New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for references to CiliumCIDRGroup inside FromCIDRSet for ingress rules in CNPs #24638
Add support for references to CiliumCIDRGroup inside FromCIDRSet for ingress rules in CNPs #24638
Conversation
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
e7ecffd
to
7a0f675
Compare
7a0f675
to
c6b6633
Compare
d9763d4
to
1b055b0
Compare
dce042a
to
10615c4
Compare
pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml
Outdated
Show resolved
Hide resolved
4d15cc5
to
de686ff
Compare
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
de686ff
to
74873ee
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, just one super minor nit. Great work. The splitting up of the logic for the refactor vs. the new feature also made the PR much easier to reason about 👏
/test Job 'Cilium-PR-K8s-1.24-kernel-5.4' failed: Click to show.Test Name
Failure Output
Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.24-kernel-5.4/1754/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Job 'Cilium-PR-K8s-1.16-kernel-4.19' hit: #24697 (88.40% similarity) Edit:
|
This generates the CiliumCIDRGroup type, to reference a group of CIDRs as a single entity in CiliumNetworkPolicies. Co-authored-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Embed `cidrGroupRef` field in api.CIDRRule to reference CiliumCIDRGroup objects in Cilium Network Policies. The field can be used to allow ingress traffic from a set of CIDRs listed in the referenced CiliumCIDRGroup object. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
daa64f1
to
39f51d6
Compare
CNP and CCNP events handling is based on the same code, since each CNP and CCNP is first translated to an intermediate types.SlimCNP representation. To support the handling of CNP/CCNP updates, there are two separate caches, one for CNP and one for CCNP. This commit unify the events handling and the caches, relying on the two event channels to avoid any additional locking mechanism. This sets the stage for the fromCIDRGroupRef feature, where we need to reference another k8s object (CiliumCIDRGroup) to get the CIDRs the policies are going to allow when filtering ingress traffic. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> Signed-off-by: Chris Tarazi <chris@isovalent.com>
39f51d6
to
d30af4e
Compare
Add support for cidrGroupRef field in Ingress rules for Cilium Network Policies. The new field allows to reference a list of CiliumCIDRGroup objects that contain the CIDRs from which we wants to allow traffic from. The feature is implemented as a wrapper to the existing FromCIDRSet Ingress rule. Each policy with a reference to a cidr group is translated in an equivalent "FromCIDRSet policy" after looking up the CIDRs in the referenced CiliumCIDRGroup objects. To do that, we use a single handler for CiliumNetworkPolicy, CiliumClusterwideNetworkPolicy and CiliumCIDRGroup in the k8s watcher, in order to avoid further locking when accessing the CNP/CCNP cache or the CIDRGroup one. Every time the referenced CiliumCIDRGroups are updated, the CNP rules are recalculated, in order to append to the Ingress.FromCIDRSet field the updated lists of CIDRs. In case the referenced CiliumCIDRGroups k8s objects are all empty or deleted, the policy behaviour is default-deny. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> Signed-off-by: Chris Tarazi <chris@isovalent.com>
policy_change_total metric counts all the policies change events and should take into account Cilium Clusterwide Network Policied events too. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Inspired from the CNP watcher. Co-authored-by: Fabio Falzoi <fabio.falzoi@isovalent.com> Signed-off-by: Chris Tarazi <chris@isovalent.com>
The NoOp* variables are used in pkg/metrics to define metrics that can be disabled. All of those metrics are grouped together as a slice of prometheus.Collector and then registered to the prometheus register. To add a metric of type prometheus.Histogram that can also be disabled, a type that satisfies both `prometheus.Collector` and `prometheus.Observer` is needed, so the NoOpHistogram of type prometheus.histogram is added. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Add a metric to measure the time taken to translate the FromCIDRGroupRef field in CNPs and CCNPs. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Add a gauge metric to count the current number of CNPs and CCNPs that reference at least a CiliumCIDRGroup object. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Assign the following files: - k8s/pkg/watcher/cilium_network_policy.go - k8s/pkg/watcher/cilium_cidr_group.go - k8s/pkg/watcher/cilium_cidr_group_test.go containing the shared handler for CNP, CCNP and CCG objects to sig-policy group. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
d30af4e
to
60506a7
Compare
/test Job 'Cilium-PR-K8s-1.16-kernel-4.19' failed: Click to show.Test Name
Failure Output
Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.16-kernel-4.19/916/ If it is a flake and a GitHub issue doesn't already exist to track it, comment |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fantastic work!
4.19 hit #24840 |
/test-1.16-4.19 |
Add support for
cidrGroupRef
in CIDR ingress rules in Cilium Network Policies.The new rule allows to reference a list of CiliumCIDRGroup objects that contain the CIDRs from which we want to allow traffic from.
An example of the newly introduced CiliumCIDRGroup CRD is the following:
The feature is implemented as a wrapper to the existing FromCIDR Ingress rule. Each
cidrGroupRef
field is translated to the equivalentfromCIDRSet
block with the CIDRs from the referenced CiliumCIDRGroup object.To do that, we use a single handler for CiliumNetworkPolicy, CiliumClusterwideNetworkPolicy and CiliumCIDRGroup in the k8s watcher.
Every time the referenced CiliumCIDRGroups are updated, the CNP rules are recalculated, in order to append to the Ingress.FromCIDR field the updated lists of CIDRs.
In case the lists of CIDRs in the referenced CiliumCIDRGroups are all empty, the policy will have an Ingress rule with all fields equal to nil, except the
cidrGroupRef
one. That would result in the same behavior as an empty FromCIDR rule, which means default deny.This PR also adds some metrics to get info about the new Ingress rule impact and usage. Specifically:
cidrGroupRef
field into CIDRsFixes #10349