netpol: create node acl before creating acl rules for the first netwo…

…rk policy Signed-off-by: 张祖建 <[email protected]>
kubeovn · Aug 17, 2023 · 0f5e44f · 0f5e44f
1 parent 82edc0c
commit 0f5e44f
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 2 deletions.
diff --git a/pkg/controller/network_policy.go b/pkg/controller/network_policy.go
@@ -152,6 +152,11 @@ func (c *Controller) handleUpdateNp(key string) error {
 		return err
 	}
 
+	if err = c.checkAndUpdateNodePortGroup(false); err != nil {
+		klog.Errorf("failed to update node acl: %v", err)
+		return err
+	}
+
 	defer func() {
 		if err != nil {
 			c.recorder.Eventf(np, corev1.EventTypeWarning, "CreateACLFailed", err.Error())

diff --git a/pkg/controller/node.go b/pkg/controller/node.go
@@ -933,16 +933,25 @@ func (c *Controller) fetchPodsOnNode(nodeName string, pods []*v1.Pod) ([]string,
 }
 
 func (c *Controller) CheckNodePortGroup() {
-	if err := c.checkAndUpdateNodePortGroup(); err != nil {
+	if err := c.checkAndUpdateNodePortGroup(true); err != nil {
 		klog.Errorf("check node port group status: %v", err)
 	}
 }
 
-func (c *Controller) checkAndUpdateNodePortGroup() error {
+var nodeAclExists bool
+
+func (c *Controller) checkAndUpdateNodePortGroup(updateIfNotExists bool) error {
+	c.npKeyMutex.LockKey("node_acl")
+	defer func() { _ = c.npKeyMutex.UnlockKey("node_acl") }()
+
 	klog.V(3).Infoln("start to check node port-group status")
 	np, _ := c.npsLister.List(labels.Everything())
 	networkPolicyExists := len(np) != 0
 
+	if !updateIfNotExists && networkPolicyExists == nodeAclExists {
+		return nil
+	}
+
 	nodes, err := c.nodesLister.List(labels.Everything())
 	if err != nil {
 		klog.Errorf("list nodes: %v", err)
@@ -994,6 +1003,7 @@ func (c *Controller) checkAndUpdateNodePortGroup() error {
 		}
 	}
 
+	nodeAclExists = networkPolicyExists
 	return nil
 }