bug fixes

This commit is contained in:
Murali Reddy 2021-06-25 02:51:19 +05:30 committed by Aaron U'Ren
parent 3d407dc451
commit 93fe004ce6
2 changed files with 10 additions and 7 deletions


@ -255,7 +255,7 @@ func (npc *NetworkPolicyController) fullPolicySync() {
}
if err := utils.Restore("filter", npc.filterTableRules.Bytes()); err != nil {
klog.Errorf("Aborting sync. Failed to run iptables-restore: %v" + err.Error())
klog.Errorf("Aborting sync. Failed to run iptables-restore: %v\n%s", err.Error(), npc.filterTableRules.String())
return
}
@ -433,6 +433,9 @@ func (npc *NetworkPolicyController) cleanupStaleRules(activePolicyChains, active
}
for _, chain := range chains {
if strings.HasPrefix(chain, kubeNetworkPolicyChainPrefix) {
if chain == kubeDefaultNetpolChain {
continue
}
if _, ok := activePolicyChains[chain]; !ok {
cleanupPolicyChains = append(cleanupPolicyChains, chain)
}
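Review bot: The new error line in the first hunk appends the whole filter-table ruleset (`npc.filterTableRules.String()`) to an error-level message on every failed restore; that buffer holds every pod firewall chain on the node, so a single failed sync can push many kilobytes into the log and repeated failures will flood log collectors. Consider writing the rejected ruleset to a file or gating the dump behind a klog verbosity level, keeping only the iptables-restore error (which usually names the failing line) at error level. Passing the error value directly also avoids the `%v` plus `err.Error()` detour: `klog.Errorf("Aborting sync. Failed to run iptables-restore: %v", err)`. fullPolicySync continues outside the hunk.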


@ -142,8 +142,8 @@ func (npc *NetworkPolicyController) syncPodFirewallChains(networkPoliciesInfo []
// set mark to indicate traffic from/to the pod passed network policies.
// Mark will be checked to explictly ACCEPT the traffic
comment := "set mark to ACCEPT traffic that comply to network policies"
args := []string{"-A", podFwChainName, "-m", "comment", "--comment", comment, "-j", "MARK", "--set-mark", "0x20000/0x20000"}
comment := "\"set mark to ACCEPT traffic that comply to network policies\""
args := []string{"-A", podFwChainName, "-m", "comment", "--comment", comment, "-j", "MARK", "--set-mark", "0x20000/0x20000", "\n"}
npc.filterTableRules.WriteString(strings.Join(args, " "))
}
@ -171,8 +171,8 @@ func (npc *NetworkPolicyController) setupPodIngressRules(pod *podInfo, podFwChai
// if pod does not have any network policy which applies rules for pod's ingress traffic
// then apply default network policy
if !npc.isIngressNetworkPolicyEnabledPod(networkPoliciesInfo, pod) {
comment := "run through default ingress policy chain"
args := []string{"-I", podFwChainName, "1", "-d", pod.ip, "-m", "comment", "--comment", comment, "-j", kubeDefaultNetpolChain}
comment := "\"run through default ingress policy chain\""
args := []string{"-I", podFwChainName, "1", "-d", pod.ip, "-m", "comment", "--comment", comment, "-j", kubeDefaultNetpolChain, "\n"}
npc.filterTableRules.WriteString(strings.Join(args, " "))
}
@ -229,8 +229,8 @@ func (npc *NetworkPolicyController) setupPodEgressRules(pod *podInfo, podFwChain
// if pod does not have any network policy which applies rules for pod's egress traffic
// then apply default network policy
if !npc.isEgressNetworkPolicyEnabledPod(networkPoliciesInfo, pod) {
comment := "run through default network policy chain"
args := []string{"-I", podFwChainName, "1", "-s", pod.ip, "-m", "comment", "--comment", comment, "-j", kubeDefaultNetpolChain}
comment := "\"run through default network policy chain\""
args := []string{"-I", podFwChainName, "1", "-s", pod.ip, "-m", "comment", "--comment", comment, "-j", kubeDefaultNetpolChain, "\n"}
npc.filterTableRules.WriteString(strings.Join(args, " "))
}
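Review bot: All three hunks in this file now hand-roll the same two details in each rule builder — the comment is wrapped in literal `\"` quotes and the line terminator is passed as a separate `"\n"` element of `args` — so `strings.Join(args, " ")` emits a trailing space before every newline, and the quoting convention must be kept identical in three places. A small helper would keep both in one spot, e.g. `npc.filterTableRules.WriteString(strings.Join(args, " ") + "\n")` with the comment produced by a local quoting helper rather than an inline quoted literal. The comments here are constants, so the hand quoting is safe as written; centralising it keeps that guarantee if a comment is ever assembled from runtime data. syncPodFirewallChains, setupPodIngressRules and setupPodEgressRules each start outside their hunk.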