
CNP Tier integration #956

Merged
merged 10 commits into from
Aug 6, 2020

Conversation

abhiraut
Contributor

@abhiraut abhiraut commented Jul 15, 2020

Add support for Tiered ClusterNetworkPolicies by associating a CNP with a Tier name. This PR adds the following:

  • Add a new field tier to CNP and native NP specs
  • Add "Emergency, SecurityOps, NetworkOps, Platform, Application" as choices for tier names
  • Add a Tier column to the kubectl get cnp output
  • Update internal NetworkPolicy types to include the TierPriority associated with the above tier names
  • Add unit tests

A CNP without any association to a tier will be created in the default lowest-priority tier, i.e. the "Application" Tier. The same applies to all existing CNPs created prior to the Tier introduction.
The tiers have the following precedence:
Emergency > SecurityOps > NetworkOps > Platform > Application
i.e. all policies associated with the Emergency Tier will be evaluated before any policy associated with the SecurityOps tier, and so on.
The K8s NetworkPolicies will be evaluated once all Tiers are evaluated, i.e. after the Application Tier.

Related-Issue: #917
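
The precedence rules in the description above, as an added example that is not part of this PR or of Antrea's code: a small Go model that maps spec.tier to a TierPriority, defaults an unset tier (including pre-tier CNPs) to Application, rejects any name outside the five allowed ones, and orders policies by tier and then by priority, with K8s NetworkPolicies last. The numeric TierPriority values, the Policy type and the rule that a lower CNP priority is evaluated first within a tier are assumptions of the example, not taken from the page.

```go
package main

import (
	"fmt"
	"sort"
)

// Illustrative tier model for this PR, not Antrea's code; a lower TierPriority runs first, values assumed.
type TierPriority uint32
var tierPriority = map[string]TierPriority{
	"Emergency": 50, "SecurityOps": 100, "NetworkOps": 150,
	"Platform": 200, "Application": 250,
}
const k8sNPPriority TierPriority = 1<<32 - 1 // K8s NPs run after every tier
// Policy is a minimal stand-in for a CNP or a K8s NetworkPolicy.
type Policy struct {
	Name     string
	Tier     string  // CNP spec.tier; "" means unspecified
	Priority float64 // CNP priority within its tier, lower first (assumed)
	IsK8sNP  bool
}
// TierPriorityOf: K8s NPs sort after every tier; an unset tier (also pre-tier CNPs) defaults to Application.
func TierPriorityOf(p Policy) (TierPriority, bool) {
	if p.IsK8sNP {
		return k8sNPPriority, true
	}
	if p.Tier == "" {
		p.Tier = "Application"
	}
	tp, ok := tierPriority[p.Tier] // ok=false for a name outside the enum
	return tp, ok
}

// EvaluationOrder sorts by TierPriority, then Priority; unknown tiers fail closed.
func EvaluationOrder(policies []Policy) ([]Policy, error) {
	sorted := append([]Policy(nil), policies...) // copy, input stays untouched
	for _, p := range sorted {
		if _, ok := TierPriorityOf(p); !ok {
			return nil, fmt.Errorf("policy %q: unknown tier %q", p.Name, p.Tier)
		}
	}
	sort.SliceStable(sorted, func(i, j int) bool {
		a, _ := TierPriorityOf(sorted[i])
		b, _ := TierPriorityOf(sorted[j])
		if a != b {
			return a < b
		}
		return sorted[i].Priority < sorted[j].Priority
	})
	return sorted, nil
}
```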

@antrea-bot
Collaborator

Thanks for your PR.
Unit tests and code linters are run automatically every time the PR is updated.
E2e, conformance and network policy tests can only be triggered by a member of the vmware-tanzu organization. Regular contributors to the project should join the org.

The following commands are available:

  • /test-e2e: to trigger e2e tests.
  • /skip-e2e: to skip e2e tests.
  • /test-conformance: to trigger conformance tests.
  • /skip-conformance: to skip conformance tests.
  • /test-whole-conformance: to trigger all conformance tests on linux.
  • /skip-whole-conformance: to skip all conformance tests on linux.
  • /test-networkpolicy: to trigger networkpolicy tests.
  • /skip-networkpolicy: to skip networkpolicy tests.
  • /test-windows-conformance: to trigger windows conformance tests.
  • /skip-windows-conformance: to skip windows conformance tests.
  • /test-windows-networkpolicy: to trigger windows networkpolicy tests.
  • /skip-windows-networkpolicy: to skip windows networkpolicy tests.
  • /test-all: to trigger all tests (except whole conformance).
  • /skip-all: to skip all tests (except whole conformance).

These commands can only be run by members of the vmware-tanzu organization.

@abhiraut abhiraut force-pushed the cnp-tier-ctrl branch 3 times, most recently from 3e74f76 to aaf87ff Compare July 21, 2020 00:10
@abhiraut abhiraut changed the title WIP: Cnp tier integration CNP Tier integration Jul 21, 2020
@abhiraut abhiraut requested review from Dyanngg, tnqn and jianjuns July 21, 2020 22:04
Dyanngg
Dyanngg previously approved these changes Jul 21, 2020
Contributor

@Dyanngg Dyanngg left a comment

LGTM, minor nit

Signed-off-by: abhiraut <rauta@vmware.com>
@abhiraut abhiraut requested a review from Dyanngg July 24, 2020 19:25
@abhiraut abhiraut added this to the Antrea v0.9.0 release milestone Jul 24, 2020
Contributor

@Dyanngg Dyanngg left a comment

LGTM

@antrea-bot
Collaborator

Can one of the admins verify this patch?

Contributor

@Dyanngg Dyanngg left a comment

--- a/pkg/controller/networkpolicy/networkpolicy_controller.go
+++ b/pkg/controller/networkpolicy/networkpolicy_controller.go
@@ -1324,6 +1324,7 @@ func (n *NetworkPolicyController) syncInternalNetworkPolicy(key string) error {
                Rules:           internalNP.Rules,
                AppliedToGroups: internalNP.AppliedToGroups,
                Priority:        internalNP.Priority,
+               TierPriority:    internalNP.TierPriority,
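
Review bot: the struct literal in `syncInternalNetworkPolicy` rebuilds the internal NetworkPolicy field by field, so any field added to the type but not added to this copy is silently dropped on the next re-sync, which is how `TierPriority` went missing before this line. Worth adding a unit test in `clusternetworkpolicy_test.go` that updates a tiered CNP's span and asserts `TierPriority` is still set afterwards, so the next field addition cannot regress the same way.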

Without this line, the Tier info for the internal NetworkPolicy would be lost each time a span update happens, for example.

@abhiraut abhiraut requested a review from Dyanngg July 29, 2020 19:29
@abhiraut
Contributor Author

/test-all

@abhiraut
Contributor Author

/test-windows-networkpolicy

Dyanngg
Dyanngg previously approved these changes Jul 30, 2020
Contributor

@Dyanngg Dyanngg left a comment

LGTM, this PR is also used for integration testing in #986 and the result is good.

jianjuns
jianjuns previously approved these changes Aug 4, 2020
@abhiraut
Contributor Author

abhiraut commented Aug 4, 2020

/test-all

build/yamls/base/crds.yml
// Tier's Priority and the NetworkPolicy's own Priority. If not specified,
// this policy will be created in the Application Tier right above the K8s
// NetworkPolicy which resides at the bottom.
Tier string `json:"tier,omitempty"`
Contributor

I am curious about why we do not do something like this in this file:

type Tier string

const (
    TierEmergency   Tier = "Emergency"
    TierSecurityOps Tier = "SecurityOps"
    // ...
)

Since my understanding based on the openAPI schema for the CRDs is that we constrain the tiers to a predefined set.
This seems to be pretty common in K8s APIs: https://godoc.org/k8s.io/api/core/v1#RestartPolicy

Contributor Author

I left it as a string because the idea is to replace the static tiers with CRDs, where the name of the tier may not necessarily be part of the enum.

@abhiraut
Contributor Author

abhiraut commented Aug 4, 2020

/test-all

Dyanngg
Dyanngg previously approved these changes Aug 4, 2020
antoninbas
antoninbas previously approved these changes Aug 5, 2020
Contributor

@antoninbas antoninbas left a comment

LGTM

Member

@tnqn tnqn left a comment

LGTM, two minor comments.

pkg/controller/networkpolicy/clusternetworkpolicy_test.go
if in.TierPriority != nil {
    inTierPriority := uint32(*in.TierPriority)
    out.TierPriority = &inTierPriority
}
Member

I think we assume objects in the store will always be overridden when updated, so it should be safe to just copy the pointer like the other fields. AppliedToGroups is a slice, Priority is *float64, and we don't make a copy of those either.

Contributor Author

Updated. I needed to do a conversion from type TierPriority to uint32; I moved the TierPriority type to the networking types, so this conversion is no longer needed. PTAL

@abhiraut abhiraut dismissed stale reviews from antoninbas and Dyanngg via ce0ef2e August 5, 2020 19:13
@abhiraut
Contributor Author

abhiraut commented Aug 5, 2020

/test-all

@abhiraut abhiraut requested review from Dyanngg, antoninbas and tnqn August 5, 2020 21:37
Contributor

@antoninbas antoninbas left a comment

Approving again, it seems Quan's comments have been addressed

@abhiraut
Contributor Author

abhiraut commented Aug 6, 2020

/test-windows-conformance

Member

@tnqn tnqn left a comment

LGTM

@abhiraut abhiraut merged commit 1ff54b5 into antrea-io:master Aug 6, 2020
@abhiraut abhiraut deleted the cnp-tier-ctrl branch August 6, 2020 06:03
GraysonWu pushed a commit to GraysonWu/antrea that referenced this pull request Sep 22, 2020