Merge pull request #5186 from kyrtapz/inter_udn_isolation

Drop trafffic between advertised UDN networks

Author: tssurya

dist/images/Dockerfile.fedora

@@ -75,7 +75,7 @@ RUN git log -n 1
 # Stage to download OVN RPMs from koji #
 ########################################
 FROM fedora:41 AS kojidownloader
-ARG ovnver=ovn-24.09.1-10.fc41
+ARG ovnver=ovn-24.09.2-71.fc41
 
 USER root
 

go-controller/pkg/controllermanager/controller_manager.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/containernetworking/cni/pkg/types"
 
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/record"
@@ -139,8 +140,12 @@ func (cm *ControllerManager) GetDefaultNetworkController() networkmanager.Reconc
 
 func (cm *ControllerManager) CleanupStaleNetworks(validNetworks ...util.NetInfo) error {
 	existingNetworksMap := map[string]string{}
+	validNetworksSubnets := sets.New[string]()
 	for _, network := range validNetworks {
 		existingNetworksMap[network.GetNetworkName()] = network.TopologyType()
+		for _, subnet := range network.Subnets() {
+			validNetworksSubnets.Insert(subnet.CIDR.String())
+		}
 	}
 
 	// Get all the existing secondary networks and its logical entities
@@ -188,6 +193,29 @@ func (cm *ControllerManager) CleanupStaleNetworks(validNetworks ...util.NetInfo)
 			klog.Errorf("Failed to delete stale OVN logical entities for network %s: %v", netName, err)
 		}
 	}
+
+	if util.IsRouteAdvertisementsEnabled() {
+		// Remove stale subnets from the advertised networks address set used for isolation
+		// NOTE: network reconciliation will take care of removing the subnets for existing networks that are no longer
+		// advertised.
+		addressSetFactory := addressset.NewOvnAddressSetFactory(cm.nbClient, config.IPv4Mode, config.IPv6Mode)
+		advertisedSubnets, err := addressSetFactory.GetAddressSet(ovn.GetAdvertisedNetworkSubnetsAddressSetDBIDs())
+		if err != nil {
+			return fmt.Errorf("failed to get advertised subnets addresset %s: %w", ovn.GetAdvertisedNetworkSubnetsAddressSetDBIDs(), err)
+		}
+		v4AdvertisedSubnets, v6AdvertisedSubnets := advertisedSubnets.GetAddresses()
+		var invalidSubnets []string
+		for _, subnet := range append(v4AdvertisedSubnets, v6AdvertisedSubnets...) {
+			if !validNetworksSubnets.Has(subnet) {
+				klog.Infof("Cleanup stale advertised subnet: %q", subnet)
+				invalidSubnets = append(invalidSubnets, subnet)
+			}
+		}
+
+		if err := advertisedSubnets.DeleteAddresses(invalidSubnets); err != nil {
+			klog.Errorf("Failed to delete stale advertised subnets: %v", invalidSubnets)
+		}
+	}
 	return nil
 }
 
@@ -451,6 +479,11 @@ func (cm *ControllerManager) Start(ctx context.Context) error {
 		return fmt.Errorf("failed to init default network controller: %v", err)
 	}
 
+	if util.IsRouteAdvertisementsEnabled() {
+		if err := cm.configureAdvertisedNetworkIsolation(); err != nil {
+			return fmt.Errorf("failed to initialize advertised network isolation: %w", err)
+		}
+	}
 	if cm.networkManager != nil {
 		if err = cm.networkManager.Start(); err != nil {
 			return fmt.Errorf("failed to start NAD Controller :%v", err)
@@ -495,3 +528,9 @@ func (cm *ControllerManager) Stop() {
 func (cm *ControllerManager) Reconcile(_ string, _, _ util.NetInfo) error {
 	return nil
 }
+
+func (cm *ControllerManager) configureAdvertisedNetworkIsolation() error {
+	addressSetFactory := addressset.NewOvnAddressSetFactory(cm.nbClient, config.IPv4Mode, config.IPv6Mode)
+	_, err := addressSetFactory.EnsureAddressSet(ovn.GetAdvertisedNetworkSubnetsAddressSetDBIDs())
+	return err
+}

go-controller/pkg/libovsdb/ops/db_object_types.go

@@ -36,6 +36,7 @@ const (
 	NetpolNamespaceOwnerType    ownerType = "NetpolNamespace"
 	VirtualMachineOwnerType     ownerType = "VirtualMachine"
 	UDNEnabledServiceOwnerType  ownerType = "UDNEnabledService"
+	AdvertisedNetworkOwnerType  ownerType = "AdvertisedNetwork"
 	// NetworkPolicyPortIndexOwnerType is the old version of NetworkPolicyOwnerType, kept for sync only
 	NetworkPolicyPortIndexOwnerType ownerType = "NetworkPolicyPortIndexOwnerType"
 	// ClusterOwnerType means the object is cluster-scoped and doesn't belong to any k8s objects
@@ -151,6 +152,19 @@ var AddressSetNetworkQoS = newObjectIDsType(addressSet, NetworkQoSOwnerType, []E
 	IPFamilyKey,
 })
 
+var AddressSetAdvertisedNetwork = newObjectIDsType(addressSet, AdvertisedNetworkOwnerType, []ExternalIDKey{
+	// cluster-wide address set name
+	ObjectNameKey,
+	IPFamilyKey,
+})
+
+var ACLAdvertisedNetwork = newObjectIDsType(acl, AdvertisedNetworkOwnerType, []ExternalIDKey{
+	// ACL name
+	ObjectNameKey,
+	// NetworkID
+	NetworkKey,
+})
+
 var ACLAdminNetworkPolicy = newObjectIDsType(acl, AdminNetworkPolicyOwnerType, []ExternalIDKey{
 	// anp name
 	ObjectNameKey,

go-controller/pkg/ovn/default_network_controller.go

@@ -31,11 +31,8 @@ import (
 	svccontroller "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/ovn/controller/services"
 	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/ovn/controller/unidling"
 	dnsnameresolver "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/ovn/dns_name_resolver"
-	aclsyncer "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/ovn/external_ids_syncer/acl"
-	addrsetsyncer "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/ovn/external_ids_syncer/address_set"
 	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/ovn/external_ids_syncer/logical_router_policy"
 	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/ovn/external_ids_syncer/nat"
-	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/ovn/external_ids_syncer/port_group"
 	lsm "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/ovn/logical_switch_manager"
 	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/ovn/routeimport"
 	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/ovn/topology"
@@ -296,35 +293,7 @@ func (oc *DefaultNetworkController) newRetryFramework(
 }
 
 func (oc *DefaultNetworkController) syncDb() error {
-	// sync address sets and ACLs, only required for network controller, since any old objects in the db without
-	// Owner set are owned by the default network controller.
-	// The order of syncs is important, since the next syncer may rely on the data updated by the previous one.
-	addrSetSyncer := addrsetsyncer.NewAddressSetSyncer(oc.nbClient, oc.controllerName)
-	err := addrSetSyncer.SyncAddressSets()
-	if err != nil {
-		return fmt.Errorf("failed to sync address sets on controller init: %v", err)
-	}
-
-	existingNodes, err := oc.kube.GetNodes()
-	if err != nil {
-		return fmt.Errorf("failed to get existing nodes: %w", err)
-	}
-	aclSyncer := aclsyncer.NewACLSyncer(oc.nbClient, oc.controllerName)
-	err = aclSyncer.SyncACLs(existingNodes)
-	if err != nil {
-		return fmt.Errorf("failed to sync acls on controller init: %v", err)
-	}
-
-	// port groups should be synced only once across all controllers (as port groups were used by secondary network
-	// controllers before dbIDs, but SyncPortGroups knows how to get this info from the old ExternalIDs, that is also
-	// why it doesn't have controllerName as an argument).
-	// Do it here since DefaultNetworkController is always created, and this sync has dependencies with the other syncs
-	// in this function. It uses acl.ExternalIDs[libovsdbops.ObjectNameKey.String()] to fetch namespace name for a
-	// referenced port group (thus, SyncACLs should be called before).
-	portGroupSyncer := port_group.NewPortGroupSyncer(oc.nbClient)
-	if err = portGroupSyncer.SyncPortGroups(); err != nil {
-		return fmt.Errorf("failed to sync port groups on controller init: %v", err)
-	}
+	var err error
 	// sync shared resources
 	// pod selector address sets
 	err = oc.cleanupPodSelectorAddressSets()