

Update Emergency Tier's Priority to 50 (#1665)
This PR updates the priority of the Tiers created by Antrea and spaces them out evenly. The current Antrea-generated Tier
priorities do not leave enough room for user-defined Tiers to be created; for example, the Emergency Tier allows only 4 user-
created Tiers with a higher priority. Since it is ultimately up to users which Tiers go on top, and the purpose of the
Antrea-created Tiers is mainly convenience, we decided to distribute the priorities more evenly across the available
priority space. For example, setting the priority of the topmost Tier, Emergency, to a value of 50 gives enough room for
admins to create their own Tier hierarchy without having to rely on the Antrea-created Tiers.
abhiraut committed Dec 22, 2020
1 parent 7a43f99 commit 7ce1c75
Showing 11 changed files with 123 additions and 26 deletions.
5 changes: 5 additions & 0 deletions build/yamls/antrea-aks.yml
Expand Up @@ -1075,6 +1075,7 @@ rules:
- watch
- list
- create
- update
- apiGroups:
- ops.antrea.tanzu.vmware.com
resources:
Expand Down Expand Up @@ -1377,6 +1378,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: SERVICEACCOUNT_NAME
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
name: antrea-controller
5 changes: 5 additions & 0 deletions build/yamls/antrea-eks.yml
Expand Up @@ -1075,6 +1075,7 @@ rules:
- watch
- list
- create
- update
- apiGroups:
- ops.antrea.tanzu.vmware.com
resources:
Expand Down Expand Up @@ -1377,6 +1378,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: SERVICEACCOUNT_NAME
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
name: antrea-controller
5 changes: 5 additions & 0 deletions build/yamls/antrea-gke.yml
Expand Up @@ -1075,6 +1075,7 @@ rules:
- watch
- list
- create
- update
- apiGroups:
- ops.antrea.tanzu.vmware.com
resources:
Expand Down Expand Up @@ -1377,6 +1378,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: SERVICEACCOUNT_NAME
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
name: antrea-controller
5 changes: 5 additions & 0 deletions build/yamls/antrea-ipsec.yml
Expand Up @@ -1075,6 +1075,7 @@ rules:
- watch
- list
- create
- update
- apiGroups:
- ops.antrea.tanzu.vmware.com
resources:
Expand Down Expand Up @@ -1391,6 +1392,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: SERVICEACCOUNT_NAME
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
name: antrea-controller
5 changes: 5 additions & 0 deletions build/yamls/antrea.yml
Expand Up @@ -1075,6 +1075,7 @@ rules:
- watch
- list
- create
- update
- apiGroups:
- ops.antrea.tanzu.vmware.com
resources:
Expand Down Expand Up @@ -1382,6 +1383,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: SERVICEACCOUNT_NAME
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
name: antrea-controller
1 change: 1 addition & 0 deletions build/yamls/base/controller-rbac.yml
Expand Up @@ -130,6 +130,7 @@ rules:
- watch
- list
- create
- update
- apiGroups:
- ops.antrea.tanzu.vmware.com
resources:
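Review bot: The new `update` verb at line 136 widens the controller's RBAC, but nothing in the manifest says why; the resource list this rule applies to is above the hunk, so I am inferring from the tier.go change in this commit that it is the Tier resource. A one-line comment keeps the grant reviewable the next time the rules are audited: `# update: lets the controller reconcile the priority of the system-generated Tiers on startup`. If the rule also covers resources other than Tiers, the verb should be split into its own rule so that update is granted only where it is needed.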
5 changes: 5 additions & 0 deletions build/yamls/base/controller.yml
Expand Up @@ -222,6 +222,11 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
# Provide ServiceAccount name for validation webhook.
- name: SERVICEACCOUNT_NAME
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
ports:
- containerPort: 10349
name: api
16 changes: 8 additions & 8 deletions docs/antrea-network-policy.md
Expand Up @@ -86,10 +86,10 @@ Tier CRD object, that will be enforced after developer-created K8s NetworkPolici
The details for these tiers are shown below:

```text
Emergency -> Tier name "emergency" with priority "5"
SecurityOps -> Tier name "securityops" with priority "50"
NetworkOps -> Tier name "networkops" with priority "100"
Platform -> Tier name "platform" with priority "150"
Emergency -> Tier name "emergency" with priority "50"
SecurityOps -> Tier name "securityops" with priority "100"
NetworkOps -> Tier name "networkops" with priority "150"
Platform -> Tier name "platform" with priority "200"
Application -> Tier name "application" with priority "250"
Baseline -> Tier name "baseline" with priority "253"
```
Expand Down Expand Up @@ -149,10 +149,10 @@ All of the above commands produce output similar to what is shown below:

```text
NAME PRIORITY AGE
emergency 5 27h
securityops 50 27h
networkops 100 27h
platform 150 27h
emergency 50 27h
securityops 100 27h
networkops 150 27h
platform 200 27h
application 250 27h
```

77 changes: 59 additions & 18 deletions pkg/controller/networkpolicy/tier.go
Expand Up @@ -42,15 +42,21 @@ var (
BaselineTierPriority = int32(253)
// defaultTierName maintains the name of the default Tier in Antrea.
defaultTierName = "application"
// emergencyTierName maintains the name of the Emergency Tier in Antrea.
emergencyTierName = "emergency"
securityOpsTierName = "securityops"
networkOpsTierName = "networkops"
platformTierName = "platform"
baselineTierName = "baseline"
// priorityMap maintains the Tier priority associated with system generated
// Tier names.
priorityMap = map[string]int32{
"baseline": BaselineTierPriority,
defaultTierName: DefaultTierPriority,
"platform": int32(150),
"networkops": int32(100),
"securityops": int32(50),
"emergency": int32(5),
baselineTierName: BaselineTierPriority,
defaultTierName: DefaultTierPriority,
platformTierName: int32(200),
networkOpsTierName: int32(150),
securityOpsTierName: int32(100),
emergencyTierName: int32(50),
}
// staticTierSet maintains the names of the static tiers such that they can
// be converted to corresponding Tier CRD names.
Expand All @@ -59,10 +65,10 @@ var (
systemGeneratedTiers = []*secv1alpha1.Tier{
{
ObjectMeta: metav1.ObjectMeta{
Name: "baseline",
Name: baselineTierName,
},
Spec: secv1alpha1.TierSpec{
Priority: priorityMap["baseline"],
Priority: priorityMap[baselineTierName],
Description: "[READ-ONLY]: System generated Baseline Tier",
},
},
Expand All @@ -77,37 +83,37 @@ var (
},
{
ObjectMeta: metav1.ObjectMeta{
Name: "platform",
Name: platformTierName,
},
Spec: secv1alpha1.TierSpec{
Priority: priorityMap["platform"],
Priority: priorityMap[platformTierName],
Description: "[READ-ONLY]: System generated Platform Tier",
},
},
{
ObjectMeta: metav1.ObjectMeta{
Name: "networkops",
Name: networkOpsTierName,
},
Spec: secv1alpha1.TierSpec{
Priority: priorityMap["networkops"],
Priority: priorityMap[networkOpsTierName],
Description: "[READ-ONLY]: System generated NetworkOps Tier",
},
},
{
ObjectMeta: metav1.ObjectMeta{
Name: "securityops",
Name: securityOpsTierName,
},
Spec: secv1alpha1.TierSpec{
Priority: priorityMap["securityops"],
Priority: priorityMap[securityOpsTierName],
Description: "[READ-ONLY]: System generated SecurityOps Tier",
},
},
{
ObjectMeta: metav1.ObjectMeta{
Name: "emergency",
Name: emergencyTierName,
},
Spec: secv1alpha1.TierSpec{
Priority: priorityMap["emergency"],
Priority: priorityMap[emergencyTierName],
Description: "[READ-ONLY]: System generated Emergency Tier",
},
},
Expand All @@ -121,10 +127,17 @@ var (
func (n *NetworkPolicyController) InitializeTiers() {
for _, t := range systemGeneratedTiers {
// Check if Tier is already present.
_, err := n.tierLister.Get(t.Name)
oldTier, err := n.tierLister.Get(t.Name)
if err == nil {
// Tier is already present.
klog.V(2).Infof("%s Tier already created", t.Name)
// Update Tier Priority if it is not set to desired Priority.
expPrio := priorityMap[t.Name]
if oldTier.Spec.Priority != expPrio {
tToUpdate := oldTier.DeepCopy()
tToUpdate.Spec.Priority = expPrio
n.updateTier(tToUpdate)
}
continue
}
n.initTier(t)
Expand All @@ -146,7 +159,35 @@ func (n *NetworkPolicyController) initTier(t *secv1alpha1.Tier) {
klog.Warningf("Failed to create %s Tier on init: %v. Retry attempt: %d", t.Name, err, retryAttempt)
// Tier creation may fail because antrea APIService is not yet ready
// to accept requests for validation. Retry fixed number of times
// not exceeding 2 * 5 = 10s.
// not exceeding 8s.
time.Sleep(backoff)
backoff *= 2
if backoff > maxBackoffTime {
backoff = maxBackoffTime
}
retryAttempt += 1
continue
}
return
}
}

// updateTier attempts to update Tiers using an
// exponential backoff period from 1 to max of 8secs.
func (n *NetworkPolicyController) updateTier(t *secv1alpha1.Tier) {
var err error
const maxBackoffTime = 8 * time.Second
backoff := 1 * time.Second
retryAttempt := 1
for {
klog.V(2).Infof("Updating %s Tier", t.Name)
_, err = n.crdClient.SecurityV1alpha1().Tiers().Update(context.TODO(), t, metav1.UpdateOptions{})
// Attempt to update Tier after a backoff.
if err != nil {
klog.Warningf("Failed to update %s Tier on init: %v. Retry attempt: %d", t.Name, err, retryAttempt)
// Tier update may fail because antrea APIService is not yet ready
// to accept requests for validation. Retry fixed number of times
// not exceeding 8s.
time.Sleep(backoff)
backoff *= 2
if backoff > maxBackoffTime {
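Review bot: A Conflict returned by the Update call at line 324 is never recovered from: `t` is the DeepCopy of the object read from the informer cache in InitializeTiers, so it carries that cache's resourceVersion, and every retry re-sends the same object, which makes all attempts fail for as long as the cache was stale. Clearing the resourceVersion would not help, because custom resources do not accept unconditional updates; the object needs a fresh resourceVersion from the API server before the next attempt (client-go's `retry.RetryOnConflict` with a Get inside the closure is the usual shape), otherwise the backoff only delays the same failure. The loop's exit condition and the "fixed number of times" mentioned in the comment are outside the hunk, so I cannot tell how many attempts would be wasted.
```go
		_, err = n.crdClient.SecurityV1alpha1().Tiers().Update(context.TODO(), t, metav1.UpdateOptions{})
		if err != nil {
			klog.Warningf("Failed to update %s Tier on init: %v. Retry attempt: %d", t.Name, err, retryAttempt)
			// The resourceVersion came from the informer cache; if it is stale the
			// same object can never be accepted, so refresh it before retrying.
			if fresh, gerr := n.crdClient.SecurityV1alpha1().Tiers().Get(context.TODO(), t.Name, metav1.GetOptions{}); gerr == nil {
				t.ResourceVersion = fresh.ResourceVersion
			}
			// … unchanged: backoff sleep, cap and retryAttempt bookkeeping …
```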
14 changes: 14 additions & 0 deletions pkg/controller/networkpolicy/validate.go
Expand Up @@ -24,9 +24,11 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apiserver/pkg/authentication/serviceaccount"
"k8s.io/klog"

secv1alpha1 "github.com/vmware-tanzu/antrea/pkg/apis/security/v1alpha1"
"github.com/vmware-tanzu/antrea/pkg/util/env"
)

// validator interface introduces the set of functions that must be implemented
Expand Down Expand Up @@ -68,6 +70,8 @@ var (
reservedTierNames = sets.NewString("baseline", "application", "platform", "networkops", "securityops", "emergency")
)

const defaultControllerNamespace = "kube-system"

// RegisterAntreaPolicyValidator registers an Antrea-native policy validator
// to the resource registry. A new validator must be registered by calling
// this function before the Run phase of the APIServer.
Expand Down Expand Up @@ -449,6 +453,16 @@ func (t *tierValidator) updateValidate(curObj, oldObj interface{}, userInfo auth
reason := ""
curTier := curObj.(*secv1alpha1.Tier)
oldTier := oldObj.(*secv1alpha1.Tier)
// Retrieve antrea-controller's Namespace
namespace := env.GetPodNamespace()
if namespace == "" {
// antrea-controller by default is created in the kube-system Namespace
namespace = defaultControllerNamespace
}
// Allow exception of Tier Priority updates performed by the antrea-controller
if serviceaccount.MatchesUsername(namespace, env.GetAntreaControllerServiceAccount(), userInfo.Username) {
return "", true
}
if curTier.Spec.Priority != oldTier.Spec.Priority {
allowed = false
reason = "update to Tier priority is not allowed"
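Review bot: The early `return "", true` at lines 369-371 exempts the antrea-controller ServiceAccount from every check in updateValidate, not only from the priority comparison that the comment at line 368 describes; if there are further checks after line 374 (the function continues outside the hunk), the controller bypasses those as well. Scoping the exemption to the one field the controller needs keeps the validator's least-privilege behaviour: `isController := serviceaccount.MatchesUsername(namespace, env.GetAntreaControllerServiceAccount(), userInfo.Username)` followed by `if curTier.Spec.Priority != oldTier.Spec.Priority && !isController {`. The namespace and ServiceAccount name are also re-read from the environment on every admission request although they cannot change during the process lifetime; computing them once when the validator is registered would be cheaper and lets the resolved identity be logged at startup.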
11 changes: 11 additions & 0 deletions pkg/util/env/env.go
Expand Up @@ -26,6 +26,7 @@ const (
nodeNameEnvKey = "NODE_NAME"
podNameEnvKey = "POD_NAME"
podNamespaceEnvKey = "POD_NAMESPACE"
svcAcctNameEnvKey = "SERVICEACCOUNT_NAME"

antreaCloudEKSEnvKey = "ANTREA_CLOUD_EKS"
)
Expand Down Expand Up @@ -66,6 +67,16 @@ func GetPodNamespace() string {
return podNamespace
}

// GetAntreaControllerServiceAccountName returns the ServiceAccount name associated with antrea-controller.
func GetAntreaControllerServiceAccount() string {
svcAcctName := os.Getenv(svcAcctNameEnvKey)
if svcAcctName == "" {
// default value set for antrea-controller
svcAcctName = "antrea-controller"
}
return svcAcctName
}

func getBoolEnvVar(name string, defaultValue bool) bool {
if strValue := os.Getenv(name); strValue != "" {
parsedValue, err := strconv.ParseBool(strValue)
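Review bot: The doc comment at line 390 names `GetAntreaControllerServiceAccountName`, but the function declared at line 391 is `GetAntreaControllerServiceAccount`; Go doc comments are expected to start with the declared name, and the usual linters flag the mismatch. The comment should also state the fallback, since the validating webhook relies on it: `// GetAntreaControllerServiceAccount returns the ServiceAccount name of antrea-controller, read from SERVICEACCOUNT_NAME and defaulting to "antrea-controller" when the variable is unset.` A named constant for that default, placed next to svcAcctNameEnvKey at line 382, would keep the key and its default together the way the rest of the const block groups the keys.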

