Merge pull request #3305 from /issues/3289-many-namespaces

Make the ipset list size bigger

npc/ipset/ipset.go

@@ -1,6 +1,7 @@
 package ipset
 
 import (
+	"fmt"
 	"log"
 	"os/exec"
 	"strings"
@@ -40,17 +41,19 @@ type entryKey struct {
 type ipset struct {
 	*log.Logger
 	enableComments bool
+	maxListSize    int
 	// List of users per ipset entry. User is either a namespace or a pod.
 	// There might be multiple users for the same ipset & entry pair because
 	// events from k8s API server might be out of order causing duplicate IPs:
 	// https://github.com/weaveworks/weave/issues/2792.
 	users map[entryKey]map[types.UID]struct{}
 }
 
-func New(logger *log.Logger) Interface {
+func New(logger *log.Logger, maxListSize int) Interface {
 	ips := &ipset{
 		Logger:         logger,
 		enableComments: true,
+		maxListSize:    maxListSize,
 		users:          make(map[entryKey]map[types.UID]struct{}),
 	}
 
@@ -71,6 +74,9 @@ func New(logger *log.Logger) Interface {
 
 func (i *ipset) Create(ipsetName Name, ipsetType Type) error {
 	args := []string{"create", string(ipsetName), string(ipsetType)}
+	if ipsetType == ListSet && i.maxListSize > 0 {
+		args = append(args, "size", fmt.Sprintf("%d", i.maxListSize))
+	}
 	if i.enableComments {
 		args = append(args, "comment")
 	}

prog/weave-npc/main.go

@@ -31,6 +31,7 @@ var (
 	allowMcast  bool
 	nodeName    string
 	legacy      bool
+	maxList     int
 )
 
 func handleError(err error) { common.CheckFatal(err) }
@@ -152,7 +153,7 @@ func root(cmd *cobra.Command, args []string) {
 	ipt, err := iptables.New()
 	handleError(err)
 
-	ips := ipset.New(common.LogLogger())
+	ips := ipset.New(common.LogLogger(), maxList)
 
 	handleError(resetIPTables(ipt))
 	handleError(resetIPSets(ips))
@@ -245,6 +246,7 @@ func main() {
 	rootCmd.PersistentFlags().BoolVar(&allowMcast, "allow-mcast", true, "allow all multicast traffic")
 	rootCmd.PersistentFlags().StringVar(&nodeName, "node-name", "", "only generate rules that apply to this node")
 	rootCmd.PersistentFlags().BoolVar(&legacy, "use-legacy-netpol", false, "use legacy network policies (pre k8s 1.7 vsn)")
+	rootCmd.PersistentFlags().IntVar(&maxList, "max-list-size", 1024, "maximum size of ipset list (for namespaces)")
 
 	handleError(rootCmd.Execute())
 }

test/840_weave_kube_3_test.sh

@@ -225,21 +225,46 @@ run_on $HOST1 "$KUBECTL delete netpol allow-nettest-deny"
 # nettest-deny should still not be able to reach nettest pods
 assert_raises "! $SSH $HOST1 $KUBECTL exec $denyPodName -- curl -s -S -f -m 2 http://$DOMAIN:8080/status >/dev/null"
 
-# allow access for all
+# Create many namespaces to stress namespaceSelector
+for n in 1 2 3 4 5 6 7 8 9 10; do
+    run_on $HOST1 "$KUBECTL create namespace namespace${n}"
+done
+
+# allow access from any namespace
 run_on $HOST1 "$KUBECTL apply -f -" <<EOF
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-nettest-deny
+  name: allow-any-namespace
   namespace: default
 spec:
   podSelector: {}
   ingress:
-    - {}
+    - from:
+      - namespaceSelector: {}
 EOF
 
+# Should be able to access from the "deny" pod now
 assert_raises "$SSH $HOST1 $KUBECTL exec $denyPodName -- curl -s -S -f -m 2 http://$DOMAIN:8080/status >/dev/null"
 
+# host should still not be able to reach pods via service virtual IP or NodePort
+# because host is not in a namespace
+assert_raises "! $SSH $HOST1 curl -s -S -f -m 2 http://$VIRTUAL_IP/status >/dev/null"
+assert_raises "! $SSH $HOST1 curl -s -S -f -m 2 http://$HOST2:31138/status >/dev/null"
+
+# allow access from anywhere
+run_on $HOST1 "$KUBECTL apply -f -" <<EOF
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-anywhere
+  namespace: default
+spec:
+  podSelector: {}
+  ingress:
+    - {}
+EOF
+
 # Virtual IP and NodePort should now work
 assert_raises "$SSH $HOST1 curl -s -S -f -m 2 http://$VIRTUAL_IP/status >/dev/null"
 assert_raises "$SSH $HOST1 curl -s -S -f -m 2 http://$HOST2:31138/status >/dev/null"