Internal Antrea NetworkPolicy supports references to ExternalEntity. #774
Conversation
|
Thanks for your PR. The following commands are available:
These commands can only be run by members of the vmware-tanzu organization. |
pkg/apis/networking/types.go
Outdated
| } | ||
|
|
||
| // GroupMemberExternalEntity represents an ExternalEntity related member to be populated in Groups. | ||
| type GroupMemberExternalEntity struct { |
There was a problem hiding this comment.
@tnqn: again should we use an unified struct for both Pod and ExternalEntity?
There was a problem hiding this comment.
If they can share almost same fields and we can come up with a good name for the struct, I think we can have a unified struct.
There was a problem hiding this comment.
Again first do you think shared structs can enable more code sharing?
For GroupMemberExternalEntity and GroupMemberPod, one difference is that GroupMemberExternalEntity could include multiple endpoints, but GroupMemberPod includes only a single IP. Would you change Pod to use multiple endpoints as well?
There was a problem hiding this comment.
I am ok with code sharing, but I think implementation wise it may be too wide spread a change. Do u think it is reasonable that we define a new common structure; and this new common structure shall only be used for ExternalEntity passing for now.
In subsequent releases, we can fully migrate to this new common structure?
There was a problem hiding this comment.
we can define something like
type NetworkEntityReference struct {
name string
namespace string
kind string
}
type Endpoint struct {
IP IPAddress
Ports []NamedPort
}
type NetworkEntity struct {
Reference NetworkEntityReference
Endpoints []Endpoint
}
this can eventually be used to carry Pod info as well. But to limit the impact, we will only used it externalEntity, will that work for u?
There was a problem hiding this comment.
-
I think the internal ExternalEntity defined here is consistent with external facing one at Add API types for Namespaced Antrea NetworkPolicy #716. I assume it is agreed upon. The reason that Abishek defined as such I assume it is because it is more flexible allowing different ports being exported on different IP?
-
whole we definitely can do as suggested to use the common GroupMemberSource . May I suggest we keep the existing PodGroupMember, so that we don't need to change a lot of agent/controller code?
There was a problem hiding this comment.
- I apologize that I didn't notice this detail when reviewing Add API types for Namespaced Antrea NetworkPolicy #716, but I think it's unnecessary to make named port various for a single Entity. Originally we got NamedPort from all ports of all container of a Pod, and it's guaranteed to not conflict. Besides, named port is not used to describe which ports are exported but used to resolve port names for Policies. It doesn't require an ExternalEntity must have a named port when we have a Policy selecting it and allowing a port number, e.g. 80. A named port is only required when the Policy allows a port name, e.g. api.
- If we agree on the common struct, I agree that you could probably just use the common struct for ExternalEntity and keep GroupMemberPod as is, we can then have another PR to migrate GroupMemberPod to the common struct.
There was a problem hiding this comment.
Regarding to 1), Initially I have the similar feeling, but I kind of grow to the current ExternalEndPoint as I believe @abhiraut must have thought it through. It allows us describes a use case where VM has multiple IPs, and some services(ports) exposed via one IP, others with another IP. Unlikely yes; possible, why not?
There was a problem hiding this comment.
IMO in this case the object would be a bit complicated to use. Say a VM have multiple IPs and user wants to define a named port "etcd" to "2379", the named port needs to be repeated in every Endpoint, otherwise agent won't resolve "etcd" to "2379" for those Endpoints that don't have this named port, while it would be redundant for most cases that a name maps to a port for all IPs. I think it's not very worth to ask redundant input for for most cases to support some unlikely needed cases.
I don't mean to make the change in this PR, but want to better understand the motivation of NamedPorts per IP as the API and code could be simpler without it. Any idea? @jianjuns @Dyanngg
There was a problem hiding this comment.
@quan, What u said is true.
I don't know the reason @abhiraut have, but I kind of like it because it offers flexibility. In most use cases, it is no issue because Pod/VM generally has single IP. In case there are multiple IPs on VM, for security reasons, it is common practice that services generally open only on primary IP.
Incidentally, since u r online, can u please approve this. I lost the approval while re push to deal with CI stability issue
|
Hi @jianjuns @tnqn @antoninbas, I wonder if u guys could give a quick response. The reason is that the implementations on controller, agent and antrea plus are pending because of this change. And I apologize that we have not pushed this for review earlier. |
|
/test-all |
1 similar comment
|
/test-all |
|
@tnqn @jianjuns
I hope this works out for everyone. |
| @@ -26,6 +26,8 @@ type AppliedToGroup struct { | |||
| metav1.ObjectMeta | |||
| // Pods is a list of Pods selected by this group. | |||
| Pods []GroupMemberPod | |||
| // GroupMembers is a list of resources selected by this group. | |||
| GroupMembers []GroupMember | |||
There was a problem hiding this comment.
So if I understand this correctly the externalEntities should be computed and stored in GroupMember, while current code usage of GroupMemberPod will be migrated to GroupMember later?
There was a problem hiding this comment.
yes, that is the intention
|
/test-all |
1 similar comment
|
/test-all |
|
/test-e2e |
|
/test-networkpolicy |
|
/test-conformance |
|
/test-e2e |
|
/test-all |
|
/test-e2e |
This change allows controller to compute for new AntreaNetworkPolicy (antrea-io#716), and incorporates ExternalEnitity information in the internal NetworkPolicy between controller and agents.
|
/test-all |
|
/test-e2e |
|
/test-conformance |
…ntrea-io#774) This change allows controller to compute for new AntreaNetworkPolicy (antrea-io#716), and incorporates ExternalEnitity information in the internal NetworkPolicy between controller and agents.
This change allows controller to compute for new AntreaNetworkPolicy
(#716), and incorporates ExternalEnitity
information in the internal NetworkPolicy between controller and agents.