imp: flow controller check bridge before adding flows

filanov · filanov · commit 5e394700037e · 2025-06-08T18:05:51.000+03:00
flow controller will check if relevant bridge was marked by rail cni befor trying to add flows
it will avoid adding flows to a non relevant interfaces

Signed-off-by: Michael Filanov &lt;mfilanov@nvidia.com&gt;
diff --git a/internal/controller/flow_controller.go b/internal/controller/flow_controller.go
@@ -125,6 +125,18 @@ func (r *FlowReconciler) handlePodFlows(ctx context.Context, pod *corev1.Pod, re
 			continue
 		}
 
+		isManaged, err := r.Flows.IsBridgeManagedByRailCNI(bridge, string(pod.UID))
+		if err != nil {
+			logr.Error(err, fmt.Sprintf("failed to check if bridge %s is managed by rail cni", bridge))
+			errs = multierr.Append(errs, err)
+			continue
+		}
+
+		if !isManaged {
+			logr.Info(fmt.Sprintf("skipping bridge [%s], not managed by rail cni", bridge))
+			continue
+		}
+
 		if err = r.Flows.AddPodRailFlows(cookie, rep, bridge, ns.IPs[0], ns.Mac); err != nil {
 			logr.Error(err, fmt.Sprintf("failed to add flows to rail %s", ns.Interface))
 			errs = multierr.Append(errs, err)
diff --git a/internal/controller/flow_controller_test.go b/internal/controller/flow_controller_test.go
@@ -200,13 +200,15 @@ var _ = Describe("Pod Controller", func() {
 				Execute("ovs-vsctl --no-heading --columns=name find Port external_ids:contIface=net1 external_ids:contPodUid="+string(pod.UID)).
 				Return("pod-vf-1", nil).Times(1)
 			execMock.EXPECT().Execute("ovs-vsctl iface-to-br pod-vf-1").Return("br-rail1", nil).Times(1)
+			flowsMock.EXPECT().IsBridgeManagedByRailCNI(gomock.Any(), gomock.Any()).Return(true, nil).Times(1)
 			flowsMock.EXPECT().AddPodRailFlows(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
 
 			// rail2
 			execMock.EXPECT().
 				Execute("ovs-vsctl --no-heading --columns=name find Port external_ids:contIface=net2 external_ids:contPodUid="+string(pod.UID)).
 				Return("pod-vf-2", nil)
 			execMock.EXPECT().Execute("ovs-vsctl iface-to-br pod-vf-2").Return("br-rail2", nil)
+			flowsMock.EXPECT().IsBridgeManagedByRailCNI(gomock.Any(), gomock.Any()).Return(true, nil).Times(1)
 			flowsMock.EXPECT().AddPodRailFlows(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
 
 			result, err := flowController.Reconcile(ctx, pod)
@@ -225,6 +227,7 @@ var _ = Describe("Pod Controller", func() {
 				Execute("ovs-vsctl --no-heading --columns=name find Port external_ids:contIface=net2 external_ids:contPodUid="+string(pod.UID)).
 				Return("pod-vf-2", nil)
 			execMock.EXPECT().Execute("ovs-vsctl iface-to-br pod-vf-2").Return("br-rail2", nil)
+			flowsMock.EXPECT().IsBridgeManagedByRailCNI(gomock.Any(), gomock.Any()).Return(true, nil).Times(1)
 			flowsMock.EXPECT().AddPodRailFlows(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
 
 			result, err := flowController.Reconcile(ctx, pod)
@@ -245,6 +248,7 @@ var _ = Describe("Pod Controller", func() {
 				Return("pod-vf-2", nil)
 			execMock.EXPECT().Execute("ovs-vsctl iface-to-br pod-vf-2").Return("br-rail2", nil)
 
+			flowsMock.EXPECT().IsBridgeManagedByRailCNI(gomock.Any(), gomock.Any()).Return(true, nil).Times(1)
 			flowsMock.EXPECT().AddPodRailFlows(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
 			result, err := flowController.Reconcile(ctx, pod)
 			Expect(err).Should(HaveOccurred())
@@ -257,6 +261,7 @@ var _ = Describe("Pod Controller", func() {
 				Execute("ovs-vsctl --no-heading --columns=name find Port external_ids:contIface=net1 external_ids:contPodUid="+string(pod.UID)).
 				Return("pod-vf-1", nil).Times(1)
 			execMock.EXPECT().Execute("ovs-vsctl iface-to-br pod-vf-1").Return("br-rail1", nil).Times(1)
+			flowsMock.EXPECT().IsBridgeManagedByRailCNI(gomock.Any(), gomock.Any()).Return(true, nil).Times(1)
 			flowsMock.EXPECT().AddPodRailFlows(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).
 				Return(fmt.Errorf("failed to add flows to rail"))
 
@@ -265,12 +270,55 @@ var _ = Describe("Pod Controller", func() {
 				Execute("ovs-vsctl --no-heading --columns=name find Port external_ids:contIface=net2 external_ids:contPodUid="+string(pod.UID)).
 				Return("pod-vf-2", nil)
 			execMock.EXPECT().Execute("ovs-vsctl iface-to-br pod-vf-2").Return("br-rail2", nil)
+			flowsMock.EXPECT().IsBridgeManagedByRailCNI(gomock.Any(), gomock.Any()).Return(true, nil).Times(1)
 			flowsMock.EXPECT().AddPodRailFlows(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
 
 			result, err := flowController.Reconcile(ctx, pod)
 			Expect(err).Should(HaveOccurred())
 			Expect(result).To(Equal(reconcile.Result{}))
 		})
 
+		It("skip when bridge is not managed by rail cni", func() {
+			// rail1
+			execMock.EXPECT().
+				Execute("ovs-vsctl --no-heading --columns=name find Port external_ids:contIface=net1 external_ids:contPodUid="+string(pod.UID)).
+				Return("pod-vf-1", nil).Times(1)
+			execMock.EXPECT().Execute("ovs-vsctl iface-to-br pod-vf-1").Return("br-rail1", nil).Times(1)
+			flowsMock.EXPECT().IsBridgeManagedByRailCNI(gomock.Any(), gomock.Any()).Return(false, nil).Times(1)
+
+			// rail2
+			execMock.EXPECT().
+				Execute("ovs-vsctl --no-heading --columns=name find Port external_ids:contIface=net2 external_ids:contPodUid="+string(pod.UID)).
+				Return("pod-vf-2", nil)
+			execMock.EXPECT().Execute("ovs-vsctl iface-to-br pod-vf-2").Return("br-rail2", nil)
+			flowsMock.EXPECT().IsBridgeManagedByRailCNI(gomock.Any(), gomock.Any()).Return(true, nil).Times(1)
+			flowsMock.EXPECT().AddPodRailFlows(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
+
+			result, err := flowController.Reconcile(ctx, pod)
+			Expect(err).Should(Succeed())
+			Expect(result).To(Equal(reconcile.Result{}))
+		})
+
+		It("failed to check if bridge is managed by rail cni", func() {
+			// rail1
+			execMock.EXPECT().
+				Execute("ovs-vsctl --no-heading --columns=name find Port external_ids:contIface=net1 external_ids:contPodUid="+string(pod.UID)).
+				Return("pod-vf-1", nil).Times(1)
+			execMock.EXPECT().Execute("ovs-vsctl iface-to-br pod-vf-1").Return("br-rail1", nil).Times(1)
+			flowsMock.EXPECT().
+				IsBridgeManagedByRailCNI(gomock.Any(), gomock.Any()).
+				Return(false, fmt.Errorf("failed to check if bridge is managed by rail cni"))
+
+			// rail2
+			execMock.EXPECT().
+				Execute("ovs-vsctl --no-heading --columns=name find Port external_ids:contIface=net2 external_ids:contPodUid="+string(pod.UID)).
+				Return("pod-vf-2", nil)
+			execMock.EXPECT().Execute("ovs-vsctl iface-to-br pod-vf-2").Return("br-rail2", nil)
+			flowsMock.EXPECT().IsBridgeManagedByRailCNI(gomock.Any(), gomock.Any()).Return(true, nil).Times(1)
+			flowsMock.EXPECT().AddPodRailFlows(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
+			result, err := flowController.Reconcile(ctx, pod)
+			Expect(err).Should(HaveOccurred())
+			Expect(result).To(Equal(reconcile.Result{}))
+		})
 	})
 })
diff --git a/internal/controller/flows.go b/internal/controller/flows.go
@@ -37,6 +37,7 @@ const (
 type FlowsAPI interface {
 	AddPodRailFlows(cookie uint64, vf, bridge, podIP, podMAC string) error
 	DeletePodRailFlows(cookie uint64, podID string) error
+	IsBridgeManagedByRailCNI(bridge, podID string) (bool, error)
 }
 
 var _ FlowsAPI = &Flows{}
@@ -141,6 +142,15 @@ func (f *Flows) DeletePodRailFlows(cookie uint64, podID string) error {
 	return errs
 }
 
+func (f *Flows) IsBridgeManagedByRailCNI(bridge, podID string) (bool, error) {
+	out, err := f.Exec.Execute(fmt.Sprintf("ovs-vsctl br-get-external-id %s %s", bridge, podID))
+	if err != nil {
+		return false, fmt.Errorf("failed to get external id for bridge %s, output: %s, err: %v", bridge, out, err)
+	}
+
+	return out == RailPodID, nil
+}
+
 func (f *Flows) getTorMac(torIP string) (string, error) {
 	// nsenter --target 1 --net -- arping 2.0.0.3 -c 1
 	// nsenter --target 1 --net -- ip neighbor | grep 2.0.0.3 | awk '{print $5}'
diff --git a/internal/controller/flows_test.go b/internal/controller/flows_test.go
@@ -295,4 +295,30 @@ var _ = Describe("Flows", func() {
 			Expect(err.Error()).Should(ContainSubstring("failed to delete flows"))
 		})
 	})
+
+	Context("IsBridgeManagedByRailCNI", func() {
+		It("should return true if bridge is managed by rail cni", func() {
+			execMock.EXPECT().Execute("ovs-vsctl br-get-external-id br-rail1 test-pod-uid").
+				Return("rail_pod_id", nil)
+			isManaged, err := flows.IsBridgeManagedByRailCNI("br-rail1", "test-pod-uid")
+			Expect(err).Should(Succeed())
+			Expect(isManaged).Should(BeTrue())
+		})
+
+		It("should return false if bridge is not managed by rail cni", func() {
+			execMock.EXPECT().Execute("ovs-vsctl br-get-external-id br-rail1 test-pod-uid").
+				Return("", nil)
+			isManaged, err := flows.IsBridgeManagedByRailCNI("br-rail1", "test-pod-uid")
+			Expect(err).Should(Succeed())
+			Expect(isManaged).Should(BeFalse())
+		})
+
+		It("should return error if failed to get external id", func() {
+			execMock.EXPECT().Execute("ovs-vsctl br-get-external-id br-rail1 test-pod-uid").
+				Return("", fmt.Errorf("failed to get external id"))
+			isManaged, err := flows.IsBridgeManagedByRailCNI("br-rail1", "test-pod-uid")
+			Expect(err).Should(HaveOccurred())
+			Expect(isManaged).Should(BeFalse())
+		})
+	})
 })
diff --git a/internal/controller/mock_flows.go b/internal/controller/mock_flows.go
