diff --git a/mocks/pkg/ovs/interface.go b/mocks/pkg/ovs/interface.go index 03a4d73c9e88..fc82a9e12bc6 100644 --- a/mocks/pkg/ovs/interface.go +++ b/mocks/pkg/ovs/interface.go 
@@ -1771,48 +1771,48 @@ func (mr *MockACLMockRecorder) SetLogicalSwitchPrivate(lsName, cidrBlock, nodeSw } // UpdateAnpRuleACLOps mocks base method. -func (m *MockACL) UpdateAnpRuleACLOps(pgName, asName, protocol string, priority int, aclAction ovnnb.ACLAction, rulePorts []v1alpha1.AdminNetworkPolicyPort, isIngress, isBanp bool) ([]ovsdb.Operation, error) { +func (m *MockACL) UpdateAnpRuleACLOps(pgName, asName, protocol, aclName string, priority int, aclAction ovnnb.ACLAction, logACLActions []ovnnb.ACLAction, rulePorts []v1alpha1.AdminNetworkPolicyPort, isIngress, isBanp bool) ([]ovsdb.Operation, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "UpdateAnpRuleACLOps", pgName, asName, protocol, priority, aclAction, rulePorts, isIngress, isBanp) + ret := m.ctrl.Call(m, "UpdateAnpRuleACLOps", pgName, asName, protocol, aclName, priority, aclAction, logACLActions, rulePorts, isIngress, isBanp) ret0, _ := ret[0].([]ovsdb.Operation) ret1, _ := ret[1].(error) return ret0, ret1 } // UpdateAnpRuleACLOps indicates an expected call of UpdateAnpRuleACLOps. -func (mr *MockACLMockRecorder) UpdateAnpRuleACLOps(pgName, asName, protocol, priority, aclAction, rulePorts, isIngress, isBanp any) *gomock.Call { +func (mr *MockACLMockRecorder) UpdateAnpRuleACLOps(pgName, asName, protocol, aclName, priority, aclAction, logACLActions, rulePorts, isIngress, isBanp any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAnpRuleACLOps", reflect.TypeOf((*MockACL)(nil).UpdateAnpRuleACLOps), pgName, asName, protocol, priority, aclAction, rulePorts, isIngress, isBanp) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAnpRuleACLOps", reflect.TypeOf((*MockACL)(nil).UpdateAnpRuleACLOps), pgName, asName, protocol, aclName, priority, aclAction, logACLActions, rulePorts, isIngress, isBanp) } // UpdateEgressACLOps mocks base method. 
-func (m *MockACL) UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol string, npp []v10.NetworkPolicyPort, logEnable bool, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error) { +func (m *MockACL) UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol, aclName string, npp []v10.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "UpdateEgressACLOps", pgName, asEgressName, asExceptName, protocol, npp, logEnable, namedPortMap) + ret := m.ctrl.Call(m, "UpdateEgressACLOps", pgName, asEgressName, asExceptName, protocol, aclName, npp, logEnable, logACLActions, namedPortMap) ret0, _ := ret[0].([]ovsdb.Operation) ret1, _ := ret[1].(error) return ret0, ret1 } // UpdateEgressACLOps indicates an expected call of UpdateEgressACLOps. -func (mr *MockACLMockRecorder) UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol, npp, logEnable, namedPortMap any) *gomock.Call { +func (mr *MockACLMockRecorder) UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol, aclName, npp, logEnable, logACLActions, namedPortMap any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateEgressACLOps", reflect.TypeOf((*MockACL)(nil).UpdateEgressACLOps), pgName, asEgressName, asExceptName, protocol, npp, logEnable, namedPortMap) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateEgressACLOps", reflect.TypeOf((*MockACL)(nil).UpdateEgressACLOps), pgName, asEgressName, asExceptName, protocol, aclName, npp, logEnable, logACLActions, namedPortMap) } // UpdateIngressACLOps mocks base method. 
-func (m *MockACL) UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol string, npp []v10.NetworkPolicyPort, logEnable bool, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error) { +func (m *MockACL) UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol, aclName string, npp []v10.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "UpdateIngressACLOps", pgName, asIngressName, asExceptName, protocol, npp, logEnable, namedPortMap) + ret := m.ctrl.Call(m, "UpdateIngressACLOps", pgName, asIngressName, asExceptName, protocol, aclName, npp, logEnable, logACLActions, namedPortMap) ret0, _ := ret[0].([]ovsdb.Operation) ret1, _ := ret[1].(error) return ret0, ret1 } // UpdateIngressACLOps indicates an expected call of UpdateIngressACLOps. -func (mr *MockACLMockRecorder) UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol, npp, logEnable, namedPortMap any) *gomock.Call { +func (mr *MockACLMockRecorder) UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol, aclName, npp, logEnable, logACLActions, namedPortMap any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateIngressACLOps", reflect.TypeOf((*MockACL)(nil).UpdateIngressACLOps), pgName, asIngressName, asExceptName, protocol, npp, logEnable, namedPortMap) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateIngressACLOps", reflect.TypeOf((*MockACL)(nil).UpdateIngressACLOps), pgName, asIngressName, asExceptName, protocol, aclName, npp, logEnable, logACLActions, namedPortMap) } // UpdateLogicalSwitchACL mocks base method. 
@@ -4404,18 +4404,18 @@ func (mr *MockNbClientMockRecorder) Transact(method, operations any) *gomock.Cal } // UpdateAnpRuleACLOps mocks base method. -func (m *MockNbClient) UpdateAnpRuleACLOps(pgName, asName, protocol string, priority int, aclAction ovnnb.ACLAction, rulePorts []v1alpha1.AdminNetworkPolicyPort, isIngress, isBanp bool) ([]ovsdb.Operation, error) { +func (m *MockNbClient) UpdateAnpRuleACLOps(pgName, asName, protocol, aclName string, priority int, aclAction ovnnb.ACLAction, logACLActions []ovnnb.ACLAction, rulePorts []v1alpha1.AdminNetworkPolicyPort, isIngress, isBanp bool) ([]ovsdb.Operation, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "UpdateAnpRuleACLOps", pgName, asName, protocol, priority, aclAction, rulePorts, isIngress, isBanp) + ret := m.ctrl.Call(m, "UpdateAnpRuleACLOps", pgName, asName, protocol, aclName, priority, aclAction, logACLActions, rulePorts, isIngress, isBanp) ret0, _ := ret[0].([]ovsdb.Operation) ret1, _ := ret[1].(error) return ret0, ret1 } // UpdateAnpRuleACLOps indicates an expected call of UpdateAnpRuleACLOps. -func (mr *MockNbClientMockRecorder) UpdateAnpRuleACLOps(pgName, asName, protocol, priority, aclAction, rulePorts, isIngress, isBanp any) *gomock.Call { +func (mr *MockNbClientMockRecorder) UpdateAnpRuleACLOps(pgName, asName, protocol, aclName, priority, aclAction, logACLActions, rulePorts, isIngress, isBanp any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAnpRuleACLOps", reflect.TypeOf((*MockNbClient)(nil).UpdateAnpRuleACLOps), pgName, asName, protocol, priority, aclAction, rulePorts, isIngress, isBanp) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAnpRuleACLOps", reflect.TypeOf((*MockNbClient)(nil).UpdateAnpRuleACLOps), pgName, asName, protocol, aclName, priority, aclAction, logACLActions, rulePorts, isIngress, isBanp) } // UpdateBFD mocks base method. 
@@ -4467,18 +4467,18 @@ func (mr *MockNbClientMockRecorder) UpdateDnatAndSnat(lrName, externalIP, logica } // UpdateEgressACLOps mocks base method. -func (m *MockNbClient) UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol string, npp []v10.NetworkPolicyPort, logEnable bool, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error) { +func (m *MockNbClient) UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol, aclName string, npp []v10.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "UpdateEgressACLOps", pgName, asEgressName, asExceptName, protocol, npp, logEnable, namedPortMap) + ret := m.ctrl.Call(m, "UpdateEgressACLOps", pgName, asEgressName, asExceptName, protocol, aclName, npp, logEnable, logACLActions, namedPortMap) ret0, _ := ret[0].([]ovsdb.Operation) ret1, _ := ret[1].(error) return ret0, ret1 } // UpdateEgressACLOps indicates an expected call of UpdateEgressACLOps. -func (mr *MockNbClientMockRecorder) UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol, npp, logEnable, namedPortMap any) *gomock.Call { +func (mr *MockNbClientMockRecorder) UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol, aclName, npp, logEnable, logACLActions, namedPortMap any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateEgressACLOps", reflect.TypeOf((*MockNbClient)(nil).UpdateEgressACLOps), pgName, asEgressName, asExceptName, protocol, npp, logEnable, namedPortMap) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateEgressACLOps", reflect.TypeOf((*MockNbClient)(nil).UpdateEgressACLOps), pgName, asEgressName, asExceptName, protocol, aclName, npp, logEnable, logACLActions, namedPortMap) } // UpdateGatewayChassis mocks base method. 
@@ -4501,18 +4501,18 @@ func (mr *MockNbClientMockRecorder) UpdateGatewayChassis(gwChassis any, fields . } // UpdateIngressACLOps mocks base method. -func (m *MockNbClient) UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol string, npp []v10.NetworkPolicyPort, logEnable bool, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error) { +func (m *MockNbClient) UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol, aclName string, npp []v10.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "UpdateIngressACLOps", pgName, asIngressName, asExceptName, protocol, npp, logEnable, namedPortMap) + ret := m.ctrl.Call(m, "UpdateIngressACLOps", pgName, asIngressName, asExceptName, protocol, aclName, npp, logEnable, logACLActions, namedPortMap) ret0, _ := ret[0].([]ovsdb.Operation) ret1, _ := ret[1].(error) return ret0, ret1 } // UpdateIngressACLOps indicates an expected call of UpdateIngressACLOps. -func (mr *MockNbClientMockRecorder) UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol, npp, logEnable, namedPortMap any) *gomock.Call { +func (mr *MockNbClientMockRecorder) UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol, aclName, npp, logEnable, logACLActions, namedPortMap any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateIngressACLOps", reflect.TypeOf((*MockNbClient)(nil).UpdateIngressACLOps), pgName, asIngressName, asExceptName, protocol, npp, logEnable, namedPortMap) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateIngressACLOps", reflect.TypeOf((*MockNbClient)(nil).UpdateIngressACLOps), pgName, asIngressName, asExceptName, protocol, aclName, npp, logEnable, logACLActions, namedPortMap) } // UpdateLogicalRouterPortOptions mocks base method. 
diff --git a/pkg/controller/admin_network_policy.go b/pkg/controller/admin_network_policy.go
index f8feb9682afa..77f9821c6809 100644
--- a/pkg/controller/admin_network_policy.go
+++ b/pkg/controller/admin_network_policy.go
@@ -94,6 +94,11 @@ func (c *Controller) enqueueUpdateAnp(oldObj, newObj interface{}) {
 return
 }
 }
+
+ if oldAnpObj.Annotations[util.ACLActionsLogAnnotation] != newAnpObj.Annotations[util.ACLActionsLogAnnotation] {
+ c.addAnpQueue.Add(newAnpObj.Name)
+ return
+ }
 klog.V(3).Infof("enqueue update anp %s", newAnpObj.Name)
 // The remaining changes do not affect the acls. The port-group or address-set should be updated.
@@ -270,6 +275,10 @@ func (c *Controller) handleAddAnp(key string) (err error) {
 c.anpNamePrioMap[anp.Name] = anp.Spec.Priority
 anpName := getAnpName(anp.Name)
+ var logActions []string
+ if anp.Annotations[util.ACLActionsLogAnnotation] != "" {
+ logActions = strings.Split(anp.Annotations[util.ACLActionsLogAnnotation], ",")
+ }
 // ovn portGroup/addressSet doesn't support name with '-', so we replace '-' by '.'.
 // This may cause conflict if two anp with name test-anp and test.anp, maybe hash is a better solution, but we do not want to lost the readability now.
@@ -340,7 +349,8 @@ func (c *Controller) handleAddAnp(key string) (err error) {
 }
 if len(v4Addrs) != 0 {
- ops, err := c.OVNNbClient.UpdateAnpRuleACLOps(pgName, ingressAsV4Name, kubeovnv1.ProtocolIPv4, aclPriority, aclAction, rulePorts, true, false)
+ aclName := fmt.Sprintf("anp/%s/ingress/%s/%d", anpName, kubeovnv1.ProtocolIPv4, index)
+ ops, err := c.OVNNbClient.UpdateAnpRuleACLOps(pgName, ingressAsV4Name, kubeovnv1.ProtocolIPv4, aclName, aclPriority, aclAction, logActions, rulePorts, true, false)
 if err != nil {
 klog.Errorf("failed to add v4 ingress acls for anp %s: %v", key, err)
 return err
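Review bot: In the `@@ -270` hunk the annotation value goes from `strings.Split(..., ",")` straight into the ACL builder with no trimming or validation, so a value such as `allow, drop` produces `" drop"`, which the `slices.Contains` checks in ovn-nb-acl.go never match and logging is silently not enabled; handleAddBanp and handleUpdateNp repeat the same parsing. A small helper that trims entries, skips empties and warns on anything that is not an ovnnb action constant would make a typo visible, and it removes the `[]string` vs `[]ovnnb.ACLAction` mismatch at the call sites, which only compiles because ACLAction appears to be a type alias. The sketch below assumes ovnnb is already imported in the controller package where `aclAction` is built. handleAddAnp starts and ends outside these hunks.
```go
// parseLogACLActions reads the comma-separated ACLActionsLogAnnotation value and
// returns the ACL actions whose ACLs should be logged; blank entries are skipped
// and unknown ones are reported so a typo does not silently disable logging.
func parseLogACLActions(annotations map[string]string) []ovnnb.ACLAction {
	var actions []ovnnb.ACLAction
	for _, a := range strings.Split(annotations[util.ACLActionsLogAnnotation], ",") {
		switch a = strings.TrimSpace(a); a {
		case ovnnb.ACLActionAllow, ovnnb.ACLActionDrop, ovnnb.ACLActionPass:
			actions = append(actions, a)
		case "":
		default:
			klog.Warningf("ignoring unknown acl action %q in annotation %s", a, util.ACLActionsLogAnnotation)
		}
	}
	return actions
}
// … unchanged: handleAddAnp then calls logActions := parseLogACLActions(anp.Annotations) …
```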
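Review bot: In the `@@ -340` hunk `aclName` is built from the policy name with no length bound, and if I have the northbound schema right the ACL `name` column is capped at 63 characters; ANP/BANP names are DNS subdomains of up to 253 characters and the NetworkPolicy variant also embeds the namespace, so a long-named policy makes the whole transaction fail instead of merely losing its log name. Bound it before use, for example `aclName := truncateACLName(fmt.Sprintf("anp/%s/ingress/%s/%d", anpName, kubeovnv1.ProtocolIPv4, index))` where the helper keeps a fixed prefix plus a short hash of the full string so log lines stay attributable, and add a test with a 100-character policy name. The same construction appears in the three anp hunks that follow, in handleAddBanp and in handleUpdateNp.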
@@ -349,7 +359,8 @@ func (c *Controller) handleAddAnp(key string) (err error) {
 }
 if len(v6Addrs) != 0 {
- ops, err := c.OVNNbClient.UpdateAnpRuleACLOps(pgName, ingressAsV6Name, kubeovnv1.ProtocolIPv6, aclPriority, aclAction, rulePorts, true, false)
+ aclName := fmt.Sprintf("anp/%s/ingress/%s/%d", anpName, kubeovnv1.ProtocolIPv6, index)
+ ops, err := c.OVNNbClient.UpdateAnpRuleACLOps(pgName, ingressAsV6Name, kubeovnv1.ProtocolIPv6, aclName, aclPriority, aclAction, logActions, rulePorts, true, false)
 if err != nil {
 klog.Errorf("failed to add v6 ingress acls for anp %s: %v", key, err)
 return err
@@ -405,7 +416,8 @@ func (c *Controller) handleAddAnp(key string) (err error) {
 }
 if len(v4Addrs) != 0 {
- ops, err := c.OVNNbClient.UpdateAnpRuleACLOps(pgName, egressAsV4Name, kubeovnv1.ProtocolIPv4, aclPriority, aclAction, rulePorts, false, false)
+ aclName := fmt.Sprintf("anp/%s/egress/%s/%d", anpName, kubeovnv1.ProtocolIPv4, index)
+ ops, err := c.OVNNbClient.UpdateAnpRuleACLOps(pgName, egressAsV4Name, kubeovnv1.ProtocolIPv4, aclName, aclPriority, aclAction, logActions, rulePorts, false, false)
 if err != nil {
 klog.Errorf("failed to add v4 egress acls for anp %s: %v", key, err)
 return err
@@ -414,7 +426,8 @@ func (c *Controller) handleAddAnp(key string) (err error) {
 }
 if len(v6Addrs) != 0 {
- ops, err := c.OVNNbClient.UpdateAnpRuleACLOps(pgName, egressAsV6Name, kubeovnv1.ProtocolIPv6, aclPriority, aclAction, rulePorts, false, false)
+ aclName := fmt.Sprintf("anp/%s/egress/%s/%d", anpName, kubeovnv1.ProtocolIPv6, index)
+ ops, err := c.OVNNbClient.UpdateAnpRuleACLOps(pgName, egressAsV6Name, kubeovnv1.ProtocolIPv6, aclName, aclPriority, aclAction, logActions, rulePorts, false, false)
 if err != nil {
 klog.Errorf("failed to add v6 egress acls for anp %s: %v", key, err)
 return err
diff --git a/pkg/controller/baseline_admin_network_policy.go b/pkg/controller/baseline_admin_network_policy.go
index 6dc630bac68c..5953133dfc31 100644
--- a/pkg/controller/baseline_admin_network_policy.go
+++ b/pkg/controller/baseline_admin_network_policy.go
@@ -65,6 +65,11 @@ func (c *Controller) enqueueUpdateBanp(oldObj, newObj interface{}) {
 return
 }
 }
+
+ if oldBanp.Annotations[util.ACLActionsLogAnnotation] != newBanp.Annotations[util.ACLActionsLogAnnotation] {
+ c.addBanpQueue.Add(newBanp.Name)
+ return
+ }
 klog.V(3).Infof("enqueue update banp %s", newBanp.Name)
 // The remaining changes do not affect the acls. The port-group or address-set should be updated.
@@ -231,6 +236,10 @@ func (c *Controller) handleAddBanp(key string) (err error) {
 banp := cachedBanp.DeepCopy()
 banpName := getAnpName(banp.Name)
+ var logActions []string
+ if banp.Annotations[util.ACLActionsLogAnnotation] != "" {
+ logActions = strings.Split(banp.Annotations[util.ACLActionsLogAnnotation], ",")
+ }
 // ovn portGroup/addressSet doesn't support name with '-', so we replace '-' by '.'.
 pgName := strings.ReplaceAll(banpName, "-", ".")
@@ -300,7 +309,8 @@ func (c *Controller) handleAddBanp(key string) (err error) {
 }
 if len(v4Addrs) != 0 {
- ops, err := c.OVNNbClient.UpdateAnpRuleACLOps(pgName, ingressAsV4Name, kubeovnv1.ProtocolIPv4, aclPriority, aclAction, rulePorts, true, true)
+ aclName := fmt.Sprintf("banp/%s/ingress/%s/%d", banpName, kubeovnv1.ProtocolIPv4, index)
+ ops, err := c.OVNNbClient.UpdateAnpRuleACLOps(pgName, ingressAsV4Name, kubeovnv1.ProtocolIPv4, aclName, aclPriority, aclAction, logActions, rulePorts, true, true)
 if err != nil {
 klog.Errorf("failed to add v4 ingress acls for banp %s: %v", key, err)
 return err
@@ -309,7 +319,8 @@ func (c *Controller) handleAddBanp(key string) (err error) {
 }
 if len(v6Addrs) != 0 {
- ops, err := c.OVNNbClient.UpdateAnpRuleACLOps(pgName, ingressAsV6Name, kubeovnv1.ProtocolIPv6, aclPriority, aclAction, rulePorts, true, true)
+ aclName := fmt.Sprintf("banp/%s/ingress/%s/%d", banpName, kubeovnv1.ProtocolIPv6, index)
+ ops, err := c.OVNNbClient.UpdateAnpRuleACLOps(pgName, ingressAsV6Name, kubeovnv1.ProtocolIPv6, aclName, aclPriority, aclAction, logActions, rulePorts, true, true)
 if err != nil {
 klog.Errorf("failed to add v6 ingress acls for banp %s: %v", key, err)
 return err
@@ -365,7 +376,8 @@ func (c *Controller) handleAddBanp(key string) (err error) {
 }
 if len(v4Addrs) != 0 {
- ops, err := c.OVNNbClient.UpdateAnpRuleACLOps(pgName, egressAsV4Name, kubeovnv1.ProtocolIPv4, aclPriority, aclAction, rulePorts, false, true)
+ aclName := fmt.Sprintf("banp/%s/egress/%s/%d", banpName, kubeovnv1.ProtocolIPv4, index)
+ ops, err := c.OVNNbClient.UpdateAnpRuleACLOps(pgName, egressAsV4Name, kubeovnv1.ProtocolIPv4, aclName, aclPriority, aclAction, logActions, rulePorts, false, true)
 if err != nil {
 klog.Errorf("failed to add v4 egress acls for banp %s: %v", key, err)
 return err
@@ -374,7 +386,8 @@ func (c *Controller) handleAddBanp(key string) (err error) {
 }
 if len(v6Addrs) != 0 {
- ops, err := c.OVNNbClient.UpdateAnpRuleACLOps(pgName, egressAsV6Name, kubeovnv1.ProtocolIPv6, aclPriority, aclAction, rulePorts, false, true)
+ aclName := fmt.Sprintf("banp/%s/egress/%s/%d", banpName, kubeovnv1.ProtocolIPv6, index)
+ ops, err := c.OVNNbClient.UpdateAnpRuleACLOps(pgName, egressAsV6Name, kubeovnv1.ProtocolIPv6, aclName, aclPriority, aclAction, logActions, rulePorts, false, true)
 if err != nil {
 klog.Errorf("failed to add v6 egress acls for banp %s: %v", key, err)
 return err
diff --git a/pkg/controller/network_policy.go b/pkg/controller/network_policy.go
index b1e6628e6229..d958424b35d1 100644
--- a/pkg/controller/network_policy.go
+++ b/pkg/controller/network_policy.go
@@ -19,6 +19,7 @@ import (
 kubeovnv1 "github.com/kubeovn/kube-ovn/pkg/apis/kubeovn/v1"
 "github.com/kubeovn/kube-ovn/pkg/ovs"
+ "github.com/kubeovn/kube-ovn/pkg/ovsdb/ovnnb"
 "github.com/kubeovn/kube-ovn/pkg/util"
 )
@@ -176,6 +177,12 @@ func (c *Controller) handleUpdateNp(key string) error {
 if np.Annotations[util.NetworkPolicyLogAnnotation] == "true" {
 logEnable = true
 }
+ var logActions []string
+ if np.Annotations[util.ACLActionsLogAnnotation] != "" {
+ logActions = strings.Split(np.Annotations[util.ACLActionsLogAnnotation], ",")
+ } else {
+ logActions = []string{ovnnb.ACLActionDrop}
+ }
 npName := np.Name
 nameArray := []rune(np.Name)
@@ -234,6 +241,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 // A single address set must contain addresses of the same type and the name must be unique within table, so IPv4 and IPv6 address set should be different
 ingressAllowAsName := fmt.Sprintf("%s.%s.%d", ingressAllowAsNamePrefix, protocol, idx)
 ingressExceptAsName := fmt.Sprintf("%s.%s.%d", ingressExceptAsNamePrefix, protocol, idx)
+ aclName := fmt.Sprintf("np/%s.%s/ingress/%s/%d", npName, np.Namespace, protocol, idx)
 var allows, excepts []string
 if len(npr.From) == 0 {
@@ -269,7 +277,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 npp = npr.Ports
 }
- ops, err := c.OVNNbClient.UpdateIngressACLOps(pgName, ingressAllowAsName, ingressExceptAsName, protocol, npp, logEnable, namedPortMap)
+ ops, err := c.OVNNbClient.UpdateIngressACLOps(pgName, ingressAllowAsName, ingressExceptAsName, protocol, aclName, npp, logEnable, logActions, namedPortMap)
 if err != nil {
 klog.Errorf("generate operations that add ingress acls to np %s: %v", key, err)
 return err
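Review bot: In the `@@ -176` hunk the default `logActions = []string{ovnnb.ACLActionDrop}` has no effect that this diff shows: UpdateIngressACLOps and UpdateEgressACLOps only test the list for `ovnnb.ACLActionAllow`, and no drop ACL on the NetworkPolicy path reads it, so the else branch states an intent the code does not implement unless the default-deny ACL consults it somewhere outside the diff. Either remove the branch or put a comment on it naming the ACL that is meant to honour the default, and say in the same place that for NetworkPolicy an `allow` entry is additionally gated by the existing `ovn.kubernetes.io/enable_log` annotation whereas ANP/BANP are not — that asymmetry is easy to miss from the call sites. The `[]string` declaration relies on `ovnnb.ACLAction` being an alias of string; declaring it `var logActions []ovnnb.ACLAction` would make the dependency explicit now that the package is imported here. handleUpdateNp starts and ends outside these hunks.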
@@ -280,6 +288,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 if len(np.Spec.Ingress) == 0 {
 ingressAllowAsName := fmt.Sprintf("%s.%s.all", ingressAllowAsNamePrefix, protocol)
 ingressExceptAsName := fmt.Sprintf("%s.%s.all", ingressExceptAsNamePrefix, protocol)
+ aclName := fmt.Sprintf("np/%s.%s/ingress/%s/all", npName, np.Namespace, protocol)
 if err = c.createAsForNetpol(np.Namespace, npName, "ingress", ingressAllowAsName, nil); err != nil {
 klog.Error(err)
@@ -290,7 +299,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 return err
 }
- ops, err := c.OVNNbClient.UpdateIngressACLOps(pgName, ingressAllowAsName, ingressExceptAsName, protocol, nil, logEnable, namedPortMap)
+ ops, err := c.OVNNbClient.UpdateIngressACLOps(pgName, ingressAllowAsName, ingressExceptAsName, protocol, aclName, nil, logEnable, logActions, namedPortMap)
 if err != nil {
 klog.Errorf("generate operations that add ingress acls to np %s: %v", key, err)
 return err
@@ -364,6 +373,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 // A single address set must contain addresses of the same type and the name must be unique within table, so IPv4 and IPv6 address set should be different
 egressAllowAsName := fmt.Sprintf("%s.%s.%d", egressAllowAsNamePrefix, protocol, idx)
 egressExceptAsName := fmt.Sprintf("%s.%s.%d", egressExceptAsNamePrefix, protocol, idx)
+ aclName := fmt.Sprintf("np/%s.%s/egress/%s/%d", npName, np.Namespace, protocol, idx)
 var allows, excepts []string
 if len(npr.To) == 0 {
@@ -395,7 +405,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 }
 if len(allows) != 0 || len(excepts) != 0 {
- ops, err := c.OVNNbClient.UpdateEgressACLOps(pgName, egressAllowAsName, egressExceptAsName, protocol, npr.Ports, logEnable, namedPortMap)
+ ops, err := c.OVNNbClient.UpdateEgressACLOps(pgName, egressAllowAsName, egressExceptAsName, protocol, aclName, npr.Ports, logEnable, logActions, namedPortMap)
 if err != nil {
 klog.Errorf("generate operations that add egress acls to np %s: %v", key, err)
 return err
@@ -407,6 +417,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 if len(np.Spec.Egress) == 0 {
 egressAllowAsName := fmt.Sprintf("%s.%s.all", egressAllowAsNamePrefix, protocol)
 egressExceptAsName := fmt.Sprintf("%s.%s.all", egressExceptAsNamePrefix, protocol)
+ aclName := fmt.Sprintf("np/%s.%s/egress/%s/all", npName, np.Namespace, protocol)
 if err = c.createAsForNetpol(np.Namespace, npName, "egress", egressAllowAsName, nil); err != nil {
 klog.Error(err)
@@ -417,7 +428,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 return err
 }
- ops, err := c.OVNNbClient.UpdateEgressACLOps(pgName, egressAllowAsName, egressExceptAsName, protocol, nil, logEnable, namedPortMap)
+ ops, err := c.OVNNbClient.UpdateEgressACLOps(pgName, egressAllowAsName, egressExceptAsName, protocol, aclName, nil, logEnable, logActions, namedPortMap)
 if err != nil {
 klog.Errorf("generate operations that add egress acls to np %s: %v", key, err)
 return err
diff --git a/pkg/ovs/interface.go b/pkg/ovs/interface.go
index 801fdb373516..05c06e91ae86 100644
--- a/pkg/ovs/interface.go
+++ b/pkg/ovs/interface.go
@@ -139,8 +139,8 @@ type PortGroup interface {
 }
 type ACL interface {
- UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol string, npp []netv1.NetworkPolicyPort, logEnable bool, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error)
- UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol string, npp []netv1.NetworkPolicyPort, logEnable bool, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error)
+ UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol, aclName string, npp []netv1.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error)
+ UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol, aclName string, npp []netv1.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error)
 CreateGatewayACL(lsName, pgName, gateway string) error
 CreateNodeACL(pgName, nodeIPStr, joinIPStr string) error
 CreateSgDenyAllACL(sgName string) error
@@ -152,7 +152,7 @@ type ACL interface {
 SGLostACL(sg *kubeovnv1.SecurityGroup) (bool, error)
 DeleteAcls(parentName, parentType, direction string, externalIDs map[string]string) error
 DeleteAclsOps(parentName, parentType, direction string, externalIDs map[string]string) ([]ovsdb.Operation, error)
- UpdateAnpRuleACLOps(pgName, asName, protocol string, priority int, aclAction ovnnb.ACLAction, rulePorts []v1alpha1.AdminNetworkPolicyPort, isIngress, isBanp bool) ([]ovsdb.Operation, error)
+ UpdateAnpRuleACLOps(pgName, asName, protocol, aclName string, priority int, aclAction ovnnb.ACLAction, logACLActions []ovnnb.ACLAction, rulePorts []v1alpha1.AdminNetworkPolicyPort, isIngress, isBanp bool) ([]ovsdb.Operation, error)
 }
 type AddressSet interface {
diff --git a/pkg/ovs/ovn-nb-acl.go b/pkg/ovs/ovn-nb-acl.go
index 095b2f3cb2ec..26eac9a82feb 100644
--- a/pkg/ovs/ovn-nb-acl.go
+++ b/pkg/ovs/ovn-nb-acl.go
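Review bot: The three ACL interface methods gain `aclName` and `logACLActions` without any comment, and the two netpol methods keep `logEnable` beside the new list, so an implementer or caller cannot tell from the interface whether both switches must be on or what goes into the name column. Add a comment above `UpdateIngressACLOps` along the lines of `// aclName is written to the ACL name column and appears in ovn-controller log lines; logACLActions lists the ovnnb.ACLAction values whose ACLs are logged.` and, on the two netpol methods, `// Logging also requires logEnable.` — the ANP method has no such gate, which is worth stating on it explicitly. The ACL interface continues past the second hunk.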
@@ -23,7 +23,7 @@ import (
 )
 // UpdateIngressACLOps return operation that creates an ingress ACL
-func (c *OVNNbClient) UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol string, npp []netv1.NetworkPolicyPort, logEnable bool, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error) {
+func (c *OVNNbClient) UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol, aclName string, npp []netv1.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error) {
 acls := make([]*ovnnb.ACL, 0)
 if strings.HasSuffix(asIngressName, ".0") || strings.HasSuffix(asIngressName, ".all") {
@@ -51,7 +51,14 @@ func (c *OVNNbClient) UpdateIngressACLOps(pgName, asIngressName, asExceptName, p
 /* allow acl */
 matches := newNetworkPolicyACLMatch(pgName, asIngressName, asExceptName, protocol, ovnnb.ACLDirectionToLport, npp, namedPortMap)
 for _, m := range matches {
- allowACL, err := c.newACLWithoutCheck(pgName, ovnnb.ACLDirectionToLport, util.IngressAllowPriority, m, ovnnb.ACLActionAllowRelated, util.NetpolACLTier)
+ options := func(acl *ovnnb.ACL) {
+ if slices.Contains(logACLActions, ovnnb.ACLActionAllow) && logEnable {
+ acl.Name = &aclName
+ acl.Log = true
+ }
+ }
+
+ allowACL, err := c.newACLWithoutCheck(pgName, ovnnb.ACLDirectionToLport, util.IngressAllowPriority, m, ovnnb.ACLActionAllowRelated, util.NetpolACLTier, options)
 if err != nil {
 return nil, fmt.Errorf("new allow ingress acl for port group %s: %w", pgName, err)
 }
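Review bot: In the `@@ -51` hunk `options` is declared inside `for _, m := range matches` although it captures nothing that changes per iteration, so a new closure is built for every match; hoist it above the loop, as UpdateAnpRuleACLOps already does with its `options`. Two things in it deserve a comment because they look like mistakes to a later reader: the list is checked for `ovnnb.ACLActionAllow` while the ACL being created has action `ovnnb.ACLActionAllowRelated`, and `acl.Name = &aclName` hands every per-match ACL of one rule the same pointer, so their log lines are indistinguishable — presumably both intended, so say so with `// "allow" in the annotation covers the allow-related ACLs; all matches of one rule share aclName`. The doc comment on the function should also mention that logging requires both logEnable and an `allow` entry. The function continues past the hunk.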
@@ -68,7 +75,7 @@ func (c *OVNNbClient) UpdateIngressACLOps(pgName, asIngressName, asExceptName, p
 }
 // UpdateEgressACLOps return operation that creates an egress ACL
-func (c *OVNNbClient) UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol string, npp []netv1.NetworkPolicyPort, logEnable bool, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error) {
+func (c *OVNNbClient) UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol, aclName string, npp []netv1.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error) {
 acls := make([]*ovnnb.ACL, 0)
 if strings.HasSuffix(asEgressName, ".0") || strings.HasSuffix(asEgressName, ".all") {
@@ -107,6 +114,11 @@ func (c *OVNNbClient) UpdateEgressACLOps(pgName, asEgressName, asExceptName, pro
 acl.Options = make(map[string]string)
 }
 acl.Options["apply-after-lb"] = "true"
+
+ if slices.Contains(logACLActions, ovnnb.ACLActionAllow) && logEnable {
+ acl.Name = &aclName
+ acl.Log = true
+ }
 })
 if err != nil {
 klog.Error(err)
@@ -1284,7 +1296,7 @@ func (c *OVNNbClient) SGLostACL(sg *kubeovnv1.SecurityGroup) (bool, error) {
 }
 // UpdateAnpRuleACLOps return operation that creates an ingress/egress ACL
-func (c *OVNNbClient) UpdateAnpRuleACLOps(pgName, asName, protocol string, priority int, aclAction ovnnb.ACLAction, rulePorts []v1alpha1.AdminNetworkPolicyPort, isIngress, isBanp bool) ([]ovsdb.Operation, error) {
+func (c *OVNNbClient) UpdateAnpRuleACLOps(pgName, asName, protocol, aclName string, priority int, aclAction ovnnb.ACLAction, logACLActions []ovnnb.ACLAction, rulePorts []v1alpha1.AdminNetworkPolicyPort, isIngress, isBanp bool) ([]ovsdb.Operation, error) {
 acls := make([]*ovnnb.ACL, 0, 10)
 options := func(acl *ovnnb.ACL) {
@@ -1297,6 +1309,14 @@ func (c *OVNNbClient) UpdateAnpRuleACLOps(pgName, asName, protocol string, prior
 acl.Options = make(map[string]string)
 }
 acl.Options["apply-after-lb"] = "true"
+
+ if slices.Contains(logACLActions, aclAction) {
+ acl.Name = &aclName
+ acl.Log = true
+ if aclAction == ovnnb.ACLActionDrop {
+ acl.Severity = &ovnnb.ACLSeverityWarning
+ }
+ }
 }
 var direction ovnnb.ACLDirection
diff --git a/pkg/ovs/ovn-nb-acl_test.go b/pkg/ovs/ovn-nb-acl_test.go
index b41cb7b4e087..597ff5c9f93e 100644
--- a/pkg/ovs/ovn-nb-acl_test.go
+++ b/pkg/ovs/ovn-nb-acl_test.go
@@ -85,13 +85,14 @@ func (suite *OvnClientTestSuite) testUpdateIngressACLOps() {
 asIngressName := "test.default.ingress.allow.ipv4.all"
 asExceptName := "test.default.ingress.except.ipv4.all"
 protocol := kubeovnv1.ProtocolIPv4
+ aclName := "test_create_v4_ingress_acl_pg"
 err := ovnClient.CreatePortGroup(pgName, nil)
 require.NoError(t, err)
 npp := mockNetworkPolicyPort()
- ops, err := ovnClient.UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol, npp, true, nil)
+ ops, err := ovnClient.UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol, aclName, npp, true, nil, nil)
 require.NoError(t, err)
 require.Len(t, ops, 4)
@@ -113,11 +114,12 @@ func (suite *OvnClientTestSuite) testUpdateIngressACLOps() {
 asIngressName := "test.default.ingress.allow.ipv6.all"
 asExceptName := "test.default.ingress.except.ipv6.all"
 protocol := kubeovnv1.ProtocolIPv6
+ aclName := "test_create_v6_ingress_acl_pg"
 err := ovnClient.CreatePortGroup(pgName, nil)
 require.NoError(t, err)
- ops, err := ovnClient.UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol, nil, true, nil)
+ ops, err := ovnClient.UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol, aclName, nil, true, nil, nil)
 require.NoError(t, err)
 require.Len(t, ops, 3)
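Review bot: In the `@@ -1297` hunk `acl.Log = true` is set without an `acl.Meter`, so every packet hitting a logged rule produces an ovn-controller log line; since the annotation is controlled by whoever may edit the policy object, a logged `allow` or `pass` rule on a busy port group makes log volume on the node a policy-author decision. OVN ACL logging has a meter reference for exactly this purpose — if the deployment already creates one, point this closure at it with a comment, otherwise consider attaching a bounded meter whenever Log is set (the same applies to the ingress and egress hunks above). `Severity` is raised to warning only for drop; allow and pass fall back to OVN's default, which is reasonable but belongs in the function's doc comment together with the fact that, unlike the netpol variants, this path has no `logEnable` gate. UpdateAnpRuleACLOps and the `options` closure start before this hunk.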
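Review bot: Both updated ingress tests pass `nil` for `logACLActions`, so the new Name/Log assignment in UpdateIngressACLOps is never executed by the suite, and the two egress tests in the next hunks do the same for UpdateEgressACLOps. Add one case per direction that passes `[]ovnnb.ACLAction{ovnnb.ACLActionAllow}` with logEnable true and asserts the resulting allow ACL has `Log == true` and `*Name == aclName`, plus one with logEnable false asserting `Log` stays false, so the `&& logEnable` gate is pinned. The enclosing test functions start and end outside the hunks.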
@@ -155,13 +157,14 @@ func (suite *OvnClientTestSuite) testUpdateEgressACLOps() {
 asEgressName := "test.default.egress.allow.ipv4.all"
 asExceptName := "test.default.egress.except.ipv4.all"
 protocol := kubeovnv1.ProtocolIPv4
+ aclName := "test_create_v4_egress_acl_pg"
 err := ovnClient.CreatePortGroup(pgName, nil)
 require.NoError(t, err)
 npp := mockNetworkPolicyPort()
- ops, err := ovnClient.UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol, npp, true, nil)
+ ops, err := ovnClient.UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol, aclName, npp, true, nil, nil)
 require.NoError(t, err)
 require.Len(t, ops, 4)
@@ -183,11 +186,12 @@ func (suite *OvnClientTestSuite) testUpdateEgressACLOps() {
 asEgressName := "test.default.egress.allow.ipv6.all"
 asExceptName := "test.default.egress.except.ipv6.all"
 protocol := kubeovnv1.ProtocolIPv6
+ aclName := "test_create_v6_egress_acl_pg"
 err := ovnClient.CreatePortGroup(pgName, nil)
 require.NoError(t, err)
- ops, err := ovnClient.UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol, nil, true, nil)
+ ops, err := ovnClient.UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol, aclName, nil, true, nil, nil)
 require.NoError(t, err)
 require.Len(t, ops, 3)
diff --git a/pkg/util/const.go b/pkg/util/const.go
index b0d7006b6098..dbc31d83005d 100644
--- a/pkg/util/const.go
+++ b/pkg/util/const.go
@@ -109,6 +109,7 @@ const (
 QoSLabel = "ovn.kubernetes.io/qos"
 NodeNameLabel = "ovn.kubernetes.io/node-name"
 NetworkPolicyLogAnnotation = "ovn.kubernetes.io/enable_log"
+ ACLActionsLogAnnotation = "ovn.kubernetes.io/log_acl_actions"
 VpcLastName = "ovn.kubernetes.io/last_vpc_name"
 VpcLastPolicies = "ovn.kubernetes.io/last_policies"