Register consecutive priorities in batch (#1331)

* Register consecutive priorities in batch * Fix issue in reassignment function and add more UT
antrea-io · Oct 15, 2020 · 70d3e65 · 70d3e65
1 parent 6c6acbb
commit 70d3e65
Show file tree

Hide file tree

Showing 6 changed files with 594 additions and 470 deletions.
diff --git a/pkg/agent/controller/networkpolicy/cache.go b/pkg/agent/controller/networkpolicy/cache.go
@@ -64,6 +64,8 @@ type rule struct {
 	Action *secv1alpha1.RuleAction
 	// Priority of this rule within the NetworkPolicy. Defaults to -1 for K8s NetworkPolicy.
 	Priority int32
+	// The highest rule Priority within the NetworkPolicy. Defaults to -1 for K8s NetworkPolicy.
+	MaxPriority int32
 	// Priority of the NetworkPolicy to which this rule belong. nil for K8s NetworkPolicy.
 	PolicyPriority *float64
 	// Priority of the tier that the NetworkPolicy belongs to. nil for K8s NetworkPolicy.
@@ -560,7 +562,7 @@ func (c *ruleCache) DeleteAppliedToGroup(group *v1beta1.AppliedToGroup) error {
 }
 
 // toRule converts v1beta1.NetworkPolicyRule to *rule.
-func toRule(r *v1beta1.NetworkPolicyRule, policy *v1beta1.NetworkPolicy) *rule {
+func toRule(r *v1beta1.NetworkPolicyRule, policy *v1beta1.NetworkPolicy, maxPriority int32) *rule {
 	rule := &rule{
 		Direction:       r.Direction,
 		From:            r.From,
@@ -577,9 +579,25 @@ func toRule(r *v1beta1.NetworkPolicyRule, policy *v1beta1.NetworkPolicy) *rule {
 	rule.ID = hashRule(rule)
 	rule.PolicyNamespace = policy.Namespace
 	rule.PolicyName = policy.Name
+	rule.MaxPriority = maxPriority
 	return rule
 }
 
+// getMaxPriority returns the highest rule priority for v1beta1.NetworkPolicy that is created
+// by Antrea-native policies. For K8s NetworkPolicies, it always returns -1.
+func getMaxPriority(policy *v1beta1.NetworkPolicy) int32 {
+	if policy.SourceRef.Type == v1beta1.K8sNetworkPolicy {
+		return -1
+	}
+	maxPriority := int32(-1)
+	for _, r := range policy.Rules {
+		if r.Priority > maxPriority {
+			maxPriority = r.Priority
+		}
+	}
+	return maxPriority
+}
+
 // GetNetworkPolicyNum gets the number of NetworkPolicy.
 func (c *ruleCache) GetNetworkPolicyNum() int {
 	c.policyMapLock.RLock()
@@ -637,8 +655,9 @@ func (c *ruleCache) UpdateNetworkPolicy(policy *v1beta1.NetworkPolicy) error {
 		ruleByID[r.(*rule).ID] = r
 	}
 
+	maxPriority := getMaxPriority(policy)
 	for i := range policy.Rules {
-		r := toRule(&policy.Rules[i], policy)
+		r := toRule(&policy.Rules[i], policy, maxPriority)
 		if _, exists := ruleByID[r.ID]; exists {
 			// If rule already exists, remove it from the map so the ones left finally are orphaned.
 			klog.V(2).Infof("Rule %v was not changed", r.ID)

diff --git a/pkg/agent/controller/networkpolicy/cache_test.go b/pkg/agent/controller/networkpolicy/cache_test.go
@@ -28,6 +28,10 @@ import (
 	"github.com/vmware-tanzu/antrea/pkg/apis/controlplane/v1beta1"
 )
 
+var (
+	k8sNPMaxPriority = int32(-1)
+)
+
 func TestAddressGroupIndexFunc(t *testing.T) {
 	tests := []struct {
 		name    string
@@ -106,6 +110,62 @@ func TestAppliedToGroupIndexFunc(t *testing.T) {
 	}
 }
 
+func TestGetMaxPriority(t *testing.T) {
+	networkPolicyRule1 := &v1beta1.NetworkPolicyRule{
+		Direction: v1beta1.DirectionIn,
+		From:      v1beta1.NetworkPolicyPeer{AddressGroups: []string{"addressGroup1"}},
+		To:        v1beta1.NetworkPolicyPeer{},
+		Services:  nil,
+	}
+	networkPolicyRule2 := &v1beta1.NetworkPolicyRule{
+		Direction: v1beta1.DirectionIn,
+		From:      v1beta1.NetworkPolicyPeer{AddressGroups: []string{"addressGroup2"}},
+		To:        v1beta1.NetworkPolicyPeer{},
+		Services:  nil,
+		Priority:  0,
+	}
+	networkPolicyRule3 := &v1beta1.NetworkPolicyRule{
+		Direction: v1beta1.DirectionIn,
+		From:      v1beta1.NetworkPolicyPeer{AddressGroups: []string{"addressGroup3"}},
+		To:        v1beta1.NetworkPolicyPeer{},
+		Services:  nil,
+		Priority:  1,
+	}
+	networkPolicyRule4 := &v1beta1.NetworkPolicyRule{
+		Direction: v1beta1.DirectionOut,
+		From:      v1beta1.NetworkPolicyPeer{AddressGroups: []string{"addressGroup4"}},
+		To:        v1beta1.NetworkPolicyPeer{},
+		Services:  nil,
+		Priority:  0,
+	}
+	k8sNP := &v1beta1.NetworkPolicy{
+		ObjectMeta:      metav1.ObjectMeta{UID: "policy1"},
+		Rules:           []v1beta1.NetworkPolicyRule{*networkPolicyRule1},
+		AppliedToGroups: []string{"addressGroup1"},
+		SourceRef: &v1beta1.NetworkPolicyReference{
+			Type:      v1beta1.K8sNetworkPolicy,
+			Namespace: "ns1",
+			Name:      "name1",
+			UID:       "policy1",
+		},
+	}
+	acnpPriority, acnpTier := 1.0, int32(250)
+	antreaNP := &v1beta1.NetworkPolicy{
+		ObjectMeta:      metav1.ObjectMeta{UID: "policy2"},
+		Priority:        &acnpPriority,
+		TierPriority:    &acnpTier,
+		Rules:           []v1beta1.NetworkPolicyRule{*networkPolicyRule2, *networkPolicyRule3, *networkPolicyRule4},
+		AppliedToGroups: []string{"addressGroup1"},
+		SourceRef: &v1beta1.NetworkPolicyReference{
+			Type: v1beta1.AntreaClusterNetworkPolicy,
+			Name: "acnp1",
+			UID:  "policy-acnp",
+		},
+	}
+	assert.Equal(t, int32(-1), getMaxPriority(k8sNP), "got unexpected maxPriority for K8s NetworkPolicy")
+	assert.Equal(t, int32(1), getMaxPriority(antreaNP), "got unexpected maxPriority for AntreaPolicy")
+}
+
 type dirtyRuleRecorder struct {
 	rules   sets.String
 	eventCh chan string
@@ -385,14 +445,26 @@ func TestRuleCacheReplaceNetworkPolicies(t *testing.T) {
 		ObjectMeta:      metav1.ObjectMeta{UID: "policy1"},
 		Rules:           []v1beta1.NetworkPolicyRule{*networkPolicyRule1},
 		AppliedToGroups: []string{"addressGroup1"},
+		SourceRef: &v1beta1.NetworkPolicyReference{
+			Type:      v1beta1.K8sNetworkPolicy,
+			Namespace: "ns1",
+			Name:      "name1",
+			UID:       "policy1",
+		},
 	}
 	networkPolicy2 := &v1beta1.NetworkPolicy{
 		ObjectMeta:      metav1.ObjectMeta{UID: "policy1"},
 		Rules:           []v1beta1.NetworkPolicyRule{*networkPolicyRule1},
 		AppliedToGroups: []string{"addressGroup2"},
+		SourceRef: &v1beta1.NetworkPolicyReference{
+			Type:      v1beta1.K8sNetworkPolicy,
+			Namespace: "ns1",
+			Name:      "name1",
+			UID:       "policy1",
+		},
 	}
-	rule1 := toRule(networkPolicyRule1, networkPolicy1)
-	rule2 := toRule(networkPolicyRule1, networkPolicy2)
+	rule1 := toRule(networkPolicyRule1, networkPolicy1, k8sNPMaxPriority)
+	rule2 := toRule(networkPolicyRule1, networkPolicy2, k8sNPMaxPriority)
 	tests := []struct {
 		name               string
 		rules              []*rule
@@ -530,14 +602,26 @@ func TestRuleCacheAddNetworkPolicy(t *testing.T) {
 		ObjectMeta:      metav1.ObjectMeta{UID: "policy1", Namespace: "ns1", Name: "name1"},
 		Rules:           nil,
 		AppliedToGroups: []string{"appliedToGroup1"},
+		SourceRef: &v1beta1.NetworkPolicyReference{
+			Type:      v1beta1.K8sNetworkPolicy,
+			Namespace: "ns1",
+			Name:      "name1",
+			UID:       "policy1",
+		},
 	}
 	networkPolicy2 := &v1beta1.NetworkPolicy{
 		ObjectMeta:      metav1.ObjectMeta{UID: "policy2", Namespace: "ns2", Name: "name2"},
 		Rules:           []v1beta1.NetworkPolicyRule{*networkPolicyRule1, *networkPolicyRule2},
 		AppliedToGroups: []string{"appliedToGroup1"},
+		SourceRef: &v1beta1.NetworkPolicyReference{
+			Type:      v1beta1.K8sNetworkPolicy,
+			Namespace: "ns2",
+			Name:      "name2",
+			UID:       "policy2",
+		},
 	}
-	rule1 := toRule(networkPolicyRule1, networkPolicy2)
-	rule2 := toRule(networkPolicyRule2, networkPolicy2)
+	rule1 := toRule(networkPolicyRule1, networkPolicy2, k8sNPMaxPriority)
+	rule2 := toRule(networkPolicyRule2, networkPolicy2, k8sNPMaxPriority)
 	tests := []struct {
 		name               string
 		args               *v1beta1.NetworkPolicy
@@ -904,20 +988,38 @@ func TestRuleCacheUpdateNetworkPolicy(t *testing.T) {
 		ObjectMeta:      metav1.ObjectMeta{UID: "policy1"},
 		Rules:           []v1beta1.NetworkPolicyRule{*networkPolicyRule1},
 		AppliedToGroups: []string{"addressGroup1"},
+		SourceRef: &v1beta1.NetworkPolicyReference{
+			Type:      v1beta1.K8sNetworkPolicy,
+			Namespace: "ns1",
+			Name:      "name1",
+			UID:       "policy1",
+		},
 	}
 	networkPolicy2 := &v1beta1.NetworkPolicy{
 		ObjectMeta:      metav1.ObjectMeta{UID: "policy1"},
 		Rules:           []v1beta1.NetworkPolicyRule{*networkPolicyRule1},
 		AppliedToGroups: []string{"addressGroup2"},
+		SourceRef: &v1beta1.NetworkPolicyReference{
+			Type:      v1beta1.K8sNetworkPolicy,
+			Namespace: "ns1",
+			Name:      "name1",
+			UID:       "policy1",
+		},
 	}
 	networkPolicy3 := &v1beta1.NetworkPolicy{
 		ObjectMeta:      metav1.ObjectMeta{UID: "policy1"},
 		Rules:           []v1beta1.NetworkPolicyRule{*networkPolicyRule1, *networkPolicyRule2},
 		AppliedToGroups: []string{"addressGroup1"},
+		SourceRef: &v1beta1.NetworkPolicyReference{
+			Type:      v1beta1.K8sNetworkPolicy,
+			Namespace: "ns1",
+			Name:      "name1",
+			UID:       "policy1",
+		},
 	}
-	rule1 := toRule(networkPolicyRule1, networkPolicy1)
-	rule2 := toRule(networkPolicyRule1, networkPolicy2)
-	rule3 := toRule(networkPolicyRule2, networkPolicy3)
+	rule1 := toRule(networkPolicyRule1, networkPolicy1, k8sNPMaxPriority)
+	rule2 := toRule(networkPolicyRule1, networkPolicy2, k8sNPMaxPriority)
+	rule3 := toRule(networkPolicyRule2, networkPolicy3, k8sNPMaxPriority)
 	tests := []struct {
 		name               string
 		rules              []*rule