fix(networkpolicy): improve cilium chainer detection and handling

- Use node capabilities to determine if cilium chainer is present
- Check for existence of cilium_net link as a fallback- Add unit tests for allowEBPFNetworkPolicy function
- Update integration tests to cover new behavior

Signed-off-by: l1b0k <[email protected]>

Author: l1b0k

cmd/terway-cli/cni_linux.go

@@ -38,12 +38,26 @@ func switchDataPathV2() bool {
 // new node ( based on user require).
 // true -> false: keep cilium chain, but disable policy
 func allowEBPFNetworkPolicy(require bool) (bool, error) {
-	has, err := hasCilium()
-	if err != nil {
+	store := nodecap.NewFileNodeCapabilities(nodeCapabilitiesFile)
+	if err := store.Load(); err != nil {
 		return false, err
 	}
-	if has {
+	switch store.Get(nodecap.NodeCapabilityHasCiliumChainer) {
+	case True:
+		fmt.Printf("has prev cilium chainer\n")
 		return true, nil
+	case False:
+		fmt.Printf("no prev cilium chainer\n")
+		return false, nil
+	}
+
+	_, err := netlink.LinkByName("cilium_net")
+	if err == nil {
+		fmt.Printf("link cilium_net exist\n")
+		return true, nil
+	}
+	if !errors.As(err, &netlink.LinkNotFoundError{}) {
+		return false, err
 	}
 
 	return require, nil

cmd/terway-cli/cni_linux_test.go

@@ -274,3 +274,7 @@ func Test_isMounted(t *testing.T) {
 	_, err := isMounted("/sys/fs/cgroup")
 	assert.NoError(t, err)
 }
+
+func Test_allowEBPFNetworkPolicy(t *testing.T) {
+
+}

cmd/terway-cli/cni_test.go

@@ -1,8 +1,10 @@
 package main
 
 import (
+	"os"
 	"testing"
 
+	"github.com/AliyunContainerService/terway/pkg/utils/nodecap"
 	"github.com/Jeffail/gabs/v2"
 	"github.com/stretchr/testify/assert"
 )
@@ -202,6 +204,8 @@ func TestVeth(t *testing.T) {
 	_switchDataPathV2 = func() bool {
 		return true
 	}
+
+	_ = os.Remove(nodeCapabilitiesFile)
 	out, err := mergeConfigList([][]byte{
 		[]byte(`{
 			"type":"terway",
@@ -225,6 +229,8 @@ func TestVethWithNoPolicy(t *testing.T) {
 	_switchDataPathV2 = func() bool {
 		return true
 	}
+
+	_ = os.Remove(nodeCapabilitiesFile)
 	out, err := mergeConfigList([][]byte{
 		[]byte(`{
 			"type":"terway",
@@ -249,6 +255,8 @@ func TestVethToDatapathV2(t *testing.T) {
 	_switchDataPathV2 = func() bool {
 		return true
 	}
+
+	_ = os.Remove(nodeCapabilitiesFile)
 	out, err := mergeConfigList([][]byte{
 		[]byte(`{
 			"type":"terway",
@@ -269,3 +277,34 @@ func TestVethToDatapathV2(t *testing.T) {
 	assert.Equal(t, "datapathv2", g.Path("plugins.0.eniip_virtual_type").Data())
 	assert.Equal(t, "cilium-cni", g.Path("plugins.1.type").Data())
 }
+
+func TestVethNotAllowToSwitch(t *testing.T) {
+	_switchDataPathV2 = func() bool {
+		return true
+	}
+
+	_ = os.Remove(nodeCapabilitiesFile)
+	store := nodecap.NewFileNodeCapabilities(nodeCapabilitiesFile)
+	store.Set(nodecap.NodeCapabilityHasCiliumChainer, False)
+	err := store.Save()
+	assert.NoError(t, err)
+
+	out, err := mergeConfigList([][]byte{
+		[]byte(`{
+			"type":"terway",
+			"foo":"bar",
+            "network_policy_provider": "ebpf"
+		}`)}, &feature{
+		EBPF:                true,
+		EDT:                 true,
+		EnableNetworkPolicy: true,
+	})
+	assert.NoError(t, err)
+
+	g, err := gabs.ParseJSON([]byte(out))
+	assert.NoError(t, err)
+
+	assert.Equal(t, "terway", g.Path("plugins.0.type").Data())
+	assert.Equal(t, 1, len(g.Path("plugins").Children()))
+	assert.Equal(t, "veth", g.Path("plugins.0.eniip_virtual_type").Data())
+}