added npm lite default deny cni changes

Author: rejain789

cni/network/invoker.go

@@ -28,7 +28,8 @@ type IPAMAddConfig struct {
 type IPAMAddResult struct {
 	interfaceInfo map[string]network.InterfaceInfo
 	// ncResponse and host subnet prefix were moved into interface info
-	ipv6Enabled bool
+	ipv6Enabled    bool
+	defaultDenyACL []cni.KVPair
 }
 
 func (ipamAddResult IPAMAddResult) PrettyString() string {

cni/network/invoker_cns.go

@@ -55,6 +55,7 @@ type IPResultInfo struct {
 	skipDefaultRoutes  bool
 	routes             []cns.Route
 	pnpID              string
+	defaultDenyACL     []cni.KVPair
 }
 
 func (i IPResultInfo) MarshalLogObject(encoder zapcore.ObjectEncoder) error {
@@ -159,6 +160,7 @@ func (invoker *CNSIPAMInvoker) Add(addConfig IPAMAddConfig) (IPAMAddResult, erro
 			skipDefaultRoutes:  response.PodIPInfo[i].SkipDefaultRoutes,
 			routes:             response.PodIPInfo[i].Routes,
 			pnpID:              response.PodIPInfo[i].PnPID,
+			defaultDenyACL:     response.PodIPInfo[i].DefaultDenyACL,
 		}
 
 		logger.Info("Received info for pod",
@@ -444,6 +446,9 @@ func configureDefaultAddResult(info *IPResultInfo, addConfig *IPAMAddConfig, add
 				Gw:  ncgw,
 			})
 		}
+
+		addResult.defaultDenyACL = append(addResult.defaultDenyACL, info.defaultDenyACL...)
+
 		// if we have multiple infra ip result infos, we effectively append routes and ip configs to that same interface info each time
 		// the host subnet prefix (in ipv4 or ipv6) will always refer to the same interface regardless of which ip result info we look at
 		addResult.interfaceInfo[key] = network.InterfaceInfo{

cni/network/network.go

@@ -589,6 +589,8 @@ func (plugin *NetPlugin) Add(args *cniSkel.CmdArgs) error {
 		// sendEvent(plugin, fmt.Sprintf("Allocated IPAddress from ipam DefaultInterface: %+v, SecondaryInterfaces: %+v", ipamAddResult.interfaceInfo[ifIndex], ipamAddResult.interfaceInfo))
 	}
 
+	logger.Info("The length of ipamAddResult defaultDenyACL's is", zap.Any("defaultDenyACLLength", ipamAddResult.defaultDenyACL))
+	nwCfg.AdditionalArgs = append(nwCfg.AdditionalArgs, ipamAddResult.defaultDenyACL...)
 	policies := cni.GetPoliciesFromNwCfg(nwCfg.AdditionalArgs)
 	// moved to addIpamInvoker
 	// sendEvent(plugin, fmt.Sprintf("Allocated IPAddress from ipam interface: %+v", ipamAddResult.PrettyString()))

cns/NetworkContainerContract.go

@@ -7,6 +7,7 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/Azure/azure-container-networking/cni"
 	"github.com/Azure/azure-container-networking/cns/types"
 	"github.com/Azure/azure-container-networking/crd/nodenetworkconfig/api/v1alpha"
 	"github.com/google/uuid"
@@ -503,6 +504,8 @@ type PodIpInfo struct {
 	Routes []Route
 	// PnpId is set for backend interfaces, Pnp Id identifies VF. Plug and play id(pnp) is also called as PCI ID
 	PnPID string
+	// Defauly Deny ACL's to configure on HNS endpoints for Swiftv2 window nodes
+	DefaultDenyACL []cni.KVPair
 }
 
 type HostIPInfo struct {