SecurityMode: traffic segregation

Co-authored-by: Luca Francescato <[email protected]>

build/liqonet/Dockerfile

@@ -22,10 +22,10 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=$(go env GOARCH) go build -ldflags="-s -w" .
 FROM alpine:3.18
 
 RUN apk update && \
-    apk add iptables bash wireguard-tools tcpdump conntrack-tools curl && \
+    apk add iptables ipset bash wireguard-tools tcpdump conntrack-tools curl && \
     rm -rf /var/cache/apk/*
 
 COPY --from=goBuilder /tmp/builder/liqonet /usr/bin/liqonet
 COPY --from=goBuilder-wg /go/wireguard-go/wireguard-go /usr/bin/wireguard-go
 
-ENTRYPOINT [ "/usr/bin/liqonet" ]
+ENTRYPOINT [ "/usr/bin/liqonet" ]

cmd/liqonet/gateway-operator.go

@@ -22,15 +22,13 @@ import (
 	"time"
 
 	"github.com/containernetworking/plugins/pkg/ns"
-	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/fields"
+	/* corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/fields" */
 	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/rest"
+	//"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/leaderelection/resourcelock"
 	"k8s.io/klog/v2"
 	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/cache"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	tunneloperator "github.com/liqotech/liqo/internal/liqonet/tunnel-operator"
 	liqoconst "github.com/liqotech/liqo/pkg/consts"
@@ -39,6 +37,7 @@ import (
 	liqonetutils "github.com/liqotech/liqo/pkg/liqonet/utils"
 	"github.com/liqotech/liqo/pkg/liqonet/utils/links"
 	liqonetsignals "github.com/liqotech/liqo/pkg/liqonet/utils/signals"
+	argsutils "github.com/liqotech/liqo/pkg/utils/args"
 	"github.com/liqotech/liqo/pkg/utils/mapper"
 	"github.com/liqotech/liqo/pkg/utils/restcfg"
 )
@@ -51,9 +50,13 @@ type gatewayOperatorFlags struct {
 	tunnelMTU            uint
 	tunnelListeningPort  uint
 	updateStatusInterval time.Duration
+	securityMode         *argsutils.StringEnum
 }
 
 func addGatewayOperatorFlags(liqonet *gatewayOperatorFlags) {
+	liqonet.securityMode = argsutils.NewEnum([]string{string(liqoconst.FullPodToPodSecurityMode),
+		string(liqoconst.IntraClusterTrafficSegregationSecurityMode)},
+		string(liqoconst.FullPodToPodSecurityMode))
 	flag.BoolVar(&liqonet.enableLeaderElection, "gateway.leader-elect", false,
 		"leader-elect enables leader election for controller manager.")
 	flag.DurationVar(&liqonet.leaseDuration, "gateway.lease-duration", 7*time.Second,
@@ -72,6 +75,7 @@ func addGatewayOperatorFlags(liqonet *gatewayOperatorFlags) {
 		"ping-loss-threshold is the number of lost packets after which the connection check is considered as failed.")
 	flag.DurationVar(&conncheck.PingInterval, "gateway.ping-interval", 2*time.Second,
 		"ping-interval is the interval between two connection checks")
+	flag.Var(liqonet.securityMode, "gateway.security-mode", "security-mode represents different security modes regarding connectivity among clusters")
 }
 
 func runGatewayOperator(commonFlags *liqonetCommonFlags, gatewayFlags *gatewayOperatorFlags) {
@@ -82,6 +86,8 @@ func runGatewayOperator(commonFlags *liqonetCommonFlags, gatewayFlags *gatewayOp
 	leaseDuration := gatewayFlags.leaseDuration
 	renewDeadLine := gatewayFlags.renewDeadline
 	retryPeriod := gatewayFlags.retryPeriod
+	securityMode := liqoconst.SecurityModeType(gatewayFlags.securityMode.String())
+	klog.Infof("gw1)%s", securityMode)
 
 	// If port is not in the correct range, then return an error.
 	if gatewayFlags.tunnelListeningPort < liqoconst.UDPMinPort || gatewayFlags.tunnelListeningPort > liqoconst.UDPMaxPort {
@@ -103,6 +109,13 @@ func runGatewayOperator(commonFlags *liqonetCommonFlags, gatewayFlags *gatewayOp
 		klog.Errorf("unable to get pod namespace: %v", err)
 		os.Exit(1)
 	}
+
+	/* podsLabelRequirement, err := labels.NewRequirement(liqoconst.ManagedByLabelKey, selection.Equals, []string{liqoconst.ManagedByShadowPodValue})
+	utilruntime.Must(err)
+
+	endpointslicesLabelRequirement, err := labels.NewRequirement(discoveryv1.LabelManagedBy, selection.Equals, []string{liqovk.EndpointSliceManagedBy})
+	utilruntime.Must(err) */
+
 	main, err := ctrl.NewManager(restcfg.SetRateLimiter(ctrl.GetConfigOrDie()), ctrl.Options{
 		MapperProvider:                mapper.LiqoMapperProvider(scheme),
 		Scheme:                        scheme,
@@ -115,14 +128,14 @@ func runGatewayOperator(commonFlags *liqonetCommonFlags, gatewayFlags *gatewayOp
 		LeaseDuration:                 &leaseDuration,
 		RenewDeadline:                 &renewDeadLine,
 		RetryPeriod:                   &retryPeriod,
-		NewCache: func(config *rest.Config, opts cache.Options) (cache.Cache, error) {
+		/* NewCache: func(config *rest.Config, opts cache.Options) (cache.Cache, error) {
 			opts.ByObject = map[client.Object]cache.ByObject{
 				&corev1.Pod{}: {
 					Field: fields.OneTermEqualSelector("metadata.namespace", podNamespace),
 				},
 			}
 			return cache.New(config, opts)
-		},
+		}, */
 	})
 	if err != nil {
 		klog.Errorf("unable to get main manager: %s", err)
@@ -157,7 +170,7 @@ func runGatewayOperator(commonFlags *liqonetCommonFlags, gatewayFlags *gatewayOp
 		os.Exit(1)
 	}
 	tunnelController, err := tunneloperator.NewTunnelController(ctx, &wg, podIP.String(), podNamespace, eventRecorder,
-		clientset, main.GetClient(), &readyClustersMutex, readyClusters, gatewayNetns, hostNetns, int(MTU), int(port), updateStatusInterval)
+		clientset, main.GetClient(), &readyClustersMutex, readyClusters, gatewayNetns, hostNetns, int(MTU), int(port), updateStatusInterval, securityMode)
 	// If something goes wrong while creating and configuring the tunnel controller
 	// then make sure that we remove all the resources created during the create process.
 	if err != nil {
@@ -187,6 +200,31 @@ func runGatewayOperator(commonFlags *liqonetCommonFlags, gatewayFlags *gatewayOp
 		os.Exit(1)
 	}
 
+	klog.Infof("gw1)%s, %s, %s", securityMode, liqoconst.IntraClusterTrafficSegregationSecurityMode, securityMode == liqoconst.IntraClusterTrafficSegregationSecurityMode)
+	if securityMode == liqoconst.IntraClusterTrafficSegregationSecurityMode {
+		klog.Infof("gw2)%s", securityMode)
+		podsInfo := &sync.Map{}
+		endpointslicesInfo := &sync.Map{}
+		offloadedPodController, err := tunneloperator.NewOffloadedPodController(main.GetClient(), gatewayNetns, podsInfo, endpointslicesInfo)
+		if err != nil {
+			klog.Errorf("an error occurred while creating the offloaded pod controller: %v", err)
+			os.Exit(1)
+		}
+		if err = offloadedPodController.SetupWithManager(main); err != nil {
+			klog.Errorf("unable to setup offloaded pod controller: %s", err)
+			os.Exit(1)
+		}
+		reflectedEndpointsliceController, err := tunneloperator.NewReflectedEndpointsliceController(main.GetClient(), main.GetScheme(), gatewayNetns, podsInfo, endpointslicesInfo)
+		if err != nil {
+			klog.Errorf("an error occurred while creating the reflected endpointslice controller: %v", err)
+			os.Exit(1)
+		}
+		if err = reflectedEndpointsliceController.SetupWithManager(main); err != nil {
+			klog.Errorf("unable to setup reflected endpointslice controller: %s", err)
+			os.Exit(1)
+		}
+	}
+
 	klog.Info("Starting manager as Tunnel-Operator")
 	if err := main.Start(tunnelController.SetupSignalHandlerForTunnelOperator(ctx, &wg)); err != nil {
 		klog.Errorf("unable to start tunnel controller: %s", err)

cmd/liqonet/main.go

@@ -26,6 +26,7 @@ import (
 
 	discoveryv1alpha1 "github.com/liqotech/liqo/apis/discovery/v1alpha1"
 	netv1alpha1 "github.com/liqotech/liqo/apis/net/v1alpha1"
+	offloadingv1alpha1 "github.com/liqotech/liqo/apis/offloading/v1alpha1"
 	liqoconst "github.com/liqotech/liqo/pkg/consts"
 	"github.com/liqotech/liqo/pkg/utils/restcfg"
 )
@@ -47,6 +48,7 @@ func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 	utilruntime.Must(discoveryv1alpha1.AddToScheme(scheme))
 	utilruntime.Must(netv1alpha1.AddToScheme(scheme))
+	utilruntime.Must(offloadingv1alpha1.AddToScheme(scheme))
 }
 
 func main() {

deployments/liqo/files/liqo-gateway-ClusterRole.yaml

@@ -11,6 +11,14 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:
@@ -21,6 +29,12 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/status
+  verbs:
+  - get
 - apiGroups:
   - ""
   resources:
@@ -30,6 +44,30 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices/endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices/endpoints/addresses
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - net.liqo.io
   resources:
@@ -62,3 +100,11 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - offloading.liqo.io
+  resources:
+  - namespaceoffloadings
+  verbs:
+  - get
+  - list
+  - watch

deployments/liqo/templates/liqo-gateway-deployment.yaml

@@ -56,6 +56,9 @@ spec:
           {{- if .Values.common.extraArgs }}
           {{- toYaml .Values.common.extraArgs | nindent 10 }}
           {{- end }}
+          {{- if .Values.networking.securityMode}}
+          - --gateway.security-mode={{ .Values.networking.securityMode }}
+          {{- end }}
           {{- if .Values.gateway.pod.extraArgs }}
           {{- toYaml .Values.gateway.pod.extraArgs | nindent 10 }}
           {{- end }}

deployments/liqo/values.yaml

@@ -37,6 +37,8 @@ networking:
   # The default value is configured to ensure correct behavior regardless of the combination of the underlying environments
   # (e.g., cloud providers). This guarantees improved compatibility at the cost of possible limited performance drops.
   mtu: 1340
+  # -- Select the mode to enforce security on connectivity among clusters 
+  securityMode: "IntraClusterTrafficSegregation"
 
 reflection:
   skip:

go.mod

@@ -55,6 +55,7 @@ require (
 	k8s.io/component-helpers v0.28.2
 	k8s.io/klog/v2 v2.100.1
 	k8s.io/kubectl v0.28.2
+	k8s.io/kubernetes v1.26.2
 	k8s.io/metrics v0.28.2
 	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
 	sigs.k8s.io/aws-iam-authenticator v0.6.12

go.sum

@@ -605,8 +605,9 @@ github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfV
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/julienschmidt/httprouter v1.3.0 h1:U0609e9tgbseu3rBINet9P48AI/D3oJs4dN7jwJOQ1U=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
-github.com/karrick/godirwalk v1.16.1 h1:DynhcF+bztK8gooS0+NDJFrdNZjJ3gzVzC545UNA9iw=
 github.com/karrick/godirwalk v1.16.1/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk=
+github.com/karrick/godirwalk v1.17.0 h1:b4kY7nqDdioR/6qnbHQyDvmA17u5G1cZ6J+CZXwSWoI=
+github.com/karrick/godirwalk v1.17.0/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
@@ -1596,6 +1597,8 @@ k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5Ohx
 k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM=
 k8s.io/kubectl v0.28.2 h1:fOWOtU6S0smdNjG1PB9WFbqEIMlkzU5ahyHkc7ESHgM=
 k8s.io/kubectl v0.28.2/go.mod h1:6EQWTPySF1fn7yKoQZHYf9TPwIl2AygHEcJoxFekr64=
+k8s.io/kubernetes v1.26.2 h1:6Ve0nzlF2noVXf9jMHSJgbRZC0EkyOV22GYEv1K7MZI=
+k8s.io/kubernetes v1.26.2/go.mod h1:cv07eVU5+kF6ibpVtAvOGjIBsrfgevQL4ORK85/oqWc=
 k8s.io/metrics v0.28.2 h1:Z/oMk5SmiT/Ji1SaWOPfW2l9W831BLO9/XxDq9iS3ak=
 k8s.io/metrics v0.28.2/go.mod h1:QTIIdjMrq+KodO+rmp6R9Pr1LZO8kTArNtkWoQXw0sw=
 k8s.io/utils v0.0.0-20200729134348-d5654de09c73/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=