Add FQDN policy feature in Antrea-native policies #2613
Codecov Report

```diff
@@            Coverage Diff             @@
##             main    #2613      +/-   ##
==========================================
+ Coverage   60.41%   65.56%   +5.14%
==========================================
  Files         283      285       +2
  Lines       22509    26453    +3944
==========================================
+ Hits        13599    17343    +3744
- Misses       7480     7531      +51
- Partials     1430     1579     +149
```
/test-all

/test-all
```go
for port := range addedPods {
	addedOFAddrs = append(addedOFAddrs, openflow.NewOFPortAddress(port))
}
if err := f.ofClient.AddAddressToDNSConjunction(dnsInterceptRuleID, addedOFAddrs); err != nil {
```
It seems that if the call fails, the pod never gets another chance to be added to the conjunction.
We may have the same problem in the normal policy too. Please add a TODO for this defect. We should fix them later.
I took a look at that and where this function is called from. `addFQDNRule` is called from `computeOFRulesForAdd`, which is a bit surprising to me because based on the name of the function and from previous usage, I would expect that this function computes things and doesn't actually install flows... `computeOFRulesForAdd` already has this TODO:

`// TODO: Handle the case that the following processing fails or partially succeeds.`

I don't have good knowledge of this code but here is what I did:

- log error returned by `addFQDNRule` instead of ignoring it
- add a new TODO / comment at the `addFQDNRule` call site
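As an added illustration of the retry concern raised in this thread (example code, not Antrea's own; the `conjunctionClient` interface, the `flakyClient` stand-in and the `fqdnRule` type are hypothetical simplifications of the real OpenFlow client and rule state), the following keeps pod ports that failed to install in a pending set, so the next sync retries them instead of silently losing them the way the snippet above does when `AddAddressToDNSConjunction` returns an error:

```go
package main

import (
	"errors"
	"fmt"
)

// conjunctionClient is the subset of the OpenFlow client the reviewed snippet
// calls. The real Antrea interface takes OpenFlow address values; this
// hypothetical version takes OF port numbers to keep the example stand-alone.
type conjunctionClient interface {
	AddAddressToDNSConjunction(ruleID uint32, ports []uint32) error
}

// flakyClient is a constructed stand-in that fails its first `failures`
// calls and then succeeds, recording which ports it installed.
type flakyClient struct {
	failures  int
	Installed map[uint32]bool
}

func (c *flakyClient) AddAddressToDNSConjunction(ruleID uint32, ports []uint32) error {
	if c.failures > 0 {
		c.failures--
		return errors.New("ofctl: connection reset") // constructed error
	}
	for _, p := range ports {
		c.Installed[p] = true
	}
	return nil
}

// fqdnRule tracks which pod ports still need to be added to the DNS
// interception conjunction. A port stays in pending until the datapath call
// succeeds, so a transient failure is retried on the next sync rather than
// dropped, which is the defect the review comment points out.
type fqdnRule struct {
	ruleID  uint32
	pending map[uint32]bool
	client  conjunctionClient
}

func newFQDNRule(ruleID uint32, client conjunctionClient) *fqdnRule {
	return &fqdnRule{ruleID: ruleID, pending: map[uint32]bool{}, client: client}
}

// AddPods queues pod ports; nothing touches the datapath yet.
func (r *fqdnRule) AddPods(ports ...uint32) {
	for _, p := range ports {
		r.pending[p] = true
	}
}

// Sync installs all pending ports in one call. On failure the pending set is
// left intact and the error is returned so the caller can log it and requeue.
func (r *fqdnRule) Sync() error {
	if len(r.pending) == 0 {
		return nil
	}
	ports := make([]uint32, 0, len(r.pending))
	for p := range r.pending {
		ports = append(ports, p)
	}
	if err := r.client.AddAddressToDNSConjunction(r.ruleID, ports); err != nil {
		return fmt.Errorf("adding %d pod port(s) to DNS conjunction %d: %w", len(ports), r.ruleID, err)
	}
	r.pending = map[uint32]bool{}
	return nil
}

// Pending reports how many pod ports are still waiting for the datapath.
func (r *fqdnRule) Pending() int { return len(r.pending) }

func main() {
	client := &flakyClient{failures: 1, Installed: map[uint32]bool{}}
	rule := newFQDNRule(42, client)
	rule.AddPods(7, 8)
	for attempt := 1; attempt <= 2; attempt++ {
		if err := rule.Sync(); err != nil {
			fmt.Printf("attempt %d: %v (pending=%d)\n", attempt, err, rule.Pending())
			continue
		}
		fmt.Printf("attempt %d: installed ports %v\n", attempt, client.Installed)
	}
}
```

The point is the separation of "desired" state (the pending set) from the one-shot datapath call: the first sync fails and leaves both ports pending, the second sync installs them. Whether the retry is driven by a work-queue requeue or by the next periodic reconcile is a design choice the example leaves to the caller.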
@tnqn I tried to address all your comments. Looks like there are some test failures I need to look at, and I need to review the code myself.
LGTM
/test-all

/test-windows-conformance

/test-windows-networkpolicy

/test-windows-conformance

There seems to be some issue with the Windows testbeds, which I believe are unrelated to this PR as we observe these issues consistently. I'll merge this PR but we should address the testbed issues before the 1.3 release so we can validate it on Windows. cc @lzhecheng

/test-windows-conformance
/test-all

I root caused and addressed the Windows issue: the FQDN controller was looking for environment variables which were not defined on Windows. I added these environment variables when running the Agent as a DaemonSet using wins. I also added a fallback to the FQDN controller code (using the default local DNS resolver and the

LGTM. Thanks for fixing this!

All tests passing. Will squash manually on my laptop before I merge, in order to fix author information.
This PR adds an `fqdn` field to the egress rules of Antrea-native policy. It can be used to restrict egress access to the Fully Qualified Domain Names, specified either by exact name or wildcard matchPatterns.

Supported formats for the `fqdn` field are:

* Exact FQDNs, i.e. `facebook.com`, `maps.google.com` or `db-svc.default.svc.cluster.local`.
* Wildcard expressions, i.e. `*wayfair.com` or `*.edu`.

The standard `Allow`, `Drop` and `Reject` actions apply to FQDN egress rules. In a single NetworkPolicyPeer, `fqdn` should not be specified together with pod/namespaceSelectors, ClusterGroups or IPBlocks.

Note that this feature is not a L7 policy and only works at L3/L4. DNS packets are intercepted and inspected only to help the fqdn controller cache resolved addresses. DNS response packets will only be dropped if the client's requested FQDN is matched by a FQDN policy rule, but the datapath reconciliation for that rule fails.

Co-authored-by: Antonin Bas <abas@vmware.com>
Co-authored-by: Grayson Wu <wgrayson@vmware.com>
Signed-off-by: Antonin Bas <abas@vmware.com>
Fixes issue #2611.

This PR adds an `fqdn` field to the egress rules of Antrea-native policy. It can be used to restrict egress access to the Fully Qualified Domain Names, specified either by exact name or wildcard matchPatterns.

Supported formats for the `fqdn` field are:

* Exact FQDNs, i.e. `facebook.com`, `maps.google.com` or `db-svc.default.svc.cluster.local`.
* Wildcard expressions, i.e. `*wayfair.com` or `*.edu`.

The standard `Allow`, `Drop` and `Reject` actions apply to FQDN egress rules. In a single NetworkPolicyPeer, `fqdn` should not be specified together with pod/namespaceSelectors, ClusterGroups or IPBlocks.

Note that this feature is not a L7 policy and only works at L3/L4. DNS packets are intercepted and inspected only to help the fqdn controller cache resolved addresses. DNS response packets will only be dropped if the client's requested FQDN is matched by a FQDN policy rule, but the datapath reconciliation for that rule fails.

Added by Grayson Wu:

- `reconcile.go` when Antrea Policy is disabled.
- `dnsServerOverride` when running UT `fqdn_test` and `networkpolicy_test`.
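As an added example (not Antrea's code: the `Peer` and `Rule` types, the glob semantics in which `*` stands for any run of characters including none, and the first-match ordering in `Verdict` are this example's own assumptions), the matching and the peer constraint described above can be worked through in Go. It also surfaces a caveat of the `*wayfair.com` form: with no dot after the star, the pattern matches any name ending in `wayfair.com`, including `notwayfair.com`, whereas `*.edu` only matches names with at least one label in front of `.edu`.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Peer is a hypothetical, trimmed-down NetworkPolicyPeer carrying only the
// fields the description says must not be mixed with fqdn.
type Peer struct {
	PodSelector       map[string]string
	NamespaceSelector map[string]string
	Group             string // ClusterGroup reference
	IPBlock           string // CIDR
	FQDN              string
}

// ValidatePeer rejects a peer that sets fqdn together with any selector, group
// or ipBlock, and rejects patterns this matcher does not understand.
func ValidatePeer(p Peer) error {
	if p.FQDN == "" {
		return nil
	}
	if p.PodSelector != nil || p.NamespaceSelector != nil || p.Group != "" || p.IPBlock != "" {
		return errors.New("fqdn must not be combined with podSelector, namespaceSelector, group or ipBlock in one peer")
	}
	pat := Normalize(p.FQDN)
	if pat == "" || strings.Contains(pat, "..") || strings.ContainsAny(pat, " /\\") {
		return fmt.Errorf("invalid fqdn pattern %q", p.FQDN)
	}
	return nil
}

// Normalize lower-cases a name and drops the trailing root dot, so that the
// "Maps.Google.COM." seen in a DNS answer compares equal to "maps.google.com".
func Normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(name), ".")
}

// MatchFQDN implements the two formats in the description: an exact name, or a
// wildcard where '*' matches any run of characters, including an empty one.
// (Assumption: this glob semantics is the example's, not necessarily Antrea's.)
func MatchFQDN(pattern, name string) bool {
	pattern, name = Normalize(pattern), Normalize(name)
	parts := strings.Split(pattern, "*")
	if len(parts) == 1 {
		return pattern == name // exact FQDN: whole-string comparison only
	}
	if !strings.HasPrefix(name, parts[0]) {
		return false
	}
	name = name[len(parts[0]):]
	last := parts[len(parts)-1]
	if !strings.HasSuffix(name, last) {
		return false
	}
	name = name[:len(name)-len(last)]
	// Any literal segments between stars must appear in order in what is left.
	for _, mid := range parts[1 : len(parts)-1] {
		i := strings.Index(name, mid)
		if i < 0 {
			return false
		}
		name = name[i+len(mid):]
	}
	return true
}

// Rule is one egress rule: its action and fqdn pattern.
type Rule struct {
	Action  string // Allow, Drop or Reject
	Pattern string
}

// Verdict walks the rules in priority order and returns the action of the first
// pattern that matches the resolved name; ok is false when nothing matched.
func Verdict(rules []Rule, name string) (action string, ok bool) {
	for _, r := range rules {
		if MatchFQDN(r.Pattern, name) {
			return r.Action, true
		}
	}
	return "", false
}

func main() {
	// Constructed rule set and names, in priority order.
	rules := []Rule{
		{Action: "Allow", Pattern: "db-svc.default.svc.cluster.local"},
		{Action: "Allow", Pattern: "*.edu"},
		{Action: "Reject", Pattern: "*wayfair.com"},
		{Action: "Drop", Pattern: "*"},
	}
	for _, n := range []string{"db-svc.default.svc.cluster.local", "cs.mit.edu", "www.wayfair.com", "notwayfair.com", "edu"} {
		a, _ := Verdict(rules, n)
		fmt.Printf("%-35s -> %s\n", n, a)
	}
	fmt.Println(ValidatePeer(Peer{FQDN: "*.edu", IPBlock: "10.0.0.0/8"}))
}
```

The matcher operates on the name carried in the DNS answer, which is what the fqdn controller caches; the actual enforcement, as the description notes, happens at L3/L4 on the resolved addresses, so a client that bypasses DNS (hard-coded IP, DNS over HTTPS) is not covered by the name match at all.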