Add Tier field for ANP and use UID as keyFunc for internal store

antrea-io · Aug 27, 2020 · e109aa4 · e109aa4
1 parent 0f1e8fb
commit e109aa4
Show file tree

Hide file tree

Showing 13 changed files with 145 additions and 13 deletions.
diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
@@ -230,6 +230,19 @@ metadata:
     app: antrea
   name: networkpolicies.security.antrea.tanzu.vmware.com
 spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.tier
+    description: The Tier to which this AntreaNetworkPolicy belongs to.
+    name: Tier
+    type: string
+  - JSONPath: .spec.priority
+    description: The Priority of this AntreaNetworkPolicy relative to other policies.
+    format: float
+    name: Priority
+    type: number
+  - JSONPath: .metadata.creationTimestamp
+    name: Age
+    type: date
   group: security.antrea.tanzu.vmware.com
   names:
     kind: NetworkPolicy
@@ -329,6 +342,14 @@ spec:
               maximum: 10000
               minimum: 1
               type: number
+            tier:
+              enum:
+              - Emergency
+              - SecurityOps
+              - NetworkOps
+              - Platform
+              - Application
+              type: string
           required:
           - appliedTo
           - priority

diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml
@@ -230,6 +230,19 @@ metadata:
     app: antrea
   name: networkpolicies.security.antrea.tanzu.vmware.com
 spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.tier
+    description: The Tier to which this AntreaNetworkPolicy belongs to.
+    name: Tier
+    type: string
+  - JSONPath: .spec.priority
+    description: The Priority of this AntreaNetworkPolicy relative to other policies.
+    format: float
+    name: Priority
+    type: number
+  - JSONPath: .metadata.creationTimestamp
+    name: Age
+    type: date
   group: security.antrea.tanzu.vmware.com
   names:
     kind: NetworkPolicy
@@ -329,6 +342,14 @@ spec:
               maximum: 10000
               minimum: 1
               type: number
+            tier:
+              enum:
+              - Emergency
+              - SecurityOps
+              - NetworkOps
+              - Platform
+              - Application
+              type: string
           required:
           - appliedTo
           - priority

diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml
@@ -230,6 +230,19 @@ metadata:
     app: antrea
   name: networkpolicies.security.antrea.tanzu.vmware.com
 spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.tier
+    description: The Tier to which this AntreaNetworkPolicy belongs to.
+    name: Tier
+    type: string
+  - JSONPath: .spec.priority
+    description: The Priority of this AntreaNetworkPolicy relative to other policies.
+    format: float
+    name: Priority
+    type: number
+  - JSONPath: .metadata.creationTimestamp
+    name: Age
+    type: date
   group: security.antrea.tanzu.vmware.com
   names:
     kind: NetworkPolicy
@@ -329,6 +342,14 @@ spec:
               maximum: 10000
               minimum: 1
               type: number
+            tier:
+              enum:
+              - Emergency
+              - SecurityOps
+              - NetworkOps
+              - Platform
+              - Application
+              type: string
           required:
           - appliedTo
           - priority

diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml
@@ -230,6 +230,19 @@ metadata:
     app: antrea
   name: networkpolicies.security.antrea.tanzu.vmware.com
 spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.tier
+    description: The Tier to which this AntreaNetworkPolicy belongs to.
+    name: Tier
+    type: string
+  - JSONPath: .spec.priority
+    description: The Priority of this AntreaNetworkPolicy relative to other policies.
+    format: float
+    name: Priority
+    type: number
+  - JSONPath: .metadata.creationTimestamp
+    name: Age
+    type: date
   group: security.antrea.tanzu.vmware.com
   names:
     kind: NetworkPolicy
@@ -329,6 +342,14 @@ spec:
               maximum: 10000
               minimum: 1
               type: number
+            tier:
+              enum:
+              - Emergency
+              - SecurityOps
+              - NetworkOps
+              - Platform
+              - Application
+              type: string
           required:
           - appliedTo
           - priority

diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml
@@ -230,6 +230,19 @@ metadata:
     app: antrea
   name: networkpolicies.security.antrea.tanzu.vmware.com
 spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.tier
+    description: The Tier to which this AntreaNetworkPolicy belongs to.
+    name: Tier
+    type: string
+  - JSONPath: .spec.priority
+    description: The Priority of this AntreaNetworkPolicy relative to other policies.
+    format: float
+    name: Priority
+    type: number
+  - JSONPath: .metadata.creationTimestamp
+    name: Age
+    type: date
   group: security.antrea.tanzu.vmware.com
   names:
     kind: NetworkPolicy
@@ -329,6 +342,14 @@ spec:
               maximum: 10000
               minimum: 1
               type: number
+            tier:
+              enum:
+              - Emergency
+              - SecurityOps
+              - NetworkOps
+              - Platform
+              - Application
+              type: string
           required:
           - appliedTo
           - priority

diff --git a/build/yamls/base/crds.yml b/build/yamls/base/crds.yml
@@ -356,6 +356,19 @@ spec:
       - anp
   # Prune any unknown fields
   preserveUnknownFields: false
+  additionalPrinterColumns:
+    - name: Tier
+      type: string
+      description: The Tier to which this AntreaNetworkPolicy belongs to.
+      JSONPath: .spec.tier
+    - name: Priority
+      type: number
+      format: float
+      description: The Priority of this AntreaNetworkPolicy relative to other policies.
+      JSONPath: .spec.priority
+    - name: Age
+      type: date
+      JSONPath: .metadata.creationTimestamp
   validation:
     openAPIV3Schema:
       type: object
@@ -367,6 +380,9 @@ spec:
             - priority
           type: object
           properties:
+            tier:
+              type: string
+              enum: ['Emergency', 'SecurityOps', 'NetworkOps', 'Platform', 'Application']
             priority:
               type: number
               format: float

diff --git a/pkg/controller/networkpolicy/antreanetworkpolicy.go b/pkg/controller/networkpolicy/antreanetworkpolicy.go
@@ -155,13 +155,15 @@ func (n *NetworkPolicyController) processAntreaNetworkPolicy(np *secv1alpha1.Net
 			Priority:  int32(idx),
 		})
 	}
+	tierPriority := getTierPriority(np.Spec.Tier)
 	internalNetworkPolicy := &antreatypes.NetworkPolicy{
 		Name:            np.Name,
 		Namespace:       np.Namespace,
 		UID:             np.UID,
 		AppliedToGroups: appliedToGroupNames,
 		Rules:           rules,
 		Priority:        &np.Spec.Priority,
+		TierPriority:    &tierPriority,
 	}
 	return internalNetworkPolicy
 }
diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy.go b/pkg/controller/networkpolicy/clusternetworkpolicy.go
@@ -127,16 +127,6 @@ func (n *NetworkPolicyController) deleteCNP(old interface{}) {
 	n.deleteDereferencedAddressGroups(oldInternalNP)
 }
 
-// getTierPriority retrieves the priority associated with the input Tier name.
-// If the Tier name is empty, by default, the lowest priority Application Tier
-// is returned.
-func getTierPriority(tier string) networking.TierPriority {
-	if tier == "" {
-		return antreatypes.TierApplication
-	}
-	return tierPriorityMap[tier]
-}
-
 // processClusterNetworkPolicy creates an internal NetworkPolicy instance
 // corresponding to the secv1alpha1.ClusterNetworkPolicy object. This method
 // does not commit the internal NetworkPolicy in store, instead returns an

diff --git a/pkg/controller/networkpolicy/crd_utils.go b/pkg/controller/networkpolicy/crd_utils.go
@@ -128,3 +128,13 @@ func (n *NetworkPolicyController) createAddressGroupForCRD(peer secv1alpha1.Netw
 	n.addressGroupStore.Create(addressGroup)
 	return normalizedUID
 }
+
+// getTierPriority retrieves the priority associated with the input Tier name.
+// If the Tier name is empty, by default, the lowest priority Application Tier
+// is returned.
+func getTierPriority(tier string) networking.TierPriority {
+	if tier == "" {
+		return antreatypes.TierApplication
+	}
+	return tierPriorityMap[tier]
+}
diff --git a/pkg/controller/networkpolicy/networkpolicy_controller.go b/pkg/controller/networkpolicy/networkpolicy_controller.go
@@ -77,7 +77,7 @@ const (
 )
 
 var (
-	keyFunc = cache.DeletionHandlingMetaNamespaceKeyFunc
+	keyFunc = InternalNetworkPolicyKeyFunc
 
 	// uuidNamespace is a uuid.UUID type generated from a string to be
 	// used to generate uuid.UUID for internal Antrea objects like
@@ -290,6 +290,10 @@ func (n *NetworkPolicyController) heartbeat(name string) {
 	}
 }
 
+func InternalNetworkPolicyKeyFunc(obj metav1.Object) (string, error) {
+	return string(obj.GetUID()), nil
+}
+
 func (n *NetworkPolicyController) GetNetworkPolicyNum() int {
 	return len(n.internalNetworkPolicyStore.List())
 }

diff --git a/pkg/controller/networkpolicy/networkpolicy_controller_query_test.go b/pkg/controller/networkpolicy/networkpolicy_controller_query_test.go
@@ -24,6 +24,7 @@ import (
 	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
 
 	"github.com/vmware-tanzu/antrea/pkg/apis/networking/v1beta1"
 )
@@ -86,6 +87,7 @@ var policies = []*networkingv1.NetworkPolicy{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "test-ingress-egress",
 			Namespace: "testNamespace",
+			UID:       types.UID("uid-1"),
 		},
 		Spec: networkingv1.NetworkPolicySpec{
 			PodSelector: metav1.LabelSelector{
@@ -123,6 +125,7 @@ var policies = []*networkingv1.NetworkPolicy{
 	{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "default-deny-egress",
+			UID:  types.UID("uid-2"),
 		},
 		Spec: networkingv1.NetworkPolicySpec{
 			PodSelector: metav1.LabelSelector{

diff --git a/pkg/controller/networkpolicy/store/networkpolicy.go b/pkg/controller/networkpolicy/store/networkpolicy.go
@@ -26,7 +26,6 @@ import (
 	"github.com/vmware-tanzu/antrea/pkg/apiserver/storage"
 	"github.com/vmware-tanzu/antrea/pkg/apiserver/storage/ram"
 	"github.com/vmware-tanzu/antrea/pkg/controller/types"
-	"github.com/vmware-tanzu/antrea/pkg/k8s"
 )
 
 const (
@@ -122,7 +121,7 @@ func NetworkPolicyKeyFunc(obj interface{}) (string, error) {
 	if !ok {
 		return "", fmt.Errorf("object is not *types.NetworkPolicy: %v", obj)
 	}
-	return k8s.NamespacedName(policy.Namespace, policy.Name), nil
+	return string(policy.UID), nil
 }
 
 // NewNetworkPolicyStore creates a store of NetworkPolicy.

diff --git a/pkg/controller/networkpolicy/store/networkpolicy_test.go b/pkg/controller/networkpolicy/store/networkpolicy_test.go
@@ -22,6 +22,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
+	apitypes "k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/watch"
 
@@ -156,6 +157,7 @@ func TestGetNetworkPolicyByIndex(t *testing.T) {
 	policy1 := &types.NetworkPolicy{
 		Namespace: "foo",
 		Name:      "bar",
+		UID:       apitypes.UID("uid-1"),
 		Rules: []networking.NetworkPolicyRule{{
 			Direction: networking.DirectionIn,
 			From:      networking.NetworkPolicyPeer{AddressGroups: []string{"addressGroup1"}},
@@ -166,6 +168,7 @@ func TestGetNetworkPolicyByIndex(t *testing.T) {
 	policy2 := &types.NetworkPolicy{
 		Namespace: "foo2",
 		Name:      "bar2",
+		UID:       apitypes.UID("uid-2"),
 		Rules: []networking.NetworkPolicyRule{{
 			Direction: networking.DirectionIn,
 			From:      networking.NetworkPolicyPeer{AddressGroups: []string{"addressGroup1", "addressGroup2"}},