Azure · rejain456 · Nov 24, 2024 · Nov 24, 2024 · Nov 24, 2024 · Nov 24, 2024
@@ -59,6 +59,7 @@ func setEndpointOptions(cnsNwConfig *cns.GetNetworkContainerResponse, epInfo *ne
 		epInfo.AllowInboundFromHostToNC = cnsNwConfig.AllowHostToNCCommunication
 		epInfo.AllowInboundFromNCToHost = cnsNwConfig.AllowNCToHostCommunication
 		epInfo.NetworkContainerID = cnsNwConfig.NetworkContainerID
+		epInfo.DefaultDenyACL = cnsNwConfig.DefaultDenyACL
 	}
 }
 

@@ -127,6 +127,7 @@ type CreateNetworkContainerRequest struct {
 	EndpointPolicies           []NetworkContainerRequestPolicies
 	NCStatus                   v1alpha.NCStatus
 	NetworkInterfaceInfo       NetworkInterfaceInfo //nolint // introducing new field for backendnic, to be used later by cni code
+	DefaultDenyACL             bool                 // specifies whether a "deny all" policy is applied to l1vh multi-tenant pods
 }
 
 func (req *CreateNetworkContainerRequest) Validate() error {
@@ -487,6 +488,7 @@ type GetNetworkContainerResponse struct {
 	AllowHostToNCCommunication bool
 	AllowNCToHostCommunication bool
 	NetworkInterfaceInfo       NetworkInterfaceInfo
+	DefaultDenyACL             bool // specifies whether a "deny all" policy is applied to l1vh multi-tenant pods
 }
 
 type PodIpInfo struct {

@@ -106,7 +106,7 @@
 }
 
 // This function gets the flattened network configuration (compliant with azure cni) in byte array format
-func getNetworkConfig(configFilePath string) ([]byte, error) {
+func getNetworkConfig(configFilePath string, defaultDenyACL bool) ([]byte, error) {
 	content, err := os.ReadFile(configFilePath)
 	if err != nil {
 		return nil, err
@@ -134,6 +134,36 @@
 	flatNetConfigMap[versionStr] = configMap[versionStr].(string)
 	flatNetConfigMap[nameStr] = configMap[nameStr].(string)
 
+	if defaultDenyACL {
+		// insert default deny policies here
+		defaultDenyOutACL := map[string]interface{}{
+			"Name": "EndpointPolicy",
+			"Value": map[string]interface{}{
+				"Type":      "ACL",
+				"Action":    "Block",
+				"Direction": "Out",
+				"Priority":  300,
+			},
+		}
+
+		defaultDenyInACL := map[string]interface{}{
+			"Name": "EndpointPolicy",
+			"Value": map[string]interface{}{
+				"Type":      "ACL",
+				"Action":    "Block",
+				"Direction": "In",
+				"Priority":  300,
+			},
+		}
+		additionalArgsKey := "AdditionalArgs"
+		if _, exists := flatNetConfigMap[additionalArgsKey]; !exists {
+			flatNetConfigMap[additionalArgsKey] = []interface{}{}
+		}
+
+		flatNetConfigMap[additionalArgsKey] = append(flatNetConfigMap[additionalArgsKey].([]interface{}), defaultDenyOutACL)
+		flatNetConfigMap[additionalArgsKey] = append(flatNetConfigMap[additionalArgsKey].([]interface{}), defaultDenyInACL)
+	}
+
 	// convert into bytes format
 	netConfig, err := json.Marshal(flatNetConfigMap)
 	if err != nil {
@@ -198,17 +228,17 @@
 }
 
 // Attach - attaches network container to network.
-func (cn *NetworkContainers) Attach(podInfo cns.PodInfo, dockerContainerid string, netPluginConfig *NetPluginConfiguration) error {
+func (cn *NetworkContainers) Attach(podInfo cns.PodInfo, dockerContainerid string, netPluginConfig *NetPluginConfiguration, defaultDenyACL bool) error {
 	logger.Printf("[Azure CNS] NetworkContainers.Attach called")
-	err := configureNetworkContainerNetworking(cniAdd, podInfo.Name(), podInfo.Namespace(), dockerContainerid, netPluginConfig)
+	err := configureNetworkContainerNetworking(cniAdd, podInfo.Name(), podInfo.Namespace(), dockerContainerid, netPluginConfig, defaultDenyACL)
 	logger.Printf("[Azure CNS] NetworkContainers.Attach finished")
 	return err
 }
 
 // Detach - detaches network container from network.
-func (cn *NetworkContainers) Detach(podInfo cns.PodInfo, dockerContainerid string, netPluginConfig *NetPluginConfiguration) error {
+func (cn *NetworkContainers) Detach(podInfo cns.PodInfo, dockerContainerid string, netPluginConfig *NetPluginConfiguration, defaultDenyACL bool) error {
 	logger.Printf("[Azure CNS] NetworkContainers.Detach called")
-	err := configureNetworkContainerNetworking(cniDelete, podInfo.Name(), podInfo.Namespace(), dockerContainerid, netPluginConfig)
+	err := configureNetworkContainerNetworking(cniDelete, podInfo.Name(), podInfo.Namespace(), dockerContainerid, netPluginConfig, defaultDenyACL)
 	logger.Printf("[Azure CNS] NetworkContainers.Detach finished")
 	return err
 }
@@ -64,7 +64,7 @@
 
 	logger.Printf("[Azure CNS] run time configuration for CNI plugin info %+v", rt)
 
-	netConfig, err := getNetworkConfig(netpluginConfig.networkConfigPath)
+	netConfig, err := getNetworkConfig(netpluginConfig.networkConfigPath, false)
 	if err != nil {
 		logger.Printf("[Azure CNS] Failed to build network configuration with error %v", err)
 		return err
@@ -85,7 +85,7 @@
 	return nil
 }
 
-func configureNetworkContainerNetworking(operation, podName, podNamespace, dockerContainerid string, netPluginConfig *NetPluginConfiguration) (err error) {
+func configureNetworkContainerNetworking(operation, podName, podNamespace, dockerContainerid string, netPluginConfig *NetPluginConfiguration, defaultDenyACL bool) (err error) {
 	return fmt.Errorf("[Azure CNS] Operation is not supported in linux.")
 }
 

@@ -219,7 +219,7 @@ func deleteInterface(interfaceName string) error {
 	return err
 }
 
-func configureNetworkContainerNetworking(operation, podName, podNamespace, dockerContainerid string, netPluginConfig *NetPluginConfiguration) (err error) {
+func configureNetworkContainerNetworking(operation, podName, podNamespace, dockerContainerid string, netPluginConfig *NetPluginConfiguration, defaultDenyACL bool) (err error) {
 	cniRtConf := &libcni.RuntimeConf{
 		ContainerID: dockerContainerid,
 		NetNS:       "none",
@@ -231,7 +231,7 @@ func configureNetworkContainerNetworking(operation, podName, podNamespace, docke
 	}
 	logger.Printf("[Azure CNS] run time conf info %+v", cniRtConf)
 
-	netConfig, err := getNetworkConfig(netPluginConfig.networkConfigPath)
+	netConfig, err := getNetworkConfig(netPluginConfig.networkConfigPath, defaultDenyACL)
 	if err != nil {
 		logger.Printf("[Azure CNS] Failed to build network configuration with error %v", err)
 		return err

@@ -531,6 +531,7 @@ func (service *HTTPRestService) getAllNetworkContainerResponses(
 			AllowHostToNCCommunication: savedReq.AllowHostToNCCommunication,
 			AllowNCToHostCommunication: savedReq.AllowNCToHostCommunication,
 			NetworkInterfaceInfo:       savedReq.NetworkInterfaceInfo,
+			DefaultDenyACL:             savedReq.DefaultDenyACL,
 		}
 
 		// If the NC version check wasn't skipped, take into account the VFP programming status when returning the response
@@ -675,6 +676,9 @@ func (service *HTTPRestService) attachOrDetachHelper(req cns.ConfigureContainerN
 
 	var returnCode types.ResponseCode
 	var returnMessage string
+	nc := service.state.ContainerStatus[req.NetworkContainerid]
+	defaultDenyACL := nc.CreateNetworkContainerRequest.DefaultDenyACL
+
 	switch service.state.OrchestratorType {
 	case cns.Batch:
 		podInfo, err := cns.UnmarshalPodInfo(existing.CreateNetworkContainerRequest.OrchestratorContext)
@@ -686,9 +690,9 @@ func (service *HTTPRestService) attachOrDetachHelper(req cns.ConfigureContainerN
 			netPluginConfig := service.getNetPluginDetails()
 			switch operation {
 			case attach:
-				err = nc.Attach(podInfo, req.Containerid, netPluginConfig)
+				err = nc.Attach(podInfo, req.Containerid, netPluginConfig, defaultDenyACL)
 			case detach:
-				err = nc.Detach(podInfo, req.Containerid, netPluginConfig)
+				err = nc.Detach(podInfo, req.Containerid, netPluginConfig, defaultDenyACL)
 			}
 			if err != nil {
 				returnCode = types.UnexpectedError
@@ -933,6 +937,7 @@ func (service *HTTPRestService) handleGetNetworkContainers(w http.ResponseWriter
 			LocalIPConfiguration:       ncDetails.CreateNetworkContainerRequest.LocalIPConfiguration,
 			AllowHostToNCCommunication: ncDetails.CreateNetworkContainerRequest.AllowHostToNCCommunication,
 			AllowNCToHostCommunication: ncDetails.CreateNetworkContainerRequest.AllowNCToHostCommunication,
+			DefaultDenyACL:             ncDetails.CreateNetworkContainerRequest.DefaultDenyACL,
 		}
 		networkContainers[i] = getNcResp
 		i++

@@ -56,6 +56,8 @@ type PodNetworkInstanceSpec struct {
 	// optional for now in case orchestrator uses the deprecated fields
 	// +kubebuilder:validation:Optional
 	PodNetworkConfigs []PodNetworkConfig `json:"podNetworkConfigs"`
+	// DefaultDenyACL is a bool that specifies whether a "deny all" policy is applied to l1vh multi-tenant pods
+	DefaultDenyACL bool `json:"defaultDenyACL"`
 }
 
 // PodNetworkInstanceStatus defines the observed state of PodNetworkInstance

@@ -57,6 +57,10 @@ spec:
                 default: 0
                 description: Deprecated - use PodNetworks
                 type: integer
+              DefaultDenyACL:
+                default: false
+                description: indicates whether default deny policy will be present on the pods upon pod creation
+                type: bool
               podNetworkConfigs:
                 description: |-
                   PodNetworkConfigs describes each PodNetwork to attach to a single Pod

@@ -112,6 +112,7 @@ type EndpointInfo struct {
 	IsIPv6Enabled                 bool
 	HostSubnetPrefix              string // can be used later to add an external interface
 	PnPID                         string
+	DefaultDenyACL                bool
 }
 
 // RouteInfo contains information about an IP route.

@@ -5,3 +5,4 @@ metadata:
 spec:
    podnetwork: aksswiftvnetv20425
    podIPReservationSize: 2
+   defaultDenyACL: false