Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Normal policy support for host-* endpoints #2228

Merged
merged 46 commits into from
Apr 7, 2020
Merged

Normal policy support for host-* endpoints #2228

merged 46 commits into from
Apr 7, 2020

Conversation

lmm
Copy link
Contributor

@lmm lmm commented Mar 5, 2020
edited
Loading

Description

* hostendpoints currently only support pre-DNAT global network policy. This PR will (eventually) add normal policy support for * hostendpoints.

Some notes on semantics:

  • If a * hostendpoint and a "named" (e.g. eth0) hostendpoint exist, the named hostendpoint will be used. (This is existing behaviour and isn't changing here.)
  • Host-> pod traffic is always allowed. With this change, we would continue to have default-allow semantics. (This desired behaviour to be confirmed)

Todos

  • Unit tests (full coverage)
  • Integration tests (delete as appropriate) In plan/Not needed/Done
  • Documentation
  • Backport
  • Release note

Release Note

all-interfaces host endpoints now supports normal network policy in addition to pre-dnat policy

lmm
lmm commented Mar 5, 2020
View reviewed changes
rules/dispatch.go Outdated Show resolved Hide resolved
nelljerram
nelljerram reviewed Mar 6, 2020
View reviewed changes
Copy link
Member

@nelljerram nelljerram left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lmm I think the shape of this is looking pretty good. I've made one specific comment. Apart from that, my concern is just to be sure about what we decided in the spec about:

  • defaults
  • ordering (applying workload policy before WHEP policy, for traffic from a workload to its own host, and meshing with the existing hardcoded rules)
  • optionally deduplication (in the case where the same policy applies to the workload and the WHEP)

and then obviously making sure that the code reflects that, ideally with copious tests.

rules/dispatch.go Outdated Show resolved Hide resolved
lmm and others added 14 commits March 15, 2020 21:26
@lmm
wip2
4f1fdb3
@lmm
wip3
477ab18
@lmm
undo commenting out felix cleanup
474530a
Don't apply WHEP policy for traffic going to a local workload
3f468e6
Don't believe we need the dropIfNoProfilesMatched parameter
7db4539
Different default chain names for from and to directions
6b03015
Normal GNP now applies to WHEP; adjust existing FVs accordingly
7d84dd5
HEP forward chain must dispatch to cali-thfw-any-interface-at-all
f5f5261 
Not to cali-th-any-interface-at-all.  (And similarly for the From
direction.)
Add back a nice blank line
3990f9d
WHEP allows traffic by default when there is no applicable policy
003b9f5
Dispatch to WHEP if there is applicable AOF but not normal policy
db7de5c
Self-review: revert unused preDNAT parameter in hostDispatchChains
fb37a4b
Self-review: Revert commenting in pre_dnat_test.go
fe89fd3
AOF WHEP policy _does_ apply to traffic to a local workload
38e362c
@lmm lmm changed the title wip: normal policy support for host-* endpoints Normal policy support for host-* endpoints Mar 19, 2020
@lmm lmm marked this pull request as ready for review March 19, 2020 15:44
@lmm lmm requested a review from a team as a code owner March 19, 2020 15:44
fasaxc
fasaxc requested changes Mar 23, 2020
View reviewed changes
Copy link
Member

@fasaxc fasaxc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Few questions from me. Also, this will need thorough tests in the FV framework

rules/dispatch_test.go Show resolved Hide resolved
rules/endpoints.go Outdated Show resolved Hide resolved
rules/endpoints.go Outdated Show resolved Hide resolved
fv/vxlan_test.go Show resolved Hide resolved
nelljerram
nelljerram previously requested changes Mar 24, 2020
View reviewed changes
rules/dispatch.go Outdated Show resolved Hide resolved
lmm added 3 commits March 24, 2020 12:27
@lmm
Fix bugs from 7690a42
f2205ae 
- toEndForwardRules was updated with wrong rules
- in the `fromOnly` case (for pre-DNAT) we use HostFromEndpointPfx not HostFromEndpointForwardPfx,
  so the end rules passed to the dispatch chain builder were incorrect.
@lmm
Re-enable host-* case in apply_on_forward_test
58dda6e
@lmm
Update dispatch tests to include default interface name
84762c5
@lmm lmm force-pushed the lmm-all-hep-policy branch 4 times, most recently from 1c342e7 to 068aad0 Compare April 6, 2020 06:17
fasaxc
fasaxc requested changes Apr 6, 2020
View reviewed changes
Copy link
Member

@fasaxc fasaxc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We discussed the AoF case on slack so I think we got to the bottom of that (test is failing due to AoF policy applying at workload egress for WHEPs, but not HEPs).

Good emphasis on testing in this PR; with lots of test being upgraded to cover the new case. Well worth that effort, I think!

Found a few nits in the tests.

fv/apply_on_forward_test.go Outdated Show resolved Hide resolved
fv/host_port_test.go Show resolved Hide resolved
fv/host_port_test.go Outdated Show resolved Hide resolved
fv/host_port_test.go Outdated Show resolved Hide resolved
fv/host_port_test.go Outdated Show resolved Hide resolved
fv/hostendpoints_test.go Outdated Show resolved Hide resolved
fv/hostendpoints_test.go Outdated Show resolved Hide resolved
fv/hostendpoints_test.go Outdated Show resolved Hide resolved
fv/vxlan_test.go Outdated Show resolved Hide resolved
rules/endpoints.go Outdated Show resolved Hide resolved
fasaxc
fasaxc approved these changes Apr 7, 2020
View reviewed changes
Copy link
Member

@fasaxc fasaxc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

fv/ipip_test.go Outdated Show resolved Hide resolved
@nelljerram nelljerram dismissed their stale review April 7, 2020 14:22

Concerns have now been addressed.

@lmm lmm merged commit 79efdd9 into projectcalico:master Apr 7, 2020
@lmm lmm deleted the lmm-all-hep-policy branch April 7, 2020 15:58
@tmjd tmjd mentioned this pull request Apr 23, 2020
Merged
3 tasks
@caseydavenport caseydavenport added this to the Calico v3.14.0 milestone Apr 27, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fasaxc fasaxc fasaxc approved these changes

@nelljerram nelljerram nelljerram left review comments

Assignees
No one assigned
Labels
docs-completed release-note-required
Projects
None yet
Milestone
Calico v3.14.0
Development

Successfully merging this pull request may close these issues.
5 participants
@lmm @fasaxc @nelljerram @caseydavenport @marvin-tigera