
Commit 282cc9f

committed
delete legacy acls when upgrading to v1.13.x (#4742)
the acls in v1.13.x are in tier 2 rather than tier 0 in v1.12.x, the legacy acls may cause some unexpected behaviors because acls in tier 0 have the highest priority. we should delete legacy acls and recreate them when upgrading to v1.13.x. Signed-off-by: suo <[email protected]>
1 parent 86ad84b commit 282cc9f

19 files changed

+440
-58
lines changed

mocks/pkg/ovs/interface.go

+16-16

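--- a/pkg/controller/admin_network_policy.go
+++ b/pkg/controller/admin_network_policy.go
@@ -190,7 +190,7 @@ func (c *Controller) handleAddAnp(key string) (err error) {
 return err
 }
 
-ingressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "to-lport", nil)
+ingressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "to-lport", nil, util.NilACLTier)
 if err != nil {
 klog.Errorf("failed to generate clear operations for anp %s ingress acls: %v", key, err)
 return err
@@ -266,7 +266,7 @@ func (c *Controller) handleAddAnp(key string) (err error) {
 return fmt.Errorf("failed to delete unused ingress address set for anp %s: %w", key, err)
 }
 
-egressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "from-lport", nil)
+egressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "from-lport", nil, util.NilACLTier)
 if err != nil {
 klog.Errorf("failed to generate clear operations for anp %s egress acls: %v", key, err)
 return err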

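--- a/pkg/controller/baseline_admin_network_policy.go
+++ b/pkg/controller/baseline_admin_network_policy.go
@@ -148,7 +148,7 @@ func (c *Controller) handleAddBanp(key string) (err error) {
 return err
 }
 
-ingressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "to-lport", nil)
+ingressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "to-lport", nil, util.NilACLTier)
 if err != nil {
 klog.Errorf("failed to generate clear operations for banp %s ingress acls: %v", key, err)
 return err
@@ -225,7 +225,7 @@ func (c *Controller) handleAddBanp(key string) (err error) {
 return fmt.Errorf("failed to delete unused ingress address set for banp %s: %w", key, err)
 }
 
-egressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "from-lport", nil)
+egressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "from-lport", nil, util.NilACLTier)
 if err != nil {
 klog.Errorf("failed to generate clear operations for banp %s egress acls: %v", key, err)
 return err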

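--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
@@ -995,6 +995,8 @@ func (c *Controller) Run(ctx context.Context) {
 }
 }
 
+c.handleUpgrading()
+
 // start workers to do all the network operations
 c.startWorkers(ctx)
 
@@ -1131,6 +1133,25 @@ func (c *Controller) shutdown() {
 }
 }
 
+func (c *Controller) handleUpgrading() {
+klog.Info("Start upgrading")
+
+if err := c.upgradeSecurityGroups(); err != nil {
+util.LogFatalAndExit(err, "failed to upgrade security groups")
+}
+if err := c.upgradeSubnets(); err != nil {
+util.LogFatalAndExit(err, "failed to upgrade subnets")
+}
+if c.config.EnableNP {
+if err := c.upgradeNetworkPolicies(); err != nil {
+util.LogFatalAndExit(err, "failed to upgrade network policies")
+}
+}
+if err := c.upgradeNodes(); err != nil {
+util.LogFatalAndExit(err, "failed to upgrade nodes")
+}
+}
+
 func (c *Controller) startWorkers(ctx context.Context) {
 klog.Info("Starting workers")
 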
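Review bot: handleUpgrading runs unconditionally on every Controller.Run, not only on a v1.12.x→v1.13.x upgrade, and each step aborts the process through util.LogFatalAndExit, so a transient OVN NB error at startup becomes a crash loop instead of a retried step. The steps visible on this page (upgradeNetworkPolicies, upgradeNodes) are plain ACL deletions and look idempotent, which makes the repeat-on-restart safe but also means every restart lists all network policies and nodes and issues one delete transaction per port group. A doc comment should pin that contract, e.g. `// handleUpgrading runs the migrations from older releases. It runs on every start, so each step must be idempotent; any failure is fatal.` I cannot see from this hunk whether the informer caches are synced before the call; if they are not, the listers return a partial view and legacy ACLs on not-yet-synced objects survive. Run's body starts outside the hunk.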

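--- a/pkg/controller/controller_test.go
+++ b/pkg/controller/controller_test.go
@@ -7,6 +7,7 @@ import (
 "go.uber.org/mock/gomock"
 "k8s.io/client-go/informers"
 coreinformers "k8s.io/client-go/informers/core/v1"
+networkinformers "k8s.io/client-go/informers/networking/v1"
 "k8s.io/client-go/kubernetes/fake"
 
 mockovs "github.com/kubeovn/kube-ovn/mocks/pkg/ovs"
@@ -18,7 +19,10 @@ import (
 type fakeControllerInformers struct {
 vpcInformer kubeovninformer.VpcInformer
 subnetInformer kubeovninformer.SubnetInformer
+sgInformer kubeovninformer.SecurityGroupInformer
 serviceInformer coreinformers.ServiceInformer
+npInformer networkinformers.NetworkPolicyInformer
+nodeInformer coreinformers.NodeInformer
 }
 
 type fakeController struct {
@@ -34,25 +38,34 @@ func newFakeController(t *testing.T) *fakeController {
 kubeClient := fake.NewSimpleClientset()
 kubeInformerFactory := informers.NewSharedInformerFactory(kubeClient, 0)
 serviceInformer := kubeInformerFactory.Core().V1().Services()
+npInformer := kubeInformerFactory.Networking().V1().NetworkPolicies()
+nodeInformer := kubeInformerFactory.Core().V1().Nodes()
 
 /* fake kube ovn client */
 kubeovnClient := kubeovnfake.NewSimpleClientset()
 kubeovnInformerFactory := kubeovninformerfactory.NewSharedInformerFactory(kubeovnClient, 0)
 vpcInformer := kubeovnInformerFactory.Kubeovn().V1().Vpcs()
 subnetInformer := kubeovnInformerFactory.Kubeovn().V1().Subnets()
+sgInformer := kubeovnInformerFactory.Kubeovn().V1().SecurityGroups()
 
 fakeInformers := &fakeControllerInformers{
 vpcInformer: vpcInformer,
 subnetInformer: subnetInformer,
+sgInformer: sgInformer,
 serviceInformer: serviceInformer,
+npInformer: npInformer,
+nodeInformer: nodeInformer,
 }
 
 /* ovn fake client */
 mockOvnClient := mockovs.NewMockNbClient(gomock.NewController(t))
 
 ctrl := &Controller{
 servicesLister: serviceInformer.Lister(),
+npsLister: npInformer.Lister(),
+nodesLister: nodeInformer.Lister(),
 vpcsLister: vpcInformer.Lister(),
+sgsLister: sgInformer.Lister(),
 vpcSynced: alwaysReady,
 subnetsLister: subnetInformer.Lister(),
 subnetSynced: alwaysReady,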

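--- a/pkg/controller/network_policy.go
+++ b/pkg/controller/network_policy.go
@@ -62,6 +62,40 @@ func (c *Controller) enqueueUpdateNp(oldObj, newObj interface{}) {
 }
 }
 
+// for upgrading from v1.12.x to v1.13.x
+func (c *Controller) upgradeNetworkPoliciesToV1_13() error {
+// clear legacy acls in tier 0 for all network policies
+// including ingress, egress and subnet gateway acls
+nps, err := c.npsLister.NetworkPolicies(corev1.NamespaceAll).List(labels.Everything())
+if err != nil {
+klog.Errorf("failed to list network policies %v", err)
+return err
+}
+
+for _, np := range nps {
+npName := np.Name
+nameArray := []rune(np.Name)
+if !unicode.IsLetter(nameArray[0]) {
+npName = "np" + np.Name
+}
+pgName := strings.ReplaceAll(fmt.Sprintf("%s.%s", npName, np.Namespace), "-", ".")
+if err = c.OVNNbClient.DeleteAcls(pgName, portGroupKey, "", nil, util.DefaultACLTier); err != nil {
+klog.Errorf("clear legacy network policy %s acls: %v", pgName, err)
+return err
+}
+}
+
+return nil
+}
+
+func (c *Controller) upgradeNetworkPolicies() error {
+if err := c.upgradeNetworkPoliciesToV1_13(); err != nil {
+klog.Errorf("failed to upgrade network policies to v1.13.x, err: %v", err)
+return err
+}
+return nil
+}
+
 func (c *Controller) createAsForNetpol(ns, name, direction, asName string, addresses []string) error {
 if err := c.OVNNbClient.CreateAddressSet(asName, map[string]string{
 networkPolicyKey: fmt.Sprintf("%s/%s/%s", ns, name, direction),
@@ -165,7 +199,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 return err
 }
 
-ingressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "to-lport", nil)
+ingressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "to-lport", nil, util.NilACLTier)
 if err != nil {
 klog.Errorf("generate operations that clear np %s ingress acls: %v", key, err)
 return err
@@ -281,7 +315,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 }
 }
 } else {
-if err = c.OVNNbClient.DeleteAcls(pgName, portGroupKey, "to-lport", nil); err != nil {
+if err = c.OVNNbClient.DeleteAcls(pgName, portGroupKey, "to-lport", nil, util.NilACLTier); err != nil {
 klog.Errorf("delete np %s ingress acls: %v", key, err)
 return err
 }
@@ -294,7 +328,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 }
 }
 
-egressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "from-lport", nil)
+egressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "from-lport", nil, util.NilACLTier)
 if err != nil {
 klog.Errorf("generate operations that clear np %s egress acls: %v", key, err)
 return err
@@ -408,7 +442,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 }
 }
 } else {
-if err = c.OVNNbClient.DeleteAcls(pgName, portGroupKey, "from-lport", nil); err != nil {
+if err = c.OVNNbClient.DeleteAcls(pgName, portGroupKey, "from-lport", nil, util.NilACLTier); err != nil {
 klog.Errorf("delete np %s egress acls: %v", key, err)
 return err
 }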
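Review bot: upgradeNetworkPoliciesToV1_13 (hunk @@ -62) re-derives the network-policy port-group name inline (`np` prefix when the first rune is not a letter, then `name.namespace` with "-" rewritten to "."), a rule that handleUpdateNp presumably applies too, out of view; the two should call one shared helper, otherwise a future change to the spelling makes the upgrade target a port group that does not exist and leave the legacy tier-0 ACLs in place. `nameArray[0]` is also indexed without a length check; the API server rejects empty names, so `if len(nameArray) == 0 || !unicode.IsLetter(nameArray[0]) {` costs nothing and removes the only panic path in the loop. Each policy currently costs one DeleteAcls transaction; the DeleteAclsOps variant already used at @@ -165 would let the loop collect operations and commit them once, though the transact call is not visible from here. The comment above the function should also say what DefaultACLTier selects, e.g. `// upgradeNetworkPoliciesToV1_13 deletes the ACLs v1.12.x left in the default tier (tier 0); v1.13.x recreates its ACLs in tier 2, where they no longer shadow other tiers.`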

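--- a/pkg/controller/network_policy_test.go
+++ b/pkg/controller/network_policy_test.go
@@ -0,0 +1,36 @@
+package controller
+
+import (
+"testing"
+
+"github.com/stretchr/testify/require"
+"go.uber.org/mock/gomock"
+netv1 "k8s.io/api/networking/v1"
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+"github.com/kubeovn/kube-ovn/pkg/util"
+)
+
+func Test_upgradeNetworkPolicies(t *testing.T) {
+t.Parallel()
+
+fakeController := newFakeController(t)
+ctrl := fakeController.fakeController
+fakeinformers := fakeController.fakeInformers
+mockOvnClient := fakeController.mockOvnClient
+
+np := &netv1.NetworkPolicy{
+ObjectMeta: metav1.ObjectMeta{
+Name: "np1",
+Namespace: "default",
+},
+}
+
+err := fakeinformers.npInformer.Informer().GetStore().Add(np)
+require.NoError(t, err)
+
+mockOvnClient.EXPECT().DeleteAcls(gomock.Any(), portGroupKey, "", nil, util.DefaultACLTier).Return(nil)
+
+err = ctrl.upgradeNetworkPolicies()
+require.NoError(t, err)
+}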
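Review bot: The expectation uses gomock.Any() for the port-group name, so the one thing the upgrade computes — which port group's tier-0 ACLs get deleted — is never checked, and a wrong derivation would still pass. For the policy "np1" in "default" the loop derives "np1.default", so pin it: `mockOvnClient.EXPECT().DeleteAcls("np1.default", portGroupKey, "", nil, util.DefaultACLTier).Return(nil)`. A second policy whose name starts with a digit would cover the `"np" + np.Name` prefix branch, which has no test at all here, and a case with a hyphenated name or namespace would cover the "-" to "." rewrite.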

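--- a/pkg/controller/node.go
+++ b/pkg/controller/node.go
@@ -94,6 +94,37 @@ func nodeUnderlayAddressSetName(node string, af int) string {
 return fmt.Sprintf("node_%s_underlay_v%d", strings.ReplaceAll(node, "-", "_"), af)
 }
 
+// for upgrading from v1.12.x to v1.13.x
+func (c *Controller) upgradeNodesToV1_13() error {
+// clear legacy acls in tier 0 for node port group
+nodes, err := c.nodesLister.List(labels.Everything())
+if err != nil {
+klog.Errorf("failed to list nodes: %v", err)
+return err
+}
+
+for _, node := range nodes {
+pgName := strings.ReplaceAll(node.Annotations[util.PortNameAnnotation], "-", ".")
+if pgName == "" {
+continue
+}
+if err = c.OVNNbClient.DeleteAcls(pgName, portGroupKey, "", nil, util.DefaultACLTier); err != nil {
+klog.Errorf("delete legacy node acl for node pg %s: %v", pgName, err)
+return err
+}
+}
+
+return nil
+}
+
+func (c *Controller) upgradeNodes() error {
+if err := c.upgradeNodesToV1_13(); err != nil {
+klog.Errorf("failed to upgrade nodes to v1.13.x, err: %v", err)
+return err
+}
+return nil
+}
+
 func (c *Controller) handleAddNode(key string) error {
 c.nodeKeyMutex.LockKey(key)
 defer func() { _ = c.nodeKeyMutex.UnlockKey(key) }()
@@ -786,7 +817,7 @@ func (c *Controller) checkAndUpdateNodePortGroup() error {
 }
 } else {
 // clear all acl
-if err = c.OVNNbClient.DeleteAcls(pgName, portGroupKey, "", nil); err != nil {
+if err = c.OVNNbClient.DeleteAcls(pgName, portGroupKey, "", nil, util.NilACLTier); err != nil {
 klog.Errorf("delete node acl for node pg %s: %v", pgName, err)
 }
 }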
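Review bot: upgradeNodesToV1_13 (hunk @@ -94) derives the node port-group name by rewriting util.PortNameAnnotation inline, while checkAndUpdateNodePortGroup (its hunk @@ -786 here, body outside the view) evidently has its own pgName; if the two derivations ever diverge, the upgrade deletes from a port group that does not exist and the legacy tier-0 ACLs quietly survive on the real one. A shared helper such as `pgName := nodePortGroupName(node)` used by both would keep them aligned, presuming one does not already exist out of view. The two paths also disagree on error handling: the existing clear at @@ -786 only logs a DeleteAcls failure, whereas the upgrade returns on the first one and handleUpgrading then exits the process with the remaining nodes untouched; if that is intended, say so on the function, e.g. `// A failure is fatal (see handleUpgrading); the loop stops at the first node whose legacy ACLs could not be removed.`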
