

netpol: add allow acl rules for u2o logical gateway (#4420)
Signed-off-by: zhangzujian <[email protected]>
zhangzujian authored Aug 21, 2024
1 parent 226601a commit 46b8f56
Showing 6 changed files with 64 additions and 47 deletions.
72 changes: 36 additions & 36 deletions mocks/pkg/ovs/interface.go


5 changes: 2 additions & 3 deletions pkg/controller/network_policy.go
Expand Up @@ -8,6 +8,7 @@ import (
"strings"
"unicode"

"github.com/scylladb/go-set/strset"
corev1 "k8s.io/api/core/v1"
netv1 "k8s.io/api/networking/v1"
k8serrors "k8s.io/apimachinery/pkg/api/errors"
Expand All @@ -17,8 +18,6 @@ import (
"k8s.io/client-go/tools/cache"
"k8s.io/klog/v2"

"github.com/scylladb/go-set/strset"

kubeovnv1 "github.com/kubeovn/kube-ovn/pkg/apis/kubeovn/v1"
"github.com/kubeovn/kube-ovn/pkg/ovs"
"github.com/kubeovn/kube-ovn/pkg/ovsdb/ovnnb"
Expand Down Expand Up @@ -423,7 +422,7 @@ func (c *Controller) handleUpdateNp(key string) error {
}

for _, subnet := range subnets {
if err = c.OVNNbClient.CreateGatewayACL("", pgName, subnet.Spec.Gateway); err != nil {
if err = c.OVNNbClient.CreateGatewayACL("", pgName, subnet.Spec.Gateway, subnet.Status.U2OInterconnectionIP); err != nil {
klog.Errorf("create gateway acl: %v", err)
return err
}
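Review bot: The changed call now turns `subnet.Status.U2OInterconnectionIP` into an allow ACL, but nothing in this hunk removes a gateway ACL that was created for a previous interconnection address once that status field changes or is cleared; if handleUpdateNp does not delete the existing gateway ACLs for `pgName` before this loop (its body starts and ends outside the hunk, so I cannot tell), an allow rule for a stale address would persist on the port group. Worth confirming that the reconcile path rebuilds gateway ACLs from scratch, or stating it at the call site, e.g. `// gateway ACLs for pgName are recreated on every reconcile, so a changed U2O IP does not leave a stale allow rule`. The import regrouping in the first hunk is fine.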
12 changes: 12 additions & 0 deletions pkg/controller/subnet.go
Expand Up @@ -67,6 +67,18 @@ func (c *Controller) enqueueUpdateSubnet(oldObj, newObj interface{}) {
return
}

if newSubnet.Spec.Gateway != oldSubnet.Spec.Gateway ||
newSubnet.Status.U2OInterconnectionIP != oldSubnet.Status.U2OInterconnectionIP {
policies, err := c.npsLister.List(labels.Everything())
if err != nil {
klog.Errorf("failed to list network policies: %v", err)
} else {
for _, np := range policies {
c.enqueueAddNp(np)
}
}
}

if newSubnet.Spec.Protocol == kubeovnv1.ProtocolIPv6 {
usingIPs = newSubnet.Status.V6UsingIPs
} else {
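Review bot: When `c.npsLister.List` fails in the new block the error is only logged and the handler continues, so a gateway or U2O interconnection IP change is silently dropped and the gateway allow ACLs stay unrefreshed until some unrelated policy or subnet event. Since enqueueUpdateSubnet is an informer callback with no error return (its body starts and ends outside the hunk), at least make the log line identify the subnet, e.g. `klog.Errorf("failed to list network policies for subnet %s: %v", newSubnet.Name, err)`, and add a comment saying what is expected to retry this case, if anything does. Re-enqueuing every policy in the cluster on any gateway change is also coarse; a short comment on why this cannot be scoped to the policies whose namespaces use this subnet would help the next reader.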
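--- a/pkg/ovs/interface.go
+++ b/pkg/ovs/interface.go
@@ -142,7 +142,7 @@ type PortGroup interface {
 type ACL interface {
 UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol, aclName string, npp []netv1.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error)
 UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol, aclName string, npp []netv1.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error)
-CreateGatewayACL(lsName, pgName, gateway string) error
+CreateGatewayACL(lsName, pgName, gateway, u2oInterconnectionIP string) error
 CreateNodeACL(pgName, nodeIPStr, joinIPStr string) error
 CreateSgDenyAllACL(sgName string) error
 CreateSgBaseACL(sgName, direction string) error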
10 changes: 8 additions & 2 deletions pkg/ovs/ovn-nb-acl.go
Expand Up @@ -13,6 +13,7 @@ import (
netv1 "k8s.io/api/networking/v1"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/klog/v2"
"k8s.io/utils/set"

v1alpha1 "sigs.k8s.io/network-policy-api/apis/v1alpha1"

Expand Down Expand Up @@ -138,7 +139,7 @@ func (c *OVNNbClient) UpdateEgressACLOps(pgName, asEgressName, asExceptName, pro
}

// CreateGatewayACL create allow acl for subnet gateway
func (c *OVNNbClient) CreateGatewayACL(lsName, pgName, gateway string) error {
func (c *OVNNbClient) CreateGatewayACL(lsName, pgName, gateway, u2oInterconnectionIP string) error {
acls := make([]*ovnnb.ACL, 0)

var parentName, parentType string
Expand All @@ -151,7 +152,12 @@ func (c *OVNNbClient) CreateGatewayACL(lsName, pgName, gateway string) error {
return errors.New("one of port group name and logical switch name must be specified")
}

for _, gw := range strings.Split(gateway, ",") {
gateways := set.New(strings.Split(gateway, ",")...)
if u2oInterconnectionIP != "" {
gateways = gateways.Insert(strings.Split(u2oInterconnectionIP, ",")...)
}

for gw := range gateways {
protocol := util.CheckProtocol(gw)
ipSuffix := "ip4"
if protocol == kubeovnv1.ProtocolIPv6 {
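Review bot: The doc comment above the changed signature still reads `// CreateGatewayACL create allow acl for subnet gateway` and does not mention the new u2oInterconnectionIP parameter or that both arguments are comma-separated lists; suggest `// CreateGatewayACL creates allow ACLs for the subnet gateway address(es) and, when non-empty, the U2O interconnection IP(s); both arguments may be comma-separated and duplicates are collapsed.` Ranging over the set in `for gw := range gateways` makes the order of the generated ACLs non-deterministic, which is harmless for OVN if every ACL gets the same priority but can make the resulting operation list differ between runs; if a stable order matters anywhere (logs, tests comparing ops), sort the set's elements into a slice before the loop. `gateways = gateways.Insert(...)` can be just `gateways.Insert(...)`, since Insert mutates the set in place. Note also that an empty element (a trailing comma in either argument) still reaches `util.CheckProtocol` as before. The loop body continues outside the hunk.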
10 changes: 5 additions & 5 deletions pkg/ovs/ovn-nb-acl_test.go
Expand Up @@ -275,7 +275,7 @@ func (suite *OvnClientTestSuite) testCreateGatewayACL() {
err := ovnClient.CreatePortGroup(pgName, nil)
require.NoError(t, err)

err = ovnClient.CreateGatewayACL("", pgName, gateway)
err = ovnClient.CreateGatewayACL("", pgName, gateway, "")
require.NoError(t, err)

pg, err := ovnClient.GetPortGroup(pgName, false)
Expand All @@ -294,7 +294,7 @@ func (suite *OvnClientTestSuite) testCreateGatewayACL() {
err := ovnClient.CreatePortGroup(pgName, nil)
require.NoError(t, err)

err = ovnClient.CreateGatewayACL("", pgName, gateway)
err = ovnClient.CreateGatewayACL("", pgName, gateway, "")
require.NoError(t, err)

pg, err := ovnClient.GetPortGroup(pgName, false)
Expand All @@ -313,7 +313,7 @@ func (suite *OvnClientTestSuite) testCreateGatewayACL() {
err := ovnClient.CreatePortGroup(pgName, nil)
require.NoError(t, err)

err = ovnClient.CreateGatewayACL("", pgName, gateway)
err = ovnClient.CreateGatewayACL("", pgName, gateway, "")
require.NoError(t, err)

pg, err := ovnClient.GetPortGroup(pgName, false)
Expand All @@ -336,7 +336,7 @@ func (suite *OvnClientTestSuite) testCreateGatewayACL() {
err := ovnClient.CreateBareLogicalSwitch(lsName)
require.NoError(t, err)

err = ovnClient.CreateGatewayACL(lsName, "", gateway)
err = ovnClient.CreateGatewayACL(lsName, "", gateway, "")
require.NoError(t, err)

ls, err := ovnClient.GetLogicalSwitch(lsName, false)
Expand All @@ -349,7 +349,7 @@ func (suite *OvnClientTestSuite) testCreateGatewayACL() {

t.Run("has no pg name and ls name", func(t *testing.T) {
t.Parallel()
err := ovnClient.CreateGatewayACL("", "", "")
err := ovnClient.CreateGatewayACL("", "", "", "")
require.EqualError(t, err, "one of port group name and logical switch name must be specified")
})
}
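Review bot: Every updated call here passes `""` for the new u2oInterconnectionIP argument, so the behaviour the commit adds — an allow ACL for the U2O interconnection address, and de-duplication when it repeats the gateway — has no coverage in testCreateGatewayACL. Suggest a sub-test alongside the existing ones that calls `CreateGatewayACL("", pgName, gateway, u2oIP)` (u2oIP being a constructed address distinct from gateway) and asserts the port group carries ACLs for both addresses, plus one passing the gateway itself as the U2O IP and asserting only one ACL per address and direction is created. testCreateGatewayACL starts outside the hunk.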
