)
 
@@ -141,7 +144,9 @@ func (nphc *nodePortHealthCheckController) stopHealthCheck(nodePort int) error {
 }
 
 func (npHandler *nphcHandler) Handler(w http.ResponseWriter, r *http.Request) {
+	npHandler.nphc.mu.RLock()
 	eps := npHandler.nphc.endpointsInfoMap[npHandler.svcHC.serviceID]
+	npHandler.nphc.mu.RUnlock()
 	endpointsOnNode := hasActiveEndpoints(eps)
 
 	var numActiveEndpoints int8
