delete legacy denyall acls when upgrading to v1.13.x (#4742)

hackerain · hackerain · commit b93defd18b58 · 2024-11-27T14:21:42.000+08:00
the acls in v1.13.x are in tier 2 rather than tier 0 in v1.12.x, which
results that legacy denyall sg will drop all traffics if a pod bound a sg,
because acls in tier 0 have the higest priority. we should recreate acls
in denyall sg when upgrading to v1.13.x.

Signed-off-by: Rain Suo &lt;yugsuo@gmail.com&gt;
diff --git a/pkg/ovs/ovn-nb-acl.go b/pkg/ovs/ovn-nb-acl.go
@@ -277,6 +277,32 @@ func (c *OVNNbClient) CreateNodeACL(pgName, nodeIPStr, joinIPStr string) error {
 func (c *OVNNbClient) CreateSgDenyAllACL(sgName string) error {
 	pgName := GetSgPortGroupName(sgName)
 
+	// for upgrading from v1.12.x to v1.13.x
+	// see https://github.com/kubeovn/kube-ovn/issues/4742
+	oldIngressACL, err := c.GetACL(pgName, ovnnb.ACLDirectionToLport, util.SecurityGroupDropPriority, fmt.Sprintf("outport == @%s && ip", pgName), true)
+	if err != nil {
+		klog.Error(err)
+		return err
+	}
+	if oldIngressACL != nil && oldIngressACL.Tier == util.DefaultACLTier {
+		if err := c.DeleteACL(pgName, portGroupKey, ovnnb.ACLDirectionToLport, util.SecurityGroupDropPriority, fmt.Sprintf("outport == @%s && ip", pgName)); err != nil {
+			klog.Errorf("delete legacy acl from port group %s: %v", pgName, err)
+			return err
+		}
+	}
+	oldEgressACL, err := c.GetACL(pgName, ovnnb.ACLDirectionFromLport, util.SecurityGroupDropPriority, fmt.Sprintf("inport == @%s && ip", pgName), true)
+	if err != nil {
+		klog.Error(err)
+		return err
+	}
+	if oldEgressACL != nil && oldEgressACL.Tier == util.DefaultACLTier {
+		if err := c.DeleteACL(pgName, portGroupKey, ovnnb.ACLDirectionFromLport, util.SecurityGroupDropPriority, fmt.Sprintf("inport == @%s && ip", pgName)); err != nil {
+			klog.Errorf("delete legacy acl from port group %s: %v", pgName, err)
+			return err
+		}
+	}
+
+	// create new acls for deny all sg
 	ingressACL, err := c.newACL(pgName, ovnnb.ACLDirectionToLport, util.SecurityGroupDropPriority, fmt.Sprintf("outport == @%s && ip", pgName), ovnnb.ACLActionDrop, util.NetpolACLTier)
 	if err != nil {
 		klog.Error(err)
diff --git a/pkg/ovs/ovn-nb-acl_test.go b/pkg/ovs/ovn-nb-acl_test.go
@@ -612,6 +612,49 @@ func (suite *OvnClientTestSuite) testCreateSgDenyAllACL() {
 		require.Contains(t, pg.ACLs, egressACL.UUID)
 	})
 
+	t.Run("upgrading create sg deny all acl", func(t *testing.T) {
+		sgName := "test_create_deny_all_acl_pg"
+		pgName := GetSgPortGroupName(sgName)
+
+		err := nbClient.CreatePortGroup(pgName, nil)
+		require.NoError(t, err)
+
+		// init legacy acls
+		legacyIngressACL, err := nbClient.newACL(pgName, ovnnb.ACLDirectionToLport, util.SecurityGroupDropPriority, fmt.Sprintf("outport == @%s && ip", pgName), ovnnb.ACLActionDrop, util.DefaultACLTier)
+		require.NoError(t, err)
+
+		legacyEgressACL, err := nbClient.newACL(pgName, ovnnb.ACLDirectionFromLport, util.SecurityGroupDropPriority, fmt.Sprintf("inport == @%s && ip", pgName), ovnnb.ACLActionDrop, util.DefaultACLTier)
+		require.NoError(t, err)
+
+		err = nbClient.CreateAcls(pgName, portGroupKey, legacyIngressACL, legacyEgressACL)
+		require.NoError(t, err)
+
+		// create deny all acls normally
+		err = nbClient.CreateSgDenyAllACL(sgName)
+		require.NoError(t, err)
+
+		pg, err := nbClient.GetPortGroup(pgName, false)
+		require.NoError(t, err)
+
+		// ingress acl
+		match := fmt.Sprintf("outport == @%s && ip", pgName)
+		ingressACL, err := nbClient.GetACL(pgName, ovnnb.ACLDirectionToLport, util.SecurityGroupDropPriority, match, false)
+		require.NoError(t, err)
+		expect := newACL(pgName, ovnnb.ACLDirectionToLport, util.SecurityGroupDropPriority, match, ovnnb.ACLActionDrop, util.NetpolACLTier)
+		expect.UUID = ingressACL.UUID
+		require.Equal(t, expect, ingressACL)
+		require.Contains(t, pg.ACLs, ingressACL.UUID)
+
+		// egress acl
+		match = fmt.Sprintf("inport == @%s && ip", pgName)
+		egressACL, err := nbClient.GetACL(pgName, ovnnb.ACLDirectionFromLport, util.SecurityGroupDropPriority, match, false)
+		require.NoError(t, err)
+		expect = newACL(pgName, ovnnb.ACLDirectionFromLport, util.SecurityGroupDropPriority, match, ovnnb.ACLActionDrop, util.NetpolACLTier)
+		expect.UUID = egressACL.UUID
+		require.Equal(t, expect, egressACL)
+		require.Contains(t, pg.ACLs, egressACL.UUID)
+	})
+
 	t.Run("should print log err when sg name does not exist", func(t *testing.T) {
 		sgName := "test_nonexist_pg"
 		err := nbClient.CreateSgDenyAllACL(sgName)
diff --git a/pkg/util/const.go b/pkg/util/const.go
@@ -157,6 +157,7 @@ const (
 	AnpMaxPriority       = 99
 	AnpACLMaxPriority    = 30000
 	BanpACLMaxPriority   = 1800
+	DefaultACLTier       = 0
 	AnpACLTier           = 1
 	NetpolACLTier        = 2
 	BanpACLTier          = 3
