From 740b2f95892130edb64ff8e3342be4d1cbafe2c9 Mon Sep 17 00:00:00 2001
From: Wenying Dong
Date: Fri, 21 Feb 2025 07:05:57 -0800
Subject: [PATCH] Filter out the hostNetwork Pods locally on Linux (#7012)

This change is to resolve the issue that "spec.hostNetwork" is not supported as Pod's field selector since K8s v1.28, so we may hit issues if antrea run on a cluster with version [1.19, 1.27] . The fix is to remove the field selector "spec.hostNetwork" in the Pod list options, and locally filter out the hostNetwork Pods on Linux. This fix includes changes in both CNIServer and flow-aggregator.

Signed-off-by: Wenying Dong
---
 pkg/agent/cniserver/server.go | 13 ++++++++++---
 pkg/agent/cniserver/server_linux.go | 19 +++++++++----------
 pkg/agent/cniserver/server_windows.go | 15 ++++-----------
 3 files changed, 23 insertions(+), 24 deletions(-)

diff --git a/pkg/agent/cniserver/server.go b/pkg/agent/cniserver/server.go
index 53b216d2a97..dc956438291 100644
--- a/pkg/agent/cniserver/server.go
+++ b/pkg/agent/cniserver/server.go
@@ -29,6 +29,7 @@ import (
 "github.com/containernetworking/cni/pkg/version"
 "github.com/containernetworking/plugins/pkg/ip"
 "google.golang.org/grpc"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 clientset "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/tools/cache"
 "k8s.io/klog/v2"
@@ -763,12 +764,18 @@ func (s *CNIServer) interceptCheck(cniConfig *CNIConfig) (*cnipb.CniCmdResponse,
 // | Windows HostProcess Pod | true | true | No | Yes |
 func (s *CNIServer) reconcile() error {
 klog.InfoS("Starting reconciliation for CNI server")
- pods, err := s.kubeClient.CoreV1().Pods("").List(context.TODO(), s.getPodsListOptions())
+ podListOption := metav1.ListOptions{
+ FieldSelector: fmt.Sprintf("spec.nodeName=%s", s.nodeConfig.Name),
+ // For performance reasons, use ResourceVersion="0" in the ListOptions to ensure the request is served from
+ // the watch cache in kube-apiserver.
+ ResourceVersion: "0",
+ }
+ pods, err := s.kubeClient.CoreV1().Pods("").List(context.TODO(), podListOption)
 if err != nil {
 return fmt.Errorf("failed to list Pods running on Node %s: %v", s.nodeConfig.Name, err)
 }
-
- return s.podConfigurator.reconcile(pods.Items, s.containerAccess, s.podNetworkWait, s.flowRestoreCompleteWait)
+ filteredPods := s.filterPodsForReconcile(pods)
+ return s.podConfigurator.reconcile(filteredPods, s.containerAccess, s.podNetworkWait, s.flowRestoreCompleteWait)
 }
 
 func init() {
diff --git a/pkg/agent/cniserver/server_linux.go b/pkg/agent/cniserver/server_linux.go
index 9f3f8db76b1..17c31da7602 100644
--- a/pkg/agent/cniserver/server_linux.go
+++ b/pkg/agent/cniserver/server_linux.go
@@ -15,10 +15,8 @@
 package cniserver
 
 import (
- "fmt"
-
 current "github.com/containernetworking/cni/pkg/types/100"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ corev1 "k8s.io/api/core/v1"
 )
 
 // updateResultDNSConfig updates the DNS config from CNIConfig.
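Review bot: `FieldSelector` in the new `podListOption` literal is assembled with `fmt.Sprintf`, which interpolates the Node name into selector syntax unescaped; apimachinery already provides `fields.OneTermEqualSelector("spec.nodeName", s.nodeConfig.Name).String()`, which escapes the value and keeps the selector grammar out of this function (it needs an import of `k8s.io/apimachinery/pkg/fields`). The variable would also read more naturally as `podListOptions`, since it holds a `metav1.ListOptions`. A one-line comment on the literal explaining why `spec.hostNetwork` is no longer part of the selector would spare the next reader a trip to the commit log, e.g. `// spec.hostNetwork is not accepted as a Pod field selector on every API server version Antrea supports, so host-network Pods are filtered locally by filterPodsForReconcile.`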
@@ -54,12 +52,13 @@ func (c *CNIConfig) getInfraContainer() string {
 return c.ContainerId
 }
 
-// getPodsListOptions returns the none host-network Pods running on the current Node.
-func (s *CNIServer) getPodsListOptions() metav1.ListOptions {
- return metav1.ListOptions{
- FieldSelector: fmt.Sprintf("spec.nodeName=%s,spec.hostNetwork=false", s.nodeConfig.Name),
- // For performance reasons, use ResourceVersion="0" in the ListOptions to ensure the request is served from
- // the watch cache in kube-apiserver.
- ResourceVersion: "0",
+// filterPodsForReconcile returns Pods that should be reconciled.
+func (s *CNIServer) filterPodsForReconcile(pods *corev1.PodList) []corev1.Pod {
+ validPods := make([]corev1.Pod, 0)
+ for _, pod := range pods.Items {
+ if !pod.Spec.HostNetwork {
+ validPods = append(validPods, pod)
+ }
 }
+ return validPods
 }
diff --git a/pkg/agent/cniserver/server_windows.go b/pkg/agent/cniserver/server_windows.go
index b45b5587ca9..73f42a1c77e 100644
--- a/pkg/agent/cniserver/server_windows.go
+++ b/pkg/agent/cniserver/server_windows.go
@@ -22,7 +22,7 @@ import (
 "strings"
 
 current "github.com/containernetworking/cni/pkg/types/100"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ corev1 "k8s.io/api/core/v1"
 "k8s.io/klog/v2"
 )
 
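Review bot: The doc comment on the new Linux `filterPodsForReconcile` no longer says which Pods are excluded, whereas the removed `getPodsListOptions` comment recorded that host-network Pods are left out; suggest `// filterPodsForReconcile returns the Pods in the list that Antrea manages on Linux, i.e. all Pods except host-network ones (see the table above reconcile in server.go).` Since the result is at most `len(pods.Items)` long and `corev1.Pod` is a large struct, the slice can be pre-sized and iterated by index so each kept Pod is copied once rather than twice: `validPods := make([]corev1.Pod, 0, len(pods.Items))` and `for i := range pods.Items { if !pods.Items[i].Spec.HostNetwork { validPods = append(validPods, pods.Items[i]) } }`. The receiver `s` is unused in this body, which is acceptable for keeping the Linux and Windows signatures identical.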
@@ -100,14 +100,7 @@ func (c *CNIConfig) getInfraContainer() string {
 return getInfraContainer(c.ContainerId, c.Netns)
 }
 
-// getPodsListOptions returns the Pods running on the current Node. Note, the host-network Pods are not filtered
-// out on Windows because they are also managed by antrea as long as "spec.SecurityContext.windowsOptions.hostProcess"
-// is not configured.
-func (s *CNIServer) getPodsListOptions() metav1.ListOptions {
- return metav1.ListOptions{
- FieldSelector: fmt.Sprintf("spec.nodeName=%s", s.nodeConfig.Name),
- // For performance reasons, use ResourceVersion="0" in the ListOptions to ensure the request is served from
- // the watch cache in kube-apiserver.
- ResourceVersion: "0",
- }
+// filterPodsForReconcile returns Pods that should be reconciled.
+func (s *CNIServer) filterPodsForReconcile(pods *corev1.PodList) []corev1.Pod {
+ return pods.Items
 }
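Review bot: The new Windows `filterPodsForReconcile` comment drops the rationale the removed `getPodsListOptions` comment carried, namely why host-network Pods are kept on Windows; that reasoning is now the only thing distinguishing this variant from the Linux one, so suggest restoring it: `// filterPodsForReconcile returns all Pods in the list. Host-network Pods are not filtered out on Windows because they are also managed by Antrea as long as "spec.SecurityContext.windowsOptions.hostProcess" is not configured.` Separately, this hunk removes a `fmt.Sprintf` call while the file's import hunk above only swaps metav1 for corev1, whereas server_linux.go dropped its `fmt` import in the same change; if this was the last use of `fmt` in server_windows.go the Windows build will fail on an unused import, which is worth confirming since that file is not compiled on Linux CI by default.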