cybozu-go / coil

CNI plugin for Kubernetes designed for scalability and extensibility
Apache License 2.0

Fix to avoid adding FoU devices for pods that don't use its egress #265

Closed terassyi closed 5 months ago

terassyi commented 7 months ago

This PR is related: #253

Background

From coil v2.5, coild runs EgressWatcher to watch Egress resources.

When an Egress resource is modified (or created, or deleted), EgressWatcher reflects its configuration to the pods that use that Egress.

What

When reflecting the change to the pod, EgressWatcher picks the wrong network namespace and creates a device for the wrong pod.

Why

EgressWatcher gets the network namespace associated with the target pod by the pod's IP addresses.

https://github.com/cybozu-go/coil/blob/ea4d2acd1c80362477472a42bf682b5678f1aa9d/v2/pkg/nodenet/pod.go#L425

In this code, either c.IPv4.Equal(podIPv4) or c.IPv6.Equal(podIPv6) returns true in almost every case. In an IPv4 (or IPv6) single-stack setup, this condition always returns true, and netNsPath is updated in every iteration of the loop. As a result, the wrong network namespace is picked.
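The mechanism behind the bug described above, as an added illustration that is not coil's own code: in Go, net.IP.Equal reports two nil addresses as equal, so in an IPv4 single-stack cluster, where both the record's IPv6 and the target's IPv6 are nil, the IPv6 clause of the condition is true for every record. The podNetNS type, the buggyLookup and fixedLookup functions and the pod records below are hypothetical and constructed for this example; they mirror the condition the PR text quotes, not coil's actual data structures or the fix the PR applied.

```go
package main

import (
	"fmt"
	"net"
)

// podNetNS is a constructed stand-in for the per-pod records the watcher
// iterates over (hypothetical type, not coil's own).
type podNetNS struct {
	IPv4      net.IP
	IPv6      net.IP
	NetNSPath string
}

// Constructed sample records for an IPv4 single-stack node: IPv6 is nil everywhere.
var pods = []podNetNS{
	{IPv4: net.ParseIP("10.1.0.2"), NetNSPath: "/proc/101/ns/net"},
	{IPv4: net.ParseIP("10.1.0.3"), NetNSPath: "/proc/102/ns/net"},
	{IPv4: net.ParseIP("10.1.0.4"), NetNSPath: "/proc/103/ns/net"},
}

// buggyLookup reproduces the condition described in the PR. net.IP.Equal on
// two nil IPs returns true, so c.IPv6.Equal(podIPv6) holds for every record
// in a single-stack cluster: netNsPath is overwritten on every iteration and
// the last record wins, whatever the target pod's IP is.
func buggyLookup(pods []podNetNS, podIPv4, podIPv6 net.IP) string {
	var netNsPath string
	for _, c := range pods {
		if c.IPv4.Equal(podIPv4) || c.IPv6.Equal(podIPv6) {
			netNsPath = c.NetNSPath
		}
	}
	return netNsPath
}

// fixedLookup only lets an address family take part in the match when the
// target pod actually has an address in that family, and returns on the
// first match instead of continuing to overwrite the result.
func fixedLookup(pods []podNetNS, podIPv4, podIPv6 net.IP) (string, bool) {
	for _, c := range pods {
		v4 := podIPv4 != nil && c.IPv4.Equal(podIPv4)
		v6 := podIPv6 != nil && c.IPv6.Equal(podIPv6)
		if v4 || v6 {
			return c.NetNSPath, true
		}
	}
	return "", false
}

func main() {
	target := net.ParseIP("10.1.0.2")
	fmt.Println("nil IPs compare equal:", net.IP(nil).Equal(nil))
	fmt.Println("buggy lookup picks:", buggyLookup(pods, target, nil))
	ns, ok := fixedLookup(pods, target, nil)
	fmt.Println("fixed lookup picks:", ns, ok)
}
```

The same nil-equals-nil behaviour applies symmetrically in an IPv6 single-stack cluster, where the IPv4 clause is the one that is always true; the nil guard in fixedLookup covers both cases.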