fix: [WIN-NPM] allow readiness probes (#1887)

* get node IP

* add allow-host-to-endpoint ACL

* update ACL ID to be equal to other ACLs in the netpol

* add node ip to acl

* UTs and make node IP a part of pMgr cfg

* fix skip test logic from #1857

* fix pMgr UTs and prom metrics

* fix lints and add comments

* fix UT and prom metrics for linux

* UT for getting node IP

* revert skipTest change

* error out if node IP is an empty string

* update logging for node ip and only get node ip for windows

---------

Co-authored-by: Vamsi Kalapala <[email protected]>

Author: huntergregory

npm/cmd/start.go

@@ -136,8 +136,20 @@ func start(config npmconfig.Config, flags npmconfig.Flags) error {
 			npmV2DataplaneCfg.IPSetMode = ipsets.ApplyAllIPSets
 		}
 
+		var nodeIP string
+		if util.IsWindowsDP() {
+			nodeIP, err = util.NodeIP()
+			if err != nil {
+				metrics.SendErrorLogAndMetric(util.NpmID, "error: failed to get node IP while booting up: %v", err)
+				return fmt.Errorf("failed to get node IP while booting up: %w", err)
+			}
+			klog.Infof("node IP is %s", nodeIP)
+		}
+		npmV2DataplaneCfg.NodeIP = nodeIP
+
 		dp, err = dataplane.NewDataPlane(models.GetNodeName(), common.NewIOShim(), npmV2DataplaneCfg, stopChannel)
 		if err != nil {
+			metrics.SendErrorLogAndMetric(util.NpmID, "error: failed to create dataplane with error %v", err)
 			return fmt.Errorf("failed to create dataplane with error %w", err)
 		}
 		dp.RunPeriodicTasks()

npm/pkg/dataplane/dataplane-test-cases_windows_test.go

@@ -21,8 +21,9 @@ const (
 )
 
 const (
-	thisNode  = "this-node"
-	otherNode = "other-node"
+	testNodeIP = "6.7.8.9"
+	thisNode   = "this-node"
+	otherNode  = "other-node"
 
 	ip1 = "10.0.0.1"
 	ip2 = "10.0.0.2"
@@ -62,6 +63,7 @@ var (
 			AddEmptySetToLists: true,
 		},
 		PolicyManagerCfg: &policies.PolicyManagerCfg{
+			NodeIP:     testNodeIP,
 			PolicyMode: policies.IPSetPolicyMode,
 		},
 	}
@@ -73,6 +75,7 @@ var (
 			AddEmptySetToLists: true,
 		},
 		PolicyManagerCfg: &policies.PolicyManagerCfg{
+			NodeIP:     testNodeIP,
 			PolicyMode: policies.IPSetPolicyMode,
 		},
 	}
@@ -301,6 +304,13 @@ func basicTests() []*SerialTestCase {
 							RemotePorts:     "",
 							Priority:        222,
 						},
+						{
+							ID:              "azure-acl-x-base",
+							Action:          "Allow",
+							Direction:       "In",
+							RemoteAddresses: testNodeIP,
+							Priority:        201,
+						},
 					},
 				},
 			},
@@ -403,6 +413,13 @@ func basicTests() []*SerialTestCase {
 							RemotePorts:     "",
 							Priority:        222,
 						},
+						{
+							ID:              "azure-acl-x-base",
+							Action:          "Allow",
+							Direction:       "In",
+							RemoteAddresses: testNodeIP,
+							Priority:        201,
+						},
 					},
 				},
 			},
@@ -580,6 +597,13 @@ func basicTests() []*SerialTestCase {
 							RemotePorts:     "",
 							Priority:        222,
 						},
+						{
+							ID:              "azure-acl-x-base",
+							Action:          "Allow",
+							Direction:       "In",
+							RemoteAddresses: testNodeIP,
+							Priority:        201,
+						},
 					},
 				},
 			},
@@ -745,6 +769,13 @@ func capzCalicoTests() []*SerialTestCase {
 							RemotePorts:     "",
 							Priority:        222,
 						},
+						{
+							ID:              "azure-acl-x-base",
+							Action:          "Allow",
+							Direction:       "In",
+							RemoteAddresses: testNodeIP,
+							Priority:        201,
+						},
 					},
 				},
 			},
@@ -883,6 +914,13 @@ func updatePodTests() []*SerialTestCase {
 							RemotePorts:     "",
 							Priority:        222,
 						},
+						{
+							ID:              "azure-acl-x-base2",
+							Action:          "Allow",
+							Direction:       "In",
+							RemoteAddresses: testNodeIP,
+							Priority:        201,
+						},
 					},
 				},
 			},
@@ -943,6 +981,13 @@ func updatePodTests() []*SerialTestCase {
 							RemotePorts:     "",
 							Priority:        222,
 						},
+						{
+							ID:              "azure-acl-x-base2",
+							Action:          "Allow",
+							Direction:       "In",
+							RemoteAddresses: testNodeIP,
+							Priority:        201,
+						},
 					},
 				},
 			},
@@ -1002,6 +1047,13 @@ func updatePodTests() []*SerialTestCase {
 							RemotePorts:     "",
 							Priority:        222,
 						},
+						{
+							ID:              "azure-acl-x-base2",
+							Action:          "Allow",
+							Direction:       "In",
+							RemoteAddresses: testNodeIP,
+							Priority:        201,
+						},
 					},
 				},
 			},
@@ -1060,6 +1112,13 @@ func updatePodTests() []*SerialTestCase {
 							RemotePorts:     "",
 							Priority:        222,
 						},
+						{
+							ID:              "azure-acl-x-base2",
+							Action:          "Allow",
+							Direction:       "In",
+							RemoteAddresses: testNodeIP,
+							Priority:        201,
+						},
 					},
 				},
 			},
@@ -1122,6 +1181,13 @@ func updatePodTests() []*SerialTestCase {
 							RemotePorts:     "",
 							Priority:        222,
 						},
+						{
+							ID:              "azure-acl-x-base2",
+							Action:          "Allow",
+							Direction:       "In",
+							RemoteAddresses: testNodeIP,
+							Priority:        201,
+						},
 						{
 							ID:              "azure-acl-baseazurewireserver",
 							Action:          "Block",
@@ -1222,6 +1288,13 @@ func updatePodTests() []*SerialTestCase {
 							RemotePorts:     "",
 							Priority:        222,
 						},
+						{
+							ID:              "azure-acl-x-base2",
+							Action:          "Allow",
+							Direction:       "In",
+							RemoteAddresses: testNodeIP,
+							Priority:        201,
+						},
 					},
 				},
 			},
@@ -1282,6 +1355,13 @@ func updatePodTests() []*SerialTestCase {
 							RemotePorts:     "",
 							Priority:        222,
 						},
+						{
+							ID:              "azure-acl-x-base2",
+							Action:          "Allow",
+							Direction:       "In",
+							RemoteAddresses: testNodeIP,
+							Priority:        201,
+						},
 					},
 				},
 			},
@@ -1342,6 +1422,13 @@ func updatePodTests() []*SerialTestCase {
 							RemotePorts:     "",
 							Priority:        222,
 						},
+						{
+							ID:              "azure-acl-x-base2",
+							Action:          "Allow",
+							Direction:       "In",
+							RemoteAddresses: testNodeIP,
+							Priority:        201,
+						},
 					},
 				},
 			},
@@ -1402,6 +1489,13 @@ func updatePodTests() []*SerialTestCase {
 							RemotePorts:     "",
 							Priority:        222,
 						},
+						{
+							ID:              "azure-acl-x-base2",
+							Action:          "Allow",
+							Direction:       "In",
+							RemoteAddresses: testNodeIP,
+							Priority:        201,
+						},
 					},
 				},
 			},
@@ -1577,6 +1671,13 @@ func updatePodTests() []*SerialTestCase {
 							RemotePorts:     "",
 							Priority:        222,
 						},
+						{
+							ID:              "azure-acl-x-base2",
+							Action:          "Allow",
+							Direction:       "In",
+							RemoteAddresses: testNodeIP,
+							Priority:        201,
+						},
 					},
 				},
 			},
@@ -1685,6 +1786,13 @@ func podAssignmentSequence3Tests() []*SerialTestCase {
 							RemotePorts:     "",
 							Priority:        222,
 						},
+						{
+							ID:              "azure-acl-x-base2",
+							Action:          "Allow",
+							Direction:       "In",
+							RemoteAddresses: testNodeIP,
+							Priority:        201,
+						},
 					},
 				},
 			},
@@ -1816,6 +1924,13 @@ func podAssignmentSequence3Tests() []*SerialTestCase {
 							RemotePorts:     "",
 							Priority:        222,
 						},
+						{
+							ID:              "azure-acl-x-base2",
+							Action:          "Allow",
+							Direction:       "In",
+							RemoteAddresses: testNodeIP,
+							Priority:        201,
+						},
 					},
 				},
 			},
@@ -1881,6 +1996,13 @@ func podAssignmentSequence3Tests() []*SerialTestCase {
 							RemotePorts:     "",
 							Priority:        222,
 						},
+						{
+							ID:              "azure-acl-x-base2",
+							Action:          "Allow",
+							Direction:       "In",
+							RemoteAddresses: testNodeIP,
+							Priority:        201,
+						},
 						{
 							ID:              "azure-acl-x-base3",
 							Protocols:       "",
@@ -1903,6 +2025,13 @@ func podAssignmentSequence3Tests() []*SerialTestCase {
 							RemotePorts:     "",
 							Priority:        222,
 						},
+						{
+							ID:              "azure-acl-x-base3",
+							Action:          "Allow",
+							Direction:       "In",
+							RemoteAddresses: testNodeIP,
+							Priority:        201,
+						},
 					},
 				},
 			},
@@ -2036,6 +2165,13 @@ func remoteEndpointTests() []*SerialTestCase {
 							RemotePorts:     "",
 							Priority:        222,
 						},
+						{
+							ID:              "azure-acl-x-base",
+							Action:          "Allow",
+							Direction:       "In",
+							RemoteAddresses: testNodeIP,
+							Priority:        201,
+						},
 					},
 				},
 			},
@@ -2109,6 +2245,13 @@ func getAllMultiJobTests() []*MultiJobTestCase {
 							RemotePorts:     "",
 							Priority:        222,
 						},
+						{
+							ID:              "azure-acl-x-base",
+							Action:          "Allow",
+							Direction:       "In",
+							RemoteAddresses: testNodeIP,
+							Priority:        201,
+						},
 					},
 				},
 			},

npm/pkg/dataplane/dataplane_test.go

@@ -23,6 +23,7 @@ var (
 			NetworkName: "azure",
 		},
 		PolicyManagerCfg: &policies.PolicyManagerCfg{
+			NodeIP:               "6.7.8.9",
 			PolicyMode:           policies.IPSetPolicyMode,
 			PlaceAzureChainFirst: util.PlaceAzureChainFirst,
 		},

npm/pkg/dataplane/policies/policymanager.go

@@ -29,6 +29,8 @@ const (
 )
 
 type PolicyManagerCfg struct {
+	// NodeIP is only used in Windows
+	NodeIP string
 	// PolicyMode only affects Windows
 	PolicyMode PolicyManagerMode
 	// PlaceAzureChainFirst only affects Linux
@@ -92,6 +94,11 @@ func (pMgr *PolicyManager) Bootup(epIDs []string) error {
 		// update Prometheus metrics on success
 		metrics.IncNumACLRulesBy(numLinuxBaseACLRules)
 	}
+
+	if util.IsWindowsDP() && pMgr.NodeIP == "" {
+		return npmerrors.Errorf(npmerrors.BootupPolicyMgr, false, "policy manager must have a configured nodeIP in Windows")
+	}
+
 	return nil
 }
 
@@ -144,11 +151,11 @@ func (pMgr *PolicyManager) AddPolicy(policy *NPMNetworkPolicy, endpointList map[
 	}
 
 	// update Prometheus metrics on success
-	numEndpoints := 1
 	if util.IsWindowsDP() {
-		numEndpoints = len(endpointList)
+		metrics.IncNumACLRulesBy((1 + policy.numACLRulesProducedInKernel()) * len(endpointList))
+	} else {
+		metrics.IncNumACLRulesBy(policy.numACLRulesProducedInKernel())
 	}
-	metrics.IncNumACLRulesBy(policy.numACLRulesProducedInKernel() * numEndpoints)
 
 	pMgr.policyMap.cache[policy.PolicyKey] = policy
 	return nil
@@ -188,11 +195,12 @@ func (pMgr *PolicyManager) RemovePolicy(policyKey string) error {
 	}
 
 	// update Prometheus metrics on success
-	numEndpointsRemoved := 1
 	if util.IsWindowsDP() {
-		numEndpointsRemoved = numEndpointsBefore - len(policy.PodEndpoints)
+		numEndpointsRemoved := numEndpointsBefore - len(policy.PodEndpoints)
+		metrics.DecNumACLRulesBy((1 + policy.numACLRulesProducedInKernel()) * numEndpointsRemoved)
+	} else {
+		metrics.DecNumACLRulesBy(policy.numACLRulesProducedInKernel())
 	}
-	metrics.DecNumACLRulesBy(policy.numACLRulesProducedInKernel() * numEndpointsRemoved)
 
 	// remove policy from cache
 	delete(pMgr.policyMap.cache, policyKey)
@@ -223,7 +231,7 @@ func (pMgr *PolicyManager) RemovePolicyForEndpoints(policyKey string, endpointLi
 	}
 
 	// update Prometheus metrics on success
-	metrics.DecNumACLRulesBy(policy.numACLRulesProducedInKernel() * len(endpointList))
+	metrics.DecNumACLRulesBy((1 + policy.numACLRulesProducedInKernel()) * len(endpointList))
 
 	return nil
 }