Add Azure-npm to provide k8s network policy support #173
Conversation
59bf95f to c612106
| set: util.GetHashedName(listName), | ||
| } | ||
|
|
||
| errCode, err := ipsMgr.Run(entry) |
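Review bot: errCode from Run is only meaningful when err != nil, and a single status (1) cannot tell "set is still referenced by an iptables rule" apart from "set does not exist"; the first case leaves kernel state behind while the second is a true no-op. If exit 1 is going to be treated as benign here, log the ipset failure text alongside listName so the leaked-set case stays visible, and keep returning err for every other non-zero status.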
if err != nil {
if errCode == 1 {
log.Printf("Cannot delete list %s as it's being referred or doesn't exist.\n", listName)
return nil
}
log.Printf("Error deleting ipset %s\n %+v\n", listName, entry)
return err
}
done
npm/ipsm/ipsm.go
Outdated
| } | ||
|
|
||
| if _, err := ipsMgr.Run(entry); err != nil { | ||
| log.Printf("Error creating ipset rules.\n") |
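Review bot: the log at `log.Printf("Error creating ipset rules.\n")` drops both err and entry, so a failed ipset call cannot be attributed from the log file; fold them into one line, e.g. `log.Printf("Error creating ipset rules for %+v: %v\n", entry, err)`, and return err unchanged.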
combine logs
done
| return err | ||
| } | ||
|
|
||
| ipsMgr.setMap[setName] = NewIpset(setName) |
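Review bot: `ipsMgr.setMap[setName] = NewIpset(setName)` unconditionally replaces any existing *Ipset for setName, discarding its elements and referCount if the same set is created twice (for example when a namespace is re-added); look the key up first and return early when it is already present, so the in-memory view stays consistent with the kernel set.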
space to stick with styling
done
npm/ipsm/ipsm.go
Outdated
| } | ||
|
|
||
| if err != nil { | ||
| log.Printf("Error deleting ipset %s", setName) |
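Review bot: `log.Printf("Error deleting ipset %s", setName)` omits err and has no trailing newline, unlike the other log calls in this file; write `log.Printf("Error deleting ipset %s: %v\n", setName, err)` so the reason ipset refused the delete reaches the log.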
combine log
similar comment as above -
if err != nil {
if errCode == 1 {
| log.Printf("rule: %+v\n", entry) | ||
| return err | ||
| } | ||
| ipsMgr.setMap[setName].elements = append(ipsMgr.setMap[setName].elements, ip) |
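Review bot: `ipsMgr.setMap[setName].elements = append(...)` dereferences the map value without checking that setName is present; a missing key yields a nil pointer and panics the whole manager on the first add for a set that was never created. Use the two-value lookup (`set, ok := ipsMgr.setMap[setName]`) and either create the set or return an error when !ok.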
space after if brace
done
npm/namespace.go
Outdated
|
|
||
| allNs := npMgr.nsMap[util.KubeAllNamespacesFlag] | ||
| // Create ipset for the namespace. | ||
| ipsMgr := allNs.ipsMgr |
ipsMgr := npMgr.nsMap[util.KubeAllNamespacesFlag].ipsMgr?
npm/nwpolicy.go
Outdated
| iptMgr := allNs.iptMgr | ||
| for _, iptEntry := range iptEntries { | ||
| if err := iptMgr.Delete(iptEntry); err != nil { | ||
| log.Printf("Error applying iptables rule\n") |
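Review bot: the message "Error applying iptables rule" is emitted from the Delete path and omits err and the entry, so a failed rule removal reads in the log as a failed add; make it `log.Printf("Error deleting iptables rule %+v: %v\n", iptEntry, err)`, and decide deliberately whether to keep iterating or stop at the first failure, since returning early leaves the remaining entries for this policy in place.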
combine logs
| entries = append(entries, egressEntries...) | ||
|
|
||
| entries = append(entries, getDefaultDropEntries(affectedSets)...) | ||
|
|
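Review bot: getDefaultDropEntries(affectedSets) is appended after the ingress and egress allow entries, so enforcement depends on Add preserving this order when the rules reach iptables (append, not insert at the head of the chain). If the drop rules ever land before the allows the policy blocks traffic it was meant to admit, and if they are lost it fails open; a test that applies one policy and checks the resulting chain order would pin this down.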
remove space
This is a different block. Need space here.
npm/pod.go
Outdated
| return nil | ||
| } | ||
|
|
||
| oldPodObjNs, oldPodObjName, oldPodObjPhase, oldPodObjIP, newPodObjNs, newPodObjName, newPodObjPhase, newPodObjIP := oldPodObj.ObjectMeta.Namespace, oldPodObj.ObjectMeta.Name, oldPodObj.Status.Phase, oldPodObj.Status.PodIP, newPodObj.ObjectMeta.Namespace, newPodObj.ObjectMeta.Name, newPodObj.Status.Phase, newPodObj.Status.PodIP |
var (
oldPodObjNs = oldPodObj.ObjectMeta.Namespace
...
...
)
done
npm/pod.go
Outdated
| return nil | ||
| } | ||
|
|
||
| podNs, podName, podNodeName, podLabels := podObj.ObjectMeta.Namespace, podObj.ObjectMeta.Name, podObj.Spec.NodeName, podObj.ObjectMeta.Labels |
var initialize all of these guys
done
npm/ipsm/ipsm.go
Outdated
|
|
||
| // NotReferredByNwPolicy checks if a specific ipset is referred by any network policy. | ||
| func (ipsMgr *IpsetManager) NotReferredByNwPolicy(setName string) bool { | ||
| return ipsMgr.setMap[setName].referCount == 0 |
what if setName is not present in the setMap?
unused func. It is removed.
| errCode, err := ipsMgr.Run(entry) | ||
| if errCode > 1 && err != nil { | ||
| log.Printf("Error deleting ipset entry.\n") | ||
| log.Printf("%+v\n", entry) |
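Review bot: `if errCode > 1 && err != nil` silently ignores any error whose status is not above 1, including the case where Run fails before an exit status exists (binary missing, permission denied) and errCode is still 0. Check err first, then special-case errCode == 1; if the intent is to tolerate deleting an entry that is not in the set, `ipset del -exist` expresses that without swallowing every other failure.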
combine the logs
done
npm/ipsm/ipsm.go
Outdated
| } | ||
|
|
||
| if err != nil { | ||
| log.Printf("Error deleting ipset %s", setName) |
similar comment as above -
if err != nil {
if errCode == 1 {
|
|
||
| if msg, failed := err.(*exec.ExitError); failed { | ||
| errCode = msg.Sys().(syscall.WaitStatus).ExitStatus() | ||
| if errCode > 1 { |
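Review bot: `msg.Sys().(syscall.WaitStatus)` is an unchecked type assertion; if Sys() ever returns a different type the assertion panics, and a panic inside the command wrapper takes the policy manager down with it. Use the two-value form (`if ws, ok := msg.Sys().(syscall.WaitStatus); ok { ... }`) or `msg.ExitCode()` where the Go version permits, and return an explicit error when no status is available instead of leaving errCode at 0.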
combine these as
if errCode := msg.Sys().(syscall.WaitStatus).ExitStatus(); errCode > 1 {
?
npm/iptm/iptm.go
Outdated
|
|
||
| // InitNpmChains initializes Azure NPM chains in iptables. | ||
| func (iptMgr *IptablesManager) InitNpmChains() error { | ||
| log.Printf("Initializing AZURE-NPM") |
Is initializing azure-npm same as azure-npm-chain?
Changed it to "Initializing AZURE-NPM chains"
| util.IptablesJumpFlag, | ||
| util.IptablesAzureChain, | ||
| }, | ||
| } |
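Review bot: the jump into util.IptablesAzureChain is built here with util.IptablesJumpFlag, but nothing visible guards against InitNpmChains running more than once (a restart of the daemon), which would add a duplicate jump on every run; check for the rule first (iptables -C) and add it only when it is absent.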
space here?
This is one code block. entry is used right after declaration
| return nil | ||
| } | ||
|
|
||
| if err != nil { |
Similar comment as above about restructure
done
npm/iptm/iptm.go
Outdated
|
|
||
| // Add adds a rule in iptables. | ||
| func (iptMgr *IptablesManager) Add(entry *IptEntry) error { | ||
| log.Printf("%+v\n", entry) |
Is this log helpful?
added description.
npm/iptm/iptm.go
Outdated
|
|
||
| // Delete removes a rule in iptables. | ||
| func (iptMgr *IptablesManager) Delete(entry *IptEntry) error { | ||
| log.Printf("%+v\n", entry) |
Is this log helpful?
added description.
|
|
||
| if msg, failed := err.(*exec.ExitError); failed { | ||
| errCode = msg.Sys().(syscall.WaitStatus).ExitStatus() | ||
| if errCode > 1 { |
combine these as
if errCode := msg.Sys().(syscall.WaitStatus).ExitStatus(); errCode > 1 {
?
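The exit-status handling discussed in the two comments above (the `exec.ExitError` assertion in ipsm.go and iptm.go, and the "exit 1 is benign" rule for ipset deletes), written out as an added example in Go. This is not code from this PR or from azure-container-networking: it takes the status from `exec.ExitError.ExitCode()` instead of an unchecked `syscall.WaitStatus` assertion, checks err before the code so a missing status is never mistaken for success, and keeps the assumed convention that ipset exit status 1 means "set or entry absent, or still referenced". It drives `sh -c 'exit N'` in place of ipset so it runs without root or ipset installed; the `Outcome` type, `RunCommand`, `Classify`, `DeleteSet` and the set name are all made up for the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os/exec"
)

// Outcome classifies one ipset invocation. Exit status 1 is treated as the
// benign class (assumption for this example: set/entry absent or still
// referenced); any other non-zero status, or no status at all, is a failure.
type Outcome int

const (
	Succeeded Outcome = iota // exit 0
	Benign                   // exit 1: log and carry on
	Failed                   // exit > 1, or the process never reported a status
)

func (o Outcome) String() string {
	switch o {
	case Succeeded:
		return "succeeded"
	case Benign:
		return "benign"
	}
	return "failed"
}

// RunCommand runs name with args and returns the exit status plus an error that
// carries the captured output. The status comes from ExitError.ExitCode()
// (os.ProcessState), so there is no .(syscall.WaitStatus) assertion to panic on.
// A status of -1 means there was none: binary missing, permission denied, or
// the process was killed by a signal.
func RunCommand(name string, args ...string) (int, error) {
	out, err := exec.Command(name, args...).CombinedOutput()
	if err == nil {
		return 0, nil
	}
	var exitErr *exec.ExitError
	if errors.As(err, &exitErr) {
		code := exitErr.ExitCode()
		return code, fmt.Errorf("%s %v: exit status %d: %s", name, args, code, bytes.TrimSpace(out))
	}
	return -1, fmt.Errorf("%s %v: %w", name, args, err)
}

// Classify maps (exitCode, err) to an Outcome. err is checked first, so a
// failure without an exit status is never reported as success, which is what
// a condition of the form `errCode > 1 && err != nil` does when errCode is 0.
func Classify(exitCode int, err error) Outcome {
	if err == nil {
		return Succeeded
	}
	if exitCode == 1 {
		return Benign
	}
	return Failed
}

// DeleteSet is the delete path: a benign result is logged and swallowed, a real
// failure is returned to the caller together with the command's output.
// name/args stand in for "ipset destroy <setName>" so the logic can be
// exercised with a plain shell.
func DeleteSet(setName string, name string, args ...string) (Outcome, error) {
	code, err := RunCommand(name, args...)
	out := Classify(code, err)
	switch out {
	case Benign:
		fmt.Printf("cannot delete ipset %s (in use or absent): %v\n", setName, err)
		return out, nil
	case Failed:
		return out, fmt.Errorf("deleting ipset %s: %w", setName, err)
	}
	return out, nil
}

func main() {
	// Constructed stand-ins for ipset: a shell exiting with the status ipset
	// would return, so the example runs on any machine with /bin/sh.
	for _, status := range []string{"0", "1", "2"} {
		out, err := DeleteSet("azure-npm-demo", "sh", "-c", "exit "+status)
		fmt.Printf("exit %s -> %s, err=%v\n", status, out, err)
	}
	out, err := DeleteSet("azure-npm-demo", "/nonexistent/ipset")
	fmt.Printf("missing binary -> %s, err=%v\n", out, err)
}
```

The one design choice worth noting is that `Classify` never looks at the code unless err is non-nil: the exit status is derived from the error, not the other way round, so the "no status" case (-1) and the "status 0 but err set" case both end up as `Failed` rather than being silently dropped.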
npm/namespace.go
Outdated
| name string | ||
| setMap map[string]string | ||
| podMap map[types.UID]*corev1.Pod | ||
| npMap map[string]*networkingv1.NetworkPolicy // TODO: Optimize to ordered map. |
TODO..
saiyan86
left a comment
address comments
|
|
||
| allNs := npMgr.nsMap[util.KubeAllNamespacesFlag] | ||
|
|
||
| _, _, iptEntries := parsePolicy(npObj) |
Can parsePolicy return an error? What happens in case of error?
This is basically pure string manipulation. This function has no effect by itself. Its return value is used in other functions, and I catch errors there.
|
|
||
| allNs, err := newNs(util.KubeAllNamespacesFlag) | ||
| if err != nil { | ||
| panic(err.Error) |
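Review bot: `panic(err.Error)` passes the method value, not the string, so the panic prints a function value and the actual newNs error is lost; it must be `panic(err.Error())`, as on the InClusterConfig path. Since this is the fatal startup path, logging the error through the configured logger before panicking would also get it into the log file rather than only stderr.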
Where are you handling these panics? I don't see any recover.
This error is fatal. It shouldn't be recovered.
npm/parse.go
Outdated
| isAppliedToNs = true | ||
| } | ||
|
|
||
| //TODO: handle IPBlock |
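Review bot: an unhandled IPBlock peer is a fail-open condition, not only a TODO: a NetworkPolicy whose ingress or egress peer is given only as an ipBlock would contribute no selector-based entries here, and the traffic it was meant to restrict stays allowed. Until ipBlock (and its except list) is translated, reject such policies or at least log them loudly rather than applying them partially.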
Is this still a TODO?
Nope. Removed. Thanks!
npm/plugin/main.go
Outdated
| log.SetName("azure-npm") | ||
| log.SetLevel(log.LevelInfo) | ||
| err := log.SetTarget(log.TargetLogfile) | ||
| if err != nil { |
if err := log.SetTarget(log.TargetLogfile); err != nil {
done
| // Creates the in-cluster config | ||
| config, err := rest.InClusterConfig() | ||
| if err != nil { | ||
| panic(err.Error()) |
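Review bot: with log.SetTarget(log.TargetLogfile) in effect, this bare panic(err.Error()) goes to stderr while everything else goes to the log file, so the fatal InClusterConfig error is the one line an operator will not find there; log it through the same logger before panicking, or use the logger's fatal path if it provides one.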
Similar comment to above - where are you handing these panics?
Addressed. Thanks!
npm/pod.go
Outdated
| podNodeName := podObj.Spec.NodeName | ||
| podLabels := podObj.ObjectMeta.Labels | ||
| podIP := podObj.Status.PodIP | ||
| log.Printf("POD DELETED: %s/%s/%s\n", podNs, podName, podNodeName) |
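Review bot: podIP is read from Status.PodIP on the delete path, but a pod deleted before it was scheduled or before its IP was assigned has an empty PodIP; check for "" before issuing any ipset delete with it, otherwise the call fails (or, under a tolerant exit-code rule, is silently skipped) while this log line has already announced a delete that never touched the kernel.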
Move this to line 138 - which makes sure we log 'deleted' only when the operation is successful
changed from deleted to deleting
npm/pod_test.go
Outdated
| "testing" | ||
|
|
||
| "github.com/Azure/azure-container-networking/npm/ipsm" | ||
|
|
any reason for space here?
| @@ -0,0 +1,173 @@ | |||
| package npm | |||
You added a bunch of new files - I think we need to add correct copyright info in those.
Where should we add to copyright info?
check the top of https://github.com/Azure/azure-container-networking/blob/master/cni/network/network.go .
Please check with Sushant if these are needed. I think we need to have Microsoft under copyright statement for new files.
Thanks. I added Microsoft copyright info.
| } | ||
| } | ||
|
|
||
| func TestUpdatePod(t *testing.T) { |
You can combine TestUpdatePod and TestAddPod (like TestAddUpdatePod) because 95% of the code is same. Is there any particular reason to have these separate? It's possible to combine delete in this as well. But I don't have any strong push for this
This is incremental test. This will give a bit more coverage.
| @@ -0,0 +1,42 @@ | |||
| package util | |||
Can this util package be brought out of npm and at azure-container-networking scope? That way we can build this util and can use it everywhere within azure-container-networking. If easily possible, otherwise no worries.
Nice suggestion. I'll do it later. But can we check this in first? This is pretty important :D
* azure-npm
* set logging file
* parameterize telemetry API
* avoid null ptr dereference
* add telemetry to npm

@ashvindeodhar @jaer-tsun Thanks!
What this PR does / why we need it:
This PR adds Azure Network Policy Manager, a.k.a. azure-npm, to Azure CNI.
Azure-npm is Microsoft Azure's fault-tolerant and scalable implementation of the Kubernetes Network Policy plugin.
Azure-npm supports all network policies specified by current version of Kubernetes, and will continue to support future versions.
Azure-npm only supports Kubernetes v1.8 or later, as it requires NetworkPolicy API v1beta1.