mirror of https://github.com/k3s-io/k3s
Warn if NPC can't start rather than fatal error
If the ip_set kernel module is not available, we should warn that the network policy controller cannot start rather than cause a fatal error. Also adds module probing and config checks for ip_set.
pull/1298/head
parent
d14faf95ba
commit
5b98d10e4b
|
@ -410,11 +410,12 @@ flags="
|
|||
NET_CLS_CGROUP $netprio
|
||||
CFS_BANDWIDTH FAIR_GROUP_SCHED RT_GROUP_SCHED
|
||||
IP_NF_TARGET_REDIRECT
|
||||
IP_SET
|
||||
IP_VS
|
||||
IP_VS_NFCT
|
||||
IP_VS_PROTO_TCP
|
||||
IP_VS_PROTO_UDP
|
||||
IP_VS_RR
|
||||
IP_VS_RR
|
||||
"
|
||||
check_flags $flags
|
||||
|
||||
|
|
|
@ -5,11 +5,17 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/rancher/k3s/pkg/daemons/config"
|
||||
"github.com/sirupsen/logrus"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
"k8s.io/client-go/tools/clientcmd"
|
||||
)
|
||||
|
||||
func Run(ctx context.Context, nodeConfig *config.Node) error {
|
||||
if _, err := NewSavedIPSet(false); err != nil {
|
||||
logrus.Warnf("Skipping network policy controller start, ipset unavailable: %v", err)
|
||||
return nil
|
||||
}
|
||||
|
||||
restConfig, err := clientcmd.BuildConfigFromFlags("", nodeConfig.AgentConfig.KubeConfigK3sController)
|
||||
if err != nil {
|
||||
return err
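Review bot: The new guard at the top of Run returns nil for any error from NewSavedIPSet, so the agent keeps running without the network policy controller and NetworkPolicy objects on this node are presumably left unenforced, with a single Warnf as the only signal. The message should say that outright so operators can alert on it, for example `logrus.Warnf("Skipping network policy controller start, ipset unavailable; NetworkPolicy will not be enforced on this node: %v", err)`. Because NewSavedIPSet now also runs Save, a transient failure there would, as far as the hunk shows, leave the controller off with no retry, so it may be worth separating "ipset missing" from other errors. Run's body continues past the end of the hunk.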
|
||||
|
|
|
@ -934,13 +934,9 @@ func cleanupStaleRules(activePolicyChains, activePodFwChains, activePolicyIPSets
|
|||
if err != nil {
|
||||
log.Fatalf("failed to initialize iptables command executor due to %s", err.Error())
|
||||
}
|
||||
ipsets, err := NewIPSet(false)
|
||||
ipset, err := NewSavedIPSet(false)
|
||||
if err != nil {
|
||||
log.Fatalf("failed to create ipsets command executor due to %s", err.Error())
|
||||
}
|
||||
err = ipsets.Save()
|
||||
if err != nil {
|
||||
log.Fatalf("failed to initialize ipsets command executor due to %s", err.Error())
|
||||
log.Fatalf("failed to create ipset command executor due to %s", err.Error())
|
||||
}
|
||||
|
||||
// get the list of chains created for pod firewall and network policies
|
||||
|
@ -957,7 +953,7 @@ func cleanupStaleRules(activePolicyChains, activePodFwChains, activePolicyIPSets
|
|||
}
|
||||
}
|
||||
}
|
||||
for _, set := range ipsets.Sets {
|
||||
for _, set := range ipset.Sets {
|
||||
if strings.HasPrefix(set.Name, kubeSourceIPSetPrefix) ||
|
||||
strings.HasPrefix(set.Name, kubeDestinationIPSetPrefix) {
|
||||
if _, ok := activePolicyIPSets[set.Name]; !ok {
|
||||
|
@ -1605,11 +1601,7 @@ func (npc *NetworkPolicyController) Cleanup() {
|
|||
}
|
||||
|
||||
// delete all ipsets
|
||||
ipset, err := NewIPSet(false)
|
||||
if err != nil {
|
||||
log.Errorf("Failed to clean up ipsets: " + err.Error())
|
||||
}
|
||||
err = ipset.Save()
|
||||
ipset, err := NewSavedIPSet(false)
|
||||
if err != nil {
|
||||
log.Errorf("Failed to clean up ipsets: " + err.Error())
|
||||
}
|
||||
|
@ -1719,11 +1711,7 @@ func NewNetworkPolicyController(
|
|||
}
|
||||
npc.nodeIP = nodeIP
|
||||
|
||||
ipset, err := NewIPSet(false)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
err = ipset.Save()
|
||||
ipset, err := NewSavedIPSet(false)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
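Review bot: In the Cleanup hunk the error branch after `ipset, err := NewSavedIPSet(false)` only logs and falls through, and NewSavedIPSet returns a nil *IPSet on any failure, including a failed Save, so whatever uses `ipset` after the hunk would presumably dereference nil. Before this change a failed Save still left a usable IPSet at that point. Add a `return` after the log call, and pass the error as an argument rather than concatenating it into the format string: `log.Errorf("Failed to clean up ipsets: %v", err)`. The cleanupStaleRules hunk still calls `log.Fatalf` on the same error, which sits oddly with the commit's goal of not terminating when ipset is unavailable; both functions extend beyond their hunks.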
|
||||
|
|
|
@ -152,8 +152,8 @@ func (ipset *IPSet) runWithStdin(stdin *bytes.Buffer, args ...string) (string, e
|
|||
return stdout.String(), nil
|
||||
}
|
||||
|
||||
// NewIPSet create a new IPSet with ipSetPath initialized.
|
||||
func NewIPSet(isIpv6 bool) (*IPSet, error) {
|
||||
// NewSavedIPSet create a new IPSet with ipSetPath initialized.
|
||||
func NewSavedIPSet(isIpv6 bool) (*IPSet, error) {
|
||||
ipSetPath, err := getIPSetPath()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
@ -163,6 +163,9 @@ func NewIPSet(isIpv6 bool) (*IPSet, error) {
|
|||
Sets: make(map[string]*Set),
|
||||
isIpv6: isIpv6,
|
||||
}
|
||||
if err := ipSet.Save(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return ipSet, nil
|
||||
}
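Review bot: The doc comment on NewSavedIPSet was only renamed and still describes the old constructor; it does not say that the function now calls Save and returns nil with an error when that fails. Suggested wording: `// NewSavedIPSet creates a new IPSet with ipSetPath initialized and calls Save on it, returning an error if either the path lookup or the save fails.` Callers such as Run rely on that error to decide whether the controller starts at all, so the contract is worth stating.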
|
||||
|
||||
|
|