If the NetNS path does not exist, error should not be returned, otherwise it may cause ip leakage #685
Comments
silenceper
added a commit
to silenceper/plugins
that referenced
this issue
Jan 6, 2022
silenceper
added a commit
to silenceper/plugins
that referenced
this issue
Jan 6, 2022
Signed-off-by: silenceper <silenceper@gmail.com>
MikeZappa87
pushed a commit
to MikeZappa87/plugins
that referenced
this issue
Jan 20, 2022
Signed-off-by: silenceper <silenceper@gmail.com>
6 tasks
aanm
pushed a commit
to cilium/cilium
that referenced
this issue
Jul 28, 2022
If the network namespace has been deleted before CNI DEL is invoked, Cilium CNI should still invoke the delegated IPAM plugin to release the IP address. This matches the behavior of the "bridge" reference plugin, which invokes delegated plugin DEL when the network namespace has been deleted: containernetworking/plugins#685 containernetworking/plugins#686 I tested the changes in a kind cluster configuring Cilium CNI to use the reference host-local plugin for IPAM. The cilium connectivity tests pass. I also repeatedly deleted pods from a deployment to trigger the "Unable to enter namespace" warning in the Cilium CNI logs, then verified that the delegated IPAM plugin DEL was invoked to release the IPs. Signed-off-by: Will Daly <widaly@microsoft.com>
dezmodue
pushed a commit
to dezmodue/cilium
that referenced
this issue
Aug 10, 2022
If the network namespace has been deleted before CNI DEL is invoked, Cilium CNI should still invoke the delegated IPAM plugin to release the IP address. This matches the behavior of the "bridge" reference plugin, which invokes delegated plugin DEL when the network namespace has been deleted: containernetworking/plugins#685 containernetworking/plugins#686 I tested the changes in a kind cluster configuring Cilium CNI to use the reference host-local plugin for IPAM. The cilium connectivity tests pass. I also repeatedly deleted pods from a deployment to trigger the "Unable to enter namespace" warning in the Cilium CNI logs, then verified that the delegated IPAM plugin DEL was invoked to release the IPs. Signed-off-by: Will Daly <widaly@microsoft.com>
nbusseneau
pushed a commit
to nbusseneau/cilium
that referenced
this issue
Aug 10, 2022
[ upstream commit 645c8d5 ] If the network namespace has been deleted before CNI DEL is invoked, Cilium CNI should still invoke the delegated IPAM plugin to release the IP address. This matches the behavior of the "bridge" reference plugin, which invokes delegated plugin DEL when the network namespace has been deleted: containernetworking/plugins#685 containernetworking/plugins#686 I tested the changes in a kind cluster configuring Cilium CNI to use the reference host-local plugin for IPAM. The cilium connectivity tests pass. I also repeatedly deleted pods from a deployment to trigger the "Unable to enter namespace" warning in the Cilium CNI logs, then verified that the delegated IPAM plugin DEL was invoked to release the IPs. Signed-off-by: Will Daly <widaly@microsoft.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
tklauser
pushed a commit
to cilium/cilium
that referenced
this issue
Aug 11, 2022
[ upstream commit 645c8d5 ] If the network namespace has been deleted before CNI DEL is invoked, Cilium CNI should still invoke the delegated IPAM plugin to release the IP address. This matches the behavior of the "bridge" reference plugin, which invokes delegated plugin DEL when the network namespace has been deleted: containernetworking/plugins#685 containernetworking/plugins#686 I tested the changes in a kind cluster configuring Cilium CNI to use the reference host-local plugin for IPAM. The cilium connectivity tests pass. I also repeatedly deleted pods from a deployment to trigger the "Unable to enter namespace" warning in the Cilium CNI logs, then verified that the delegated IPAM plugin DEL was invoked to release the IPs. Signed-off-by: Will Daly <widaly@microsoft.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
tjjh89017
pushed a commit
to tjjh89017/plugins
that referenced
this issue
Aug 18, 2022
Signed-off-by: silenceper <silenceper@gmail.com>
mccv1r0
pushed a commit
to mccv1r0/plugins
that referenced
this issue
Jan 4, 2023
Signed-off-by: silenceper <silenceper@gmail.com>
mccv1r0
pushed a commit
to mccv1r0/plugins
that referenced
this issue
Jan 10, 2023
Signed-off-by: silenceper <silenceper@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
There are some situations that may cause the netns file (/proc/xxx/net/ns) to not exist, such as when the upper-level kubelet component cleans up pods.
Related discussion: kubernetes/kubernetes#43014 (comment)
ip release failed, resulting in ip leak :
kubernetes/kubernetes#107371
multus-cni also fixed this problem:
k8snetworkplumbingwg/multus-cni#120
The text was updated successfully, but these errors were encountered: