
Commit d8d848f

author
Yongli Chen
authored
Support new network policy definition since Kubernetes version 1.11 (#307)
1 parent 3611fcf commit d8d848f


7 files changed

+957
-442
lines changed

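--- a/npm/iptm/iptm.go
+++ b/npm/iptm/iptm.go
@@ -66,7 +66,7 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
 entry.Specs = []string{
 util.IptablesMatchFlag,
 util.IptablesStateFlag,
-util.IPtablesMatchStateFlag,
+util.IptablesMatchStateFlag,
 util.IptablesRelatedState + "," + util.IptablesEstablishedState,
 util.IptablesJumpFlag,
 util.IptablesAccept,
@@ -84,50 +84,6 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
 }
 }
 
-// Add default allow kube-system rules to AZURE-NPM chain.
-entry.Specs = []string{
-util.IptablesMatchFlag,
-util.IptablesSetFlag,
-util.IptablesMatchSetFlag,
-util.GetHashedName(util.KubeSystemFlag),
-util.IptablesDstFlag,
-util.IptablesJumpFlag,
-util.IptablesAccept,
-}
-exists, err = iptMgr.Exists(entry)
-if err != nil {
-return err
-}
-
-if !exists {
-iptMgr.OperationFlag = util.IptablesAppendFlag
-if _, err := iptMgr.Run(entry); err != nil {
-log.Printf("Error adding default allow kube-system rule to AZURE-NPM chain\n")
-return err
-}
-}
-
-entry.Specs = []string{
-util.IptablesMatchFlag,
-util.IptablesSetFlag,
-util.IptablesMatchSetFlag,
-util.GetHashedName(util.KubeSystemFlag),
-util.IptablesSrcFlag,
-util.IptablesJumpFlag,
-util.IptablesAccept,
-}
-exists, err = iptMgr.Exists(entry)
-if err != nil {
-return err
-}
-
-if !exists {
-iptMgr.OperationFlag = util.IptablesAppendFlag
-if _, err := iptMgr.Run(entry); err != nil {
-log.Printf("Error adding default allow kube-system rule to AZURE-NPM chain\n")
-return err
-}
-}
 // Create AZURE-NPM-INGRESS-PORT chain.
 if err := iptMgr.AddChain(util.IptablesAzureIngressPortChain); err != nil {
 return err
@@ -149,8 +105,13 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
 }
 }
 
-// Create AZURE-NPM-INGRESS-FROM chain.
-if err := iptMgr.AddChain(util.IptablesAzureIngressFromChain); err != nil {
+// Create AZURE-NPM-INGRESS-FROM-NS chain.
+if err = iptMgr.AddChain(util.IptablesAzureIngressFromNsChain); err != nil {
+return err
+}
+
+// Create AZURE-NPM-INGRESS-FROM-POD chain.
+if err = iptMgr.AddChain(util.IptablesAzureIngressFromPodChain); err != nil {
 return err
 }
 
@@ -175,8 +136,13 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
 }
 }
 
-// Create AZURE-NPM-EGRESS-FROM chain.
-if err := iptMgr.AddChain(util.IptablesAzureEgressToChain); err != nil {
+// Create AZURE-NPM-EGRESS-TO-NS chain.
+if err = iptMgr.AddChain(util.IptablesAzureEgressToNsChain); err != nil {
+return err
+}
+
+// Create AZURE-NPM-EGRESS-TO-POD chain.
+if err = iptMgr.AddChain(util.IptablesAzureEgressToPodChain); err != nil {
 return err
 }
 
@@ -209,9 +175,11 @@ func (iptMgr *IptablesManager) UninitNpmChains() error {
 IptablesAzureChainList := []string{
 util.IptablesAzureChain,
 util.IptablesAzureIngressPortChain,
-util.IptablesAzureIngressFromChain,
+util.IptablesAzureIngressFromNsChain,
+util.IptablesAzureIngressFromPodChain,
 util.IptablesAzureEgressPortChain,
-util.IptablesAzureEgressToChain,
+util.IptablesAzureEgressToNsChain,
+util.IptablesAzureEgressToPodChain,
 util.IptablesAzureTargetSetsChain,
 }
 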
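Review bot: The two default ACCEPT rules for kube-system traffic in InitNpmChains (old lines 87–130, one matching the hashed KubeSystemFlag set as destination and one as source) are dropped in the second hunk without anything in this section taking their place, and the commit message does not say why. If the intent is that the new INGRESS-FROM-NS/EGRESS-TO-NS chains now treat kube-system like any other namespace, a comment at the removal point such as `// kube-system traffic is no longer accepted unconditionally; it is matched through the per-namespace chains below` would record that decision; if not, pods selected by an isolating policy may lose reachability to kube-system services, so the behaviour change deserves an explicit statement either way. Separately, the new AddChain calls for the INGRESS-FROM-NS/POD and EGRESS-TO-NS/POD chains use `if err = iptMgr.AddChain(...)` while the INGRESS-PORT call on context line 88 still uses `if err := ...`; one form should be used across the function. InitNpmChains and UninitNpmChains both continue outside these hunks.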
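--- a/npm/namespace.go
+++ b/npm/namespace.go
@@ -40,10 +40,6 @@ func isSystemNs(nsObj *corev1.Namespace) bool {
 return nsObj.ObjectMeta.Name == util.KubeSystemFlag
 }
 
-func getNsIpsetName(k, v string) string {
-return "ns-" + k + ":" + v
-}
-
 // InitAllNsList syncs all-namespace ipset list.
 func (npMgr *NetworkPolicyManager) InitAllNsList() error {
 allNs := npMgr.nsMap[util.KubeAllNamespacesFlag]
@@ -110,7 +106,7 @@ func (npMgr *NetworkPolicyManager) AddNamespace(nsObj *corev1.Namespace) error {
 var labelKeys []string
 nsLabels := nsObj.ObjectMeta.Labels
 for nsLabelKey, nsLabelVal := range nsLabels {
-labelKey := getNsIpsetName(nsLabelKey, nsLabelVal)
+labelKey := util.GetNsIpsetName(nsLabelKey, nsLabelVal)
 log.Printf("Adding namespace %s to ipset list %s\n", nsName, labelKey)
 if err = ipsMgr.AddToList(labelKey, nsName); err != nil {
 log.Printf("Error Adding namespace %s to ipset list %s\n", nsName, labelKey)
@@ -184,7 +180,7 @@ func (npMgr *NetworkPolicyManager) DeleteNamespace(nsObj *corev1.Namespace) erro
 var labelKeys []string
 nsLabels := nsObj.ObjectMeta.Labels
 for nsLabelKey, nsLabelVal := range nsLabels {
-labelKey := getNsIpsetName(nsLabelKey, nsLabelVal)
+labelKey := util.GetNsIpsetName(nsLabelKey, nsLabelVal)
 log.Printf("Deleting namespace %s from ipset list %s\n", nsName, labelKey)
 if err = ipsMgr.DeleteFromList(labelKey, nsName); err != nil {
 log.Printf("Error deleting namespace %s from ipset list %s\n", nsName, labelKey)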
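--- a/npm/npm.go
+++ b/npm/npm.go
@@ -14,6 +14,7 @@ import (
 "github.com/Azure/azure-container-networking/telemetry"
 corev1 "k8s.io/api/core/v1"
 networkingv1 "k8s.io/api/networking/v1"
+"k8s.io/apimachinery/pkg/version"
 "k8s.io/client-go/informers"
 coreinformers "k8s.io/client-go/informers/core/v1"
 networkinginformers "k8s.io/client-go/informers/networking/v1"
@@ -42,6 +43,8 @@ type NetworkPolicyManager struct {
 
 clusterState telemetry.ClusterState
 reportManager *telemetry.ReportManager
+
+serverVersion *version.Info
 }
 
 // GetClusterState returns current cluster state.
@@ -116,14 +119,26 @@ func NewNetworkPolicyManager(clientset *kubernetes.Clientset, informerFactory in
 nsInformer := informerFactory.Core().V1().Namespaces()
 npInformer := informerFactory.Networking().V1().NetworkPolicies()
 
+serverVersion, err := clientset.ServerVersion()
+if err != nil {
+log.Printf("Error retrieving server version")
+panic(err.Error)
+}
+log.Printf("API server version: %+v", serverVersion)
+
+if err = util.SetIsNewNwPolicyVerFlag(serverVersion); err != nil {
+log.Printf("Error setting IsNewNwPolicyVerFlag")
+panic(err.Error)
+}
+
 npMgr := &NetworkPolicyManager{
-clientset: clientset,
-informerFactory: informerFactory,
-podInformer: podInformer,
-nsInformer: nsInformer,
-npInformer: npInformer,
-nodeName: os.Getenv("HOSTNAME"),
-nsMap: make(map[string]*namespace),
+clientset: clientset,
+informerFactory: informerFactory,
+podInformer: podInformer,
+nsInformer: nsInformer,
+npInformer: npInformer,
+nodeName: os.Getenv("HOSTNAME"),
+nsMap: make(map[string]*namespace),
 isAzureNpmChainCreated: false,
 clusterState: telemetry.ClusterState{
 PodCount: 0,
@@ -135,12 +150,7 @@ func NewNetworkPolicyManager(clientset *kubernetes.Clientset, informerFactory in
 ContentType: contentType,
 Report: &telemetry.NPMReport{},
 },
-}
-
-serverVersion, err := clientset.ServerVersion()
-if err != nil {
-log.Printf("Error retrieving server version")
-panic(err.Error)
+serverVersion: serverVersion,
 }
 
 clusterID := util.GetClusterID(npMgr.nodeName)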
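Review bot: `panic(err.Error)` on new lines 125 and 131 passes the Error method value instead of calling it, so the panic message is a function value rather than the error text, and the reason the agent died cannot be read from the log; both should be `panic(err)` (or `panic(err.Error())`). The removed block at old line 143 already had this mistake, but the new code keeps it and repeats it for the SetIsNewNwPolicyVerFlag failure, so it is worth correcting while the lines are being moved. It also appears that any failure of clientset.ServerVersion() at startup, including a transient API-server error, now aborts construction of the manager; if that is intended, a short comment saying the version is required to choose the policy format would make the hard failure deliberate rather than accidental. NewNetworkPolicyManager continues outside the hunk.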