Move Cidr translation from iptable to ipset.

[csfmomo]

What this PR does / why we need it:
Ipset is an extension for iptable to store and look up ip blocks in an efficient hash way. Move ip cidr related rule to ipset will improve npm performance.

Which issue this PR fixes
It fixes perf issue when large amount of ip cidr rule got applied.

Special notes for your reviewer:
Examples of ipset and iptables rules with this change.

Release note:

[codecov]

Codecov Report

Merging #582 into master will increase coverage by 3.92%.
The diff coverage is 93.33%.

@@            Coverage Diff             @@
##           master     #582      +/-   ##
==========================================
+ Coverage   49.08%   53.00%   +3.92%     
==========================================
  Files          28       23       -5     
  Lines        3449     2858     -591     
==========================================
- Hits         1693     1515     -178     
+ Misses       1466     1071     -395     
+ Partials      290      272      -18     

[jaer-tsun]

translatepolicy should already remove empty sets

[csfmomo]

No, it didn't.
For the existing return object, including sets, namedPorts, lists, they are []string type and called UniqueStrSlice to remove empty set. However, for ipsetEntries, it's [][]string type and didn't do drop empty entries before returning. I intentionally didn't do that to keep index order for simplicity for deleting ipset when network policy rule updates.

[jaer-tsun]

I don't think this func will work as intended since the length of the set includes all the entries to be deleted

[csfmomo]

What I intend to do here is, delete ipset npm created when translate cidrs rule. Length of the set includes cidrs belong to this rule.
It works as intended. I test it by updating same network policy rules. It will remove and update the target ipset.

[jaer-tsun]

setName should include namespace

[csfmomo]

OK, I'll add ns but remove cidr for setName.

[jaer-tsun]

why do we copy?

[csfmomo]

No need to copy. Let me remove it.
Copied it following previous coding style but is't not needed here.

[jaer-tsun]

why do we copy?

[csfmomo]

Same as comment in line 1515.

[jaer-tsun]

why do we copy?

[csfmomo]

ingressIPCidrs is a local variable which under for loop. If we want to return it outside the for loop, we have to copy it to a non-local variable. Copy it to resultIngressIPCidrs to keep consistency with existing code.

[jaer-tsun]

why do we copy?

[csfmomo]

egressIPCidrs is a local variable which under for loop. If we want to return it outside the for loop, we have to copy it to a non-local variable. Copy it to resultEgressIPCidrs to keep consistency with existing code.

[jaer-tsun]

no need for "cidr" in name to hash

[csfmomo]

OK

[jaer-tsun]

no need for "-cidr", but add namespace

[csfmomo]

OK.

[mainred]

What about keeping the cidr to be more explicit? We just want this name to be unique.
At least we have to worry other ipset formed by podSelector or namespaceSelector from the same networkPolicyPeer in the future.

type NetworkPolicyPeer struct {
	PodSelector *metav1.LabelSelector 

	NamespaceSelector *metav1.LabelSelector

	IPBlock *IPBlock 
}

[csfmomo]

Yes, keep cidr will make it more explicit but it's not a hard request for now. Ipset also has a limitation for the name string length.
Current NPM keeps ipset for pod and namespace already. For pod, npm uses pod label key, pod label key and value as ipset name. For namespace, upm uses the name of namespaces as ipset name. They are not conflicting with IPBlock ipset name.

[jaer-tsun]

we shouldn't have no matches since we're moving to allow based style

[csfmomo]

We can do it in next PR, let's have this PR focus on ip table to ip set change.

[mainred]

Maybe a TODO comment can help move this work to our next PR.

[csfmomo]

Let me add TODO comment.

[mainred]

Left a few comments, but to not block your work, I'll approve your work and leave you and Jaeryn make the last decision

[mainred]

Suggested change

	spec: append([]string{util.IpsetSetListFlag}),
	spec: []string{util.IpsetSetListFlag},

[mainred]

ditto

[mainred]

ditto

[mainred]

what about moving createCidrsRule and removeCidrsRule to ipsm.IpsetManager?

[csfmomo]

what about moving createCidrsRule and removeCidrsRule to ipsm.IpsetManager?

createCidrsRule and removeCidrsRule are only needed during AddPolicy function which locate at nwpolicy.go. They won't be reused any where else. I would like to keep them inside nwpolicy.go. They reuse the functions of CreateSet and AddToSet in ipsm.IpsetManager. ipsm keeps more generic functions.

[mainred]

What about keeping the cidr to be more explicit? We just want this name to be unique.
At least we have to worry other ipset formed by podSelector or namespaceSelector from the same networkPolicyPeer in the future.

type NetworkPolicyPeer struct {
	PodSelector *metav1.LabelSelector 

	NamespaceSelector *metav1.LabelSelector

	IPBlock *IPBlock 
}

[mainred]

Maybe a TODO comment can help move this work to our next PR.

[mainred]

policyName to be more explicit?

[mainred]

Besides IPBLocks, we also have podselector and namespace selector in the following steps, so we cannot continue to next rule item.

[mainred]

We may later refactor this lengthy function to be more clean and easy to maintain.
CC @jaer-tsun

[csfmomo]

Besides IPBLocks, we also have podselector and namespace selector in the following steps, so we cannot continue to next rule item.

We can continue. Please note the continue condition is when j != 0 which means the podselector and namespace selector has already been added in iptable entry when j = 0. It's a key point to improve our performance. When j = 0 which means npm loop through the 1st item in ipBlock, npm will create a cidr ipset, create a iptable entry. When j > 0, npm just need to add cidr to ipset entry, no need to create iptable entries anymore.

[csfmomo]

We may later refactor this lengthy function to be more clean and easy to maintain.
CC @jaer-tsun

Agree, I drafted a PR to refactor translatePolicy.go to remove duplicated code between translateIngress and translateEgress and make it concise.

[mainred]

Suggested change

	func translateEgress(ns string, name string, targetSelector metav1.LabelSelector, rules []networkingv1.NetworkPolicyEgressRule) ([]string, []string, []string, [][]string, []*iptm.IptEntry) {
	func translateEgress(ns string, policyName string, targetSelector metav1.LabelSelector, rules []networkingv1.NetworkPolicyEgressRule) ([]string, []string, []string, [][]string, []*iptm.IptEntry) {

[mainred]

gofmt is also needed.

[csfmomo]

gofmt

Let me open a separate PR for gofmt.

[jaer-tsun]

/lgtm