
Network policy: use shared pod selector address sets #3329

Merged (5 commits), Mar 17, 2023

Commits on Mar 16, 2023

  1. Unlock shared default deny port group early, when no db changes

    required, to unlock other handlers from the same namespace.
    
    Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
    npinaeva committed Mar 16, 2023 (f6f3ed8)
  2. Add PodSelectorAddressSet object, that should be used to manage

    address sets for pod selector (network policy object is only
    responsible for local pods and peer namespace-only handlers).
    The locking mechanism is copied from networkPolicy.
    
    Update delete logic for completed pods: match collided pod
    not only by podSelector, but also by namespace selector.
    
    PeerPod functions were moved from policy.go and gress_policy.go.
    
    Update syncNetworkPolicies to clean up policies based on acls, and not
    address sets, since address sets are not created for policies without
    peers with selectors, and it doesn't clean up default deny port groups.
    New sync is based on acls, it will only skip empty policies without
    any gress rules. This should be fixed later with proper ownership
    indexing for port groups.
    
    Rename metrics from peer/network_policy to pod_selector_address_set.
    
    Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
    npinaeva committed Mar 16, 2023 (120140f)
  3. Rework gressPolicy ACLs build: previously all gress policies with at

    least one selector had peerAddressSet, and empty gress (allow all)
    was identified by "gp.sizeOfAddressSet() > 0". Now we don't create
    address sets like that, therefore a new hasPeerSelector field was added
    to distinguish empty gress from the one that just doesn't have any
    address sets added yet.
    
    Previously l3Match for gress with namespace selector that doesn't select
    anything looked like "ip4.src == {<empty address set>}", now it will be
    "ip4.src == {}".
    
    Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
    
    update 2
    
    Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
    npinaeva committed Mar 16, 2023 (ed34024)
  4. Add PodSelectorAddressSet tests.

    Add new functions to FakeAddressSetFactory for more insight into
    existing address sets.
    Add tests for PodSelectorAddressSet
    
    Update Netpol-owned address sets to be shared.
    Add netpol test that verifies that default deny port groups and port
    groups for policies without peer selectors (IpBlock) are cleaned up
    on sync.
    
    Move completed pod test from policy_test to pod_selector_address_set_test,
    simplify the test and make sure the IP will be removed when collided pod
    is not selected by the address set.
    
    Update policy sync tests with existing policy in every namespace
    to make sure port groups won't be deleted as stale before being updated.
    
    Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
    npinaeva committed Mar 16, 2023 (7f4b409)
  5. Don't create ACL if no namespace address sets are selected.

    Previously an "ip4.dst == {}" match was created, and ovn-controller
    throws an error on such an ACL.
    
    Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
    npinaeva committed Mar 16, 2023 (54b67a3)
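Commits 3 and 5 together describe one decision: a gress rule with no peer selector is "allow all" and gets no address-set match, while a rule whose selectors currently match nothing must not be rendered as `ip4.dst == {}`, because ovn-controller rejects that ACL. The following Go block is an added example that models that decision; it is not code from ovn-kubernetes, and apart from the `hasPeerSelector` field named in commit 3, the struct fields, the address-set hash names and the `l3Match` signature are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// gressPolicy is a constructed stand-in for the ovn-kubernetes gressPolicy
// struct, modelling only the fields this decision needs (hasPeerSelector is
// the field added in commit 3; the rest are assumptions).
type gressPolicy struct {
	direction       string   // "ingress" or "egress"
	hasPeerSelector bool     // rule has at least one pod/namespace selector peer
	addressSets     []string // hash names of the address sets selected so far
}

// l3Match returns the OVN ip4 match for the rule and whether an ACL should
// be built from it. A rule without a peer selector is "allow all" and needs
// no address-set match; a rule whose selectors currently match nothing
// would render as "ip4.dst == {}", which ovn-controller rejects (commit 5),
// so the caller must not create an ACL for it.
func (gp *gressPolicy) l3Match() (match string, buildACL bool) {
	field := "ip4.src"
	if gp.direction == "egress" {
		field = "ip4.dst"
	}
	if !gp.hasPeerSelector {
		return "", true // empty gress: allow all, no address sets involved
	}
	if len(gp.addressSets) == 0 {
		return field + " == {}", false // nothing selected yet: skip the ACL
	}
	names := append([]string(nil), gp.addressSets...)
	sort.Strings(names) // deterministic match string regardless of map order
	return fmt.Sprintf("%s == {$%s}", field, strings.Join(names, ", $")), true
}

func main() {
	for _, gp := range []*gressPolicy{
		{direction: "ingress"},
		{direction: "egress", hasPeerSelector: true},
		{direction: "egress", hasPeerSelector: true, addressSets: []string{"a_ns2", "a_ns1"}},
	} {
		m, build := gp.l3Match()
		fmt.Printf("match=%q buildACL=%v\n", m, build)
	}
}
```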