netpol: create node acl before creating acl rules for the first netwo…
…rk policy

Signed-off-by: 张祖建 <[email protected]>
zhangzujian committed Aug 17, 2023
1 parent 82edc0c commit 0f5e44f
Showing 2 changed files with 17 additions and 2 deletions.
5 changes: 5 additions & 0 deletions pkg/controller/network_policy.go
@@ -152,6 +152,11 @@ func (c *Controller) handleUpdateNp(key string) error {
return err
}

if err = c.checkAndUpdateNodePortGroup(false); err != nil {
klog.Errorf("failed to update node acl: %v", err)
return err
}

defer func() {
if err != nil {
c.recorder.Eventf(np, corev1.EventTypeWarning, "CreateACLFailed", err.Error())
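Review bot: The new `c.checkAndUpdateNodePortGroup(false)` call in handleUpdateNp sits above the `defer func()` that emits the `CreateACLFailed` event, so when the node ACL update fails the function returns with only a klog line and no event on the NetworkPolicy object. Per the commit title, this step is what makes the node ACL exist before the policy's own ACL rules are written, so its failure is worth surfacing the same way; moving the block to just below the deferred closure would do that without other changes. A short comment such as `// node ACL must exist before the first policy's ACL rules are created` would also record why the order matters. The deferred closure and the rest of handleUpdateNp continue outside the hunk.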
14 changes: 12 additions & 2 deletions pkg/controller/node.go
@@ -933,16 +933,25 @@ func (c *Controller) fetchPodsOnNode(nodeName string, pods []*v1.Pod) ([]string,
}

func (c *Controller) CheckNodePortGroup() {
if err := c.checkAndUpdateNodePortGroup(); err != nil {
if err := c.checkAndUpdateNodePortGroup(true); err != nil {
klog.Errorf("check node port group status: %v", err)
}
}

func (c *Controller) checkAndUpdateNodePortGroup() error {
var nodeAclExists bool

func (c *Controller) checkAndUpdateNodePortGroup(updateIfNotExists bool) error {
c.npKeyMutex.LockKey("node_acl")
defer func() { _ = c.npKeyMutex.UnlockKey("node_acl") }()

klog.V(3).Infoln("start to check node port-group status")
np, _ := c.npsLister.List(labels.Everything())
networkPolicyExists := len(np) != 0

if !updateIfNotExists && networkPolicyExists == nodeAclExists {
return nil
}

nodes, err := c.nodesLister.List(labels.Everything())
if err != nil {
klog.Errorf("list nodes: %v", err)
@@ -994,6 +1003,7 @@ func (c *Controller) checkAndUpdateNodePortGroup() error {
}
}

nodeAclExists = networkPolicyExists
return nil
}
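Review bot: The early return `if !updateIfNotExists && networkPolicyExists == nodeAclExists` trusts two values that can both be wrong: `networkPolicyExists` comes from `np, _ := c.npsLister.List(labels.Everything())` with the error discarded, and `nodeAclExists` is a package-level flag that records only what this process last wrote. A failed list leaves np nil, so the call from handleUpdateNp can return nil without touching the ACLs; I would check the error instead, `np, err := c.npsLister.List(labels.Everything())` followed by `if err != nil { return err }`. The flag would read better as a Controller field next to npKeyMutex, with a comment that it is a cache and that the `CheckNodePortGroup` path (which passes true) is what repairs any drift, for example nodes added after the flag was set; the node loop is outside the hunk, so that last part is inferred. The parameter name `updateIfNotExists` also reads as the opposite of what true does here, which is to reconcile unconditionally; something like `force` would match.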
