From ac4d1c335f5a0e09490d901b24cb80b19ba56420 Mon Sep 17 00:00:00 2001 From: Hao Zhou Date: Fri, 15 Mar 2024 21:55:53 +0000 Subject: [PATCH] ignore host network pods in all endpoints --- pkg/resolvers/endpoints.go | 65 +++++++++++++++++++++++---------- pkg/resolvers/endpoints_test.go | 47 ++++++++++++++++++++++++ 2 files changed, 92 insertions(+), 20 deletions(-) diff --git a/pkg/resolvers/endpoints.go b/pkg/resolvers/endpoints.go index 7f4b86c..c3288c4 100644 --- a/pkg/resolvers/endpoints.go +++ b/pkg/resolvers/endpoints.go @@ -107,15 +107,17 @@ func (r *defaultEndpointsResolver) computePodSelectorEndpoints(ctx context.Conte if err != nil { return nil, errors.Wrap(err, "unable to get pod selector") } - podList := &corev1.PodList{} - if err := r.k8sClient.List(ctx, podList, &client.ListOptions{ + + podList, err := r.getNonHostNetworkPodList(ctx, &client.ListOptions{ LabelSelector: podSelector, Namespace: policy.Namespace, - }); err != nil { + }) + + if err != nil { r.logger.Info("Unable to List Pods", "err", err) return nil, err } - for _, pod := range podList.Items { + for _, pod := range podList { podIP := k8s.GetPodIP(&pod) if len(podIP) > 0 { podEndpoints = append(podEndpoints, policyinfo.PodEndpoint{ @@ -212,18 +214,19 @@ func (r *defaultEndpointsResolver) resolveNetworkPeers(ctx context.Context, poli } func (r *defaultEndpointsResolver) getIngressRulesPorts(ctx context.Context, policyNamespace string, policyPodSelector *metav1.LabelSelector, ports []networking.NetworkPolicyPort) []policyinfo.Port { - podList := &corev1.PodList{} - if err := r.k8sClient.List(ctx, podList, &client.ListOptions{ + podList, err := r.getNonHostNetworkPodList(ctx, &client.ListOptions{ LabelSelector: r.createPodLabelSelector(policyPodSelector), Namespace: policyNamespace, - }); err != nil { + }) + + if err != nil { r.logger.Info("Unable to List Pods", "err", err) return nil } - r.logger.V(2).Info("list pods for ingress", "podList", *podList, "namespace", policyNamespace, "selector", *policyPodSelector) + r.logger.V(2).Info("list pods for ingress", "podList", podList, "namespace", policyNamespace, "selector", *policyPodSelector) var portList []policyinfo.Port - for _, pod := range podList.Items { + for _, pod := range podList { portList = append(portList, r.getPortList(pod, ports)...) r.logger.Info("Got ingress port from pod", "pod", types.NamespacedName{Namespace: pod.Namespace, Name: pod.Name}.String()) } @@ -338,17 +341,18 @@ func (r *defaultEndpointsResolver) getMatchingPodAddresses(ctx context.Context, } // populate src pods for ingress and dst pods for egress - podList := &corev1.PodList{} - if err := r.k8sClient.List(ctx, podList, &client.ListOptions{ + podList, err := r.getNonHostNetworkPodList(ctx, &client.ListOptions{ LabelSelector: r.createPodLabelSelector(ls), Namespace: namespace, - }); err != nil { + }) + if err != nil { r.logger.Info("Unable to List Pods", "err", err) return nil } - r.logger.V(1).Info("Got pods for label selector", "count", len(podList.Items), "selector", ls.String()) - for _, pod := range podList.Items { + r.logger.V(1).Info("Got pods for label selector", "count", len(podList), "selector", ls.String()) + + for _, pod := range podList { podIP := k8s.GetPodIP(&pod) if len(podIP) == 0 { r.logger.Info("pod IP not assigned yet", "pod", k8s.NamespacedName(&pod)) @@ -464,19 +468,21 @@ func (r *defaultEndpointsResolver) getMatchingServicePort(ctx context.Context, s if err != nil { return 0, err } - podList := &corev1.PodList{} - if err := r.k8sClient.List(ctx, podList, &client.ListOptions{ + + podList, err := r.getNonHostNetworkPodList(ctx, &client.ListOptions{ LabelSelector: podSelector, Namespace: svc.Namespace, - }); err != nil { + }) + if err != nil { r.logger.Info("Unable to List Pods", "err", err) return 0, err } - for i := range podList.Items { - if portVal, err := k8s.LookupListenPortFromPodSpec(svc, &podList.Items[i], *port, protocol); err == nil { + + for i := range podList { + if portVal, err := k8s.LookupListenPortFromPodSpec(svc, &podList[i], *port, protocol); err == nil { return portVal, nil } else { - r.logger.Info("The pod doesn't have port matched", "err", err, "pod", podList.Items[i]) + r.logger.Info("The pod doesn't have port matched", "err", err, "pod", podList[i]) } } return 0, errors.Errorf("unable to find matching service listen port %s for service %s", port.String(), k8s.NamespacedName(svc)) @@ -503,3 +509,22 @@ func dedupPorts(policyPorts []policyinfo.Port) []policyinfo.Port { } return nil } + +func (r *defaultEndpointsResolver) getNonHostNetworkPodList(ctx context.Context, opts client.ListOption) ([]corev1.Pod, error) { + podList := &corev1.PodList{} + var pods []corev1.Pod + err := r.k8sClient.List(ctx, podList, opts) + if err != nil { + r.logger.Info("Unable to List Pods", "err", err) + } else { + for _, pod := range podList.Items { + if !pod.Spec.HostNetwork { + pods = append(pods, pod) + } else { + r.logger.Info("skipping host network pod", "pod", k8s.NamespacedName(&pod)) + } + } + } + + return pods, err +} diff --git a/pkg/resolvers/endpoints_test.go b/pkg/resolvers/endpoints_test.go index ccf99f2..b2fdd73 100644 --- a/pkg/resolvers/endpoints_test.go +++ b/pkg/resolvers/endpoints_test.go @@ -251,6 +251,24 @@ func TestEndpointsResolver_Resolve(t *testing.T) { }, }, } + ingressPolicyOnHostNetwork := &networking.NetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "host-network-policy", + Namespace: "ns", + }, + Spec: networking.NetworkPolicySpec{ + PodSelector: metav1.LabelSelector{}, + Ingress: []networking.NetworkPolicyIngressRule{ + { + From: []networking.NetworkPolicyPeer{ + { + PodSelector: &metav1.LabelSelector{}, + }, + }, + }, + }, + }, + } pod1 := corev1.Pod{ ObjectMeta: metav1.ObjectMeta{ Name: "pod1", @@ -278,6 +296,18 @@ func TestEndpointsResolver_Resolve(t *testing.T) { }, }, } + podHostNetwork := corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "pod-host-network", + Namespace: "ns", + Annotations: map[string]string{ + "vpc.amazonaws.com/pod-ips": "1.0.0.4", + }, + }, + Spec: corev1.PodSpec{ + HostNetwork: true, + }, + } podNoIP := corev1.Pod{ ObjectMeta: metav1.ObjectMeta{ Name: "pod-no-ip", @@ -326,6 +356,23 @@ func TestEndpointsResolver_Resolve(t *testing.T) { {PodIP: "1.0.0.3", Name: "pod3", Namespace: "ns"}, }, }, + { + name: "host network pods should be ignored", + args: args{ + netpol: ingressPolicyOnHostNetwork, + podListCalls: []podListCall{ + { + pods: []corev1.Pod{pod1, podHostNetwork}, + }, + }, + }, + wantIngressEndpoints: []policyinfo.EndpointInfo{ + {CIDR: "1.0.0.1"}, + }, + wantPodEndpoints: []policyinfo.PodEndpoint{ + {PodIP: "1.0.0.1", Name: "pod1", Namespace: "ns"}, + }, + }, { name: "ingress rules", args: args{