fix: add default deny acl (#1935)

kubeovn · Oct 9, 2022 · b3a1cf6 · b3a1cf6
1 parent 903eff0
commit b3a1cf6
Show file tree

Hide file tree

Showing 4 changed files with 92 additions and 3 deletions.
diff --git a/.github/workflows/build-x86-image.yaml b/.github/workflows/build-x86-image.yaml
@@ -270,6 +270,13 @@ jobs:
           sudo chmod -R 777 /home/runner/.kube/
           make e2e-underlay-single-nic
 
+      - name: Run networkpolicy E2E
+        working-directory: test/networkpolicy-cyclonus/
+        run: |
+          sudo cp -r /root/.kube/ /home/runner/.kube/
+          sudo chmod -R 777 /home/runner/.kube/
+          bash ./start-test.sh
+
       - name: Cleanup
         run: |
           sh -c 'while :; do if [ $(kubectl get --no-headers subnet | wc -l) -eq 2 ]; then break; fi; sleep 5; done'
@@ -376,7 +383,7 @@ jobs:
     needs: build
     name: ipv6-e2e
     runs-on: ubuntu-20.04
-    timeout-minutes: 30
+    timeout-minutes: 45
     steps:
       - name: Check out code
         uses: actions/checkout@v2
@@ -421,6 +428,13 @@ jobs:
           sudo chmod -R 777 /home/runner/.kube/
           make e2e-ipv6
 
+      - name: Run networkpolicy E2E
+        working-directory: test/networkpolicy-cyclonus/
+        run: |
+          sudo cp -r /root/.kube/ /home/runner/.kube/
+          sudo chmod -R 777 /home/runner/.kube/
+          bash ./start-test.sh
+
       - name: Cleanup
         run: |
           sh -c 'while :; do if [ $(kubectl get --no-headers subnet | wc -l) -eq 2 ]; then break; fi; sleep 5; done'
@@ -599,6 +613,13 @@ jobs:
           sudo chmod -R 777 /home/runner/.kube/
           make e2e
 
+      - name: Run networkpolicy E2E
+        working-directory: test/networkpolicy-cyclonus/
+        run: |
+          sudo cp -r /root/.kube/ /home/runner/.kube/
+          sudo chmod -R 777 /home/runner/.kube/
+          bash ./start-test.sh
+
       - name: Cleanup
         run: |
           sh -c 'while :; do if [ $(kubectl get --no-headers subnet | wc -l) -eq 2 ]; then break; fi; sleep 5; done'
@@ -608,7 +629,7 @@ jobs:
     needs: build
     name: dual-stack-underlay-e2e-single-nic
     runs-on: ubuntu-20.04
-    timeout-minutes: 30
+    timeout-minutes: 45
     steps:
       - name: Check out code
         uses: actions/checkout@v2
@@ -653,6 +674,13 @@ jobs:
           sudo chmod -R 777 /home/runner/.kube/
           make e2e-underlay-single-nic
 
+      - name: Run networkpolicy E2E
+        working-directory: test/networkpolicy-cyclonus/
+        run: |
+          sudo cp -r /root/.kube/ /home/runner/.kube/
+          sudo chmod -R 777 /home/runner/.kube/
+          bash ./start-test.sh
+
       - name: Cleanup
         run: |
           sh -c 'while :; do if [ $(kubectl get --no-headers subnet | wc -l) -eq 2 ]; then break; fi; sleep 5; done'
@@ -678,7 +706,7 @@ jobs:
     needs: build
     name: dual-stack-underlay-logical-gateway-e2e
     runs-on: ubuntu-20.04
-    timeout-minutes: 30
+    timeout-minutes: 45
     steps:
       - name: Check out code
         uses: actions/checkout@v2
@@ -723,6 +751,13 @@ jobs:
           sudo chmod -R 777 /home/runner/.kube/
           make e2e
 
+      - name: Run networkpolicy E2E
+        working-directory: test/networkpolicy-cyclonus/
+        run: |
+          sudo cp -r /root/.kube/ /home/runner/.kube/
+          sudo chmod -R 777 /home/runner/.kube/
+          bash ./start-test.sh
+
       - name: Cleanup
         run: |
           sh -c 'while :; do if [ $(kubectl get --no-headers subnet | wc -l) -eq 2 ]; then break; fi; sleep 5; done'

diff --git a/pkg/controller/network_policy.go b/pkg/controller/network_policy.go
@@ -313,6 +313,11 @@ func (c *Controller) handleUpdateNp(key string) error {
 						klog.Errorf("failed to create ingress acls for np %s, %v", key, err)
 						return err
 					}
+				} else {
+					if err = c.ovnLegacyClient.CreateIngressACL(pgName, ingressAllowAsName, ingressExceptAsName, svcAsName, protocol, []netv1.NetworkPolicyPort{}, logEnable); err != nil {
+						klog.Errorf("failed to create default deny all ingress acls for np %s, %v", key, err)
+						return err
+					}
 				}
 			}
 			if len(np.Spec.Ingress) == 0 {

diff --git a/test/networkpolicy-cyclonus/cyclonus.yaml b/test/networkpolicy-cyclonus/cyclonus.yaml
@@ -0,0 +1,25 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: cyclonus
+  namespace: kube-system
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      containers:
+        - command:
+            - ./cyclonus
+            - generate
+            - --exclude=
+            - --include=upstream-e2e
+            - --retries=3
+            - --noisy=true
+            - --ignore-loopback=true
+            - --cleanup-namespaces=true
+            - --server-port=80
+            - --server-protocol=tcp
+          name: cyclonus
+          imagePullPolicy: IfNotPresent
+          image: mfenwick100/cyclonus:v0.5.0
+      serviceAccount: cyclonus
diff --git a/test/networkpolicy-cyclonus/start-test.sh b/test/networkpolicy-cyclonus/start-test.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+set -xv
+
+# set up cyclonus
+kubectl create clusterrolebinding cyclonus --clusterrole=cluster-admin --serviceaccount=kube-system:cyclonus
+kubectl create sa cyclonus -n kube-system
+kubectl create -f ./cyclonus.yaml
+
+# don't fail on errors, so we can dump the logs.
+set +e
+
+time kubectl wait --for=condition=complete --timeout=60m -n kube-system job.batch/cyclonus
+rc=$?
+
+# grab the job logs
+LOG_FILE=$(mktemp)
+kubectl logs -n kube-system job.batch/cyclonus > "$LOG_FILE"
+cat "$LOG_FILE"
+
+# if 'failure' is in the logs, fail; otherwise succeed
+cat "$LOG_FILE" | grep "failure" > /dev/null 2>&1 && rc=1
+exit $rc