Handle ipmasq agent errors

rezamt · Oct 14, 2019 · 751bfb6 · 751bfb6
1 parent b870f1c
commit 751bfb6
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 10 deletions.
diff --git a/images/kindnetd/cmd/kindnetd/main.go b/images/kindnetd/cmd/kindnetd/main.go
@@ -69,10 +69,15 @@ func main() {
 
 	// enforce ip masquerade rules
 	// TODO: dual stack...?
-	masqAgent := NewIPMasqAgent(net.IsIPv6String(hostIP), []string{os.Getenv("POD_SUBNET")})
-	// TODO: handle the errors and logging here, temporally the agent will run forever
+	masqAgent, err := NewIPMasqAgent(net.IsIPv6String(hostIP), []string{os.Getenv("POD_SUBNET")})
+	if err != nil {
+		panic(err.Error())
+	}
+	// run the masqAgent and panic if is not able to install the rules to no masquerade the pod to pod traffic
 	go func() {
-		masqAgent.SyncRulesForever(time.Second * 60)
+		if err := masqAgent.SyncRulesForever(time.Second * 60); err != nil {
+			panic(err.Error())
+		}
 	}()
 
 	// setup nodes reconcile function, closes over arguments

diff --git a/images/kindnetd/cmd/kindnetd/masq.go b/images/kindnetd/cmd/kindnetd/masq.go
@@ -24,35 +24,47 @@ import (
 )
 
 // NewIPMasqAgent returns a new IPMasqAgent
-func NewIPMasqAgent(ipv6 bool, noMasqueradeCIDRs []string) *IPMasqAgent {
+func NewIPMasqAgent(ipv6 bool, noMasqueradeCIDRs []string) (*IPMasqAgent, error) {
 	protocol := iptables.ProtocolIPv4
 	if ipv6 {
 		protocol = iptables.ProtocolIPv6
 	}
-	ipt, _ := iptables.NewWithProtocol(protocol)
+	ipt, err := iptables.NewWithProtocol(protocol)
+	if err != nil {
+		return nil, err
+	}
 
 	// TODO: validate cidrs
 	return &IPMasqAgent{
 		iptables:          ipt,
 		masqChain:         masqChainName,
 		noMasqueradeCIDRs: noMasqueradeCIDRs,
-	}
+	}, nil
 }
 
 // IPMasqAgent is based on https://github.com/kubernetes-incubator/ip-masq-agent
-// but collapsed into kindnetd and made ipv6 aware in an opionated and simplified
-// fashion using "github.com/coreos/go-iptables" instead of k8s/pkg/util/iptables
+// but collapsed into kindnetd and made ipv6 aware in an opinionated and simplified
+// fashion using "github.com/coreos/go-iptables"
 type IPMasqAgent struct {
 	iptables          *iptables.IPTables
 	masqChain         string
 	noMasqueradeCIDRs []string
 }
 
 // SyncRulesForever syncs ip masquerade rules forever
-func (ma *IPMasqAgent) SyncRulesForever(interval time.Duration) {
+// these rules only needs to be installed once, but we run it periodically to check that are
+// not deleted by an external program. It fails if can't sync the rules during 3 iterations
+// TODO: aggregate errors
+func (ma *IPMasqAgent) SyncRulesForever(interval time.Duration) error {
+	errs := 0
 	for {
 		if err := ma.SyncRules(); err != nil {
-			fmt.Printf("Error syncing iptables non-masq rules %v, retrying ... \n", err)
+			errs++
+			if errs > 3 {
+				return fmt.Errorf("Can't synchronize rules after 3 attempts: %v", err)
+			}
+		} else {
+			errs = 0
 		}
 		time.Sleep(interval)
 	}