modified code to add default deny acl policies only when default deny has been enabled to true in pni

Author: rejain789

cns/networkcontainers/networkcontainers.go

@@ -106,7 +106,7 @@ func DeleteLoopbackAdapter(adapterName string) error {
 }
 
 // This function gets the flattened network configuration (compliant with azure cni) in byte array format
-func getNetworkConfig(configFilePath string) ([]byte, error) {
+func getNetworkConfig(configFilePath string, defaultDenyACL bool) ([]byte, error) {
 	content, err := os.ReadFile(configFilePath)
 	if err != nil {
 		return nil, err
@@ -134,34 +134,35 @@ func getNetworkConfig(configFilePath string) ([]byte, error) {
 	flatNetConfigMap[versionStr] = configMap[versionStr].(string)
 	flatNetConfigMap[nameStr] = configMap[nameStr].(string)
 
-	// TODO Check if default deny bool is enabled to true
-	// insert default dent policy here
-	defaultDenyOutACL := map[string]interface{}{
-		"Name": "EndpointPolicy",
-		"Value": map[string]interface{}{
-			"Type":      "ACL",
-			"Action":    "Block",
-			"Direction": "Out",
-			"Priority":  300,
-		},
-	}
+	if defaultDenyACL {
+		// insert default dent policy here
+		defaultDenyOutACL := map[string]interface{}{
+			"Name": "EndpointPolicy",
+			"Value": map[string]interface{}{
+				"Type":      "ACL",
+				"Action":    "Block",
+				"Direction": "Out",
+				"Priority":  300,
+			},
+		}
 
-	defaultDenyInACL := map[string]interface{}{
-		"Name": "EndpointPolicy",
-		"Value": map[string]interface{}{
-			"Type":      "ACL",
-			"Action":    "Block",
-			"Direction": "In",
-			"Priority":  300,
-		},
-	}
-	additionalArgsKey := "AdditionalArgs"
-	if _, exists := flatNetConfigMap[additionalArgsKey]; !exists {
-		flatNetConfigMap[additionalArgsKey] = []interface{}{}
-	}
+		defaultDenyInACL := map[string]interface{}{
+			"Name": "EndpointPolicy",
+			"Value": map[string]interface{}{
+				"Type":      "ACL",
+				"Action":    "Block",
+				"Direction": "In",
+				"Priority":  300,
+			},
+		}
+		additionalArgsKey := "AdditionalArgs"
+		if _, exists := flatNetConfigMap[additionalArgsKey]; !exists {
+			flatNetConfigMap[additionalArgsKey] = []interface{}{}
+		}
 
-	flatNetConfigMap[additionalArgsKey] = append(flatNetConfigMap[additionalArgsKey].([]interface{}), defaultDenyOutACL)
-	flatNetConfigMap[additionalArgsKey] = append(flatNetConfigMap[additionalArgsKey].([]interface{}), defaultDenyInACL)
+		flatNetConfigMap[additionalArgsKey] = append(flatNetConfigMap[additionalArgsKey].([]interface{}), defaultDenyOutACL)
+		flatNetConfigMap[additionalArgsKey] = append(flatNetConfigMap[additionalArgsKey].([]interface{}), defaultDenyInACL)
+	}
 
 	// convert into bytes format
 	netConfig, err := json.Marshal(flatNetConfigMap)
@@ -227,17 +228,17 @@ func execPlugin(rt *libcni.RuntimeConf, netconf []byte, operation, path string)
 }
 
 // Attach - attaches network container to network.
-func (cn *NetworkContainers) Attach(podInfo cns.PodInfo, dockerContainerid string, netPluginConfig *NetPluginConfiguration) error {
+func (cn *NetworkContainers) Attach(podInfo cns.PodInfo, dockerContainerid string, netPluginConfig *NetPluginConfiguration, defaultDenyACL bool) error {
 	logger.Printf("[Azure CNS] NetworkContainers.Attach called")
-	err := configureNetworkContainerNetworking(cniAdd, podInfo.Name(), podInfo.Namespace(), dockerContainerid, netPluginConfig)
+	err := configureNetworkContainerNetworking(cniAdd, podInfo.Name(), podInfo.Namespace(), dockerContainerid, netPluginConfig, defaultDenyACL)
 	logger.Printf("[Azure CNS] NetworkContainers.Attach finished")
 	return err
 }
 
 // Detach - detaches network container from network.
-func (cn *NetworkContainers) Detach(podInfo cns.PodInfo, dockerContainerid string, netPluginConfig *NetPluginConfiguration) error {
+func (cn *NetworkContainers) Detach(podInfo cns.PodInfo, dockerContainerid string, netPluginConfig *NetPluginConfiguration, defaultDenyACL bool) error {
 	logger.Printf("[Azure CNS] NetworkContainers.Detach called")
-	err := configureNetworkContainerNetworking(cniDelete, podInfo.Name(), podInfo.Namespace(), dockerContainerid, netPluginConfig)
+	err := configureNetworkContainerNetworking(cniDelete, podInfo.Name(), podInfo.Namespace(), dockerContainerid, netPluginConfig, defaultDenyACL)
 	logger.Printf("[Azure CNS] NetworkContainers.Detach finished")
 	return err
 }

cns/networkcontainers/networkcontainers_linux.go

@@ -64,7 +64,7 @@ func updateInterface(createNetworkContainerRequest cns.CreateNetworkContainerReq
 
 	logger.Printf("[Azure CNS] run time configuration for CNI plugin info %+v", rt)
 
-	netConfig, err := getNetworkConfig(netpluginConfig.networkConfigPath)
+	netConfig, err := getNetworkConfig(netpluginConfig.networkConfigPath, false)
 	if err != nil {
 		logger.Printf("[Azure CNS] Failed to build network configuration with error %v", err)
 		return err
@@ -85,7 +85,7 @@ func deleteInterface(networkContainerID string) error {
 	return nil
 }
 
-func configureNetworkContainerNetworking(operation, podName, podNamespace, dockerContainerid string, netPluginConfig *NetPluginConfiguration) (err error) {
+func configureNetworkContainerNetworking(operation, podName, podNamespace, dockerContainerid string, netPluginConfig *NetPluginConfiguration, defaultDenyACL bool) (err error) {
 	return fmt.Errorf("[Azure CNS] Operation is not supported in linux.")
 }
 

cns/networkcontainers/networkcontainers_windows.go

@@ -219,7 +219,7 @@ func deleteInterface(interfaceName string) error {
 	return err
 }
 
-func configureNetworkContainerNetworking(operation, podName, podNamespace, dockerContainerid string, netPluginConfig *NetPluginConfiguration) (err error) {
+func configureNetworkContainerNetworking(operation, podName, podNamespace, dockerContainerid string, netPluginConfig *NetPluginConfiguration, defaultDenyACL bool) (err error) {
 	cniRtConf := &libcni.RuntimeConf{
 		ContainerID: dockerContainerid,
 		NetNS:       "none",
@@ -231,7 +231,7 @@ func configureNetworkContainerNetworking(operation, podName, podNamespace, docke
 	}
 	logger.Printf("[Azure CNS] run time conf info %+v", cniRtConf)
 
-	netConfig, err := getNetworkConfig(netPluginConfig.networkConfigPath)
+	netConfig, err := getNetworkConfig(netPluginConfig.networkConfigPath, defaultDenyACL)
 	if err != nil {
 		logger.Printf("[Azure CNS] Failed to build network configuration with error %v", err)
 		return err

cns/restserver/util.go

@@ -676,6 +676,9 @@ func (service *HTTPRestService) attachOrDetachHelper(req cns.ConfigureContainerN
 
 	var returnCode types.ResponseCode
 	var returnMessage string
+	nc := service.state.ContainerStatus[req.NetworkContainerid]
+	defaultDenyACL := nc.CreateNetworkContainerRequest.DefaultDenyACL
+
 	switch service.state.OrchestratorType {
 	case cns.Batch:
 		podInfo, err := cns.UnmarshalPodInfo(existing.CreateNetworkContainerRequest.OrchestratorContext)
@@ -687,9 +690,9 @@ func (service *HTTPRestService) attachOrDetachHelper(req cns.ConfigureContainerN
 			netPluginConfig := service.getNetPluginDetails()
 			switch operation {
 			case attach:
-				err = nc.Attach(podInfo, req.Containerid, netPluginConfig)
+				err = nc.Attach(podInfo, req.Containerid, netPluginConfig, defaultDenyACL)
 			case detach:
-				err = nc.Detach(podInfo, req.Containerid, netPluginConfig)
+				err = nc.Detach(podInfo, req.Containerid, netPluginConfig, defaultDenyACL)
 			}
 			if err != nil {
 				returnCode = types.UnexpectedError

crd/multitenancy/manifests/multitenancy.acn.azure.com_podnetworkinstances.yaml

@@ -57,6 +57,10 @@ spec:
                 default: 0
                 description: Deprecated - use PodNetworks
                 type: integer
+              DefaultDenyACL:
+                default: false
+                description: indicates whether default deny policy will be present on the pods upon pod creation
+                type: bool
               podNetworkConfigs:
                 description: |-
                   PodNetworkConfigs describes each PodNetwork to attach to a single Pod