CNP Tier integration (antrea-io#956)

Add support for Tiered ClusterNetworkPolicies by associating a CNP with Tier name. This PR adds the following: Add a new field tier to CNP and native NP specs Add "Emergency, SecurityOps, NetworkOps, Platform, Application" as choices for tier names Add Tier column to the CNP kubectl get cnp output Update internal NetworkPolicy types to include the TierPriority associated with above tier names A CNP without any association to any tier will be created in the default lowest priority tier i.e. "Application Tier". The same applies for all existing CNP created prior to the Tier introduction. The tiers have the following precedence: Emergency > SecurityOps > NetworkOps > Platform > Application i.e. all policies associated with Emergency Tiers will be evaluated before any policy associated with SecurityOps tier and so on. The K8s NetworkPolicies will be evaluated once all Tiers are evaluated i.e. after the Application Tier.
antoninbas · Aug 6, 2020 · 1ff54b5 · 1ff54b5
1 parent 74055d7
commit 1ff54b5
Show file tree

Hide file tree

Showing 19 changed files with 558 additions and 104 deletions.
diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml
@@ -46,6 +46,10 @@ metadata:
   name: clusternetworkpolicies.security.antrea.tanzu.vmware.com
 spec:
   additionalPrinterColumns:
+  - JSONPath: .spec.tier
+    description: The Tier to which this ClusterNetworkPolicy belongs to.
+    name: Tier
+    type: string
   - JSONPath: .spec.priority
     description: The Priority of this ClusterNetworkPolicy relative to other policies.
     format: float
@@ -150,6 +154,14 @@ spec:
               maximum: 10000
               minimum: 1
               type: number
+            tier:
+              enum:
+              - Emergency
+              - SecurityOps
+              - NetworkOps
+              - Platform
+              - Application
+              type: string
           required:
           - appliedTo
           - priority

diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml
@@ -46,6 +46,10 @@ metadata:
   name: clusternetworkpolicies.security.antrea.tanzu.vmware.com
 spec:
   additionalPrinterColumns:
+  - JSONPath: .spec.tier
+    description: The Tier to which this ClusterNetworkPolicy belongs to.
+    name: Tier
+    type: string
   - JSONPath: .spec.priority
     description: The Priority of this ClusterNetworkPolicy relative to other policies.
     format: float
@@ -150,6 +154,14 @@ spec:
               maximum: 10000
               minimum: 1
               type: number
+            tier:
+              enum:
+              - Emergency
+              - SecurityOps
+              - NetworkOps
+              - Platform
+              - Application
+              type: string
           required:
           - appliedTo
           - priority

diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml
@@ -46,6 +46,10 @@ metadata:
   name: clusternetworkpolicies.security.antrea.tanzu.vmware.com
 spec:
   additionalPrinterColumns:
+  - JSONPath: .spec.tier
+    description: The Tier to which this ClusterNetworkPolicy belongs to.
+    name: Tier
+    type: string
   - JSONPath: .spec.priority
     description: The Priority of this ClusterNetworkPolicy relative to other policies.
     format: float
@@ -150,6 +154,14 @@ spec:
               maximum: 10000
               minimum: 1
               type: number
+            tier:
+              enum:
+              - Emergency
+              - SecurityOps
+              - NetworkOps
+              - Platform
+              - Application
+              type: string
           required:
           - appliedTo
           - priority

diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml
@@ -46,6 +46,10 @@ metadata:
   name: clusternetworkpolicies.security.antrea.tanzu.vmware.com
 spec:
   additionalPrinterColumns:
+  - JSONPath: .spec.tier
+    description: The Tier to which this ClusterNetworkPolicy belongs to.
+    name: Tier
+    type: string
   - JSONPath: .spec.priority
     description: The Priority of this ClusterNetworkPolicy relative to other policies.
     format: float
@@ -150,6 +154,14 @@ spec:
               maximum: 10000
               minimum: 1
               type: number
+            tier:
+              enum:
+              - Emergency
+              - SecurityOps
+              - NetworkOps
+              - Platform
+              - Application
+              type: string
           required:
           - appliedTo
           - priority

diff --git a/build/yamls/base/crds.yml b/build/yamls/base/crds.yml
@@ -221,6 +221,10 @@ spec:
   # Prune any unknown fields
   preserveUnknownFields: false
   additionalPrinterColumns:
+  - name: Tier
+    type: string
+    description: The Tier to which this ClusterNetworkPolicy belongs to.
+    JSONPath: .spec.tier
   - name: Priority
     type: number
     format: float
@@ -240,6 +244,9 @@ spec:
             - priority
           type: object
           properties:
+            tier:
+              type: string
+              enum: ['Emergency', 'SecurityOps', 'NetworkOps', 'Platform', 'Application']
             priority:
               type: number
               format: float

diff --git a/pkg/apis/networking/types.go b/pkg/apis/networking/types.go
@@ -146,6 +146,10 @@ type AddressGroupList struct {
 	Items []AddressGroup
 }
 
+// TierPriority specifies the relative ordering among Tiers. A lower
+// TierPriority indicates higher precedence.
+type TierPriority uint32
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // NetworkPolicy is the message format of antrea/pkg/controller/types.NetworkPolicy in an API response.
 type NetworkPolicy struct {
@@ -155,9 +159,12 @@ type NetworkPolicy struct {
 	Rules []NetworkPolicyRule
 	// AppliedToGroups is a list of names of AppliedToGroups to which this policy applies.
 	AppliedToGroups []string
-	// Priority represents the relative priority of this Network Policy as compared to
-	// other Network Policies. Priority will be unset (nil) for K8s Network Policy.
+	// Priority represents the relative priority of this NetworkPolicy as compared to
+	// other NetworkPolicies. Priority will be unset (nil) for K8s NetworkPolicy.
 	Priority *float64
+	// TierPriority represents the priority of the Tier associated with this NetworkPolicy.
+	// The TierPriority will remain nil for K8s NetworkPolicy.
+	TierPriority *TierPriority
 }
 
 // Direction defines traffic direction of NetworkPolicyRule.
@@ -185,7 +192,7 @@ type NetworkPolicyRule struct {
 	Priority int32
 	// Action specifies the action to be applied on the rule. i.e. Allow/Drop. An empty
 	// action “nil” defaults to Allow action, which would be the case for rules created for
-	// K8s Network Policy.
+	// K8s NetworkPolicy.
 	Action *secv1alpha1.RuleAction
 }