fix(NPC): add warning for unsupported family

Rather than just silently not adding policies for controllers that don't
support a given address family, emit a warning so that it is more
obvious in the logs that kube-router isn't able to add a policy for a
given family when the controller doesn't have that family enabled.
Aaron U'Ren 2023-01-22 18:11:03 -06:00 committed by Aaron U'Ren
parent 4e1679f03b
commit e51ee3ae71


@ -475,6 +475,8 @@ func (npc *NetworkPolicyController) appendRuleToPolicyChain(policyChainName, com
func (npc *NetworkPolicyController) buildNetworkPoliciesInfo() ([]networkPolicyInfo, error) { func (npc *NetworkPolicyController) buildNetworkPoliciesInfo() ([]networkPolicyInfo, error) {
NetworkPolicies := make([]networkPolicyInfo, 0) NetworkPolicies := make([]networkPolicyInfo, 0)
_, isIPv4Enabled := npc.ipSetHandlers[api.IPv4Protocol]
_, isIPv6Enabled := npc.ipSetHandlers[api.IPv6Protocol]
for _, policyObj := range npc.npLister.List() { for _, policyObj := range npc.npLister.List() {
@ -560,6 +562,18 @@ func (npc *NetworkPolicyController) buildNetworkPoliciesInfo() ([]networkPolicyI
} }
} }
peerIPBlock := npc.evalIPBlockPeer(peer) peerIPBlock := npc.evalIPBlockPeer(peer)
_, foundIPv4Addresses := peerIPBlock[api.IPv4Protocol]
_, foundIPv6Addresses := peerIPBlock[api.IPv6Protocol]
if foundIPv4Addresses && !isIPv4Enabled {
klog.Warningf("Ignoring IPv4 source IP blocks %s from policy %s because we are not IPv4 "+
"Enabled!", peerIPBlock[api.IPv4Protocol], policy.Name)
}
if foundIPv6Addresses && !isIPv6Enabled {
klog.Warningf("Ignoring IPv6 source IP blocks %s from policy %s because we are not IPv6 "+
"Enabled!", peerIPBlock[api.IPv6Protocol], policy.Name)
}
ingressRule.srcIPBlocks[api.IPv4Protocol] = append( ingressRule.srcIPBlocks[api.IPv4Protocol] = append(
ingressRule.srcIPBlocks[api.IPv4Protocol], ingressRule.srcIPBlocks[api.IPv4Protocol],
peerIPBlock[api.IPv4Protocol]..., peerIPBlock[api.IPv4Protocol]...,
@ -624,6 +638,18 @@ func (npc *NetworkPolicyController) buildNetworkPoliciesInfo() ([]networkPolicyI
} }
peerIPBlock := npc.evalIPBlockPeer(peer) peerIPBlock := npc.evalIPBlockPeer(peer)
_, foundIPv4Addresses := peerIPBlock[api.IPv4Protocol]
_, foundIPv6Addresses := peerIPBlock[api.IPv6Protocol]
if foundIPv4Addresses && !isIPv4Enabled {
klog.Warningf("Ignoring IPv4 dest IP blocks %s from policy %s because we are not IPv4 "+
"Enabled!", peerIPBlock[api.IPv4Protocol], policy.Name)
}
if foundIPv6Addresses && !isIPv6Enabled {
klog.Warningf("Ignoring IPv6 dest IP blocks %s from policy %s because we are not IPv6 "+
"Enabled!", peerIPBlock[api.IPv6Protocol], policy.Name)
}
egressRule.dstIPBlocks[api.IPv4Protocol] = append( egressRule.dstIPBlocks[api.IPv4Protocol] = append(
egressRule.dstIPBlocks[api.IPv4Protocol], egressRule.dstIPBlocks[api.IPv4Protocol],
peerIPBlock[api.IPv4Protocol]..., peerIPBlock[api.IPv4Protocol]...,
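Review bot: The four new `klog.Warningf` calls identify the policy only by `policy.Name`, and NetworkPolicy names are unique only within a namespace, so an operator reading the warning cannot tell which object is not being enforced for that family. Assuming `policy` is the NetworkPolicy object (its declaration is outside the hunks), pass the namespace as well, e.g. `"Ignoring IPv4 source IP blocks %s from policy %s/%s because we are not IPv4 "+` with arguments `peerIPBlock[api.IPv4Protocol], policy.Namespace, policy.Name`; the same applies to the IPv6 and dest variants. Separately, the `append` into `srcIPBlocks[api.IPv4Protocol]` and `dstIPBlocks[api.IPv4Protocol]` directly after each warning is unconditional in the visible lines, so the "Ignoring" wording relies on filtering done elsewhere in `buildNetworkPoliciesInfo`, whose body starts and ends outside these hunks.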