Warn if NPC can't start rather than fatal error

If the ip_set kernel module is not available we should warn that the network policy controller can not start rather than cause a fatal error. Also adds module probing and config checks for ip_set.
2020-01-14 12:53:51 -07:00 · 2020-01-14 12:53:51 -07:00 · 5b98d10e4b
parent d14faf95ba
commit 5b98d10e4b
4 changed files with 18 additions and 20 deletions
--- a/contrib/util/check-config.sh
+++ b/contrib/util/check-config.sh
@ -410,11 +410,12 @@ flags="
  NET_CLS_CGROUP $netprio
  CFS_BANDWIDTH FAIR_GROUP_SCHED RT_GROUP_SCHED
  IP_NF_TARGET_REDIRECT
+  IP_SET
  IP_VS
  IP_VS_NFCT
  IP_VS_PROTO_TCP
  IP_VS_PROTO_UDP
-   IP_VS_RR
+  IP_VS_RR
 "
 check_flags $flags

--- a/pkg/agent/netpol/network_policy.go
+++ b/pkg/agent/netpol/network_policy.go
@ -5,11 +5,17 @@ import (
 	"time"

 	"github.com/rancher/k3s/pkg/daemons/config"
+	"github.com/sirupsen/logrus"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
 )

 func Run(ctx context.Context, nodeConfig *config.Node) error {
+	if _, err := NewSavedIPSet(false); err != nil {
+		logrus.Warnf("Skipping network policy controller start, ipset unavailable: %v", err)
+		return nil
+	}
+
 	restConfig, err := clientcmd.BuildConfigFromFlags("", nodeConfig.AgentConfig.KubeConfigK3sController)
 	if err != nil {
 		return err
--- a/pkg/agent/netpol/network_policy_controller.go
+++ b/pkg/agent/netpol/network_policy_controller.go
@ -934,13 +934,9 @@ func cleanupStaleRules(activePolicyChains, activePodFwChains, activePolicyIPSets
 	if err != nil {
 		log.Fatalf("failed to initialize iptables command executor due to %s", err.Error())
 	}
-	ipsets, err := NewIPSet(false)
+	ipset, err := NewSavedIPSet(false)
 	if err != nil {
-		log.Fatalf("failed to create ipsets command executor due to %s", err.Error())
-	}
-	err = ipsets.Save()
-	if err != nil {
-		log.Fatalf("failed to initialize ipsets command executor due to %s", err.Error())
+		log.Fatalf("failed to create ipset command executor due to %s", err.Error())
 	}

 	// get the list of chains created for pod firewall and network policies
@ -957,7 +953,7 @@ func cleanupStaleRules(activePolicyChains, activePodFwChains, activePolicyIPSets
 			}
 		}
 	}
-	for _, set := range ipsets.Sets {
+	for _, set := range ipset.Sets {
 		if strings.HasPrefix(set.Name, kubeSourceIPSetPrefix) ||
 			strings.HasPrefix(set.Name, kubeDestinationIPSetPrefix) {
 			if _, ok := activePolicyIPSets[set.Name]; !ok {
@ -1605,11 +1601,7 @@ func (npc *NetworkPolicyController) Cleanup() {
 	}

 	// delete all ipsets
-	ipset, err := NewIPSet(false)
-	if err != nil {
-		log.Errorf("Failed to clean up ipsets: " + err.Error())
-	}
-	err = ipset.Save()
+	ipset, err := NewSavedIPSet(false)
 	if err != nil {
 		log.Errorf("Failed to clean up ipsets: " + err.Error())
 	}
@ -1719,11 +1711,7 @@ func NewNetworkPolicyController(
 	}
 	npc.nodeIP = nodeIP

-	ipset, err := NewIPSet(false)
-	if err != nil {
-		return nil, err
-	}
-	err = ipset.Save()
+	ipset, err := NewSavedIPSet(false)
 	if err != nil {
 		return nil, err
 	}
--- a/pkg/agent/netpol/utils.go
+++ b/pkg/agent/netpol/utils.go
@ -152,8 +152,8 @@ func (ipset *IPSet) runWithStdin(stdin *bytes.Buffer, args ...string) (string, e
 	return stdout.String(), nil
 }

-// NewIPSet create a new IPSet with ipSetPath initialized.
-func NewIPSet(isIpv6 bool) (*IPSet, error) {
+// NewSavedIPSet create a new IPSet with ipSetPath initialized.
+func NewSavedIPSet(isIpv6 bool) (*IPSet, error) {
 	ipSetPath, err := getIPSetPath()
 	if err != nil {
 		return nil, err
@ -163,6 +163,9 @@ func NewIPSet(isIpv6 bool) (*IPSet, error) {
 		Sets:      make(map[string]*Set),
 		isIpv6:    isIpv6,
 	}
+	if err := ipSet.Save(); err != nil {
+		return nil, err
+	}
 	return ipSet, nil
 }