Find the host veth name before attaching or detaching probes

aws · Feb 19, 2025 · 2a91e6d · 2a91e6d
1 parent 3bc8ec7
commit 2a91e6d
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 12 deletions.
diff --git a/go.mod b/go.mod
@@ -13,6 +13,7 @@ require (
 	github.com/golang/mock v1.6.0
 	github.com/google/go-cmp v0.6.0
 	github.com/google/uuid v1.6.0
+	github.com/hashicorp/go-multierror v1.1.1
 	github.com/onsi/ginkgo/v2 v2.22.1
 	github.com/onsi/gomega v1.36.2
 	github.com/pkg/errors v0.9.1
@@ -49,6 +50,7 @@ require (
 	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
@@ -88,3 +90,7 @@ require (
 )
 
 replace golang.org/x/net => golang.org/x/net v0.23.0
+
+// This is to make unit tests and build pass for the PR.
+// Once we merge the fix in CNI repo, I will update the go dependency with a rc image tag before merging this PR
+replace github.com/aws/amazon-vpc-cni-k8s => github.com/Pavani-Panakanti/amazon-vpc-cni-k8s v0.0.0-20250206004828-41aa1a1d5d22
diff --git a/go.sum b/go.sum
@@ -1,5 +1,5 @@
-github.com/aws/amazon-vpc-cni-k8s v1.19.3-rc1 h1:xhW7QKlgA5fWK8zLmRU0R47eunOH7DL6IU/mWVSDjwQ=
-github.com/aws/amazon-vpc-cni-k8s v1.19.3-rc1/go.mod h1:WzIsGmsfmDQa6NG+9kQhHZ+Ot1sClEzjNsxcmQnnOHg=
+github.com/Pavani-Panakanti/amazon-vpc-cni-k8s v0.0.0-20250206004828-41aa1a1d5d22 h1:qsHwjXktC128RVLeljh1UCGzgXxOVgrxegxufoIIJ4I=
+github.com/Pavani-Panakanti/amazon-vpc-cni-k8s v0.0.0-20250206004828-41aa1a1d5d22/go.mod h1:DraLPZhnoCoLbgsFWo5Rt1BzWJFdKObtDnn47wFnFvM=
 github.com/aws/aws-ebpf-sdk-go v1.0.12 h1:ceFVCvTptFZKm9PToVQJZY4uZx9dt5Thj0ZinKhw6GI=
 github.com/aws/aws-ebpf-sdk-go v1.0.12/go.mod h1:iOJ9wFCFfBJK1UGFwIY6KR/xXtESnPPUf5mLJGyJus0=
 github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU=
@@ -57,6 +57,11 @@ github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad h1:a6HEuzUHeKH6hwfN/Z
 github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
+github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
+github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
 github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=

diff --git a/pkg/ebpf/bpf_client.go b/pkg/ebpf/bpf_client.go
@@ -62,6 +62,7 @@ var (
 	DEFAULT_DENY                               = 2
 	LOCAL_IPAMD_ADDRESS                        = "127.0.0.1:50051"
 	POD_STATE_MAP_KEY                          = 0
+	BRANCH_ENI_VETH_PREFIX                     = "vlan"
 )
 
 var (
@@ -163,7 +164,7 @@ func NewBpfClient(policyEndpointeBPFContext *sync.Map, nodeIP string, enablePoli
 	var err error
 
 	ebpfClient.bpfSDKClient = goelf.New()
-	ebpfClient.bpfTCClient = tc.New([]string{POD_VETH_PREFIX})
+	ebpfClient.bpfTCClient = tc.New([]string{POD_VETH_PREFIX, BRANCH_ENI_VETH_PREFIX})
 
 	//Set RLIMIT
 	err = ebpfClient.bpfSDKClient.IncreaseRlimit()
@@ -606,7 +607,13 @@ func (l *bpfClient) AttacheBPFProbes(pod types.NamespacedName, podIdentifier str
 	// We attach the TC probes to the hostVeth interface of the pod. Derive the hostVeth
 	// name from the Name and Namespace of the Pod.
 	// Note: The below naming convention is tied to VPC CNI and isn't meant to be generic
-	hostVethName := utils.GetHostVethName(pod.Name, pod.Namespace)
+	hostVethName, err := utils.GetHostVethName(pod.Name, pod.Namespace, []string{POD_VETH_PREFIX, BRANCH_ENI_VETH_PREFIX})
+
+	if err != nil {
+		l.logger.Info("Failed to find host interface for", "pod: ", pod.Name, " in namespace", pod.Namespace, "error", err)
+		return err
+	}
+
 	l.logger.Info("AttacheBPFProbes for", "pod", pod.Name, " in namespace", pod.Namespace, " with hostVethName", hostVethName)
 	podNamespacedName := utils.GetPodNamespacedName(pod.Name, pod.Namespace)
 
@@ -639,7 +646,6 @@ func (l *bpfClient) AttacheBPFProbes(pod types.NamespacedName, podIdentifier str
 		currentPodSet, _ := l.EgressProgToPodsMap.LoadOrStore(progFD, make(map[string]struct{}))
 		currentPodSet.(map[string]struct{})[podNamespacedName] = struct{}{}
 	}
-
 	return nil
 }
 

diff --git a/pkg/utils/utils.go b/pkg/utils/utils.go
@@ -11,6 +11,8 @@ import (
 
 	"github.com/aws/aws-network-policy-agent/api/v1alpha1"
 	"github.com/go-logr/logr"
+	multierror "github.com/hashicorp/go-multierror"
+	"github.com/vishvananda/netlink"
 	corev1 "k8s.io/api/core/v1"
 )
 
@@ -150,10 +152,23 @@ func GetParentNPNameFromPEName(policyEndpointName string) string {
 	return policyEndpointName[0:strings.LastIndex(policyEndpointName, "-")]
 }
 
-func GetHostVethName(podName, podNamespace string) string {
+func GetHostVethName(podName, podNamespace string, interfacePrefixes []string) (string, error) {
+	var interfaceName string
+	var errors error
+
 	h := sha1.New()
 	h.Write([]byte(fmt.Sprintf("%s.%s", podNamespace, podName)))
-	return fmt.Sprintf("%s%s", "eni", hex.EncodeToString(h.Sum(nil))[:11])
+
+	for _, prefix := range interfacePrefixes {
+		interfaceName = fmt.Sprintf("%s%s", prefix, hex.EncodeToString(h.Sum(nil))[:11])
+		if _, err := netlink.LinkByName(interfaceName); err == nil {
+			return interfaceName, nil
+		} else {
+			errors = multierror.Append(errors, fmt.Errorf("failed to find link %s: %w", interfaceName, err))
+		}
+	}
+
+	return interfaceName, errors
 }
 
 func ComputeTrieKey(n net.IPNet, isIPv6Enabled bool) []byte {

diff --git a/pkg/utils/utils_test.go b/pkg/utils/utils_test.go
@@ -643,8 +643,9 @@ func TestIsNonHostCIDR(t *testing.T) {
 
 func TestGetHostVethName(t *testing.T) {
 	type args struct {
-		podName      string
-		podNamespace string
+		podName         string
+		podNamespace    string
+		interfacePrefix []string
 	}
 
 	tests := []struct {
@@ -655,15 +656,26 @@ func TestGetHostVethName(t *testing.T) {
 		{
 			name: "Sample Pod",
 			args: args{
-				podName:      "foo",
-				podNamespace: "bar",
+				podName:         "foo",
+				podNamespace:    "bar",
+				interfacePrefix: []string{"eni"},
 			},
 			want: "eni9cfdfc6963c",
 		},
+		{
+			name: "Sample Pod",
+			args: args{
+				podName:         "foo",
+				podNamespace:    "bar",
+				interfacePrefix: []string{"eni", "vlan"},
+			},
+			want: "vlan9cfdfc6963c",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got := GetHostVethName(tt.args.podName, tt.args.podNamespace)
+			got, e := GetHostVethName(tt.args.podName, tt.args.podNamespace, tt.args.interfacePrefix)
+			assert.Error(t, e)
 			assert.Equal(t, tt.want, got)
 		})
 	}