decouple Interfaces from Implementation

Author: aojea

cmd/main.go

@@ -12,6 +12,7 @@ import (
 	"time"
 
 	"github.com/prometheus/client_golang/prometheus/promhttp"
+	"sigs.k8s.io/kube-network-policies/pkg/api"
 	"sigs.k8s.io/kube-network-policies/pkg/dataplane"
 	"sigs.k8s.io/kube-network-policies/pkg/dns"
 	"sigs.k8s.io/kube-network-policies/pkg/networkpolicy"
@@ -193,7 +194,7 @@ func run() int {
 	// Create the evaluators for the Pipeline to process the packets
 	// and take a network policy action. The evaluators are processed
 	// by the order in the array.
-	evaluators := []networkpolicy.PolicyEvaluator{}
+	evaluators := []api.PolicyEvaluator{}
 
 	// Logging evaluator must go first if enabled.
 	if klog.V(2).Enabled() {

pkg/api/interfaces.go

@@ -0,0 +1,61 @@
+package api
+
+import (
+	"context"
+	"net"
+	"net/netip"
+
+	"sigs.k8s.io/kube-network-policies/pkg/network"
+)
+
+// PodInfoProvider defines an interface for components that can provide PodInfo.
+type PodInfoProvider interface {
+	GetPodInfoByIP(podIP string) (*PodInfo, bool)
+}
+
+// DomainResolver provides an interface for resolving domain names to IP addresses.
+type DomainResolver interface {
+	ContainsIP(domain string, ip net.IP) bool
+}
+
+// SyncFunc is a callback function that an evaluator can invoke to trigger
+// a dataplane reconciliation.
+type SyncFunc func()
+
+// Verdict represents the outcome of a packet evaluation.
+type Verdict int
+
+const (
+	// VerdictAccept allows the packet. In a directional pipeline, this means
+	// the packet is allowed for that stage.
+	VerdictAccept Verdict = iota
+	// VerdictDeny denies the packet. This is a final decision for that direction.
+	VerdictDeny
+	// VerdictNext continues to the next evaluator in the pipeline.
+	VerdictNext
+)
+
+// PolicyEvaluator is the complete interface for a policy plugin.
+// It is responsible for both evaluating packets against its policies and
+// providing the necessary configuration to the dataplane.
+type PolicyEvaluator interface {
+	// Name returns the identifier for this evaluator.
+	Name() string
+	// Ready returns true if the evaluator is initialized and ready to work.
+	Ready() bool
+
+	// EvaluateIngress/EvaluateEgress perform the runtime packet evaluation.
+	EvaluateIngress(ctx context.Context, p *network.Packet, srcPod, dstPod *PodInfo) (Verdict, error)
+	EvaluateEgress(ctx context.Context, p *network.Packet, srcPod, dstPod *PodInfo) (Verdict, error)
+
+	// SetDataplaneSyncCallback allows the dataplane to provide a callback function.
+	// The evaluator MUST call this function whenever its state changes in a way
+	// that requires the dataplane rules to be re-synced.
+	SetDataplaneSyncCallback(syncFn SyncFunc)
+
+	// ManagedIPs returns the set of Pod IPs that this policy evaluator manages.
+	// The dataplane uses this to build optimized nftables sets.
+	// It can also return 'divertAll = true' to signal that all traffic
+	// must be sent to the nfqueue, disabling the IP set optimization.
+	ManagedIPs(ctx context.Context) (ips []netip.Addr, divertAll bool, err error)
+}

pkg/dataplane/controller_test.go

@@ -35,17 +35,17 @@ type mockPolicyEvaluator struct {
 	ips       []netip.Addr
 	divertAll bool
 	isReady   bool
-	sync      networkpolicy.SyncFunc
+	sync      api.SyncFunc
 }
 
 func (m *mockPolicyEvaluator) Name() string { return m.name }
-func (m *mockPolicyEvaluator) EvaluateIngress(context.Context, *network.Packet, *api.PodInfo, *api.PodInfo) (networkpolicy.Verdict, error) {
-	return networkpolicy.VerdictNext, nil
+func (m *mockPolicyEvaluator) EvaluateIngress(context.Context, *network.Packet, *api.PodInfo, *api.PodInfo) (api.Verdict, error) {
+	return api.VerdictNext, nil
 }
-func (m *mockPolicyEvaluator) EvaluateEgress(context.Context, *network.Packet, *api.PodInfo, *api.PodInfo) (networkpolicy.Verdict, error) {
-	return networkpolicy.VerdictNext, nil
+func (m *mockPolicyEvaluator) EvaluateEgress(context.Context, *network.Packet, *api.PodInfo, *api.PodInfo) (api.Verdict, error) {
+	return api.VerdictNext, nil
 }
-func (m *mockPolicyEvaluator) SetDataplaneSyncCallback(syncFn networkpolicy.SyncFunc) {
+func (m *mockPolicyEvaluator) SetDataplaneSyncCallback(syncFn api.SyncFunc) {
 	m.sync = syncFn
 }
 func (m *mockPolicyEvaluator) Ready() bool { return m.isReady }
@@ -54,7 +54,7 @@ func (m *mockPolicyEvaluator) ManagedIPs(context.Context) ([]netip.Addr, bool, e
 }
 
 // newTestController creates a controller instance for testing with mock evaluators.
-func newTestController(config Config, evaluators []networkpolicy.PolicyEvaluator) *Controller {
+func newTestController(config Config, evaluators []api.PolicyEvaluator) *Controller {
 	client := fake.NewSimpleClientset()
 	informersFactory := informers.NewSharedInformerFactory(client, 0)
 	podInformer := informersFactory.Core().V1().Pods()
@@ -219,7 +219,7 @@ func testNetworkPolicies_SyncRules(t *testing.T) {
 	tests := []struct {
 		name             string
 		config           Config
-		evaluators       []networkpolicy.PolicyEvaluator
+		evaluators       []api.PolicyEvaluator
 		expectedNftables string
 	}{
 		{
@@ -230,7 +230,7 @@ func testNetworkPolicies_SyncRules(t *testing.T) {
 				FailOpen:            true,
 				NFTableName:         "kube-network-policies",
 			},
-			evaluators: []networkpolicy.PolicyEvaluator{
+			evaluators: []api.PolicyEvaluator{
 				&mockPolicyEvaluator{
 					name: "test-evaluator",
 					ips: []netip.Addr{
@@ -285,7 +285,7 @@ table inet kube-network-policies {
 				NFTableName:         "kube-network-policies",
 				FailOpen:            false,
 			},
-			evaluators: []networkpolicy.PolicyEvaluator{
+			evaluators: []api.PolicyEvaluator{
 				&mockPolicyEvaluator{
 					name:      "divert-all-evaluator",
 					divertAll: true,
@@ -321,7 +321,7 @@ table inet kube-network-policies {
 				QueueID:     102,
 				NFTableName: "kube-network-policies",
 			},
-			evaluators: []networkpolicy.PolicyEvaluator{
+			evaluators: []api.PolicyEvaluator{
 				&mockPolicyEvaluator{
 					name:    "ip-evaluator",
 					ips:     []netip.Addr{netip.MustParseAddr("10.0.0.1")},

pkg/networkpolicy/adminnetworkpolicy.go

@@ -22,13 +22,13 @@ import (
 type AdminNetworkPolicy struct {
 	anpLister      anplisters.AdminNetworkPolicyLister
 	anpSynced      cache.InformerSynced
-	domainResolver DomainResolver
+	domainResolver api.DomainResolver
 }
 
-var _ PolicyEvaluator = &AdminNetworkPolicy{}
+var _ api.PolicyEvaluator = &AdminNetworkPolicy{}
 
 // NewAdminNetworkPolicy creates a new ANP implementation.
-func NewAdminNetworkPolicy(anpInformer anpinformers.AdminNetworkPolicyInformer, domainResolver DomainResolver) *AdminNetworkPolicy {
+func NewAdminNetworkPolicy(anpInformer anpinformers.AdminNetworkPolicyInformer, domainResolver api.DomainResolver) *AdminNetworkPolicy {
 	return &AdminNetworkPolicy{
 		anpLister:      anpInformer.Lister(),
 		anpSynced:      anpInformer.Informer().HasSynced,
@@ -44,7 +44,7 @@ func (a *AdminNetworkPolicy) Ready() bool {
 	return a.anpSynced()
 }
 
-func (a *AdminNetworkPolicy) SetDataplaneSyncCallback(syncFn SyncFunc) {
+func (a *AdminNetworkPolicy) SetDataplaneSyncCallback(syncFn api.SyncFunc) {
 	// No-op for AdminNetworkPolicy as it doesn't directly control dataplane rules.
 	// The controller will handle syncing based on policy changes.
 }
@@ -55,59 +55,59 @@ func (a *AdminNetworkPolicy) ManagedIPs(ctx context.Context) ([]netip.Addr, bool
 	return nil, true, nil
 }
 
-func (a *AdminNetworkPolicy) EvaluateIngress(ctx context.Context, p *network.Packet, srcPod, dstPod *api.PodInfo) (Verdict, error) {
+func (a *AdminNetworkPolicy) EvaluateIngress(ctx context.Context, p *network.Packet, srcPod, dstPod *api.PodInfo) (api.Verdict, error) {
 	logger := klog.FromContext(ctx)
 
 	allPolicies, err := a.anpLister.List(labels.Everything())
 	if err != nil || len(allPolicies) == 0 {
-		return VerdictNext, err
+		return api.VerdictNext, err
 	}
 
 	dstPodAdminNetworkPolicies := getAdminNetworkPoliciesForPod(dstPod, allPolicies)
 	if len(dstPodAdminNetworkPolicies) == 0 {
 		logger.V(2).Info("Ingress AdminNetworkPolicies does not apply")
-		return VerdictNext, nil
+		return api.VerdictNext, nil
 	}
 	ingressAction := a.evaluateAdminIngress(dstPodAdminNetworkPolicies, srcPod, dstPod, p.DstPort, p.Proto)
 	logger.V(2).Info("Ingress AdminNetworkPolicies", "npolicies", len(dstPodAdminNetworkPolicies), "action", ingressAction)
 
 	switch ingressAction {
 	case npav1alpha1.AdminNetworkPolicyRuleActionAllow:
-		return VerdictAccept, nil
+		return api.VerdictAccept, nil
 	case npav1alpha1.AdminNetworkPolicyRuleActionDeny:
-		return VerdictDeny, nil
+		return api.VerdictDeny, nil
 	case npav1alpha1.AdminNetworkPolicyRuleActionPass:
-		return VerdictNext, nil
+		return api.VerdictNext, nil
 	default: // Pass
-		return VerdictNext, nil
+		return api.VerdictNext, nil
 	}
 }
 
-func (a *AdminNetworkPolicy) EvaluateEgress(ctx context.Context, p *network.Packet, srcPod, dstPod *api.PodInfo) (Verdict, error) {
+func (a *AdminNetworkPolicy) EvaluateEgress(ctx context.Context, p *network.Packet, srcPod, dstPod *api.PodInfo) (api.Verdict, error) {
 	logger := klog.FromContext(ctx)
 
 	allPolicies, err := a.anpLister.List(labels.Everything())
 	if err != nil || len(allPolicies) == 0 {
-		return VerdictNext, err
+		return api.VerdictNext, err
 	}
 
 	srcPodAdminNetworkPolicies := getAdminNetworkPoliciesForPod(srcPod, allPolicies)
 	if len(srcPodAdminNetworkPolicies) == 0 {
 		logger.V(2).Info("Egress AdminNetworkPolicies does not apply")
-		return VerdictNext, nil
+		return api.VerdictNext, nil
 	}
 	egressAction := a.evaluateAdminEgress(srcPodAdminNetworkPolicies, dstPod, p.DstIP, p.DstPort, p.Proto)
 	logger.V(2).Info("Egress AdminNetworkPolicies", "npolicies", len(srcPodAdminNetworkPolicies), "action", egressAction)
 
 	switch egressAction {
 	case npav1alpha1.AdminNetworkPolicyRuleActionAllow:
-		return VerdictAccept, nil
+		return api.VerdictAccept, nil
 	case npav1alpha1.AdminNetworkPolicyRuleActionDeny:
-		return VerdictDeny, nil
+		return api.VerdictDeny, nil
 	case npav1alpha1.AdminNetworkPolicyRuleActionPass:
-		return VerdictNext, nil
+		return api.VerdictNext, nil
 	default: // Pass
-		return VerdictNext, nil
+		return api.VerdictNext, nil
 	}
 }
 

pkg/networkpolicy/adminnetworkpolicy_test.go

@@ -495,7 +495,7 @@ func Test_adminNetworkPolicyAction(t *testing.T) {
 			}
 
 			evaluator := NewAdminNetworkPolicy(npaInformerFactory.Policy().V1alpha1().AdminNetworkPolicies(), nil)
-			engine := NewPolicyEngine(podInfoProvider, []PolicyEvaluator{evaluator})
+			engine := NewPolicyEngine(podInfoProvider, []api.PolicyEvaluator{evaluator})
 
 			verdict, err := engine.EvaluatePacket(context.TODO(), &tt.p)
 			if err != nil {
@@ -1009,7 +1009,7 @@ func TestController_evaluateAdminEgress_DomainNames(t *testing.T) {
 			}
 
 			evaluator := NewAdminNetworkPolicy(npaInformerFactory.Policy().V1alpha1().AdminNetworkPolicies(), domainResolver)
-			engine := NewPolicyEngine(podInfoProvider, []PolicyEvaluator{evaluator})
+			engine := NewPolicyEngine(podInfoProvider, []api.PolicyEvaluator{evaluator})
 
 			packet := network.Packet{
 				SrcIP: net.ParseIP("192.168.1.11"),

pkg/networkpolicy/baselineadminnetworkpolicy.go

@@ -22,7 +22,7 @@ type BaselineAdminNetworkPolicy struct {
 	banpSynced cache.InformerSynced
 }
 
-var _ PolicyEvaluator = &BaselineAdminNetworkPolicy{}
+var _ api.PolicyEvaluator = &BaselineAdminNetworkPolicy{}
 
 // NewAdminNetworkPolicy creates a new ANP implementation.
 func NewBaselineAdminNetworkPolicy(banpInformer banpinformers.BaselineAdminNetworkPolicyInformer) *BaselineAdminNetworkPolicy {
@@ -40,7 +40,7 @@ func (b *BaselineAdminNetworkPolicy) Ready() bool {
 	return b.banpSynced()
 }
 
-func (b *BaselineAdminNetworkPolicy) SetDataplaneSyncCallback(syncFn SyncFunc) {
+func (b *BaselineAdminNetworkPolicy) SetDataplaneSyncCallback(syncFn api.SyncFunc) {
 	// No-op for AdminNetworkPolicy as it doesn't directly control dataplane rules.
 	// The controller will handle syncing based on policy changes.
 }
@@ -51,39 +51,39 @@ func (b *BaselineAdminNetworkPolicy) ManagedIPs(ctx context.Context) ([]netip.Ad
 	return nil, true, nil
 }
 
-func (b *BaselineAdminNetworkPolicy) EvaluateIngress(ctx context.Context, p *network.Packet, srcPod, dstPod *api.PodInfo) (Verdict, error) {
+func (b *BaselineAdminNetworkPolicy) EvaluateIngress(ctx context.Context, p *network.Packet, srcPod, dstPod *api.PodInfo) (api.Verdict, error) {
 	logger := klog.FromContext(ctx)
 
 	allPolicies, err := b.banpLister.List(labels.Everything())
 	if err != nil || len(allPolicies) == 0 {
-		return VerdictNext, err
+		return api.VerdictNext, err
 	}
 
 	dstPodBaselineAdminNetworkPolices := getBaselineAdminNetworkPoliciesForPod(dstPod, allPolicies)
 	if len(dstPodBaselineAdminNetworkPolices) == 0 {
 		logger.V(2).Info("Ingress BaselineAdminNetworkPolicies does not apply")
-		return VerdictNext, nil
+		return api.VerdictNext, nil
 	}
 	ingressAction := b.evaluateBaselineAdminIngress(dstPodBaselineAdminNetworkPolices, srcPod, dstPod, p.DstPort, p.Proto)
 	logger.V(2).Info("Ingress BaselineAdminNetworkPolicies", "npolicies", len(dstPodBaselineAdminNetworkPolices), "action", ingressAction)
 
 	switch ingressAction {
 	case npav1alpha1.BaselineAdminNetworkPolicyRuleActionAllow:
-		return VerdictAccept, nil
+		return api.VerdictAccept, nil
 	case npav1alpha1.BaselineAdminNetworkPolicyRuleActionDeny:
-		return VerdictDeny, nil
+		return api.VerdictDeny, nil
 	default: // Pass
-		return VerdictNext, nil
+		return api.VerdictNext, nil
 	}
 }
 
-func (b *BaselineAdminNetworkPolicy) EvaluateEgress(ctx context.Context, p *network.Packet, srcPod, dstPod *api.PodInfo) (Verdict, error) {
+func (b *BaselineAdminNetworkPolicy) EvaluateEgress(ctx context.Context, p *network.Packet, srcPod, dstPod *api.PodInfo) (api.Verdict, error) {
 	logger := klog.FromContext(ctx)
 
 	allPolicies, err := b.banpLister.List(labels.Everything())
 	if err != nil || len(allPolicies) == 0 {
 		logger.V(2).Info("Egress BaselineAdminNetworkPolicies does not apply")
-		return VerdictNext, err
+		return api.VerdictNext, err
 	}
 
 	srcPodBaselineAdminNetworkPolices := getBaselineAdminNetworkPoliciesForPod(srcPod, allPolicies)
@@ -92,11 +92,11 @@ func (b *BaselineAdminNetworkPolicy) EvaluateEgress(ctx context.Context, p *netw
 
 	switch egressAction {
 	case npav1alpha1.BaselineAdminNetworkPolicyRuleActionAllow:
-		return VerdictAccept, nil
+		return api.VerdictAccept, nil
 	case npav1alpha1.BaselineAdminNetworkPolicyRuleActionDeny:
-		return VerdictDeny, nil
+		return api.VerdictDeny, nil
 	default: // Pass
-		return VerdictNext, nil
+		return api.VerdictNext, nil
 	}
 }
 

pkg/networkpolicy/baselineadminnetworkpolicy_test.go

@@ -168,7 +168,7 @@ func Test_baselineAdminNetworkPolicyAction(t *testing.T) {
 			}
 
 			evaluator := NewBaselineAdminNetworkPolicy(banpInformer)
-			engine := NewPolicyEngine(podInfoProvider, []PolicyEvaluator{evaluator})
+			engine := NewPolicyEngine(podInfoProvider, []api.PolicyEvaluator{evaluator})
 
 			verdict, err := engine.EvaluatePacket(context.TODO(), &tt.packet)
 			if err != nil {