fix Node access underlay pod failed when applying network policy (#5256)

changluyi · changluyi · commit 3eca4f085e21 · 2025-05-20T15:53:19.000+08:00
* fix Node access underlay pod failed when applying  network policy

Signed-off-by: clyi &lt;clyi@alauda.io&gt;
diff --git a/pkg/controller/node.go b/pkg/controller/node.go
@@ -703,9 +703,28 @@ func (c *Controller) retryDelDupChassis(attempts, sleep int, f func(node *v1.Nod
 func (c *Controller) fetchPodsOnNode(nodeName string, pods []*v1.Pod) ([]string, error) {
 	ports := make([]string, 0, len(pods))
 	for _, pod := range pods {
-		if !isPodAlive(pod) || pod.Spec.HostNetwork || pod.Spec.NodeName != nodeName || pod.Annotations[util.LogicalRouterAnnotation] != c.config.ClusterRouter {
+		if !isPodAlive(pod) || pod.Spec.HostNetwork || pod.Spec.NodeName != nodeName {
 			continue
 		}
+
+		if pod.Annotations[util.LogicalRouterAnnotation] != c.config.ClusterRouter {
+			subnetName := pod.Annotations[util.LogicalSwitchAnnotation]
+			if subnetName == "" {
+				klog.V(4).Infof("Pod %s/%s is not on cluster router and has no logical switch annotation, skipping for VLAN check.", pod.Namespace, pod.Name)
+				continue
+			}
+
+			subnet, err := c.subnetsLister.Get(subnetName)
+			if err != nil {
+				klog.Errorf("failed to get subnet %s: %v", subnetName, err)
+				return nil, err
+			}
+
+			if subnet.Spec.Vlan == "" {
+				continue
+			}
+		}
+
 		podName := c.getNameByPod(pod)
 
 		podNets, err := c.getPodKubeovnNets(pod)
diff --git a/test/e2e/framework/iproute/iproute.go b/test/e2e/framework/iproute/iproute.go
@@ -7,6 +7,7 @@ import (
 	"reflect"
 	"slices"
 	"strings"
+	"time"
 
 	"github.com/kubeovn/kube-ovn/test/e2e/framework/docker"
 )
@@ -136,6 +137,44 @@ func AddressShow(device string, execFunc ExecFunc) ([]Link, error) {
 	return links, nil
 }
 
+func AddressDel(device, addr string, execFunc ExecFunc) error {
+	e := execer{fn: execFunc}
+	if err := e.exec("ip a del"+devArg(device)+" "+addr, nil); err != nil {
+		return err
+	}
+	return nil
+}
+
+func AddressDelCheckExist(device, addr string, execFunc ExecFunc) error {
+	found := false
+	for range 10 {
+		showLinks, err := AddressShow(device, execFunc)
+		if err != nil {
+			return err
+		}
+		for _, link := range showLinks {
+			for _, a := range link.AddrInfo {
+				cidr := fmt.Sprintf("%s/%d", a.Local, a.PrefixLen)
+				if cidr == addr {
+					found = true
+					break
+				}
+			}
+			if found {
+				break
+			}
+		}
+		if found {
+			break
+		}
+		time.Sleep(time.Second)
+	}
+	if !found {
+		return fmt.Errorf("address %s not found on %s after waiting", addr, device)
+	}
+	return AddressDel(device, addr, execFunc)
+}
+
 func RouteShow(table, device string, execFunc ExecFunc) ([]Route, error) {
 	e := execer{fn: execFunc}
 	var args string
diff --git a/test/e2e/kube-ovn/underlay/underlay.go b/test/e2e/kube-ovn/underlay/underlay.go
@@ -12,6 +12,9 @@ import (
 
 	dockernetwork "github.com/docker/docker/api/types/network"
 	corev1 "k8s.io/api/core/v1"
+	netv1 "k8s.io/api/networking/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	clientset "k8s.io/client-go/kubernetes"
 	e2enode "k8s.io/kubernetes/test/e2e/framework/node"
 	e2epodoutput "k8s.io/kubernetes/test/e2e/framework/pod/output"
@@ -106,7 +109,7 @@ var _ = framework.SerialDescribe("[group:underlay]", func() {
 	var itFn func(bool)
 	var cs clientset.Interface
 	var nodeNames []string
-	var clusterName, providerNetworkName, vlanName, subnetName, podName, namespaceName string
+	var clusterName, providerNetworkName, vlanName, subnetName, podName, namespaceName, netpolName string
 	var vpcName string
 	var u2oPodNameUnderlay, u2oOverlaySubnetName, u2oPodNameOverlay, u2oOverlaySubnetNameCustomVPC, u2oPodOverlayCustomVPC string
 	var linkMap map[string]*iproute.Link
@@ -118,6 +121,7 @@ var _ = framework.SerialDescribe("[group:underlay]", func() {
 	var vlanClient *framework.VlanClient
 	var providerNetworkClient *framework.ProviderNetworkClient
 	var dockerNetwork *dockernetwork.Inspect
+	var netpolClient *framework.NetworkPolicyClient
 	var containerID string
 
 	ginkgo.BeforeEach(func() {
@@ -128,6 +132,7 @@ var _ = framework.SerialDescribe("[group:underlay]", func() {
 		vpcClient = f.VpcClient()
 		vlanClient = f.VlanClient()
 		providerNetworkClient = f.ProviderNetworkClient()
+		netpolClient = f.NetworkPolicyClient()
 		namespaceName = f.Namespace.Name
 		podName = "pod-" + framework.RandomSuffix()
 		u2oPodNameOverlay = "pod-" + framework.RandomSuffix()
@@ -139,6 +144,7 @@ var _ = framework.SerialDescribe("[group:underlay]", func() {
 		vlanName = "vlan-" + framework.RandomSuffix()
 		providerNetworkName = "pn-" + framework.RandomSuffix()
 		vpcName = "vpc-" + framework.RandomSuffix()
+		netpolName = "netpol-" + framework.RandomSuffix()
 		containerID = ""
 
 		if skip {
@@ -325,6 +331,9 @@ var _ = framework.SerialDescribe("[group:underlay]", func() {
 			framework.ExpectNoError(err)
 		}
 
+		ginkgo.By("Deleting network policy " + netpolName)
+		netpolClient.DeleteSync(netpolName)
+
 		ginkgo.By("Deleting pod " + podName)
 		podClient.DeleteSync(podName)
 
@@ -448,6 +457,150 @@ var _ = framework.SerialDescribe("[group:underlay]", func() {
 		framework.ExpectEqual(links[0].Mtu, docker.MTU)
 	})
 
+	framework.ConformanceIt("should be able to access underlay pod from node after applying network policy", func() {
+		ginkgo.By("Creating provider network " + providerNetworkName)
+		pn := makeProviderNetwork(providerNetworkName, false, linkMap)
+		_ = providerNetworkClient.CreateSync(pn)
+
+		ginkgo.By("Getting docker network " + dockerNetworkName)
+		network, err := docker.NetworkInspect(dockerNetworkName)
+		framework.ExpectNoError(err, "getting docker network "+dockerNetworkName)
+
+		ginkgo.By("Creating vlan " + vlanName)
+		vlan := framework.MakeVlan(vlanName, providerNetworkName, 0)
+		_ = vlanClient.Create(vlan)
+
+		ginkgo.By("Creating subnet " + subnetName)
+		var cidrV4, cidrV6, gatewayV4, gatewayV6 string
+		for _, config := range dockerNetwork.IPAM.Config {
+			switch util.CheckProtocol(config.Subnet) {
+			case apiv1.ProtocolIPv4:
+				if f.HasIPv4() {
+					cidrV4 = config.Subnet
+					gatewayV4 = config.Gateway
+				}
+			case apiv1.ProtocolIPv6:
+				if f.HasIPv6() {
+					cidrV6 = config.Subnet
+					gatewayV6 = config.Gateway
+				}
+			}
+		}
+		cidr := make([]string, 0, 2)
+		gateway := make([]string, 0, 2)
+		if f.HasIPv4() {
+			cidr = append(cidr, cidrV4)
+			gateway = append(gateway, gatewayV4)
+		}
+		if f.HasIPv6() {
+			cidr = append(cidr, cidrV6)
+			gateway = append(gateway, gatewayV6)
+		}
+		excludeIPs := make([]string, 0, len(network.Containers)*2)
+		for _, container := range network.Containers {
+			if container.IPv4Address != "" && f.HasIPv4() {
+				excludeIPs = append(excludeIPs, strings.Split(container.IPv4Address, "/")[0])
+			}
+			if container.IPv6Address != "" && f.HasIPv6() {
+				excludeIPs = append(excludeIPs, strings.Split(container.IPv6Address, "/")[0])
+			}
+		}
+		subnet := framework.MakeSubnet(subnetName, vlanName, strings.Join(cidr, ","), strings.Join(gateway, ","), "", "", excludeIPs, nil, []string{namespaceName})
+		_ = subnetClient.CreateSync(subnet)
+
+		// set iptables to allow traffic between underlay and node network
+		ginkgo.By("Getting nodes")
+		nodes, err := e2enode.GetReadySchedulableNodes(context.Background(), cs)
+		framework.ExpectNoError(err)
+		framework.ExpectNotEmpty(nodes.Items)
+
+		for _, node := range nodes.Items {
+			for _, address := range node.Status.Addresses {
+				if address.Type == corev1.NodeInternalIP {
+					nodeIP := address.Address
+					if util.CheckProtocol(nodeIP) == apiv1.ProtocolIPv4 {
+						cmd1 := exec.Command("sudo", "iptables", "-t", "filter", "-I", "FORWARD", "-s", nodeIP, "-j", "ACCEPT")
+						if output, err := cmd1.CombinedOutput(); err != nil {
+							framework.Logf("failed to add iptables rule: %v, output: %s", err, string(output))
+						}
+						cmd2 := exec.Command("sudo", "iptables", "-t", "filter", "-I", "FORWARD", "-d", nodeIP, "-j", "ACCEPT")
+						if output, err := cmd2.CombinedOutput(); err != nil {
+							framework.Logf("failed to add iptables rule: %v, output: %s", err, string(output))
+						}
+					} else {
+						cmd1 := exec.Command("sudo", "ip6tables", "-t", "filter", "-I", "FORWARD", "-s", nodeIP, "-j", "ACCEPT")
+						if output, err := cmd1.CombinedOutput(); err != nil {
+							framework.Logf("failed to add ip6tables rule: %v, output: %s", err, string(output))
+						}
+						cmd2 := exec.Command("sudo", "ip6tables", "-t", "filter", "-I", "FORWARD", "-d", nodeIP, "-j", "ACCEPT")
+						if output, err := cmd2.CombinedOutput(); err != nil {
+							framework.Logf("failed to add ip6tables rule: %v, output: %s", err, string(output))
+						}
+					}
+				}
+			}
+		}
+
+		// remove underlay ip on bridge
+		kindNodes, _ := kind.ListNodes(clusterName, "")
+		for _, node := range kindNodes {
+			for _, container := range network.Containers {
+				if container.Name != node.Name() {
+					continue
+				}
+				if container.IPv4Address != "" && f.HasIPv4() {
+					err := iproute.AddressDelCheckExist("br-"+providerNetworkName, container.IPv4Address, node.Exec)
+					framework.ExpectNoError(err)
+				}
+				if container.IPv6Address != "" && f.HasIPv6() {
+					err := iproute.AddressDelCheckExist("br-"+providerNetworkName, container.IPv6Address, node.Exec)
+					framework.ExpectNoError(err)
+				}
+			}
+		}
+
+		ginkgo.By("Creating network policy " + netpolName)
+		netpol := &netv1.NetworkPolicy{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      netpolName,
+				Namespace: namespaceName,
+			},
+			Spec: netv1.NetworkPolicySpec{
+				PodSelector: metav1.LabelSelector{
+					MatchLabels: map[string]string{
+						"app": "agnhost",
+					},
+				},
+				Ingress:     []netv1.NetworkPolicyIngressRule{},
+				PolicyTypes: []netv1.PolicyType{netv1.PolicyTypeIngress},
+			},
+		}
+		_ = netpolClient.Create(netpol)
+
+		ginkgo.By("Creating pod " + podName)
+		labels := map[string]string{
+			"app": "agnhost",
+		}
+		args := []string{"netexec", "--http-port", strconv.Itoa(80)}
+		pod := framework.MakePrivilegedPod(namespaceName, podName, labels, nil, framework.AgnhostImage, nil, args)
+		pod.Spec.Containers[0].ReadinessProbe = &corev1.Probe{
+			ProbeHandler: corev1.ProbeHandler{
+				HTTPGet: &corev1.HTTPGetAction{
+					Port: intstr.FromInt32(80),
+				},
+			},
+		}
+		pod.Spec.Containers[0].LivenessProbe = &corev1.Probe{
+			ProbeHandler: corev1.ProbeHandler{
+				HTTPGet: &corev1.HTTPGetAction{
+					Port: intstr.FromInt32(80),
+				},
+			},
+		}
+
+		_ = podClient.CreateSync(pod)
+	})
+
 	framework.ConformanceIt("should be able to detect duplicate address", func() {
 		f.SkipVersionPriorTo(1, 9, "Duplicate address detection was introduced in v1.9")
 		if !f.HasIPv4() {
