Merge pull request #2099 from duanjiong/networkpolicy-fix

fix namespace networkpolicy
2020-05-22 14:54:34 +08:00
parent 62566b9712 7a0b18315f
commit b8e6a670d7
2 changed files with 41 additions and 35 deletions
--- a/pkg/controller/network/nsnetworkpolicy/controller.go
+++ b/pkg/controller/network/nsnetworkpolicy/controller.go
@@ -3,6 +3,7 @@ package nsnetworkpolicy
 import (
 	"fmt"
 	"net"
+	"sort"
 	"strings"
 	"time"

@@ -280,12 +281,10 @@ func (c *NSNetworkPolicyController) generateNodeRule() (netv1.NetworkPolicyIngre
 		if snatIPs != "" {
 			ips = append(ips, strings.Split(snatIPs, ";")...)
 		}
-
-		for _, address := range node.Status.Addresses {
-			ips = append(ips, address.Address)
-		}
 	}

+	sort.Strings(ips)
+
 	for _, ip := range ips {
 		cidr, err := stringToCIDR(ip)
 		if err != nil {
@@ -339,15 +338,17 @@ func (c *NSNetworkPolicyController) nsEnqueue(ns *corev1.Namespace) {
 		return
 	}

-	klog.V(4).Infof("Enqueue namespace %s", ns.Name)
+	workspaceName := ns.Labels[constants.WorkspaceLabelKey]
+	if workspaceName == "" {
+		return
+	}
+
 	c.nsQueue.Add(key)
 }

 func (c *NSNetworkPolicyController) addWorkspace(newObj interface{}) {
 	new := newObj.(*workspacev1alpha1.Workspace)

-	klog.V(4).Infof("Add workspace %s", new.Name)
-
 	label := labels.SelectorFromSet(labels.Set{constants.WorkspaceLabelKey: new.Name})
 	nsList, err := c.namespaceInformer.Lister().List(label)
 	if err != nil {
@@ -360,6 +361,18 @@ func (c *NSNetworkPolicyController) addWorkspace(newObj interface{}) {
 	}
 }

+func (c *NSNetworkPolicyController) addNode(newObj interface{}) {
+	nsList, err := c.namespaceInformer.Lister().List(labels.Everything())
+	if err != nil {
+		klog.Errorf("Error while list namespace by label")
+		return
+	}
+
+	for _, ns := range nsList {
+		c.nsEnqueue(ns)
+	}
+}
+
 func (c *NSNetworkPolicyController) addNamespace(obj interface{}) {
 	ns := obj.(*corev1.Namespace)

@@ -368,8 +381,6 @@ func (c *NSNetworkPolicyController) addNamespace(obj interface{}) {
 		return
 	}

-	klog.V(4).Infof("Add namespace %s", ns.Name)
-
 	c.nsEnqueue(ns)
 }

@@ -381,17 +392,7 @@ func isNetworkIsolateEnabled(ns *corev1.Namespace) bool {
 	return false
 }

-func hadNamespaceLabel(ns *corev1.Namespace) bool {
-	if ns.Annotations[constants.NamespaceLabelKey] == ns.Name {
-		return true
-	}
-
-	return false
-}
-
 func (c *NSNetworkPolicyController) syncNs(key string) error {
-	klog.V(4).Infof("Sync namespace %s", key)
-
 	_, name, err := cache.SplitMetaNamespaceKey(key)
 	if err != nil {
 		klog.Errorf("Not a valid controller key %s, %#v", key, err)
@@ -411,9 +412,9 @@ func (c *NSNetworkPolicyController) syncNs(key string) error {

 	workspaceName := ns.Labels[constants.WorkspaceLabelKey]
 	if workspaceName == "" {
-		klog.Error("Workspace name should not be empty")
 		return nil
 	}
+
 	wksp, err := c.workspaceInformer.Lister().Get(workspaceName)
 	if err != nil {
 		//Should not be here
@@ -425,16 +426,6 @@ func (c *NSNetworkPolicyController) syncNs(key string) error {
 		return err
 	}

-	//Maybe some ns not labeled
-	if !hadNamespaceLabel(ns) {
-		ns.Labels[constants.NamespaceLabelKey] = ns.Name
-		_, err := c.client.CoreV1().Namespaces().Update(ns)
-		if err != nil {
-			//Just log, label can also be added by namespace controller
-			klog.Errorf("cannot label namespace %s", ns.Name)
-		}
-	}
-
 	matchWorkspace := false
 	delete := false
 	nsnpList, _ := c.informer.Lister().NamespaceNetworkPolicies(ns.Name).List(labels.Everything())
@@ -611,7 +602,7 @@ func NewNSNetworkPolicyController(
 		AddFunc: controller.addWorkspace,
 		UpdateFunc: func(oldObj, newObj interface{}) {
 			old := oldObj.(*workspacev1alpha1.Workspace)
-			new := oldObj.(*workspacev1alpha1.Workspace)
+			new := newObj.(*workspacev1alpha1.Workspace)
 			if old.Spec.NetworkIsolation == new.Spec.NetworkIsolation {
 				return
 			}
@@ -619,12 +610,29 @@ func NewNSNetworkPolicyController(
 		},
 	})

-	namespaceInformer.Informer().AddEventHandlerWithResyncPeriod(cache.ResourceEventHandlerFuncs{
+	nodeInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc: controller.addNode,
+		UpdateFunc: func(oldObj, newObj interface{}) {
+			old := oldObj.(*corev1.Node)
+			new := newObj.(*corev1.Node)
+			if old.Annotations[NodeNSNPAnnotationKey] == new.Annotations[NodeNSNPAnnotationKey] {
+				return
+			}
+			controller.addNode(newObj)
+		},
+	})
+
+	namespaceInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
 		AddFunc: controller.addNamespace,
 		UpdateFunc: func(oldObj interface{}, newObj interface{}) {
+			old := oldObj.(*corev1.Namespace)
+			new := newObj.(*corev1.Namespace)
+			if old.Annotations[NamespaceNPAnnotationKey] == new.Annotations[NamespaceNPAnnotationKey] {
+				return
+			}
 			controller.addNamespace(newObj)
 		},
-	}, defaultSleepDuration)
+	})

 	nsnpInformer.Informer().AddEventHandlerWithResyncPeriod(cache.ResourceEventHandlerFuncs{
 		AddFunc: func(obj interface{}) {
--- a/pkg/controller/network/provider/ns_k8s.go
+++ b/pkg/controller/network/provider/ns_k8s.go
@@ -50,7 +50,6 @@ func (c *k8sPolicyController) Start(stopCh <-chan struct{}) {
 }

 func (c *k8sPolicyController) Set(np *netv1.NetworkPolicy) error {
-	klog.V(4).Infof("Set NetworkPolicy %s/%s  %+v", np.Namespace, np.Name, np)
 	// Add to cache.
 	k := c.GetKey(np.Name, np.Namespace)
 	c.resourceCache.Set(k, *np)
@@ -59,7 +58,6 @@ func (c *k8sPolicyController) Set(np *netv1.NetworkPolicy) error {
 }

 func (c *k8sPolicyController) Delete(key string) {
-	klog.V(4).Infof("Delete NetworkPolicy %s", key)
 	c.resourceCache.Delete(key)
 }