fix(NPC): add warning for unsupported family
Rather than just silently not adding policies for controllers that don't
support a given address family, emit a warning so that it is more
obvious in the logs that kube-router isn't able to add a policy for a
given family when the controller doesn't have that family enabled.
aauren committed Jan 23, 2023
1 parent 9663070 commit e6d64a2
Showing 1 changed file with 26 additions and 0 deletions.
26 changes: 26 additions & 0 deletions pkg/controllers/netpol/policy.go
@@ -475,6 +475,8 @@ func (npc *NetworkPolicyController) appendRuleToPolicyChain(policyChainName, com
func (npc *NetworkPolicyController) buildNetworkPoliciesInfo() ([]networkPolicyInfo, error) {

NetworkPolicies := make([]networkPolicyInfo, 0)
_, isIPv4Enabled := npc.ipSetHandlers[api.IPv4Protocol]
_, isIPv6Enabled := npc.ipSetHandlers[api.IPv6Protocol]

for _, policyObj := range npc.npLister.List() {

@@ -560,6 +562,18 @@ func (npc *NetworkPolicyController) buildNetworkPoliciesInfo() ([]networkPolicyI
}
}
peerIPBlock := npc.evalIPBlockPeer(peer)

_, foundIPv4Addresses := peerIPBlock[api.IPv4Protocol]
_, foundIPv6Addresses := peerIPBlock[api.IPv6Protocol]
if foundIPv4Addresses && !isIPv4Enabled {
klog.Warningf("Ignoring IPv4 source IP blocks %s from policy %s because we are not IPv4 "+
"Enabled!", peerIPBlock[api.IPv4Protocol], policy.Name)
}
if foundIPv6Addresses && !isIPv6Enabled {
klog.Warningf("Ignoring IPv6 source IP blocks %s from policy %s because we are not IPv6 "+
"Enabled!", peerIPBlock[api.IPv6Protocol], policy.Name)
}

ingressRule.srcIPBlocks[api.IPv4Protocol] = append(
ingressRule.srcIPBlocks[api.IPv4Protocol],
peerIPBlock[api.IPv4Protocol]...,
@@ -624,6 +638,18 @@ func (npc *NetworkPolicyController) buildNetworkPoliciesInfo() ([]networkPolicyI

}
peerIPBlock := npc.evalIPBlockPeer(peer)

_, foundIPv4Addresses := peerIPBlock[api.IPv4Protocol]
_, foundIPv6Addresses := peerIPBlock[api.IPv6Protocol]
if foundIPv4Addresses && !isIPv4Enabled {
klog.Warningf("Ignoring IPv4 dest IP blocks %s from policy %s because we are not IPv4 "+
"Enabled!", peerIPBlock[api.IPv4Protocol], policy.Name)
}
if foundIPv6Addresses && !isIPv6Enabled {
klog.Warningf("Ignoring IPv6 dest IP blocks %s from policy %s because we are not IPv6 "+
"Enabled!", peerIPBlock[api.IPv6Protocol], policy.Name)
}

egressRule.dstIPBlocks[api.IPv4Protocol] = append(
egressRule.dstIPBlocks[api.IPv4Protocol],
peerIPBlock[api.IPv4Protocol]...,
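Review bot: The four new warnings identify the policy only by `policy.Name`, but NetworkPolicy objects are namespaced, so two policies with the same name in different namespaces produce identical log lines and an operator cannot tell which declared ipBlock is not being enforced. Assuming `policy` is the Kubernetes NetworkPolicy object, include the namespace in both the ingress and the egress hunk, e.g. `klog.Warningf("Ignoring IPv4 source IP blocks %s from policy %s/%s because we are not IPv4 Enabled!", peerIPBlock[api.IPv4Protocol], policy.Namespace, policy.Name)`. The `_, foundIPv4Addresses := peerIPBlock[api.IPv4Protocol]` test checks key presence rather than content; if `evalIPBlockPeer` (not shown) can return an empty slice under a key, `len(peerIPBlock[api.IPv4Protocol]) > 0` avoids a spurious warning. buildNetworkPoliciesInfo starts and ends outside these hunks, so where the disabled family's blocks are actually dropped is not visible here.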