Support Network Policy for UDN namespaces #4690
Conversation
pperiyasamy
force-pushed
the
netpol-udn
branch
from
82c07e0
to
be64f5d
Compare
github-actions
bot
added
the
area/unit-testing
pperiyasamy
requested review from
tssurya and
npinaeva
and removed request for
trozet
|
there are some netpol-related test failures. Also, could you please add a couple of e2es for the new netpol behaviour? |
pperiyasamy
force-pushed
the
netpol-udn
branch
3 times, most recently
from
f55a827
to
259e967
Compare
pperiyasamy
changed the title
|
hit this ci flake #4299 in this run: |
pperiyasamy
force-pushed
the
netpol-udn
branch
2 times, most recently
from
13bb7db
to
95051a1
Compare
| if bnc.NetInfo.IsSecondary() { | ||
| return nil | ||
| } | ||
|
|
||
| // add default hairpin allow acl | ||
| err = bnc.addHairpinAllowACL() |
There was a problem hiding this comment.
Why don't we need the hairpin allow ACLs for primary networks? Add comment.
There was a problem hiding this comment.
added comment about why hairpin allow ACLs disabled now for UDN. will revisit once we have cluster port group exists per network. currently this is not impacting unit tests and e2e's.
There was a problem hiding this comment.
Should we have an issue to track?
There was a problem hiding this comment.
go-controller/pkg/ovn/base_secondary_layer2_network_controller.go
Outdated
Show resolved
Hide resolved
pperiyasamy
force-pushed
the
netpol-udn
branch
from
95051a1
to
26f870a
Compare
pperiyasamy
force-pushed
the
netpol-udn
branch
2 times, most recently
from
954ed21
to
3c24090
Compare
pperiyasamy
changed the title
pperiyasamy
force-pushed
the
netpol-udn
branch
from
3c24090
to
dfb8278
Compare
pperiyasamy
force-pushed
the
netpol-udn
branch
2 times, most recently
from
cc1b738
to
dd13b11
Compare
| func (bnc *BaseNetworkController) UpdateResourceCommon(objType reflect.Type, oldObj, newObj interface{}) error { | ||
| switch objType { | ||
| case factory.PolicyType: | ||
| oldNp, ok := oldObj.(*knet.NetworkPolicy) | ||
| if !ok { | ||
| return fmt.Errorf("could not cast obj of type %T to *knet.NetworkPolicy", oldObj) | ||
| } | ||
| if err := bnc.deleteNetworkPolicy(oldNp); err != nil { | ||
| klog.Infof("NetworkPolicy delete failed for %s/%s, will try again later: %v", | ||
| oldNp.Namespace, oldNp.Name, err) | ||
| return err | ||
| } | ||
| newNp, ok := newObj.(*knet.NetworkPolicy) | ||
| if !ok { | ||
| return fmt.Errorf("could not cast obj of type %T to *knet.NetworkPolicy", newObj) | ||
| } | ||
| if err := bnc.addNetworkPolicy(newNp); err != nil { | ||
| klog.Infof("NetworkPolicy add failed for %s/%s, will try again later: %v", | ||
| newNp.Namespace, newNp.Name, err) | ||
| return err | ||
| } | ||
| default: | ||
| return fmt.Errorf("object type %s not supported", objType) | ||
| } | ||
| return nil | ||
| } |
There was a problem hiding this comment.
I don't think update for network policies is going to be called, from
https://github.com/jcaamano/ovn-kubernetes/blob/14afcbf9621264f6d1de32107bfdcf77f655bbbc/go-controller/pkg/ovn/base_event_handler.go#L25-L26
There was a problem hiding this comment.
right, removed the method as it's no longer needed.
pperiyasamy
force-pushed
the
netpol-udn
branch
2 times, most recently
from
40b8e95
to
aa7e68f
Compare
|
Potential flake |
@pperiyasamy does not look like a flake |
|
|
||
| }, | ||
| ginkgo.Entry( | ||
| "in L2 dualstack primary UDN", |
There was a problem hiding this comment.
the title of this PR says netpol for L3, but here are L2 test cases and changes to layer 2 controller. So is L2 also supported and the title just needs to be updated?
There was a problem hiding this comment.
yes @trozet , updated title and description accordingly now.
pperiyasamy
force-pushed
the
netpol-udn
branch
2 times, most recently
from
c844a21
to
e29cb3e
Compare
pperiyasamy
changed the title
| if ns != namespace { | ||
| continue | ||
| } | ||
| return []string{nadName}, nil |
There was a problem hiding this comment.
This is based on two assumptions:
- There is a single NAD per namespace for primary networks. However, there is nothing currently that prevents this from happening.
- We are aware of the primary network of a pod. However this might be racey.
The first issue should be handled in some way by the NAD controller. It might do that through GetActiveNetworkForNamespace. For the second issue, GetActiveNetworkForNamespace offers a bit more of protection since it will check against the UDN CRDs as well.
I don't want to hold this because of that. But I am entertaining the idea that we could just implement GetActiveNetworkForNamespace in NetInfo that would just end up calling the nad controller GetActiveNetworkForNamespace which is feasible since the nad controller is the one building those NetInfo after all.
There was a problem hiding this comment.
I like the idea of having GetActiveNetworkForNamespace inside netInfo.
| defer func() { | ||
| gomega.Expect(cs.CoreV1().Namespaces().Delete( | ||
| context.Background(), | ||
| namespace, | ||
| metav1.DeleteOptions{}, | ||
| )).To(gomega.Succeed()) | ||
| }() |
There was a problem hiding this comment.
Don't use defer to clean up please, it hinders troubleshooting. Use f.AddNamespacesToDelete; or manually in AfterEach depending on how the framework is configured and if the test case failed or not.
There was a problem hiding this comment.
yes @jcaamano , modified the test to use f.AddNamespacesToDelete.
pperiyasamy
force-pushed
the
netpol-udn
branch
2 times, most recently
from
b43b948
to
87ce669
Compare
|
Is it intended to configure netpol for both default and primary UDN at the same time? |
yes @npinaeva , The netpol for default and primary UDN networks would coexist with this PR as well. The existing shard-conformance CI lane tests netpol over default network and we had few e2e's to test NetPol over UDN network. |
So when primary UDN exists, we will configure network policy both for UDN and for default network, which means 2 times more port groups, acls, address sets, which will not be used (as default network traffic has its own ACLs that deny almost everything already). So UDN netpol will work, but not sure if it is the most optimal solution. |
@npinaeva has a point. So when handling a policy we would have to |
This commit provides Network Policy support for user defined l3 or l2 networks when it is configured as the primary network for namespace. It's done by subscribing to NetPol events from secondary network controllers and handling it appropriately in base network and policy controllers. Signed-off-by: Periyasamy Palanisamy <[email protected]>
When primary UDN exists for the namespace, the current implementation configured network policy for both UDN and default network. The default network traffic has its own ACLs that deny almost everything already so handling network policy for default is unnecessary and not an optimal solution as it programs another set of port groups, acls and address sets which are never going to be used. Hence this commit skips handling network policy events on the default network controller when namespace contains an active user defined network. Signed-off-by: Periyasamy Palanisamy <[email protected]>
pperiyasamy
force-pushed
the
netpol-udn
branch
from
87ce669
to
17985d4
Compare
What this PR does and why is it needed
This PR has required changes to support Network Policy on User Defined Network.
TODOs:
Which issue(s) this PR fixes
Fixes #
Special notes for reviewers
How to verify it
Details to documentation updates
Description for the changelog
Does this PR introduce a user-facing change?