Add Versioned API and Antctl for NetworkPolicyEvaluation (effective policy rule prediction)

[qiyueyao]

• Added antctl support for querying effective policy rule by networkpolicyevaluation
  antctl query networkpolicyevaluation -S ns1/pod1 -D ns2/pod2
• Added versioned API for NetworkPolicy evaluation POST call
  curl -d "@<test json file>" -H "Content-Type: application/json" -X POST <k8s-apiserver>:8001/apis/controlplane.antrea.io/v1beta2/networkpolicyevaluation

Adds the above APIs and antctl queriers that returns the predicted effective NetworkPolicy rule, which affects traffic from ns1/pod1 to ns2/pod2. The solution picks the highest priority rule that satisfies the query.

[antoninbas]

I was just curious as to whether some thought was given regarding implementing all this logic in antctl, rather than in the controller API server? I imagine that in theory antctl query networkpolicyanalysis and antctl query endpoint could share a single API (with extra information compared to what /endpoints provide today) and that the rule comparison / ordering could happen in antctl instead of in the server. If however, we think that there is a need for a dedicated API providing the end result (e.g., because it needs to be consumed by some other component), then that would explain why we need a dedicated API.

[Dyanngg]

Yes we do intend to have this API consumed by some downstream components

[tnqn]

Since this tends to be a public API and not only consumed by antctl, should we make a well-defined, structured, and versioned resource API? The API looks helpful to me and could perhaps be extended to test Pod-to-IP as well.
If it's a non-resource API like the current one, it may be hard to evolve and handle compatibility with its consumers.
I think it could be an API under controlplane API like the group membership APIs. There are quite some examples in Kubernetes APIs similar to this, used as ephemeral queries, like AdmissionReview, SubjectAccessReview, TokenReview, TokenRequest, CertificateSigningRequest.
There will be plenty of benefits by making it a resource API:

1. It can be exposed via APIService so any consumers running out of the cluster (including antctl) can access it publicly.
2. Generated client code makes it easier to consume, instead of rewriting the parser code in every client.
3. It's versioned so easier to support different versions of clients.
4. The request and response can be better structured when extending it.

For example, the data type in my mind:

type NetworkPolicyAccessReview struct {
	metav1.TypeMeta
	Request *NetworkPolicyAccessRequest
	Response *NetworkPolicyAccessResponse
}

type Entity struct {
	Namespace string
	Pod       string
	// It can be added when we can support IP check.
	IP   string

}

type NetworkPolicyAccessRequest struct {
	Source      Entity
	Destination Entity
	// It can be added when we can support port level check.
        Protocol Protocol
	SourcePort int
        DestinationPort int
}

type NetworkPolicyAccessResponse struct {
	// The expected action.
	Action Action
	// The reference of the effective NetworkPolicy.
	NetworkPolicy NetworkPolicyReference
	Direction cpv1beta.Direction 
	RuleIndex int
	// The content of the effective rule. Type is runtime.Object because it can be different types.
	Rule runtime.Object
}

[qiyueyao]

Changed to resourced API, and updated antctl call to it.

[jianjuns]

Should we name it "effectivepolicyrule"?

[qiyueyao]

Currently implementing this comment #5740 (comment) , so perhaps this will be "networkpolicyaccess"?

[jianjuns]

I assume that comment is about making the API definition generic? But the antctl command here is just for a single operation of returning the effective rule, or you plan to extend the command to support generic policy queries later?

[qiyueyao]

Named the API networkpolicyaccessreview and named the antctl command effectivepolicyrule.

[jianjuns]

Let us hear what @antoninbas and @tnqn may suggest too.

[tnqn]

Sorry, I used NetworkPolicyAccessReview in #5740 (comment) just as an example and didn't think too much about the naming. Now I feel it sounds different from what it actually represents. How about naming it NetworkPolicyEnforcement, which may also be used as the cmd name, i.e. antctl query networkpolicyenforcement?

[qiyueyao]

Since the api&cmd doesn't enforce the current configs, just queries them, perhaps enforcement would be misleading? How about NetworkPolicyEffectiveRule, NetworkPolicyPrimeRule, NetworkPolicyEvaluation, NetworkPolicyAnalysis?

[Dyanngg]

I agree with Qiyue that without the query verb in antctl, NetworkPolicyEnforcement as an API name could be misleading as it does not return the actual policy enforcement state. I personally would vote for NetworkPolicyEvaluation but love to hear what @tnqn and @jianjuns think as well

[tnqn]

NetworkPolicyEvaluation sounds good to me too.

[qiyueyao]

Renamed the types.

[antoninbas]

I thought this package was meant for output transforms. For parameter transform (which is a new concept), maybe it should be in a separate package?

[qiyueyao]

Created a new package paramter under antctl.

[tnqn]

should it be moved to transform/networkpolicy like the type of the response? otherwise this file would include all parameters of discrete commands.

[qiyueyao]

The function was moved here as a new package parameter based on this comment, if I understood it correctly.

[antoninbas]

We should probably find a better package name / location in a future PR though

[qiyueyao]

Sure, do you have any suggestion or insight? To include it inside transform or refactor some of the existing structs?

[antoninbas]

Thinking about it some more, maybe we could keep it in transform/networkpolicy, but as a separate file to clearly mark the difference? Maybe we could have transform/networkpolicy/request.go and ransform/networkpolicy/response.go?

[qiyueyao]

Sounds good, will open a PR for this.

[tnqn]

should we use "networkpolicies/evaluation" as the path to indicate their relationship? Like "pods/log", "pods/attach", "pods/exec" APIs?

[qiyueyao]

I did some test and found that, since NetworkPolicyEvaluation is currently a resource, to use networkpolicies/evaluation we have to make evaluation a subresource of networkpolicies. But different from status&scale, this NetworkPolicyEvaluation is not affiliated to a particular networkpolicy at input, so I could not provide a networkpolicy name for the subresource. I feel like this might have to stay as a separate resource like appliedtogroups?

[tnqn]

makes sense

[qiyueyao]

Depends on #5989
Merged and rebased.

[tnqn]

makes sense

[tnqn]

Is the following equivalent?

for _, rule := range commonRules {
	if rule.Policy.SourceRef.Type == controlplane.K8sNetworkPolicy ||
		*rule.Policy.TierPriority == BaselineTierPriority ||
		rule.Rule.Action == nil || *rule.Rule.Action != crdv1beta1.RuleActionPass) {
		return rule
	}
}
return nil

[qiyueyao]

Seems not, we discussed the cases when 1) Pass was the first rule, but there are no satisfied rules found later, then the first Pass rule should be returned. 2) If Pass was the first rule, we need to skip all ACNP/ANNP rules until a K8s rule or Baseline rule appears, looks like the above solution returns the next non-pass rule.

[tnqn]

makes sense

[tnqn]

makes sense

[tnqn]

LGTM

[Dyanngg]

LGTM, thanks for addressing all the comments on this giant PR

[tnqn]

@jianjuns @antoninbas do you have other comments?

[antoninbas]

@tnqn I took another quick look, LGTM

[tnqn]

/test-all

[tnqn]

Ignoring the following tests:

• “Upgrade from Antrea version N-1” and "API compatible with client version N-1" should be related to the issue fixed by Do not load unnecessary images in ci/kind/test-upgrade-antrea.sh #6039

• "Antrea-native (VLAN) secondary network tests on a Kind cluster on Linux" should be fixed by [e2e tests] Wait for secondary IPs before running ping test #6041