Report policy revision implemented by the proxy in Endpoint model #3151
Conversation
joestringer
added
wip
area/proxy
test/k8sT/Updates.go
Outdated
| "github.com/cilium/cilium/test/helpers" | ||
|
|
||
| . "github.com/onsi/ginkgo" | ||
| . "github.com/onsi/gomega" |
test/k8sT/Updates.go
Outdated
|
|
||
| "github.com/cilium/cilium/test/helpers" | ||
|
|
||
| . "github.com/onsi/ginkgo" |
pkg/envoy/endpoint.go
Outdated
| return | ||
| } | ||
|
|
||
| func NewNetworkPolicyEventList() *NetworkPolicyEventList { |
There was a problem hiding this comment.
exported function NewNetworkPolicyEventList should have comment or be unexported
pkg/envoy/cilium/npds.pb.go
Outdated
| @@ -68,6 +72,13 @@ func (m *NetworkPolicy) GetEgressPerPortPolicies() []*PortNetworkPolicy { | |||
| return nil | |||
| } | |||
|
|
|||
| func (m *NetworkPolicy) GetPolicy() uint64 { | |||
There was a problem hiding this comment.
exported method NetworkPolicy.GetPolicy should have comment or be unexported
pkg/envoy/cilium/npds.pb.go
Outdated
| } | ||
|
|
||
| func (m *NetworkPolicy) Reset() { *m = NetworkPolicy{} } | ||
| func (m *NetworkPolicy) String() string { return proto.CompactTextString(m) } | ||
| func (*NetworkPolicy) ProtoMessage() {} | ||
| func (*NetworkPolicy) Descriptor() ([]byte, []int) { return fileDescriptor3, []int{0} } | ||
|
|
||
| func (m *NetworkPolicy) GetPolicy() uint64 { | ||
| func (m *NetworkPolicy) GetName() string { |
There was a problem hiding this comment.
exported method NetworkPolicy.GetName should have comment or be unexported
joestringer
force-pushed
the
submit/report-npds-revision
branch
from
021447f
to
b52efd1
Compare
api/v1/openapi.yaml
Outdated
| @@ -823,6 +823,9 @@ definitions: | |||
| policy-revision: | |||
| description: The policy revision this endpoint is running on | |||
| type: integer | |||
| proxy-policy-revision: | |||
| description: The policy revision currently in use in the proxy | |||
pkg/envoy/endpoint.go
Outdated
| ) | ||
|
|
||
| var ( | ||
| defaultipToBindingSize = 64 |
pkg/envoy/endpoint.go
Outdated
| GetIdentity() identity.NumericIdentity | ||
|
|
||
| // OnProxyPolicyUpdate is called when the proxy confirms that it | ||
| // has implemented a policy. |
pkg/envoy/endpoint.go
Outdated
|
|
||
| var ( | ||
| defaultipToBindingSize = 64 | ||
| unackedNPDSUpdates *NetworkPolicyEventList |
There was a problem hiding this comment.
Add a TODO(rlenglet) comment: move this into the XDSServer.
pkg/envoy/endpoint.go
Outdated
| } | ||
| } | ||
|
|
||
| // Remove an endpoint from the list so that it no longer receives callbacks |
pkg/envoy/server.go
Outdated
| name := strconv.FormatUint(uint64(id), 10) | ||
| NetworkPolicyCache.Upsert(NetworkPolicyTypeURL, name, networkPolicy, false) | ||
| // When successful, push them into the cache. | ||
| unackedNPDSUpdates.Insert(ep, policy.Revision, NetworkPolicyCache.GetVersion()) |
There was a problem hiding this comment.
Call wg.AddCompletion() to get a Completion and pass that to the Insert call to store it in the binding.
| @@ -148,21 +148,21 @@ func (d *Daemon) RemoveProxyRedirect(e *endpoint.Endpoint, id string) error { | |||
|
|
|||
| // UpdateNetworkPolicy adds or updates a network policy in the set | |||
| // published to L7 proxies. | |||
| func (d *Daemon) UpdateNetworkPolicy(id identity.NumericIdentity, policy *policy.L4Policy, | |||
| func (d *Daemon) UpdateNetworkPolicy(e *endpoint.Endpoint, policy *policy.L4Policy, | |||
There was a problem hiding this comment.
Add a wg *completion.WaitGroup parameter.
envoy/cilium/npds.proto
Outdated
| // The policy identifier associated with the network policy. Corresponds to | ||
| // remote_policies entries in PortNetworkPolicyRule. | ||
| // Optional. | ||
| uint64 policy = 4; |
There was a problem hiding this comment.
Just a nitpick. I would move this up and use the following labels:
string name = 1;
uint64 policy = 2;
repeated PortNetworkPolicy ingress_per_port_policies = 3;
repeated PortNetworkPolicy egress_per_port_policies = 4;
pkg/endpoint/endpoint.go
Outdated
| @@ -1883,6 +1885,17 @@ func (e *Endpoint) bumpPolicyRevision(revision uint64) { | |||
| e.Mutex.Unlock() | |||
| } | |||
|
|
|||
| // OnProxyPolicyUpdate is a callback used to update the Endpoint's | |||
| // proxyPolicyRevision when the specified revision has been implemented in the | |||
| @@ -53,12 +53,12 @@ type Owner interface { | |||
|
|
|||
| // UpdateNetworkPolicy adds or updates a network policy in the set | |||
| // published to L7 proxies. | |||
| UpdateNetworkPolicy(id identity.NumericIdentity, policy *policy.L4Policy, | |||
| UpdateNetworkPolicy(e *Endpoint, policy *policy.L4Policy, | |||
There was a problem hiding this comment.
Add a wg *completion.WaitGroup parameter.
joestringer
force-pushed
the
submit/report-npds-revision
branch
from
b52efd1
to
18be553
Compare
Signed-off-by: Joe Stringer <joe@covalent.io>
joestringer
force-pushed
the
submit/report-npds-revision
branch
from
18be553
to
f7f8ba6
Compare
| } | ||
|
|
||
| func (m *NetworkPolicy) Reset() { *m = NetworkPolicy{} } | ||
| func (m *NetworkPolicy) String() string { return proto.CompactTextString(m) } | ||
| func (*NetworkPolicy) ProtoMessage() {} | ||
| func (*NetworkPolicy) Descriptor() ([]byte, []int) { return fileDescriptor3, []int{0} } | ||
|
|
||
| func (m *NetworkPolicy) GetName() string { |
There was a problem hiding this comment.
exported method NetworkPolicy.GetName should have comment or be unexported
joestringer
force-pushed
the
submit/report-npds-revision
branch
from
f7f8ba6
to
9631842
Compare
joestringer
dismissed
rlenglet’s stale review
Addressed comments and rewrote to reuse AckingResourceMutatorWrapper. Please review.
| labelsMap identity.IdentityCache, deniedIngressIdentities, deniedEgressIdentities map[identity.NumericIdentity]bool) error { | ||
| if d.l7Proxy == nil { | ||
| return fmt.Errorf("can't update network policy, proxy disabled") | ||
| } | ||
| return d.l7Proxy.UpdateNetworkPolicy(id, policy, labelsMap, deniedIngressIdentities, deniedEgressIdentities) | ||
| // TODO(jrajahalme): Pass e.ProxyWaitGroup down |
There was a problem hiding this comment.
- @jrajahalme you'll need to pass
e.ProxyWaitGroupdown as part of your changes.
| labelsMap identity.IdentityCache, deniedIngressIdentities, deniedEgressIdentities map[identity.NumericIdentity]bool) error { | ||
| if d.l7Proxy == nil { | ||
| return fmt.Errorf("can't update network policy, proxy disabled") | ||
| } | ||
| return d.l7Proxy.UpdateNetworkPolicy(id, policy, labelsMap, deniedIngressIdentities, deniedEgressIdentities) | ||
| // TODO(jrajahalme): Pass e.ProxyWaitGroup down |
There was a problem hiding this comment.
@jrajahalme heads up. We can't pass a WaitGroup yet, because no proxy is querying + acking the NetworkPolicy resources yet, so all regenerations would fail if we did.
pkg/envoy/server.go
Outdated
| ep.GetIPv4Address(), | ||
| } | ||
| policies := []*cilium.NetworkPolicy{} | ||
| for i := range ips { |
There was a problem hiding this comment.
Nitpick: for _, ip := range ips { then use ip instead of ips[i].
pkg/envoy/server.go
Outdated
| name := strconv.FormatUint(uint64(id), 10) | ||
| NetworkPolicyCache.Upsert(NetworkPolicyTypeURL, name, networkPolicy, false) | ||
| // When successful, push them into the cache. | ||
| for i := range policies { |
There was a problem hiding this comment.
Nitpick: for _, p := range policies { then use p instead of policies[i].
pkg/envoy/server.go
Outdated
| } else { | ||
| c = wg.AddCompletionWithCallback(callback) | ||
| } | ||
| nodeIDs := []string{} |
There was a problem hiding this comment.
Nitpick:
nodeIDs := make([]string, 0, 1)
pkg/envoy/xds/cache.go
Outdated
| @@ -254,3 +254,8 @@ func (c *Cache) GetResources(ctx context.Context, typeURL string, lastVersion *u | |||
| cacheLog.Debugf("returning %d resources out of %d requested", len(res.Resources), len(resourceNames)) | |||
| return res, nil | |||
| } | |||
|
|
|||
| // GetVersion returns the version for the cache at the current point in time. | |||
| func (c *Cache) GetVersion() uint64 { | |||
There was a problem hiding this comment.
Remove. That seems unused.
Anyway it is not thread-safe as-is. This would require locking.
|
Something fishy happening in the unit tests, upserts into |
|
@joestringer Maybe the order of initialization of variables in resources.go? |
|
You could move the initialization of the variables into an |
|
@joestringer which unit tests are failing? |
|
@rlenglet I tried shifting the mutator update into an |
|
I think the problem is that we moved |
joestringer
force-pushed
the
submit/report-npds-revision
branch
2 times, most recently
from
e36829f
to
5830763
Compare
|
Good call. |
Since there is endpoint-specific configuration which affects policy, this patch changes network policies to be applied per endpoint (via IPs) rather than per identity. Do this by defining an interface of the relevant portions of the endpoint that are used when updating network policy (NetworkPolicyEndpoint), and simplify UpdateNetworkPolicy() and RemoveNetworkPolicy() to pass this new NetworkPolicyEndpoint around. Fixes: cilium#3122 Signed-off-by: Joe Stringer <joe@covalent.io>
The existing path was updating the L7 Network Policies in the potentially dry-run path inside regeneratePolicy(), however it should only be applied when we are actually going to apply the policy changes to the datapath. Refactor the function and call it later from regenerateBPF(). Signed-off-by: Joe Stringer <joe@covalent.io>
A while ago, the spec was updated to use double graves to indicate fields, to be compatible with sphinx notation for where these fields end up in the documentation. We didn't update the API definitions at the time. Do so. This should be a functional no-op. Signed-off-by: Joe Stringer <joe@covalent.io>
An upcoming commit will need to identify which policy revision was used to generate an L4/L7 policy, so when we construct the L4Policy, cache the current policy repository revision in the L4Policy object. Signed-off-by: Joe Stringer <joe@covalent.io>
This new field will report the policy revision that has been acknowledged by the proxy, so it is clear to see whether the proxy is synchronised with Cilium or not. Signed-off-by: Joe Stringer <joe@covalent.io>
This callback will be called when the completion socket is closed. It allows an interested party to immediately apply some behaviour at the time that the completion occurs, rather than waiting on the completion in the outer code. It will be used in an upcoming commit to reflect the policy revision from proxy acknowledgements up to the endpoint. Signed-off-by: Joe Stringer <joe@covalent.io>
When the NetworkPolicyDiscoveryService acknowledges oustanding NetworkPolicyUpdates for an endpoint, push the corresponding policy revision number into the endpoint. Fixes: cilium#3144 Signed-off-by: Joe Stringer <joe@covalent.io>
joestringer
force-pushed
the
submit/report-npds-revision
branch
from
5830763
to
d4024cd
Compare
|
test-me-please |
|
The last test failed. A priori unrelated to this PR. This test seems flaky. |
|
Suspecting another test flake in |
|
test-me-please |
|
@tgraf could you please review this? Thanks! |
This PR plumbs the Repository revision and endpoints into the
NetworkPolicyDiscoveryService, where these are cached and associated withNetworkPolicyCacheversions. When Envoy receives the relevant resources and acknowledges them, it looks up in this cache to determine which policy revision is being acked and calls back into the endpoint objects to update a new field,proxyPolicyRevision.For more details, see #3144.
Fixes: #3122
Fixes: #3144