netpol: add allow acl rules for u2o logical gateway (#4420)

Signed-off-by: zhangzujian <[email protected]>

go.mod

@@ -39,6 +39,7 @@ require (
 	k8s.io/client-go v12.0.0+incompatible
 	k8s.io/klog/v2 v2.120.1
 	k8s.io/sample-controller v0.23.17
+	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
 	kubevirt.io/client-go v0.50.0
 	sigs.k8s.io/controller-runtime v0.11.0
 )
@@ -134,7 +135,6 @@ require (
 	k8s.io/apiextensions-apiserver v0.23.17 // indirect
 	k8s.io/component-base v0.23.17 // indirect
 	k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect
-	k8s.io/utils v0.0.0-20211116205334-6203023598ed // indirect
 	kubevirt.io/api v0.50.0 // indirect
 	kubevirt.io/containerized-data-importer-api v1.42.0 // indirect
 	kubevirt.io/controller-lifecycle-operator-sdk v0.2.1 // indirect

go.sum

@@ -1866,8 +1866,9 @@ k8s.io/utils v0.0.0-20191114200735-6ca3b61696b6/go.mod h1:sZAwmy6armz5eXlNoLmJcl
 k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20210111153108-fddb29f9d009/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-k8s.io/utils v0.0.0-20211116205334-6203023598ed h1:ck1fRPWPJWsMd8ZRFsWc6mh/zHp5fZ/shhbrgPUxDAE=
 k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
+k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 kubevirt.io/api v0.50.0 h1:UEL3Y19DP2bKn6OjL155CBhnwPpMCXSSEMGMandJUBg=
 kubevirt.io/api v0.50.0/go.mod h1:RPYFWI69OVi7i6YtW5gHN3fjYsjlRfRilKVNcpxEMmM=
 kubevirt.io/client-go v0.50.0 h1:4UvADLkbNGGc9MmRbLyXNe4qxhedTQQkT3242WoINjo=

pkg/controller/network_policy.go

@@ -509,7 +509,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 		}
 	}
 
-	if err = c.ovnLegacyClient.CreateGatewayACL(pgName, subnet.Spec.Gateway, subnet.Spec.CIDRBlock); err != nil {
+	if err = c.ovnLegacyClient.CreateGatewayACL(pgName, subnet.Spec.Gateway, subnet.Status.U2OInterconnectionIP, subnet.Spec.CIDRBlock); err != nil {
 		klog.Errorf("failed to create gateway acl, %v", err)
 		return err
 	}

pkg/controller/subnet.go

@@ -71,6 +71,18 @@ func (c *Controller) enqueueUpdateSubnet(old, new interface{}) {
 		return
 	}
 
+	if newSubnet.Spec.Gateway != oldSubnet.Spec.Gateway ||
+		newSubnet.Status.U2OInterconnectionIP != oldSubnet.Status.U2OInterconnectionIP {
+		policies, err := c.npsLister.List(labels.Everything())
+		if err != nil {
+			klog.Errorf("failed to list network policies: %v", err)
+		} else {
+			for _, np := range policies {
+				c.enqueueAddNp(np)
+			}
+		}
+	}
+
 	var usingIPs float64
 	if newSubnet.Spec.Protocol == kubeovnv1.ProtocolIPv6 {
 		usingIPs = newSubnet.Status.V6UsingIPs

pkg/ovs/ovn-nbctl-legacy.go

@@ -16,6 +16,7 @@ import (
 
 	netv1 "k8s.io/api/networking/v1"
 	"k8s.io/klog/v2"
+	"k8s.io/utils/set"
 
 	kubeovnv1 "github.com/kubeovn/kube-ovn/pkg/apis/kubeovn/v1"
 	"github.com/kubeovn/kube-ovn/pkg/util"
@@ -1624,9 +1625,14 @@ func (c LegacyClient) DeleteACL(pgName, direction string) (err error) {
 	return
 }
 
-func (c LegacyClient) CreateGatewayACL(pgName, gateway, cidr string) error {
+func (c LegacyClient) CreateGatewayACL(pgName, gateway, u2oInterconnectionIP, cidr string) error {
 	for _, cidrBlock := range strings.Split(cidr, ",") {
-		for _, gw := range strings.Split(gateway, ",") {
+		gateways := set.New(strings.Split(gateway, ",")...)
+		if u2oInterconnectionIP != "" {
+			gateways.Insert(strings.Split(u2oInterconnectionIP, ",")...)
+		}
+
+		for gw := range gateways {
 			if util.CheckProtocol(cidrBlock) != util.CheckProtocol(gw) {
 				continue
 			}