Reorder the steps in iptables-alerter

danwinship · openshift-cherrypick-robot · commit 276838792dd8 · 2025-04-30T19:14:17.000Z
Check if iptables rules exist for the pod before checking if we've
already logged an event; no reason to ping the apiserver for every pod
since most of them won't have iptables rules.
diff --git a/bindata/network/iptables-alerter/002-script.yaml b/bindata/network/iptables-alerter/002-script.yaml
@@ -47,13 +47,6 @@ data:
             fi
             netns=$(basename "${netns_path}")
 
-            # Check if we already logged an event for it
-            events=$(kubectl get events -n "${pod_namespace}" -l pod-uid="${pod_uid}" 2>/dev/null)
-            if [[ -n "${events}" ]]; then
-                echo "Skipping pod ${pod_namespace}/${pod_name} which we already logged an event for."
-                continue
-            fi
-
             # Set iptables_output to the first iptables rule in the pod's network
             # namespace, if any. (We use `awk` here rather than `grep` intentionally
             # to avoid awkwardness with grep's exit status on no match.)
@@ -66,6 +59,13 @@ data:
                 continue
             fi
 
+            # Check if we already logged an event for it
+            events=$(kubectl get events -n "${pod_namespace}" -l pod-uid="${pod_uid}" 2>/dev/null)
+            if [[ -n "${events}" ]]; then
+                echo "Skipping pod ${pod_namespace}/${pod_name} which we already logged an event for."
+                continue
+            fi
+
             echo "Logging event for ${pod_namespace}/${pod_name} which has iptables rules"
 
             # eg "2023-10-19T15:45:10.353846Z"
