From 92f3f93359a4fd5d805156633bd5846a711dd59c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BC=A0=E7=A5=96=E5=BB=BA?=
Date: Tue, 15 Aug 2023 18:01:03 +0800
Subject: [PATCH] netpol: create node acl before creating acl rules for the first network policy

---
 pkg/controller/network_policy.go | 5 +++++
 pkg/controller/node.go | 14 ++++++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/pkg/controller/network_policy.go b/pkg/controller/network_policy.go
index 61e2aba176e0..2a7a62cc9668 100644
--- a/pkg/controller/network_policy.go
+++ b/pkg/controller/network_policy.go
@@ -152,6 +152,11 @@ func (c *Controller) handleUpdateNp(key string) error {
 		return err
 	}
 
+	if err = c.checkAndUpdateNodePortGroup(false); err != nil {
+		klog.Errorf("failed to update node acl: %v", err)
+		return err
+	}
+
 	defer func() {
 		if err != nil {
 			c.recorder.Eventf(np, corev1.EventTypeWarning, "CreateACLFailed", err.Error())
diff --git a/pkg/controller/node.go b/pkg/controller/node.go
index feb30064663f..ef0d77fc1900 100644
--- a/pkg/controller/node.go
+++ b/pkg/controller/node.go
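Review bot: The new checkAndUpdateNodePortGroup(false) call is placed above the `defer func() { if err != nil { c.recorder.Eventf(np, corev1.EventTypeWarning, "CreateACLFailed", err.Error()) } }()` that follows it, so when it fails handleUpdateNp returns with only a klog line and no warning event on the NetworkPolicy, unlike every later failure in the function. Moving the added block below that defer keeps the failure visible on the object an operator will look at; the `err =` assignment already targets the outer err the closure reads, so nothing else needs to change. The message would also read like the file's other log lines as `klog.Errorf("update node acl: %v", err)`. handleUpdateNp starts and ends outside the hunk.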
@@ -933,16 +933,25 @@ func (c *Controller) fetchPodsOnNode(nodeName string, pods []*v1.Pod) ([]string,
 }
 
 func (c *Controller) CheckNodePortGroup() {
-	if err := c.checkAndUpdateNodePortGroup(); err != nil {
+	if err := c.checkAndUpdateNodePortGroup(true); err != nil {
 		klog.Errorf("check node port group status: %v", err)
 	}
 }
 
-func (c *Controller) checkAndUpdateNodePortGroup() error {
+var nodeAclExists bool
+
+func (c *Controller) checkAndUpdateNodePortGroup(updateIfNotExists bool) error {
+	c.npKeyMutex.LockKey("node_acl")
+	defer func() { _ = c.npKeyMutex.UnlockKey("node_acl") }()
+
 	klog.V(3).Infoln("start to check node port-group status")
 	np, _ := c.npsLister.List(labels.Everything())
 	networkPolicyExists := len(np) != 0
+	if !updateIfNotExists && networkPolicyExists == nodeAclExists {
+		return nil
+	}
+
 	nodes, err := c.nodesLister.List(labels.Everything())
 	if err != nil {
 		klog.Errorf("list nodes: %v", err)
@@ -994,6 +1003,7 @@ func (c *Controller) checkAndUpdateNodePortGroup() error {
 		}
 	}
 
+	nodeAclExists = networkPolicyExists
 	return nil
 }
 
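Review bot: `var nodeAclExists bool` introduces package-level mutable state with no comment on what it caches or that it is only safe to touch while holding `c.npKeyMutex.LockKey("node_acl")`, which both the early return in this hunk and the assignment in the second hunk (`nodeAclExists = networkPolicyExists`) rely on. A comment such as `// nodeAclExists records whether the node ACL matched the presence of network policies at the last successful reconcile; read and written only under npKeyMutex key "node_acl".` would make that contract explicit, and a Controller field (spelled nodeACLExists per Go initialism convention) would keep it from outliving or being shared across controller instances. Because the cache is in-memory only, the updateIfNotExists=false path taken from the network-policy handler skips reconciling even if the ACL was removed out of band, so the periodic CheckNodePortGroup(true) call is the only backstop — worth stating next to the flag. The parameter name also reads inverted: when true the cache check is bypassed and a full reconcile always runs, so `force bool` would describe it better. Both hunks cut through checkAndUpdateNodePortGroup, whose middle is outside the view.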