Register consecutive priorities in batch #1331

Merged
merged 2 commits into from Oct 15, 2020
23 changes: 21 additions & 2 deletions pkg/agent/controller/networkpolicy/cache.go
Expand Up @@ -64,6 +64,8 @@ type rule struct {
Action *secv1alpha1.RuleAction
// Priority of this rule within the NetworkPolicy. Defaults to -1 for K8s NetworkPolicy.
Priority int32
// The highest rule Priority within the NetworkPolicy. Defaults to -1 for K8s NetworkPolicy.
MaxPriority int32
// Priority of the NetworkPolicy to which this rule belong. nil for K8s NetworkPolicy.
PolicyPriority *float64
// Priority of the tier that the NetworkPolicy belongs to. nil for K8s NetworkPolicy.
Expand Down Expand Up @@ -560,7 +562,7 @@ func (c *ruleCache) DeleteAppliedToGroup(group *v1beta1.AppliedToGroup) error {
}

// toRule converts v1beta1.NetworkPolicyRule to *rule.
func toRule(r *v1beta1.NetworkPolicyRule, policy *v1beta1.NetworkPolicy) *rule {
func toRule(r *v1beta1.NetworkPolicyRule, policy *v1beta1.NetworkPolicy, maxPriority int32) *rule {
rule := &rule{
Direction: r.Direction,
From: r.From,
Expand All @@ -577,9 +579,25 @@ func toRule(r *v1beta1.NetworkPolicyRule, policy *v1beta1.NetworkPolicy) *rule {
rule.ID = hashRule(rule)
rule.PolicyNamespace = policy.Namespace
rule.PolicyName = policy.Name
rule.MaxPriority = maxPriority
return rule
}

// getMaxPriority returns the highest rule priority for v1beta1.NetworkPolicy that is created
// by Antrea-native policies. For K8s NetworkPolicies, it always returns -1.
func getMaxPriority(policy *v1beta1.NetworkPolicy) int32 {
if policy.SourceRef.Type == v1beta1.K8sNetworkPolicy {
return -1
}
maxPriority := int32(-1)
for _, r := range policy.Rules {
if r.Priority > maxPriority {
maxPriority = r.Priority
}
}
return maxPriority
}

// GetNetworkPolicyNum gets the number of NetworkPolicy.
func (c *ruleCache) GetNetworkPolicyNum() int {
c.policyMapLock.RLock()
Expand Down Expand Up @@ -637,8 +655,9 @@ func (c *ruleCache) UpdateNetworkPolicy(policy *v1beta1.NetworkPolicy) error {
ruleByID[r.(*rule).ID] = r
}

maxPriority := getMaxPriority(policy)
for i := range policy.Rules {
r := toRule(&policy.Rules[i], policy)
r := toRule(&policy.Rules[i], policy, maxPriority)
if _, exists := ruleByID[r.ID]; exists {
// If rule already exists, remove it from the map so the ones left finally are orphaned.
klog.V(2).Infof("Rule %v was not changed", r.ID)
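Review bot: In toRule, `rule.MaxPriority = maxPriority` is assigned after `rule.ID = hashRule(rule)`, so MaxPriority is not part of a rule's identity, and UpdateNetworkPolicy treats any rule whose ID is already cached as "not changed"; if the cached rule is kept there (the branch after the `exists` check is outside this hunk), adding a higher-priority rule to an existing Antrea-native policy leaves the other rules carrying a stale MaxPriority. Whether that is harmful depends on how the reconciler consumes MaxPriority, which this diff does not show; if it drives the batch priority registration the PR title refers to, the cached rule should be refreshed when the value differs, e.g. by checking `existing.(*rule).MaxPriority != r.MaxPriority` before treating the rule as unchanged, rather than relying on ID equality alone. Separately, getMaxPriority dereferences `policy.SourceRef` with no nil check; every pre-existing NetworkPolicy fixture in cache_test.go had to gain a SourceRef in this PR, which suggests a nil SourceRef was tolerated before, so `if policy.SourceRef == nil || policy.SourceRef.Type == v1beta1.K8sNetworkPolicy {` would preserve that and avoid a panic in the agent. The doc comment on getMaxPriority could also state that an Antrea-native policy with no rules yields the same -1 sentinel as a K8s policy. UpdateNetworkPolicy starts and ends outside the hunk.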
116 changes: 109 additions & 7 deletions pkg/agent/controller/networkpolicy/cache_test.go
Expand Up @@ -28,6 +28,10 @@ import (
"github.com/vmware-tanzu/antrea/pkg/apis/controlplane/v1beta1"
)

var (
k8sNPMaxPriority = int32(-1)
)

func TestAddressGroupIndexFunc(t *testing.T) {
tests := []struct {
name string
Expand Down Expand Up @@ -106,6 +110,62 @@ func TestAppliedToGroupIndexFunc(t *testing.T) {
}
}

func TestGetMaxPriority(t *testing.T) {
networkPolicyRule1 := &v1beta1.NetworkPolicyRule{
Direction: v1beta1.DirectionIn,
From: v1beta1.NetworkPolicyPeer{AddressGroups: []string{"addressGroup1"}},
To: v1beta1.NetworkPolicyPeer{},
Services: nil,
}
networkPolicyRule2 := &v1beta1.NetworkPolicyRule{
Direction: v1beta1.DirectionIn,
From: v1beta1.NetworkPolicyPeer{AddressGroups: []string{"addressGroup2"}},
To: v1beta1.NetworkPolicyPeer{},
Services: nil,
Priority: 0,
}
networkPolicyRule3 := &v1beta1.NetworkPolicyRule{
Direction: v1beta1.DirectionIn,
From: v1beta1.NetworkPolicyPeer{AddressGroups: []string{"addressGroup3"}},
To: v1beta1.NetworkPolicyPeer{},
Services: nil,
Priority: 1,
}
networkPolicyRule4 := &v1beta1.NetworkPolicyRule{
Direction: v1beta1.DirectionOut,
From: v1beta1.NetworkPolicyPeer{AddressGroups: []string{"addressGroup4"}},
To: v1beta1.NetworkPolicyPeer{},
Services: nil,
Priority: 0,
}
k8sNP := &v1beta1.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{UID: "policy1"},
Rules: []v1beta1.NetworkPolicyRule{*networkPolicyRule1},
AppliedToGroups: []string{"addressGroup1"},
SourceRef: &v1beta1.NetworkPolicyReference{
Type: v1beta1.K8sNetworkPolicy,
Namespace: "ns1",
Name: "name1",
UID: "policy1",
},
}
acnpPriority, acnpTier := 1.0, int32(250)
antreaNP := &v1beta1.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{UID: "policy2"},
Priority: &acnpPriority,
TierPriority: &acnpTier,
Rules: []v1beta1.NetworkPolicyRule{*networkPolicyRule2, *networkPolicyRule3, *networkPolicyRule4},
AppliedToGroups: []string{"addressGroup1"},
SourceRef: &v1beta1.NetworkPolicyReference{
Type: v1beta1.AntreaClusterNetworkPolicy,
Name: "acnp1",
UID: "policy-acnp",
},
}
assert.Equal(t, int32(-1), getMaxPriority(k8sNP), "got unexpected maxPriority for K8s NetworkPolicy")
assert.Equal(t, int32(1), getMaxPriority(antreaNP), "got unexpected maxPriority for AntreaPolicy")
}

type dirtyRuleRecorder struct {
rules sets.String
eventCh chan string
Expand Down Expand Up @@ -385,14 +445,26 @@ func TestRuleCacheReplaceNetworkPolicies(t *testing.T) {
ObjectMeta: metav1.ObjectMeta{UID: "policy1"},
Rules: []v1beta1.NetworkPolicyRule{*networkPolicyRule1},
AppliedToGroups: []string{"addressGroup1"},
SourceRef: &v1beta1.NetworkPolicyReference{
Type: v1beta1.K8sNetworkPolicy,
Namespace: "ns1",
Name: "name1",
UID: "policy1",
},
}
networkPolicy2 := &v1beta1.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{UID: "policy1"},
Rules: []v1beta1.NetworkPolicyRule{*networkPolicyRule1},
AppliedToGroups: []string{"addressGroup2"},
SourceRef: &v1beta1.NetworkPolicyReference{
Type: v1beta1.K8sNetworkPolicy,
Namespace: "ns1",
Name: "name1",
UID: "policy1",
},
}
rule1 := toRule(networkPolicyRule1, networkPolicy1)
rule2 := toRule(networkPolicyRule1, networkPolicy2)
rule1 := toRule(networkPolicyRule1, networkPolicy1, k8sNPMaxPriority)
rule2 := toRule(networkPolicyRule1, networkPolicy2, k8sNPMaxPriority)
tests := []struct {
name string
rules []*rule
Expand Down Expand Up @@ -530,14 +602,26 @@ func TestRuleCacheAddNetworkPolicy(t *testing.T) {
ObjectMeta: metav1.ObjectMeta{UID: "policy1", Namespace: "ns1", Name: "name1"},
Rules: nil,
AppliedToGroups: []string{"appliedToGroup1"},
SourceRef: &v1beta1.NetworkPolicyReference{
Type: v1beta1.K8sNetworkPolicy,
Namespace: "ns1",
Name: "name1",
UID: "policy1",
},
}
networkPolicy2 := &v1beta1.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{UID: "policy2", Namespace: "ns2", Name: "name2"},
Rules: []v1beta1.NetworkPolicyRule{*networkPolicyRule1, *networkPolicyRule2},
AppliedToGroups: []string{"appliedToGroup1"},
SourceRef: &v1beta1.NetworkPolicyReference{
Type: v1beta1.K8sNetworkPolicy,
Namespace: "ns2",
Name: "name2",
UID: "policy2",
},
}
rule1 := toRule(networkPolicyRule1, networkPolicy2)
rule2 := toRule(networkPolicyRule2, networkPolicy2)
rule1 := toRule(networkPolicyRule1, networkPolicy2, k8sNPMaxPriority)
rule2 := toRule(networkPolicyRule2, networkPolicy2, k8sNPMaxPriority)
tests := []struct {
name string
args *v1beta1.NetworkPolicy
Expand Down Expand Up @@ -904,20 +988,38 @@ func TestRuleCacheUpdateNetworkPolicy(t *testing.T) {
ObjectMeta: metav1.ObjectMeta{UID: "policy1"},
Rules: []v1beta1.NetworkPolicyRule{*networkPolicyRule1},
AppliedToGroups: []string{"addressGroup1"},
SourceRef: &v1beta1.NetworkPolicyReference{
Type: v1beta1.K8sNetworkPolicy,
Namespace: "ns1",
Name: "name1",
UID: "policy1",
},
}
networkPolicy2 := &v1beta1.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{UID: "policy1"},
Rules: []v1beta1.NetworkPolicyRule{*networkPolicyRule1},
AppliedToGroups: []string{"addressGroup2"},
SourceRef: &v1beta1.NetworkPolicyReference{
Type: v1beta1.K8sNetworkPolicy,
Namespace: "ns1",
Name: "name1",
UID: "policy1",
},
}
networkPolicy3 := &v1beta1.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{UID: "policy1"},
Rules: []v1beta1.NetworkPolicyRule{*networkPolicyRule1, *networkPolicyRule2},
AppliedToGroups: []string{"addressGroup1"},
SourceRef: &v1beta1.NetworkPolicyReference{
Type: v1beta1.K8sNetworkPolicy,
Namespace: "ns1",
Name: "name1",
UID: "policy1",
},
}
rule1 := toRule(networkPolicyRule1, networkPolicy1)
rule2 := toRule(networkPolicyRule1, networkPolicy2)
rule3 := toRule(networkPolicyRule2, networkPolicy3)
rule1 := toRule(networkPolicyRule1, networkPolicy1, k8sNPMaxPriority)
rule2 := toRule(networkPolicyRule1, networkPolicy2, k8sNPMaxPriority)
rule3 := toRule(networkPolicyRule2, networkPolicy3, k8sNPMaxPriority)
tests := []struct {
name string
rules []*rule
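Review bot: TestGetMaxPriority never covers an Antrea-native policy whose Rules slice is empty, which getMaxPriority reports as -1 — the same sentinel the doc comment reserves for K8s NetworkPolicies — nor a policy with a nil SourceRef, which the current implementation would dereference. Adding at least the empty-rules case, e.g. `assert.Equal(t, int32(-1), getMaxPriority(&v1beta1.NetworkPolicy{SourceRef: &v1beta1.NetworkPolicyReference{Type: v1beta1.AntreaClusterNetworkPolicy}}))`, makes the sentinel overlap an explicit, tested choice rather than an accident a later consumer of MaxPriority can trip over. As a point of style, `k8sNPMaxPriority` is never reassigned and reads better as `const k8sNPMaxPriority = int32(-1)` than as a package-level `var` block. The remaining hunks only thread the new argument and SourceRef through existing fixtures.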