Add Support for Admin Network Policy #3489
Closed
tssurya changed the title from "Add Support for Admin Network Policy" to "[WIP] Add Support for Admin Network Policy" on Mar 15, 2023
tssurya changed the title from "[WIP] Add Support for Admin Network Policy" to "Add Support for Admin Network Policy" on Mar 15, 2023
tssurya force-pushed the ANP-V5 branch 3 times, most recently from 535ed60 to 0e6dd8a on March 28, 2023 10:34
the pod's positions are changing or what?! ugh.
/retest-failed
astoycos reviewed on May 31, 2023
c.anpQueue.Forget(anpKey) | ||
return true | ||
} | ||
klog.Infof("SURYA") |
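Review bot: the `klog.Infof("SURYA")` on the last line of this hunk is a leftover debug statement that will be written at Info level on every successful sync of the queue; it should be removed before merge (this is the "nit" the reviewer raises below).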
nit :)
astoycos reviewed on May 31, 2023
if err != nil && !apierrors.IsNotFound(err) { | ||
return err | ||
} | ||
klog.Infof("SURYA %v", anp) |
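Review bot: `klog.Infof("SURYA %v", anp)` on the last line of this hunk dumps the entire ANP object at Info level on every sync, which is debug residue and also noisy in production logs; drop it, or if a trace is wanted keep it at a verbose level and log only the key.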
nit comment
Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
We have a new feature called Hierarchical ACLs that is introduced in OVN to enable support for tiered ACLs. This commit ensures all existing ACLs for all features are migrated towards tier2. By default all new ACLs must be added to tier2.
Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
This commit vendors in a new sigs.k8s.io repo called network-policy-api that brings in the changes needed for admin network policy.
Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
This PR adds the pieces required to install the ANP & BANP CRDs on a kind cluster.
Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
This commit adds the preparation bits needed to be used by the ANP controller in the following commit. It also provides sufficient permissions to the systemaccount to list/watch/patch the new CRDs accordingly.
Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
This commit adds a level-driven controller using workqueues and shared informers, inspired by the documentation and recommendations from sig-api-machinery. This follows suit with existing level-driven controllers like services, egressQoS and egressSVC.
Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
This commit adds an elaborate test that tries to ensure all plausible perms/combs work for ANP and its interaction with pods/namespaces. Steps:
1. creating a pod that will act as subject of admin network policy; check if lsp is created
2. update the resource version and labels of the pod that matches the subject selector; check if lsp is added to port-group
3. update the ANP by adding one ingress rule; check if acl is created and added on the port-group
4. creating a pod that will act as peer of admin network policy; check if lsp is created
5. update the resource version and labels of the pod that matches the peer selector; check if IP is added to address-set
6. update the ANP by adding two more ingress rules with allow and pass actions; check if acls are created and added on the port-group
7. update the ANP by adding three egress rules with deny, allow and pass actions; check if acls are created and added on the port-group
8. update the labels of the pod that matches the peer selector; check if IPs are updated in address-sets
9. update the labels of the namespace that matches the peer selector; check if IPs are updated in address-sets
10. update the subject of admin network policy so that subject pod stops matching; check if port group is updated
11. update the resource version and labels of the pod that matches the new subject selector; check if port group is updated
12. update the labels of the namespace that matches the subject selector to stop matching; check if port group is updated
13. update the labels of the namespace that matches the subject selector to start matching; check if port group is updated
14. update the ANP by changing its priority and deleting 1 ingress rule & 1 egress rule; check if all objects are re-created correctly
15. delete pod matching peer selector; check if IPs are updated in address-sets
16. update the subject pod to go into completed state; check if port group is updated
17. delete the subject and peer selected namespaces; check if port group and address-sets are updated
18. update the ANP by deleting all rules; check if all objects are re-created correctly
19. delete the ANP; check if all objects are re-created correctly
Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
This commit adds an elaborate test that tries to ensure all plausible perms/combs work for BANP and its interaction with pods/namespaces. Steps:
1. creating a pod that will act as subject of baseline admin network policy; check if lsp is created
2. update the resource version and labels of the pod that matches the subject selector; check if lsp is added to port-group
3. update the BANP by adding one ingress rule; check if acl is created and added on the port-group
4. creating a pod that will act as peer of baseline admin network policy; check if lsp is created
5. update the resource version and labels of the pod that matches the peer selector; check if IP is added to address-set
6. update the BANP by adding two more ingress rules with allow and pass actions; check if acls are created and added on the port-group
7. update the BANP by adding three egress rules with deny, allow and pass actions; check if acls are created and added on the port-group
8. update the labels of the pod that matches the peer selector; check if IPs are updated in address-sets
9. update the labels of the namespace that matches the peer selector; check if IPs are updated in address-sets
10. update the subject of baseline admin network policy so that subject pod stops matching; check if port group is updated
11. update the resource version and labels of the pod that matches the new subject selector; check if port group is updated
12. update the labels of the namespace that matches the subject selector to stop matching; check if port group is updated
13. update the labels of the namespace that matches the subject selector to start matching; check if port group is updated
14. update the BANP by changing its priority and deleting 1 ingress rule & 1 egress rule; check if all objects are re-created correctly
15. delete pod matching peer selector; check if IPs are updated in address-sets
16. update the subject pod to go into completed state; check if port group is updated
17. delete the subject and peer selected namespaces; check if port group and address-sets are updated
18. update the BANP by deleting all rules; check if all objects are re-created correctly
19. delete the BANP; check if all objects are re-created correctly
Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
The actual tests are defined upstream, but this commit ensures we can consume them from upstream and run it middlestream.
Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
The ANP API supports a status.Condition which can be updated according to the plugin's implementation. Let's start a basic status update logic that we can build more profusely upon in the future so that users can learn what went wrong from the status itself.
Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
The BANP API supports a status.Condition which can be updated according to the plugin's implementation. Let's start a basic status update logic that we can build more profusely upon in the future so that users can leverage status to understand what went wrong.
Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
EDIT: It was decided in the team meeting to change all our controllers into being like the service controller, where every object change is re-queued back to the main queue and processed in a single place. ANP will also follow this pattern. I am re-working this as a new PR. Hence this PR is stale and will be superseded by #3659.
Not ready for review, development ongoing.
https://docs.google.com/presentation/d/1Y-PrygN5vfDet0K3l89o83kJ3ryial3Dq2ZE3BDVlzM/edit#slide=id.p captures the implementation details in OVN-Kubernetes
Tasks
- Tests: .Spec.Ingress and .Spec.Egress fields (kubernetes-sigs/network-policy-api#99), Add conformance for Gress rules (kubernetes-sigs/network-policy-api#112), and https://issues.redhat.com/browse/SDN-3975
- Improvements
- What this PR does and why is it needed
This PR adds support for admin network policy in ovn-kubernetes. The API lives at https://github.com/kubernetes-sigs/network-policy-api and is managed by the sig-network-policy-api working group. It is currently at version v1alpha1. Hence, until it graduates to beta, we will probably have only a tech preview version of this, not a full GA-ed version.
- Special notes for reviewers
- How to verify it
- Description for the changelog
Closes #3158
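As an added illustration of the level-driven pattern named in the controller commit and in the EDIT note above (this is example code, not code from this PR or from ovn-kubernetes): a pod event only produces the set of ANP keys to requeue, and the reconcile recomputes the subject port-group and peer address-set from the current cache rather than from the event. The types Pod and ANP, the functions AffectedKeys and Reconcile, the flat label-map selectors and the sample pods are all constructed for this example.

```go
package main

import "fmt"

// Added illustration, not ovn-kubernetes code, of the level-driven pattern this
// PR describes: a pod change only yields the set of ANP keys to requeue (the set
// doubles as workqueue-style dedup); reconcile rebuilds the OVN objects from the cache.
type Pod struct{ Name, IP string; Labels map[string]string }
type ANP struct{ Name string; Subject, Peer map[string]string } // flat label selectors (constructed)

func matches(sel, labels map[string]string) bool {
	for k, v := range sel {
		if labels[k] != v {
			return false
		}
	}
	return true
}
// AffectedKeys covers add (old == nil), update and delete (cur == nil); both
// states are checked so a pod that stops matching still requeues its ANP.
func AffectedKeys(anps []ANP, old, cur *Pod) map[string]bool {
	keys := map[string]bool{}
	for _, a := range anps {
		for _, p := range []*Pod{old, cur} {
			if p != nil && (matches(a.Subject, p.Labels) || matches(a.Peer, p.Labels)) {
				keys[a.Name] = true
			}
		}
	}
	return keys
}
// Reconcile recomputes one ANP's port-group (subject pod names) and
// address-set (peer pod IPs) from the whole pod cache, ignoring what triggered it.
func Reconcile(a ANP, cache []Pod) (portGroup, addressSet []string) {
	for _, p := range cache {
		if matches(a.Subject, p.Labels) {
			portGroup = append(portGroup, p.Name)
		}
		if matches(a.Peer, p.Labels) {
			addressSet = append(addressSet, p.IP)
		}
	}
	return portGroup, addressSet
}
func main() {
	anp := ANP{"block-monitoring", map[string]string{"app": "web"}, map[string]string{"team": "mon"}}
	web := Pod{"web-1", "10.244.0.5", map[string]string{"app": "web"}} // constructed sample pods
	mon := Pod{"prom-0", "10.244.1.9", map[string]string{"team": "mon"}}
	fmt.Println(AffectedKeys([]ANP{anp}, nil, &mon)) // pod add: requeue block-monitoring
	fmt.Println(Reconcile(anp, []Pod{web, mon}))     // [web-1] [10.244.1.9]
}
```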