DNM: testing

contrib/kind.sh

@@ -737,7 +737,7 @@ create_kind_cluster() {
   jinjanate "${KIND_CONFIG}" -o "${KIND_CONFIG_LCL}"
 
   # Create KIND cluster. For additional debug, add '--verbosity <int>': 0 None .. 3 Debug
-  if kind get clusters | grep ovn; then
+  if kind get clusters | grep "${KIND_CLUSTER_NAME}"; then
     delete
   fi
 

dist/images/Dockerfile.fedora

@@ -27,7 +27,7 @@ RUN INSTALL_PKGS=" \
     python3-pip python3-pyyaml bind-utils procps-ng openssl numactl-libs firewalld-filesystem \
     libpcap hostname kubernetes-client util-linux \
     ovn ovn-central ovn-host python3-openvswitch tcpdump openvswitch-test python3-pyOpenSSL \
-    iptables iproute iputils strace socat koji \
+    iptables nftables iproute iputils strace socat koji \
     libreswan openvswitch-ipsec \
     " && \
     dnf install --best --refresh -y --setopt=tsflags=nodocs $INSTALL_PKGS && \

dist/images/Dockerfile.fedora.dev

@@ -64,7 +64,7 @@ FROM fedora:39
 
 # Install needed dependencies.
 RUN INSTALL_PKGS=" \
-    iptables iproute iputils hostname unbound-libs kubernetes-client kmod" && \
+    iptables nftables iproute iputils hostname unbound-libs kubernetes-client kmod" && \
     dnf install --best --refresh -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
     dnf clean all && rm -rf /var/cache/dnf/*
 

dist/images/Dockerfile.ubuntu

@@ -12,7 +12,7 @@ FROM ubuntu:24.04
 
 USER root
 
-RUN apt-get update && apt-get install -y iproute2 curl software-properties-common util-linux
+RUN apt-get update && apt-get install -y iproute2 curl software-properties-common util-linux nftables
 
 RUN curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
 

dist/templates/ovnkube-node.yaml.j2

@@ -87,6 +87,10 @@ spec:
         - mountPath: /var/run/netns
           name: host-netns
           mountPropagation: Bidirectional
+        - mountPath: /run/systemd/private
+          name: run-systemd
+          subPath: private
+          readOnly: true
        {%- if ovnkube_app_name!="ovnkube-node-dpu-host" %}
         # ovnkube-node only mounts (non dpu related)
         - mountPath: /var/run/openvswitch/
@@ -408,6 +412,9 @@ spec:
       - name: host-netns
         hostPath:
           path: /var/run/netns
+      - name: run-systemd
+        hostPath:
+          path: /run/systemd
       {%- if ovnkube_app_name!="ovnkube-node-dpu-host" %}
       # non DPU related volumes
       - name: host-var-log-ovs

dist/templates/ovnkube-single-node-zone.yaml.j2

@@ -295,6 +295,10 @@ spec:
         - mountPath: /etc/ovn/
           name: host-var-lib-ovs
           readOnly: true
+        - mountPath: /run/systemd/private
+          name: run-systemd
+          subPath: private
+          readOnly: true
 
         resources:
           requests:
@@ -620,6 +624,9 @@ spec:
       - name: host-var-lib-ovs
         hostPath:
           path: /var/lib/openvswitch
+      - name: run-systemd
+        hostPath:
+          path: /run/systemd
 
       tolerations:
       - operator: "Exists"

go-controller/go.mod

@@ -11,6 +11,7 @@ require (
 	github.com/containernetworking/cni v1.1.2
 	github.com/containernetworking/plugins v1.2.0
 	github.com/coreos/go-iptables v0.6.0
+	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/fsnotify/fsnotify v1.7.0
 	github.com/gaissmai/cidrtree v0.1.4
 	github.com/go-logr/logr v1.4.1
@@ -59,6 +60,7 @@ require (
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b
 	kubevirt.io/api v1.0.0-alpha.0
 	sigs.k8s.io/controller-runtime v0.18.4
+	sigs.k8s.io/knftables v0.0.17
 	sigs.k8s.io/network-policy-api v0.1.5
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1
 )
@@ -78,6 +80,7 @@ require (
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
@@ -142,4 +145,5 @@ replace (
 	github.com/coreos/go-iptables => github.com/trozet/go-iptables v0.0.0-20240328221912-077e672b3808
 	github.com/gogo/protobuf => github.com/gogo/protobuf v1.3.2
 	github.com/j-keck/arping => github.com/JacobTanenbaum/arping v0.0.0-20240209152419-3987db83bd51
+	sigs.k8s.io/knftables => github.com/npinaeva/knftables v0.0.0-20240902075500-53185f303a2a
 )

go-controller/go.sum

@@ -224,6 +224,8 @@ github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=
 github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=
+github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
@@ -339,6 +341,9 @@ github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4
 github.com/godbus/dbus v0.0.0-20151105175453-c7fdd8b5cd55/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw=
 github.com/godbus/dbus v0.0.0-20180201030542-885f9cc04c9c/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw=
 github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
+github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/googleapis v1.2.0/go.mod h1:Njal3psf3qN6dwBtQfUmBZh2ybovJ0tlu3o/AC7HYjU=
 github.com/gogo/googleapis v1.4.0/go.mod h1:5YRNX2z1oM5gXdAkurHa942MDgEJyk02w4OecKY87+c=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
@@ -590,6 +595,8 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
 github.com/ncw/swift v1.0.47/go.mod h1:23YIA4yWVnGwv2dQlN4bB7egfYX6YLn0Yo/S6zZO/ZM=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
+github.com/npinaeva/knftables v0.0.0-20240902075500-53185f303a2a h1:MwfXP9CchUNrHNfxflr5dmWztji7OQNT8VjpVnEsv6k=
+github.com/npinaeva/knftables v0.0.0-20240902075500-53185f303a2a/go.mod h1:f/5ZLKYEUPUhVjUCg6l80ACdL7CIIyeL0DxfgojGRTk=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=

go-controller/pkg/node/default_node_network_controller.go

@@ -112,12 +112,14 @@ type DefaultNodeNetworkController struct {
 	retryEndpointSlices *retry.RetryFramework
 
 	apbExternalRouteNodeController *apbroute.ExternalGatewayNodeController
+
+	udnHostIsolationManager *UDNHostIsolationManager
 }
 
 func newDefaultNodeNetworkController(cnnci *CommonNodeNetworkControllerInfo, stopChan chan struct{},
 	wg *sync.WaitGroup, routeManager *routemanager.Controller) *DefaultNodeNetworkController {
 
-	return &DefaultNodeNetworkController{
+	c := &DefaultNodeNetworkController{
 		BaseNodeNetworkController: BaseNodeNetworkController{
 			CommonNodeNetworkControllerInfo: *cnnci,
 			NetInfo:                         &util.DefaultNetInfo{},
@@ -126,6 +128,11 @@ func newDefaultNodeNetworkController(cnnci *CommonNodeNetworkControllerInfo, sto
 		},
 		routeManager: routeManager,
 	}
+	if util.IsNetworkSegmentationSupportEnabled() {
+		c.udnHostIsolationManager = NewUDNHostIsolationManager(config.IPv4Mode, config.IPv6Mode,
+			cnnci.watchFactory.PodCoreInformer(), cnnci.watchFactory.NADInformer().Lister())
+	}
+	return c
 }
 
 // NewDefaultNodeNetworkController creates a new network controller for node management of the default network
@@ -766,6 +773,15 @@ func (nc *DefaultNodeNetworkController) Start(ctx context.Context) error {
 		if err != nil {
 			return err
 		}
+		if nc.udnHostIsolationManager != nil {
+			if err = nc.udnHostIsolationManager.Start(ctx); err != nil {
+				return err
+			}
+		} else {
+			if err = CleanupUDNHostIsolation(); err != nil {
+				return fmt.Errorf("failed cleaning up UDN host isolation: %w", err)
+			}
+		}
 	}
 
 	// First wait for the node logical switch to be created by the Master, timeout is 300s.

go-controller/pkg/node/gateway_init.go

@@ -13,6 +13,7 @@ import (
 	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/config"
 	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/factory"
 	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/kube"
+	nodenft "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/node/nftables"
 	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/node/routemanager"
 	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/types"
 	util "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/util"
@@ -541,6 +542,9 @@ func CleanupClusterNode(name string) error {
 	// Delete iptable rules for management port
 	DelMgtPortIptRules()
 
+	// Delete nftables rules
+	nodenft.CleanupNFTables()
+
 	return nil
 }
 

go-controller/pkg/node/healthcheck_node_test.go

@@ -85,6 +85,7 @@ var _ = Describe("Node healthcheck tests", func() {
 	)
 
 	BeforeEach(func() {
+		config.PrepareTestConfig()
 		stopCh = make(chan struct{})
 		wg = &sync.WaitGroup{}
 		os.Setenv("POD_NAME", ovnkNodePodName)

go-controller/pkg/node/nftables/helpers.go

@@ -0,0 +1,62 @@
+//go:build linux
+// +build linux
+
+package nftables
+
+import (
+	"context"
+
+	"sigs.k8s.io/knftables"
+)
+
+const OVNKubernetesNFTablesName = "ovn-kubernetes"
+
+// put all chain names from OVNKubernetesNFTablesName here to avoid conflicts.
+const (
+	UDNIsolationChain = "udn-isolation"
+)
+
+var nftHelper knftables.Interface
+
+// SetFakeNFTablesHelper creates a fake knftables.Interface
+func SetFakeNFTablesHelper() *knftables.Fake {
+	fake := knftables.NewFake(knftables.InetFamily, OVNKubernetesNFTablesName)
+	tx := fake.NewTransaction()
+	tx.Add(&knftables.Table{})
+	_ = fake.Run(context.TODO(), tx)
+
+	nftHelper = fake
+	return fake
+}
+
+// GetNFTablesHelper returns a knftables.Interface. If SetFakeNFTablesHelper has not been
+// called, it will create a "real" knftables.Interface
+func GetNFTablesHelper() (knftables.Interface, error) {
+	if nftHelper == nil {
+		nft, err := knftables.New(knftables.InetFamily, OVNKubernetesNFTablesName)
+		if err != nil {
+			return nil, err
+		}
+		tx := nft.NewTransaction()
+		tx.Add(&knftables.Table{})
+		err = nft.Run(context.TODO(), tx)
+		if err != nil {
+			return nil, err
+		}
+
+		nftHelper = nft
+	}
+	return nftHelper, nil
+}
+
+// CleanupNFTables cleans up all ovn-kubernetes NFTables data, on ovnkube-node daemonset
+// deletion.
+func CleanupNFTables() {
+	nft, _ := GetNFTablesHelper()
+	if nft == nil {
+		return
+	}
+	tx := nft.NewTransaction()
+	tx.Delete(&knftables.Table{})
+	_ = nft.Run(context.Background(), tx)
+}

go-controller/pkg/node/nftables/testing.go

@@ -0,0 +1,38 @@
+//go:build linux
+// +build linux
+
+package nftables
+
+import (
+	"fmt"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+)
+
+// MatchNFTRules checks that the expected nftables rules match the actual ones, ignoring
+// order.
+func MatchNFTRules(expected, actual string) error {
+	expectedSet := sets.New(strings.Split(expected, "\n")...)
+	actualSet := sets.New(strings.Split(actual, "\n")...)
+
+	// ignore blank lines
+	expectedSet.Delete("")
+	actualSet.Delete("")
+
+	missing := expectedSet.Difference(actualSet)
+	extra := actualSet.Difference(expectedSet)
+
+	if len(missing) == 0 && len(extra) == 0 {
+		return nil
+	}
+
+	msg := "nftables rule mismatch:"
+	if len(missing) > 0 {
+		msg += fmt.Sprintf("\nMissing rules: %v\n", missing.UnsortedList())
+	}
+	if len(extra) > 0 {
+		msg += fmt.Sprintf("\nExtra rules: %v\n", extra.UnsortedList())
+	}
+	return fmt.Errorf("%s", msg)
+}

go-controller/pkg/node/secondary_node_network_controller.go

@@ -93,7 +93,7 @@ func (nc *SecondaryNodeNetworkController) Stop() {
 	}
 }
 
-// Cleanup cleans up node entities for the given secondary network
+// CleanupUDNHostIsolation cleans up node entities for the given secondary network
 func (nc *SecondaryNodeNetworkController) Cleanup() error {
 	if nc.gateway != nil {
 		return nc.gateway.DelNetwork()