Merge pull request #2585 from weaveworks/merge-weave-npc

Merge weave npc

.gitignore

@@ -46,6 +46,7 @@ prog/weaveutil/weaveutil
 prog/*/Dockerfile.weaveworks
 prog/kube-peers/kube-peers
 prog/weave-kube/kube-peers
+prog/weave-npc/weave-npc
 prog/plugin/plugin
 testing/cover/cover
 testing/runner/runner

.gitmodules

@@ -106,3 +106,15 @@
 [submodule "vendor/k8s.io/client-go"]
 	path = vendor/k8s.io/client-go
 	url = https://github.com/kubernetes/client-go
+[submodule "vendor/github.com/pkg/errors"]
+	path = vendor/github.com/pkg/errors
+	url = https://github.com/pkg/errors
+[submodule "vendor/github.com/spf13/cobra"]
+	path = vendor/github.com/spf13/cobra
+	url = https://github.com/spf13/cobra
+[submodule "vendor/github.com/spf13/plag"]
+	path = vendor/github.com/spf13/plag
+	url = https://github.com/spf13/pflag
+[submodule "vendor/github.com/spf13/pflag"]
+	path = vendor/github.com/spf13/pflag
+	url = https://github.com/spf13/pflag

Makefile

@@ -1,4 +1,4 @@
-PUBLISH=publish_weave publish_weaveexec publish_plugin publish_weave-kube
+PUBLISH=publish_weave publish_weaveexec publish_plugin publish_weave-kube publish_weave-npc
 
 .DEFAULT: all
 .PHONY: all exes testrunner update tests lint publish $(PUBLISH) clean clean-bin prerequisites build run-smoketests
@@ -17,6 +17,7 @@ WEAVER_EXE=prog/weaver/weaver
 WEAVEPROXY_EXE=prog/weaveproxy/weaveproxy
 SIGPROXY_EXE=prog/sigproxy/sigproxy
 KUBEPEERS_EXE=prog/kube-peers/kube-peers
+WEAVENPC_EXE=prog/weave-npc/weave-npc
 WEAVEWAIT_EXE=prog/weavewait/weavewait
 WEAVEWAIT_NOOP_EXE=prog/weavewait/weavewait_noop
 WEAVEWAIT_NOMCAST_EXE=prog/weavewait/weavewait_nomcast
@@ -25,25 +26,27 @@ PLUGIN_EXE=prog/plugin/plugin
 RUNNER_EXE=tools/runner/runner
 TEST_TLS_EXE=test/tls/tls
 
-EXES=$(WEAVER_EXE) $(SIGPROXY_EXE) $(KUBEPEERS_EXE) $(WEAVEPROXY_EXE) $(WEAVEWAIT_EXE) $(WEAVEWAIT_NOOP_EXE) $(WEAVEWAIT_NOMCAST_EXE) $(WEAVEUTIL_EXE) $(PLUGIN_EXE) $(TEST_TLS_EXE)
+EXES=$(WEAVER_EXE) $(SIGPROXY_EXE) $(KUBEPEERS_EXE) $(WEAVENPC_EXE) $(WEAVEPROXY_EXE) $(WEAVEWAIT_EXE) $(WEAVEWAIT_NOOP_EXE) $(WEAVEWAIT_NOMCAST_EXE) $(WEAVEUTIL_EXE) $(PLUGIN_EXE) $(TEST_TLS_EXE)
 
 BUILD_UPTODATE=.build.uptodate
 WEAVER_UPTODATE=.weaver.uptodate
 WEAVEEXEC_UPTODATE=.weaveexec.uptodate
 PLUGIN_UPTODATE=.plugin.uptodate
 WEAVEKUBE_UPTODATE=.weavekube.uptodate
+WEAVENPC_UPTODATE=.weavenpc.uptodate
 WEAVEDB_UPTODATE=.weavedb.uptodate
 
-IMAGES_UPTODATE=$(WEAVER_UPTODATE) $(WEAVEEXEC_UPTODATE) $(PLUGIN_UPTODATE) $(WEAVEKUBE_UPTODATE) $(WEAVEDB_UPTODATE)
+IMAGES_UPTODATE=$(WEAVER_UPTODATE) $(WEAVEEXEC_UPTODATE) $(PLUGIN_UPTODATE) $(WEAVEKUBE_UPTODATE) $(WEAVENPC_UPTODATE) $(WEAVEDB_UPTODATE)
 
 WEAVER_IMAGE=$(DOCKERHUB_USER)/weave
 WEAVEEXEC_IMAGE=$(DOCKERHUB_USER)/weaveexec
 PLUGIN_IMAGE=$(DOCKERHUB_USER)/plugin
 WEAVEKUBE_IMAGE=$(DOCKERHUB_USER)/weave-kube
+WEAVENPC_IMAGE=$(DOCKERHUB_USER)/weave-npc
 BUILD_IMAGE=$(DOCKERHUB_USER)/weavebuild
 WEAVEDB_IMAGE=$(DOCKERHUB_USER)/weavedb
 
-IMAGES=$(WEAVER_IMAGE) $(WEAVEEXEC_IMAGE) $(PLUGIN_IMAGE) $(WEAVEKUBE_IMAGE) $(WEAVEDB_IMAGE)
+IMAGES=$(WEAVER_IMAGE) $(WEAVEEXEC_IMAGE) $(PLUGIN_IMAGE) $(WEAVEKUBE_IMAGE) $(WEAVENPC_IMAGE) $(WEAVEDB_IMAGE)
 
 WEAVE_EXPORT=weave.tar.gz
 
@@ -71,6 +74,7 @@ $(WEAVEPROXY_EXE): proxy/*.go prog/weaveproxy/*.go
 $(WEAVEUTIL_EXE): prog/weaveutil/*.go net/*.go
 $(SIGPROXY_EXE): prog/sigproxy/*.go
 $(KUBEPEERS_EXE): prog/kube-peers/*.go
+$(WEAVENPC_EXE): prog/weave-npc/*.go npc/*.go npc/*/*.go
 $(PLUGIN_EXE): prog/plugin/*.go plugin/*/*.go api/*.go common/*.go common/docker/*.go net/*.go
 $(TEST_TLS_EXE): test/tls/*.go
 $(WEAVEWAIT_NOOP_EXE): prog/weavewait/*.go
@@ -103,7 +107,7 @@ else
 endif
 	$(NETGO_CHECK)
 
-$(WEAVEUTIL_EXE) $(KUBEPEERS_EXE):
+$(WEAVEUTIL_EXE) $(KUBEPEERS_EXE) $(WEAVENPC_EXE):
 	go build $(BUILD_FLAGS) -o $@ ./$(@D)
 	$(NETGO_CHECK)
 
@@ -160,6 +164,10 @@ $(WEAVEKUBE_UPTODATE): prog/weave-kube/Dockerfile.$(DOCKERHUB_USER) prog/weave-k
 	$(SUDO) docker build -f prog/weave-kube/Dockerfile.$(DOCKERHUB_USER) -t $(WEAVEKUBE_IMAGE) prog/weave-kube
 	touch $@
 
+$(WEAVENPC_UPTODATE): prog/weave-npc/Dockerfile $(WEAVENPC_EXE) prog/weave-npc/ulogd.conf
+	$(SUDO) docker build -f prog/weave-npc/Dockerfile -t $(WEAVENPC_IMAGE) prog/weave-npc
+	touch $@
+
 $(WEAVEDB_UPTODATE): prog/weavedb/Dockerfile
 	$(SUDO) docker build -t $(WEAVEDB_IMAGE) prog/weavedb
 	touch $@

docs/weavenpc-design.md

@@ -0,0 +1,100 @@
+# Overview
+
+# ipsets
+
+The policy controller maintains a number of ipsets which are
+subsequently referred to by the iptables rules used to effect network
+policy specifications. These ipsets are created, modified and
+destroyed automatically in response to Pod, Namespace and
+NetworkPolicy object updates from the k8s API server:
+
+* A `hash:ip` set per namespace, containing the IP addresses of all
+  pods in that namespace
+* A `list:set` per distinct (across all network policies in all
+  namespaces) namespace selector mentioned in a network policy,
+  containing the names of any of the above hash:ip sets whose
+  corresponding namespace labels match the selector
+* A `hash:ip` set for each distinct (within the scope of the
+  containing network policy's namespace) pod selector mentioned in a
+  network policy, containing the IP addresses of all pods in the
+  namespace whose labels match that selector
+
+ipset names are generated deterministically from a string
+representation of the corresponding label selector. Because ipset
+names are limited to 31 characters in length, this is done by taking a
+SHA hash of the selector string and then printing that out as a base
+85 string with a "weave-" prefix e.g.:
+
+    weave-k?Z;25^M}|1s7P3|H9i;*;MhG
+
+Because pod selectors are scoped to a namespace, we need to make sure
+that if the same selector definition is used in different namespaces
+that we maintain distinct ipsets. Consequently, for such selectors the
+namespace name is prepended to the label selector string before
+hashing to avoid clashes.
+
+# iptables chains
+
+The policy controller maintains two iptables chains in response to
+changes to pods, namespaces and network policies. One chain contains
+the ingress rules that implement the network policy specifications,
+and the other is used to bypass the ingress rules for namespaces which
+have an ingress isolation policy of `DefaultAllow`.
+
+## Dynamically maintained `WEAVE-NPC-DEFAULT` chain
+
+The policy controller maintains a rule in this chain for every
+namespace whose ingress isolation policy is `DefaultAllow`. The
+purpose of this rule is simply to ACCEPT any traffic destined for such
+namespaces before it reaches the ingress chain.
+
+```
+iptables -A WEAVE-NPC-DEFAULT -m set --match-set $NSIPSET dst -j ACCEPT
+```
+
+## Dynamically maintained `WEAVE-NPC-INGRESS` chain
+
+For each namespace network policy ingress rule peer/port combination:
+
+```
+iptables -A WEAVE-NPC-INGRESS -p $PROTO [-m set --match-set $SRCSET] -m set --match-set $DSTSET --dport $DPORT -j ACCEPT
+```
+
+## Static `WEAVE-NPC` chain
+
+Static configuration:
+
+```
+iptables -A WEAVE-NPC -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -A WEAVE-NPC -m state --state NEW -j WEAVE-NPC-DEFAULT
+iptables -A WEAVE-NPC -m state --state NEW -j WEAVE-NPC-INGRESS
+```
+
+# Steering traffic into the policy engine
+
+To direct traffic into the policy engine:
+
+iptables -A FORWARD -o weave -m physdev ! --physdev-out vethwe-bridge -j WEAVE-NPC
+iptables -A FORWARD -o weave -m physdev ! --physdev-out vethwe-bridge -j DROP
+
+Note this only affects traffic which egresses the bridge on a physical
+port which is not the Weave Net router - in other words, it is
+destined for an application container veth. The following traffic is
+affected:
+
+* Traffic bridged between local application containers
+* Traffic bridged from the router to a local application container
+* Traffic originating from the internet destined for nodeports - this
+  is routed via the FORWARD chain to a container pod IP after DNAT
+
+The following traffic is NOT affected:
+
+* Traffic bridged from a local application container to the router
+* Traffic originating from processes in the host network namespace
+  (e.g. kubelet health checks)
+* Traffic routed from an application container to the internet
+
+See these resources for helpful context:
+
+* http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html
+* https://commons.wikimedia.org/wiki/File:Netfilter-packet-flow.svg

npc/analyser.go

@@ -0,0 +1,114 @@
+package npc
+
+import (
+	"fmt"
+
+	"k8s.io/client-go/pkg/api"
+	extnapi "k8s.io/client-go/pkg/apis/extensions/v1beta1"
+	"k8s.io/client-go/pkg/util/intstr"
+
+	"github.com/weaveworks/weave/npc/ipset"
+)
+
+func (ns *ns) analysePolicy(policy *extnapi.NetworkPolicy) (
+	rules map[string]*ruleSpec,
+	nsSelectors, podSelectors map[string]*selectorSpec,
+	err error) {
+
+	nsSelectors = make(map[string]*selectorSpec)
+	podSelectors = make(map[string]*selectorSpec)
+	rules = make(map[string]*ruleSpec)
+
+	dstSelector, err := newSelectorSpec(&policy.Spec.PodSelector, ns.name, ipset.HashIP)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	podSelectors[dstSelector.key] = dstSelector
+
+	for _, ingressRule := range policy.Spec.Ingress {
+		if ingressRule.Ports != nil && len(ingressRule.Ports) == 0 {
+			// Ports is empty, this rule matches no ports (no traffic matches).
+			continue
+		}
+
+		if ingressRule.From != nil && len(ingressRule.From) == 0 {
+			// From is empty, this rule matches no sources (no traffic matches).
+			continue
+		}
+
+		if ingressRule.From == nil {
+			// From is not provided, this rule matches all sources (traffic not restricted by source).
+			if ingressRule.Ports == nil {
+				// Ports is not provided, this rule matches all ports (traffic not restricted by port).
+				rule := newRuleSpec(nil, nil, dstSelector, nil)
+				rules[rule.key] = rule
+			} else {
+				// Ports is present and contains at least one item, then this rule allows traffic
+				// only if the traffic matches at least one port in the ports list.
+				withNormalisedProtoAndPort(ingressRule.Ports, func(proto, port string) {
+					rule := newRuleSpec(&proto, nil, dstSelector, &port)
+					rules[rule.key] = rule
+				})
+			}
+		} else {
+			// From is present and contains at least on item, this rule allows traffic only if the
+			// traffic matches at least one item in the from list.
+			for _, peer := range ingressRule.From {
+				var srcSelector *selectorSpec
+				if peer.PodSelector != nil {
+					srcSelector, err = newSelectorSpec(peer.PodSelector, ns.name, ipset.HashIP)
+					if err != nil {
+						return nil, nil, nil, err
+					}
+					podSelectors[srcSelector.key] = srcSelector
+				}
+				if peer.NamespaceSelector != nil {
+					srcSelector, err = newSelectorSpec(peer.NamespaceSelector, "", ipset.ListSet)
+					if err != nil {
+						return nil, nil, nil, err
+					}
+					nsSelectors[srcSelector.key] = srcSelector
+				}
+
+				if ingressRule.Ports == nil {
+					// Ports is not provided, this rule matches all ports (traffic not restricted by port).
+					rule := newRuleSpec(nil, srcSelector, dstSelector, nil)
+					rules[rule.key] = rule
+				} else {
+					// Ports is present and contains at least one item, then this rule allows traffic
+					// only if the traffic matches at least one port in the ports list.
+					withNormalisedProtoAndPort(ingressRule.Ports, func(proto, port string) {
+						rule := newRuleSpec(&proto, srcSelector, dstSelector, &port)
+						rules[rule.key] = rule
+					})
+				}
+			}
+		}
+	}
+
+	return rules, nsSelectors, podSelectors, nil
+}
+
+func withNormalisedProtoAndPort(npps []extnapi.NetworkPolicyPort, f func(proto, port string)) {
+	for _, npp := range npps {
+		// If no proto is specified, default to TCP
+		proto := string(api.ProtocolTCP)
+		if npp.Protocol != nil {
+			proto = string(*npp.Protocol)
+		}
+
+		// If no port is specified, match any port. Let iptables executable handle
+		// service name resolution
+		port := "0:65535"
+		if npp.Port != nil {
+			switch npp.Port.Type {
+			case intstr.Int:
+				port = fmt.Sprintf("%d", npp.Port.IntVal)
+			case intstr.String:
+				port = npp.Port.StrVal
+			}
+		}
+
+		f(proto, port)
+	}
+}

npc/betatypes.go

@@ -0,0 +1,40 @@
+package npc
+
+// These types are defined in https://github.com/kubernetes/kubernetes/blob/master/docs/proposals/network-policy.md
+// but not in the k8s API yet. Copies are included here for decoding the `net.beta.kubernetes.io/network-policy`
+// annotation specified in the above document.
+
+type IngressIsolationPolicy string
+
+const (
+	// Deny all ingress traffic to pods in this namespace. Ingress means
+	// any incoming traffic to pods, whether that be from other pods within this namespace
+	// or any source outside of this namespace.
+	DefaultDeny IngressIsolationPolicy = "DefaultDeny"
+)
+
+// Standard NamespaceSpec object, modified to include a new
+// NamespaceNetworkPolicy field.
+type NamespaceSpec struct {
+	// This is a pointer so that it can be left undefined.
+	NetworkPolicy *NamespaceNetworkPolicy `json:"networkPolicy,omitempty"`
+}
+
+type NamespaceNetworkPolicy struct {
+	// Ingress configuration for this namespace.  This config is
+	// applied to all pods within this namespace. For now, only
+	// ingress is supported.  This field is optional - if not
+	// defined, then the cluster default for ingress is applied.
+	Ingress *NamespaceIngressPolicy `json:"ingress,omitempty"`
+}
+
+// Configuration for ingress to pods within this namespace.
+// For now, this only supports specifying an isolation policy.
+type NamespaceIngressPolicy struct {
+	// The isolation policy to apply to pods in this namespace.
+	// Currently this field only supports "DefaultDeny", but could
+	// be extended to support other policies in the future.  When set to DefaultDeny,
+	// pods in this namespace are denied ingress traffic by default.  When not defined,
+	// the cluster default ingress isolation policy is applied (currently allow all).
+	Isolation *IngressIsolationPolicy `json:"isolation,omitempty"`
+}

npc/constants.go

@@ -0,0 +1,9 @@
+package npc
+
+const (
+	TableFilter = "filter"
+
+	MainChain    = "WEAVE-NPC"
+	DefaultChain = "WEAVE-NPC-DEFAULT"
+	IngressChain = "WEAVE-NPC-INGRESS"
+)