updated creating acl code to make it more modularized

rejain789 · rejain789 · commit 06eb949f79fd · 2025-01-14T21:41:11.000-08:00
diff --git a/cns/middlewares/k8sSwiftV2.go b/cns/middlewares/k8sSwiftV2.go
@@ -59,17 +59,26 @@ func (k *K8sSWIFTv2Middleware) IPConfigsRequestHandlerWrapper(defaultHandler, fa
 			return ipConfigsResp, err
 		}
 
-		// ipConfigsResp has infra IP configs -> if defaultDenyACLbool is enabled, add the default deny acl's pn the infra IP configs
+		// ipConfigsResp has infra IP configs -> if defaultDenyACLbool is enabled, add the default deny endpoint policies as a property in PodIpInfo
 		for i := range ipConfigsResp.PodIPInfo {
 			ipInfo := &ipConfigsResp.PodIPInfo[i]
-			var defaultDenyEndpointPolicies []policy.Policy
 			// there will be no pod connectivity to and from those pods
+			var defaultDenyEngressPolicy, defaultDenyIngressPolicy policy.Policy
+
 			if defaultDenyACLbool && ipInfo.NICType == cns.InfraNIC {
-				defaultDenyEndpointPolicies, err = addDefaultDenyACL()
+				defaultDenyEngressPolicy, err = getEndpointPolicyL(string(policy.ACLPolicy), cns.ActionTypeBlock, cns.DirectionTypeOut, 10_000)
 				if err != nil {
 					logger.Errorf("failed to add default deny acl's for pod %v with err %v", podInfo.Name(), err)
 				}
-				ipInfo.EndpointPolicies = append(ipInfo.EndpointPolicies, defaultDenyEndpointPolicies...)
+
+				defaultDenyIngressPolicy, err = getEndpointPolicyL(string(policy.ACLPolicy), cns.ActionTypeBlock, cns.DirectionTypeIn, 10_000)
+				if err != nil {
+					logger.Errorf("failed to add default deny acl's for pod %v with err %v", podInfo.Name(), err)
+				}
+
+				ipInfo.EndpointPolicies = append(ipInfo.EndpointPolicies, defaultDenyEngressPolicy, defaultDenyIngressPolicy)
+				logger.Printf("Created endpoint policies for defaultDenyEngressPolicy and defaultDenyIngressPolicy")
+
 				break
 			}
 		}
diff --git a/cns/middlewares/k8sSwiftV2_linux.go b/cns/middlewares/k8sSwiftV2_linux.go
@@ -105,6 +105,6 @@ func (k *K8sSWIFTv2Middleware) assignSubnetPrefixLengthFields(_ *cns.PodIpInfo,
 
 func (k *K8sSWIFTv2Middleware) addDefaultRoute(*cns.PodIpInfo, string) {}
 
-func addDefaultDenyACL() ([]policy.Policy, error) {
-	return []policy.Policy{}, nil
+func getEndpointPolicyL(_, _, _ string, _ int) (policy.Policy, error) {
+	return policy.Policy{}, nil
 }
diff --git a/cns/middlewares/k8sSwiftV2_windows.go b/cns/middlewares/k8sSwiftV2_windows.go
@@ -7,7 +7,6 @@ import (
 	"github.com/Azure/azure-container-networking/cns/middlewares/utils"
 	"github.com/Azure/azure-container-networking/crd/multitenancy/api/v1alpha1"
 	"github.com/Azure/azure-container-networking/network/policy"
-	"github.com/Microsoft/hcsshim/hcn"
 	"github.com/pkg/errors"
 )
 
@@ -63,52 +62,41 @@ func (k *K8sSWIFTv2Middleware) addDefaultRoute(podIPInfo *cns.PodIpInfo, gwIP st
 	podIPInfo.Routes = append(podIPInfo.Routes, route)
 }
 
-// append the default deny acl's to the list defaultDenyACL field in podIpInfo
-func addDefaultDenyACL() ([]policy.Policy, error) {
-	blockEgressACL, err := getDefaultDenyACLPolicy(hcn.DirectionTypeOut)
+// get policy of type endpoint policy given the params
+func getEndpointPolicyL(policyType string, action string, direction string, priority int) (policy.Policy, error) {
+	endpointPolicy, err := createEndpointPolicy(policyType, action, direction, priority)
 	if err != nil {
-		return []policy.Policy{}, errors.Wrap(err, "failed to create default deny ACL policy egress")
+		return policy.Policy{}, errors.Wrap(err, "failed to create endpoint policy")
 	}
 
-	blockIngressACL, err := getDefaultDenyACLPolicy(hcn.DirectionTypeIn)
-	if err != nil {
-		return []policy.Policy{}, errors.Wrap(err, "Failed to create default deny ACL policy ingress")
-	}
-
-	additionalArgs := []policy.Policy{
-		{
-			Type: policy.EndpointPolicy,
-			Data: blockEgressACL,
-		},
-		{
-			Type: policy.EndpointPolicy,
-			Data: blockIngressACL,
-		},
+	additionalArgs := policy.Policy{
+		Type: policy.EndpointPolicy,
+		Data: endpointPolicy,
 	}
 
 	return additionalArgs, nil
 }
 
-// create the default deny acl's that need to be added to the list defaultDenyACL field in podIpInfo
-func getDefaultDenyACLPolicy(direction hcn.DirectionType) ([]byte, error) {
-	type DefaultDenyACL struct {
-		Type      string            `json:"Type"`
-		Action    hcn.ActionType    `json:"Action"`
-		Direction hcn.DirectionType `json:"Direction"`
-		Priority  int               `json:"Priority"`
+// create policy given the params
+func createEndpointPolicy(policyType string, action string, direction string, priority int) ([]byte, error) {
+	type EndpointPolicy struct {
+		Type      string `json:"Type"`
+		Action    string `json:"Action"`
+		Direction string `json:"Direction"`
+		Priority  int    `json:"Priority"`
 	}
 
-	denyACL := DefaultDenyACL{
-		Type:      "ACL", // policy type is ACL
-		Action:    hcn.ActionTypeBlock,
+	policy := EndpointPolicy{
+		Type:      policyType,
+		Action:    action,
 		Direction: direction,
-		Priority:  10_000, // default deny priority will be 10_000
+		Priority:  priority,
 	}
 
-	denyACLJSON, err := json.Marshal(denyACL)
+	rawPolicy, err := json.Marshal(policy)
 	if err != nil {
-		return nil, errors.Wrap(err, "error marshalling default deny policy to json")
+		return nil, errors.Wrap(err, "error marshalling policy to json")
 	}
 
-	return denyACLJSON, nil
+	return rawPolicy, nil
 }
diff --git a/cns/middlewares/k8sSwiftV2_windows_test.go b/cns/middlewares/k8sSwiftV2_windows_test.go
@@ -2,6 +2,7 @@ package middlewares
 
 import (
 	"encoding/json"
+	"fmt"
 	"reflect"
 	"testing"
 
@@ -105,19 +106,35 @@ func TestAddDefaultRoute(t *testing.T) {
 }
 
 func TestAddDefaultDenyACL(t *testing.T) {
-	valueOut := []byte(`{
-		"Type": "ACL",
-		"Action": "Block",
-		"Direction": "Out",
-		"Priority": 10000
-	}`)
-
-	valueIn := []byte(`{
-		"Type": "ACL",
-		"Action": "Block",
-		"Direction": "In",
-		"Priority": 10000
-	}`)
+	const policyType = "ACL"
+	const action = "Block"
+	const ingressDir = "In"
+	const egressDir = "Out"
+	const priority = 10000
+
+	valueIn := []byte(fmt.Sprintf(`{
+		"Type": "%s",
+		"Action": "%s",
+		"Direction": "%s",
+		"Priority": %d
+	}`,
+		policyType,
+		action,
+		ingressDir,
+		priority,
+	))
+
+	valueOut := []byte(fmt.Sprintf(`{
+		"Type": "%s",
+		"Action": "%s",
+		"Direction": "%s",
+		"Priority": %d
+	}`,
+		policyType,
+		action,
+		egressDir,
+		priority,
+	))
 
 	expectedDefaultDenyEndpoint := []policy.Policy{
 		{
@@ -129,13 +146,17 @@ func TestAddDefaultDenyACL(t *testing.T) {
 			Data: valueIn,
 		},
 	}
+	var allEndpoints []policy.Policy
 
-	defaultDenyEndpoint, err := addDefaultDenyACL()
+	defaultDenyEngressPolicy, err := getEndpointPolicyL("ACL", "Block", "Out", 10000)
+	defaultDenyIngressPolicy, err := getEndpointPolicyL("ACL", "Block", "In", 10000)
+
+	allEndpoints = append(allEndpoints, defaultDenyEngressPolicy, defaultDenyIngressPolicy)
 	assert.Equal(t, err, nil)
 
 	// Normalize both slices so there is no extra spacing, new lines, etc
 	normalizedExpected := normalizeKVPairs(t, expectedDefaultDenyEndpoint)
-	normalizedActual := normalizeKVPairs(t, defaultDenyEndpoint)
+	normalizedActual := normalizeKVPairs(t, allEndpoints)
 	if !reflect.DeepEqual(normalizedExpected, normalizedActual) {
 		t.Errorf("got '%+v', expected '%+v'", normalizedActual, normalizedExpected)
 	}

Original file line number	Diff line number	Diff line change
`@@ -105,6 +105,6 @@ func (k K8sSWIFTv2Middleware) assignSubnetPrefixLengthFields(_ cns.PodIpInfo,`
`105`	`105`
`106`	`106`	`func (k K8sSWIFTv2Middleware) addDefaultRoute(cns.PodIpInfo, string) {}`
`107`	`107`
`108`		`-func addDefaultDenyACL() ([]policy.Policy, error) {`
`109`		`- return []policy.Policy{}, nil`
	`108`	`+func getEndpointPolicyL(_, _, _ string, _ int) (policy.Policy, error) {`
	`109`	`+ return policy.Policy{}, nil`
`110`	`110`	`}`