mirrors/kube-router
1
0
Fork 0
mirror of https://github.com/cloudnativelabs/kube-router.git synced 2025-10-05 23:11:05 +02:00
Code Issues Packages Projects Releases Wiki Activity

doc(network_policy_controller): add comments

Browse Source
This commit is contained in:
Aaron U'Ren 2020-05-12 16:03:09 -05:00
parent f476d39d7d
commit 02058ece97
1 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
pkg/controllers/netpol/network_policy_controller.go
View File

@ -953,6 +953,7 @@ func cleanupStaleRules(activePolicyChains, activePodFwChains, activePolicyIPSets
cleanupPolicyChains := make([]string, 0) cleanupPolicyChains := make([]string, 0)
cleanupPolicyIPSets := make([]*utils.Set, 0) cleanupPolicyIPSets := make([]*utils.Set, 0)
// initialize tool sets for working with iptables and ipset
iptablesCmdHandler, err := iptables.New() iptablesCmdHandler, err := iptables.New()
if err != nil { if err != nil {
glog.Fatalf("failed to initialize iptables command executor due to %s", err.Error()) glog.Fatalf("failed to initialize iptables command executor due to %s", err.Error())
@ -966,7 +967,7 @@ func cleanupStaleRules(activePolicyChains, activePodFwChains, activePolicyIPSets
glog.Fatalf("failed to initialize ipsets command executor due to %s", err.Error()) glog.Fatalf("failed to initialize ipsets command executor due to %s", err.Error())
} }
// get the list of chains created for pod firewall and network policies // find iptables chains and ipsets that are no longer used by comparing current to the active maps we were passed
chains, err := iptablesCmdHandler.ListChains("filter") chains, err := iptablesCmdHandler.ListChains("filter")
for _, chain := range chains { for _, chain := range chains {
if strings.HasPrefix(chain, kubeNetworkPolicyChainPrefix) { if strings.HasPrefix(chain, kubeNetworkPolicyChainPrefix) {
@ -989,7 +990,7 @@ func cleanupStaleRules(activePolicyChains, activePodFwChains, activePolicyIPSets
} }
} }
// cleanup FORWARD chain rules to jump to pod firewall // remove stale iptables chain references from the filter table chains
for _, chain := range cleanupPodFwChains { for _, chain := range cleanupPodFwChains {
forwardChainRules, err := iptablesCmdHandler.List("filter", "FORWARD") forwardChainRules, err := iptablesCmdHandler.List("filter", "FORWARD")
@ -1042,7 +1043,7 @@ func cleanupStaleRules(activePolicyChains, activePodFwChains, activePolicyIPSets
for _, policyChain := range cleanupPolicyChains { for _, policyChain := range cleanupPolicyChains {
glog.V(2).Infof("Found policy chain to cleanup %s", policyChain) glog.V(2).Infof("Found policy chain to cleanup %s", policyChain)
// first clean up any references from pod firewall chain // first clean up any references from active pod firewall chains
for podFwChain := range activePodFwChains { for podFwChain := range activePodFwChains {
podFwChainRules, err := iptablesCmdHandler.List("filter", podFwChain) podFwChainRules, err := iptablesCmdHandler.List("filter", podFwChain)
if err != nil { if err != nil {
@ -1059,6 +1060,7 @@ func cleanupStaleRules(activePolicyChains, activePodFwChains, activePolicyIPSets
} }
} }
// now that all stale and active references to the network policy chain have been removed, delete the chain
err = iptablesCmdHandler.ClearChain("filter", policyChain) err = iptablesCmdHandler.ClearChain("filter", policyChain)
if err != nil { if err != nil {
return fmt.Errorf("Failed to flush the rules in chain %s due to %s", policyChain, err) return fmt.Errorf("Failed to flush the rules in chain %s due to %s", policyChain, err)