Skip handling NetPol events on default network for UDN

When primary UDN exists for the namespace, the current implementation configured
network policy for both UDN and default network. The default network traffic
has its own ACLs that deny almost everything already so handling network policy
for default is unnecessary and not an optimal solution as it programs another
set of port groups, acls and address sets which are never going to be used.
Hence this commit skips handling network policy events on the default network
controller when namespace contains an active user defined network.

Signed-off-by: Periyasamy Palanisamy <[email protected]>

go-controller/pkg/ovn/base_network_controller.go

@@ -3,7 +3,6 @@ package ovn
 import (
 	"fmt"
 	"net"
-	"reflect"
 	"sync"
 	"time"
 
@@ -31,7 +30,6 @@ import (
 	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/util"
 
 	kapi "k8s.io/api/core/v1"
-	knet "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -931,39 +929,6 @@ func (bnc *BaseNetworkController) findMigratablePodIPsForSubnets(subnets []*net.
 	return ipList, nil
 }
 
-func (bnc *BaseNetworkController) AddResourceCommon(objType reflect.Type, obj interface{}) error {
-	switch objType {
-	case factory.PolicyType:
-		np, ok := obj.(*knet.NetworkPolicy)
-		if !ok {
-			return fmt.Errorf("could not cast %T object to *knet.NetworkPolicy", obj)
-		}
-
-		if err := bnc.addNetworkPolicy(np); err != nil {
-			klog.Infof("Network Policy add failed for %s/%s, will try again later: %v",
-				np.Namespace, np.Name, err)
-			return err
-		}
-	default:
-		klog.Errorf("Can not process add resource event, object type %s is not supported", objType)
-	}
-	return nil
-}
-
-func (bnc *BaseNetworkController) DeleteResourceCommon(objType reflect.Type, obj interface{}) error {
-	switch objType {
-	case factory.PolicyType:
-		knp, ok := obj.(*knet.NetworkPolicy)
-		if !ok {
-			return fmt.Errorf("could not cast obj of type %T to *knet.NetworkPolicy", obj)
-		}
-		return bnc.deleteNetworkPolicy(knp)
-	default:
-		klog.Errorf("Can not process delete resource event, object type %s is not supported", objType)
-	}
-	return nil
-}
-
 func initLoadBalancerGroups(nbClient libovsdbclient.Client, netInfo util.NetInfo) (
 	clusterLoadBalancerGroupUUID, switchLoadBalancerGroupUUID, routerLoadBalancerGroupUUID string, err error) {
 

go-controller/pkg/ovn/base_network_controller_secondary.go

@@ -25,6 +25,7 @@ import (
 	utilerrors "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/util/errors"
 
 	kapi "k8s.io/api/core/v1"
+	knet "k8s.io/api/networking/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/klog/v2"
 	utilnet "k8s.io/utils/net"
@@ -69,6 +70,18 @@ func (bsnc *BaseSecondaryNetworkController) AddSecondaryNetworkResourceCommon(ob
 		}
 		return bsnc.AddNamespaceForSecondaryNetwork(ns)
 
+	case factory.PolicyType:
+		np, ok := obj.(*knet.NetworkPolicy)
+		if !ok {
+			return fmt.Errorf("could not cast %T object to *knet.NetworkPolicy", obj)
+		}
+
+		if err := bsnc.addNetworkPolicy(np); err != nil {
+			klog.Infof("Network Policy add failed for %s/%s, will try again later: %v",
+				np.Namespace, np.Name, err)
+			return err
+		}
+
 	case factory.MultiNetworkPolicyType:
 		mp, ok := obj.(*mnpapi.MultiNetworkPolicy)
 		if !ok {
@@ -92,7 +105,7 @@ func (bsnc *BaseSecondaryNetworkController) AddSecondaryNetworkResourceCommon(ob
 		return nil
 
 	default:
-		return bsnc.AddResourceCommon(objType, obj)
+		klog.Errorf("Can not process add resource event, object type %s is not supported", objType)
 	}
 	return nil
 }
@@ -154,7 +167,7 @@ func (bsnc *BaseSecondaryNetworkController) UpdateSecondaryNetworkResourceCommon
 		return nil
 
 	default:
-		return fmt.Errorf("object type %s not supported", objType)
+		klog.Errorf("Can not process update resource event, object type %s is not supported", objType)
 	}
 	return nil
 }
@@ -178,6 +191,13 @@ func (bsnc *BaseSecondaryNetworkController) DeleteSecondaryNetworkResourceCommon
 		ns := obj.(*kapi.Namespace)
 		return bsnc.deleteNamespace4SecondaryNetwork(ns)
 
+	case factory.PolicyType:
+		knp, ok := obj.(*knet.NetworkPolicy)
+		if !ok {
+			return fmt.Errorf("could not cast obj of type %T to *knet.NetworkPolicy", obj)
+		}
+		return bsnc.deleteNetworkPolicy(knp)
+
 	case factory.MultiNetworkPolicyType:
 		mp, ok := obj.(*mnpapi.MultiNetworkPolicy)
 		if !ok {
@@ -214,7 +234,7 @@ func (bsnc *BaseSecondaryNetworkController) DeleteSecondaryNetworkResourceCommon
 		klog.Infof("Released IPs %q for network %q", ipamClaim.Status.IPs, ipamClaim.Spec.Network)
 
 	default:
-		return bsnc.DeleteResourceCommon(objType, obj)
+		klog.Errorf("Can not process delete resource event, object type %s is not supported", objType)
 	}
 	return nil
 }

go-controller/pkg/ovn/default_network_controller.go

@@ -727,6 +727,26 @@ func (h *defaultNetworkControllerEventHandler) AddResource(obj interface{}, from
 		}
 		return h.oc.ensurePod(nil, pod, true)
 
+	case factory.PolicyType:
+		np, ok := obj.(*knet.NetworkPolicy)
+		if !ok {
+			return fmt.Errorf("could not cast %T object to *knet.NetworkPolicy", obj)
+		}
+
+		netinfo, err := h.oc.getActiveNetworkForNamespace(np.Namespace)
+		if err != nil {
+			return fmt.Errorf("could not get active network for namespace %s: %v", np.Namespace, err)
+		}
+		if !netinfo.IsDefault() {
+			return nil
+		}
+
+		if err = h.oc.addNetworkPolicy(np); err != nil {
+			klog.Infof("Network Policy add failed for %s/%s, will try again later: %v",
+				np.Namespace, np.Name, err)
+			return err
+		}
+
 	case factory.NodeType:
 		node, ok := obj.(*kapi.Node)
 		if !ok {
@@ -832,8 +852,10 @@ func (h *defaultNetworkControllerEventHandler) AddResource(obj interface{}, from
 		return h.oc.AddNamespace(ns)
 
 	default:
-		return h.oc.AddResourceCommon(h.objType, obj)
+		klog.Errorf("Can not process add resource event, object type %s is not supported", h.objType)
 	}
+
+	return nil
 }
 
 // UpdateResource updates the specified object in the cluster to its version in newObj according to its
@@ -999,8 +1021,10 @@ func (h *defaultNetworkControllerEventHandler) UpdateResource(oldObj, newObj int
 	case factory.NamespaceType:
 		oldNs, newNs := oldObj.(*kapi.Namespace), newObj.(*kapi.Namespace)
 		return h.oc.updateNamespace(oldNs, newNs)
+	default:
+		klog.Errorf("Can not process update resource event, object type %s is not supported", h.objType)
 	}
-	return fmt.Errorf("no update function for object type %s", h.objType)
+	return nil
 }
 
 // DeleteResource deletes the object from the cluster according to the delete logic of its resource type.
@@ -1017,6 +1041,22 @@ func (h *defaultNetworkControllerEventHandler) DeleteResource(obj, cachedObj int
 		}
 		return h.oc.removePod(pod, portInfo)
 
+	case factory.PolicyType:
+		knp, ok := obj.(*knet.NetworkPolicy)
+		if !ok {
+			return fmt.Errorf("could not cast obj of type %T to *knet.NetworkPolicy", obj)
+		}
+
+		netinfo, err := h.oc.getActiveNetworkForNamespace(knp.Namespace)
+		if err != nil {
+			return fmt.Errorf("could not get active network for namespace %s: %v", knp.Namespace, err)
+		}
+		if !netinfo.IsDefault() {
+			return nil
+		}
+
+		return h.oc.deleteNetworkPolicy(knp)
+
 	case factory.NodeType:
 		node, ok := obj.(*kapi.Node)
 		if !ok {
@@ -1063,8 +1103,9 @@ func (h *defaultNetworkControllerEventHandler) DeleteResource(obj, cachedObj int
 		return h.oc.deleteNamespace(ns)
 
 	default:
-		return h.oc.DeleteResourceCommon(h.objType, obj)
+		klog.Errorf("Can not process delete resource event, object type %s is not supported", h.objType)
 	}
+	return nil
 }
 
 func (h *defaultNetworkControllerEventHandler) SyncFunc(objs []interface{}) error {