[Flow Exporter] Fix deny connections tracking for ANP baseline tier #2542
Conversation
zyiou
force-pushed
the
zyiou/fix_deny_connections
branch
from
4e3808f
to
3ab3c06
Compare
Codecov Report
@@ Coverage Diff @@
## main #2542 +/- ##
==========================================
- Coverage 58.82% 53.23% -5.60%
==========================================
Files 281 281
Lines 22271 22268 -3
==========================================
- Hits 13101 11854 -1247
- Misses 7796 9132 +1336
+ Partials 1374 1282 -92
Flags with carried forward coverage won't be shown. Click here to find out more.
|
zyiou
force-pushed
the
zyiou/fix_deny_connections
branch
3 times, most recently
from
dfa16d4
to
499d9c0
Compare
| denyConn.EgressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition) | ||
| } | ||
| } else { // Get name and namespace for Antrea Network Policy or Antrea Cluster Network Policy | ||
| if tableID == openflow.AntreaPolicyIngressRuleTable { |
There was a problem hiding this comment.
Why are cases 1,3 / 2,4 not grouped? i.e.
if tableID == openflow.AntreaPolicyIngressRuleTable || tableID == tableID == openflow.IngressDefaultTable
unless I'm missing something obvious....
There was a problem hiding this comment.
You are right, these can be combined. Thanks!
| denyConn.EgressNetworkPolicyType = flowexporter.PolicyTypeToUint8(policy.Type) | ||
| denyConn.EgressNetworkPolicyRuleName = rule.Name | ||
| denyConn.EgressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition) | ||
| } else if tableID == openflow.IngressDefaultTable { |
There was a problem hiding this comment.
Also if we don't want to refer to ad-hoc table names here, there are actually exported functions GetAntreaPolicyEgressTables() and GetAntreaPolicyIngressTables() in pipeline.go that gives the list of tables ACNP/ANP uses for ingress/egress. Although in this particular case it seems an overkill, since we would need to check tableID for list membership to determine the direction of conn. However, it is more future-proof, in the sense that in case ACNP/ANP uses additional tables in the future, this approach saves additional changes in this file and potential bugs.
| } else if tableID == openflow.EgressDefaultTable { | ||
| denyConn.EgressNetworkPolicyType = registry.PolicyTypeK8sNetworkPolicy | ||
| denyConn.EgressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition) | ||
| } else { // Get name and namespace for Antrea Network Policy or Antrea Cluster Network Policy |
There was a problem hiding this comment.
Bug seems to be we are ignoring the ANP associated tables.
If so, please revise this description. Connection is not inside the specified table, but they are just associated with those tables.
it will be filled as K8s NetworkPolicy instead of ANP
since the connection will be in IngressDefaultTable/EgressDefaultTable.
zyiou
added
area/flow-visibility
zyiou
force-pushed
the
zyiou/fix_deny_connections
branch
2 times, most recently
from
daf7ecf
to
f349100
Compare
| for _, table := range openflow.GetAntreaPolicyIngressTables() { | ||
| if table == tableID { | ||
| denyConn.IngressNetworkPolicyName = policy.Name | ||
| denyConn.IngressNetworkPolicyNamespace = policy.Namespace | ||
| denyConn.IngressNetworkPolicyType = flowexporter.PolicyTypeToUint8(policy.Type) | ||
| denyConn.IngressNetworkPolicyRuleName = rule.Name | ||
| denyConn.IngressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition) | ||
| } else if tableID == openflow.AntreaPolicyEgressRuleTable { | ||
| } | ||
| } | ||
| for _, table := range openflow.GetAntreaPolicyEgressTables() { | ||
| if table == tableID { |
There was a problem hiding this comment.
I think it would be nice to define some local helper closure functions isAntreaPolicyIngressTables and isAntreaPolicyEgressTables
zyiou
force-pushed
the
zyiou/fix_deny_connections
branch
from
f349100
to
5661170
Compare
zyiou
force-pushed
the
zyiou/fix_deny_connections
branch
from
5661170
to
4b62df4
Compare
|
/test-all |
zyiou
force-pushed
the
zyiou/fix_deny_connections
branch
2 times, most recently
from
fae2d14
to
2c64a21
Compare
|
/test-all |
|
/test-e2e |
|
/test-e2e |
|
/test-ipv6-e2e /test-ipv6-only-e2e |
| } | ||
| if isAntreaPolicyEgressTable(tableID) { |
There was a problem hiding this comment.
nit: else if to avoid the duplicate check for ingress policy tables
If we apply a baseline ANP, in deny connections tracking of Flow Exporter, it will be filled as K8s NetworkPolicy instead of ANP since we are ignoring ANP associate tables IngressDefaultTable and EgressDefaultTable for these connections. This PR fixes it by changing the logic for assigning policy type. Signed-off-by: zyiou <zyiou@vmware.com>
zyiou
dismissed stale reviews from antoninbas, srikartati, and dreamtalen
via
cdc4a3d
zyiou
force-pushed
the
zyiou/fix_deny_connections
branch
from
2c64a21
to
cdc4a3d
Compare
|
/test-all |
If we apply a baseline ANP, in deny connections tracking of Flow
Exporter, it will be filled as K8s NetworkPolicy instead of ANP
since we are ignoring ANP associate tables IngressDefaultTable
and EgressDefaultTable for these connections.
This PR fixes it by changing the logic for assigning policy type.
Signed-off-by: zyiou zyiou@vmware.com