Support Network Policy for UDN namespaces #4690
There are some netpol-related test failures. Also, could you please add a couple of e2es for the new netpol behaviour?
Hit this CI flake #4299 in this run:
if bnc.NetInfo.IsSecondary() { | ||
return nil | ||
} | ||
|
||
// add default hairpin allow acl | ||
err = bnc.addHairpinAllowACL() |
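Review bot: the early `return nil` on `bnc.NetInfo.IsSecondary()` skips `addHairpinAllowACL()` for every non-default network, and nothing in these lines records why that is safe for a primary UDN; add a comment at the return stating that hairpin allow ACLs are intentionally not programmed for UDNs yet and what lifts that restriction (a per-network cluster port group, per the thread), and point it at a tracking issue so the gap is not lost.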
Why don't we need the hairpin allow ACLs for primary networks? Add comment.
Added a comment about why hairpin allow ACLs are disabled now for UDN. Will revisit once we have a cluster port group per network. Currently this is not impacting unit tests and e2es.
Should we have an issue to track?
go-controller/pkg/ovn/base_secondary_layer2_network_controller.go
func (bnc *BaseNetworkController) UpdateResourceCommon(objType reflect.Type, oldObj, newObj interface{}) error { | ||
switch objType { | ||
case factory.PolicyType: | ||
oldNp, ok := oldObj.(*knet.NetworkPolicy) | ||
if !ok { | ||
return fmt.Errorf("could not cast obj of type %T to *knet.NetworkPolicy", oldObj) | ||
} | ||
if err := bnc.deleteNetworkPolicy(oldNp); err != nil { | ||
klog.Infof("NetworkPolicy delete failed for %s/%s, will try again later: %v", | ||
oldNp.Namespace, oldNp.Name, err) | ||
return err | ||
} | ||
newNp, ok := newObj.(*knet.NetworkPolicy) | ||
if !ok { | ||
return fmt.Errorf("could not cast obj of type %T to *knet.NetworkPolicy", newObj) | ||
} | ||
if err := bnc.addNetworkPolicy(newNp); err != nil { | ||
klog.Infof("NetworkPolicy add failed for %s/%s, will try again later: %v", | ||
newNp.Namespace, newNp.Name, err) | ||
return err | ||
} | ||
default: | ||
return fmt.Errorf("object type %s not supported", objType) | ||
} | ||
return nil | ||
} |
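Review bot: the delete-then-add sequence in the `factory.PolicyType` case has no rollback: if `bnc.deleteNetworkPolicy(oldNp)` succeeds and `bnc.addNetworkPolicy(newNp)` then fails, the function returns the error with neither policy programmed, so until the retry succeeds the pods the old policy isolated are no longer isolated (an absent NetworkPolicy allows traffic, so the failure mode is fail-open). Program the new policy before removing the old one, or update the existing port group/ACL objects in place, and confirm this update path is actually reachable before keeping it.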
I don't think update for network policies is going to be called, from
https://github.com/jcaamano/ovn-kubernetes/blob/14afcbf9621264f6d1de32107bfdcf77f655bbbc/go-controller/pkg/ovn/base_event_handler.go#L25-L26
Right, removed the method as it's no longer needed.
Potential flake
@pperiyasamy does not look like a flake
Minor comment nits, LGTM.
|
||
}, | ||
ginkgo.Entry( | ||
"in L2 dualstack primary UDN", |
the title of this PR says netpol for L3, but here are L2 test cases and changes to layer 2 controller. So is L2 also supported and the title just needs to be updated?
Yes @trozet, updated title and description accordingly now.
if ns != namespace { | ||
continue | ||
} | ||
return []string{nadName}, nil |
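Review bot: the loop returns on the first NAD whose namespace matches, so when a namespace carries more than one NAD the result depends on iteration order; collect every match and return an error when there is more than one instead of silently picking one, so the caller requeues rather than programming policy against the wrong network.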
This is based on two assumptions:
- There is a single NAD per namespace for primary networks. However, there is nothing currently that prevents this from happening.
- We are aware of the primary network of a pod. However this might be racy.
The first issue should be handled in some way by the NAD controller. It might do that through GetActiveNetworkForNamespace. For the second issue, GetActiveNetworkForNamespace offers a bit more protection since it will check against the UDN CRDs as well.
I don't want to hold this because of that. But I am entertaining the idea that we could just implement GetActiveNetworkForNamespace in NetInfo that would just end up calling the NAD controller GetActiveNetworkForNamespace, which is feasible since the NAD controller is the one building those NetInfo after all.
I like the idea of having GetActiveNetworkForNamespace inside netInfo.
defer func() { | ||
gomega.Expect(cs.CoreV1().Namespaces().Delete( | ||
context.Background(), | ||
namespace, | ||
metav1.DeleteOptions{}, | ||
)).To(gomega.Succeed()) | ||
}() |
Don't use defer to clean up please, it hinders troubleshooting. Use f.AddNamespacesToDelete; or manually in AfterEach depending on how the framework is configured and if the test case failed or not.
Yes @jcaamano, modified the test to use f.AddNamespacesToDelete.
Is it intended to configure netpol for both default and primary UDN at the same time?
Yes @npinaeva, the netpol for default and primary UDN networks would coexist with this PR as well. The existing shard-conformance CI lane tests netpol over the default network and we had a few e2es to test NetPol over the UDN network.
So when primary UDN exists, we will configure network policy both for UDN and for default network, which means 2 times more port groups, ACLs, address sets, which will not be used (as default network traffic has its own ACLs that deny almost everything already). So UDN netpol will work, but not sure if it is the most optimal solution.
@npinaeva has a point. So when handling a policy we would have to
This commit provides Network Policy support for user defined L3 or L2 networks when they are configured as the primary network for a namespace. It's done by subscribing to NetPol events from secondary network controllers and handling them appropriately in the base network and policy controllers. Signed-off-by: Periyasamy Palanisamy <[email protected]>
When a primary UDN exists for the namespace, the current implementation configures network policy for both the UDN and the default network. The default network traffic has its own ACLs that deny almost everything already, so handling network policy for the default network is unnecessary and not an optimal solution, as it programs another set of port groups, ACLs and address sets which are never going to be used. Hence this commit skips handling network policy events on the default network controller when the namespace contains an active user defined network. Signed-off-by: Periyasamy Palanisamy <[email protected]>
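The two decisions discussed above, resolving a namespace's active primary network without trusting the first NAD that happens to match (jcaamano's review comment), and having exactly one controller program a policy so the default-network controller skips namespaces that own a primary UDN (the second commit), can be written as one routing function with an explicit ambiguity check. The block below is an added illustration, not ovn-kubernetes code: `NetworkAttachment`, `ActivePrimaryNetwork` and `ShouldHandlePolicy` are hypothetical names, the NAD inventory is constructed, and the real project's `GetActiveNetworkForNamespace` consults NADs and UDN CRDs rather than a slice.

```go
package main

import (
	"fmt"
	"sort"
)

// NetworkAttachment is a constructed, simplified stand-in for a
// NetworkAttachmentDefinition; only the fields the routing decision needs.
// (Hypothetical type for this example, not the project's.)
type NetworkAttachment struct {
	Namespace string
	Name      string
	Network   string // logical network the NAD belongs to
	Primary   bool   // NAD declares itself the namespace's primary network
}

// ActivePrimaryNetwork returns the name of the single primary user-defined
// network in namespace. It returns "" when the namespace has none (the cluster
// default network applies) and an error when more than one NAD claims the
// primary role: returning the first match would make the answer depend on
// iteration order, so the caller should requeue rather than guess.
func ActivePrimaryNetwork(nads []NetworkAttachment, namespace string) (string, error) {
	var primaries []string
	for _, nad := range nads {
		if nad.Namespace != namespace || !nad.Primary {
			continue
		}
		primaries = append(primaries, nad.Network)
	}
	switch len(primaries) {
	case 0:
		return "", nil
	case 1:
		return primaries[0], nil
	default:
		sort.Strings(primaries) // deterministic error text
		return "", fmt.Errorf("namespace %q has %d primary NADs %v; refusing to pick one",
			namespace, len(primaries), primaries)
	}
}

// ShouldHandlePolicy reports whether the controller owning controllerNetwork
// ("" for the cluster default network) must program a NetworkPolicy that lives
// in policyNamespace. Exactly one controller answers true for a namespace: the
// UDN controller when the namespace has an active primary UDN, otherwise the
// default-network controller. An ambiguous namespace yields an error so the
// event is retried instead of being programmed on the wrong network, or on
// both networks at once.
func ShouldHandlePolicy(nads []NetworkAttachment, policyNamespace, controllerNetwork string) (bool, error) {
	active, err := ActivePrimaryNetwork(nads, policyNamespace)
	if err != nil {
		return false, err
	}
	return active == controllerNetwork, nil
}

func main() {
	// Constructed inventory: "blue" has one primary UDN plus a secondary NAD,
	// "plain" has no NAD, and "red" is misconfigured with two primary NADs.
	nads := []NetworkAttachment{
		{Namespace: "blue", Name: "blue-primary", Network: "net-blue", Primary: true},
		{Namespace: "blue", Name: "blue-extra", Network: "net-extra", Primary: false},
		{Namespace: "red", Name: "red-a", Network: "net-red-a", Primary: true},
		{Namespace: "red", Name: "red-b", Network: "net-red-b", Primary: true},
	}
	for _, ns := range []string{"blue", "plain", "red"} {
		for _, ctrl := range []string{"", "net-blue"} {
			handle, err := ShouldHandlePolicy(nads, ns, ctrl)
			fmt.Printf("namespace=%-5s controller=%-10q handle=%-5v err=%v\n", ns, ctrl, handle, err)
		}
	}
}
```

The default-network controller calls `ShouldHandlePolicy` with an empty network name, so a namespace with an active primary UDN makes it skip the event and no second set of port groups, ACLs and address sets is programmed; the misconfigured namespace is surfaced as an error rather than resolved by whichever NAD the loop saw first.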
What this PR does and why is it needed
This PR has required changes to support Network Policy on User Defined Network.
TODOs:
Which issue(s) this PR fixes
Fixes #
Special notes for reviewers
How to verify it
Details to documentation updates
Description for the changelog
Does this PR introduce a user-facing change?