Warn if NPC can't start rather than fatal error
If the ip_set kernel module is not available we should warn that the network policy controller can not start rather than cause a fatal error. Also adds module probing and config checks for ip_set.pull/1298/head
parent
d14faf95ba
commit
5b98d10e4b
|
@ -410,11 +410,12 @@ flags="
|
||||||
NET_CLS_CGROUP $netprio
|
NET_CLS_CGROUP $netprio
|
||||||
CFS_BANDWIDTH FAIR_GROUP_SCHED RT_GROUP_SCHED
|
CFS_BANDWIDTH FAIR_GROUP_SCHED RT_GROUP_SCHED
|
||||||
IP_NF_TARGET_REDIRECT
|
IP_NF_TARGET_REDIRECT
|
||||||
|
IP_SET
|
||||||
IP_VS
|
IP_VS
|
||||||
IP_VS_NFCT
|
IP_VS_NFCT
|
||||||
IP_VS_PROTO_TCP
|
IP_VS_PROTO_TCP
|
||||||
IP_VS_PROTO_UDP
|
IP_VS_PROTO_UDP
|
||||||
IP_VS_RR
|
IP_VS_RR
|
||||||
"
|
"
|
||||||
check_flags $flags
|
check_flags $flags
|
||||||
|
|
||||||
|
|
|
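Review bot: The added `IP_SET` entry only covers the core ip_set framework option; the set types the controller creates are separate kernel options, so a kernel built with IP_SET but without the needed set types would pass this check and still fail at runtime. If the controller's set types are known (they are not visible in this commit), listing them alongside, e.g. `IP_SET IP_SET_HASH_IP IP_SET_HASH_NET`, in the same flags string would make the check match what is actually required. The flags string and the check_flags call are otherwise unchanged, and the function they belong to starts outside the hunk.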
@ -5,11 +5,17 @@ import (
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/rancher/k3s/pkg/daemons/config"
|
"github.com/rancher/k3s/pkg/daemons/config"
|
||||||
|
"github.com/sirupsen/logrus"
|
||||||
"k8s.io/client-go/kubernetes"
|
"k8s.io/client-go/kubernetes"
|
||||||
"k8s.io/client-go/tools/clientcmd"
|
"k8s.io/client-go/tools/clientcmd"
|
||||||
)
|
)
|
||||||
|
|
||||||
func Run(ctx context.Context, nodeConfig *config.Node) error {
|
func Run(ctx context.Context, nodeConfig *config.Node) error {
|
||||||
|
if _, err := NewSavedIPSet(false); err != nil {
|
||||||
|
logrus.Warnf("Skipping network policy controller start, ipset unavailable: %v", err)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
restConfig, err := clientcmd.BuildConfigFromFlags("", nodeConfig.AgentConfig.KubeConfigK3sController)
|
restConfig, err := clientcmd.BuildConfigFromFlags("", nodeConfig.AgentConfig.KubeConfigK3sController)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
|
|
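Review bot: The new early return in Run turns a missing ipset into a node where NetworkPolicy is silently unenforced: after the Warnf nothing else records that enforcement is off, so workloads relying on isolation get none and the only trace is one log line at startup. The message should say so explicitly, e.g. `logrus.Warnf("Skipping network policy controller start, NetworkPolicy will not be enforced on this node; ipset unavailable: %v", err)`, and it is worth considering a way for operators who require enforcement to opt into a hard failure instead of a warning. The result of NewSavedIPSet is discarded here and NewNetworkPolicyController (later in this commit) constructs another one, so the probe, which presumably shells out to ipset, runs twice at startup; acceptable as a preflight but worth a short comment. Run's body continues outside the hunk.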
@ -934,13 +934,9 @@ func cleanupStaleRules(activePolicyChains, activePodFwChains, activePolicyIPSets
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Fatalf("failed to initialize iptables command executor due to %s", err.Error())
|
log.Fatalf("failed to initialize iptables command executor due to %s", err.Error())
|
||||||
}
|
}
|
||||||
ipsets, err := NewIPSet(false)
|
ipset, err := NewSavedIPSet(false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Fatalf("failed to create ipsets command executor due to %s", err.Error())
|
log.Fatalf("failed to create ipset command executor due to %s", err.Error())
|
||||||
}
|
|
||||||
err = ipsets.Save()
|
|
||||||
if err != nil {
|
|
||||||
log.Fatalf("failed to initialize ipsets command executor due to %s", err.Error())
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// get the list of chains created for pod firewall and network policies
|
// get the list of chains created for pod firewall and network policies
|
||||||
|
@ -957,7 +953,7 @@ func cleanupStaleRules(activePolicyChains, activePodFwChains, activePolicyIPSets
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
for _, set := range ipsets.Sets {
|
for _, set := range ipset.Sets {
|
||||||
if strings.HasPrefix(set.Name, kubeSourceIPSetPrefix) ||
|
if strings.HasPrefix(set.Name, kubeSourceIPSetPrefix) ||
|
||||||
strings.HasPrefix(set.Name, kubeDestinationIPSetPrefix) {
|
strings.HasPrefix(set.Name, kubeDestinationIPSetPrefix) {
|
||||||
if _, ok := activePolicyIPSets[set.Name]; !ok {
|
if _, ok := activePolicyIPSets[set.Name]; !ok {
|
||||||
|
@ -1605,11 +1601,7 @@ func (npc *NetworkPolicyController) Cleanup() {
|
||||||
}
|
}
|
||||||
|
|
||||||
// delete all ipsets
|
// delete all ipsets
|
||||||
ipset, err := NewIPSet(false)
|
ipset, err := NewSavedIPSet(false)
|
||||||
if err != nil {
|
|
||||||
log.Errorf("Failed to clean up ipsets: " + err.Error())
|
|
||||||
}
|
|
||||||
err = ipset.Save()
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Errorf("Failed to clean up ipsets: " + err.Error())
|
log.Errorf("Failed to clean up ipsets: " + err.Error())
|
||||||
}
|
}
|
||||||
|
@ -1719,11 +1711,7 @@ func NewNetworkPolicyController(
|
||||||
}
|
}
|
||||||
npc.nodeIP = nodeIP
|
npc.nodeIP = nodeIP
|
||||||
|
|
||||||
ipset, err := NewIPSet(false)
|
ipset, err := NewSavedIPSet(false)
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
err = ipset.Save()
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
|
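Review bot: In Cleanup the error branch after `ipset, err := NewSavedIPSet(false)` only logs and falls through, so `ipset` is nil on whatever follows the hunk; the old code had the same gap, but now that the separate `ipset.Save()` call has been folded into the constructor this is the natural point to add `return` after the `log.Errorf(...)`. Separately, cleanupStaleRules keeps `log.Fatalf` when NewSavedIPSet fails, so an ipset failure at sync time (rather than at startup) still terminates the agent despite the commit's stated intent to stop fataling on ipset problems; returning or logging the error there, as Run now does, would be consistent, though whether cleanupStaleRules can return an error is not visible in its cut-off signature. Both enclosing functions start and end outside their hunks.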
@ -152,8 +152,8 @@ func (ipset *IPSet) runWithStdin(stdin *bytes.Buffer, args ...string) (string, e
|
||||||
return stdout.String(), nil
|
return stdout.String(), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewIPSet create a new IPSet with ipSetPath initialized.
|
// NewSavedIPSet create a new IPSet with ipSetPath initialized.
|
||||||
func NewIPSet(isIpv6 bool) (*IPSet, error) {
|
func NewSavedIPSet(isIpv6 bool) (*IPSet, error) {
|
||||||
ipSetPath, err := getIPSetPath()
|
ipSetPath, err := getIPSetPath()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -163,6 +163,9 @@ func NewIPSet(isIpv6 bool) (*IPSet, error) {
|
||||||
Sets: make(map[string]*Set),
|
Sets: make(map[string]*Set),
|
||||||
isIpv6: isIpv6,
|
isIpv6: isIpv6,
|
||||||
}
|
}
|
||||||
|
if err := ipSet.Save(); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
return ipSet, nil
|
return ipSet, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
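Review bot: The doc comment on NewSavedIPSet is the old NewIPSet comment with the name swapped and does not mention the added Save call, which is now the behaviour the agent depends on as an availability probe. Suggest `// NewSavedIPSet creates an IPSet with ipSetPath initialized and the current sets loaded via Save, so it fails when ipset cannot be run (for example when the ip_set kernel module is missing).` The `return nil, err` after Save passes the raw error through; wrapping it with context such as `fmt.Errorf("loading ipset state: %w", err)` would make the agent's warning more useful, provided fmt is already imported in this file. NewSavedIPSet spans two hunks here; its middle lines are not shown.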