Add service account selector support

Signed-off-by: wgrayson <wgrayson@vmware.com>
antrea-io · Dec 14, 2021 · afdac9f · afdac9f
1 parent c406cca
commit afdac9f
Show file tree

Hide file tree

Showing 22 changed files with 2,651 additions and 5 deletions.
diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml
diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml
diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml
diff --git a/build/yamls/antrea-kind.yml b/build/yamls/antrea-kind.yml
diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml
diff --git a/build/yamls/base/controller-rbac.yml b/build/yamls/base/controller-rbac.yml
@@ -17,6 +17,7 @@ rules:
       - namespaces
       - services
       - configmaps
+      - serviceaccounts
     verbs:
       - get
       - watch

diff --git a/build/yamls/base/crds.yml b/build/yamls/base/crds.yml
diff --git a/cmd/antrea-controller/controller.go b/cmd/antrea-controller/controller.go
@@ -114,6 +114,7 @@ func run(o *Options) error {
 	podInformer := informerFactory.Core().V1().Pods()
 	namespaceInformer := informerFactory.Core().V1().Namespaces()
 	serviceInformer := informerFactory.Core().V1().Services()
+	serviceAccountInformer := informerFactory.Core().V1().ServiceAccounts()
 	networkPolicyInformer := informerFactory.Networking().V1().NetworkPolicies()
 	nodeInformer := informerFactory.Core().V1().Nodes()
 	cnpInformer := crdInformerFactory.Crd().V1alpha1().ClusterNetworkPolicies()
@@ -159,6 +160,7 @@ func run(o *Options) error {
 		groupEntityIndex,
 		namespaceInformer,
 		serviceInformer,
+		serviceAccountInformer,
 		networkPolicyInformer,
 		cnpInformer,
 		anpInformer,

diff --git a/pkg/apis/crd/v1alpha1/types.go b/pkg/apis/crd/v1alpha1/types.go
@@ -434,6 +434,8 @@ type NetworkPolicyPeer struct {
 	//  Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local"
 	//  Wildcard expressions, i.e. "*wayfair.com".
 	FQDN string `json:"fqdn,omitempty"`
+	// ...
+	ServiceAccounts []ServiceAccount `json:"serviceAccounts,omitempty"`
 }
 
 type PeerNamespaces struct {
@@ -591,3 +593,10 @@ type TierList struct {
 
 	Items []Tier `json:"items"`
 }
+
+type ServiceAccount struct {
+	Name              string                `json:"name,omitempty"`
+	Namespace         string                `json:"namespace,omitempty"`
+	LabelSelector     *metav1.LabelSelector `json:"labelSelector,omitempty"`
+	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
+}
diff --git a/pkg/apis/crd/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/crd/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/controller/grouping/custom_label.go b/pkg/controller/grouping/custom_label.go
@@ -0,0 +1,44 @@
+// Copyright 2021 Antrea Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package grouping
+
+import (
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+)
+
+const (
+	CustomLabelKeyPrefix   = "antrea.io/reserved-label-"
+	ServiceAccountLabelKey = "service-account"
+)
+
+// getServiceAccountLabel returns a key and a value of a label that is used for
+// ServiceAccount selector. For non-PodEntityType, it will return empty string.
+func getServiceAccountLabel(entityType entityType, obj metav1.Object) (string, string) {
+	if entityType == podEntityType {
+		return CustomLabelKeyPrefix + ServiceAccountLabelKey, obj.(*v1.Pod).Spec.ServiceAccountName
+	}
+	return "", ""
+}
+
+// getAllLabelsKey returns a key string of all labels of a labelItem.
+func getAllLabelsKey(entityType entityType, obj metav1.Object) string {
+	labelsKey := labels.Set(obj.GetLabels()).String()
+	if key, value := getServiceAccountLabel(entityType, obj); key != "" {
+		labelsKey += "," + key + "=" + value
+	}
+	return labelsKey
+}
diff --git a/pkg/controller/grouping/group_entity_index.go b/pkg/controller/grouping/group_entity_index.go
@@ -366,6 +366,7 @@ func (i *GroupEntityIndex) createLabelItem(entityType entityType, eItem *entityI
 		entityItemKeys:   sets.NewString(),
 		selectorItemKeys: sets.NewString(),
 	}
+	addCustomLabel(lItem, entityType, eItem.entity)
 	// Create the labelItem.
 	i.labelItems[eItem.labelItemKey] = lItem
 	// Add it to the labelItemIndex.
@@ -764,7 +765,7 @@ func getEntityItemKeyByName(entityType entityType, namespace, name string) strin
 
 // getLabelItemKey returns the label key used in labelItems.
 func getLabelItemKey(entityType entityType, obj metav1.Object) string {
-	return fmt.Sprint(entityType) + "/" + obj.GetNamespace() + "/" + labels.Set(obj.GetLabels()).String()
+	return fmt.Sprint(entityType) + "/" + obj.GetNamespace() + "/" + getAllLabelsKey(entityType, obj)
 }
 
 // getGroupItemKey returns the group key used in groupItems.
@@ -776,3 +777,14 @@ func getGroupItemKey(groupType GroupType, name string) string {
 func getSelectorItemKey(selector *types.GroupSelector) string {
 	return selector.NormalizedName
 }
+
+// addCustomLabel ...
+func addCustomLabel(labelItem *labelItem, entityType entityType, obj metav1.Object) {
+	if key, value := getServiceAccountLabel(entityType, obj); key != "" {
+		if labelItem.labels == nil {
+			labelItem.labels = make(map[string]string)
+		}
+		labelItem.labels[key] = value
+	}
+	return
+}