Skip to content

[NPM] Windows Policy Manager changes for OS22 #1062

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 27 commits into from
Oct 28, 2021
Merged

[NPM] Windows Policy Manager changes for OS22 #1062

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
27 commits
Select commit Hold shift + click to select a range
a11cf9e
[NPM] Windows Policy Manager changes for OS22
Oct 15, 2021
c6cc5fd
Merge branch 'master' into vakr/npmwindowslogic
Oct 15, 2021
8bb02a7
Adding new NPM ACLSettings with ID
Oct 15, 2021
5b50744
first pass on both add and remove policies
Oct 16, 2021
f43a2b9
merge conflict
Oct 16, 2021
5fa1cfd
fixing a merge issue
Oct 16, 2021
44224fd
Working 1st level Setpolicy CRUD operations
Oct 18, 2021
799cc22
have NPMACl to HNSACL conversion logic ready
Oct 19, 2021
8f84627
updating policy endpoints only after adding policy to an endpoint
Oct 20, 2021
ba2c798
updating policy endpoints only after adding policy to an endpoint
Oct 20, 2021
cc25352
Merge branch 'master' into vakr/npmwindowslogic
Oct 20, 2021
59ddfbb
fixing a build issue
Oct 20, 2021
e54ddfc
fixing merge conflicts
Oct 20, 2021
002707a
fixing issue in linux files
Oct 20, 2021
33693d9
Addressing some comments and also completing some integrations with V…
Oct 21, 2021
0d268d7
Updating policy ID logic and update pod
Oct 22, 2021
24c7ce5
Updating policy ID logic and update pod
Oct 22, 2021
d1f7f5b
Addressing some comments
Oct 22, 2021
9b27bf3
adding basic reset bits
Oct 22, 2021
5d29953
fixnig build issue in linux
Oct 25, 2021
5a484c7
fixnig build issue in linux
Oct 25, 2021
0563e2b
Fixing the _linux_test.go build failures
Oct 25, 2021
a1da271
fix lints
Oct 25, 2021
66b091b
Addressing some comments and correcting windows logic to apply set po…
Oct 26, 2021
35ff0f0
cleaning up logic for calculating set policies
Oct 26, 2021
95e0995
Applying some feedback.
Oct 27, 2021
5f8ed65
fixing a failing test and panic
Oct 28, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions network/hnswrapper/hnsv2wrapper.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,10 @@ func (Hnsv2wrapper) DeleteNetwork(network *hcn.HostComputeNetwork) error {
return network.Delete()
}

func (Hnsv2wrapper) ModifyNetworkSettings(network *hcn.HostComputeNetwork, request *hcn.ModifyNetworkSettingRequest) error {
return network.ModifyNetworkSettings(request)
}

func (Hnsv2wrapper) AddNetworkPolicy(network *hcn.HostComputeNetwork, networkPolicy hcn.PolicyNetworkRequest) error {
return network.AddPolicy(networkPolicy)
}
Expand Down
12 changes: 8 additions & 4 deletions network/hnswrapper/hnsv2wrapperfake.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,10 @@ func (f Hnsv2wrapperFake) DeleteNetwork(network *hcn.HostComputeNetwork) error {
return nil
}

func (Hnsv2wrapperFake) ModifyNetworkSettings(network *hcn.HostComputeNetwork, request *hcn.ModifyNetworkSettingRequest) error {
return nil
}

func (Hnsv2wrapperFake) AddNetworkPolicy(network *hcn.HostComputeNetwork, networkPolicy hcn.PolicyNetworkRequest) error {
return nil
}
Expand All @@ -33,13 +37,13 @@ func (Hnsv2wrapperFake) GetNetworkByName(networkName string) (*hcn.HostComputeNe
return &hcn.HostComputeNetwork{}, nil
}

func (f Hnsv2wrapperFake) GetNetworkByID(networkId string) (*hcn.HostComputeNetwork, error) {
network := &hcn.HostComputeNetwork{Id: "c84257e3-3d60-40c4-8c47-d740a1c260d3"}
func (f Hnsv2wrapperFake) GetNetworkByID(networkID string) (*hcn.HostComputeNetwork, error) {
network := &hcn.HostComputeNetwork{Id: networkID}
return network, nil
}

func (f Hnsv2wrapperFake) GetEndpointByID(endpointId string) (*hcn.HostComputeEndpoint, error) {
endpoint := &hcn.HostComputeEndpoint{Id: "7a2ae98a-0c84-4b35-9684-1c02a2bf7e03"}
func (f Hnsv2wrapperFake) GetEndpointByID(endpointID string) (*hcn.HostComputeEndpoint, error) {
endpoint := &hcn.HostComputeEndpoint{Id: endpointID}
return endpoint, nil
}

Expand Down
1 change: 1 addition & 0 deletions network/hnswrapper/hnsv2wrapperinterface.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ type HnsV2WrapperInterface interface {
DeleteEndpoint(endpoint *hcn.HostComputeEndpoint) error
CreateNetwork(network *hcn.HostComputeNetwork) (*hcn.HostComputeNetwork, error)
DeleteNetwork(network *hcn.HostComputeNetwork) error
ModifyNetworkSettings(network *hcn.HostComputeNetwork, request *hcn.ModifyNetworkSettingRequest) error
AddNetworkPolicy(network *hcn.HostComputeNetwork, networkPolicy hcn.PolicyNetworkRequest) error
RemoveNetworkPolicy(network *hcn.HostComputeNetwork, networkPolicy hcn.PolicyNetworkRequest) error
GetNamespaceByID(netNamespacePath string) (*hcn.HostComputeNamespace, error)
Expand Down
12 changes: 11 additions & 1 deletion npm/cmd/start.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,13 @@ import (
"math/rand"
"time"

"github.com/Azure/azure-container-networking/common"
"github.com/Azure/azure-container-networking/log"
"github.com/Azure/azure-container-networking/npm"
npmconfig "github.com/Azure/azure-container-networking/npm/config"
restserver "github.com/Azure/azure-container-networking/npm/http/server"
"github.com/Azure/azure-container-networking/npm/metrics"
"github.com/Azure/azure-container-networking/npm/pkg/dataplane"
"github.com/Azure/azure-container-networking/npm/util"
"github.com/spf13/cobra"
"github.com/spf13/viper"
Expand Down Expand Up @@ -105,7 +107,15 @@ func start(config npmconfig.Config) error {
factory := informers.NewSharedInformerFactory(clientset, resyncPeriod)

k8sServerVersion := k8sServerVersion(clientset)
npMgr := npm.NewNetworkPolicyManager(config, factory, nil, exec.New(), version, k8sServerVersion)

var dp dataplane.GenericDataplane
if config.Toggles.EnableV2Controllers {
dp, err = dataplane.NewDataPlane(npm.GetNodeName(), common.NewIOShim())
if err != nil {
return fmt.Errorf("failed to create dataplane with error %w", err)
}
}
npMgr := npm.NewNetworkPolicyManager(config, factory, dp, exec.New(), version, k8sServerVersion)
err = metrics.CreateTelemetryHandle(version, npm.GetAIMetadata())
if err != nil {
klog.Infof("CreateTelemetryHandle failed with error %v.", err)
Expand Down
18 changes: 12 additions & 6 deletions npm/npm.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,11 +41,12 @@ type CacheKey string

// NPMCache Key Contract for Json marshal and unmarshal
const (
NodeName CacheKey = "NodeName"
NsMap CacheKey = "NsMap"
PodMap CacheKey = "PodMap"
ListMap CacheKey = "ListMap"
SetMap CacheKey = "SetMap"
NodeName CacheKey = "NodeName"
NsMap CacheKey = "NsMap"
PodMap CacheKey = "PodMap"
ListMap CacheKey = "ListMap"
SetMap CacheKey = "SetMap"
EnvNodeName = "HOSTNAME"
)

// NetworkPolicyManager contains informers for pod, namespace and networkpolicy.
Expand Down Expand Up @@ -97,7 +98,7 @@ func NewNetworkPolicyManager(config npmconfig.Config,
ipsMgr: ipsm.NewIpsetManager(exec),
npmNamespaceCacheV1: &controllersv1.NpmNamespaceCache{NsMap: make(map[string]*controllersv1.Namespace)},
k8sServerVersion: k8sServerVersion,
NodeName: os.Getenv("HOSTNAME"),
NodeName: GetNodeName(),
version: npmVersion,
TelemetryEnabled: true,
}
Expand Down Expand Up @@ -254,3 +255,8 @@ func (npMgr *NetworkPolicyManager) Start(config npmconfig.Config, stopCh <-chan

return nil
}

func GetNodeName() string {
nodeName := os.Getenv(EnvNodeName)
return nodeName
}
14 changes: 7 additions & 7 deletions npm/pkg/controlplane/controllers/v2/namespacecontroller.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -326,9 +326,9 @@ func (nsc *NamespaceController) syncAddNamespace(nsObj *corev1.Namespace) error
npmNs.appendLabels(map[string]string{nsLabelKey: nsLabelVal}, appendToExistingLabels)
}

nsc.dp.CreateIPSet(append(namespaceSets, setsToAddNamespaceTo...))
nsc.dp.CreateIPSets(append(namespaceSets, setsToAddNamespaceTo...))

if err := nsc.dp.AddToLists(setsToAddNamespaceTo, namespaceSets, nil); err != nil {
if err := nsc.dp.AddToLists(setsToAddNamespaceTo, namespaceSets); err != nil {
return fmt.Errorf("failed to sync add namespace with error %w", err)
}

Expand Down Expand Up @@ -365,7 +365,7 @@ func (nsc *NamespaceController) syncUpdateNamespace(newNsObj *corev1.Namespace)
toBeAdded := []*ipsets.IPSetMetadata{ipsets.NewIPSetMetadata(newNsName, ipsets.Namespace)}

klog.Infof("Deleting namespace %s from ipset list %s", newNsName, labelKey)
if err = nsc.dp.RemoveFromList(labelKeySet, toBeAdded, nil); err != nil {
if err = nsc.dp.RemoveFromList(labelKeySet, toBeAdded); err != nil {
metrics.SendErrorLogAndMetric(util.NSID, "[UpdateNamespace] Error: failed to delete namespace %s from ipset list %s with err: %v", newNsName, labelKey, err)
return fmt.Errorf("failed to remove from list during sync update namespace with err %w", err)
}
Expand All @@ -385,7 +385,7 @@ func (nsc *NamespaceController) syncUpdateNamespace(newNsObj *corev1.Namespace)
labelKeySet := []*ipsets.IPSetMetadata{ipsets.NewIPSetMetadata(nsLabelVal, ipsets.KeyLabelOfNamespace)}
toBeAdded := []*ipsets.IPSetMetadata{ipsets.NewIPSetMetadata(newNsName, ipsets.Namespace)}

if err = nsc.dp.AddToLists(labelKeySet, toBeAdded, nil); err != nil {
if err = nsc.dp.AddToLists(labelKeySet, toBeAdded); err != nil {
metrics.SendErrorLogAndMetric(util.NSID, "[UpdateNamespace] Error: failed to add namespace %s to ipset list %s with err: %v", newNsName, nsLabelVal, err)
return fmt.Errorf("failed to add %v sets to %v lists during addtolists in sync update namespace with err %w", toBeAdded, labelKeySet, err)
}
Expand Down Expand Up @@ -425,7 +425,7 @@ func (nsc *NamespaceController) cleanDeletedNamespace(cachedNsKey string) error

labelIpsetName := util.GetNSNameWithPrefix(nsLabelKey)
klog.Infof("Deleting namespace %s from ipset list %s", cachedNsKey, labelIpsetName)
if err = nsc.dp.RemoveFromList(labelKey, toBeDeletedKey, nil); err != nil {
if err = nsc.dp.RemoveFromList(labelKey, toBeDeletedKey); err != nil {
metrics.SendErrorLogAndMetric(util.NSID, "[DeleteNamespace] Error: failed to delete namespace %s from ipset list %s with err: %v", cachedNsKey, labelIpsetName, err)
return fmt.Errorf("failed to clean deleted namespace when deleting key with err %w", err)
}
Expand All @@ -435,7 +435,7 @@ func (nsc *NamespaceController) cleanDeletedNamespace(cachedNsKey string) error

labelIpsetName = util.GetNSNameWithPrefix(util.GetIpSetFromLabelKV(nsLabelKey, nsLabelVal))
klog.Infof("Deleting namespace %s from ipset list %s", cachedNsKey, labelIpsetName)
if err = nsc.dp.RemoveFromList(labelKeyValue, toBeDeletedKeyValue, nil); err != nil {
if err = nsc.dp.RemoveFromList(labelKeyValue, toBeDeletedKeyValue); err != nil {
metrics.SendErrorLogAndMetric(util.NSID, "[DeleteNamespace] Error: failed to delete namespace %s from ipset list %s with err: %v", cachedNsKey, labelIpsetName, err)
return fmt.Errorf("failed to clean deleted namespace when deleting key value with err %w", err)
}
Expand All @@ -448,7 +448,7 @@ func (nsc *NamespaceController) cleanDeletedNamespace(cachedNsKey string) error
toBeDeletedCachedKey := []*ipsets.IPSetMetadata{ipsets.NewIPSetMetadata(cachedNsKey, ipsets.Namespace)}

// Delete the namespace from all-namespace ipset list.
if err = nsc.dp.RemoveFromList(allNamespacesSet, toBeDeletedCachedKey, nil); err != nil {
if err = nsc.dp.RemoveFromList(allNamespacesSet, toBeDeletedCachedKey); err != nil {
metrics.SendErrorLogAndMetric(util.NSID, "[DeleteNamespace] Error: failed to delete namespace %s from ipset list %s with err: %v", cachedNsKey, util.KubeAllNamespacesFlag, err)
return fmt.Errorf("failed to remove from list during clean deleted namespace %w", err)
}
Expand Down
30 changes: 15 additions & 15 deletions npm/pkg/controlplane/controllers/v2/podcontroller.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -371,11 +371,11 @@ func (c *PodController) syncAddedPod(podObj *corev1.Pod) error {
namespaceSet := []*ipsets.IPSetMetadata{ipsets.NewIPSetMetadata(podObj.Namespace, ipsets.Namespace)}

klog.Infof("Creating ipset %s for namespace if it doesn't already exist", podObj.Namespace)
c.dp.CreateIPSet(namespaceSet)
c.dp.CreateIPSets(namespaceSet)

// Add the pod ip information into namespace's ipset.
klog.Infof("Adding pod %s to ipset %s", podObj.Status.PodIP, podObj.Namespace)
if err = c.dp.AddToSet(namespaceSet, podMetadata); err != nil {
if err = c.dp.AddToSets(namespaceSet, podMetadata); err != nil {
return fmt.Errorf("[syncAddedPod] Error: failed to add pod to namespace ipset with err: %w", err)
}

Expand All @@ -392,15 +392,15 @@ func (c *PodController) syncAddedPod(podObj *corev1.Pod) error {
allSets := []*ipsets.IPSetMetadata{targetSetKey, targetSetKeyValue}

klog.Infof("Creating ipsets %v if it does not already exist", allSets)
c.dp.CreateIPSet(allSets)
c.dp.CreateIPSets(allSets)

klog.Infof("Adding pod %s to ipset %s", npmPodObj.PodIP, labelKey)
if err = c.dp.AddToSet([]*ipsets.IPSetMetadata{targetSetKey}, podMetadata); err != nil {
if err = c.dp.AddToSets([]*ipsets.IPSetMetadata{targetSetKey}, podMetadata); err != nil {
return fmt.Errorf("[syncAddedPod] Error: failed to add pod to label ipset with err: %w", err)
}

klog.Infof("Adding pod %s to ipset %s", npmPodObj.PodIP, podIPSetName)
if err = c.dp.AddToSet([]*ipsets.IPSetMetadata{targetSetKeyValue}, podMetadata); err != nil {
if err = c.dp.AddToSets([]*ipsets.IPSetMetadata{targetSetKeyValue}, podMetadata); err != nil {
return fmt.Errorf("[syncAddedPod] Error: failed to add pod to label ipset with err: %w", err)
}
npmPodObj.appendLabels(map[string]string{labelKey: labelVal}, appendToExistingLabels)
Expand Down Expand Up @@ -430,9 +430,9 @@ func (c *PodController) syncAddAndUpdatePod(newPodObj *corev1.Pod) error {
// Create ipset related to namespace which this pod belong to if it does not exist.

toBeAdded := []*ipsets.IPSetMetadata{ipsets.NewIPSetMetadata(newPodObj.Namespace, ipsets.Namespace)}
c.dp.CreateIPSet([]*ipsets.IPSetMetadata{ipsets.NewIPSetMetadata(newPodObj.Namespace, ipsets.Namespace)})
c.dp.CreateIPSets([]*ipsets.IPSetMetadata{ipsets.NewIPSetMetadata(newPodObj.Namespace, ipsets.Namespace)})

if err = c.dp.AddToLists([]*ipsets.IPSetMetadata{kubeAllNamespaces}, toBeAdded, newPodMetadata); err != nil {
if err = c.dp.AddToLists([]*ipsets.IPSetMetadata{kubeAllNamespaces}, toBeAdded); err != nil {
c.npmNamespaceCache.Unlock()
return fmt.Errorf("[syncAddAndUpdatePod] Error: failed to add %s to all-namespace ipset list with err: %w", newPodObj.Namespace, err)
}
Expand Down Expand Up @@ -483,7 +483,7 @@ func (c *PodController) syncAddAndUpdatePod(newPodObj *corev1.Pod) error {
// todo: verify pulling nodename from newpod
cachedPodMetadata := dataplane.NewPodMetadata(podKey, cachedNpmPod.PodIP, newPodMetadata.NodeName)

if err = c.dp.RemoveFromSet([]*ipsets.IPSetMetadata{ipsets.NewIPSetMetadata(podIPSetName, ipsets.KeyLabelOfPod)}, cachedPodMetadata); err != nil {
if err = c.dp.RemoveFromSets([]*ipsets.IPSetMetadata{ipsets.NewIPSetMetadata(podIPSetName, ipsets.KeyLabelOfPod)}, cachedPodMetadata); err != nil {
return fmt.Errorf("[syncAddAndUpdatePod] Error: failed to delete pod from label ipset with err: %w", err)
}
// {IMPORTANT} The order of compared list will be key and then key+val. NPM should only append after both key
Expand All @@ -499,10 +499,10 @@ func (c *PodController) syncAddAndUpdatePod(newPodObj *corev1.Pod) error {

klog.Infof("Creating ipset %s if it doesn't already exist", addIPSetName)

c.dp.CreateIPSet([]*ipsets.IPSetMetadata{ipsets.NewIPSetMetadata(addIPSetName, ipsets.CIDRBlocks)})
c.dp.CreateIPSets([]*ipsets.IPSetMetadata{ipsets.NewIPSetMetadata(addIPSetName, ipsets.CIDRBlocks)})

klog.Infof("Adding pod %s to ipset %s", newPodObj.Status.PodIP, addIPSetName)
if err = c.dp.AddToSet([]*ipsets.IPSetMetadata{ipsets.NewIPSetMetadata(addIPSetName, ipsets.CIDRBlocks)}, newPodMetadata); err != nil {
if err = c.dp.AddToSets([]*ipsets.IPSetMetadata{ipsets.NewIPSetMetadata(addIPSetName, ipsets.CIDRBlocks)}, newPodMetadata); err != nil {
return fmt.Errorf("[syncAddAndUpdatePod] Error: failed to add pod to label ipset with err: %w", err)
}
// {IMPORTANT} Same as above order is assumed to be key and then key+val. NPM should only append to existing labels
Expand Down Expand Up @@ -554,7 +554,7 @@ func (c *PodController) cleanUpDeletedPod(cachedNpmPodKey string) error {
var err error
// Delete the pod from its namespace's ipset.
// note: NodeName empty is not going to call update pod
if err = c.dp.RemoveFromSet(
if err = c.dp.RemoveFromSets(
[]*ipsets.IPSetMetadata{ipsets.NewIPSetMetadata(cachedNpmPod.Namespace, ipsets.Namespace)},
dataplane.NewPodMetadata(cachedNpmPod.PodIP, cachedNpmPodKey, "")); err != nil {
return fmt.Errorf("[cleanUpDeletedPod] Error: failed to delete pod from namespace ipset with err: %w", err)
Expand All @@ -563,15 +563,15 @@ func (c *PodController) cleanUpDeletedPod(cachedNpmPodKey string) error {
// Get lists of podLabelKey and podLabelKey + podLavelValue ,and then start deleting them from ipsets
for labelKey, labelVal := range cachedNpmPod.Labels {
klog.Infof("Deleting pod %s from ipset %s", cachedNpmPod.PodIP, labelKey)
if err = c.dp.RemoveFromSet(
if err = c.dp.RemoveFromSets(
[]*ipsets.IPSetMetadata{ipsets.NewIPSetMetadata(labelKey, ipsets.KeyLabelOfPod)},
dataplane.NewPodMetadata(cachedNpmPod.PodIP, cachedNpmPodKey, "")); err != nil {
return fmt.Errorf("[cleanUpDeletedPod] Error: failed to delete pod from label ipset with err: %w", err)
}

podIPSetName := util.GetIpSetFromLabelKV(labelKey, labelVal)
klog.Infof("Deleting pod %s from ipset %s", cachedNpmPod.PodIP, podIPSetName)
if err = c.dp.RemoveFromSet(
if err = c.dp.RemoveFromSets(
[]*ipsets.IPSetMetadata{ipsets.NewIPSetMetadata(podIPSetName, ipsets.KeyValueLabelOfPod)},
dataplane.NewPodMetadata(cachedNpmPod.PodIP, cachedNpmPodKey, "")); err != nil {
return fmt.Errorf("[cleanUpDeletedPod] Error: failed to delete pod from label ipset with err: %w", err)
Expand Down Expand Up @@ -612,11 +612,11 @@ func (c *PodController) manageNamedPortIpsets(portList []corev1.ContainerPort, p
podMetadata := dataplane.NewPodMetadata(podKey, namedPortIpsetEntry, "")
switch namedPortOperation {
case deleteNamedPort:
if err := c.dp.RemoveFromSet([]*ipsets.IPSetMetadata{ipsets.NewIPSetMetadata(namedPort, ipsets.NamedPorts)}, podMetadata); err != nil {
if err := c.dp.RemoveFromSets([]*ipsets.IPSetMetadata{ipsets.NewIPSetMetadata(namedPort, ipsets.NamedPorts)}, podMetadata); err != nil {
return fmt.Errorf("failed to remove from set when deleting named port with err %w", err)
}
case addNamedPort:
if err := c.dp.AddToSet([]*ipsets.IPSetMetadata{ipsets.NewIPSetMetadata(namedPort, ipsets.NamedPorts)}, podMetadata); err != nil {
if err := c.dp.AddToSets([]*ipsets.IPSetMetadata{ipsets.NewIPSetMetadata(namedPort, ipsets.NamedPorts)}, podMetadata); err != nil {
return fmt.Errorf("failed to add to set when deleting named port with err %w", err)
}
}
Expand Down
Loading