controller: migrate acl tier after upgrade (#5351)

zhangzujian · web-flow · commit 49bbed8d320e · 2025-06-12T16:12:28.000+08:00
Signed-off-by: zhangzujian &lt;zhangzujian.7@gmail.com&gt;
diff --git a/mocks/pkg/ovs/interface.go b/mocks/pkg/ovs/interface.go
diff --git a/pkg/controller/init.go b/pkg/controller/init.go
@@ -28,8 +28,12 @@ import (
 
 func (c *Controller) InitOVN() error {
 	var err error
+	if err = c.migrateACLTier(); err != nil {
+		klog.Errorf("failed to migrate ACL tier: %v", err)
+		return err
+	}
 
-	if err := c.InitDefaultVpc(); err != nil {
+	if err = c.InitDefaultVpc(); err != nil {
 		klog.Errorf("init default vpc failed: %v", err)
 		return err
 	}
@@ -64,6 +68,13 @@ func (c *Controller) InitOVN() error {
 	return nil
 }
 
+// migrate tier field of ACL rules created in versions prior to v1.13.0
+// after upgrading, the tier field has a default value of zero, which is not the value used in versions >= v1.13.0
+// we need to migrate the tier field to the correct value
+func (c *Controller) migrateACLTier() error {
+	return c.OVNNbClient.MigrateACLTier()
+}
+
 func (c *Controller) InitDefaultVpc() error {
 	cachedVpc, err := c.vpcsLister.Get(c.config.ClusterRouter)
 	if err != nil {
diff --git a/pkg/ovs/interface.go b/pkg/ovs/interface.go
@@ -171,6 +171,7 @@ type ACL interface {
 	DeleteAcls(parentName, parentType, direction string, externalIDs map[string]string) error
 	DeleteAclsOps(parentName, parentType, direction string, externalIDs map[string]string) ([]ovsdb.Operation, error)
 	UpdateAnpRuleACLOps(pgName, asName, protocol, aclName string, priority int, aclAction ovnnb.ACLAction, logACLActions []ovnnb.ACLAction, rulePorts []v1alpha1.AdminNetworkPolicyPort, isIngress, isBanp bool) ([]ovsdb.Operation, error)
+	MigrateACLTier() error
 }
 
 type AddressSet interface {
diff --git a/pkg/ovs/ovn-nb-acl.go b/pkg/ovs/ovn-nb-acl.go
@@ -1453,3 +1453,36 @@ func newAnpACLMatch(pgName, asName, protocol, direction string, rulePorts []v1al
 	}
 	return matches
 }
+
+func (c *OVNNbClient) MigrateACLTier() error {
+	ctx, cancel := context.WithTimeout(context.Background(), c.Timeout)
+	defer cancel()
+
+	var aclList []ovnnb.ACL
+	if err := c.ovsDbClient.WhereCache(func(acl *ovnnb.ACL) bool { return acl.Tier == 0 }).List(ctx, &aclList); err != nil {
+		err = fmt.Errorf("failed to list acls with tier 0: %w", err)
+		klog.Error(err)
+		return err
+	}
+
+	ops := make([]ovsdb.Operation, 0, len(aclList))
+	for _, acl := range aclList {
+		acl.Tier = util.NetpolACLTier
+		op, err := c.Where(&acl).Update(&acl, &acl.Tier)
+		if err != nil {
+			klog.Error(err)
+			return fmt.Errorf("failed to generate operations for updating acl %s tier: %w", acl.UUID, err)
+		}
+		ops = append(ops, op...)
+	}
+	if len(ops) == 0 {
+		return nil
+	}
+
+	if err := c.Transact("acl-migrate-tier", ops); err != nil {
+		klog.Error(err)
+		return fmt.Errorf("failed to migrate acl tier: %w", err)
+	}
+
+	return nil
+}

Original file line number	Diff line number	Diff line change
`@@ -171,6 +171,7 @@ type ACL interface {`
`171`	`171`	`DeleteAcls(parentName, parentType, direction string, externalIDs map[string]string) error`
`172`	`172`	`DeleteAclsOps(parentName, parentType, direction string, externalIDs map[string]string) ([]ovsdb.Operation, error)`
`173`	`173`	`UpdateAnpRuleACLOps(pgName, asName, protocol, aclName string, priority int, aclAction ovnnb.ACLAction, logACLActions []ovnnb.ACLAction, rulePorts []v1alpha1.AdminNetworkPolicyPort, isIngress, isBanp bool) ([]ovsdb.Operation, error)`
	`174`	`+ MigrateACLTier() error`
`174`	`175`	`}`
`175`	`176`
`176`	`177`	`type AddressSet interface {`