
Address comments
Signed-off-by: Yang Ding <dingyang@vmware.com>
Dyanngg committed May 14, 2021
1 parent d379621 commit 5dccd68
Showing 12 changed files with 301 additions and 132 deletions.
10 changes: 10 additions & 0 deletions build/yamls/antrea-aks.yml
Expand Up @@ -573,6 +573,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -700,6 +705,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
10 changes: 10 additions & 0 deletions build/yamls/antrea-eks.yml
Expand Up @@ -573,6 +573,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -700,6 +705,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
10 changes: 10 additions & 0 deletions build/yamls/antrea-gke.yml
Expand Up @@ -573,6 +573,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -700,6 +705,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
10 changes: 10 additions & 0 deletions build/yamls/antrea-ipsec.yml
Expand Up @@ -573,6 +573,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -700,6 +705,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
10 changes: 10 additions & 0 deletions build/yamls/antrea.yml
Expand Up @@ -573,6 +573,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
Expand Down Expand Up @@ -700,6 +705,11 @@ spec:
matchLabels:
x-kubernetes-preserve-unknown-fields: true
type: object
namespaces:
properties:
match:
type: string
type: object
podSelector:
properties:
matchExpressions:
10 changes: 10 additions & 0 deletions build/yamls/base/crds.yml
Expand Up @@ -656,6 +656,11 @@ spec:
type: string
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaces:
type: object
properties:
match:
type: string
ipBlock:
type: object
properties:
Expand Down Expand Up @@ -795,6 +800,11 @@ spec:
type: string
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaces:
type: object
properties:
match:
type: string
ipBlock:
type: object
properties:
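Review bot: The new `namespaces` object in both hunks of this file declares `match` as a bare `type: string` with no `enum`, so any value passes CRD validation and unsupported values can only be rejected later by the controller; if the accepted values are a fixed set, pin them with an `enum:` list under `match` so an invalid policy is refused at admission rather than reconciled into a surprising rule. Nothing in the schema expresses whether `namespaces` and the sibling `namespaceSelector` are alternatives; if they are mutually exclusive, a `oneOf` on the peer object or at least a description on `namespaces` saying so would make the contract visible to users and to the controller code. The same five-line addition appears in antrea-aks.yml, antrea-eks.yml, antrea-gke.yml, antrea-ipsec.yml and antrea.yml, which presumably are generated from this file and would inherit the constraint.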
68 changes: 38 additions & 30 deletions pkg/controller/networkpolicy/clusternetworkpolicy.go
Expand Up @@ -26,6 +26,7 @@ import (
crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
"antrea.io/antrea/pkg/controller/networkpolicy/store"
antreatypes "antrea.io/antrea/pkg/controller/types"
utilsets "antrea.io/antrea/pkg/util/sets"
)

// addCNP receives ClusterNetworkPolicy ADD events and creates resources
Expand Down Expand Up @@ -135,9 +136,7 @@ func (n *NetworkPolicyController) filterPerNamespaceRuleACNPsByNSLabels(nsLabels
}
for _, np := range nps {
internalNP := np.(*antreatypes.NetworkPolicy)
//klog.Infof("NP %v has perNSSel", internalNP.SourceRef.Name)
for _, sel := range internalNP.PerNamespaceSelectors {
//klog.Infof("Evaluating selector %v", sel)
if sel.Matches(nsLabels) {
affectedPolicies.Insert(internalNP.SourceRef.Name)
break
Expand Down Expand Up @@ -171,21 +170,10 @@ func (n *NetworkPolicyController) updateNamespace(oldObj, curObj interface{}) {
oldNamespace, curNamespace := oldObj.(*v1.Namespace), curObj.(*v1.Namespace)
klog.V(2).Infof("Processing Namespace %s UPDATE event, labels: %v", curNamespace.Name, curNamespace.Labels)
oldLabelSet, curLabelSet := labels.Set(oldNamespace.Labels), labels.Set(curNamespace.Labels)
addedLabels, removedLabels := labels.Set{}, labels.Set{}
for k, v := range oldLabelSet {
if !curLabelSet.Has(k) || curLabelSet.Get(k) != v {
removedLabels[k] = v
}
}
for k, v := range curLabelSet {
if !oldLabelSet.Has(k) || oldLabelSet.Get(k) != v {
addedLabels[k] = v
}
}
affectedACNPsByLabelRemoval := n.filterPerNamespaceRuleACNPsByNSLabels(removedLabels)
affectedACNPsByLabelAdd := n.filterPerNamespaceRuleACNPsByNSLabels(addedLabels)
policiesToSync := affectedACNPsByLabelAdd.Union(affectedACNPsByLabelRemoval)
for _, cnpName := range policiesToSync.List() {
affectedACNPsByOldLabels := n.filterPerNamespaceRuleACNPsByNSLabels(oldLabelSet)
affectedACNPsByCurLabels := n.filterPerNamespaceRuleACNPsByNSLabels(curLabelSet)
affectedACNPs := utilsets.SymmetricDifference(affectedACNPsByOldLabels, affectedACNPsByCurLabels)
for _, cnpName := range affectedACNPs.List() {
cnp, err := n.cnpLister.Get(cnpName)
if err != nil {
klog.Errorf("Error getting Antrea ClusterNetworkPolicy %s", cnpName)
Expand Down Expand Up @@ -248,6 +236,22 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *crdv1alpha1.C
// to re-calculate affected Namespaces.
var affectedNamespaceSelectors []labels.Selector

// If appliedTo is set at spec level and the ACNP has per-namespace rules, then each appliedTo needs
// to be split into appliedToGroups for each of its affected Namespace.
var clusterAppliedToAffectedNS []string
var atgForNamespace []string
if hasPerNamespaceRule && len(cnp.Spec.AppliedTo) > 0 {
for _, at := range cnp.Spec.AppliedTo {
affectedNS, selectors := n.getAffectedNamespacesForAppliedTo(at)
affectedNamespaceSelectors = append(affectedNamespaceSelectors, selectors...)
for _, ns := range affectedNS {
atg := n.createAppliedToGroup(ns, at.PodSelector, nil, at.ExternalEntitySelector)
atgNamesSet.Insert(atg)
clusterAppliedToAffectedNS = append(clusterAppliedToAffectedNS, ns)
atgForNamespace = append(atgForNamespace, atg)
}
}
}
var rules []controlplane.NetworkPolicyRule
processRules := func(cnpRules []crdv1alpha1.Rule, direction controlplane.Direction) {
for idx, cnpRule := range cnpRules {
Expand Down Expand Up @@ -282,18 +286,23 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *crdv1alpha1.C
addRule(n.toAntreaPeerForCRD(clusterPeers, cnp, direction, namedPortExists), direction, ruleATGNames)
}
if len(perNSPeers) > 0 {
ruleAppliedTos := cnp.Spec.AppliedTo
if len(cnpRule.AppliedTo) > 0 {
ruleAppliedTos = cnpRule.AppliedTo
}
for _, at := range ruleAppliedTos {
affectedNS, selectors := n.getAffectedNamespacesForAppliedTo(at)
affectedNamespaceSelectors = append(affectedNamespaceSelectors, selectors...)
for _, ns := range affectedNS {
atg := n.createAppliedToGroup(ns, at.PodSelector, nil, at.ExternalEntitySelector)
atgNamesSet.Insert(atg)
klog.V(4).Infof("Adding a new per-namespace rule with appliedTo %v for %s", atg, cnp.Name)
addRule(n.toNamespacedPeerForCRD(perNSPeers, ns), direction, []string{atg})
if len(cnp.Spec.AppliedTo) > 0 {
// Create a rule for each affected Namespace of appliedTo at spec level
for i := range clusterAppliedToAffectedNS {
klog.V(4).Infof("Adding a new per-namespace rule with appliedTo %v for rule %d of %s", clusterAppliedToAffectedNS[i], idx, cnp.Name)
addRule(n.toNamespacedPeerForCRD(perNSPeers, clusterAppliedToAffectedNS[i]), direction, []string{atgForNamespace[i]})
}
} else {
// Create a rule for each affected Namespace of appliedTo at rule level
for _, at := range cnpRule.AppliedTo {
affectedNS, selectors := n.getAffectedNamespacesForAppliedTo(at)
affectedNamespaceSelectors = append(affectedNamespaceSelectors, selectors...)
for _, ns := range affectedNS {
atg := n.createAppliedToGroup(ns, at.PodSelector, nil, at.ExternalEntitySelector)
atgNamesSet.Insert(atg)
klog.V(4).Infof("Adding a new per-namespace rule with appliedTo %v for rule %d of %s", atg, idx, cnp.Name)
addRule(n.toNamespacedPeerForCRD(perNSPeers, ns), direction, []string{atg})
}
}
}
}
Expand All @@ -308,7 +317,6 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *crdv1alpha1.C
n.processClusterAppliedTo(cnp.Spec.AppliedTo, atgNamesSet)
}
tierPriority := n.getTierPriority(cnp.Spec.Tier)
klog.Infof("Before uniqueness compute, selectors are %v", affectedNamespaceSelectors)
internalNetworkPolicy := &antreatypes.NetworkPolicy{
Name: internalNetworkPolicyKeyFunc(cnp),
Generation: cnp.Generation,
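Review bot: In the updateNamespace hunk, `utilsets.SymmetricDifference` discards every policy present in both sets, so a Namespace whose label change moves it from one of a policy's PerNamespaceSelectors to a different selector of the same policy (filterPerNamespaceRuleACNPsByNSLabels inserts the name on the first matching selector and breaks) is never re-synced, whereas the removed per-label diff did catch that case and the stale per-namespace appliedTo group would then keep enforcing the old rule. Unless something outside this hunk covers it, `affectedACNPs := affectedACNPsByOldLabels.Union(affectedACNPsByCurLabels)` is the safe choice: it may re-sync a policy whose match is unchanged, but it never skips one whose affected Namespaces changed. In processClusterNetworkPolicy, the new `if len(cnp.Spec.AppliedTo) > 0` branch also reverses the old precedence — previously a rule-level appliedTo overrode the spec-level one, now a rule-level appliedTo is silently ignored whenever the spec-level one is set — so either the CRD must reject that combination or a comment above the branch should state that spec-level wins; the parallel slices `clusterAppliedToAffectedNS` and `atgForNamespace` would also read better as one slice of (namespace, atg) pairs. Both enclosing functions start and end outside the hunks.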
