Block a Pod's IP packets until its NetworkPolicies are realized
In the previous implementation, traffic from/to a Pod may bypass NetworkPolicies applied to the Pod in a short time window when the agent restarts, because realizing NetworkPolicies and enabling forwarding are asynchronous. However, we can't wait for all NetworkPolicies to be realized before enabling forwarding of OVS because there are some cases where the former depends on the latter, for example, when proxyAll is enabled, or when it's a Windows Node, in which cases control-plane communication relies on the forwarding of OVS.

This patch takes a more fine-grained approach: block a Pod's IP packets in NetworkPolicy's entry tables until its NetworkPolicies are realized. This granularity leaves the Node and the hostNetwork Pods' traffic untouched and makes the realization issue of a Pod's NetworkPolicies affect the Pod's IP packets only.

The following changes are made to implement the approach:

1. EgressSecurityClassifierTable is now always required. (Previously it was only required for ExternalNode, not K8sNode.)
2. One flow with low priority dropping traffic from local Pods is installed in EgressSecurityClassifierTable, and one flow with low priority dropping traffic to local Pods is installed in IngressSecurityClassifierTable.
3. When a Pod's NetworkPolicies are fully realized the first time, one flow with normal priority allowing traffic from this Pod is installed in EgressSecurityClassifierTable to override the above drop action, and one flow in IngressSecurityClassifierTable does the same for traffic to this Pod.

Signed-off-by: Quan Tian <qtian@vmware.com>
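The fail-closed mechanism described in the commit message rests on OpenFlow priority ordering: a low-priority catch-all drop covers every local Pod IP, and a higher-priority per-Pod allow flow, installed only once that Pod's policies are realized, shadows the drop. The following Go program is an added illustration written for this page, not Antrea's code: it models the two entry tables as priority-ordered flow lists so the behaviour can be checked offline. The table names come from the commit message; the priority values, the `Classifier` type, the method names and the Pod IPs are constructed for the example.

```go
package main

import "fmt"

// Action is the verdict of a classifier table lookup.
type Action int

const (
	Drop  Action = iota // packet is discarded
	Allow               // packet proceeds to the NetworkPolicy tables that follow
)

// Flow is a simplified OpenFlow entry: a priority, a match, and an action.
// MatchIP == "" stands for "any IP belonging to a local Pod" (the catch-all drop);
// otherwise the flow matches exactly that Pod IP.
type Flow struct {
	Priority int
	MatchIP  string
	Action   Action
}

// Table is a priority-ordered flow table. The highest-priority matching flow wins,
// as in OVS; a table miss lets the packet continue (Allow).
type Table struct {
	Name  string
	Flows []Flow
}

// Lookup returns the action for a packet whose classified IP is ip (source IP for the
// egress table, destination IP for the ingress table). localPods is the set of Pod IPs
// hosted on this Node; Node and hostNetwork traffic is not in it and therefore misses.
func (t *Table) Lookup(ip string, localPods map[string]bool) Action {
	best, action := -1, Allow
	for _, f := range t.Flows {
		if f.MatchIP == "" && !localPods[ip] {
			continue // the catch-all only covers local Pod IPs
		}
		if f.MatchIP != "" && f.MatchIP != ip {
			continue
		}
		if f.Priority > best {
			best, action = f.Priority, f.Action
		}
	}
	return action
}

// Priorities are constructed for this model; they are not Antrea's real values.
const (
	catchAllPriority = 10  // low-priority "drop local Pod traffic" flows
	realizedPriority = 100 // normal-priority "this Pod's policies are realized" flows
)

// Classifier holds the two entry tables and the local Pod set (hypothetical type).
type Classifier struct {
	Egress    Table
	Ingress   Table
	localPods map[string]bool
}

// NewClassifier installs the two low-priority drop flows described in the commit message.
func NewClassifier() *Classifier {
	return &Classifier{
		Egress:    Table{Name: "EgressSecurityClassifierTable", Flows: []Flow{{catchAllPriority, "", Drop}}},
		Ingress:   Table{Name: "IngressSecurityClassifierTable", Flows: []Flow{{catchAllPriority, "", Drop}}},
		localPods: map[string]bool{},
	}
}

// AddLocalPod registers a Pod IP on this Node. Until MarkRealized is called for it,
// the catch-all flows drop the Pod's packets in both directions.
func (c *Classifier) AddLocalPod(ip string) { c.localPods[ip] = true }

// MarkRealized is called once the Pod's NetworkPolicies are fully realized: it installs
// the per-Pod allow flows that override the catch-all drops.
func (c *Classifier) MarkRealized(ip string) {
	c.Egress.Flows = append(c.Egress.Flows, Flow{realizedPriority, ip, Allow})
	c.Ingress.Flows = append(c.Ingress.Flows, Flow{realizedPriority, ip, Allow})
}

// EgressAllowed reports whether a packet with source IP src passes the egress entry table.
func (c *Classifier) EgressAllowed(src string) bool {
	return c.Egress.Lookup(src, c.localPods) == Allow
}

// IngressAllowed reports whether a packet with destination IP dst passes the ingress entry table.
func (c *Classifier) IngressAllowed(dst string) bool {
	return c.Ingress.Lookup(dst, c.localPods) == Allow
}

func main() {
	c := NewClassifier()
	c.AddLocalPod("10.10.0.5") // constructed Pod IPs
	c.AddLocalPod("10.10.0.6")
	fmt.Println("before realization, Pod 10.10.0.5 egress allowed:", c.EgressAllowed("10.10.0.5"))
	fmt.Println("Node IP 10.10.0.1 egress allowed (untouched):", c.EgressAllowed("10.10.0.1"))
	c.MarkRealized("10.10.0.5")
	fmt.Println("after realization, Pod 10.10.0.5 egress allowed:", c.EgressAllowed("10.10.0.5"))
	fmt.Println("Pod 10.10.0.6 (not yet realized) ingress allowed:", c.IngressAllowed("10.10.0.6"))
}
```

The point to verify is the ordering of events: a Pod that has been added but not yet marked realized is dropped in both directions, traffic whose IP is not a local Pod (the Node itself, hostNetwork Pods) never matches the catch-all and passes, and marking one Pod realized does not open the window for any other Pod on the Node.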
Showing 23 changed files with 826 additions and 203 deletions.