func()

in npm/pkg/dataplane/dataplane.go [480:593]


func (dp *DataPlane) addPolicies(netPols []*policies.NPMNetworkPolicy) error {
	if !dp.netPolInBackground && len(netPols) != 1 {
		klog.Errorf("[DataPlane] expected to have one NetPol in dp.addPolicies() since dp.netPolInBackground == false")
		metrics.SendErrorLogAndMetric(util.DaemonDataplaneID, "[DataPlane] expected to have one NetPol in dp.addPolicies() since dp.netPolInBackground == false")
		return ErrIncorrectNumberOfNetPols
	}

	if len(netPols) == 0 {
		// TODO: Refactor non-error/warning klogs with Zap and set the following logs to "debug" level
		// klog.Infof("[DataPlane] expected to have at least one NetPol in dp.addPolicies()")
		return nil
	}

	inBootupPhase := false
	if dp.applyInBackground {
		dp.applyInfo.Lock()
		inBootupPhase = dp.applyInfo.inBootupPhase
		if inBootupPhase {
			// keep holding the lock to block FinishBootupPhase() and prevent PodController from
			// coming back online and causing race issues from updatePod() within applyDataPlaneNow()
			defer dp.applyInfo.Unlock()
		} else {
			dp.applyInfo.Unlock()
		}
	}

	if dp.hadRemovePolicyFailure() {
		if inBootupPhase {
			// this should never happen because bootup phase is for windows, but just in case, we don't want to applyDataplaneNow() or else there will be a deadlock on dp.applyInfo
			msg := fmt.Sprintf("[DataPlane] [%s] at risk of improperly applying a policy which is removed then readded", contextAddNetPolPrecaution)
			klog.Warning(msg)
			metrics.SendErrorLogAndMetric(util.DaemonDataplaneID, msg)
		} else {
			// prevent #2977
			if err := dp.applyDataPlaneNow(contextAddNetPolPrecaution); err != nil {
				return err // nolint:wrapcheck // unnecessary to wrap error since the provided context is included in the error
			}
		}
	}

	// 1. Add IPSets and apply for each NetPol.
	// Apply IPSets after each NetworkPolicy unless ApplyInBackground=true and we're in the bootup phase (only happens for Windows currently)
	for _, netPol := range netPols {
		// Create and add references for Selector IPSets first
		err := dp.createIPSetsAndReferences(netPol.AllPodSelectorIPSets(), netPol.PolicyKey, ipsets.SelectorType)
		if err != nil {
			klog.Infof("[DataPlane] error while adding Selector IPSet references: %s", err.Error())
			return fmt.Errorf("[DataPlane] error while adding Selector IPSet references: %w", err)
		}

		// Create and add references for Rule IPSets
		err = dp.createIPSetsAndReferences(netPol.RuleIPSets, netPol.PolicyKey, ipsets.NetPolType)
		if err != nil {
			klog.Infof("[DataPlane] error while adding Rule IPSet references: %s", err.Error())
			return fmt.Errorf("[DataPlane] error while adding Rule IPSet references: %w", err)
		}

		if inBootupPhase {
			// This branch can only be taken in Windows.
			// During bootup phase, the Pod controller will not be running.
			// We don't need to worry about adding Policies to Endpoints, so we don't need IPSets in the kernel yet.
			// Ideally, we get all NetworkPolicies in the cache before the Pod controller starts

			// increment batch and apply IPSets if needed
			dp.applyInfo.numBatches++
			newCount := dp.applyInfo.numBatches
			// TODO: Refactor non-error/warning klogs with Zap and set the following logs to "debug" level
			// klog.Infof("[DataPlane] [%s] new batch count: %d", contextAddNetPolBootup, newCount)
			if newCount >= dp.ApplyMaxBatches {
				// TODO: Refactor non-error/warning klogs with Zap and set the following logs to "debug" level
				// klog.Infof("[DataPlane] [%s] applying now since reached maximum batch count: %d", contextAddNetPolBootup, newCount)
				// klog.Infof("[DataPlane] [%s] starting to apply ipsets", contextAddNetPolBootup)
				err = dp.ipsetMgr.ApplyIPSets()
				if err != nil {
					return fmt.Errorf("[DataPlane] [%s] error while applying IPSets: %w", contextAddNetPolBootup, err)
				}
				// TODO: Refactor non-error/warning klogs with Zap and set the following logs to "debug" level
				// klog.Infof("[DataPlane] [%s] finished applying ipsets", contextAddNetPolBootup)

				// see comment in RemovePolicy() for why this is here
				dp.setRemovePolicyFailure(false)

				dp.applyInfo.numBatches = 0
			}

			continue
		}

		// not in bootup phase
		// this codepath is always taken in Linux
		err = dp.applyDataPlaneNow(contextAddNetPol)
		if err != nil {
			return err
		}
	}

	// 2. Add NetPols in policyMgr
	var endpointList map[string]string
	var err error
	if !inBootupPhase {
		endpointList, err = dp.getEndpointsToApplyPolicies(netPols)
		if err != nil {
			return fmt.Errorf("[DataPlane] error while getting endpoints to apply policy after applying dataplane: %w", err)
		}
	}

	// during bootup phase, endpointList will be nil
	err = dp.policyMgr.AddPolicies(netPols, endpointList)
	if err != nil {
		return fmt.Errorf("[DataPlane] [%s] error while adding policies: %w", contextAddNetPolBootup, err)
	}

	return nil
}