netpol: add allow acl rules for u2o logical gateway (#4420)

Signed-off-by: zhangzujian <[email protected]>
kubeovn · Aug 21, 2024 · 8ae11f5 · 8ae11f5
1 parent 27d4fc3
commit 8ae11f5
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 3 deletions.
diff --git a/pkg/controller/network_policy.go b/pkg/controller/network_policy.go
@@ -496,7 +496,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 	}
 
 	for _, subnet := range subnets {
-		if err = c.ovnLegacyClient.CreateGatewayACL("", pgName, subnet.Spec.Gateway, subnet.Spec.CIDRBlock); err != nil {
+		if err = c.ovnLegacyClient.CreateGatewayACL("", pgName, subnet.Spec.Gateway, subnet.Status.U2OInterconnectionIP, subnet.Spec.CIDRBlock); err != nil {
 			klog.Errorf("failed to create gateway acl, %v", err)
 			return err
 		}

diff --git a/pkg/controller/subnet.go b/pkg/controller/subnet.go
@@ -64,6 +64,18 @@ func (c *Controller) enqueueUpdateSubnet(old, new interface{}) {
 		return
 	}
 
+	if newSubnet.Spec.Gateway != oldSubnet.Spec.Gateway ||
+		newSubnet.Status.U2OInterconnectionIP != oldSubnet.Status.U2OInterconnectionIP {
+		policies, err := c.npsLister.List(labels.Everything())
+		if err != nil {
+			klog.Errorf("failed to list network policies: %v", err)
+		} else {
+			for _, np := range policies {
+				c.enqueueAddNp(np)
+			}
+		}
+	}
+
 	var usingIPs float64
 	if newSubnet.Spec.Protocol == kubeovnv1.ProtocolIPv6 {
 		usingIPs = newSubnet.Status.V6UsingIPs

diff --git a/pkg/ovs/ovn-nbctl-legacy.go b/pkg/ovs/ovn-nbctl-legacy.go
@@ -17,6 +17,7 @@ import (
 	"golang.org/x/exp/slices"
 	netv1 "k8s.io/api/networking/v1"
 	"k8s.io/klog/v2"
+	"k8s.io/utils/set"
 
 	kubeovnv1 "github.com/kubeovn/kube-ovn/pkg/apis/kubeovn/v1"
 	"github.com/kubeovn/kube-ovn/pkg/util"
@@ -1972,9 +1973,14 @@ func (c LegacyClient) DeleteACL(pgName, direction string) (err error) {
 	return
 }
 
-func (c LegacyClient) CreateGatewayACL(ls, pgName, gateway, cidr string) error {
+func (c LegacyClient) CreateGatewayACL(ls, pgName, gateway, u2oInterconnectionIP, cidr string) error {
 	for _, cidrBlock := range strings.Split(cidr, ",") {
-		for _, gw := range strings.Split(gateway, ",") {
+		gateways := set.New(strings.Split(gateway, ",")...)
+		if u2oInterconnectionIP != "" {
+			gateways.Insert(strings.Split(u2oInterconnectionIP, ",")...)
+		}
+
+		for gw := range gateways {
 			if util.CheckProtocol(cidrBlock) != util.CheckProtocol(gw) {
 				continue
 			}