iptables: Do not block in case of a failed reconciliation

In case of a failed iptables reconciliation, unblock the waiting goroutines closing the channel. This is done to avoid keeping the consumer goroutines stuck forever and potentially blocking other and more important agent operations. In case of an error, the reconciler retries the iptables rules update at a later time, in order to achieve eventual consistency. Signed-off-by: Fabio Falzoi <[email protected]>
checorone · Apr 16, 2024 · 316e126 · 316e126
1 parent 9ddfdf7
commit 316e126
Showing 1 changed file with 8 additions and 5 deletions.
diff --git a/pkg/datapath/iptables/reconciler.go b/pkg/datapath/iptables/reconciler.go
@@ -256,12 +256,15 @@ stop:
 				health.OK("iptables rules full reconciliation completed")
 				firstInit = false
 				stateChanged = false
-				// close all channels waiting for reconciliation
-				for _, ch := range updatedChs {
-					close(ch)
-				}
-				updatedChs = updatedChs[:0]
 			}
+
+			// close all channels waiting for reconciliation
+			// do this even in case of a failed reconciliation, to avoid
+			// blocking consumer goroutines indefinitely.
+			for _, ch := range updatedChs {
+				close(ch)
+			}
+			updatedChs = updatedChs[:0]
 		}
 	}