NP Changes for VPC CNI 1.19.3 (against VPC CNI 1.19.2)

.go-version

@@ -1 +1 @@
-1.22.5
+1.22.12

cmd/routed-eni-cni-plugin/cni.go

@@ -22,6 +22,7 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/containernetworking/cni/pkg/skel"
 	"github.com/containernetworking/cni/pkg/types"
@@ -42,7 +43,6 @@ import (
 	"github.com/aws/amazon-vpc-cni-k8s/pkg/utils/cniutils"
 	"github.com/aws/amazon-vpc-cni-k8s/pkg/utils/logger"
 	pb "github.com/aws/amazon-vpc-cni-k8s/rpc"
-	"github.com/aws/amazon-vpc-cni-k8s/utils"
 )
 
 const ipamdAddress = "127.0.0.1:50051"
@@ -51,6 +51,8 @@ const npAgentAddress = "127.0.0.1:50052"
 
 const dummyInterfacePrefix = "dummy"
 
+const npAgentConnTimeout = 2
+
 var version string
 
 // NetConf stores the common network config for the CNI plugin
@@ -279,34 +281,38 @@ func add(args *skel.CmdArgs, cniTypes typeswrapper.CNITYPES, grpcClient grpcwrap
 	// dummy interface is appended to PrevResult for use during cleanup
 	result.Interfaces = append(result.Interfaces, dummyInterface)
 
-	if utils.IsStrictMode(r.NetworkPolicyMode) {
-		// Set up a connection to the network policy agent
-		npConn, err := grpcClient.Dial(npAgentAddress, grpc.WithTransportCredentials(insecure.NewCredentials()))
-		if err != nil {
-			log.Errorf("Failed to connect to network policy agent: %v", err)
-			return errors.Wrap(err, "add cmd: failed to connect to network policy agent backend server")
-		}
-		defer npConn.Close()
-
-		//Make a GRPC call for network policy agent
-		npc := rpcClient.NewNPBackendClient(npConn)
-
-		npr, err := npc.EnforceNpToPod(context.Background(),
-			&pb.EnforceNpRequest{
-				K8S_POD_NAME:      string(k8sArgs.K8S_POD_NAME),
-				K8S_POD_NAMESPACE: string(k8sArgs.K8S_POD_NAMESPACE),
-			})
-
-		// No need to cleanup IP and network, kubelet will send delete.
-		if err != nil || !npr.Success {
-			log.Errorf("Failed to setup default network policy for Pod Name %s and NameSpace %s: GRPC returned - %v Network policy agent returned - %v",
-				string(k8sArgs.K8S_POD_NAME), string(k8sArgs.K8S_POD_NAMESPACE), err, npr)
-			return errors.New("add cmd: failed to setup network policy in strict mode")
-		}
+	// Set up a connection to the network policy agent
+	// Cx might have removed np container if they are not using network policies
+	// If we are not able to connect to np agent we do not return return error here. If NP agent grpc is not up
+	// and listening, NP agent will be in crash loop and we will catch the issue there
+	ctx, cancel := context.WithTimeout(context.Background(), npAgentConnTimeout*time.Second) // Set timeout
+	defer cancel()
+	npConn, err := grpcClient.DialContext(ctx, npAgentAddress, grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithBlock())
+	if err != nil {
+		log.Infof("Failed to connect to network policy agent: %v. Network Policy agent might not be running", err)
+		return cniTypes.PrintResult(result, conf.CNIVersion)
+	}
+	defer npConn.Close()
+
+	//Make a GRPC call for network policy agent
+	npc := rpcClient.NewNPBackendClient(npConn)
 
-		log.Debugf("Network Policy agent returned Success : %v", npr.Success)
+	npr, err := npc.EnforceNpToPod(context.Background(),
+		&pb.EnforceNpRequest{
+			K8S_POD_NAME:        string(k8sArgs.K8S_POD_NAME),
+			K8S_POD_NAMESPACE:   string(k8sArgs.K8S_POD_NAMESPACE),
+			NETWORK_POLICY_MODE: r.NetworkPolicyMode,
+		})
+
+	// No need to cleanup IP and network, kubelet will send delete.
+	if err != nil || !npr.Success {
+		log.Errorf("Failed to setup default network policy for Pod Name %s and NameSpace %s: GRPC returned - %v Network policy agent returned - %v",
+			string(k8sArgs.K8S_POD_NAME), string(k8sArgs.K8S_POD_NAMESPACE), err, npr)
+		return errors.New("add cmd: failed to setup network policy")
 	}
 
+	log.Debugf("Network Policy agent for EnforceNpToPod returned Success : %v", npr.Success)
+
 	return cniTypes.PrintResult(result, conf.CNIVersion)
 }
 
@@ -444,6 +450,32 @@ func del(args *skel.CmdArgs, cniTypes typeswrapper.CNITYPES, grpcClient grpcwrap
 	} else {
 		log.Warnf("Container %s did not have a valid IP %s", args.ContainerID, r.IPv4Addr)
 	}
+
+	// Set up a connection to the network policy agent
+	ctx, cancel := context.WithTimeout(context.Background(), npAgentConnTimeout*time.Second) // Set timeout
+	defer cancel()
+	npConn, err := grpcClient.DialContext(ctx, npAgentAddress, grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithBlock())
+	if err != nil {
+		log.Infof("Failed to connect to network policy agent: %v. Network Policy agent might not be running", err)
+		return nil
+	}
+	defer npConn.Close()
+	//Make a GRPC call for network policy agent
+	npc := rpcClient.NewNPBackendClient(npConn)
+
+	npr, err := npc.DeletePodNp(context.Background(),
+		&pb.DeleteNpRequest{
+			K8S_POD_NAME:      string(k8sArgs.K8S_POD_NAME),
+			K8S_POD_NAMESPACE: string(k8sArgs.K8S_POD_NAMESPACE),
+		})
+
+	// NP agent will never return an error if its not able to delete ebpf probes
+	if err != nil || !npr.Success {
+		log.Errorf("Failed to delete pod network policy for Pod Name %s and NameSpace %s: GRPC returned - %v Network policy agent returned - %v",
+			string(k8sArgs.K8S_POD_NAME), string(k8sArgs.K8S_POD_NAMESPACE), err, npr)
+	}
+
+	log.Debugf("Network Policy agent for DeletePodNp returned Success : %v", npr.Success)
 	return nil
 }
 

cmd/routed-eni-cni-plugin/cni_test.go

@@ -94,6 +94,15 @@ func TestCmdAdd(t *testing.T) {
 	mockC := mock_rpc.NewMockCNIBackendClient(ctrl)
 	mocksRPC.EXPECT().NewCNIBackendClient(conn).Return(mockC)
 
+	npConn, _ := grpc.Dial(npAgentAddress, grpc.WithInsecure())
+	mocksGRPC.EXPECT().DialContext(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(npConn, nil).Times(1)
+
+	mockNP := mock_rpc.NewMockNPBackendClient(ctrl)
+	mocksRPC.EXPECT().NewNPBackendClient(npConn).Return(mockNP).Times(1)
+
+	enforceNpReply := &rpc.EnforceNpReply{Success: true}
+	mockNP.EXPECT().EnforceNpToPod(gomock.Any(), gomock.Any()).Return(enforceNpReply, nil).Times(1)
+
 	addNetworkReply := &rpc.AddNetworkReply{Success: true, IPv4Addr: ipAddr, DeviceNumber: devNum, NetworkPolicyMode: "none"}
 	mockC.EXPECT().AddNetwork(gomock.Any(), gomock.Any()).Return(addNetworkReply, nil)
 
@@ -104,7 +113,7 @@ func TestCmdAdd(t *testing.T) {
 	mocksNetwork.EXPECT().SetupPodNetwork(gomock.Any(), cmdArgs.IfName, cmdArgs.Netns,
 		v4Addr, nil, int(addNetworkReply.DeviceNumber), gomock.Any(), gomock.Any()).Return(nil)
 
-	mocksTypes.EXPECT().PrintResult(gomock.Any(), gomock.Any()).Return(nil)
+	mocksTypes.EXPECT().PrintResult(gomock.Any(), gomock.Any()).Return(nil).Times(1)
 
 	err := add(cmdArgs, mocksTypes, mocksGRPC, mocksRPC, mocksNetwork)
 	assert.Nil(t, err)
@@ -131,7 +140,7 @@ func TestCmdAddWithNPenabled(t *testing.T) {
 
 	npConn, _ := grpc.Dial(npAgentAddress, grpc.WithInsecure())
 
-	mocksGRPC.EXPECT().Dial(gomock.Any(), gomock.Any()).Return(npConn, nil)
+	mocksGRPC.EXPECT().DialContext(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(npConn, nil).Times(1)
 	mockNP := mock_rpc.NewMockNPBackendClient(ctrl)
 	mocksRPC.EXPECT().NewNPBackendClient(npConn).Return(mockNP)
 
@@ -175,7 +184,7 @@ func TestCmdAddWithNPenabledWithErr(t *testing.T) {
 
 	npConn, _ := grpc.Dial(npAgentAddress, grpc.WithInsecure())
 
-	mocksGRPC.EXPECT().Dial(gomock.Any(), gomock.Any()).Return(npConn, nil)
+	mocksGRPC.EXPECT().DialContext(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(npConn, nil).Times(1)
 	mockNP := mock_rpc.NewMockNPBackendClient(ctrl)
 	mocksRPC.EXPECT().NewNPBackendClient(npConn).Return(mockNP)
 
@@ -281,10 +290,18 @@ func TestCmdDel(t *testing.T) {
 	mockC := mock_rpc.NewMockCNIBackendClient(ctrl)
 	mocksRPC.EXPECT().NewCNIBackendClient(conn).Return(mockC)
 
-	delNetworkReply := &rpc.DelNetworkReply{Success: true, IPv4Addr: ipAddr, DeviceNumber: devNum}
+	npConn, _ := grpc.Dial(npAgentAddress, grpc.WithInsecure())
+
+	mocksGRPC.EXPECT().DialContext(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(npConn, nil).Times(1)
+	mockNP := mock_rpc.NewMockNPBackendClient(ctrl)
+	mocksRPC.EXPECT().NewNPBackendClient(npConn).Return(mockNP)
 
+	delNetworkReply := &rpc.DelNetworkReply{Success: true, IPv4Addr: ipAddr, DeviceNumber: devNum}
 	mockC.EXPECT().DelNetwork(gomock.Any(), gomock.Any()).Return(delNetworkReply, nil)
 
+	deleteNpReply := &rpc.DeleteNpReply{Success: true}
+	mockNP.EXPECT().DeletePodNp(gomock.Any(), gomock.Any()).Return(deleteNpReply, nil)
+
 	addr := &net.IPNet{
 		IP:   net.ParseIP(delNetworkReply.IPv4Addr),
 		Mask: net.IPv4Mask(255, 255, 255, 255),
@@ -377,10 +394,19 @@ func TestCmdAddForPodENINetwork(t *testing.T) {
 	mockC := mock_rpc.NewMockCNIBackendClient(ctrl)
 	mocksRPC.EXPECT().NewCNIBackendClient(conn).Return(mockC)
 
+	npConn, _ := grpc.Dial(npAgentAddress, grpc.WithInsecure())
+
+	mocksGRPC.EXPECT().DialContext(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(npConn, nil).Times(1)
+	mockNP := mock_rpc.NewMockNPBackendClient(ctrl)
+	mocksRPC.EXPECT().NewNPBackendClient(npConn).Return(mockNP)
+
 	addNetworkReply := &rpc.AddNetworkReply{Success: true, IPv4Addr: ipAddr, PodENISubnetGW: "10.0.0.1", PodVlanId: 1,
 		PodENIMAC: "eniHardwareAddr", ParentIfIndex: 2, NetworkPolicyMode: "none"}
 	mockC.EXPECT().AddNetwork(gomock.Any(), gomock.Any()).Return(addNetworkReply, nil)
 
+	enforceNpReply := &rpc.EnforceNpReply{Success: true}
+	mockNP.EXPECT().EnforceNpToPod(gomock.Any(), gomock.Any()).Return(enforceNpReply, nil)
+
 	addr := &net.IPNet{
 		IP:   net.ParseIP(addNetworkReply.IPv4Addr),
 		Mask: net.IPv4Mask(255, 255, 255, 255),
@@ -414,10 +440,18 @@ func TestCmdDelForPodENINetwork(t *testing.T) {
 	mockC := mock_rpc.NewMockCNIBackendClient(ctrl)
 	mocksRPC.EXPECT().NewCNIBackendClient(conn).Return(mockC)
 
-	delNetworkReply := &rpc.DelNetworkReply{Success: true, IPv4Addr: ipAddr, PodVlanId: 1}
+	npConn, _ := grpc.Dial(npAgentAddress, grpc.WithInsecure())
 
+	mocksGRPC.EXPECT().DialContext(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(npConn, nil).Times(1)
+	mockNP := mock_rpc.NewMockNPBackendClient(ctrl)
+	mocksRPC.EXPECT().NewNPBackendClient(npConn).Return(mockNP)
+
+	delNetworkReply := &rpc.DelNetworkReply{Success: true, IPv4Addr: ipAddr, PodVlanId: 1}
 	mockC.EXPECT().DelNetwork(gomock.Any(), gomock.Any()).Return(delNetworkReply, nil)
 
+	deleteNpReply := &rpc.DeleteNpReply{Success: true}
+	mockNP.EXPECT().DeletePodNp(gomock.Any(), gomock.Any()).Return(deleteNpReply, nil)
+
 	addr := &net.IPNet{
 		IP:   net.ParseIP(delNetworkReply.IPv4Addr),
 		Mask: net.IPv4Mask(255, 255, 255, 255),

config/master/aws-k8s-cni-cn.yaml

@@ -539,7 +539,7 @@ spec:
           - mountPath: /run/xtables.lock
             name: xtables-lock
         - name: aws-eks-nodeagent
-          image: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon/aws-network-policy-agent:v1.1.6
+          image: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon/aws-network-policy-agent:v1.2.0
           imagePullPolicy: Always
           env:
             - name: MY_NODE_NAME

config/master/aws-k8s-cni-us-gov-east-1.yaml

@@ -539,7 +539,7 @@ spec:
           - mountPath: /run/xtables.lock
             name: xtables-lock
         - name: aws-eks-nodeagent
-          image: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon/aws-network-policy-agent:v1.1.6
+          image: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon/aws-network-policy-agent:v1.2.0
           imagePullPolicy: Always
           env:
             - name: MY_NODE_NAME

config/master/aws-k8s-cni-us-gov-west-1.yaml

@@ -539,7 +539,7 @@ spec:
           - mountPath: /run/xtables.lock
             name: xtables-lock
         - name: aws-eks-nodeagent
-          image: 013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/amazon/aws-network-policy-agent:v1.1.6
+          image: 013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/amazon/aws-network-policy-agent:v1.2.0
           imagePullPolicy: Always
           env:
             - name: MY_NODE_NAME

config/master/aws-k8s-cni.yaml

@@ -539,7 +539,7 @@ spec:
           - mountPath: /run/xtables.lock
             name: xtables-lock
         - name: aws-eks-nodeagent
-          image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-network-policy-agent:v1.1.6
+          image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-network-policy-agent:v1.2.0
           imagePullPolicy: Always
           env:
             - name: MY_NODE_NAME