

fix: [WIN-NPM] allow readiness probes (#1887)
* get node IP * add allow-host-to-endpoint ACL * update ACL ID to be equal to other ACLs in the netpol * add node ip to acl * UTs and make node IP a part of pMgr cfg * fix skip test logic from #1857 * fix pMgr UTs and prom metrics * fix lints and add comments * fix UT and prom metrics for linux * UT for getting node IP * revert skipTest change * error out if node IP is an empty string * update logging for node ip and only get node ip for windows --------- Co-authored-by: Vamsi Kalapala <[email protected]>
1 parent 44fb03e commit ddb3417

9 files changed

+228
-13
lines changed

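--- a/npm/cmd/start.go
+++ b/npm/cmd/start.go
@@ -136,8 +136,20 @@ func start(config npmconfig.Config, flags npmconfig.Flags) error {
 npmV2DataplaneCfg.IPSetMode = ipsets.ApplyAllIPSets
 }
 
+var nodeIP string
+if util.IsWindowsDP() {
+nodeIP, err = util.NodeIP()
+if err != nil {
+metrics.SendErrorLogAndMetric(util.NpmID, "error: failed to get node IP while booting up: %v", err)
+return fmt.Errorf("failed to get node IP while booting up: %w", err)
+}
+klog.Infof("node IP is %s", nodeIP)
+}
+npmV2DataplaneCfg.NodeIP = nodeIP
+
 dp, err = dataplane.NewDataPlane(models.GetNodeName(), common.NewIOShim(), npmV2DataplaneCfg, stopChannel)
 if err != nil {
+metrics.SendErrorLogAndMetric(util.NpmID, "error: failed to create dataplane with error %v", err)
 return fmt.Errorf("failed to create dataplane with error %w", err)
 }
 dp.RunPeriodicTasks()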
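Review bot: The value returned by `util.NodeIP()` is only checked for an error here and, downstream, for emptiness; any other string is handed to the dataplane and ends up as the RemoteAddresses of an inbound Allow ACL, so a malformed value (an address with a port or a hostname, depending on where `util.NodeIP()` reads it from, which is not visible here) would be passed to HNS as-is. Since this code is about to open pods to that address, validate it at the point it is obtained: `if net.ParseIP(nodeIP) == nil { return fmt.Errorf("node IP %q is not a valid IP address", nodeIP) }` (stdlib `net`, placed right after the error check inside the Windows branch). The `start` function begins and ends outside the hunk.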

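--- a/npm/pkg/dataplane/dataplane-test-cases_windows_test.go
+++ b/npm/pkg/dataplane/dataplane-test-cases_windows_test.go
@@ -21,8 +21,9 @@ const (
 )
 
 const (
-thisNode = "this-node"
-otherNode = "other-node"
+testNodeIP = "6.7.8.9"
+thisNode = "this-node"
+otherNode = "other-node"
 
 ip1 = "10.0.0.1"
 ip2 = "10.0.0.2"
@@ -62,6 +63,7 @@ var (
 AddEmptySetToLists: true,
 },
 PolicyManagerCfg: &policies.PolicyManagerCfg{
+NodeIP: testNodeIP,
 PolicyMode: policies.IPSetPolicyMode,
 },
 }
@@ -73,6 +75,7 @@ var (
 AddEmptySetToLists: true,
 },
 PolicyManagerCfg: &policies.PolicyManagerCfg{
+NodeIP: testNodeIP,
 PolicyMode: policies.IPSetPolicyMode,
 },
 }
@@ -301,6 +304,13 @@ func basicTests() []*SerialTestCase {
 RemotePorts: "",
 Priority: 222,
 },
+{
+ID: "azure-acl-x-base",
+Action: "Allow",
+Direction: "In",
+RemoteAddresses: testNodeIP,
+Priority: 201,
+},
 },
 },
 },
@@ -403,6 +413,13 @@ func basicTests() []*SerialTestCase {
 RemotePorts: "",
 Priority: 222,
 },
+{
+ID: "azure-acl-x-base",
+Action: "Allow",
+Direction: "In",
+RemoteAddresses: testNodeIP,
+Priority: 201,
+},
 },
 },
 },
@@ -580,6 +597,13 @@ func basicTests() []*SerialTestCase {
 RemotePorts: "",
 Priority: 222,
 },
+{
+ID: "azure-acl-x-base",
+Action: "Allow",
+Direction: "In",
+RemoteAddresses: testNodeIP,
+Priority: 201,
+},
 },
 },
 },
@@ -745,6 +769,13 @@ func capzCalicoTests() []*SerialTestCase {
 RemotePorts: "",
 Priority: 222,
 },
+{
+ID: "azure-acl-x-base",
+Action: "Allow",
+Direction: "In",
+RemoteAddresses: testNodeIP,
+Priority: 201,
+},
 },
 },
 },
@@ -883,6 +914,13 @@ func updatePodTests() []*SerialTestCase {
 RemotePorts: "",
 Priority: 222,
 },
+{
+ID: "azure-acl-x-base2",
+Action: "Allow",
+Direction: "In",
+RemoteAddresses: testNodeIP,
+Priority: 201,
+},
 },
 },
 },
@@ -943,6 +981,13 @@ func updatePodTests() []*SerialTestCase {
 RemotePorts: "",
 Priority: 222,
 },
+{
+ID: "azure-acl-x-base2",
+Action: "Allow",
+Direction: "In",
+RemoteAddresses: testNodeIP,
+Priority: 201,
+},
 },
 },
 },
@@ -1002,6 +1047,13 @@ func updatePodTests() []*SerialTestCase {
 RemotePorts: "",
 Priority: 222,
 },
+{
+ID: "azure-acl-x-base2",
+Action: "Allow",
+Direction: "In",
+RemoteAddresses: testNodeIP,
+Priority: 201,
+},
 },
 },
 },
@@ -1060,6 +1112,13 @@ func updatePodTests() []*SerialTestCase {
 RemotePorts: "",
 Priority: 222,
 },
+{
+ID: "azure-acl-x-base2",
+Action: "Allow",
+Direction: "In",
+RemoteAddresses: testNodeIP,
+Priority: 201,
+},
 },
 },
 },
@@ -1122,6 +1181,13 @@ func updatePodTests() []*SerialTestCase {
 RemotePorts: "",
 Priority: 222,
 },
+{
+ID: "azure-acl-x-base2",
+Action: "Allow",
+Direction: "In",
+RemoteAddresses: testNodeIP,
+Priority: 201,
+},
 {
 ID: "azure-acl-baseazurewireserver",
 Action: "Block",
@@ -1222,6 +1288,13 @@ func updatePodTests() []*SerialTestCase {
 RemotePorts: "",
 Priority: 222,
 },
+{
+ID: "azure-acl-x-base2",
+Action: "Allow",
+Direction: "In",
+RemoteAddresses: testNodeIP,
+Priority: 201,
+},
 },
 },
 },
@@ -1282,6 +1355,13 @@ func updatePodTests() []*SerialTestCase {
 RemotePorts: "",
 Priority: 222,
 },
+{
+ID: "azure-acl-x-base2",
+Action: "Allow",
+Direction: "In",
+RemoteAddresses: testNodeIP,
+Priority: 201,
+},
 },
 },
 },
@@ -1342,6 +1422,13 @@ func updatePodTests() []*SerialTestCase {
 RemotePorts: "",
 Priority: 222,
 },
+{
+ID: "azure-acl-x-base2",
+Action: "Allow",
+Direction: "In",
+RemoteAddresses: testNodeIP,
+Priority: 201,
+},
 },
 },
 },
@@ -1402,6 +1489,13 @@ func updatePodTests() []*SerialTestCase {
 RemotePorts: "",
 Priority: 222,
 },
+{
+ID: "azure-acl-x-base2",
+Action: "Allow",
+Direction: "In",
+RemoteAddresses: testNodeIP,
+Priority: 201,
+},
 },
 },
 },
@@ -1577,6 +1671,13 @@ func updatePodTests() []*SerialTestCase {
 RemotePorts: "",
 Priority: 222,
 },
+{
+ID: "azure-acl-x-base2",
+Action: "Allow",
+Direction: "In",
+RemoteAddresses: testNodeIP,
+Priority: 201,
+},
 },
 },
 },
@@ -1685,6 +1786,13 @@ func podAssignmentSequence3Tests() []*SerialTestCase {
 RemotePorts: "",
 Priority: 222,
 },
+{
+ID: "azure-acl-x-base2",
+Action: "Allow",
+Direction: "In",
+RemoteAddresses: testNodeIP,
+Priority: 201,
+},
 },
 },
 },
@@ -1816,6 +1924,13 @@ func podAssignmentSequence3Tests() []*SerialTestCase {
 RemotePorts: "",
 Priority: 222,
 },
+{
+ID: "azure-acl-x-base2",
+Action: "Allow",
+Direction: "In",
+RemoteAddresses: testNodeIP,
+Priority: 201,
+},
 },
 },
 },
@@ -1881,6 +1996,13 @@ func podAssignmentSequence3Tests() []*SerialTestCase {
 RemotePorts: "",
 Priority: 222,
 },
+{
+ID: "azure-acl-x-base2",
+Action: "Allow",
+Direction: "In",
+RemoteAddresses: testNodeIP,
+Priority: 201,
+},
 {
 ID: "azure-acl-x-base3",
 Protocols: "",
@@ -1903,6 +2025,13 @@ func podAssignmentSequence3Tests() []*SerialTestCase {
 RemotePorts: "",
 Priority: 222,
 },
+{
+ID: "azure-acl-x-base3",
+Action: "Allow",
+Direction: "In",
+RemoteAddresses: testNodeIP,
+Priority: 201,
+},
 },
 },
 },
@@ -2036,6 +2165,13 @@ func remoteEndpointTests() []*SerialTestCase {
 RemotePorts: "",
 Priority: 222,
 },
+{
+ID: "azure-acl-x-base",
+Action: "Allow",
+Direction: "In",
+RemoteAddresses: testNodeIP,
+Priority: 201,
+},
 },
 },
 },
@@ -2109,6 +2245,13 @@ func getAllMultiJobTests() []*MultiJobTestCase {
 RemotePorts: "",
 Priority: 222,
 },
+{
+ID: "azure-acl-x-base",
+Action: "Allow",
+Direction: "In",
+RemoteAddresses: testNodeIP,
+Priority: 201,
+},
 },
 },
 },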
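Review bot: Every expected `azure-acl-x-base*` entry added in this file pins an inbound Allow from testNodeIP with no Protocols and no RemotePorts, i.e. the test now asserts that anything sourced from the node address can reach any port of a policy-protected pod, which is broader than a readiness probe needs and is the security-relevant consequence of this change. That breadth is presumably intended (kubelet probes use arbitrary container ports), but nothing in the test data says so; a comment on the first such expectation in basicTests, e.g. `// host-to-endpoint allow: kubelet probes originate from the node IP; intentionally unrestricted by port/protocol`, would stop a later reader from narrowing it or deleting it as a stray ACL. A test for the empty-NodeIP bootup error is not in this file; if it lives in one of the five files not shown on this page, ignore that part. Every function touched here starts and ends outside its hunk.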

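--- a/npm/pkg/dataplane/dataplane_test.go
+++ b/npm/pkg/dataplane/dataplane_test.go
@@ -23,6 +23,7 @@ var (
 NetworkName: "azure",
 },
 PolicyManagerCfg: &policies.PolicyManagerCfg{
+NodeIP: "6.7.8.9",
 PolicyMode: policies.IPSetPolicyMode,
 PlaceAzureChainFirst: util.PlaceAzureChainFirst,
 },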

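--- a/npm/pkg/dataplane/policies/policymanager.go
+++ b/npm/pkg/dataplane/policies/policymanager.go
@@ -29,6 +29,8 @@ const (
 )
 
 type PolicyManagerCfg struct {
+// NodeIP is only used in Windows
+NodeIP string
 // PolicyMode only affects Windows
 PolicyMode PolicyManagerMode
 // PlaceAzureChainFirst only affects Linux
@@ -92,6 +94,11 @@ func (pMgr *PolicyManager) Bootup(epIDs []string) error {
 // update Prometheus metrics on success
 metrics.IncNumACLRulesBy(numLinuxBaseACLRules)
 }
+
+if util.IsWindowsDP() && pMgr.NodeIP == "" {
+return npmerrors.Errorf(npmerrors.BootupPolicyMgr, false, "policy manager must have a configured nodeIP in Windows")
+}
+
 return nil
 }
 
@@ -144,11 +151,11 @@ func (pMgr *PolicyManager) AddPolicy(policy *NPMNetworkPolicy, endpointList map[
 }
 
 // update Prometheus metrics on success
-numEndpoints := 1
 if util.IsWindowsDP() {
-numEndpoints = len(endpointList)
+metrics.IncNumACLRulesBy((1 + policy.numACLRulesProducedInKernel()) * len(endpointList))
+} else {
+metrics.IncNumACLRulesBy(policy.numACLRulesProducedInKernel())
 }
-metrics.IncNumACLRulesBy(policy.numACLRulesProducedInKernel() * numEndpoints)
 
 pMgr.policyMap.cache[policy.PolicyKey] = policy
 return nil
@@ -188,11 +195,12 @@ func (pMgr *PolicyManager) RemovePolicy(policyKey string) error {
 }
 
 // update Prometheus metrics on success
-numEndpointsRemoved := 1
 if util.IsWindowsDP() {
-numEndpointsRemoved = numEndpointsBefore - len(policy.PodEndpoints)
+numEndpointsRemoved := numEndpointsBefore - len(policy.PodEndpoints)
+metrics.DecNumACLRulesBy((1 + policy.numACLRulesProducedInKernel()) * numEndpointsRemoved)
+} else {
+metrics.DecNumACLRulesBy(policy.numACLRulesProducedInKernel())
 }
-metrics.DecNumACLRulesBy(policy.numACLRulesProducedInKernel() * numEndpointsRemoved)
 
 // remove policy from cache
 delete(pMgr.policyMap.cache, policyKey)
@@ -223,7 +231,7 @@ func (pMgr *PolicyManager) RemovePolicyForEndpoints(policyKey string, endpointLi
 }
 
 // update Prometheus metrics on success
-metrics.DecNumACLRulesBy(policy.numACLRulesProducedInKernel() * len(endpointList))
+metrics.DecNumACLRulesBy((1 + policy.numACLRulesProducedInKernel()) * len(endpointList))
 
 return nil
 }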
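Review bot: The new `pMgr.NodeIP == ""` guard sits at the very end of Bootup, after the Linux metrics branch whose tail is visible at lines 94-96 and after whatever else Bootup does before that (not visible in the hunk); if any of that work touches the dataplane on Windows, a misconfigured manager has already had side effects by the time it fails, so the check belongs at the top of Bootup or in the constructor. Emptiness is also the only property checked, while the value is later used as the remote address of an inbound Allow ACL on every policy; `if util.IsWindowsDP() && net.ParseIP(pMgr.NodeIP) == nil { ... }` rejects both empty and non-address strings with one test (stdlib `net`). The field comment `// NodeIP is only used in Windows` should state the purpose rather than the platform, e.g. `// NodeIP is this node's address. On Windows every policy additionally gets an inbound Allow ACL from it so host-originated traffic such as kubelet probes still reaches the pod; unused on Linux.` Bootup, AddPolicy, RemovePolicy and RemovePolicyForEndpoints all start outside their hunks.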
