fix: add node to pod allow acl

If this acl not exists and networkpolicy is added, probe will failed as is not allowed. If no networkpolicy exists, this allow acl may increase performance burden. So only add this acl if any networkpolicy exists
kubeovn · May 23, 2021 · c1d3fc3 · c1d3fc3
1 parent 775aec6
commit c1d3fc3
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 5 deletions.
diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
@@ -501,4 +501,5 @@ func (c *Controller) startWorkers(stopCh <-chan struct{}) {
 
 	go wait.Until(c.resyncSubnetMetrics, 30*time.Second, stopCh)
 	go wait.Until(c.CheckGatewayReady, 5*time.Second, stopCh)
+	go wait.Until(c.resyncNodeACL, 10*time.Second, stopCh)
 }
diff --git a/pkg/controller/network_policy.go b/pkg/controller/network_policy.go
@@ -658,3 +658,27 @@ func isNamespaceMatchNetworkPolicy(ns *corev1.Namespace, policy *netv1.NetworkPo
 	}
 	return false
 }
+
+func (c *Controller) resyncNodeACL() {
+	np, _ := c.npsLister.List(labels.Everything())
+	networkPolicyExists := len(np) != 0
+
+	subnets, _ := c.subnetsLister.List(labels.Everything())
+	for _, subnet := range subnets {
+		if subnet.Spec.Provider == util.OvnProvider || subnet.Spec.Provider == "" {
+			if subnet.Name == c.config.NodeSwitch {
+				continue
+			}
+
+			if networkPolicyExists {
+				if err := c.ovnClient.SetNodeSwitchAcl(subnet.Name); err != nil {
+					klog.Errorf("failed to set node acl, %v", err)
+				}
+			} else {
+				if err := c.ovnClient.RemoveNodeSwitchAcl(subnet.Name); err != nil {
+					klog.Errorf("failed to set node acl, %v", err)
+				}
+			}
+		}
+	}
+}
diff --git a/pkg/ovs/ovn-nbctl.go b/pkg/ovs/ovn-nbctl.go
@@ -731,6 +731,40 @@ func (c Client) CleanLogicalSwitchAcl(ls string) error {
 	return err
 }
 
+func (c Client) SetNodeSwitchAcl(ls string) error {
+	cidrs := strings.Split(c.NodeSwitchCIDR, ",")
+	for _, cidr := range cidrs {
+		var err error
+		if util.CheckProtocol(cidr) == kubeovnv1.ProtocolIPv4 {
+			_, err = c.ovnNbCommand(MayExist, "acl-add", ls, "to-lport", util.NodeAllowPriority, fmt.Sprintf("ip4.src==%s", c.NodeSwitchCIDR), "allow-related")
+		} else {
+			_, err = c.ovnNbCommand(MayExist, "acl-add", ls, "to-lport", util.NodeAllowPriority, fmt.Sprintf("ip6.src==%s", c.NodeSwitchCIDR), "allow-related")
+		}
+		if err != nil {
+			klog.Errorf("failed to add node switch acl")
+			return err
+		}
+	}
+	return nil
+}
+
+func (c Client) RemoveNodeSwitchAcl(ls string) error {
+	cidrs := strings.Split(c.NodeSwitchCIDR, ",")
+	for _, cidr := range cidrs {
+		var err error
+		if util.CheckProtocol(cidr) == kubeovnv1.ProtocolIPv4 {
+			_, err = c.ovnNbCommand("acl-del", ls, "to-lport", util.NodeAllowPriority, fmt.Sprintf("ip4.src==%s", c.NodeSwitchCIDR))
+		} else {
+			_, err = c.ovnNbCommand("acl-del", ls, "to-lport", util.NodeAllowPriority, fmt.Sprintf("ip6.src==%s", c.NodeSwitchCIDR))
+		}
+		if err != nil {
+			klog.Errorf("failed to delete node switch acl")
+			return err
+		}
+	}
+	return nil
+}
+
 // ResetLogicalSwitchAcl reset acl of a switch
 func (c Client) ResetLogicalSwitchAcl(ls string) error {
 	_, err := c.ovnNbCommand("acl-del", ls)
@@ -744,12 +778,12 @@ func (c Client) SetPrivateLogicalSwitch(ls, protocol, cidr string, allow []strin
 	var dropArgs []string
 	if protocol == kubeovnv1.ProtocolIPv4 {
 		dropArgs = []string{"--", "--log", fmt.Sprintf("--name=%s", ls), fmt.Sprintf("--severity=%s", "warning"), "acl-add", ls, "to-lport", util.DefaultDropPriority, "ip", "drop"}
-		allowArgs = append(allowArgs, "--", "acl-add", ls, "to-lport", util.NodeAllowPriority, fmt.Sprintf("ip4.src==%s", c.NodeSwitchCIDR), "allow-related")
-		allowArgs = append(allowArgs, "--", "acl-add", ls, "to-lport", util.SubnetAllowPriority, fmt.Sprintf(`ip4.src==%s && ip4.dst==%s`, cidr, cidr), "allow-related")
+		allowArgs = append(allowArgs, "--", MayExist, "acl-add", ls, "to-lport", util.NodeAllowPriority, fmt.Sprintf("ip4.src==%s", c.NodeSwitchCIDR), "allow-related")
+		allowArgs = append(allowArgs, "--", MayExist, "acl-add", ls, "to-lport", util.SubnetAllowPriority, fmt.Sprintf(`ip4.src==%s && ip4.dst==%s`, cidr, cidr), "allow-related")
 	} else {
 		dropArgs = []string{"--", "--log", fmt.Sprintf("--name=%s", ls), fmt.Sprintf("--severity=%s", "warning"), "acl-add", ls, "to-lport", util.DefaultDropPriority, "ip", "drop"}
-		allowArgs = append(allowArgs, "--", "acl-add", ls, "to-lport", util.NodeAllowPriority, fmt.Sprintf("ip6.src==%s", c.NodeSwitchCIDR), "allow-related")
-		allowArgs = append(allowArgs, "--", "acl-add", ls, "to-lport", util.SubnetAllowPriority, fmt.Sprintf(`ip6.src==%s && ip6.dst==%s`, cidr, cidr), "allow-related")
+		allowArgs = append(allowArgs, "--", MayExist, "acl-add", ls, "to-lport", util.NodeAllowPriority, fmt.Sprintf("ip6.src==%s", c.NodeSwitchCIDR), "allow-related")
+		allowArgs = append(allowArgs, "--", MayExist, "acl-add", ls, "to-lport", util.SubnetAllowPriority, fmt.Sprintf(`ip6.src==%s && ip6.dst==%s`, cidr, cidr), "allow-related")
 	}
 	ovnArgs := append(delArgs, dropArgs...)
 
@@ -763,7 +797,7 @@ func (c Client) SetPrivateLogicalSwitch(ls, protocol, cidr string, allow []strin
 				match = fmt.Sprintf("(ip6.src==%s && ip6.dst==%s) || (ip6.src==%s && ip6.dst==%s)", strings.TrimSpace(subnet), cidr, cidr, strings.TrimSpace(subnet))
 			}
 
-			allowArgs = append(allowArgs, "--", "acl-add", ls, "to-lport", util.SubnetAllowPriority, match, "allow-related")
+			allowArgs = append(allowArgs, "--", MayExist, "acl-add", ls, "to-lport", util.SubnetAllowPriority, match, "allow-related")
 		}
 	}
 	ovnArgs = append(ovnArgs, allowArgs...)