Changes to attach probes at pod start

aws · Feb 21, 2025 · aa8bb64 · aa8bb64
1 parent eb39d03
commit aa8bb64
Show file tree

Hide file tree

Showing 4 changed files with 87 additions and 31 deletions.
diff --git a/cmd/routed-eni-cni-plugin/cni.go b/cmd/routed-eni-cni-plugin/cni.go
@@ -42,7 +42,6 @@ import (
 	"github.com/aws/amazon-vpc-cni-k8s/pkg/utils/cniutils"
 	"github.com/aws/amazon-vpc-cni-k8s/pkg/utils/logger"
 	pb "github.com/aws/amazon-vpc-cni-k8s/rpc"
-	"github.com/aws/amazon-vpc-cni-k8s/utils"
 )
 
 const ipamdAddress = "127.0.0.1:50051"
@@ -279,34 +278,33 @@ func add(args *skel.CmdArgs, cniTypes typeswrapper.CNITYPES, grpcClient grpcwrap
 	// dummy interface is appended to PrevResult for use during cleanup
 	result.Interfaces = append(result.Interfaces, dummyInterface)
 
-	if utils.IsStrictMode(r.NetworkPolicyMode) {
-		// Set up a connection to the network policy agent
-		npConn, err := grpcClient.Dial(npAgentAddress, grpc.WithTransportCredentials(insecure.NewCredentials()))
-		if err != nil {
-			log.Errorf("Failed to connect to network policy agent: %v", err)
-			return errors.Wrap(err, "add cmd: failed to connect to network policy agent backend server")
-		}
-		defer npConn.Close()
+	// Set up a connection to the network policy agent
+	npConn, err := grpcClient.Dial(npAgentAddress, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	if err != nil {
+		log.Errorf("Failed to connect to network policy agent: %v", err)
+		return errors.Wrap(err, "add cmd: failed to connect to network policy agent backend server")
+	}
+	defer npConn.Close()
 
-		//Make a GRPC call for network policy agent
-		npc := rpcClient.NewNPBackendClient(npConn)
+	//Make a GRPC call for network policy agent
+	npc := rpcClient.NewNPBackendClient(npConn)
 
-		npr, err := npc.EnforceNpToPod(context.Background(),
-			&pb.EnforceNpRequest{
-				K8S_POD_NAME:      string(k8sArgs.K8S_POD_NAME),
-				K8S_POD_NAMESPACE: string(k8sArgs.K8S_POD_NAMESPACE),
-			})
-
-		// No need to cleanup IP and network, kubelet will send delete.
-		if err != nil || !npr.Success {
-			log.Errorf("Failed to setup default network policy for Pod Name %s and NameSpace %s: GRPC returned - %v Network policy agent returned - %v",
-				string(k8sArgs.K8S_POD_NAME), string(k8sArgs.K8S_POD_NAMESPACE), err, npr)
-			return errors.New("add cmd: failed to setup network policy in strict mode")
-		}
+	npr, err := npc.EnforceNpToPod(context.Background(),
+		&pb.EnforceNpRequest{
+			K8S_POD_NAME:        string(k8sArgs.K8S_POD_NAME),
+			K8S_POD_NAMESPACE:   string(k8sArgs.K8S_POD_NAMESPACE),
+			NETWORK_POLICY_MODE: r.NetworkPolicyMode,
+		})
 
-		log.Debugf("Network Policy agent returned Success : %v", npr.Success)
+	// No need to cleanup IP and network, kubelet will send delete.
+	if err != nil || !npr.Success {
+		log.Errorf("Failed to setup default network policy for Pod Name %s and NameSpace %s: GRPC returned - %v Network policy agent returned - %v",
+			string(k8sArgs.K8S_POD_NAME), string(k8sArgs.K8S_POD_NAMESPACE), err, npr)
+		return errors.New("add cmd: failed to setup network policy")
 	}
 
+	log.Debugf("Network Policy agent for EnforceNpToPod returned Success : %v", npr.Success)
+
 	return cniTypes.PrintResult(result, conf.CNIVersion)
 }
 
@@ -444,6 +442,33 @@ func del(args *skel.CmdArgs, cniTypes typeswrapper.CNITYPES, grpcClient grpcwrap
 	} else {
 		log.Warnf("Container %s did not have a valid IP %s", args.ContainerID, r.IPv4Addr)
 	}
+
+	// Set up a connection to the network policy agent
+	npConn, err := grpcClient.Dial(npAgentAddress, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	if err != nil {
+		log.Errorf("Failed to connect to network policy agent: %v", err)
+	} else {
+		defer npConn.Close()
+
+		//Make a GRPC call for network policy agent
+		npc := rpcClient.NewNPBackendClient(npConn)
+
+		npr, err := npc.DeletePodNp(context.Background(),
+			&pb.DeleteNpRequest{
+				K8S_POD_NAME:      string(k8sArgs.K8S_POD_NAME),
+				K8S_POD_NAMESPACE: string(k8sArgs.K8S_POD_NAMESPACE),
+			})
+
+		// NP agent will never return an error if its not able to delete ebpf probes
+		if err != nil || !npr.Success {
+			log.Errorf("Failed to delete pod network policy for Pod Name %s and NameSpace %s: GRPC returned - %v Network policy agent returned - %v",
+				string(k8sArgs.K8S_POD_NAME), string(k8sArgs.K8S_POD_NAMESPACE), err, npr)
+			return errors.New("del cmd: failed to setup network policy")
+		}
+
+		log.Debugf("Network Policy agent for DeletePodNp returned Success : %v", npr.Success)
+	}
+
 	return nil
 }
 

diff --git a/cmd/routed-eni-cni-plugin/cni_test.go b/cmd/routed-eni-cni-plugin/cni_test.go
@@ -94,6 +94,15 @@ func TestCmdAdd(t *testing.T) {
 	mockC := mock_rpc.NewMockCNIBackendClient(ctrl)
 	mocksRPC.EXPECT().NewCNIBackendClient(conn).Return(mockC)
 
+	npConn, _ := grpc.Dial(npAgentAddress, grpc.WithInsecure())
+
+	mocksGRPC.EXPECT().Dial(gomock.Any(), gomock.Any()).Return(npConn, nil)
+	mockNP := mock_rpc.NewMockNPBackendClient(ctrl)
+	mocksRPC.EXPECT().NewNPBackendClient(npConn).Return(mockNP)
+
+	enforceNpReply := &rpc.EnforceNpReply{Success: true}
+	mockNP.EXPECT().EnforceNpToPod(gomock.Any(), gomock.Any()).Return(enforceNpReply, nil)
+
 	addNetworkReply := &rpc.AddNetworkReply{Success: true, IPv4Addr: ipAddr, DeviceNumber: devNum, NetworkPolicyMode: "none"}
 	mockC.EXPECT().AddNetwork(gomock.Any(), gomock.Any()).Return(addNetworkReply, nil)
 
@@ -281,10 +290,18 @@ func TestCmdDel(t *testing.T) {
 	mockC := mock_rpc.NewMockCNIBackendClient(ctrl)
 	mocksRPC.EXPECT().NewCNIBackendClient(conn).Return(mockC)
 
-	delNetworkReply := &rpc.DelNetworkReply{Success: true, IPv4Addr: ipAddr, DeviceNumber: devNum}
+	npConn, _ := grpc.Dial(npAgentAddress, grpc.WithInsecure())
+
+	mocksGRPC.EXPECT().Dial(gomock.Any(), gomock.Any()).Return(npConn, nil)
+	mockNP := mock_rpc.NewMockNPBackendClient(ctrl)
+	mocksRPC.EXPECT().NewNPBackendClient(npConn).Return(mockNP)
 
+	delNetworkReply := &rpc.DelNetworkReply{Success: true, IPv4Addr: ipAddr, DeviceNumber: devNum}
 	mockC.EXPECT().DelNetwork(gomock.Any(), gomock.Any()).Return(delNetworkReply, nil)
 
+	deleteNpReply := &rpc.DeleteNpReply{Success: true}
+	mockNP.EXPECT().DeletePodNp(gomock.Any(), gomock.Any()).Return(deleteNpReply, nil)
+
 	addr := &net.IPNet{
 		IP:   net.ParseIP(delNetworkReply.IPv4Addr),
 		Mask: net.IPv4Mask(255, 255, 255, 255),
@@ -377,10 +394,19 @@ func TestCmdAddForPodENINetwork(t *testing.T) {
 	mockC := mock_rpc.NewMockCNIBackendClient(ctrl)
 	mocksRPC.EXPECT().NewCNIBackendClient(conn).Return(mockC)
 
+	npConn, _ := grpc.Dial(npAgentAddress, grpc.WithInsecure())
+
+	mocksGRPC.EXPECT().Dial(gomock.Any(), gomock.Any()).Return(npConn, nil)
+	mockNP := mock_rpc.NewMockNPBackendClient(ctrl)
+	mocksRPC.EXPECT().NewNPBackendClient(npConn).Return(mockNP)
+
 	addNetworkReply := &rpc.AddNetworkReply{Success: true, IPv4Addr: ipAddr, PodENISubnetGW: "10.0.0.1", PodVlanId: 1,
 		PodENIMAC: "eniHardwareAddr", ParentIfIndex: 2, NetworkPolicyMode: "none"}
 	mockC.EXPECT().AddNetwork(gomock.Any(), gomock.Any()).Return(addNetworkReply, nil)
 
+	enforceNpReply := &rpc.EnforceNpReply{Success: true}
+	mockNP.EXPECT().EnforceNpToPod(gomock.Any(), gomock.Any()).Return(enforceNpReply, nil)
+
 	addr := &net.IPNet{
 		IP:   net.ParseIP(addNetworkReply.IPv4Addr),
 		Mask: net.IPv4Mask(255, 255, 255, 255),
@@ -414,10 +440,18 @@ func TestCmdDelForPodENINetwork(t *testing.T) {
 	mockC := mock_rpc.NewMockCNIBackendClient(ctrl)
 	mocksRPC.EXPECT().NewCNIBackendClient(conn).Return(mockC)
 
-	delNetworkReply := &rpc.DelNetworkReply{Success: true, IPv4Addr: ipAddr, PodVlanId: 1}
+	npConn, _ := grpc.Dial(npAgentAddress, grpc.WithInsecure())
+
+	mocksGRPC.EXPECT().Dial(gomock.Any(), gomock.Any()).Return(npConn, nil)
+	mockNP := mock_rpc.NewMockNPBackendClient(ctrl)
+	mocksRPC.EXPECT().NewNPBackendClient(npConn).Return(mockNP)
 
+	delNetworkReply := &rpc.DelNetworkReply{Success: true, IPv4Addr: ipAddr, PodVlanId: 1}
 	mockC.EXPECT().DelNetwork(gomock.Any(), gomock.Any()).Return(delNetworkReply, nil)
 
+	deleteNpReply := &rpc.DeleteNpReply{Success: true}
+	mockNP.EXPECT().DeletePodNp(gomock.Any(), gomock.Any()).Return(deleteNpReply, nil)
+
 	addr := &net.IPNet{
 		IP:   net.ParseIP(delNetworkReply.IPv4Addr),
 		Mask: net.IPv4Mask(255, 255, 255, 255),

diff --git a/rpc/rpc.proto b/rpc/rpc.proto
@@ -71,11 +71,13 @@ message DelNetworkReply {
 // The service definition.
 service NPBackend {
   rpc EnforceNpToPod (EnforceNpRequest) returns (EnforceNpReply) {}
+  rpc DeletePodNp (DeleteNpRequest) returns (DeleteNpReply) {}
 }
 
 message EnforceNpRequest {
   string K8S_POD_NAME = 1;
   string K8S_POD_NAMESPACE = 2;
+  string NETWORK_POLICY_MODE = 3;
 }
 
 message EnforceNpReply {

diff --git a/utils/utils.go b/utils/utils.go
@@ -65,8 +65,3 @@ func IsValidNetworkPolicyEnforcingMode(input string) bool {
 		return false
 	}
 }
-
-// IsStrictMode checks if strict mode is enabled
-func IsStrictMode(input string) bool {
-	return strings.ToLower(input) == string(Strict)
-}