* Ignoring hostnetwork pods from being added into Ipsets * generalizing the check on hostnetwork pod * Adding tests for add, update and delete hostnetwork pods
This commit is contained in:
Vamsi Kalapala
GitHub
Родитель
cc3f97059a
Коммит
82768ac7fa
21
npm/pod.go
21
npm/pod.go
|
|
@ -21,6 +21,10 @@ func isSystemPod(podObj *corev1.Pod) bool {
|
|||
return podObj.ObjectMeta.Namespace == util.KubeSystemFlag
|
||||
}
|
||||
|
||||
func isHostNetworkPod(podObj *corev1.Pod) bool {
|
||||
return podObj.Spec.HostNetwork
|
||||
}
|
||||
|
||||
func isInvalidPodUpdate(oldPodObj, newPodObj *corev1.Pod) (isInvalidUpdate bool) {
|
||||
isInvalidUpdate = oldPodObj.ObjectMeta.Namespace == newPodObj.ObjectMeta.Namespace &&
|
||||
oldPodObj.ObjectMeta.Name == newPodObj.ObjectMeta.Name &&
|
||||
|
|
@ -61,6 +65,12 @@ func (npMgr *NetworkPolicyManager) AddPod(podObj *corev1.Pod) error {
|
|||
}
|
||||
}
|
||||
|
||||
// Ignore adding the HostNetwork pod to any ipsets.
|
||||
if isHostNetworkPod(podObj) {
|
||||
log.Logf("HostNetwork POD IGNORED: [%s%s/%s/%s%+v%s]", podUid, podNs, podName, podNodeName, podLabels, podIP)
|
||||
return nil
|
||||
}
|
||||
|
||||
// Add the pod to its namespace's ipset.
|
||||
log.Logf("Adding pod %s to ipset %s", podIP, podNs)
|
||||
if err = ipsMgr.AddToSet(podNs, podIP, util.IpsetNetHashFlag, podUid); err != nil {
|
||||
|
|
@ -116,6 +126,17 @@ func (npMgr *NetworkPolicyManager) UpdatePod(oldPodObj, newPodObj *corev1.Pod) e
|
|||
return nil
|
||||
}
|
||||
|
||||
// today K8s does not allow updating HostNetwork flag for an existing Pod. So NPM can safely
|
||||
// check on the oldPodObj for hostNework value
|
||||
if isHostNetworkPod(oldPodObj) {
|
||||
log.Logf(
|
||||
"POD UPDATING ignored for HostNetwork Pod:\n old pod: [%s/%s/%+v/%s/%s]\n new pod: [%s/%s/%+v/%s/%s]",
|
||||
oldPodObj.ObjectMeta.Namespace, oldPodObj.ObjectMeta.Name, oldPodObj.Status.PodIP,
|
||||
newPodObj.ObjectMeta.Namespace, newPodObj.ObjectMeta.Name, newPodObj.Status.PodIP,
|
||||
)
|
||||
return nil
|
||||
}
|
||||
|
||||
if isInvalidPodUpdate(oldPodObj, newPodObj) {
|
||||
return nil
|
||||
}
|
||||
|
|
|
|||
180
npm/pod_test.go
180
npm/pod_test.go
|
|
@ -202,3 +202,183 @@ func TestDeletePod(t *testing.T) {
|
|||
}
|
||||
npMgr.Unlock()
|
||||
}
|
||||
|
||||
func TestAddHostNetworkPod(t *testing.T) {
|
||||
npMgr := &NetworkPolicyManager{
|
||||
nsMap: make(map[string]*namespace),
|
||||
podMap: make(map[string]string),
|
||||
TelemetryEnabled: false,
|
||||
}
|
||||
|
||||
allNs, err := newNs(util.KubeAllNamespacesFlag)
|
||||
if err != nil {
|
||||
panic(err.Error)
|
||||
}
|
||||
npMgr.nsMap[util.KubeAllNamespacesFlag] = allNs
|
||||
|
||||
ipsMgr := ipsm.NewIpsetManager()
|
||||
if err := ipsMgr.Save(util.IpsetTestConfigFile); err != nil {
|
||||
t.Errorf("TestAddHostNetworkPod failed @ ipsMgr.Save")
|
||||
}
|
||||
|
||||
defer func() {
|
||||
if err := ipsMgr.Restore(util.IpsetTestConfigFile); err != nil {
|
||||
t.Errorf("TestAddHostNetworkPod failed @ ipsMgr.Restore")
|
||||
}
|
||||
}()
|
||||
|
||||
podObj := &corev1.Pod{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "test-pod",
|
||||
Namespace: "test-namespace",
|
||||
Labels: map[string]string{
|
||||
"app": "test-pod",
|
||||
},
|
||||
},
|
||||
Status: corev1.PodStatus{
|
||||
Phase: "Running",
|
||||
PodIP: "1.2.3.4",
|
||||
},
|
||||
Spec: corev1.PodSpec{
|
||||
HostNetwork: true,
|
||||
},
|
||||
}
|
||||
|
||||
npMgr.Lock()
|
||||
if err := npMgr.AddPod(podObj); err != nil {
|
||||
t.Errorf("TestAddHostNetworkPod failed @ AddPod")
|
||||
}
|
||||
|
||||
if len(npMgr.podMap) >= 1 {
|
||||
t.Errorf("TestAddHostNetworkPod failed @ podMap length check")
|
||||
}
|
||||
npMgr.Unlock()
|
||||
}
|
||||
|
||||
func TestUpdateHostNetworkPod(t *testing.T) {
|
||||
npMgr := &NetworkPolicyManager{
|
||||
nsMap: make(map[string]*namespace),
|
||||
podMap: make(map[string]string),
|
||||
TelemetryEnabled: false,
|
||||
}
|
||||
|
||||
allNs, err := newNs(util.KubeAllNamespacesFlag)
|
||||
if err != nil {
|
||||
panic(err.Error)
|
||||
}
|
||||
npMgr.nsMap[util.KubeAllNamespacesFlag] = allNs
|
||||
|
||||
ipsMgr := ipsm.NewIpsetManager()
|
||||
if err := ipsMgr.Save(util.IpsetTestConfigFile); err != nil {
|
||||
t.Errorf("TestUpdateHostNetworkPod failed @ ipsMgr.Save")
|
||||
}
|
||||
|
||||
defer func() {
|
||||
if err := ipsMgr.Restore(util.IpsetTestConfigFile); err != nil {
|
||||
t.Errorf("TestUpdateHostNetworkPod failed @ ipsMgr.Restore")
|
||||
}
|
||||
}()
|
||||
|
||||
// HostNetwork check is done on the oldPodObj,
|
||||
// so intentionally not adding hostnet true in newPodObj
|
||||
oldPodObj := &corev1.Pod{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "old-test-pod",
|
||||
Namespace: "test-namespace",
|
||||
Labels: map[string]string{
|
||||
"app": "old-test-pod",
|
||||
},
|
||||
},
|
||||
Status: corev1.PodStatus{
|
||||
Phase: "Running",
|
||||
PodIP: "1.2.3.4",
|
||||
},
|
||||
Spec: corev1.PodSpec{
|
||||
HostNetwork: true,
|
||||
},
|
||||
}
|
||||
|
||||
newPodObj := &corev1.Pod{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "new-test-pod",
|
||||
Namespace: "test-namespace",
|
||||
Labels: map[string]string{
|
||||
"app": "new-test-pod",
|
||||
},
|
||||
},
|
||||
Status: corev1.PodStatus{
|
||||
Phase: "Running",
|
||||
PodIP: "4.3.2.1",
|
||||
},
|
||||
}
|
||||
|
||||
npMgr.Lock()
|
||||
if err := npMgr.AddPod(oldPodObj); err != nil {
|
||||
t.Errorf("TestUpdateHostNetworkPod failed @ AddPod")
|
||||
}
|
||||
|
||||
if err := npMgr.UpdatePod(oldPodObj, newPodObj); err != nil {
|
||||
t.Errorf("TestUpdateHostNetworkPod failed @ UpdatePod")
|
||||
}
|
||||
|
||||
if len(npMgr.podMap) >= 1 {
|
||||
t.Errorf("TestUpdateHostNetworkPod failed @ podMap length check")
|
||||
}
|
||||
npMgr.Unlock()
|
||||
}
|
||||
|
||||
func TestDeleteHostNetworkPod(t *testing.T) {
|
||||
npMgr := &NetworkPolicyManager{
|
||||
nsMap: make(map[string]*namespace),
|
||||
podMap: make(map[string]string),
|
||||
TelemetryEnabled: false,
|
||||
}
|
||||
|
||||
allNs, err := newNs(util.KubeAllNamespacesFlag)
|
||||
if err != nil {
|
||||
panic(err.Error)
|
||||
}
|
||||
npMgr.nsMap[util.KubeAllNamespacesFlag] = allNs
|
||||
|
||||
ipsMgr := ipsm.NewIpsetManager()
|
||||
if err := ipsMgr.Save(util.IpsetTestConfigFile); err != nil {
|
||||
t.Errorf("TestDeleteHostNetworkPod failed @ ipsMgr.Save")
|
||||
}
|
||||
|
||||
defer func() {
|
||||
if err := ipsMgr.Restore(util.IpsetTestConfigFile); err != nil {
|
||||
t.Errorf("TestDeleteHostNetworkPod failed @ ipsMgr.Restore")
|
||||
}
|
||||
}()
|
||||
|
||||
podObj := &corev1.Pod{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "test-pod",
|
||||
Namespace: "test-namespace",
|
||||
Labels: map[string]string{
|
||||
"app": "test-pod",
|
||||
},
|
||||
},
|
||||
Status: corev1.PodStatus{
|
||||
Phase: "Running",
|
||||
PodIP: "1.2.3.4",
|
||||
},
|
||||
Spec: corev1.PodSpec{
|
||||
HostNetwork: true,
|
||||
},
|
||||
}
|
||||
|
||||
npMgr.Lock()
|
||||
if err := npMgr.AddPod(podObj); err != nil {
|
||||
t.Errorf("TestDeleteHostNetworkPod failed @ AddPod")
|
||||
}
|
||||
|
||||
if len(npMgr.podMap) >= 1 {
|
||||
t.Errorf("TestDeleteHostNetworkPod failed @ podMap length check")
|
||||
}
|
||||
|
||||
if err := npMgr.DeletePod(podObj); err != nil {
|
||||
t.Errorf("TestDeleteHostNetworkPod failed @ DeletePod")
|
||||
}
|
||||
npMgr.Unlock()
|
||||
}
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче