From e73cf1287ac88d57b9f6689f4f078a85aaa9387d Mon Sep 17 00:00:00 2001 From: Wenying Dong Date: Fri, 21 Feb 2025 11:10:29 +0800 Subject: [PATCH] Filter out the hostNetwork Pods locally on Linux This change is to resolve the issue that "spec.hostNetwork" is supported as Pod's field selector after K8s v1.28 (including 1.28), which means we may not use the option on the clusters before version 1.27 (including 1.27). The fix is to remove the field selector "spec.hostNetwork" in the Pod list options, and locally filters out the hostNetwork Pod on Linux. This fix includes changes in both CNIServer and flow-aggregator. Signed-off-by: Wenying Dong --- cmd/flow-aggregator/flow-aggregator.go | 5 +---- pkg/agent/cniserver/server.go | 13 ++++++++++--- pkg/agent/cniserver/server_linux.go | 19 +++++++++---------- pkg/agent/cniserver/server_windows.go | 15 ++++----------- 4 files changed, 24 insertions(+), 28 deletions(-) diff --git a/cmd/flow-aggregator/flow-aggregator.go b/cmd/flow-aggregator/flow-aggregator.go index e156e42ec10..2cb698781ae 100644 --- a/cmd/flow-aggregator/flow-aggregator.go +++ b/cmd/flow-aggregator/flow-aggregator.go @@ -21,7 +21,6 @@ import ( "time" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/fields" coreinformers "k8s.io/client-go/informers/core/v1" "k8s.io/client-go/kubernetes" "k8s.io/client-go/rest" @@ -64,9 +63,7 @@ func run(configFile string) error { metav1.NamespaceAll, informerDefaultResync, cache.Indexers{}, - func(options *metav1.ListOptions) { - options.FieldSelector = fields.OneTermEqualSelector("spec.hostNetwork", "false").String() - }, + nil, ) podInformer.SetTransform(k8s.NewTrimmer(k8s.TrimPod)) podStore := podstore.NewPodStore(podInformer) diff --git a/pkg/agent/cniserver/server.go b/pkg/agent/cniserver/server.go index 53b216d2a97..dc956438291 100644 --- a/pkg/agent/cniserver/server.go +++ b/pkg/agent/cniserver/server.go @@ -29,6 +29,7 @@ import ( "github.com/containernetworking/cni/pkg/version" "github.com/containernetworking/plugins/pkg/ip" "google.golang.org/grpc" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" clientset "k8s.io/client-go/kubernetes" "k8s.io/client-go/tools/cache" "k8s.io/klog/v2" @@ -763,12 +764,18 @@ func (s *CNIServer) interceptCheck(cniConfig *CNIConfig) (*cnipb.CniCmdResponse, // | Windows HostProcess Pod | true | true | No | Yes | func (s *CNIServer) reconcile() error { klog.InfoS("Starting reconciliation for CNI server") - pods, err := s.kubeClient.CoreV1().Pods("").List(context.TODO(), s.getPodsListOptions()) + podListOption := metav1.ListOptions{ + FieldSelector: fmt.Sprintf("spec.nodeName=%s", s.nodeConfig.Name), + // For performance reasons, use ResourceVersion="0" in the ListOptions to ensure the request is served from + // the watch cache in kube-apiserver. + ResourceVersion: "0", + } + pods, err := s.kubeClient.CoreV1().Pods("").List(context.TODO(), podListOption) if err != nil { return fmt.Errorf("failed to list Pods running on Node %s: %v", s.nodeConfig.Name, err) } - - return s.podConfigurator.reconcile(pods.Items, s.containerAccess, s.podNetworkWait, s.flowRestoreCompleteWait) + filteredPods := s.filterPodsForReconcile(pods) + return s.podConfigurator.reconcile(filteredPods, s.containerAccess, s.podNetworkWait, s.flowRestoreCompleteWait) } func init() { diff --git a/pkg/agent/cniserver/server_linux.go b/pkg/agent/cniserver/server_linux.go index 9f3f8db76b1..86c91cb3b51 100644 --- a/pkg/agent/cniserver/server_linux.go +++ b/pkg/agent/cniserver/server_linux.go @@ -15,10 +15,8 @@ package cniserver import ( - "fmt" - current "github.com/containernetworking/cni/pkg/types/100" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + corev1 "k8s.io/api/core/v1" ) // updateResultDNSConfig updates the DNS config from CNIConfig. @@ -54,12 +52,13 @@ func (c *CNIConfig) getInfraContainer() string { return c.ContainerId } -// getPodsListOptions returns the none host-network Pods running on the current Node. -func (s *CNIServer) getPodsListOptions() metav1.ListOptions { - return metav1.ListOptions{ - FieldSelector: fmt.Sprintf("spec.nodeName=%s,spec.hostNetwork=false", s.nodeConfig.Name), - // For performance reasons, use ResourceVersion="0" in the ListOptions to ensure the request is served from - // the watch cache in kube-apiserver. - ResourceVersion: "0", +// filterPodsForReconcile returns the non-HostNetwork Pods. +func (s *CNIServer) filterPodsForReconcile(reconciledPods *corev1.PodList) []corev1.Pod { + pods := make([]corev1.Pod, 0) + for _, pod := range reconciledPods.Items { + if !pod.Spec.HostNetwork { + pods = append(pods, pod) + } } + return pods } diff --git a/pkg/agent/cniserver/server_windows.go b/pkg/agent/cniserver/server_windows.go index b45b5587ca9..0182392a311 100644 --- a/pkg/agent/cniserver/server_windows.go +++ b/pkg/agent/cniserver/server_windows.go @@ -22,7 +22,7 @@ import ( "strings" current "github.com/containernetworking/cni/pkg/types/100" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + corev1 "k8s.io/api/core/v1" "k8s.io/klog/v2" ) @@ -100,14 +100,7 @@ func (c *CNIConfig) getInfraContainer() string { return getInfraContainer(c.ContainerId, c.Netns) } -// getPodsListOptions returns the Pods running on the current Node. Note, the host-network Pods are not filtered -// out on Windows because they are also managed by antrea as long as "spec.SecurityContext.windowsOptions.hostProcess" -// is not configured. -func (s *CNIServer) getPodsListOptions() metav1.ListOptions { - return metav1.ListOptions{ - FieldSelector: fmt.Sprintf("spec.nodeName=%s", s.nodeConfig.Name), - // For performance reasons, use ResourceVersion="0" in the ListOptions to ensure the request is served from - // the watch cache in kube-apiserver. - ResourceVersion: "0", - } +// filterPodsForReconcile returns all Pods from the given reconciledPods. +func (s *CNIServer) filterPodsForReconcile(reconciledPods *corev1.PodList) []corev1.Pod { + return reconciledPods.Items }