Add controller to deploy netobserv network policy
OlivierCazade committed Jun 25, 2024
1 parent bc0bcef commit 1ce7586
Showing 18 changed files with 597 additions and 1 deletion.
1 change: 1 addition & 0 deletions apis/flowcollector/v1beta1/zz_generated.conversion.go


15 changes: 15 additions & 0 deletions apis/flowcollector/v1beta2/flowcollector_types.go
Expand Up @@ -84,6 +84,21 @@ type FlowCollectorSpec struct {
// +optional
// +k8s:conversion-gen=false
Exporters []*FlowCollectorExporter `json:"exporters"`

// `networkPolicy` define network policy settings for netobserv
// +k8s:conversion-gen=false
NetworkPolicy NetworkPolycy `json:"networkPolicy,omitempty"`
}

type NetworkPolycy struct {
// Set `deploy` to `false` to disable network policy deployment. It is enabled by default.
// +optional
Deploy *bool `json:"deploy,omitempty"`

// `additionalNamespaces` contains the interface names from where flows are collected. If empty, the agent
//+kubebuilder:default:={"openshift-console", "openshift-monitoring"}
//+optional
AdditionalNamespaces []string `json:"additionalNamespaces"`
}

type FlowCollectorAgentType string
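Review bot: The doc comment on `AdditionalNamespaces` (L35) is copied from the agent's interfaces field and stops mid-sentence ("If empty, the agent"), and that text is carried verbatim into the generated CRD descriptions in bundle/manifests/flows.netobserv.io_flowcollectors.yaml and config/crd/bases/flows.netobserv.io_flowcollectors.yaml. A comment along the lines of `// additionalNamespaces lists extra namespaces that the deployed network policy authorizes, on top of the NetObserv privileged namespace and, in LokiStack mode, the LokiStack namespace` matches how np_controller.go's reconcile uses the field; the direction of the rule (ingress or egress) is decided by buildNetworkPolicy, which is outside this commit view, so word that part accordingly. The new type is spelled `NetworkPolycy` (L27, L30); as an exported name in the v1beta2 API, renaming it to `NetworkPolicy` is cheap now and harder once callers and tests reference it. The field also keeps `+optional` while its json tag lacks `omitempty`, unlike `Deploy` on L33, so an unset list is always serialized as empty — fine if intended, but worth a word in the comment.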
26 changes: 26 additions & 0 deletions apis/flowcollector/v1beta2/zz_generated.deepcopy.go


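--- a/bundle/manifests/flows.netobserv.io_flowcollectors.yaml
+++ b/bundle/manifests/flows.netobserv.io_flowcollectors.yaml
@@ -6382,6 +6382,23 @@ spec:
 default: netobserv
 description: Namespace where NetObserv pods are deployed.
 type: string
+networkPolicy:
+description: '`networkPolicy` define network policy settings for netobserv'
+properties:
+additionalNamespaces:
+default:
+- openshift-console
+- openshift-monitoring
+description: '`additionalNamespaces` contains the interface names
+from where flows are collected. If empty, the agent'
+items:
+type: string
+type: array
+deploy:
+description: Set `deploy` to `false` to disable network policy
+deployment. It is enabled by default.
+type: boolean
+type: object
 processor:
 description: |-
 `processor` defines the settings of the component that receives the flows from the agent,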
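--- a/bundle/manifests/netobserv-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/netobserv-operator.clusterserviceversion.yaml
@@ -776,6 +776,12 @@ spec:
 path: loki.readTimeout
 - displayName: Namespace
 path: namespace
+- displayName: Network policy
+path: networkPolicy
+- displayName: Additional namespaces
+path: networkPolicy.additionalNamespaces
+- displayName: Deploy
+path: networkPolicy.deploy
 - displayName: Log types
 path: processor.logTypes
 - displayName: Disable alerts
@@ -1070,6 +1076,16 @@ spec:
 - patch
 - update
 - watch
+- apiGroups:
+- networking.k8s.io
+resources:
+- networkpolicies
+verbs:
+- create
+- get
+- list
+- update
+- watch
 - apiGroups:
 - operator.openshift.io
 resources: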
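Review bot: The new networkpolicies rule (L93-102) omits `delete`, so the operator can create and update the policies but never remove them, for example when `networkPolicy.deploy` is later switched to `false` or a namespace is dropped from `additionalNamespaces`; whether reconcilers.ReconcileNetworkPolicy ever issues a delete is not visible in this commit. If removal is intended, add `- delete` (and likely `- patch`, which the neighbouring rule on L90 carries) to the verbs here and in the source rule in config/rbac/role.yaml, from which this CSV block is normally generated. If cleanup is meant to rely on owner references instead, a short comment on the role.yaml rule saying so would stop the question from resurfacing.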
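--- a/config/crd/bases/flows.netobserv.io_flowcollectors.yaml
+++ b/config/crd/bases/flows.netobserv.io_flowcollectors.yaml
@@ -5857,6 +5857,21 @@ spec:
 default: netobserv
 description: Namespace where NetObserv pods are deployed.
 type: string
+networkPolicy:
+description: '`networkPolicy` define network policy settings for netobserv'
+properties:
+additionalNamespaces:
+default:
+- openshift-console
+- openshift-monitoring
+description: '`additionalNamespaces` contains the interface names from where flows are collected. If empty, the agent'
+items:
+type: string
+type: array
+deploy:
+description: Set `deploy` to `false` to disable network policy deployment. It is enabled by default.
+type: boolean
+type: object
 processor:
 description: |-
 `processor` defines the settings of the component that receives the flows from the agent,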
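--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -161,6 +161,16 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+- networking.k8s.io
+resources:
+- networkpolicies
+verbs:
+- create
+- get
+- list
+- update
+- watch
 - apiGroups:
 - operator.openshift.io
 resources: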
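--- a/controllers/controllers.go
+++ b/controllers/controllers.go
@@ -3,7 +3,8 @@ package controllers
 import (
 "github.com/netobserv/network-observability-operator/controllers/flp"
 "github.com/netobserv/network-observability-operator/controllers/monitoring"
+"github.com/netobserv/network-observability-operator/controllers/networkpolicy"
 "github.com/netobserv/network-observability-operator/pkg/manager"
 )
 
-var Registerers = []manager.Registerer{Start, flp.Start, monitoring.Start}
+var Registerers = []manager.Registerer{Start, flp.Start, monitoring.Start, networkpolicy.Start}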
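--- a/controllers/flowcollector_controller_iso_test.go
+++ b/controllers/flowcollector_controller_iso_test.go
@@ -215,6 +215,10 @@ func flowCollectorIsoSpecs() {
 },
 },
 Exporters: []*flowslatest.FlowCollectorExporter{},
+NetworkPolicy: flowslatest.NetworkPolycy{
+Deploy: nil,
+AdditionalNamespaces: []string{},
+},
 }
 
 It("Should create CR successfully", func() {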
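--- a/controllers/networkpolicy/np_controller.go
+++ b/controllers/networkpolicy/np_controller.go
@@ -0,0 +1,94 @@
+package networkpolicy
+
+import (
+"context"
+"fmt"
+
+corev1 "k8s.io/api/core/v1"
+networkingv1 "k8s.io/api/networking/v1"
+ctrl "sigs.k8s.io/controller-runtime"
+"sigs.k8s.io/controller-runtime/pkg/client"
+"sigs.k8s.io/controller-runtime/pkg/log"
+
+flowslatest "github.com/netobserv/network-observability-operator/apis/flowcollector/v1beta2"
+"github.com/netobserv/network-observability-operator/controllers/constants"
+"github.com/netobserv/network-observability-operator/controllers/reconcilers"
+"github.com/netobserv/network-observability-operator/pkg/helper"
+"github.com/netobserv/network-observability-operator/pkg/manager"
+"github.com/netobserv/network-observability-operator/pkg/manager/status"
+)
+
+type Reconciler struct {
+client.Client
+mgr *manager.Manager
+status status.Instance
+currentNamespace string
+}
+
+func Start(ctx context.Context, mgr *manager.Manager) error {
+log := log.FromContext(ctx)
+log.Info("Starting Network Policy controller")
+r := Reconciler{
+Client: mgr.Client,
+mgr: mgr,
+status: mgr.Status.ForComponent(status.NetworkPolicy),
+}
+return ctrl.NewControllerManagedBy(mgr).
+For(&flowslatest.FlowCollector{}, reconcilers.IgnoreStatusChange).
+Named("networkPolicy").
+Owns(&corev1.Namespace{}).
+Owns(&networkingv1.NetworkPolicy{}).
+Complete(&r)
+}
+
+// Reconcile is the controller entry point for reconciling current state with desired state.
+// It manages the controller status at a high level. Business logic is delegated into `reconcile`.
+func (r *Reconciler) Reconcile(ctx context.Context, _ ctrl.Request) (ctrl.Result, error) {
+l := log.Log.WithName("networkpolicy") // clear context (too noisy)
+ctx = log.IntoContext(ctx, l)
+
+// Get flowcollector & create dedicated client
+clh, desired, err := helper.NewFlowCollectorClientHelper(ctx, r.Client)
+if err != nil {
+return ctrl.Result{}, fmt.Errorf("failed to get FlowCollector: %w", err)
+} else if desired == nil {
+// Delete case
+return ctrl.Result{}, nil
+}
+
+r.status.SetUnknown()
+defer r.status.Commit(ctx, r.Client)
+
+err = r.reconcile(ctx, clh, desired)
+if err != nil {
+l.Error(err, "Network policy reconcile failure")
+// Set status failure unless it was already set
+if !r.status.HasFailure() {
+r.status.SetFailure("NetworkPolicyError", err.Error())
+}
+return ctrl.Result{}, err
+}
+
+r.status.SetReady()
+return ctrl.Result{}, nil
+}
+
+func (r *Reconciler) reconcile(ctx context.Context, clh *helper.Client, desired *flowslatest.FlowCollector) error {
+// log := log.FromContext(ctx)
+ns := helper.GetNamespace(&desired.Spec)
+privilegedNs := ns + constants.EBPFPrivilegedNSSuffix
+r.currentNamespace = ns
+authorizedNs := append([]string{privilegedNs}, desired.Spec.NetworkPolicy.AdditionalNamespaces...)
+if desired.Spec.Loki.Mode == flowslatest.LokiModeLokiStack && desired.Spec.Loki.LokiStack.Namespace != "" {
+authorizedNs = append(authorizedNs, desired.Spec.Loki.LokiStack.Namespace)
+}
+npName, desiredNp := buildNetworkPolicy(ns, desired, authorizedNs)
+if err := reconcilers.ReconcileNetworkPolicy(ctx, clh, npName, desiredNp); err != nil {
+return err
+}
+privilegedNpName, desiredPrivilegedNp := buildNetworkPolicy(privilegedNs, desired, append([]string{ns}, desired.Spec.NetworkPolicy.AdditionalNamespaces...))
+
+err := reconcilers.ReconcileNetworkPolicy(ctx, clh, privilegedNpName, desiredPrivilegedNp)
+
+return err
+}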
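Review bot: `reconcile` (L256-274) never reads `desired.Spec.NetworkPolicy.Deploy`, so the `deploy: false` opt-out the new API documents has no visible effect unless buildNetworkPolicy or reconcilers.ReconcileNetworkPolicy, neither of which is in this commit view, interprets it; if they do not, add a guard at the top of reconcile such as `if np := desired.Spec.NetworkPolicy; np.Deploy != nil && !*np.Deploy { return nil }`, bearing in mind that a bare return leaves any previously created policy in place. The commented-out logger on L257 and the `r.currentNamespace` assignment on L260, which nothing in this file reads, look like leftovers to remove or explain with a comment. The tail on L271-273 collapses to `return reconcilers.ReconcileNetworkPolicy(ctx, clh, privilegedNpName, desiredPrivilegedNp)`, and the L269 call rebuilds the namespace list of L261 with `ns` and `privilegedNs` swapped, which a small helper would make symmetrical and easier to keep in sync. A short doc comment on `Start` stating which objects it watches (the FlowCollector plus owned Namespaces and NetworkPolicies, per L217-220) would also help, since the controller name and the owned types are the only hints a reader gets.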

0 comments on commit 1ce7586
