apply policies in a way where the network policy may seem order agnostic (#462)

Author: jaer-tsun

npm/translatePolicy.go

@@ -144,9 +144,10 @@ func craftPartialIptablesCommentFromSelector(ns string, selector *metav1.LabelSe
 
 func translateIngress(ns string, targetSelector metav1.LabelSelector, rules []networkingv1.NetworkPolicyIngressRule) ([]string, []string, []*iptm.IptEntry) {
 	var (
-		sets    []string // ipsets with type: net:hash
-		lists   []string // ipsets with type: list:set
-		entries []*iptm.IptEntry
+		sets                                  []string // ipsets with type: net:hash
+		lists                                 []string // ipsets with type: list:set
+		entries                               []*iptm.IptEntry
+		fromRuleEntries                       []*iptm.IptEntry
 		addedIngressFromEntry, addedPortEntry bool // add drop entries at the end of the chain when there are non ALLOW-ALL* rules
 	)
 
@@ -264,7 +265,7 @@ func translateIngress(ns string, targetSelector metav1.LabelSelector, rules []ne
 							"DROP-"+except+
 								"-TO-"+targetSelectorComment,
 						)
-						entries = append(entries, exceptEntry)
+						fromRuleEntries = append(fromRuleEntries, exceptEntry)
 					}
 					addedIngressFromEntry = true
 				}
@@ -295,7 +296,7 @@ func translateIngress(ns string, targetSelector metav1.LabelSelector, rules []ne
 									"-:-"+craftPartialIptablesCommentFromPort(portRule, util.IptablesDstPortFlag)+
 									"-TO-"+targetSelectorComment,
 							)
-							entries = append(entries, entry)
+							fromRuleEntries = append(fromRuleEntries, entry)
 						}
 					} else {
 						cidrEntry := &iptm.IptEntry{
@@ -317,7 +318,7 @@ func translateIngress(ns string, targetSelector metav1.LabelSelector, rules []ne
 							"ALLOW-"+fromRule.IPBlock.CIDR+
 								"-TO-"+targetSelectorComment,
 						)
-						entries = append(entries, cidrEntry)
+						fromRuleEntries = append(fromRuleEntries, cidrEntry)
 						addedIngressFromEntry = true
 					}
 				}
@@ -569,6 +570,10 @@ func translateIngress(ns string, targetSelector metav1.LabelSelector, rules []ne
 		}
 	}
 
+	if len(fromRuleEntries) > 0 {
+		entries = append(entries, fromRuleEntries...)
+	}
+
 	if addedPortEntry && !addedIngressFromEntry {
 		entry := &iptm.IptEntry{
 			Chain: util.IptablesAzureIngressPortChain,
@@ -627,9 +632,10 @@ func translateIngress(ns string, targetSelector metav1.LabelSelector, rules []ne
 
 func translateEgress(ns string, targetSelector metav1.LabelSelector, rules []networkingv1.NetworkPolicyEgressRule) ([]string, []string, []*iptm.IptEntry) {
 	var (
-		sets    []string // ipsets with type: net:hash
-		lists   []string // ipsets with type: list:set
-		entries []*iptm.IptEntry
+		sets                               []string // ipsets with type: net:hash
+		lists                              []string // ipsets with type: list:set
+		entries                            []*iptm.IptEntry
+		toRuleEntries                      []*iptm.IptEntry 
 		addedEgressToEntry, addedPortEntry bool // add drop entry when there are non ALLOW-ALL* rules
 	)
 
@@ -742,7 +748,7 @@ func translateEgress(ns string, targetSelector metav1.LabelSelector, rules []net
 							"DROP-"+except+
 								"-FROM-"+targetSelectorComment,
 						)
-						entries = append(entries, exceptEntry)
+						toRuleEntries = append(toRuleEntries, exceptEntry)
 					}
 					addedEgressToEntry = true
 				}
@@ -773,7 +779,7 @@ func translateEgress(ns string, targetSelector metav1.LabelSelector, rules []net
 									"-:-"+craftPartialIptablesCommentFromPort(portRule, util.IptablesDstPortFlag)+
 									"-FROM-"+targetSelectorComment,
 							)
-							entries = append(entries, entry)
+							toRuleEntries = append(toRuleEntries, entry)
 						}
 					} else {
 						cidrEntry := &iptm.IptEntry{
@@ -798,7 +804,7 @@ func translateEgress(ns string, targetSelector metav1.LabelSelector, rules []net
 							"ALLOW-"+toRule.IPBlock.CIDR+
 								"-FROM-"+targetSelectorComment,
 						)
-						entries = append(entries, cidrEntry)
+						toRuleEntries = append(toRuleEntries, cidrEntry)
 						addedEgressToEntry = true
 					}
 				}
@@ -1051,6 +1057,10 @@ func translateEgress(ns string, targetSelector metav1.LabelSelector, rules []net
 		}
 	}
 
+	if len(toRuleEntries) > 0 {
+		entries = append(entries, toRuleEntries...)
+	}
+
 	if addedPortEntry && !addedEgressToEntry {
 		entry := &iptm.IptEntry{
 			Chain: util.IptablesAzureEgressPortChain,

npm/translatePolicy_test.go

@@ -2989,33 +2989,18 @@ func TestTranslatePolicy(t *testing.T) {
 	expectedIptEntries = []*iptm.IptEntry{}
 	nonKubeSystemEntries = []*iptm.IptEntry{
 		&iptm.IptEntry{
-			Chain: util.IptablesAzureIngressFromChain,
+			Chain: util.IptablesAzureIngressPortChain,
 			Specs: []string{
-				util.IptablesSFlag,
-				"172.17.1.0/24",
 				util.IptablesModuleFlag,
 				util.IptablesSetModuleFlag,
 				util.IptablesMatchSetFlag,
 				util.GetHashedName("role:db"),
 				util.IptablesDstFlag,
-				util.IptablesJumpFlag,
-				util.IptablesDrop,
-				util.IptablesModuleFlag,
-				util.IptablesCommentModuleFlag,
-				util.IptablesCommentFlag,
-				"DROP-172.17.1.0/24-TO-role:db",
-			},
-		},
-		&iptm.IptEntry{
-			Chain: util.IptablesAzureIngressPortChain,
-			Specs: []string{
 				util.IptablesModuleFlag,
 				util.IptablesSetModuleFlag,
 				util.IptablesMatchSetFlag,
-				util.GetHashedName("role:db"),
-				util.IptablesDstFlag,
-				util.IptablesSFlag,
-				"172.17.0.0/16",
+				util.GetHashedName("ns-project:myproject"),
+				util.IptablesSrcFlag,
 				util.IptablesProtFlag,
 				"TCP",
 				util.IptablesDstPortFlag,
@@ -3025,7 +3010,7 @@ func TestTranslatePolicy(t *testing.T) {
 				util.IptablesModuleFlag,
 				util.IptablesCommentModuleFlag,
 				util.IptablesCommentFlag,
-				"ALLOW-172.17.0.0/16-:-TCP-PORT-6379-TO-role:db",
+				"ALLOW-ns-project:myproject-AND-TCP-PORT-6379-TO-role:db",
 			},
 		},
 		&iptm.IptEntry{
@@ -3039,7 +3024,7 @@ func TestTranslatePolicy(t *testing.T) {
 				util.IptablesModuleFlag,
 				util.IptablesSetModuleFlag,
 				util.IptablesMatchSetFlag,
-				util.GetHashedName("ns-project:myproject"),
+				util.GetHashedName("role:frontend"),
 				util.IptablesSrcFlag,
 				util.IptablesProtFlag,
 				"TCP",
@@ -3050,22 +3035,37 @@ func TestTranslatePolicy(t *testing.T) {
 				util.IptablesModuleFlag,
 				util.IptablesCommentModuleFlag,
 				util.IptablesCommentFlag,
-				"ALLOW-ns-project:myproject-AND-TCP-PORT-6379-TO-role:db",
+				"ALLOW-role:frontend-AND-TCP-PORT-6379-TO-role:db",
 			},
 		},
 		&iptm.IptEntry{
-			Chain: util.IptablesAzureIngressPortChain,
+			Chain: util.IptablesAzureIngressFromChain,
 			Specs: []string{
+				util.IptablesSFlag,
+				"172.17.1.0/24",
 				util.IptablesModuleFlag,
 				util.IptablesSetModuleFlag,
 				util.IptablesMatchSetFlag,
 				util.GetHashedName("role:db"),
 				util.IptablesDstFlag,
+				util.IptablesJumpFlag,
+				util.IptablesDrop,
+				util.IptablesModuleFlag,
+				util.IptablesCommentModuleFlag,
+				util.IptablesCommentFlag,
+				"DROP-172.17.1.0/24-TO-role:db",
+			},
+		},
+		&iptm.IptEntry{
+			Chain: util.IptablesAzureIngressPortChain,
+			Specs: []string{
 				util.IptablesModuleFlag,
 				util.IptablesSetModuleFlag,
 				util.IptablesMatchSetFlag,
-				util.GetHashedName("role:frontend"),
-				util.IptablesSrcFlag,
+				util.GetHashedName("role:db"),
+				util.IptablesDstFlag,
+				util.IptablesSFlag,
+				"172.17.0.0/16",
 				util.IptablesProtFlag,
 				"TCP",
 				util.IptablesDstPortFlag,
@@ -3075,7 +3075,7 @@ func TestTranslatePolicy(t *testing.T) {
 				util.IptablesModuleFlag,
 				util.IptablesCommentModuleFlag,
 				util.IptablesCommentFlag,
-				"ALLOW-role:frontend-AND-TCP-PORT-6379-TO-role:db",
+				"ALLOW-172.17.0.0/16-:-TCP-PORT-6379-TO-role:db",
 			},
 		},
 		&iptm.IptEntry{