Report policy revision implemented by the proxy in Endpoint model #3151
Conversation
test/k8sT/Updates.go
Outdated
"github.com/cilium/cilium/test/helpers" | ||
|
||
. "github.com/onsi/ginkgo" | ||
. "github.com/onsi/gomega" |
should not use dot imports
test/k8sT/Updates.go
Outdated
|
||
"github.com/cilium/cilium/test/helpers" | ||
|
||
. "github.com/onsi/ginkgo" |
should not use dot imports
pkg/envoy/endpoint.go
Outdated
return | ||
} | ||
|
||
func NewNetworkPolicyEventList() *NetworkPolicyEventList { |
exported function NewNetworkPolicyEventList should have comment or be unexported
pkg/envoy/cilium/npds.pb.go
Outdated
@@ -68,6 +72,13 @@ func (m *NetworkPolicy) GetEgressPerPortPolicies() []*PortNetworkPolicy { | |||
return nil | |||
} | |||
|
|||
func (m *NetworkPolicy) GetPolicy() uint64 { |
exported method NetworkPolicy.GetPolicy should have comment or be unexported
pkg/envoy/cilium/npds.pb.go
Outdated
} | ||
|
||
func (m *NetworkPolicy) Reset() { *m = NetworkPolicy{} } | ||
func (m *NetworkPolicy) String() string { return proto.CompactTextString(m) } | ||
func (*NetworkPolicy) ProtoMessage() {} | ||
func (*NetworkPolicy) Descriptor() ([]byte, []int) { return fileDescriptor3, []int{0} } | ||
|
||
func (m *NetworkPolicy) GetPolicy() uint64 { | ||
func (m *NetworkPolicy) GetName() string { |
exported method NetworkPolicy.GetName should have comment or be unexported
021447f to b52efd1
api/v1/openapi.yaml
Outdated
@@ -823,6 +823,9 @@ definitions: | |||
policy-revision: | |||
description: The policy revision this endpoint is running on | |||
type: integer | |||
proxy-policy-revision: | |||
description: The policy revision currently in use in the proxy |
in use -> enforced (?)
pkg/envoy/endpoint.go
Outdated
) | ||
|
||
var ( | ||
defaultipToBindingSize = 64 |
const
pkg/envoy/endpoint.go
Outdated
GetIdentity() identity.NumericIdentity | ||
|
||
// OnProxyPolicyUpdate is called when the proxy confirms that it | ||
// has implemented a policy. |
implemented -> applied
pkg/envoy/endpoint.go
Outdated
|
||
var ( | ||
defaultipToBindingSize = 64 | ||
unackedNPDSUpdates *NetworkPolicyEventList |
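Review bot: unackedNPDSUpdates is package-level mutable state that is written from the UpdateNetworkPolicy path (the Insert call in pkg/envoy/server.go) and drained from whatever handles the proxy's acks, so unless NetworkPolicyEventList serializes access internally it needs its own mutex; at minimum, document the locking expectation next to the declaration so the next caller does not assume it is safe to touch unlocked.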
Add a TODO(rlenglet) comment: move this into the XDSServer.
pkg/envoy/endpoint.go
Outdated
} | ||
} | ||
|
||
// Remove an endpoint from the list so that it no longer receives callbacks |
Remove removes ...
pkg/envoy/server.go
Outdated
name := strconv.FormatUint(uint64(id), 10) | ||
NetworkPolicyCache.Upsert(NetworkPolicyTypeURL, name, networkPolicy, false) | ||
// When successful, push them into the cache. | ||
unackedNPDSUpdates.Insert(ep, policy.Revision, NetworkPolicyCache.GetVersion()) |
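Review bot: NetworkPolicyCache.GetVersion() is read in a separate call after the Upsert, so a concurrent Upsert for another endpoint can bump the cache version between these two lines and the Insert would then record the wrong version for ep, leaving it waiting on an ack that never matches. Have Upsert return the version it assigned (or take the pending entry under the cache lock) so that the version and the unacked record are associated atomically. Also, the comment `// When successful, push them into the cache.` now sits after the Upsert it describes; move it above that line or reword it to describe the Insert.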
Call wg.AddCompletion() to get a Completion and pass that to the Insert call to store it in the binding.
@@ -148,21 +148,21 @@ func (d *Daemon) RemoveProxyRedirect(e *endpoint.Endpoint, id string) error { | |||
|
|||
// UpdateNetworkPolicy adds or updates a network policy in the set | |||
// published to L7 proxies. | |||
func (d *Daemon) UpdateNetworkPolicy(id identity.NumericIdentity, policy *policy.L4Policy, | |||
func (d *Daemon) UpdateNetworkPolicy(e *endpoint.Endpoint, policy *policy.L4Policy, |
Add a wg *completion.WaitGroup parameter.
Done.
envoy/cilium/npds.proto
Outdated
// The policy identifier associated with the network policy. Corresponds to | ||
// remote_policies entries in PortNetworkPolicyRule. | ||
// Optional. | ||
uint64 policy = 4; |
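Review bot: the field tag here is a wire identifier, so moving `uint64 policy = 4;` to a different number later would be a breaking change for any proxy that has already compiled npds.proto, and it would silently read the wrong field rather than fail. If the numbering of this message is going to be reshuffled, do it in this PR, while no proxy consumes NetworkPolicy resources yet, and treat the tags as frozen from then on.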
Just a nitpick. I would move this up and use the following labels:
string name = 1;
uint64 policy = 2;
repeated PortNetworkPolicy ingress_per_port_policies = 3;
repeated PortNetworkPolicy egress_per_port_policies = 4;
pkg/endpoint/endpoint.go
Outdated
@@ -1883,6 +1885,17 @@ func (e *Endpoint) bumpPolicyRevision(revision uint64) { | |||
e.Mutex.Unlock() | |||
} | |||
|
|||
// OnProxyPolicyUpdate is a callback used to update the Endpoint's | |||
// proxyPolicyRevision when the specified revision has been implemented in the |
implemented -> applied
@@ -53,12 +53,12 @@ type Owner interface { | |||
|
|||
// UpdateNetworkPolicy adds or updates a network policy in the set | |||
// published to L7 proxies. | |||
UpdateNetworkPolicy(id identity.NumericIdentity, policy *policy.L4Policy, | |||
UpdateNetworkPolicy(e *Endpoint, policy *policy.L4Policy, |
Add a wg *completion.WaitGroup parameter.
Done.
b52efd1 to 18be553
Signed-off-by: Joe Stringer <joe@covalent.io>
18be553 to f7f8ba6
} | ||
|
||
func (m *NetworkPolicy) Reset() { *m = NetworkPolicy{} } | ||
func (m *NetworkPolicy) String() string { return proto.CompactTextString(m) } | ||
func (*NetworkPolicy) ProtoMessage() {} | ||
func (*NetworkPolicy) Descriptor() ([]byte, []int) { return fileDescriptor3, []int{0} } | ||
|
||
func (m *NetworkPolicy) GetName() string { |
exported method NetworkPolicy.GetName should have comment or be unexported
f7f8ba6 to 9631842
Addressed comments and rewrote to reuse AckingResourceMutatorWrapper. Please review.
labelsMap identity.IdentityCache, deniedIngressIdentities, deniedEgressIdentities map[identity.NumericIdentity]bool) error { | ||
if d.l7Proxy == nil { | ||
return fmt.Errorf("can't update network policy, proxy disabled") | ||
} | ||
return d.l7Proxy.UpdateNetworkPolicy(id, policy, labelsMap, deniedIngressIdentities, deniedEgressIdentities) | ||
// TODO(jrajahalme): Pass e.ProxyWaitGroup down |
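Review bot: the `// TODO(jrajahalme): Pass e.ProxyWaitGroup down` comment is placed on the line after the function's `return`, where it trails the last statement and is easy to lose when the function is next edited; move it directly above the `d.l7Proxy.UpdateNetworkPolicy(...)` call it refers to, which is the line that will have to change.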
@jrajahalme you'll need to pass e.ProxyWaitGroup down as part of your changes.
labelsMap identity.IdentityCache, deniedIngressIdentities, deniedEgressIdentities map[identity.NumericIdentity]bool) error { | ||
if d.l7Proxy == nil { | ||
return fmt.Errorf("can't update network policy, proxy disabled") | ||
} | ||
return d.l7Proxy.UpdateNetworkPolicy(id, policy, labelsMap, deniedIngressIdentities, deniedEgressIdentities) | ||
// TODO(jrajahalme): Pass e.ProxyWaitGroup down |
@jrajahalme heads up. We can't pass a WaitGroup yet, because no proxy is querying + acking the NetworkPolicy resources yet, so all regenerations would fail if we did.
LGTM. Thanks for doing this! I just have 4 nitpicks. Nothing blocking.
pkg/envoy/server.go
Outdated
ep.GetIPv4Address(), | ||
} | ||
policies := []*cilium.NetworkPolicy{} | ||
for i := range ips { |
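Review bot: `ips` includes `ep.GetIPv4Address()` unconditionally; if an endpoint has only one address family, the getter for the other presumably returns an empty string, and this loop would then build a NetworkPolicy keyed by an empty name. Skip empty entries inside the loop (`if ip == "" { continue }`) and, since the length is known, preallocate with `make([]*cilium.NetworkPolicy, 0, len(ips))` instead of `[]*cilium.NetworkPolicy{}`.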
Nitpick: for _, ip := range ips { then use ip instead of ips[i].
pkg/envoy/server.go
Outdated
name := strconv.FormatUint(uint64(id), 10) | ||
NetworkPolicyCache.Upsert(NetworkPolicyTypeURL, name, networkPolicy, false) | ||
// When successful, push them into the cache. | ||
for i := range policies { |
Nitpick: for _, p := range policies { then use p instead of policies[i].
pkg/envoy/server.go
Outdated
} else { | ||
c = wg.AddCompletionWithCallback(callback) | ||
} | ||
nodeIDs := []string{} |
Nitpick: nodeIDs := make([]string, 0, 1)
pkg/envoy/xds/cache.go
Outdated
@@ -254,3 +254,8 @@ func (c *Cache) GetResources(ctx context.Context, typeURL string, lastVersion *u | |||
cacheLog.Debugf("returning %d resources out of %d requested", len(res.Resources), len(resourceNames)) | |||
return res, nil | |||
} | |||
|
|||
// GetVersion returns the version for the cache at the current point in time. | |||
func (c *Cache) GetVersion() uint64 { |
Remove. That seems unused.
Anyway it is not thread-safe as-is. This would require locking.
Something fishy happening in the unit tests, upserts into
@joestringer Maybe the order of initialization of variables in resources.go?
You could move the initialization of the variables into an
@joestringer which unit tests are failing?
@rlenglet I tried shifting the mutator update into an
I think the problem is that we moved
e36829f to 5830763
Good call.
Since there is endpoint-specific configuration which affects policy, this patch changes network policies to be applied per endpoint (via IPs) rather than per identity. Do this by defining an interface of the relevant portions of the endpoint that are used when updating network policy (NetworkPolicyEndpoint), and simplify UpdateNetworkPolicy() and RemoveNetworkPolicy() to pass this new NetworkPolicyEndpoint around. Fixes: cilium#3122 Signed-off-by: Joe Stringer <joe@covalent.io>
The existing path was updating the L7 Network Policies in the potentially dry-run path inside regeneratePolicy(), however it should only be applied when we are actually going to apply the policy changes to the datapath. Refactor the function and call it later from regenerateBPF(). Signed-off-by: Joe Stringer <joe@covalent.io>
A while ago, the spec was updated to use double graves to indicate fields, to be compatible with sphinx notation for where these fields end up in the documentation. We didn't update the API definitions at the time. Do so. This should be a functional no-op. Signed-off-by: Joe Stringer <joe@covalent.io>
An upcoming commit will need to identify which policy revision was used to generate an L4/L7 policy, so when we construct the L4Policy, cache the current policy repository revision in the L4Policy object. Signed-off-by: Joe Stringer <joe@covalent.io>
This new field will report the policy revision that has been acknowledged by the proxy, so it is clear to see whether the proxy is synchronised with Cilium or not. Signed-off-by: Joe Stringer <joe@covalent.io>
This callback will be called when the completion socket is closed. It allows an interested party to immediately apply some behaviour at the time that the completion occurs, rather than waiting on the completion in the outer code. It will be used in an upcoming commit to reflect the policy revision from proxy acknowledgements up to the endpoint. Signed-off-by: Joe Stringer <joe@covalent.io>
When the NetworkPolicyDiscoveryService acknowledges outstanding NetworkPolicyUpdates for an endpoint, push the corresponding policy revision number into the endpoint. Fixes: cilium#3144 Signed-off-by: Joe Stringer <joe@covalent.io>
5830763 to d4024cd
test-me-please
The last test failed. A priori unrelated to this PR. This test seems flaky.
Suspecting another test flake in
test-me-please
@tgraf could you please review this? Thanks!
This PR plumbs the Repository revision and endpoints into the NetworkPolicyDiscoveryService, where these are cached and associated with NetworkPolicyCache versions. When Envoy receives the relevant resources and acknowledges them, it looks up in this cache to determine which policy revision is being acked and calls back into the endpoint objects to update a new field, proxyPolicyRevision. For more details, see #3144.
Fixes: #3122
Fixes: #3144
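The mechanism the description sketches, written out as an added Go example that is not Cilium's code and does not use its types: cache versions are associated with (endpoint, policy revision) pairs at publish time, a cumulative ack from the proxy completes every pending update at or below the acked version and calls back into the endpoint to set proxyPolicyRevision, and a waiter times out when no proxy ever acks. The names Endpoint, EventList, Publish, Ack, WaitForAck and ErrNoAck are assumptions made for this example; the one-lock design in EventList is the fix for the version race a reviewer flags above (GetVersion read separately from Upsert), and WaitForAck returning ErrNoAck is the failure mode described in the thread when a WaitGroup is wired in before any proxy acks.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
)

// Endpoint is a stand-in for the slice of cilium's Endpoint this PR touches (assumed type).
type Endpoint struct {
	mu                  sync.Mutex
	proxyPolicyRevision uint64 // last policy revision the proxy acknowledged
}

// OnProxyPolicyUpdate is the callback fired when the proxy acks a revision.
// Revisions only move forward; a late ack for an older revision is ignored.
func (e *Endpoint) OnProxyPolicyUpdate(rev uint64) {
	e.mu.Lock()
	defer e.mu.Unlock()
	if rev > e.proxyPolicyRevision {
		e.proxyPolicyRevision = rev
	}
}

func (e *Endpoint) ProxyPolicyRevision() uint64 {
	e.mu.Lock()
	defer e.mu.Unlock()
	return e.proxyPolicyRevision
}

type pending struct {
	ep  *Endpoint
	rev uint64
	ack chan struct{} // closed once the proxy acks the cache version
}

// EventList maps NetworkPolicy cache versions to the (endpoint, revision) pairs
// published under them. One mutex covers the version counter and the map, so
// bumping the version and recording the unacked update is a single atomic step.
type EventList struct {
	mu      sync.Mutex
	version uint64
	pending map[uint64][]*pending
}

func NewEventList() *EventList { return &EventList{pending: map[uint64][]*pending{}} }
// Publish models upserting ep's NetworkPolicy into the cache: it assigns the next
// version, records the unacked update under it, and returns a channel closed on ack.
func (l *EventList) Publish(ep *Endpoint, rev uint64) (uint64, <-chan struct{}) {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.version++
	p := &pending{ep: ep, rev: rev, ack: make(chan struct{})}
	l.pending[l.version] = append(l.pending[l.version], p)
	return l.version, p.ack
}

// Ack handles the proxy acknowledging cache version v. xDS acks are cumulative, so
// every update pending at a version <= v is completed. Returns how many completed.
func (l *EventList) Ack(v uint64) int {
	l.mu.Lock()
	var done []*pending
	for ver, ps := range l.pending {
		if ver <= v {
			done = append(done, ps...)
			delete(l.pending, ver) // deleting during range is safe in Go
		}
	}
	l.mu.Unlock() // callbacks run unlocked so they cannot deadlock against Publish
	for _, p := range done {
		p.ep.OnProxyPolicyUpdate(p.rev) // monotone, so map iteration order is irrelevant
		close(p.ack)
	}
	return len(done)
}

// ErrNoAck is returned when the proxy never acknowledges within the deadline.
var ErrNoAck = errors.New("proxy did not acknowledge network policy before deadline")

// WaitForAck blocks until the proxy acks or ctx expires. With no proxy attached,
// every wait ends in ErrNoAck: this is the failure mode the thread warns about.
func WaitForAck(ctx context.Context, ack <-chan struct{}) error {
	select {
	case <-ack:
		return nil
	case <-ctx.Done():
		return ErrNoAck
	}
}

func main() {
	l, ep := NewEventList(), &Endpoint{}
	_, ack := l.Publish(ep, 42)
	ctx, cancel := context.WithCancel(context.Background())
	cancel() // no proxy attached: the deadline is already gone
	fmt.Println(WaitForAck(ctx, ack), ep.ProxyPolicyRevision())
	l.Ack(1)
	fmt.Println(WaitForAck(context.Background(), ack), ep.ProxyPolicyRevision())
}
```

Running the callbacks after dropping the lock matters: the endpoint callback in the real code takes the endpoint's own mutex, and if the ack path held the event-list lock while doing so, any regeneration that holds the endpoint lock and then publishes would be a lock-order inversion.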