Add ACNP appliedto NodePort svc support #3997

Merged
merged 4 commits into from
Aug 8, 2022
20 changes: 20 additions & 0 deletions build/charts/antrea/crds/clusternetworkpolicy.yaml
Expand Up @@ -117,6 +117,16 @@ spec:
required:
- name
- namespace
service:
type: object
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
ingress:
type: array
items:
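Review bot: the new `service` object schema (`service:` with `required: - name - namespace`) validates the shape of a Service reference but cannot express the exclusivity rule this PR documents elsewhere (`service` cannot be combined with any other field in the same `appliedTo` entry, and a policy with a `service` appliedTo may only carry ingress rules). Since an OpenAPI schema of this form won't reject `service` set alongside `podSelector`, `namespaceSelector` or `group`, please confirm the validating admission path rejects such entries and that a test covers the rejection, otherwise a misconfigured policy is accepted by the API server and only fails (or is silently ignored) at enforcement time.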
Expand Down Expand Up @@ -190,6 +200,16 @@ spec:
required:
- name
- namespace
service:
type: object
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
# Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
action:
type: string
20 changes: 20 additions & 0 deletions build/yamls/antrea-aks.yml
Expand Up @@ -495,6 +495,16 @@ spec:
required:
- name
- namespace
service:
type: object
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
ingress:
type: array
items:
Expand Down Expand Up @@ -568,6 +578,16 @@ spec:
required:
- name
- namespace
service:
type: object
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
# Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
action:
type: string
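Review bot: this hunk and the matching hunks in the other `build/yamls/antrea-*.yml` files are byte-identical copies of the chart CRD change in `build/charts/antrea/crds/clusternetworkpolicy.yaml`; please confirm they were produced by the manifest generation step rather than edited by hand, so a later regeneration does not reintroduce drift between the chart and the shipped manifests.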
20 changes: 20 additions & 0 deletions build/yamls/antrea-crds.yml
Expand Up @@ -488,6 +488,16 @@ spec:
required:
- name
- namespace
service:
type: object
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
ingress:
type: array
items:
Expand Down Expand Up @@ -561,6 +571,16 @@ spec:
required:
- name
- namespace
service:
type: object
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
# Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
action:
type: string
20 changes: 20 additions & 0 deletions build/yamls/antrea-eks.yml
Expand Up @@ -495,6 +495,16 @@ spec:
required:
- name
- namespace
service:
type: object
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
ingress:
type: array
items:
Expand Down Expand Up @@ -568,6 +578,16 @@ spec:
required:
- name
- namespace
service:
type: object
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
# Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
action:
type: string
20 changes: 20 additions & 0 deletions build/yamls/antrea-gke.yml
Expand Up @@ -495,6 +495,16 @@ spec:
required:
- name
- namespace
service:
type: object
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
ingress:
type: array
items:
Expand Down Expand Up @@ -568,6 +578,16 @@ spec:
required:
- name
- namespace
service:
type: object
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
# Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
action:
type: string
20 changes: 20 additions & 0 deletions build/yamls/antrea-ipsec.yml
Expand Up @@ -495,6 +495,16 @@ spec:
required:
- name
- namespace
service:
type: object
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
ingress:
type: array
items:
Expand Down Expand Up @@ -568,6 +578,16 @@ spec:
required:
- name
- namespace
service:
type: object
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
# Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
action:
type: string
20 changes: 20 additions & 0 deletions build/yamls/antrea.yml
Expand Up @@ -495,6 +495,16 @@ spec:
required:
- name
- namespace
service:
type: object
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
ingress:
type: array
items:
Expand Down Expand Up @@ -568,6 +578,16 @@ spec:
required:
- name
- namespace
service:
type: object
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
# Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
action:
type: string
48 changes: 47 additions & 1 deletion docs/antrea-network-policy.md
Expand Up @@ -39,6 +39,7 @@
- [Node Selector](#node-selector)
- [toServices egress rules](#toservices-egress-rules)
- [ServiceAccount based selection](#serviceaccount-based-selection)
- [Apply to NodePort Service](#apply-to-nodeport-service)
- [ClusterGroup](#clustergroup)
- [ClusterGroup CRD](#clustergroup-crd)
- [kubectl commands for ClusterGroup](#kubectl-commands-for-clustergroup)
Expand Down Expand Up @@ -482,6 +483,10 @@ Specific Pods from specific Namespaces can be selected by providing both a
`podSelector` and a `namespaceSelector` in the same `appliedTo` entry.
The `appliedTo` field can also reference a ClusterGroup resource by setting
the ClusterGroup's name in `group` field in place of the stand-alone selectors.
The `appliedTo` field can also reference a Service by setting the Service's name
and Namespace in `service` field in place of the stand-alone selectors. Only a
NodePort Service can be referred by this field. More details can be found in the
[ApplyToNodePortService](#apply-to-nodeport-service) section.
IPBlock cannot be set in the `appliedTo` field.
An IPBlock ClusterGroup referenced in an `appliedTo` field will be ignored,
and the policy will have no effect.
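Review bot: "Only a NodePort Service can be referred by this field" should read "referred to by this field", and the link text `[ApplyToNodePortService]` would be easier to scan as `[Apply to NodePort Service]`, matching the section heading it points at.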
Expand Down Expand Up @@ -1288,14 +1293,55 @@ spec:

In this example, the policy will be applied to all Pods whose ServiceAccount is `sa-1` of `ns-1`.
Let's call those Pods "appliedToPods".
The egress `to` section will select all Pods whose ServiceAccount is in `ns-2` namespace and name as `sa-2`.
The egress `to` section will select all Pods whose ServiceAccount is in `ns-2` Namespace and name as `sa-2`.
Let's call those Pods "egressPods".
After this policy is applied, traffic from "appliedToPods" to "egressPods" will be dropped.

Note: Antrea will use a reserved label key for internal processing `serviceAccount`.
The reserved label looks like: `internal.antrea.io/service-account:[ServiceAccountName]`. Users should avoid using
this label key in any entities no matter if a policy with `serviceAccount` is applied in the cluster.

### Apply to NodePort Service

Antrea ClusterNetworkPolicy features a `service` field in `appliedTo` field to enforce the ACNP rules on the
traffic from external clients to a NodePort Service.

`service` uses `namespace` and `name` to select the Service with a specific name under a specific Namespace;
only a NodePort Service can be referred by `service` field.

There are a few **restrictions** on configuring a policy/rule that applies to NodePort Services:

1. This feature can only work when Antrea proxyAll is enabled and kube-proxy is disabled.
2. `service` field cannot be used with any other fields in `appliedTo`.
3. a policy or a rule can't be applied to both a NodePort Service and other entities at the same time.
4. If a `appliedTo` with `service` is used at policy level, then this policy can only contain ingress rules.
5. If a `appliedTo` with `service` is used at rule level, then this rule can only be an ingress rule.
6. If an ingress rule is applied to a NodePort Service, then this rule can only use `ipBlock` in its `from` field.

An example policy using `service` in `appliedTo` could look like this:

```yaml
apiVersion: crd.antrea.io/v1alpha1
kind: ClusterNetworkPolicy
metadata:
name: acnp-deny-external-client-nodeport-svc-access
spec:
priority: 5
tier: securityops
appliedTo:
- service:
name: svc-1
namespace: ns-1
ingress:
- action: Drop
from:
- ipBlock:
cidr: 1.1.1.0/24
```

In this example, the policy will be applied to the NodePort Service `svc-1` in Namespace `ns-1`,
and drop all packets from CIDR `1.1.1.0/24`.

## ClusterGroup

A ClusterGroup (CG) CRD is a specification of how workloads are grouped together.
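Review bot: the six restrictions say what is not allowed but not how a violation surfaces, which is the part an operator needs; please state for each whether the policy is rejected on creation or accepted and then not enforced, and in particular what happens under restriction 1 when `proxyAll` is off or kube-proxy is still running (is the policy rejected, or does it apply with no effect, leaving the Service reachable while the user believes it is protected?). Restrictions 2 and 3 also read as the same rule stated twice; if 3 is meant to cover a `service` entry combined with a second, non-`service` `appliedTo` entry in the same list, say so. In the example, `cidr: 1.1.1.0/24` is a publicly routed range; the documentation range `192.0.2.0/24` (RFC 5737) avoids readers copying a real prefix into a Drop rule. Minor: "can be referred by `service` field" should be "referred to by the `service` field".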
41 changes: 34 additions & 7 deletions pkg/agent/controller/networkpolicy/cache.go
Expand Up @@ -19,6 +19,7 @@ import (
"encoding/hex"
"encoding/json"
"fmt"
"strings"
"sync"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Expand Down Expand Up @@ -450,13 +451,7 @@ func (c *ruleCache) processGroupIDUpdates() {
for {
select {
case svcStr := <-c.groupIDUpdates:
toSvcRules, err := c.rules.ByIndex(toServicesIndex, svcStr)
if err != nil {
continue
}
for _, toSvcRule := range toSvcRules {
c.dirtyRuleHandler(toSvcRule.(*rule).ID)
}
c.processServiceGroupIDUpdate(svcStr)
}
}
}
Expand Down Expand Up @@ -911,3 +906,35 @@ func (c *ruleCache) unionAppliedToGroups(groupNames []string) (v1beta.GroupMembe
}
return set, anyExists
}

// processServiceGroupIDUpdate gets names of AppliedToGroup by Service NamespacedName.
func (c *ruleCache) processServiceGroupIDUpdate(svcStr string) {
c.appliedToSetLock.RLock()
defer c.appliedToSetLock.RUnlock()

// Reprocess rules if the Service referred by this rule's ToServices has updated.
toSvcRules, err := c.rules.ByIndex(toServicesIndex, svcStr)
if err != nil {
return
}
for _, toSvcRule := range toSvcRules {
c.dirtyRuleHandler(toSvcRule.(*rule).ID)
}

// Reprocess rules if the Service referred by rule's AppliedToGroup has updated.
strListSvcRef := strings.Split(svcStr, "/")
if len(strListSvcRef) != 2 {
return
}
member := &v1beta.GroupMember{
Service: &v1beta.ServiceReference{
Name: strListSvcRef[1],
Namespace: strListSvcRef[0],
},
}
for group, memberSet := range c.appliedToSetByGroup {
if memberSet.Has(member) {
c.onAppliedToGroupUpdate(group)
}
}
}
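Review bot: `c.appliedToSetLock.RLock()` is held for the whole function, including the calls to `c.dirtyRuleHandler` and `c.onAppliedToGroupUpdate`; if either callback (or anything it calls synchronously) takes the write side of `appliedToSetLock`, this deadlocks, and even a read-only callback now runs under a lock it did not previously hold. Safer to collect the matching group names into a slice under the read lock, release it, and then call `onAppliedToGroupUpdate` for each. Two smaller points: the early `return` on the `ByIndex` error skips the AppliedToGroup pass entirely and swallows the error without a log line (logging and falling through to the second block keeps the two passes independent), and the doc comment "gets names of AppliedToGroup by Service NamespacedName" does not describe what the function does; something like "marks rules and AppliedToGroups that reference the updated Service as dirty" matches the code. Finally, the `memberSet.Has(member)` lookup relies on a `GroupMember` carrying only a `Service` reference being keyed the same way as the stored members; a unit test for that lookup would pin the behaviour.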