defer operations so we can add new logic for admin network policies

kubernetes-sigs · Apr 21, 2024 · c769cd7 · c769cd7
1 parent abbebb6
commit c769cd7
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 13 deletions.
diff --git a/pkg/networkpolicy/controller.go b/pkg/networkpolicy/controller.go
@@ -300,28 +300,36 @@ func (c *Controller) Run(ctx context.Context) error {
 
 	// Parse the packet and check if should be accepted
 	fn := func(a nfqueue.Attribute) int {
+		verdict := nfqueue.NfDrop
+		if c.config.FailOpen {
+			verdict = nfqueue.NfAccept
+		}
+
 		startTime := time.Now()
 		klog.V(2).Infof("Processing sync for packet %d", *a.PacketID)
 
 		packet, err := parsePacket(*a.Payload)
 		if err != nil {
 			klog.Infof("Can not process packet %d accepting it: %v", *a.PacketID, err)
-			c.nfq.SetVerdict(*a.PacketID, nfqueue.NfAccept) //nolint:errcheck
+			c.nfq.SetVerdict(*a.PacketID, verdict) //nolint:errcheck
 			return 0
 		}
 
-		verdict := c.acceptPacket(packet)
-		if verdict {
-			c.nfq.SetVerdict(*a.PacketID, nfqueue.NfAccept) //nolint:errcheck
+		defer func() {
+			processingTime := float64(time.Since(startTime).Microseconds())
+			packetProcessingHist.WithLabelValues(string(packet.proto), string(packet.family)).Observe(processingTime)
+			packetProcessingSum.Observe(processingTime)
+			packetCounterVec.WithLabelValues(string(packet.proto), string(packet.family)).Inc()
+			klog.V(2).Infof("Finished syncing packet %d took: %v accepted: %v", *a.PacketID, time.Since(startTime), verdict == nfqueue.NfAccept)
+		}()
+
+		// Network Policy
+		if c.acceptNetworkPolicy(packet) {
+			verdict = nfqueue.NfAccept
 		} else {
-			c.nfq.SetVerdict(*a.PacketID, nfqueue.NfDrop) //nolint:errcheck
+			verdict = nfqueue.NfDrop
 		}
-
-		processingTime := float64(time.Since(startTime).Microseconds())
-		packetProcessingHist.WithLabelValues(string(packet.proto), string(packet.family)).Observe(processingTime)
-		packetProcessingSum.Observe(processingTime)
-		packetCounterVec.WithLabelValues(string(packet.proto), string(packet.family)).Inc()
-		klog.V(2).Infof("Finished syncing packet %d took: %v accepted: %v", *a.PacketID, time.Since(startTime), verdict)
+		c.nfq.SetVerdict(*a.PacketID, verdict) //nolint:errcheck
 		return 0
 	}
 

diff --git a/pkg/networkpolicy/networkpolicy.go b/pkg/networkpolicy/networkpolicy.go
@@ -23,7 +23,7 @@ func (c *Controller) getNetworkPoliciesForPod(pod *v1.Pod) []*networkingv1.Netwo
 	return networkPolices
 }
 
-func (c *Controller) acceptPacket(p packet) bool {
+func (c *Controller) acceptNetworkPolicy(p packet) bool {
 	srcIP := p.srcIP
 	srcPod := c.getPodAssignedToIP(srcIP.String())
 	srcPort := p.srcPort

diff --git a/pkg/networkpolicy/networkpolicy_test.go b/pkg/networkpolicy/networkpolicy_test.go
@@ -519,7 +519,7 @@ func TestSyncPacket(t *testing.T) {
 				}
 			}
 
-			ok := controller.acceptPacket(tt.p)
+			ok := controller.acceptNetworkPolicy(tt.p)
 			if ok != tt.expect {
 				t.Errorf("expected %v got  %v", ok, tt.expect)
 			}