Merge pull request #27914 from yifan-gu/fix_kubenet_hostport

Automatic merge from submit-queue

kubenet: Fix host port for rktnetes.

Because rkt pod runs after plugin.SetUpPod() is called, so
getRunningPods() does not return the newly created pod, which
causes the hostport iptable rules to be missing for this new pod.

cc @dcbw @freehan 

A follow up fix for https://github.com/kubernetes/kubernetes/pull/27878#issuecomment-227898936

pkg/kubelet/network/hostport/hostport.go

@@ -42,7 +42,7 @@ const (
 )
 
 type HostportHandler interface {
-	OpenPodHostportsAndSync(newPod *api.Pod, natInterfaceName string, runningPods []*RunningPod) error
+	OpenPodHostportsAndSync(newPod *RunningPod, natInterfaceName string, runningPods []*RunningPod) error
 	SyncHostports(natInterfaceName string, runningPods []*RunningPod) error
 }
 
@@ -172,12 +172,24 @@ func hostportChainName(cp api.ContainerPort, podFullName string) utiliptables.Ch
 
 // OpenPodHostportsAndSync opens hostports for a new pod, gathers all hostports on
 // node, sets up iptables rules enable them. And finally clean up stale hostports
-func (h *handler) OpenPodHostportsAndSync(newPod *api.Pod, natInterfaceName string, runningPods []*RunningPod) error {
+func (h *handler) OpenPodHostportsAndSync(newPod *RunningPod, natInterfaceName string, runningPods []*RunningPod) error {
 	// try to open pod host port if specified
-	if err := h.openHostports(newPod); err != nil {
+	if err := h.openHostports(newPod.Pod); err != nil {
 		return err
 	}
 
+	// Add the new pod to running pods if it's not running already (e.g. in rkt's case).
+	var found bool
+	for _, p := range runningPods {
+		if p.Pod.UID == newPod.Pod.UID {
+			found = true
+			break
+		}
+	}
+	if !found {
+		runningPods = append(runningPods, newPod)
+	}
+
 	return h.SyncHostports(natInterfaceName, runningPods)
 }
 

pkg/kubelet/network/hostport/hostport_test.go

@@ -185,7 +185,7 @@ func TestOpenPodHostports(t *testing.T) {
 		})
 	}
 
-	err := h.OpenPodHostportsAndSync(tests[0].pod, "br0", runningPods)
+	err := h.OpenPodHostportsAndSync(&RunningPod{Pod: tests[0].pod, IP: net.ParseIP(tests[0].ip)}, "br0", runningPods)
 	if err != nil {
 		t.Fatalf("Failed to OpenPodHostportsAndSync: %v", err)
 	}

pkg/kubelet/network/hostport/testing/fake.go

@@ -19,7 +19,6 @@ package testing
 import (
 	"fmt"
 
-	"k8s.io/kubernetes/pkg/api"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 	"k8s.io/kubernetes/pkg/kubelet/network/hostport"
 )
@@ -30,8 +29,8 @@ func NewFakeHostportHandler() hostport.HostportHandler {
 	return &fakeHandler{}
 }
 
-func (h *fakeHandler) OpenPodHostportsAndSync(newPod *api.Pod, natInterfaceName string, runningPods []*hostport.RunningPod) error {
-	return h.SyncHostports(natInterfaceName, runningPods)
+func (h *fakeHandler) OpenPodHostportsAndSync(newPod *hostport.RunningPod, natInterfaceName string, runningPods []*hostport.RunningPod) error {
+	return h.SyncHostports(natInterfaceName, append(runningPods, newPod))
 }
 
 func (h *fakeHandler) SyncHostports(natInterfaceName string, runningPods []*hostport.RunningPod) error {

pkg/kubelet/network/kubenet/kubenet_linux.go

@@ -349,7 +349,9 @@ func (plugin *kubenetNetworkPlugin) setup(namespace string, name string, id kube
 	if err != nil {
 		return err
 	}
-	if err := plugin.hostportHandler.OpenPodHostportsAndSync(pod, BridgeName, runningPods); err != nil {
+
+	newPod := &hostport.RunningPod{Pod: pod, IP: ip4}
+	if err := plugin.hostportHandler.OpenPodHostportsAndSync(newPod, BridgeName, runningPods); err != nil {
 		return err
 	}