Merge policies (#390)

Author: Yongli Chen

npm/ipsm/ipsm.go

@@ -119,6 +119,10 @@ func (ipsMgr *IpsetManager) DeleteList(listName string) error {
 
 // AddToList inserts an ipset to an ipset list.
 func (ipsMgr *IpsetManager) AddToList(listName string, setName string) error {
+	if listName == setName {
+		return nil
+	}
+
 	if ipsMgr.Exists(listName, setName, util.IpsetSetListFlag) {
 		return nil
 	}

npm/iptm/iptm.go

@@ -27,7 +27,6 @@ const (
 type IptEntry struct {
 	Command               string
 	Name                  string
-	HashedName            string
 	Chain                 string
 	Flag                  string
 	LockWaitTimeInSeconds string
@@ -80,9 +79,9 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
 	// Add default allow CONNECTED/RELATED rule to AZURE-NPM chain.
 	entry.Chain = util.IptablesAzureChain
 	entry.Specs = []string{
-		util.IptablesMatchFlag,
+		util.IptablesModuleFlag,
+		util.IptablesStateModuleFlag,
 		util.IptablesStateFlag,
-		util.IptablesMatchStateFlag,
 		util.IptablesRelatedState + "," + util.IptablesEstablishedState,
 		util.IptablesJumpFlag,
 		util.IptablesAccept,
@@ -100,12 +99,38 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
 		}
 	}
 
+	// Create AZURE-NPM-KUBE-SYSTEM chain.
+	if err := iptMgr.AddChain(util.IptablesAzureKubeSystemChain); err != nil {
+		return err
+	}
+
+	// Append AZURE-NPM-KUBE-SYSTEM chain to AZURE-NPM chain.
+	entry = &IptEntry{
+		Chain: util.IptablesAzureChain,
+		Specs: []string{
+			util.IptablesJumpFlag,
+			util.IptablesAzureKubeSystemChain,
+		},
+	}
+	exists, err = iptMgr.Exists(entry)
+	if err != nil {
+		return err
+	}
+
+	if !exists {
+		iptMgr.OperationFlag = util.IptablesAppendFlag
+		if _, err = iptMgr.Run(entry); err != nil {
+			log.Errorf("Error: failed to add AZURE-NPM-KUBE-SYSTEM chain to AZURE-NPM chain.")
+			return err
+		}
+	}
+
 	// Create AZURE-NPM-INGRESS-PORT chain.
 	if err := iptMgr.AddChain(util.IptablesAzureIngressPortChain); err != nil {
 		return err
 	}
 
-	// Insert AZURE-NPM-INGRESS-PORT chain to AZURE-NPM chain.
+	// Append AZURE-NPM-INGRESS-PORT chain to AZURE-NPM chain.
 	entry.Chain = util.IptablesAzureChain
 	entry.Specs = []string{util.IptablesJumpFlag, util.IptablesAzureIngressPortChain}
 	exists, err = iptMgr.Exists(entry)
@@ -121,13 +146,8 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
 		}
 	}
 
-	// Create AZURE-NPM-INGRESS-FROM-NS chain.
-	if err = iptMgr.AddChain(util.IptablesAzureIngressFromNsChain); err != nil {
-		return err
-	}
-
-	// Create AZURE-NPM-INGRESS-FROM-POD chain.
-	if err = iptMgr.AddChain(util.IptablesAzureIngressFromPodChain); err != nil {
+	// Create AZURE-NPM-INGRESS-FROM chain.
+	if err = iptMgr.AddChain(util.IptablesAzureIngressFromChain); err != nil {
 		return err
 	}
 
@@ -152,13 +172,8 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
 		}
 	}
 
-	// Create AZURE-NPM-EGRESS-TO-NS chain.
-	if err = iptMgr.AddChain(util.IptablesAzureEgressToNsChain); err != nil {
-		return err
-	}
-
-	// Create AZURE-NPM-EGRESS-TO-POD chain.
-	if err = iptMgr.AddChain(util.IptablesAzureEgressToPodChain); err != nil {
+	// Create AZURE-NPM-EGRESS-TO chain.
+	if err = iptMgr.AddChain(util.IptablesAzureEgressToChain); err != nil {
 		return err
 	}
 
@@ -167,7 +182,7 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
 		return err
 	}
 
-	// Insert AZURE-NPM-TARGET-SETS chain to AZURE-NPM chain.
+	// Append AZURE-NPM-TARGET-SETS chain to AZURE-NPM chain.
 	entry.Chain = util.IptablesAzureChain
 	entry.Specs = []string{util.IptablesJumpFlag, util.IptablesAzureTargetSetsChain}
 	exists, err = iptMgr.Exists(entry)
@@ -190,12 +205,11 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
 func (iptMgr *IptablesManager) UninitNpmChains() error {
 	IptablesAzureChainList := []string{
 		util.IptablesAzureChain,
+		util.IptablesAzureKubeSystemChain,
 		util.IptablesAzureIngressPortChain,
-		util.IptablesAzureIngressFromNsChain,
-		util.IptablesAzureIngressFromPodChain,
+		util.IptablesAzureIngressFromChain,
 		util.IptablesAzureEgressPortChain,
-		util.IptablesAzureEgressToNsChain,
-		util.IptablesAzureEgressToPodChain,
+		util.IptablesAzureEgressToChain,
 		util.IptablesAzureTargetSetsChain,
 	}
 
@@ -282,6 +296,7 @@ func (iptMgr *IptablesManager) DeleteChain(chain string) error {
 			log.Printf("Chain doesn't exist %s.", entry.Chain)
 			return nil
 		}
+
 		log.Errorf("Error: failed to delete iptables chain %s.", entry.Chain)
 		return err
 	}
@@ -291,7 +306,7 @@ func (iptMgr *IptablesManager) DeleteChain(chain string) error {
 
 // Add adds a rule in iptables.
 func (iptMgr *IptablesManager) Add(entry *IptEntry) error {
-	log.Printf("Add iptables entry: %+v.", entry)
+	log.Printf("Adding iptables entry: %+v.", entry)
 
 	exists, err := iptMgr.Exists(entry)
 	if err != nil {
@@ -302,7 +317,7 @@ func (iptMgr *IptablesManager) Add(entry *IptEntry) error {
 		return nil
 	}
 
-	iptMgr.OperationFlag = util.IptablesInsertionFlag
+	iptMgr.OperationFlag = util.IptablesAppendFlag
 	if _, err := iptMgr.Run(entry); err != nil {
 		log.Errorf("Error: failed to create iptables rules.")
 		return err

npm/namespace.go

@@ -14,23 +14,25 @@ import (
 )
 
 type namespace struct {
-	name   string
-	setMap map[string]string
-	podMap map[types.UID]*corev1.Pod
-	npMap  map[string]*networkingv1.NetworkPolicy
-	ipsMgr *ipsm.IpsetManager
-	iptMgr *iptm.IptablesManager
+	name           string
+	setMap         map[string]string
+	podMap         map[types.UID]*corev1.Pod
+	rawNpMap       map[string]*networkingv1.NetworkPolicy
+	processedNpMap map[string]*networkingv1.NetworkPolicy
+	ipsMgr         *ipsm.IpsetManager
+	iptMgr         *iptm.IptablesManager
 }
 
 // newNS constructs a new namespace object.
 func newNs(name string) (*namespace, error) {
 	ns := &namespace{
-		name:   name,
-		setMap: make(map[string]string),
-		podMap: make(map[types.UID]*corev1.Pod),
-		npMap:  make(map[string]*networkingv1.NetworkPolicy),
-		ipsMgr: ipsm.NewIpsetManager(),
-		iptMgr: iptm.NewIptablesManager(),
+		name:           name,
+		setMap:         make(map[string]string),
+		podMap:         make(map[types.UID]*corev1.Pod),
+		rawNpMap:       make(map[string]*networkingv1.NetworkPolicy),
+		processedNpMap: make(map[string]*networkingv1.NetworkPolicy),
+		ipsMgr:         ipsm.NewIpsetManager(),
+		iptMgr:         iptm.NewIptablesManager(),
 	}
 
 	return ns, nil
@@ -40,16 +42,26 @@ func isSystemNs(nsObj *corev1.Namespace) bool {
 	return nsObj.ObjectMeta.Name == util.KubeSystemFlag
 }
 
+func (ns *namespace) policyExists(npObj *networkingv1.NetworkPolicy) bool {
+	if np, exists := ns.rawNpMap[npObj.ObjectMeta.Name]; exists {
+		if isSamePolicy(np, npObj) {
+			return true
+		}
+	}
+
+	return false
+}
+
 // InitAllNsList syncs all-namespace ipset list.
 func (npMgr *NetworkPolicyManager) InitAllNsList() error {
 	allNs := npMgr.nsMap[util.KubeAllNamespacesFlag]
-	for nsName := range npMgr.nsMap {
-		if nsName == util.KubeAllNamespacesFlag {
+	for ns:= range npMgr.nsMap {
+		if ns == util.KubeAllNamespacesFlag {
 			continue
 		}
 
-		if err := allNs.ipsMgr.AddToList(util.KubeAllNamespacesFlag, nsName); err != nil {
-			log.Errorf("Error: failed to add namespace set %s to list %s", nsName, util.KubeAllNamespacesFlag)
+		if err := allNs.ipsMgr.AddToList(util.KubeAllNamespacesFlag, ns); err != nil {
+			log.Errorf("Error: failed to add namespace set %s to ipset list %s", ns, util.KubeAllNamespacesFlag)
 			return err
 		}
 	}
@@ -60,13 +72,13 @@ func (npMgr *NetworkPolicyManager) InitAllNsList() error {
 // UninitAllNsList cleans all-namespace ipset list.
 func (npMgr *NetworkPolicyManager) UninitAllNsList() error {
 	allNs := npMgr.nsMap[util.KubeAllNamespacesFlag]
-	for nsName := range npMgr.nsMap {
-		if nsName == util.KubeAllNamespacesFlag {
+	for ns := range npMgr.nsMap {
+		if ns == util.KubeAllNamespacesFlag {
 			continue
 		}
 
-		if err := allNs.ipsMgr.DeleteFromList(util.KubeAllNamespacesFlag, nsName); err != nil {
-			log.Errorf("Error: failed to delete namespace set %s from list %s", nsName, util.KubeAllNamespacesFlag)
+		if err := allNs.ipsMgr.DeleteFromList(util.KubeAllNamespacesFlag, ns); err != nil {
+			log.Errorf("Error: failed to delete namespace set %s from list %s", ns, util.KubeAllNamespacesFlag)
 			return err
 		}
 	}
@@ -81,8 +93,8 @@ func (npMgr *NetworkPolicyManager) AddNamespace(nsObj *corev1.Namespace) error {
 
 	var err error
 
-	nsName, nsNs, nsLabel := nsObj.ObjectMeta.Name, nsObj.ObjectMeta.Namespace, nsObj.ObjectMeta.Labels
-	log.Printf("NAMESPACE CREATING: [%s/%s/%+v]", nsName, nsNs, nsLabel)
+	nsName, nsLabel := "ns-" + nsObj.ObjectMeta.Name, nsObj.ObjectMeta.Labels
+	log.Printf("NAMESPACE CREATING: [%s/%v]", nsName, nsLabel)
 
 	ipsMgr := npMgr.nsMap[util.KubeAllNamespacesFlag].ipsMgr
 	// Create ipset for the namespace.
@@ -97,16 +109,21 @@ func (npMgr *NetworkPolicyManager) AddNamespace(nsObj *corev1.Namespace) error {
 	}
 
 	// Add the namespace to its label's ipset list.
-	var labelKeys []string
 	nsLabels := nsObj.ObjectMeta.Labels
 	for nsLabelKey, nsLabelVal := range nsLabels {
-		labelKey := util.GetNsIpsetName(nsLabelKey, nsLabelVal)
+		labelKey := "ns-" + nsLabelKey
 		log.Printf("Adding namespace %s to ipset list %s", nsName, labelKey)
 		if err = ipsMgr.AddToList(labelKey, nsName); err != nil {
 			log.Errorf("Error: failed to add namespace %s to ipset list %s", nsName, labelKey)
 			return err
 		}
-		labelKeys = append(labelKeys, labelKey)
+
+		label := "ns-" + nsLabelKey + ":" + nsLabelVal
+		log.Printf("Adding namespace %s to ipset list %s", nsName, label)
+		if err = ipsMgr.AddToList(label, nsName); err != nil {
+			log.Errorf("Error: failed to add namespace %s to ipset list %s", nsName, label)
+			return err
+		}
 	}
 
 	ns, err := newNs(nsName)
@@ -122,11 +139,11 @@ func (npMgr *NetworkPolicyManager) AddNamespace(nsObj *corev1.Namespace) error {
 func (npMgr *NetworkPolicyManager) UpdateNamespace(oldNsObj *corev1.Namespace, newNsObj *corev1.Namespace) error {
 	var err error
 
-	oldNsName, oldNsNs, oldNsLabel := oldNsObj.ObjectMeta.Name, oldNsObj.ObjectMeta.Namespace, oldNsObj.ObjectMeta.Labels
-	newNsName, newNsNs, newNsLabel := newNsObj.ObjectMeta.Name, newNsObj.ObjectMeta.Namespace, newNsObj.ObjectMeta.Labels
+	oldNsNs, oldNsLabel := "ns-" + oldNsObj.ObjectMeta.Name, oldNsObj.ObjectMeta.Labels
+	newNsNs, newNsLabel := "ns-" + newNsObj.ObjectMeta.Name, newNsObj.ObjectMeta.Labels
 	log.Printf(
-		"NAMESPACE UPDATING:\n old namespace: [%s/%s/%+v]\n new namespace: [%s/%s/%+v]",
-		oldNsName, oldNsNs, oldNsLabel, newNsName, newNsNs, newNsLabel,
+		"NAMESPACE UPDATING:\n old namespace: [%s/%v]\n new namespace: [%s/%v]",
+		oldNsNs, oldNsLabel, newNsNs, newNsLabel,
 	)
 
 	if err = npMgr.DeleteNamespace(oldNsObj); err != nil {
@@ -149,8 +166,8 @@ func (npMgr *NetworkPolicyManager) DeleteNamespace(nsObj *corev1.Namespace) erro
 
 	var err error
 
-	nsName, nsNs, nsLabel := nsObj.ObjectMeta.Name, nsObj.ObjectMeta.Namespace, nsObj.ObjectMeta.Labels
-	log.Printf("NAMESPACE DELETING: [%s/%s/%+v]", nsName, nsNs, nsLabel)
+	nsName, nsLabel := "ns-" + nsObj.ObjectMeta.Name, nsObj.ObjectMeta.Labels
+	log.Printf("NAMESPACE DELETING: [%s/%v]", nsName, nsLabel)
 
 	_, exists := npMgr.nsMap[nsName]
 	if !exists {
@@ -159,16 +176,21 @@ func (npMgr *NetworkPolicyManager) DeleteNamespace(nsObj *corev1.Namespace) erro
 
 	// Delete the namespace from its label's ipset list.
 	ipsMgr := npMgr.nsMap[util.KubeAllNamespacesFlag].ipsMgr
-	var labelKeys []string
 	nsLabels := nsObj.ObjectMeta.Labels
 	for nsLabelKey, nsLabelVal := range nsLabels {
-		labelKey := util.GetNsIpsetName(nsLabelKey, nsLabelVal)
+		labelKey := "ns-" + nsLabelKey
 		log.Printf("Deleting namespace %s from ipset list %s", nsName, labelKey)
 		if err = ipsMgr.DeleteFromList(labelKey, nsName); err != nil {
 			log.Errorf("Error: failed to delete namespace %s from ipset list %s", nsName, labelKey)
 			return err
 		}
-		labelKeys = append(labelKeys, labelKey)
+
+		label := "ns-" + nsLabelKey + ":" + nsLabelVal
+		log.Printf("Deleting namespace %s from ipset list %s", nsName, label)
+		if err = ipsMgr.DeleteFromList(label, nsName); err != nil {
+			log.Errorf("Error: failed to delete namespace %s from ipset list %s", nsName, label)
+			return err
+		}
 	}
 
 	// Delete the namespace from all-namespace ipset list.

npm/npm.go

@@ -48,6 +48,7 @@ type NetworkPolicyManager struct {
 	nodeName               string
 	nsMap                  map[string]*namespace
 	isAzureNpmChainCreated bool
+	isSafeToCleanUpAzureNpmChain bool
 
 	clusterState  telemetry.ClusterState
 	reportManager *telemetry.ReportManager
@@ -219,6 +220,7 @@ func NewNetworkPolicyManager(clientset *kubernetes.Clientset, informerFactory in
 		nodeName:               os.Getenv("HOSTNAME"),
 		nsMap:                  make(map[string]*namespace),
 		isAzureNpmChainCreated: false,
+		isSafeToCleanUpAzureNpmChain: false,
 		clusterState: telemetry.ClusterState{
 			PodCount:      0,
 			NsCount:       0,