This repository has been archived by the owner on Jun 20, 2024. It is now read-only.
npc: Track ipset entries per user and refcount default-allow ipsets #3181
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a bug in handling "default-allow" ipsets - it could not
cope with out of order receive of Pod updates. E.g:
1) AddPod(Pod_A, PodIP_A),
2) AddPod(Pod_B, PodIP_A),
3) DeletePod(Pod_A),
would result with PodIP_A being removed from "default-allow" ipset,
as such ipset entries were not refcounted. Bypassing of refcounting
was due to the fact that adding a netpol which dst-selects a Pod which
IP addr is in "default-allow" ipset has to remove the IP addr from
the ipset regardless of refcount value of the IP addr entry in the
ipset. So, refcounting in such case didn't make sense and it was
bypassed.
This commit changes the way entries are refcounted in ipsets, and
it makes "default-allow" ipset the same citizen as other ipsets, so
from now "default-allow" ipset is refcounted.
bboreham
approved these changes
Nov 22, 2017
| return nil | ||
| } | ||
|
|
||
| i.Logger.Printf("added entry %s to %s of %s", entry, ipsetName, user) |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
| return nil | ||
| } | ||
| return i.DelEntry(ipsetName, entry) | ||
| i.Logger.Printf("deleted entry %s from %s of %s", entry, ipsetName, user) |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a bug in handling
default-allowipsets - it could not cope with out of order receive of Pod updates. E.g:AddPod(Pod_A, PodIP_A),AddPod(Pod_B, PodIP_A),DeletePod(Pod_A),would result with
PodIP_Abeing removed fromdefault-allowipset, as such ipset entries were not refcounted. Bypassing of refcounting was due to the fact that adding a netpol which dst-selects a Pod which IP addr is indefault-allowipset has to remove the IP addr from the ipset regardless of refcount value of the IP addr entry in the ipset. So, refcounting in such case didn't make sense and it was bypassed.This commit changes the way entries are refcounted in ipsets, and it makes
default-allowipset the same citizen as other ipsets, so from nowdefault-allowipset is refcounted.Fix #3177