Merge pull request #1796 from jcaamano/milti-networkpolicies-rbac

Add multi-networkpolicies support for OVN

bindata/network/ovn-kubernetes/common/003-rbac-controller.yaml

@@ -122,6 +122,7 @@ rules:
   - k8s.cni.cncf.io
   resources:
   - network-attachment-definitions
+  - multi-networkpolicies
   verbs: ["list", "get", "watch"]
 
 

bindata/network/ovn-kubernetes/managed/004-config.yaml

@@ -39,6 +39,9 @@ data:
 {{- if .OVN_MULTI_NETWORK_ENABLE }}
     enable-multi-network=true
 {{- end }}
+{{- if .OVN_MULTI_NETWORK_POLICY_ENABLE }}
+    enable-multi-networkpolicy=true
+{{- end }}
 
     [gateway]
     mode={{.OVN_GATEWAY_MODE}}

bindata/network/ovn-kubernetes/managed/ovnkube-master.yaml

@@ -872,6 +872,11 @@ spec:
             multi_network_enabled_flag="--enable-multi-network"
           fi
 
+          multi_network_policy_enabled_flag=
+          if [[ "{{.OVN_MULTI_NETWORK_POLICY_ENABLE}}" == "true" ]]; then
+            multi_network_policy_enabled_flag="--enable-multi-networkpolicy"
+          fi
+
           echo "I$(date "+%m%d %H:%M:%S.%N") - ovnkube-master - start ovnkube --init-master ${K8S_NODE}"
           exec /usr/bin/ovnkube \
             --init-master "${K8S_NODE}" \
@@ -898,6 +903,7 @@ spec:
             --node-server-privkey ${TLS_PK} \
             --node-server-cert ${TLS_CERT} \
             ${multi_network_enabled_flag} \
+            ${multi_network_policy_enabled_flag} \
             --acl-logging-rate-limit "{{.OVNPolicyAuditRateLimit}}"
         volumeMounts:
         - mountPath: /etc/ovn

bindata/network/ovn-kubernetes/managed/ovnkube-node.yaml

@@ -460,6 +460,11 @@ spec:
           if [[ "{{.OVN_MULTI_NETWORK_ENABLE}}" == "true" ]]; then
             multi_network_enabled_flag="--enable-multi-network"
           fi
+          
+          multi_network_policy_enabled_flag=
+          if [[ "{{.OVN_MULTI_NETWORK_POLICY_ENABLE}}" == "true" ]]; then
+            multi_network_policy_enabled_flag="--enable-multi-networkpolicy"
+          fi
 
           exec /usr/bin/ovnkube --init-node "${K8S_NODE}" \
             --nb-address "{{.OVN_NB_DB_ENDPOINT}}" \
@@ -487,6 +492,7 @@ spec:
             --disable-snat-multiple-gws \
             ${export_network_flows_flags} \
             ${multi_network_enabled_flag} \
+            ${multi_network_policy_enabled_flag} \
             ${gw_interface_flag}
         env:
         # for kubectl

bindata/network/ovn-kubernetes/self-hosted/004-config.yaml

@@ -42,6 +42,9 @@ data:
 {{- if .OVN_MULTI_NETWORK_ENABLE }}
     enable-multi-network=true
 {{- end }}
+{{- if .OVN_MULTI_NETWORK_POLICY_ENABLE }}
+    enable-multi-networkpolicy=true
+{{- end }}
 
     [gateway]
     mode={{.OVN_GATEWAY_MODE}}

bindata/network/ovn-kubernetes/self-hosted/ovnkube-master.yaml

@@ -833,6 +833,11 @@ spec:
             multi_network_enabled_flag="--enable-multi-network"
           fi
 
+          multi_network_policy_enabled_flag=
+          if [[ "{{.OVN_MULTI_NETWORK_POLICY_ENABLE}}" == "true" ]]; then
+            multi_network_policy_enabled_flag="--enable-multi-networkpolicy"
+          fi
+
           echo "I$(date "+%m%d %H:%M:%S.%N") - ovnkube-master - start ovnkube --init-master ${K8S_NODE}"
           exec /usr/bin/ovnkube \
             --init-master "${K8S_NODE}" \
@@ -856,6 +861,7 @@ spec:
             --enable-multicast \
             --disable-snat-multiple-gws \
             ${multi_network_enabled_flag} \
+            ${multi_network_policy_enabled_flag} \
             --acl-logging-rate-limit "{{.OVNPolicyAuditRateLimit}}"
         volumeMounts:
         # for checking ovs-configuration service

bindata/network/ovn-kubernetes/self-hosted/ovnkube-node.yaml

@@ -368,6 +368,11 @@ spec:
             multi_network_enabled_flag="--enable-multi-network"
           fi
 
+          multi_network_policy_enabled_flag=
+          if [[ "{{.OVN_MULTI_NETWORK_POLICY_ENABLE}}" == "true" ]]; then
+            multi_network_policy_enabled_flag="--enable-multi-networkpolicy"
+          fi
+
           exec /usr/bin/ovnkube --init-node "${K8S_NODE}" \
             --nb-address "{{.OVN_NB_DB_LIST}}" \
             --sb-address "{{.OVN_SB_DB_LIST}}" \
@@ -394,6 +399,7 @@ spec:
             --disable-snat-multiple-gws \
             ${export_network_flows_flags} \
             ${multi_network_enabled_flag} \
+            ${multi_network_policy_enabled_flag} \
             ${gw_interface_flag}
         env:
         # for kubectl

pkg/network/ovn_kubernetes.go

@@ -364,8 +364,13 @@ func renderOVNKubernetes(conf *operv1.NetworkSpec, bootstrapResult *bootstrap.Bo
 	}
 
 	data.Data["OVN_MULTI_NETWORK_ENABLE"] = true
+	data.Data["OVN_MULTI_NETWORK_POLICY_ENABLE"] = false
 	if conf.DisableMultiNetwork != nil && *conf.DisableMultiNetwork {
 		data.Data["OVN_MULTI_NETWORK_ENABLE"] = false
+	} else if conf.UseMultiNetworkPolicy != nil && *conf.UseMultiNetworkPolicy {
+		// Multi-network policy support requires multi-network support to be
+		// enabled
+		data.Data["OVN_MULTI_NETWORK_POLICY_ENABLE"] = true
 	}
 
 	var manifestSubDir string

pkg/network/ovn_kubernetes_test.go

@@ -172,15 +172,16 @@ func TestRenderOVNKubernetesIPv6(t *testing.T) {
 
 func TestRenderedOVNKubernetesConfig(t *testing.T) {
 	type testcase struct {
-		desc                string
-		expected            string
-		hybridOverlayConfig *operv1.HybridOverlayConfig
-		gatewayConfig       *operv1.GatewayConfig
-		egressIPConfig      *operv1.EgressIPConfig
-		masterIPs           []string
-		v4InternalSubnet    string
-		disableGRO          bool
-		disableMultiNet     bool
+		desc                   string
+		expected               string
+		hybridOverlayConfig    *operv1.HybridOverlayConfig
+		gatewayConfig          *operv1.GatewayConfig
+		egressIPConfig         *operv1.EgressIPConfig
+		masterIPs              []string
+		v4InternalSubnet       string
+		disableGRO             bool
+		disableMultiNet        bool
+		enableMultiNetPolicies bool
 	}
 	testcases := []testcase{
 		{
@@ -574,6 +575,71 @@ nodeport=true`,
 			masterIPs:       []string{"1.2.3.4", "2.3.4.5"},
 			disableMultiNet: true,
 		},
+		{
+			desc: "enable multi-network policies",
+			expected: `
+[default]
+mtu="1500"
+cluster-subnets="10.128.0.0/15/23,10.0.0.0/14/24"
+encap-port="8061"
+enable-lflow-cache=true
+lflow-cache-limit-kb=1048576
+enable-udp-aggregation=true
+
+[kubernetes]
+service-cidrs="172.30.0.0/16"
+ovn-config-namespace="openshift-ovn-kubernetes"
+apiserver="https://testing.test:8443"
+host-network-namespace="openshift-host-network"
+platform-type="GCP"
+healthz-bind-address="0.0.0.0:10256"
+
+[ovnkubernetesfeature]
+enable-egress-ip=true
+enable-egress-firewall=true
+enable-egress-qos=true
+egressip-node-healthcheck-port=9107
+enable-multi-network=true
+enable-multi-networkpolicy=true
+
+[gateway]
+mode=shared
+nodeport=true`,
+			masterIPs:              []string{"1.2.3.4", "2.3.4.5"},
+			enableMultiNetPolicies: true,
+		},
+		{
+			desc: "enable multi-network policies without multi-network support",
+			expected: `
+[default]
+mtu="1500"
+cluster-subnets="10.128.0.0/15/23,10.0.0.0/14/24"
+encap-port="8061"
+enable-lflow-cache=true
+lflow-cache-limit-kb=1048576
+enable-udp-aggregation=true
+
+[kubernetes]
+service-cidrs="172.30.0.0/16"
+ovn-config-namespace="openshift-ovn-kubernetes"
+apiserver="https://testing.test:8443"
+host-network-namespace="openshift-host-network"
+platform-type="GCP"
+healthz-bind-address="0.0.0.0:10256"
+
+[ovnkubernetesfeature]
+enable-egress-ip=true
+enable-egress-firewall=true
+enable-egress-qos=true
+egressip-node-healthcheck-port=9107
+
+[gateway]
+mode=shared
+nodeport=true`,
+			masterIPs:              []string{"1.2.3.4", "2.3.4.5"},
+			disableMultiNet:        true,
+			enableMultiNetPolicies: true,
+		},
 	}
 	g := NewGomegaWithT(t)
 
@@ -597,6 +663,7 @@ nodeport=true`,
 			}
 
 			OVNKubeConfig.Spec.DisableMultiNetwork = &tc.disableMultiNet
+			OVNKubeConfig.Spec.UseMultiNetworkPolicy = &tc.enableMultiNetPolicies
 
 			crd := OVNKubeConfig.DeepCopy()
 			config := &crd.Spec