From 04fc67f801d3721c20ace44e34fae9ae9f3566e3 Mon Sep 17 00:00:00 2001
From: Mengxin Liu
Date: Sun, 23 May 2021 16:25:25 +0800
Subject: [PATCH] fix: add node to pod allow acl

If this acl not exists and networkpolicy is added, probe will failed as is not allowed. If no networkpolicy exists, this allow acl may increase performance burden. So only add this acl if any networkpolicy exists

(cherry picked from commit c1d3fc3cfe51d886e427923caa75b9fd9b4f4df7)
---
 pkg/controller/controller.go | 1 +
 pkg/controller/network_policy.go | 24 +++++++++++++++++
 pkg/ovs/ovn-nbctl.go | 44 ++++++++++++++++++++++++++++----
 3 files changed, 64 insertions(+), 5 deletions(-)

diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
index 0c813f8413c..3ac6f5118d6 100644
--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
@@ -449,4 +449,5 @@ func (c *Controller) startWorkers(stopCh <-chan struct{}) {
 }, 30*time.Second, stopCh)

 go wait.Until(c.resyncSubnetMetrics, 30*time.Second, stopCh)
+ go wait.Until(c.resyncNodeACL, 10*time.Second, stopCh)
 }
diff --git a/pkg/controller/network_policy.go b/pkg/controller/network_policy.go
index c457b7d374c..7d921c1b8af 100644
--- a/pkg/controller/network_policy.go
+++ b/pkg/controller/network_policy.go
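Review bot: `go wait.Until(c.resyncNodeACL, 10*time.Second, stopCh)` schedules a full reconcile every 10 s while the sibling resyncs on the adjacent lines run every 30 s, and from resyncNodeACL's body later in this patch each tick appears to issue one ovn-nbctl call per OVN subnet whether or not anything changed. The value it reconciles only flips when the first NetworkPolicy appears or the last one is deleted, so this is unconditional churn against the northbound DB. Consider aligning the period with the others, `go wait.Until(c.resyncNodeACL, 30*time.Second, stopCh)`, or driving the sync from the NetworkPolicy add/delete handlers and keeping the timer only as a safety net. startWorkers begins outside the hunk.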
@@ -664,3 +664,27 @@ func isNamespaceMatchNetworkPolicy(ns *corev1.Namespace, policy *netv1.NetworkPo
 }
 return false
 }
+
+func (c *Controller) resyncNodeACL() {
+ np, _ := c.npsLister.List(labels.Everything())
+ networkPolicyExists := len(np) != 0
+
+ subnets, _ := c.subnetsLister.List(labels.Everything())
+ for _, subnet := range subnets {
+ if subnet.Spec.Provider == util.OvnProvider || subnet.Spec.Provider == "" {
+ if subnet.Name == c.config.NodeSwitch {
+ continue
+ }
+
+ if networkPolicyExists {
+ if err := c.ovnClient.SetNodeSwitchAcl(subnet.Name); err != nil {
+ klog.Errorf("failed to set node acl, %v", err)
+ }
+ } else {
+ if err := c.ovnClient.RemoveNodeSwitchAcl(subnet.Name); err != nil {
+ klog.Errorf("failed to set node acl, %v", err)
+ }
+ }
+ }
+ }
+}
diff --git a/pkg/ovs/ovn-nbctl.go b/pkg/ovs/ovn-nbctl.go
index bf8b65b5e86..f923d85ea3d 100644
--- a/pkg/ovs/ovn-nbctl.go
+++ b/pkg/ovs/ovn-nbctl.go
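Review bot: resyncNodeACL does not skip private subnets, so whenever no NetworkPolicy exists it calls RemoveNodeSwitchAcl on every OVN subnet, and the `acl-del` issued there (to-lport, NodeAllowPriority, `ip4.src==<NodeSwitchCIDR>`) is byte-identical to the node-allow ACL that SetPrivateLogicalSwitch installs in ovn-nbctl.go so that nodes can reach a private subnet above its default drop. On a cluster with private subnets and no NetworkPolicy the 10 s resync would strip that rule and leave the subnet's drop ACL blocking kubelet probes until the subnet is next re-applied. Guard the loop with the subnet's private flag, e.g. `if subnet.Name == c.config.NodeSwitch || subnet.Spec.Private { continue }` (field name to be confirmed against the subnet type), or limit the removal to non-private subnets. Separately, both `List` errors are discarded with `_`; a failed lister call yields an empty `np`, which this code reads as "no policies" and turns into ACL removal, so return early instead: `np, err := c.npsLister.List(labels.Everything()); if err != nil { klog.Errorf("failed to list network policies, %v", err); return }`. The log line in the remove branch should also say "remove" rather than "set".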
@@ -704,6 +704,40 @@ func (c Client) CleanLogicalSwitchAcl(ls string) error {
 return err
 }

+func (c Client) SetNodeSwitchAcl(ls string) error {
+ cidrs := strings.Split(c.NodeSwitchCIDR, ",")
+ for _, cidr := range cidrs {
+ var err error
+ if util.CheckProtocol(cidr) == kubeovnv1.ProtocolIPv4 {
+ _, err = c.ovnNbCommand(MayExist, "acl-add", ls, "to-lport", util.NodeAllowPriority, fmt.Sprintf("ip4.src==%s", c.NodeSwitchCIDR), "allow-related")
+ } else {
+ _, err = c.ovnNbCommand(MayExist, "acl-add", ls, "to-lport", util.NodeAllowPriority, fmt.Sprintf("ip6.src==%s", c.NodeSwitchCIDR), "allow-related")
+ }
+ if err != nil {
+ klog.Errorf("failed to add node switch acl")
+ return err
+ }
+ }
+ return nil
+}
+
+func (c Client) RemoveNodeSwitchAcl(ls string) error {
+ cidrs := strings.Split(c.NodeSwitchCIDR, ",")
+ for _, cidr := range cidrs {
+ var err error
+ if util.CheckProtocol(cidr) == kubeovnv1.ProtocolIPv4 {
+ _, err = c.ovnNbCommand("acl-del", ls, "to-lport", util.NodeAllowPriority, fmt.Sprintf("ip4.src==%s", c.NodeSwitchCIDR))
+ } else {
+ _, err = c.ovnNbCommand("acl-del", ls, "to-lport", util.NodeAllowPriority, fmt.Sprintf("ip6.src==%s", c.NodeSwitchCIDR))
+ }
+ if err != nil {
+ klog.Errorf("failed to delete node switch acl")
+ return err
+ }
+ }
+ return nil
+}
+
 // ResetLogicalSwitchAcl reset acl of a switch
 func (c Client) ResetLogicalSwitchAcl(ls string) error {
 _, err := c.ovnNbCommand("acl-del", ls)
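Review bot: Both loops split `c.NodeSwitchCIDR` on "," and choose the protocol from each `cidr`, but the four `fmt.Sprintf` calls still embed the whole `c.NodeSwitchCIDR`, so with a dual-stack, comma-separated value every match becomes `ip4.src==10.0.0.0/16,fd00::/64`, which is not a valid OVN match, and the ip4 and ip6 branches emit the same broken string twice. Replace `c.NodeSwitchCIDR` with `cidr` in all four `fmt.Sprintf` calls; note that the `acl-del` match in RemoveNodeSwitchAcl has to stay byte-identical to the `acl-add` match or the allow rule is never removed. The error logs also drop the cause; use `klog.Errorf("failed to add node switch acl: %v", err)` and the same for delete. Both exported methods need a doc comment stating that this ACL lets any traffic sourced from the node switch CIDR reach pods on `ls` regardless of NetworkPolicy, which is the intended carve-out for kubelet probes and should be understood as such by whoever tunes NodeAllowPriority.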
@@ -717,12 +751,12 @@ func (c Client) SetPrivateLogicalSwitch(ls, protocol, cidr string, allow []strin
 var dropArgs []string
 if protocol == kubeovnv1.ProtocolIPv4 {
 dropArgs = []string{"--", "--log", fmt.Sprintf("--name=%s", ls), fmt.Sprintf("--severity=%s", "warning"), "acl-add", ls, "to-lport", util.DefaultDropPriority, "ip", "drop"}
- allowArgs = append(allowArgs, "--", "acl-add", ls, "to-lport", util.NodeAllowPriority, fmt.Sprintf("ip4.src==%s", c.NodeSwitchCIDR), "allow-related")
- allowArgs = append(allowArgs, "--", "acl-add", ls, "to-lport", util.SubnetAllowPriority, fmt.Sprintf(`ip4.src==%s && ip4.dst==%s`, cidr, cidr), "allow-related")
+ allowArgs = append(allowArgs, "--", MayExist, "acl-add", ls, "to-lport", util.NodeAllowPriority, fmt.Sprintf("ip4.src==%s", c.NodeSwitchCIDR), "allow-related")
+ allowArgs = append(allowArgs, "--", MayExist, "acl-add", ls, "to-lport", util.SubnetAllowPriority, fmt.Sprintf(`ip4.src==%s && ip4.dst==%s`, cidr, cidr), "allow-related")
 } else {
 dropArgs = []string{"--", "--log", fmt.Sprintf("--name=%s", ls), fmt.Sprintf("--severity=%s", "warning"), "acl-add", ls, "to-lport", util.DefaultDropPriority, "ip", "drop"}
- allowArgs = append(allowArgs, "--", "acl-add", ls, "to-lport", util.NodeAllowPriority, fmt.Sprintf("ip6.src==%s", c.NodeSwitchCIDR), "allow-related")
- allowArgs = append(allowArgs, "--", "acl-add", ls, "to-lport", util.SubnetAllowPriority, fmt.Sprintf(`ip6.src==%s && ip6.dst==%s`, cidr, cidr), "allow-related")
+ allowArgs = append(allowArgs, "--", MayExist, "acl-add", ls, "to-lport", util.NodeAllowPriority, fmt.Sprintf("ip6.src==%s", c.NodeSwitchCIDR), "allow-related")
+ allowArgs = append(allowArgs, "--", MayExist, "acl-add", ls, "to-lport", util.SubnetAllowPriority, fmt.Sprintf(`ip6.src==%s && ip6.dst==%s`, cidr, cidr), "allow-related")
 }

 ovnArgs := append(delArgs, dropArgs...)
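Review bot: The node-allow ACL kept on the `+` lines here matches `ip4.src==<NodeSwitchCIDR>` / `ip6.src==<NodeSwitchCIDR>` with `allow-related` at NodeAllowPriority, so anything sourcing traffic from the node switch CIDR (node processes and, presumably, hostNetwork pods) reaches pods on a private subnet regardless of its `allow` list; that is a deliberate hole for kubelet probes and deserves a one-line comment saying so, `// node switch CIDR is always allowed (kubelet probes); this bypasses the subnet allow list`. It also embeds the full `c.NodeSwitchCIDR` string even though `protocol` already selects one address family, so on a dual-stack, comma-separated value the match is malformed for both branches; pick the single CIDR of the chosen family (split on "," and keep the entry whose protocol matches) before formatting — pre-existing, but these lines are rewritten here. SetPrivateLogicalSwitch starts and ends outside the hunk.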
@@ -736,7 +770,7 @@ func (c Client) SetPrivateLogicalSwitch(ls, protocol, cidr string, allow []strin
 match = fmt.Sprintf("(ip6.src==%s && ip6.dst==%s) || (ip6.src==%s && ip6.dst==%s)", strings.TrimSpace(subnet), cidr, cidr, strings.TrimSpace(subnet))
 }

- allowArgs = append(allowArgs, "--", "acl-add", ls, "to-lport", util.SubnetAllowPriority, match, "allow-related")
+ allowArgs = append(allowArgs, "--", MayExist, "acl-add", ls, "to-lport", util.SubnetAllowPriority, match, "allow-related")
 }
 }
 ovnArgs = append(ovnArgs, allowArgs...)