Add support for network policy (#513)

Notes:

- mounts empty /opt/cni/bin from host to kubelet container(pod)
  so that all pods share same cni binaries

Signed-off-by: Abhinav Dahiya <[email protected]>

Author: Abhinav Dahiya

cmd/bootkube/render.go

@@ -52,9 +52,11 @@ var (
 		selfHostKubelet     bool
 		cloudProvider       string
 		selfHostedEtcd      bool
+		calicoNetworkPolicy bool
 	}
 
 	imageVersions = asset.DefaultImages
+	cniRelease    = asset.DefaultCNIRelease
 )
 
 func init() {
@@ -73,6 +75,7 @@ func init() {
 	cmdRender.Flags().BoolVar(&renderOpts.selfHostKubelet, "experimental-self-hosted-kubelet", false, "(Experimental) Create a self-hosted kubelet daemonset.")
 	cmdRender.Flags().StringVar(&renderOpts.cloudProvider, "cloud-provider", "", "The provider for cloud services.  Empty string for no provider")
 	cmdRender.Flags().BoolVar(&renderOpts.selfHostedEtcd, "experimental-self-hosted-etcd", false, "(Experimental) Create self-hosted etcd assets.")
+	cmdRender.Flags().BoolVar(&renderOpts.calicoNetworkPolicy, "experimental-calico-network-policy", false, "(Experimental) Add network policy support by calico.")
 }
 
 func runCmdRender(cmd *cobra.Command, args []string) error {
@@ -222,25 +225,27 @@ func flagsToAssetConfig() (c *asset.Config, err error) {
 	}
 
 	return &asset.Config{
-		EtcdCACert:        etcdCACert,
-		EtcdClientCert:    etcdClientCert,
-		EtcdClientKey:     etcdClientKey,
-		EtcdServers:       etcdServers,
-		EtcdUseTLS:        etcdUseTLS,
-		CACert:            caCert,
-		CAPrivKey:         caPrivKey,
-		APIServers:        apiServers,
-		AltNames:          altNames,
-		PodCIDR:           podNet,
-		ServiceCIDR:       serviceNet,
-		APIServiceIP:      apiServiceIP,
-		BootEtcdServiceIP: bootEtcdServiceIP,
-		DNSServiceIP:      dnsServiceIP,
-		EtcdServiceIP:     etcdServiceIP,
-		SelfHostKubelet:   renderOpts.selfHostKubelet,
-		CloudProvider:     renderOpts.cloudProvider,
-		SelfHostedEtcd:    renderOpts.selfHostedEtcd,
-		Images:            imageVersions,
+		EtcdCACert:          etcdCACert,
+		EtcdClientCert:      etcdClientCert,
+		EtcdClientKey:       etcdClientKey,
+		EtcdServers:         etcdServers,
+		EtcdUseTLS:          etcdUseTLS,
+		CACert:              caCert,
+		CAPrivKey:           caPrivKey,
+		APIServers:          apiServers,
+		AltNames:            altNames,
+		PodCIDR:             podNet,
+		ServiceCIDR:         serviceNet,
+		APIServiceIP:        apiServiceIP,
+		BootEtcdServiceIP:   bootEtcdServiceIP,
+		DNSServiceIP:        dnsServiceIP,
+		EtcdServiceIP:       etcdServiceIP,
+		SelfHostKubelet:     renderOpts.selfHostKubelet,
+		CloudProvider:       renderOpts.cloudProvider,
+		SelfHostedEtcd:      renderOpts.selfHostedEtcd,
+		CalicoNetworkPolicy: renderOpts.calicoNetworkPolicy,
+		Images:              imageVersions,
+		CNIRelease:          cniRelease,
 	}, nil
 }
 

e2e/network_test.go

@@ -0,0 +1,295 @@
+package e2e
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	utilrand "k8s.io/apimachinery/pkg/util/rand"
+	"k8s.io/client-go/pkg/api"
+	"k8s.io/client-go/pkg/api/v1"
+	"k8s.io/client-go/pkg/apis/extensions/v1beta1"
+)
+
+func TestNetwork(t *testing.T) {
+	//
+	// 1. create nginx service
+	di, _, err := api.Codecs.UniversalDecoder().Decode(nginxDepNT, nil, &v1beta1.Deployment{})
+	if err != nil {
+		t.Fatalf("unable to decode deployment manifest: %v", err)
+	}
+
+	d, ok := di.(*v1beta1.Deployment)
+	if !ok {
+		t.Fatalf("expected manifest to decode into *api.deployment, got %T", di)
+	}
+	_, err = client.ExtensionsV1beta1().Deployments(namespace).Create(d)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	deleteDeployment := func() {
+		delPropPolicy := metav1.DeletePropagationForeground
+		client.ExtensionsV1beta1().Deployments(namespace).Delete("nginx-deployment-nt", &metav1.DeleteOptions{
+			PropagationPolicy: &delPropPolicy,
+		})
+	}
+	defer deleteDeployment()
+
+	if err := retry(10, time.Second*10, getNginxPod); err != nil {
+		t.Fatalf("timed out waiting for nginx pod: %v", err)
+	}
+
+	si, _, err := api.Codecs.UniversalDecoder().Decode(nginxSVCNT, nil, &v1.Service{})
+	if err != nil {
+		t.Fatalf("unable to decode service manifest: %v", err)
+	}
+	s, ok := si.(*v1.Service)
+	if !ok {
+		t.Fatalf("expected manifest to decode into *api.service, got %T", si)
+	}
+	_, err = client.CoreV1().Services(namespace).Create(s)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer client.CoreV1().Services(namespace).Delete("nginx-service-nt", &metav1.DeleteOptions{})
+
+	//
+	// 2. create a wget pod that hits the nginx service
+	testPodName := fmt.Sprintf("%s-%s", "wget-pod-nt", utilrand.String(5))
+	wgetPodNT.ObjectMeta.Name = testPodName
+	_, err = client.CoreV1().Pods(namespace).Create(wgetPodNT)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := retry(10, time.Second*10, getPod(testPodName)); err != nil {
+		t.Fatalf(fmt.Sprintf("timed out waiting for wget pod to succeed: %v", err))
+	}
+
+	t.Run("DefaultDeny", HelperDefaultDeny)
+
+	resetNetworkPolicy := func() {
+		n, err := client.CoreV1().Namespaces().Get(namespace, metav1.GetOptions{})
+		if err != nil {
+			t.Fatalf("unable to retrieve namespace %v", err)
+		}
+
+		n.ObjectMeta.Annotations = map[string]string{}
+		n.ObjectMeta.Annotations["net.beta.kubernetes.io/network-policy"] = defaultAllowNetworkPolicy
+		_, err = client.CoreV1().Namespaces().Update(n)
+		if err != nil {
+			t.Fatalf("unable to reset namespace network policy%v", err)
+		}
+	}
+	defer resetNetworkPolicy()
+
+	t.Run("NetworkPolicy", HelperPolicy)
+}
+
+func HelperDefaultDeny(t *testing.T) {
+	//
+	// 3. set DefaultDeny policy
+	var n *v1.Namespace
+	n, err := client.CoreV1().Namespaces().Get(namespace, metav1.GetOptions{})
+	if err != nil {
+		t.Fatalf("unable to retrieve namespace %v", err)
+	}
+
+	n.ObjectMeta.Annotations = map[string]string{}
+	n.ObjectMeta.Annotations["net.beta.kubernetes.io/network-policy"] = defaultDenyNetworkPolicy
+	_, err = client.CoreV1().Namespaces().Update(n)
+	if err != nil {
+		t.Fatalf("unable to set namespace network policy defaultdeny%v", err)
+	}
+
+	//
+	// 4. create a wget pod that fails to hit nginx service
+	testPodName := fmt.Sprintf("%s-%s", "wget-pod-nt", utilrand.String(5))
+	wgetPodNT.ObjectMeta.Name = testPodName
+	_, err = client.CoreV1().Pods(namespace).Create(wgetPodNT)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := retry(10, time.Second*10, getFailedPod(testPodName)); err != nil {
+		t.Fatalf(fmt.Sprintf("timed out waiting for wget pod to fail: %v", err))
+	}
+}
+
+func HelperPolicy(t *testing.T) {
+	//
+	// 5. create NetworkPolicy that allows `allow=access`
+	npi, _, err := api.Codecs.UniversalDecoder().Decode(netPolicy, nil, &v1beta1.NetworkPolicy{})
+	if err != nil {
+		t.Fatalf("unable to decode network policy manifest: %v", err)
+	}
+
+	np, ok := npi.(*v1beta1.NetworkPolicy)
+	if !ok {
+		t.Fatalf("expected manifest to decode into *api.networkpolicy, got %T", npi)
+	}
+
+	httpRestClient := client.ExtensionsV1beta1().RESTClient()
+	uri := fmt.Sprintf("/apis/%s/%s/namespaces/%s/%s",
+		strings.ToLower("extensions"),
+		strings.ToLower("v1beta1"),
+		strings.ToLower(namespace),
+		strings.ToLower("NetworkPolicies"))
+
+	result := httpRestClient.Post().RequestURI(uri).Body(np).Do()
+	if result.Error() != nil {
+		t.Fatal(result.Error())
+	}
+	defer func() {
+		uri = fmt.Sprintf("/apis/%s/%s/namespaces/%s/%s/%s",
+			strings.ToLower("extensions"),
+			strings.ToLower("v1beta1"),
+			strings.ToLower(namespace),
+			strings.ToLower("NetworkPolicies"),
+			strings.ToLower(np.ObjectMeta.Name))
+
+		result = httpRestClient.Delete().RequestURI(uri).Do()
+		if result.Error() != nil {
+			t.Fatal(result.Error())
+		}
+
+	}()
+
+	//
+	// 6. create a wget pod with label `allow=access` that hits the nginx service
+	testPodName := fmt.Sprintf("%s-%s", "wget-pod-nt", utilrand.String(5))
+	wgetPodNT.ObjectMeta.Name = testPodName
+	wgetPodNT.ObjectMeta.Labels = map[string]string{}
+	wgetPodNT.ObjectMeta.Labels["allow"] = "access"
+	_, err = client.CoreV1().Pods(namespace).Create(wgetPodNT)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := retry(10, time.Second*10, getPod(testPodName)); err != nil {
+		t.Fatalf(fmt.Sprintf("timed out waiting for wget pod to succeed: %v", err))
+	}
+
+	//
+	// 7. create a wget pod with label `allow=cant-access` that fails to the nginx service
+	testPodName = fmt.Sprintf("%s-%s", "wget-pod-nt", utilrand.String(5))
+	wgetPodNT.ObjectMeta.Name = testPodName
+	wgetPodNT.ObjectMeta.Labels["allow"] = "cant-access"
+	_, err = client.CoreV1().Pods(namespace).Create(wgetPodNT)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := retry(10, time.Second*10, getFailedPod(testPodName)); err != nil {
+		t.Fatalf(fmt.Sprintf("timed out waiting for wget pod to fail: %v", err))
+	}
+}
+
+func getNginxPod() error {
+	l, err := client.CoreV1().Pods(namespace).List(metav1.ListOptions{LabelSelector: "app=nginx"})
+	if err != nil || len(l.Items) == 0 {
+		return fmt.Errorf("couldn't list pods: %v", err)
+	}
+
+	// take the first pod
+	p := &l.Items[0]
+
+	if p.Status.Phase != v1.PodRunning {
+		return fmt.Errorf("pod not yet running: %v", p.Status.Phase)
+	}
+	return nil
+}
+
+func getPod(name string) func() error {
+	return func() error {
+		p, err := client.CoreV1().Pods(namespace).Get(name, metav1.GetOptions{})
+		if err != nil {
+			return fmt.Errorf("couldn't get pod: %v", err)
+		}
+		if p.Status.Phase != v1.PodSucceeded {
+			return fmt.Errorf("pod did not succeed: %v", p.Status.Phase)
+		}
+		return nil
+	}
+}
+
+func getFailedPod(name string) func() error {
+	return func() error {
+		p, err := client.CoreV1().Pods(namespace).Get(name, metav1.GetOptions{})
+		if err != nil {
+			return fmt.Errorf("couldn't get pod: %v", err)
+		}
+		if p.Status.Phase != v1.PodFailed {
+			return fmt.Errorf("pod did not fail: %v", p.Status.Phase)
+		}
+		return nil
+	}
+}
+
+var nginxDepNT = []byte(`apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+  name: nginx-deployment-nt
+spec:
+  replicas: 3
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.8
+        ports:
+        - containerPort: 80
+`)
+
+var wgetPodNT = &v1.Pod{
+	ObjectMeta: metav1.ObjectMeta{
+		Namespace: namespace,
+	},
+	Spec: v1.PodSpec{
+		Containers: []v1.Container{
+			{
+				Name:    "wget-container",
+				Image:   "busybox:1.26",
+				Command: []string{"wget", "--timeout", "5", "nginx-service-nt"},
+			},
+		},
+		RestartPolicy: v1.RestartPolicyNever,
+	},
+}
+
+var nginxSVCNT = []byte(`apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-service-nt
+spec:
+  selector:
+    app: nginx
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+`)
+
+var defaultDenyNetworkPolicy = `{"ingress":{"isolation":"DefaultDeny"}}`
+var defaultAllowNetworkPolicy = `{"ingress":{"isolation":""}}`
+
+var netPolicy = []byte(`kind: NetworkPolicy                                                      
+apiVersion: extensions/v1beta1
+metadata:
+  name: access-nginx
+spec:
+  podSelector:
+    matchLabels:
+      app: nginx
+  ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            allow: access
+`)

hack/multi-node/bootkube-up

@@ -20,7 +20,7 @@ fi
 
 # Render assets
 if [ ! -d "cluster" ]; then
-  ../../_output/bin/${local_os}/bootkube render --asset-dir=cluster --api-servers=https://172.17.4.101:443 ${etcd_render_flags}
+  ../../_output/bin/${local_os}/bootkube render --asset-dir=cluster --api-servers=https://172.17.4.101:443 ${etcd_render_flags} --experimental-calico-network-policy
   cp user-data.sample cluster/user-data-worker
   cp user-data.sample cluster/user-data-controller
   sed -i.bak -e '/node-role.kubernetes.io\/master/d' cluster/user-data-worker

hack/multi-node/user-data.sample

@@ -12,7 +12,10 @@ coreos:
         Environment=KUBELET_IMAGE_TAG=v1.6.4_coreos.0
         Environment="RKT_RUN_ARGS=--uuid-file-save=/var/cache/kubelet-pod.uuid \
           --volume var-lib-cni,kind=host,source=/var/lib/cni \
-          --mount volume=var-lib-cni,target=/var/lib/cni"
+          --volume opt-cni-bin,kind=host,source=/opt/cni/bin \
+          --mount volume=var-lib-cni,target=/var/lib/cni \
+          --mount volume=opt-cni-bin,target=/opt/cni/bin"
+        ExecStartPre=/bin/mkdir -p /opt/cni/bin
         ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
         ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
         ExecStartPre=/bin/mkdir -p /etc/kubernetes/checkpoint-secrets

hack/quickstart/init-master.sh

@@ -57,7 +57,7 @@ function init_master_node() {
     fi
 
     # Render cluster assets
-    /home/${REMOTE_USER}/bootkube render --asset-dir=/home/${REMOTE_USER}/assets ${etcd_render_flags} \
+    /home/${REMOTE_USER}/bootkube render --asset-dir=/home/${REMOTE_USER}/assets ${etcd_render_flags} --experimental-calico-network-policy \
       --api-servers=https://${COREOS_PUBLIC_IPV4}:443,https://${COREOS_PRIVATE_IPV4}:443
 
     # Move the local kubeconfig into expected location