From 76efdd4b5a2210b8a7cc1b4a9ddb21bd0d3b2cf5 Mon Sep 17 00:00:00 2001 From: Dyanngg Date: Thu, 3 Dec 2020 17:22:53 -0800 Subject: [PATCH] Add sort-by effectivePriority for antctl get networkpolicy (#1530) * Add sort-by effectivePriority for antctl get networkpolicy * Address comments and move sort logic to the client side * Add value check for sort-by flag --- docs/antctl.md | 9 ++ docs/antrea-network-policy.md | 27 +++++- .../handlers/networkpolicy/handler.go | 2 - pkg/antctl/antctl.go | 2 + pkg/antctl/command_definition.go | 46 +++++++--- pkg/antctl/command_definition_test.go | 19 ++-- .../transform/addressgroup/transform.go | 9 +- .../transform/appliedtogroup/transform.go | 9 +- .../transform/controllerinfo/transform.go | 2 +- .../transform/networkpolicy/transform.go | 87 +++++++++++++++++-- pkg/antctl/transform/utils.go | 8 +- pkg/antctl/transform/version/transform.go | 4 +- .../networkpolicy/antreanetworkpolicy_test.go | 6 +- .../clusternetworkpolicy_test.go | 16 ++-- pkg/controller/networkpolicy/crd_utils.go | 4 +- pkg/controller/networkpolicy/tier.go | 12 +-- 16 files changed, 196 insertions(+), 66 deletions(-) diff --git a/docs/antctl.md b/docs/antctl.md index 3767fdecd0c..5388553fa3f 100644 --- a/docs/antctl.md +++ b/docs/antctl.md @@ -172,6 +172,15 @@ antctl get appliedtogroup [name] [-o yaml] antctl get addressgroup [name] [-o yaml] ``` +NetworkPolicy also supports `sort-by=effectivePriority` option, which can be used to +view the effective order in which the NetworkPolicies are evaluated. Antrea-native +NetworkPolicy ordering is documented [here]( +antrea-network-policy.md#antrea-native-policy-ordering-based-on-priorities). + +```bash +antctl get networkpolicy --sort-by=effectivePriority +``` + Antrea Agent additionally supports printing NetworkPolicies applied to a specified local Pod using this `antctl` command: diff --git a/docs/antrea-network-policy.md b/docs/antrea-network-policy.md index 1cd8756ef6d..49ddfb5b84a 100644 --- a/docs/antrea-network-policy.md +++ b/docs/antrea-network-policy.md @@ -481,10 +481,10 @@ policies will be enforced last. Within a tier, Antrea-native Policy CRDs are ordered by the `priority` at the policy level. Thus, the policy with the highest precedence (lowest priority number value) is enforced first. This ordering is performed solely based on the -`priority` assigned as opposed to the "Kind" of the resource, i.e. the relative -ordering between a [ClusterNetworkPolicy resource](#antrea-clusternetworkpolicy) and an [Antrea NetworkPolicy -resource](#antrea-networkpolicy) within a Tier depends only on the `priority` -set in each of the two resources. +`priority` assigned, as opposed to the "Kind" of the resource, i.e. the relative +ordering between a [ClusterNetworkPolicy resource](#antrea-clusternetworkpolicy) and +an [Antrea NetworkPolicy resource](#antrea-networkpolicy) within a Tier depends only +on the `priority` set in each of the two resources. ### Rule enforcement based on priorities @@ -505,6 +505,25 @@ policy rules match, the packet is then enforced for rules created for K8s NP. If the packet still does not match any rule for K8s NP, it will then be evaluated against policies created in the "baseline" Tier. +The [antctl command](antctl.md#networkPolicy-commands) with 'sort-by=effectivePriority' +flag can be used to check the order of policy enforcement. +An example output will look like the following: + +```text +antctl get netpol --sort-by=effectivePriority +NAME APPLIED-TO RULES SOURCE TIER-PRIORITY PRIORITY +4c504456-9158-4838-bfab-f81665dfae12 85b88ddb-b474-5b44-93d3-c9192c09085e 1 AntreaClusterNetworkPolicy:acnp-1 250 1 +41e510e0-e430-4606-b4d9-261424184fba e36f8beb-9b0b-5b49-b1b7-5c5307cddd83 1 AntreaClusterNetworkPolicy:acnp-2 250 2 +819b8482-ede5-4423-910c-014b731fdba6 bb6711a1-87c7-5a15-9a4a-71bf49a78056 2 AntreaNetworkPolicy:anp-10 250 10 +4d18e031-f05a-48f6-bd91-0197b556ccca e216c104-770c-5731-bfd3-ff4ccbc38c39 2 K8sNetworkPolicy:default/test-1 +c547002a-d8c7-40f1-bdd1-8eb6d0217a67 e216c104-770c-5731-bfd3-ff4ccbc38c39 1 K8sNetworkPolicy:default/test-2 +aac8b8bc-f3bf-4c41-b6e0-2af1863204eb bb6711a1-87c7-5a15-9a4a-71bf49a78056 3 AntreaClusterNetworkPolicy:baseline 253 10 +``` + +The [ovs-pipeline doc](design/ovs-pipeline.md) contains more information on how +policy rules are realized by OpenFlow, and how the priority of flows reflects the +order in which they are enforced. + ## RBAC Antrea-native Policy CRDs are meant for admins to manage the security of their diff --git a/pkg/agent/apiserver/handlers/networkpolicy/handler.go b/pkg/agent/apiserver/handlers/networkpolicy/handler.go index 8d7748064c7..083bc092d14 100644 --- a/pkg/agent/apiserver/handlers/networkpolicy/handler.go +++ b/pkg/agent/apiserver/handlers/networkpolicy/handler.go @@ -48,7 +48,6 @@ func HandleFunc(aq agentquerier.AgentQuerier) http.HandlerFunc { } else { nps = npq.GetNetworkPolicies(npFilter) } - obj = cpv1beta.NetworkPolicyList{Items: nps} if err := json.NewEncoder(w).Encode(obj); err != nil { @@ -80,7 +79,6 @@ func newFilterFromURLQuery(query url.Values) (*querier.NetworkPolicyQueryFilter, } source := query.Get("source") - name := query.Get("name") if name != "" && (source != "" || namespace != "" || pod != "" || strSourceType != "") { return nil, fmt.Errorf("with a name, none of the other fields can be set") diff --git a/pkg/antctl/antctl.go b/pkg/antctl/antctl.go index a6ac9739f68..4767e0e76b4 100644 --- a/pkg/antctl/antctl.go +++ b/pkg/antctl/antctl.go @@ -109,6 +109,8 @@ var CommandList = &commandList{ $ antctl get networkpolicy 6001549b-ba63-4752-8267-30f52b4332db Get the list of all control plane NetworkPolicies $ antctl get networkpolicy + Get the list of all control plane NetworkPolicies, sorted by the order in which the policies are evaluated. + $ antctl get networkpolicy --sort-by=effectivePriority Get the control plane NetworkPolicy with a specific source (supported by agent only) $ antctl get networkpolicy -S allow-http -n ns1 Get the list of control plane NetworkPolicies whose source NetworkPolicies are in a Namespace (supported by agent only) diff --git a/pkg/antctl/command_definition.go b/pkg/antctl/command_definition.go index c77c9699170..91fec0e5682 100644 --- a/pkg/antctl/command_definition.go +++ b/pkg/antctl/command_definition.go @@ -47,7 +47,8 @@ const ( ) const ( - maxTableOutputColumnLength int = 50 + maxTableOutputColumnLength int = 50 + sortByEffectivePriority string = "effectivePriority" ) // commandGroup is used to group commands, it could be specified in commandDefinition. @@ -127,6 +128,14 @@ func (e *resourceEndpoint) flags() []flagInfo { usage: "Filter the resource by namespace", }) } + if e.groupVersionResource == &v1beta2.NetworkPolicyVersionResource { + flags = append(flags, flagInfo{ + name: "sort-by", + defaultValue: "", + supportedValues: []string{sortByEffectivePriority}, + usage: "Get NetworkPolicies in specific order. Current supported value is effectivePriority.", + }) + } return flags } @@ -151,16 +160,17 @@ type endpoint struct { // addonTransform is used to transform or update the response data received // from the handler, it must returns an interface which has same type as // TransformedResponse. - addonTransform func(reader io.Reader, single bool) (interface{}, error) + addonTransform func(reader io.Reader, single bool, opts map[string]string) (interface{}, error) } // flagInfo represents a command-line flag that can be provided when invoking an antctl command. type flagInfo struct { - name string - shorthand string - defaultValue string - arg bool - usage string + name string + shorthand string + defaultValue string + supportedValues []string + arg bool + usage string } // rawCommand defines a full function cobra.Command which lets developers @@ -200,7 +210,7 @@ func (cd *commandDefinition) namespaced() bool { return false } -func (cd *commandDefinition) getAddonTransform() func(reader io.Reader, single bool) (interface{}, error) { +func (cd *commandDefinition) getAddonTransform() func(reader io.Reader, single bool, opts map[string]string) (interface{}, error) { if runtime.Mode == runtime.ModeAgent && cd.agentEndpoint != nil { return cd.agentEndpoint.addonTransform } else if runtime.Mode == runtime.ModeController && cd.controllerEndpoint != nil { @@ -681,7 +691,7 @@ func (cd *commandDefinition) tableOutput(obj interface{}, writer io.Writer) erro // format. If the AddonTransform is set, it will use the function to transform // the data first. It will try to output the resp in the format ft specified after // doing transform. -func (cd *commandDefinition) output(resp io.Reader, writer io.Writer, ft formatterType, single bool) (err error) { +func (cd *commandDefinition) output(resp io.Reader, writer io.Writer, ft formatterType, single bool, args map[string]string) (err error) { var obj interface{} addonTransform := cd.getAddonTransform() @@ -695,7 +705,7 @@ func (cd *commandDefinition) output(resp io.Reader, writer io.Writer, ft formatt return fmt.Errorf("error when decoding response %v: %w", resp, err) } } else { - obj, err = addonTransform(resp, single) + obj, err = addonTransform(resp, single, args) if err != nil { return fmt.Errorf("error when doing local transform: %w", err) } @@ -718,7 +728,7 @@ func (cd *commandDefinition) output(resp io.Reader, writer io.Writer, ft formatt return cd.tableOutput(obj, writer) } default: - return fmt.Errorf("unsupport format type: %v", ft) + return fmt.Errorf("unsupported format type: %v", ft) } return nil } @@ -734,6 +744,9 @@ func (cd *commandDefinition) collectFlags(cmd *cobra.Command, args []string) (ma } else { vs, err := cmd.Flags().GetString(f.name) if err == nil && len(vs) != 0 { + if f.supportedValues != nil && !cd.validateFlagValue(vs, f.supportedValues) { + return nil, fmt.Errorf("unsupported value %s for flag %s", vs, f.name) + } argMap[f.name] = vs continue } @@ -746,6 +759,15 @@ func (cd *commandDefinition) collectFlags(cmd *cobra.Command, args []string) (ma return argMap, nil } +func (cd *commandDefinition) validateFlagValue(val string, supportedValues []string) bool { + for _, s := range supportedValues { + if s == val { + return true + } + } + return false +} + // newCommandRunE creates the RunE function for the command. The RunE function // checks the args according to argOption and flags. func (cd *commandDefinition) newCommandRunE(c *client) func(*cobra.Command, []string) error { @@ -780,7 +802,7 @@ func (cd *commandDefinition) newCommandRunE(c *client) func(*cobra.Command, []st return err } isSingle := cd.getEndpoint().OutputType() != multiple && (cd.getEndpoint().OutputType() == single || argGet) - return cd.output(resp, os.Stdout, formatterType(outputFormat), isSingle) + return cd.output(resp, os.Stdout, formatterType(outputFormat), isSingle, argMap) } } diff --git a/pkg/antctl/command_definition_test.go b/pkg/antctl/command_definition_test.go index 1f87fd94206..58570a98ec0 100644 --- a/pkg/antctl/command_definition_test.go +++ b/pkg/antctl/command_definition_test.go @@ -45,6 +45,11 @@ type Foobar struct { Foo string `json:"foo"` } +var ( + AntreaPolicyTierPriority = int32(250) + AntreaPolicyPriority = float64(1.0) +) + func TestCommandList_tableOutputForGetCommands(t *testing.T) { for _, tc := range []struct { name string @@ -172,6 +177,8 @@ foo2 ObjectMeta: metav1.ObjectMeta{ Name: "880db7e8-fc2a-4030-aefe-09afc5f341ad", }, + TierPriority: &AntreaPolicyTierPriority, + Priority: &AntreaPolicyPriority, AppliedToGroups: []string{"32ef631b-6817-5a18-86eb-93f4abf0467c"}, Rules: []cpv1beta.NetworkPolicyRule{ { @@ -192,9 +199,9 @@ foo2 }, }, }, - expected: `NAME APPLIED-TO RULES SOURCE -6001549b-ba63-4752-8267-30f52b4332db 32ef631b-6817-5a18-86eb-93f4abf0467c + 1 more... 1 K8sNetworkPolicy:default/allow-all -880db7e8-fc2a-4030-aefe-09afc5f341ad 32ef631b-6817-5a18-86eb-93f4abf0467c 2 AntreaNetworkPolicy:default/allow-all + expected: `NAME APPLIED-TO RULES SOURCE TIER-PRIORITY PRIORITY +6001549b-ba63-4752-8267-30f52b4332db 32ef631b-6817-5a18-86eb-93f4abf0467c + 1 more... 1 K8sNetworkPolicy:default/allow-all +880db7e8-fc2a-4030-aefe-09afc5f341ad 32ef631b-6817-5a18-86eb-93f4abf0467c 2 AntreaNetworkPolicy:default/allow-all 250 1 `, }, { @@ -297,7 +304,7 @@ func TestFormat(t *testing.T) { for _, tc := range []struct { name string single bool - transform func(reader io.Reader, single bool) (interface{}, error) + transform func(reader io.Reader, single bool, opts map[string]string) (interface{}, error) rawResponseData interface{} responseStruct reflect.Type expected string @@ -321,7 +328,7 @@ func TestFormat(t *testing.T) { { name: "StructureData-Transform-Single-Yaml", single: true, - transform: func(reader io.Reader, single bool) (i interface{}, err error) { + transform: func(reader io.Reader, single bool, opts map[string]string) (i interface{}, err error) { foo := &Foobar{} err = json.NewDecoder(reader).Decode(foo) return &struct{ Bar string }{Bar: foo.Foo}, err @@ -356,7 +363,7 @@ func TestFormat(t *testing.T) { responseData, err := json.Marshal(tc.rawResponseData) assert.Nil(t, err) var outputBuf bytes.Buffer - err = opt.output(bytes.NewBuffer(responseData), &outputBuf, tc.formatter, tc.single) + err = opt.output(bytes.NewBuffer(responseData), &outputBuf, tc.formatter, tc.single, map[string]string{}) assert.Nil(t, err) assert.Equal(t, tc.expected, outputBuf.String()) }) diff --git a/pkg/antctl/transform/addressgroup/transform.go b/pkg/antctl/transform/addressgroup/transform.go index 31fdbfae1c5..a34929e67a6 100644 --- a/pkg/antctl/transform/addressgroup/transform.go +++ b/pkg/antctl/transform/addressgroup/transform.go @@ -28,18 +28,18 @@ type Response struct { Pods []common.GroupMember `json:"pods,omitempty"` } -func listTransform(l interface{}) (interface{}, error) { +func listTransform(l interface{}, opts map[string]string) (interface{}, error) { groups := l.(*cpv1beta.AddressGroupList) result := []interface{}{} for i := range groups.Items { item := groups.Items[i] - o, _ := objectTransform(&item) + o, _ := objectTransform(&item, opts) result = append(result, o.(Response)) } return result, nil } -func objectTransform(o interface{}) (interface{}, error) { +func objectTransform(o interface{}, _ map[string]string) (interface{}, error) { group := o.(*cpv1beta.AddressGroup) var pods []common.GroupMember for _, pod := range group.GroupMembers { @@ -48,12 +48,13 @@ func objectTransform(o interface{}) (interface{}, error) { return Response{Name: group.Name, Pods: pods}, nil } -func Transform(reader io.Reader, single bool) (interface{}, error) { +func Transform(reader io.Reader, single bool, opts map[string]string) (interface{}, error) { return transform.GenericFactory( reflect.TypeOf(cpv1beta.AddressGroup{}), reflect.TypeOf(cpv1beta.AddressGroupList{}), objectTransform, listTransform, + opts, )(reader, single) } diff --git a/pkg/antctl/transform/appliedtogroup/transform.go b/pkg/antctl/transform/appliedtogroup/transform.go index 33d9201dc2c..d4298ad9ef8 100644 --- a/pkg/antctl/transform/appliedtogroup/transform.go +++ b/pkg/antctl/transform/appliedtogroup/transform.go @@ -28,18 +28,18 @@ type Response struct { Pods []common.GroupMember `json:"pods,omitempty"` } -func listTransform(l interface{}) (interface{}, error) { +func listTransform(l interface{}, opts map[string]string) (interface{}, error) { groups := l.(*cpv1beta.AppliedToGroupList) result := []Response{} for i := range groups.Items { group := groups.Items[i] - o, _ := objectTransform(&group) + o, _ := objectTransform(&group, opts) result = append(result, o.(Response)) } return result, nil } -func objectTransform(o interface{}) (interface{}, error) { +func objectTransform(o interface{}, _ map[string]string) (interface{}, error) { group := o.(*cpv1beta.AppliedToGroup) var pods []common.GroupMember for _, pod := range group.GroupMembers { @@ -48,12 +48,13 @@ func objectTransform(o interface{}) (interface{}, error) { return Response{Name: group.GetName(), Pods: pods}, nil } -func Transform(reader io.Reader, single bool) (interface{}, error) { +func Transform(reader io.Reader, single bool, opts map[string]string) (interface{}, error) { return transform.GenericFactory( reflect.TypeOf(cpv1beta.AppliedToGroup{}), reflect.TypeOf(cpv1beta.AppliedToGroupList{}), objectTransform, listTransform, + opts, )(reader, single) } diff --git a/pkg/antctl/transform/controllerinfo/transform.go b/pkg/antctl/transform/controllerinfo/transform.go index d11594fb775..a5ebca49328 100644 --- a/pkg/antctl/transform/controllerinfo/transform.go +++ b/pkg/antctl/transform/controllerinfo/transform.go @@ -38,7 +38,7 @@ type Response struct { ControllerConditions []clusterinfo.ControllerCondition `json:"controllerConditions,omitempty"` // Controller condition contains types like ControllerHealthy } -func Transform(reader io.Reader, _ bool) (interface{}, error) { +func Transform(reader io.Reader, _ bool, _ map[string]string) (interface{}, error) { b, err := ioutil.ReadAll(reader) if err != nil { return nil, err diff --git a/pkg/antctl/transform/networkpolicy/transform.go b/pkg/antctl/transform/networkpolicy/transform.go index d2cb671a249..094d82efe82 100644 --- a/pkg/antctl/transform/networkpolicy/transform.go +++ b/pkg/antctl/transform/networkpolicy/transform.go @@ -17,50 +17,121 @@ package networkpolicy import ( "io" "reflect" + "sort" "strconv" "github.com/vmware-tanzu/antrea/pkg/antctl/transform" "github.com/vmware-tanzu/antrea/pkg/antctl/transform/common" cpv1beta "github.com/vmware-tanzu/antrea/pkg/apis/controlplane/v1beta2" + "github.com/vmware-tanzu/antrea/pkg/controller/networkpolicy" ) type Response struct { *cpv1beta.NetworkPolicy } -func objectTransform(o interface{}) (interface{}, error) { +func objectTransform(o interface{}, _ map[string]string) (interface{}, error) { return Response{o.(*cpv1beta.NetworkPolicy)}, nil } -func listTransform(l interface{}) (interface{}, error) { +func listTransform(l interface{}, opts map[string]string) (interface{}, error) { policyList := l.(*cpv1beta.NetworkPolicyList) + sortBy := "" + if sb, ok := opts["sort-by"]; ok { + sortBy = sb + } + npSorter := &NPSorter{ + networkPolicies: policyList.Items, + sortBy: sortBy, + } + sort.Sort(npSorter) result := make([]Response, 0, len(policyList.Items)) - for i := range policyList.Items { - o, _ := objectTransform(&policyList.Items[i]) + for i := range npSorter.networkPolicies { + o, _ := objectTransform(&npSorter.networkPolicies[i], opts) result = append(result, o.(Response)) } return result, nil } -func Transform(reader io.Reader, single bool) (interface{}, error) { +func Transform(reader io.Reader, single bool, opts map[string]string) (interface{}, error) { return transform.GenericFactory( reflect.TypeOf(cpv1beta.NetworkPolicy{}), reflect.TypeOf(cpv1beta.NetworkPolicyList{}), objectTransform, listTransform, + opts, )(reader, single) } +const sortByEffectivePriority = "effectivePriority" + +// Compute a tierPriority value in between the application tier and the baseline tier, +// which can be used to sort all policies by tier. +var effectiveTierPriorityK8sNP = (networkpolicy.DefaultTierPriority + networkpolicy.BaselineTierPriority) / 2 + +type NPSorter struct { + networkPolicies []cpv1beta.NetworkPolicy + sortBy string +} + +func (nps *NPSorter) Len() int { return len(nps.networkPolicies) } +func (nps *NPSorter) Swap(i, j int) { + nps.networkPolicies[i], nps.networkPolicies[j] = nps.networkPolicies[j], nps.networkPolicies[i] +} +func (nps *NPSorter) Less(i, j int) bool { + switch nps.sortBy { + case sortByEffectivePriority: + var ti, tj int32 + if nps.networkPolicies[i].TierPriority == nil { + ti = effectiveTierPriorityK8sNP + } else { + ti = *nps.networkPolicies[i].TierPriority + } + if nps.networkPolicies[j].TierPriority == nil { + tj = effectiveTierPriorityK8sNP + } else { + tj = *nps.networkPolicies[j].TierPriority + } + if ti != tj { + return ti < tj + } + pi, pj := nps.networkPolicies[i].Priority, nps.networkPolicies[j].Priority + if pi != nil && pj != nil && *pi != *pj { + return *pi < *pj + } + fallthrough + default: + // Do not need a tie-breaker here since NetworkPolicy names are set as UID + // of the source policy and will be unique. + return nps.networkPolicies[i].Name < nps.networkPolicies[j].Name + } +} + +func priorityToString(p interface{}) string { + if reflect.ValueOf(p).IsNil() { + return "" + } else if pInt32, ok := p.(*int32); ok { + return strconv.Itoa(int(*pInt32)) + } else { + pFloat64, _ := p.(*float64) + return strconv.FormatFloat(*pFloat64, 'f', -1, 64) + } +} + var _ common.TableOutput = new(Response) func (r Response) GetTableHeader() []string { - return []string{"NAME", "APPLIED-TO", "RULES", "SOURCE"} + return []string{"NAME", "APPLIED-TO", "RULES", "SOURCE", "TIER-PRIORITY", "PRIORITY"} } func (r Response) GetTableRow(maxColumnLength int) []string { - return []string{r.Name, common.GenerateTableElementWithSummary(r.AppliedToGroups, maxColumnLength), strconv.Itoa(len(r.Rules)), r.SourceRef.ToString()} + return []string{ + r.Name, common.GenerateTableElementWithSummary(r.AppliedToGroups, maxColumnLength), + strconv.Itoa(len(r.Rules)), r.SourceRef.ToString(), + priorityToString(r.TierPriority), priorityToString(r.Priority), + } } func (r Response) SortRows() bool { - return true + return false } diff --git a/pkg/antctl/transform/utils.go b/pkg/antctl/transform/utils.go index 215fb49e7ef..fa023f17fe6 100644 --- a/pkg/antctl/transform/utils.go +++ b/pkg/antctl/transform/utils.go @@ -20,10 +20,10 @@ import ( "reflect" ) -type unary func(interface{}) (interface{}, error) +type unary func(interface{}, map[string]string) (interface{}, error) type FuncType func(reader io.Reader, single bool) (interface{}, error) -func GenericFactory(objType, listType reflect.Type, objTransform, listTransform unary) FuncType { +func GenericFactory(objType, listType reflect.Type, objTransform, listTransform unary, opts map[string]string) FuncType { return func(reader io.Reader, single bool) (interface{}, error) { var refType reflect.Type if single { @@ -36,9 +36,9 @@ func GenericFactory(objType, listType reflect.Type, objTransform, listTransform return nil, err } if single && objTransform != nil { - return objTransform(refVal.Interface()) + return objTransform(refVal.Interface(), opts) } else if !single && listTransform != nil { - return listTransform(refVal.Interface()) + return listTransform(refVal.Interface(), opts) } return refVal.Interface(), nil } diff --git a/pkg/antctl/transform/version/transform.go b/pkg/antctl/transform/version/transform.go index efc44aadfeb..bd4b839ede3 100644 --- a/pkg/antctl/transform/version/transform.go +++ b/pkg/antctl/transform/version/transform.go @@ -35,7 +35,7 @@ type Response struct { // AgentVersion is the AddonTransform for the version command. This function // will try to parse the response as a AgentVersionResponse and then populate // it with the version of antctl to a transformedVersionResponse object. -func AgentTransform(reader io.Reader, _ bool) (interface{}, error) { +func AgentTransform(reader io.Reader, _ bool, _ map[string]string) (interface{}, error) { b, err := ioutil.ReadAll(reader) if err != nil { return nil, err @@ -60,7 +60,7 @@ func AgentTransform(reader io.Reader, _ bool) (interface{}, error) { return resp, nil } -func ControllerTransform(reader io.Reader, _ bool) (interface{}, error) { +func ControllerTransform(reader io.Reader, _ bool, _ map[string]string) (interface{}, error) { b, err := ioutil.ReadAll(reader) if err != nil { return nil, err diff --git a/pkg/controller/networkpolicy/antreanetworkpolicy_test.go b/pkg/controller/networkpolicy/antreanetworkpolicy_test.go index 020f2bb5170..e1e4cacec3e 100644 --- a/pkg/controller/networkpolicy/antreanetworkpolicy_test.go +++ b/pkg/controller/networkpolicy/antreanetworkpolicy_test.go @@ -98,7 +98,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { UID: "uidA", }, Priority: &p10, - TierPriority: &defaultTierPriority, + TierPriority: &DefaultTierPriority, Rules: []controlplane.NetworkPolicyRule{ { Direction: controlplane.DirectionIn, @@ -183,7 +183,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { UID: "uidB", }, Priority: &p10, - TierPriority: &defaultTierPriority, + TierPriority: &DefaultTierPriority, Rules: []controlplane.NetworkPolicyRule{ { Direction: controlplane.DirectionIn, @@ -286,7 +286,7 @@ func TestAddANP(t *testing.T) { UID: "uidA", }, Priority: &p10, - TierPriority: &defaultTierPriority, + TierPriority: &DefaultTierPriority, Rules: []controlplane.NetworkPolicyRule{ { Direction: controlplane.DirectionIn, diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go index 3dc37dab62f..7da52d70cef 100644 --- a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go +++ b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go @@ -101,7 +101,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { UID: "uidA", }, Priority: &p10, - TierPriority: &defaultTierPriority, + TierPriority: &DefaultTierPriority, Rules: []controlplane.NetworkPolicyRule{ { Direction: controlplane.DirectionIn, @@ -185,7 +185,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { UID: "uidB", }, Priority: &p10, - TierPriority: &defaultTierPriority, + TierPriority: &DefaultTierPriority, Rules: []controlplane.NetworkPolicyRule{ { Direction: controlplane.DirectionIn, @@ -333,7 +333,7 @@ func TestAddCNP(t *testing.T) { appTier := secv1alpha1.Tier{ ObjectMeta: metav1.ObjectMeta{Name: "application", UID: "tA"}, Spec: secv1alpha1.TierSpec{ - Priority: defaultTierPriority, + Priority: DefaultTierPriority, }, } allowAction := secv1alpha1.RuleActionAllow @@ -390,7 +390,7 @@ func TestAddCNP(t *testing.T) { UID: "uidA", }, Priority: &p10, - TierPriority: &defaultTierPriority, + TierPriority: &DefaultTierPriority, Rules: []controlplane.NetworkPolicyRule{ { Direction: controlplane.DirectionIn, @@ -448,7 +448,7 @@ func TestAddCNP(t *testing.T) { UID: "uidB", }, Priority: &p10, - TierPriority: &defaultTierPriority, + TierPriority: &DefaultTierPriority, Rules: []controlplane.NetworkPolicyRule{ { Direction: controlplane.DirectionIn, @@ -640,7 +640,7 @@ func TestAddCNP(t *testing.T) { UID: "uidF", }, Priority: &p10, - TierPriority: &defaultTierPriority, + TierPriority: &DefaultTierPriority, Rules: []controlplane.NetworkPolicyRule{ { Direction: controlplane.DirectionIn, @@ -724,7 +724,7 @@ func TestAddCNP(t *testing.T) { UID: "uidG", }, Priority: &p10, - TierPriority: &defaultTierPriority, + TierPriority: &DefaultTierPriority, Rules: []controlplane.NetworkPolicyRule{ { Direction: controlplane.DirectionIn, @@ -810,7 +810,7 @@ func TestGetTierPriority(t *testing.T) { { name: "empty-tier-name", inputTier: nil, - expPrio: defaultTierPriority, + expPrio: DefaultTierPriority, }, { name: "tier10", diff --git a/pkg/controller/networkpolicy/crd_utils.go b/pkg/controller/networkpolicy/crd_utils.go index cd1fcf81569..56b8bfc82af 100644 --- a/pkg/controller/networkpolicy/crd_utils.go +++ b/pkg/controller/networkpolicy/crd_utils.go @@ -136,7 +136,7 @@ func (n *NetworkPolicyController) createAddressGroupForCRD(peer secv1alpha1.Netw // is returned. func (n *NetworkPolicyController) getTierPriority(tier string) int32 { if tier == "" { - return defaultTierPriority + return DefaultTierPriority } // If the tier name is part of the static tier name set, we need to convert // tier name to lowercase to match the corresponding Tier CRD name. This is @@ -151,7 +151,7 @@ func (n *NetworkPolicyController) getTierPriority(tier string) int32 { if err != nil { // This error should ideally not occur as we perform validation. klog.Errorf("Failed to retrieve Tier %s. Setting default tier priority: %v", tier, err) - return defaultTierPriority + return DefaultTierPriority } return t.Spec.Priority } diff --git a/pkg/controller/networkpolicy/tier.go b/pkg/controller/networkpolicy/tier.go index 1a41fcffe54..2246c968663 100644 --- a/pkg/controller/networkpolicy/tier.go +++ b/pkg/controller/networkpolicy/tier.go @@ -34,19 +34,19 @@ var ( // maxSupportedTiers is the soft limit on the maximum number of supported // Tiers. maxSupportedTiers = 20 - // defaultTierPriority maintains the priority for the system generated default Tier. + // DefaultTierPriority maintains the priority for the system generated default Tier. // This is the lowest priority for tiers that will be enforced before K8s NetworkPolicies. - defaultTierPriority = int32(250) - // baselineTierPriority maintains the priority for the system generated baseline Tier. + DefaultTierPriority = int32(250) + // BaselineTierPriority maintains the priority for the system generated baseline Tier. // This is the tier that will be enforced after K8s NetworkPolicies. - baselineTierPriority = int32(253) + BaselineTierPriority = int32(253) // defaultTierName maintains the name of the default Tier in Antrea. defaultTierName = "application" // priorityMap maintains the Tier priority associated with system generated // Tier names. priorityMap = map[string]int32{ - "baseline": baselineTierPriority, - defaultTierName: defaultTierPriority, + "baseline": BaselineTierPriority, + defaultTierName: DefaultTierPriority, "platform": int32(150), "networkops": int32(100), "securityops": int32(50),