AppliedTo Per Rule for Antrea-native Policies #1396
Conversation
|
Thanks for your PR. The following commands are available:
|
Codecov Report
@@ Coverage Diff @@
## master #1396 +/- ##
==========================================
- Coverage 63.31% 62.52% -0.80%
==========================================
Files 170 181 +11
Lines 14250 15499 +1249
==========================================
+ Hits 9023 9691 +668
- Misses 4292 4786 +494
- Partials 935 1022 +87
Flags with carried forward coverage won't be shown. Click here to find out more.
|
Dyanngg
force-pushed
the
applied-to-per-rule
branch
from
1e886f1
to
8a1828e
Compare
Dyanngg
force-pushed
the
applied-to-per-rule
branch
from
8a1828e
to
c6e0e63
Compare
|
/test-all |
Dyanngg
force-pushed
the
applied-to-per-rule
branch
from
c6e0e63
to
89d8c3d
Compare
|
Thanks for your PR. The following commands are available:
|
Dyanngg
force-pushed
the
applied-to-per-rule
branch
from
89d8c3d
to
2405cca
Compare
Dyanngg
force-pushed
the
applied-to-per-rule
branch
4 times, most recently
from
f09ae26
to
349e3b2
Compare
|
/test-all |
| PodSelectorMatchExp *[]metav1.LabelSelectorRequirement | ||
| NSSelectorMatchExp *[]metav1.LabelSelectorRequirement |
There was a problem hiding this comment.
Not really introduced by this PR, but I don't recall why these have to be pointers, while PodSelector / NSSelector do not. Do you know the reason?
There was a problem hiding this comment.
I'm not sure... Maybe because Maps are already passed by reference?
There was a problem hiding this comment.
that may make sense for function parameters (except if we never mutate the slice), but not really for fields in a struct
There was a problem hiding this comment.
maybe you can punt this to the later commit you mentioned in https://github.com/vmware-tanzu/antrea/pull/1396/files#r539671256
There was a problem hiding this comment.
Opened #1647 for this
Dyanngg
force-pushed
the
applied-to-per-rule
branch
2 times, most recently
from
369a403
to
b41f200
Compare
|
/test-all |
Dyanngg
force-pushed
the
applied-to-per-rule
branch
2 times, most recently
from
8dfc7ed
to
72032c3
Compare
|
/test-all |
Dyanngg
force-pushed
the
applied-to-per-rule
branch
from
0310e18
to
3e958d0
Compare
| } | ||
| numAppliedToInRules := countAppliedToInRules(ingress) + countAppliedToInRules(egress) | ||
| if appliedToInSpec && (numAppliedToInRules > 0) { | ||
| return "appliedTo should not be set in both spec and rules", false |
There was a problem hiding this comment.
Sorry, I must have missed some discussions. But why appliedTo cannot be on both rules and NP?
@abhiraut
There was a problem hiding this comment.
i think we decided to keep the implementation simple and not support a hybrid AppliedTo .. initially i thought we could inherit the appliedTo from the spec in to the rule if no AppliedTo set on the rule.. i am not sure if the implementation becomes too complex to support a hybrid setup?
There was a problem hiding this comment.
Spoke offline, at this moment we will keep the current implementation and disallow the hybrid case
| @@ -111,7 +111,9 @@ func ToNetworkPolicyMsg(in *types.NetworkPolicy, out *controlplane.NetworkPolicy | |||
| } | |||
| // Since stored objects are immutable, we just reference the fields here. | |||
| out.Rules = in.Rules | |||
| out.AppliedToGroups = in.AppliedToGroups | |||
| if !in.AppliedToPerRule { | |||
There was a problem hiding this comment.
maybe add a small comment for this
Dyanngg
force-pushed
the
applied-to-per-rule
branch
from
3e958d0
to
e7e4dbc
Compare
|
/test-all |
| // Select workloads on which this rule will be applied to. Cannot be set in | ||
| // conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. | ||
| // +optional | ||
| AppliedTo []NetworkPolicyPeer `json:"appliedTo,omitempty"` |
There was a problem hiding this comment.
I am not suggesting any change for now. But want to mention I would consider to define a separate struct for AppliedTo instead of using NetworkPolicyPeer, that can be shared by different types of policies, and can remove the requirements of validating unsupported fields of NetworkPolicyPeer.
Check my idea here: https://github.com/vmware-tanzu/antrea/pull/1433/files#diff-820e873e5691a9f56ffc35887e7e006745a9ff4b0c547b994687f06a9db3919fR79. @abhiraut
There was a problem hiding this comment.
I'm working on integrating the ClusterGroup with ACNP/ANP. the struct you are proposing is similar to a Group/ClusterGroup.. do you want to reuse the same CRD for snat policy?
There was a problem hiding this comment.
There was a problem hiding this comment.
I think we want to support multiple groups and maybe mix of groups and selectors for one policy. Then we still need an appliedTo struct for that?
Dyanngg
force-pushed
the
applied-to-per-rule
branch
from
e7e4dbc
to
c85e45e
Compare
|
/test-all |
Correct. #1359 ensures that for Antrea-native policies, the appliedTo field has to be specified at policy level, though does not require it to not be an empty list. But realistically I believe it makes sense to check that there is at least one appliedTo in either policy spec or all of rule spec. |
|
btw I am still wondering if we should support appliedTo per rule with regular selectors or keep it for incoming Group CRDs? or allow both? in that case we may need to propose two fields or @jianjuns any thoughts on this? |
noticed @jianjuns latest reply.. so we need to support hybrid, in that case maybe we need to formally propose the AppliedTo struct as Jianjun was suggesting. |
|
@abhiraut: what is the plan for NP appliedTo? We should NP and rule the same right? |
|
Guess I need to understand your ideas first. |
i was thinking of the following, if we want to support both groups and selectors although this would still require some validation on the referenced Group to not have invalid selectors like |
|
For NP appliedTo, do you plan to support both group and selectors? Another question - do we want to support multiple groups? |
does the following make sense: |
There was a problem hiding this comment.
LGTM
I believe any change of type for the AppliedTo fields would belong in a separate PR (requires an API version change).
We should consider adding unit tests for conversion functions as we introduce more to make sure they behave correctly. I believe upstream K8s does the same.
| @@ -190,6 +191,10 @@ type NetworkPolicyRule struct { | |||
| // EnableLogging is used to indicate if agent should generate logs | |||
| // when rules are matched. Should be default to false. | |||
| EnableLogging bool | |||
| // AppliedToGroups is a list of names of AppliedToGroups to which this rule applies. | |||
| // Cannot be set in conjunction with NetworkPolicy.AppliedToGroups of the NetworkPolicy | |||
| // that this Rule is referred to. | |||
There was a problem hiding this comment.
that this Rule belongs to
|
@abhiraut I feel "[]AppliedTo" looks strange. ApplitedTo sounds like a singular to include all entities. Of course the AppliedTo strcut change should not be in this PR (we are just using this PR to discuss and probably let us move to another thread). I think everyone is on the same page here. |
* Add appliedTo field in rules and update validationWebook * Add appliedTo per rule handling in controller and agent * Add omitempty to appliedTo fields and address test failures * Add testcases for appliedTo per rule * Address comments
* Add appliedTo field in rules and update validationWebook * Add appliedTo per rule handling in controller and agent * Add omitempty to appliedTo fields and address test failures * Add testcases for appliedTo per rule * Address comments
* Add appliedTo field in rules and update validationWebook * Add appliedTo per rule handling in controller and agent * Add omitempty to appliedTo fields and address test failures * Add testcases for appliedTo per rule * Address comments
This PR fixes #1327. Please refer to the issue for more information on this feature.
The following changes are made in terms of implementation: