-
Notifications
You must be signed in to change notification settings - Fork 373
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CNP Tier integration #956
CNP Tier integration #956
Conversation
Thanks for your PR. The following commands are available:
These commands can only be run by members of the vmware-tanzu organization. |
3e74f76
to
aaf87ff
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, minor nit
Signed-off-by: abhiraut <rauta@vmware.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Can one of the admins verify this patch? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
--- a/pkg/controller/networkpolicy/networkpolicy_controller.go
+++ b/pkg/controller/networkpolicy/networkpolicy_controller.go
@@ -1324,6 +1324,7 @@ func (n *NetworkPolicyController) syncInternalNetworkPolicy(key string) error {
Rules: internalNP.Rules,
AppliedToGroups: internalNP.AppliedToGroups,
Priority: internalNP.Priority,
+ TierPriority: internalNP.TierPriority,
Without this line, the Tier info for the Internal NetworkPolicy would be lost each time a span update happens for example.
/test-all |
/test-windows-networkpolicy |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm, this PR is also used for integration testing in #986 and result is good.
Thanks for your PR. The following commands are available:
These commands can only be run by members of the vmware-tanzu organization. |
/test-all |
// Tier's Priority and the NetworkPolicy's own Priority. If not specified, | ||
// this policy will be created in the Application Tier right above the K8s | ||
// NetworkPolicy which resides at the bottom. | ||
Tier string `json:"tier,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am curious about why we do not do something like this in this file:
type Tier string
const (
TierEmergency Tier = "Emergency"
TierSecurityOps Tier = "SecurityOps"
# ...
)
Since my understanding based on the openAPI schema for the CRDs is that we constrain the tiers to a predefined set.
This seems to be pretty common in K8s APIs: https://godoc.org/k8s.io/api/core/v1#RestartPolicy
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i left it as string because idea is to replace the static tiers to CRDs where the name of the tier may not necessarily be part of the enum..
/test-all |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, two minor comments.
if in.TierPriority != nil { | ||
inTierPriority := uint32(*in.TierPriority) | ||
out.TierPriority = &inTierPriority | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we assume objects in store will always be overridden when it's updated, so it should be safe to just copy the pointer like other fields. AppliedToGroups
is a slice, Priority
is *float64
, we don't make a copy too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated.. needed to do conversion from type TierPriority to uint32 .. moved the TierPriority type to networking types.. so this conversion is no longer needed. PTAL
/test-all |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approving again, it seems Quan's comments have been addressed
/test-windows-conformance |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Add support for Tiered ClusterNetworkPolicies by associating a CNP with Tier name. This PR adds the following: Add a new field tier to CNP and native NP specs Add "Emergency, SecurityOps, NetworkOps, Platform, Application" as choices for tier names Add Tier column to the CNP kubectl get cnp output Update internal NetworkPolicy types to include the TierPriority associated with above tier names A CNP without any association to any tier will be created in the default lowest priority tier i.e. "Application Tier". The same applies for all existing CNP created prior to the Tier introduction. The tiers have the following precedence: Emergency > SecurityOps > NetworkOps > Platform > Application i.e. all policies associated with Emergency Tiers will be evaluated before any policy associated with SecurityOps tier and so on. The K8s NetworkPolicies will be evaluated once all Tiers are evaluated i.e. after the Application Tier.
Add support for Tiered ClusterNetworkPolicies by associating a CNP with Tier name. This PR adds the following:
tier
to CNP and native NP specskubectl get cnp
outputTierPriority
associated with above tier namesA CNP without any association to any tier will be created in the default lowest priority tier i.e. "Application Tier". The same
applies for all existing CNP created prior to the Tier introduction.
The tiers have the following precedence:
Emergency > SecurityOps > NetworkOps > Platform > Application
i.e. all policies associated with Emergency Tiers will be evaluated before any policy associated with SecurityOps tier and so on.
The K8s NetworkPolicies will be evaluated once all Tiers are evaluated i.e. after the Application Tier.
Related-Issue: #917