feat: [NPM] Adding Npm Lite (#3005)

* added npm lite feature

* enabled npm lite flag

* revert changes

* fix yaml file

* added unit test to test cidr only network policies allowed

* fixed comments

* updated comments

* added space in comment

* added test cases, fixed pr comments

* fixed lint errors

* fixed logic for pod informer

* refactored logic

* updated variable

* updated unit test case and desciption

* added logic to not allow named ports and updated error description

* added extra unit test cases

* created a new azure-npm-lite file

* resolve pr comments

* added a new line

* removed a new line

* added a new line

* added a new line

* added a new line

* fixed a lint formatting issue

* seperate params into two lines - lint

* modified formatting

* added npm yaml file for lte

* turned of npm lite

* fixed lint error

* followed go list suggestion - combine multi same param type

* refactored function param line

* fixed param line

* enebaled npm lite

* moved yaml files around

* ran gofumpt on the files

* added a unit test and disabled npm lite

* revert

* refactored yaml files

* combined npm files

* added seperation of daemon sets

* added unit test for fail scenario

* added unit test for fail scenario

* fixed all unit test cases

* seperated the 2 yamlf iles

* updated unit test

* enabled npm lite

Author: rejain456

npm/cacheencoder.go

@@ -28,8 +28,9 @@ func CacheEncoder(nodeName string) json.Marshaler {
 	cfg := npmconfig.DefaultConfig
 	cfg.Toggles.EnableHTTPDebugAPI = true
 	cfg.Toggles.EnableV2NPM = false
+	cfg.Toggles.EnableNPMLite = false
 	// TODO test v2 NPM debug API when it's implemented
-	npMgr := NewNetworkPolicyManager(cfg, kubeInformer, &dpmocks.MockGenericDataplane{}, exec, npmVersion, fakeK8sVersion)
+	npMgr := NewNetworkPolicyManager(cfg, kubeInformer, kubeInformer, &dpmocks.MockGenericDataplane{}, exec, npmVersion, fakeK8sVersion)
 	npMgr.NodeName = nodeName
 	return npMgr
 }

npm/cmd/start.go

@@ -20,6 +20,7 @@ import (
 	"github.com/Azure/azure-container-networking/npm/util"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
 	k8sversion "k8s.io/apimachinery/pkg/version"
 	"k8s.io/client-go/informers"
@@ -115,8 +116,21 @@ func start(config npmconfig.Config, flags npmconfig.Flags) error {
 	factor := rand.Float64() + 1 //nolint
 	resyncPeriod := time.Duration(float64(minResyncPeriod.Nanoseconds()) * factor)
 	klog.Infof("Resync period for NPM pod is set to %d.", int(resyncPeriod/time.Minute))
-	factory := informers.NewSharedInformerFactory(clientset, resyncPeriod)
 
+	factory := informers.NewSharedInformerFactory(clientset, resyncPeriod)
+	podFactory := factory // // Separate podFactory for different versions in npm and npm lite.
+	// npm-lite -> daemon set will listen to pods only in its own node
+	if config.Toggles.EnableNPMLite {
+		podFactory = informers.NewSharedInformerFactoryWithOptions(
+			clientset,
+			resyncPeriod,
+			informers.WithTweakListOptions(func(options *metav1.ListOptions) {
+				// Use field selector to filter pods based on their assigned node
+				klog.Infof("NPM agent is listening to pods only under its node")
+				options.FieldSelector = "spec.nodeName=" + models.GetNodeName()
+			}),
+		)
+	}
 	k8sServerVersion := k8sServerVersion(clientset)
 
 	var dp dataplane.GenericDataplane
@@ -181,7 +195,7 @@ func start(config npmconfig.Config, flags npmconfig.Flags) error {
 		}
 		dp.RunPeriodicTasks()
 	}
-	npMgr := npm.NewNetworkPolicyManager(config, factory, dp, exec.New(), version, k8sServerVersion)
+	npMgr := npm.NewNetworkPolicyManager(config, factory, podFactory, dp, exec.New(), version, k8sServerVersion)
 	err = metrics.CreateTelemetryHandle(config.NPMVersion(), version, npm.GetAIMetadata())
 	if err != nil {
 		klog.Infof("CreateTelemetryHandle failed with error %v. AITelemetry is not initialized.", err)

npm/config/config.go

@@ -51,6 +51,7 @@ var DefaultConfig = Config{
 		ApplyInBackground: true,
 		// NetPolInBackground is currently used in Linux to apply NetPol controller Add events in the background
 		NetPolInBackground: true,
+		EnableNPMLite:      false,
 	},
 }
 
@@ -94,6 +95,7 @@ type Toggles struct {
 	ApplyInBackground bool
 	// NetPolInBackground
 	NetPolInBackground bool
+	EnableNPMLite      bool
 }
 
 type Flags struct {

npm/controller/server.go

@@ -91,7 +91,7 @@ func NewNetworkPolicyServer(
 	n.NpmNamespaceCacheV2 = &controllersv2.NpmNamespaceCache{NsMap: make(map[string]*common.Namespace)}
 	n.PodControllerV2 = controllersv2.NewPodController(n.PodInformer, dp, n.NpmNamespaceCacheV2)
 	n.NamespaceControllerV2 = controllersv2.NewNamespaceController(n.NsInformer, dp, n.NpmNamespaceCacheV2)
-	n.NetPolControllerV2 = controllersv2.NewNetworkPolicyController(n.NpInformer, dp)
+	n.NetPolControllerV2 = controllersv2.NewNetworkPolicyController(n.NpInformer, dp, config.Toggles.EnableNPMLite)
 
 	return n, nil
 }

npm/examples/azure-npm-lite.yaml

@@ -0,0 +1,178 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: azure-npm
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: azure-npm
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - nodes
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - networkpolicies
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: azure-npm-binding
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+subjects:
+  - kind: ServiceAccount
+    name: azure-npm
+    namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: azure-npm
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: azure-npm
+  namespace: kube-system
+  labels:
+    app: azure-npm
+    addonmanager.kubernetes.io/mode: EnsureExists
+spec:
+  selector:
+    matchLabels:
+      k8s-app: azure-npm
+  template:
+    metadata:
+      labels:
+        k8s-app: azure-npm
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ""
+        azure.npm/scrapeable: ""
+    spec:
+      priorityClassName: system-node-critical
+      tolerations:
+        - operator: "Exists"
+          effect: NoExecute
+        - operator: "Exists"
+          effect: NoSchedule
+        - key: CriticalAddonsOnly
+          operator: Exists
+      containers:
+        - name: azure-npm
+          image: mcr.microsoft.com/containernetworking/azure-npm:v1.4.45.3
+          resources:
+            limits:
+              cpu: 250m
+              memory: 300Mi
+            requests:
+              cpu: 250m
+          securityContext:
+            privileged: false
+            capabilities:
+              add:
+              - NET_ADMIN
+            readOnlyRootFilesystem: true
+          env:
+            - name: HOSTNAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: NPM_CONFIG
+              value: /etc/azure-npm/azure-npm.json
+          volumeMounts:
+            - name: log
+              mountPath: /var/log
+            - name: xtables-lock
+              mountPath: /run/xtables.lock
+            - name: protocols
+              mountPath: /etc/protocols
+            - name: azure-npm-config
+              mountPath: /etc/azure-npm
+            - name: tmp
+              mountPath: /tmp
+      hostNetwork: true
+      hostUsers: false
+      nodeSelector:
+        kubernetes.io/os: linux
+      volumes:
+        - name: log
+          hostPath:
+            path: /var/log
+            type: Directory
+        - name: xtables-lock
+          hostPath:
+            path: /run/xtables.lock
+            type: File
+        - name: protocols
+          hostPath:
+            path: /etc/protocols
+            type: File
+        - name: azure-npm-config
+          configMap:
+            name: azure-npm-config
+        - name: tmp
+          emptyDir: {}
+      serviceAccountName: azure-npm
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: npm-metrics-cluster-service
+  namespace: kube-system
+  labels:
+    app: npm-metrics
+spec:
+  selector:
+    k8s-app: azure-npm
+  ports:
+    - port: 9000
+      targetPort: 10091
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: azure-npm-config
+  namespace: kube-system
+data:
+  azure-npm.json: |
+    {
+        "ResyncPeriodInMinutes":        15,
+        "ListeningPort":                10091,
+        "ListeningAddress":             "0.0.0.0",
+        "ApplyIntervalInMilliseconds":  500,
+        "ApplyMaxBatches":              100,
+        "MaxBatchedACLsPerPod":         30,
+        "NetPolInvervalInMilliseconds": 500,
+        "MaxPendingNetPols":            100,
+        "Toggles": {
+            "EnablePrometheusMetrics": true,
+            "EnablePprof":             true,
+            "EnableHTTPDebugAPI":      true,
+            "EnableV2NPM":             true,
+            "PlaceAzureChainFirst":    false,
+            "ApplyInBackground":       true,
+            "NetPolInBackground":      true
+            "EnableNPMLite":           true
+        }
+    }