aws / aws-network-policy-agent

Apache License 2.0

Log and return an error when policy is applied to a period-containing pod name #200

Closed zachdorame closed 5 months ago

zachdorame commented 6 months ago

Issue #, if available: https://github.com/aws/aws-network-policy-agent/issues/118

Description of changes: This change prevents the aws-node pod from entering a crash loop in the case that a networking policy is applied to a pod containing a period. I also added a unit test to ensure this behavior.

Testing:

  1. I built and installed an image of aws-network-policy-agent into aws-node and followed the documentation to enable network policy.
  2. I applied the Sample Policy and Sample Deployment from https://github.com/aws/aws-network-policy-agent/issues/118#issue-1967965139 on the cluster.
  3. Rather than crashing, I observed the following logs in /var/logs/aws-routed-eni/network-policy-agent.log:
    {"level":"info","ts":"2024-02-01T22:04:29.495Z","logger":"controllers.policyEndpoints","caller":"controllers/policyendpoints_controller.go:146","msg":"Processing Pod: ","name:":"sample-app.app-7c547489fb-dws7q","namespace:":"default","podIdentifier: ":"sample-app.app-7c547489fb-default"}
    {"level":"info","ts":"2024-02-01T22:04:29.495Z","logger":"ebpf-client","caller":"controllers/policyendpoints_controller.go:243","msg":"AttacheBPFProbes for","pod":"sample-app.app-7c547489fb-dws7q"," in namespace":"default"," with hostVethName":"enid066e956460"}
    {"level":"info","ts":"2024-02-01T22:04:29.495Z","logger":"ebpf-client","caller":"ebpf/bpf_client.go:412","msg":"Load the eBPF program"}
    {"level":"info","ts":"2024-02-01T22:04:29.495Z","logger":"ebpf-client","caller":"ebpf/bpf_client.go:412","msg":"Pod identifier cannot contain '.'"}

    I also observed the following in /var/logs/aws-routed-eni/ebpf-sdk.log

    {"level":"error","ts":"2024-02-01T04:12:45.931Z","caller":"ebpf/bpf_client.go:517","msg":"while loading egress program \"handle egress\" on fd -1: invalid argument"}

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
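
The behaviour described in this PR (reject the pod identifier, log, and return an error rather than crash) can be sketched as follows. This is an added example, not code from the PR or from aws-network-policy-agent: `podIdentifier`, `validatePodIdentifier`, `attachProbes` and `ErrInvalidPodIdentifier` are hypothetical names, the identifier derivation is inferred only from the log lines above, and the second pod name is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrInvalidPodIdentifier is a hypothetical sentinel error for this example.
var ErrInvalidPodIdentifier = errors.New("pod identifier cannot contain '.'")

// podIdentifier reproduces the mapping visible in the logs above (an assumption):
// the trailing "-<suffix>" of the pod name is replaced by "-<namespace>".
func podIdentifier(podName, namespace string) string {
	if i := strings.LastIndex(podName, "-"); i >= 0 {
		podName = podName[:i]
	}
	return podName + "-" + namespace
}

// validatePodIdentifier returns an error for identifiers containing a period,
// so the caller can log and skip the pod instead of the process dying.
func validatePodIdentifier(id string) error {
	if strings.Contains(id, ".") {
		return fmt.Errorf("%w: %q", ErrInvalidPodIdentifier, id)
	}
	return nil
}

// attachProbes stands in for the attach step; load is a hypothetical callback
// representing the eBPF program load, and is never reached for a bad identifier.
func attachProbes(podName, namespace string, load func(id string) error) error {
	id := podIdentifier(podName, namespace)
	if err := validatePodIdentifier(id); err != nil {
		return err
	}
	return load(id)
}

func main() {
	// First name is from the logs above; the second is constructed.
	pods := []string{"sample-app.app-7c547489fb-dws7q", "web-5d9c7b6f4-x2k8p"}
	for _, p := range pods {
		err := attachProbes(p, "default", func(string) error { return nil })
		// One rejected pod does not stop processing of the others.
		fmt.Printf("pod=%s id=%s err=%v\n", p, podIdentifier(p, "default"), err)
	}
}
```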

zachdorame commented 5 months ago

Had a discussion with Apurup, going to explore alternatives to resolving the bug. I don't think we'll proceed with the fix proposed in the PR so I'm closing it.