Update Emergency Tier's Priority to 50 #1665

Merged
merged 8 commits into from
Dec 22, 2020
5 changes: 5 additions & 0 deletions build/yamls/antrea-aks.yml
Expand Up @@ -1075,6 +1075,7 @@ rules:
- watch
- list
- create
- update
- apiGroups:
- ops.antrea.tanzu.vmware.com
resources:
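Review bot: the same two hunks (the `update` verb and the `SERVICEACCOUNT_NAME` env var) are repeated verbatim across antrea-aks.yml, antrea-eks.yml, antrea-gke.yml, antrea-ipsec.yml and antrea.yml; since these files are generated from build/yamls/base/, confirm they were produced by regenerating the manifests rather than hand-edited, otherwise the next regeneration will drop or reorder them.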
Expand Down Expand Up @@ -1377,6 +1378,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: SERVICEACCOUNT_NAME
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
name: antrea-controller
5 changes: 5 additions & 0 deletions build/yamls/antrea-eks.yml
Expand Up @@ -1075,6 +1075,7 @@ rules:
- watch
- list
- create
- update
- apiGroups:
- ops.antrea.tanzu.vmware.com
resources:
Expand Down Expand Up @@ -1377,6 +1378,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: SERVICEACCOUNT_NAME
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
name: antrea-controller
5 changes: 5 additions & 0 deletions build/yamls/antrea-gke.yml
Expand Up @@ -1075,6 +1075,7 @@ rules:
- watch
- list
- create
- update
- apiGroups:
- ops.antrea.tanzu.vmware.com
resources:
Expand Down Expand Up @@ -1377,6 +1378,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: SERVICEACCOUNT_NAME
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
name: antrea-controller
5 changes: 5 additions & 0 deletions build/yamls/antrea-ipsec.yml
Expand Up @@ -1075,6 +1075,7 @@ rules:
- watch
- list
- create
- update
- apiGroups:
- ops.antrea.tanzu.vmware.com
resources:
Expand Down Expand Up @@ -1391,6 +1392,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: SERVICEACCOUNT_NAME
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
name: antrea-controller
5 changes: 5 additions & 0 deletions build/yamls/antrea.yml
Expand Up @@ -1075,6 +1075,7 @@ rules:
- watch
- list
- create
- update
- apiGroups:
- ops.antrea.tanzu.vmware.com
resources:
Expand Down Expand Up @@ -1382,6 +1383,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: SERVICEACCOUNT_NAME
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
name: antrea-controller
1 change: 1 addition & 0 deletions build/yamls/base/controller-rbac.yml
Expand Up @@ -130,6 +130,7 @@ rules:
- watch
- list
- create
- update
- apiGroups:
- ops.antrea.tanzu.vmware.com
resources:
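Review bot: the `resources:` list this `update` verb attaches to is outside the visible context of the hunk; verify the rule covers only `tiers`, because granting `update` on every resource in that apiGroup would be broader than what InitializeTiers needs (it only rewrites the priority of the static Tiers). If the rule is already tier-specific, a one-line comment above the verb saying why the controller now needs `update` would help the next person auditing the ClusterRole.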
5 changes: 5 additions & 0 deletions build/yamls/base/controller.yml
Expand Up @@ -222,6 +222,11 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
# Provide ServiceAccount name for validation webhook.
- name: SERVICEACCOUNT_NAME
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
ports:
- containerPort: 10349
name: api
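Review bot: the webhook's decision to exempt the controller now depends on this env var matching the identity the Pod really runs as, and reading it through the downward API (`spec.serviceAccountName`) rather than hard-coding it is the right call. The comment should also say that the value is consumed by `env.GetAntreaControllerServiceAccount`, which falls back to `"antrea-controller"` when the variable is missing; an operator who renames the ServiceAccount in a custom deployment and drops this env var would otherwise get a webhook that rejects the controller's own priority updates with no obvious cause.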
16 changes: 8 additions & 8 deletions docs/antrea-network-policy.md
Expand Up @@ -86,10 +86,10 @@ Tier CRD object, that will be enforced after developer-created K8s NetworkPolici
The details for these tiers are shown below:

```text
Emergency -> Tier name "emergency" with priority "5"
SecurityOps -> Tier name "securityops" with priority "50"
NetworkOps -> Tier name "networkops" with priority "100"
Platform -> Tier name "platform" with priority "150"
Emergency -> Tier name "emergency" with priority "50"
SecurityOps -> Tier name "securityops" with priority "100"
NetworkOps -> Tier name "networkops" with priority "150"
Platform -> Tier name "platform" with priority "200"
Application -> Tier name "application" with priority "250"
Baseline -> Tier name "baseline" with priority "253"
```
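Review bot: the doc does not mention that the renumbering is applied in place to existing clusters: after this change InitializeTiers rewrites the priorities of the static Tiers on controller start (Emergency 5 to 50, SecurityOps 50 to 100, NetworkOps 100 to 150, Platform 150 to 200). A user-created Tier that currently sits at priority 200, which was unused before, will from then on share a priority with Platform, and a user Tier in the 6 to 49 range will move from below Emergency to above it. A sentence on this, here or in the release notes, would save operators a surprise on upgrade.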
Expand Down Expand Up @@ -149,10 +149,10 @@ All of the above commands produce output similar to what is shown below:

```text
NAME PRIORITY AGE
emergency 5 27h
securityops 50 27h
networkops 100 27h
platform 150 27h
emergency 50 27h
securityops 100 27h
networkops 150 27h
platform 200 27h
application 250 27h
```

77 changes: 59 additions & 18 deletions pkg/controller/networkpolicy/tier.go
Expand Up @@ -42,15 +42,21 @@ var (
BaselineTierPriority = int32(253)
// defaultTierName maintains the name of the default Tier in Antrea.
defaultTierName = "application"
// emergencyTierName maintains the name of the Emergency Tier in Antrea.
emergencyTierName = "emergency"
securityOpsTierName = "securityops"
networkOpsTierName = "networkops"
platformTierName = "platform"
baselineTierName = "baseline"
// priorityMap maintains the Tier priority associated with system generated
// Tier names.
priorityMap = map[string]int32{
"baseline": BaselineTierPriority,
defaultTierName: DefaultTierPriority,
"platform": int32(150),
"networkops": int32(100),
"securityops": int32(50),
"emergency": int32(5),
baselineTierName: BaselineTierPriority,
defaultTierName: DefaultTierPriority,
platformTierName: int32(200),
networkOpsTierName: int32(150),
securityOpsTierName: int32(100),
emergencyTierName: int32(50),
}
// staticTierSet maintains the names of the static tiers such that they can
// be converted to corresponding Tier CRD names.
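Review bot: only `emergencyTierName` carries a doc comment while the four sibling names introduced in the same block do not; either comment the group once ("names of the system generated Tiers") or drop the lone comment so the block reads consistently. The same six names also appear as string literals in `reservedTierNames` in validate.go; building that set from these constants would prevent the two lists from drifting apart.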
Expand All @@ -59,10 +65,10 @@ var (
systemGeneratedTiers = []*secv1alpha1.Tier{
{
ObjectMeta: metav1.ObjectMeta{
Name: "baseline",
Name: baselineTierName,
},
Spec: secv1alpha1.TierSpec{
Priority: priorityMap["baseline"],
Priority: priorityMap[baselineTierName],
Description: "[READ-ONLY]: System generated Baseline Tier",
},
},
Expand All @@ -77,37 +83,37 @@ var (
},
{
ObjectMeta: metav1.ObjectMeta{
Name: "platform",
Name: platformTierName,
},
Spec: secv1alpha1.TierSpec{
Priority: priorityMap["platform"],
Priority: priorityMap[platformTierName],
Description: "[READ-ONLY]: System generated Platform Tier",
},
},
{
ObjectMeta: metav1.ObjectMeta{
Name: "networkops",
Name: networkOpsTierName,
},
Spec: secv1alpha1.TierSpec{
Priority: priorityMap["networkops"],
Priority: priorityMap[networkOpsTierName],
Description: "[READ-ONLY]: System generated NetworkOps Tier",
},
},
{
ObjectMeta: metav1.ObjectMeta{
Name: "securityops",
Name: securityOpsTierName,
},
Spec: secv1alpha1.TierSpec{
Priority: priorityMap["securityops"],
Priority: priorityMap[securityOpsTierName],
Description: "[READ-ONLY]: System generated SecurityOps Tier",
},
},
{
ObjectMeta: metav1.ObjectMeta{
Name: "emergency",
Name: emergencyTierName,
},
Spec: secv1alpha1.TierSpec{
Priority: priorityMap["emergency"],
Priority: priorityMap[emergencyTierName],
Description: "[READ-ONLY]: System generated Emergency Tier",
},
},
Expand All @@ -121,10 +127,17 @@ var (
func (n *NetworkPolicyController) InitializeTiers() {
for _, t := range systemGeneratedTiers {
// Check if Tier is already present.
_, err := n.tierLister.Get(t.Name)
oldTier, err := n.tierLister.Get(t.Name)
if err == nil {
// Tier is already present.
klog.V(2).Infof("%s Tier already created", t.Name)
// Update Tier Priority if it is not set to desired Priority.
expPrio := priorityMap[t.Name]
if oldTier.Spec.Priority != expPrio {
tToUpdate := oldTier.DeepCopy()
tToUpdate.Spec.Priority = expPrio
n.updateTier(tToUpdate)
}
continue
}
n.initTier(t)
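Review bot: the correctness of the in-place priority migration silently depends on the iteration order of `systemGeneratedTiers`. Because every new value reuses a value some other static Tier is giving up (Platform takes 200, NetworkOps takes Platform's old 150, SecurityOps takes NetworkOps' old 100, Emergency takes SecurityOps' old 50), the slice order platform, networkops, securityops, emergency frees each priority just before it is claimed; if Tier validation rejects duplicate priorities, any other order (or a permanent failure of one update, which `n.updateTier(tToUpdate)` only logs and never returns) would leave the remaining Tiers colliding. Either add a comment on `systemGeneratedTiers` stating that the order is load-bearing, or have `updateTier` return the error and stop the loop on failure.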
Expand All @@ -146,7 +159,35 @@ func (n *NetworkPolicyController) initTier(t *secv1alpha1.Tier) {
klog.Warningf("Failed to create %s Tier on init: %v. Retry attempt: %d", t.Name, err, retryAttempt)
// Tier creation may fail because antrea APIService is not yet ready
// to accept requests for validation. Retry fixed number of times
// not exceeding 2 * 5 = 10s.
// not exceeding 8s.
time.Sleep(backoff)
backoff *= 2
if backoff > maxBackoffTime {
backoff = maxBackoffTime
}
retryAttempt += 1
continue
}
return
}
}

// updateTier attempts to update Tiers using an
// exponential backoff period from 1 to max of 8secs.
func (n *NetworkPolicyController) updateTier(t *secv1alpha1.Tier) {
var err error
const maxBackoffTime = 8 * time.Second
backoff := 1 * time.Second
retryAttempt := 1
for {
klog.V(2).Infof("Updating %s Tier", t.Name)
_, err = n.crdClient.SecurityV1alpha1().Tiers().Update(context.TODO(), t, metav1.UpdateOptions{})
// Attempt to update Tier after a backoff.
if err != nil {
klog.Warningf("Failed to update %s Tier on init: %v. Retry attempt: %d", t.Name, err, retryAttempt)
// Tier update may fail because antrea APIService is not yet ready
// to accept requests for validation. Retry fixed number of times
// not exceeding 8s.
time.Sleep(backoff)
backoff *= 2
if backoff > maxBackoffTime {
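Review bot: the retry loop resends the same object on every attempt, so an update rejected with a 409 Conflict (another writer bumped `resourceVersion` between the lister `Get` and this `Update`) fails identically on each retry until the budget is exhausted; re-fetch the Tier before retrying, or wrap the `Update` in `retry.RetryOnConflict` from `k8s.io/client-go/util/retry`, and keep the backoff only for the APIService-not-ready case the comment describes. The loop body is also a near line-for-line copy of `initTier`'s backoff loop; a shared helper that takes the API call as a `func() error` would remove the duplication and keep the two retry policies from diverging.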
14 changes: 14 additions & 0 deletions pkg/controller/networkpolicy/validate.go
Expand Up @@ -24,9 +24,11 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apiserver/pkg/authentication/serviceaccount"
"k8s.io/klog"

secv1alpha1 "github.com/vmware-tanzu/antrea/pkg/apis/security/v1alpha1"
"github.com/vmware-tanzu/antrea/pkg/util/env"
)

// validator interface introduces the set of functions that must be implemented
Expand Down Expand Up @@ -68,6 +70,8 @@ var (
reservedTierNames = sets.NewString("baseline", "application", "platform", "networkops", "securityops", "emergency")
)

const defaultControllerNamespace = "kube-system"

// RegisterAntreaPolicyValidator registers an Antrea-native policy validator
// to the resource registry. A new validator must be registered by calling
// this function before the Run phase of the APIServer.
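Review bot: `defaultControllerNamespace` duplicates a deployment detail (the controller lives in `kube-system`) that the webhook now uses to decide which caller is trusted; when `POD_NAMESPACE` is unset in a custom deployment, the exemption quietly stops matching. Either make the fallback a warning-level log so the mismatch is visible, or treat a missing `POD_NAMESPACE` as a configuration error, since the controller's own manifest always sets it.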
Expand Down Expand Up @@ -449,6 +453,16 @@ func (t *tierValidator) updateValidate(curObj, oldObj interface{}, userInfo auth
reason := ""
curTier := curObj.(*secv1alpha1.Tier)
oldTier := oldObj.(*secv1alpha1.Tier)
// Retrieve antrea-controller's Namespace
namespace := env.GetPodNamespace()
if namespace == "" {
// antrea-controller by default is created in the kube-system Namespace
namespace = defaultControllerNamespace
}
// Allow exception of Tier Priority updates performed by the antrea-controller
if serviceaccount.MatchesUsername(namespace, env.GetAntreaControllerServiceAccount(), userInfo.Username) {
return "", true
}
if curTier.Spec.Priority != oldTier.Spec.Priority {
allowed = false
reason = "update to Tier priority is not allowed"
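Review bot: the early `return "", true` exempts the controller's ServiceAccount from every check in `updateValidate`, not only the priority comparison that the comment describes, so any validation added below this point will silently not apply to updates issued by the controller. Scope the exception to the one check it is meant for, e.g. `isController := serviceaccount.MatchesUsername(namespace, env.GetAntreaControllerServiceAccount(), userInfo.Username)` and then `if curTier.Spec.Priority != oldTier.Spec.Priority && !isController {`. Worth a comment as well that this makes the controller's ServiceAccount identity a trust boundary for Tier priorities: any caller authenticated as that account (or allowed to impersonate it) can change the static ordering, which is acceptable because that identity already runs the controller, but it should be stated.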
11 changes: 11 additions & 0 deletions pkg/util/env/env.go
Expand Up @@ -26,6 +26,7 @@ const (
nodeNameEnvKey = "NODE_NAME"
podNameEnvKey = "POD_NAME"
podNamespaceEnvKey = "POD_NAMESPACE"
svcAcctNameEnvKey = "SERVICEACCOUNT_NAME"

antreaCloudEKSEnvKey = "ANTREA_CLOUD_EKS"
)
Expand Down Expand Up @@ -66,6 +67,16 @@ func GetPodNamespace() string {
return podNamespace
}

// GetAntreaControllerServiceAccountName returns the ServiceAccount name associated with antrea-controller.
func GetAntreaControllerServiceAccount() string {
svcAcctName := os.Getenv(svcAcctNameEnvKey)
if svcAcctName == "" {
// default value set for antrea-controller
svcAcctName = "antrea-controller"
}
return svcAcctName
}

func getBoolEnvVar(name string, defaultValue bool) bool {
if strValue := os.Getenv(name); strValue != "" {
parsedValue, err := strconv.ParseBool(strValue)
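Review bot: the doc comment names `GetAntreaControllerServiceAccountName` but the function is `GetAntreaControllerServiceAccount`; golint flags the mismatch and the two should agree. The fallback `"antrea-controller"` is a second copy of the default that the manifests' `serviceAccountName` defines; a named constant next to `svcAcctNameEnvKey` would make that coupling explicit.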