Update NetworkPolicy code for v1 semantics #14498
Conversation
pkg/sdn/plugin/networkpolicy.go
Outdated
| @@ -206,14 +199,28 @@ func (np *networkPolicyPlugin) syncNamespace(npns *npNamespace) { | |||
| otx := np.node.oc.NewTransaction() | |||
| otx.DeleteFlows("table=80, reg1=%d", npns.vnid) | |||
| if inUse { | |||
| if npns.isolated { | |||
| defaultAllow := true | |||
There was a problem hiding this comment.
Can we get a comment on this block? Your commit message has great information about how this works, so just plop it in here too?
danwinship
force-pushed
the
networkpolicy-v1-semantics
branch
from
ebf3774 to
38bd1e6
Compare
|
pushed with comments |
pkg/sdn/plugin/networkpolicy.go
Outdated
| for _, ip := range npp.selectedIPs { | ||
| if !selectedIPs.Has(ip) { | ||
| selectedIPs.Insert(ip) | ||
| otx.AddFlow("table=80, priority=100, reg1=%d, ip, nw_dst=%s, actions=drop", ip) |
There was a problem hiding this comment.
The AddFlow()'s format string has one more format than the # of args given. Not sure what the intention here is, to keep the VNID or remove it.
There was a problem hiding this comment.
FWIW, this resulted in errors being logged while running the tests but didn't cause any of the tests to fail, which I guess means we need more test cases...
danwinship
force-pushed
the
networkpolicy-v1-semantics
branch
from
38bd1e6 to
9a7dbaa
Compare
danwinship
force-pushed
the
networkpolicy-v1-semantics
branch
from
9a7dbaa to
8be5204
Compare
|
pretty awesome that we've failed tests 6 times on a PR that doesn't modify any code that is exercised by any test... |
|
deleted all test comments. I had originally hoped we could get in a passing test run to pre-validate our eventual merge, but that's not going to happen... |
|
[merge] |
|
@danwinship Does this need a release note? |
|
Yes, we need a general NetworkPolicy stuff release note. It's on my todo list. |
|
Evaluated for origin merge up to 8be5204 |
|
[Test]ing while waiting on the merge queue |
|
Evaluated for origin test up to 8be5204 |
|
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/2158/) (Base Commit: 5f29c22) |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/977/) (Base Commit: c0c1b22) (Image: devenv-rhel7_6346) |
With NetworkPolicy v1, there is no longer a "DefaultDeny" annotation, and instead, pods are isolated if and only if there is a NetworkPolicy selecting them. This updates for that.
First, when parsing NetworkPolicies, we note which pod IPs they select. Then when updating OVS, we output the "accept" flows for all the policies at
priority=150, while also checking if any policy selects the entire Namespace. If there is not a policy that selects the entire Namespace, then that means there are potentially un-isolated pods that are default-accept rather than default-deny, so we also output apriority=100, actions=dropflow for each IP mentioned in any of the "accept" flows, and apriority=50flow accepting all other traffic in the namespace. (If there is a policy that selects the entire Namespace, then any traffic not accepted by any NetworkPolicy is denied, so we don't need any other rules because the basepriority=0, actions=droprule will do the right thing.)We may want to revisit this and optimize it further later. In particular, it's inefficient if you have a different NetworkPolicy for each pod in a Namespace (and no match-all policies, and no unmatched pods). We could fix that by having explicit "accept" rules for unmatched pods rather than explicit "deny" rules for matched pods. That would have required more rewriting though, and it only matters in the case where you don't have a "default deny" policy anyway.
(Note to self: needs release note)
@openshift/networking PTAL