Add ACNP appliedto Nodeport svc support
Fixes antrea-io#1580
With this PR, users can use ACNP to control external access to a NodePort Service.
1. Add `service` field in `appliedTo` of ACNP.
2. Add `Service` in `AppliedToGroup` and appliedToGroup with `Service` will span to all Nodes.
3. Use groupIDs of a Service to do destination matching.
4. Use `ct_nw_src` to do source matching.

Signed-off-by: wgrayson <[email protected]>
GraysonWu committed Jul 28, 2022
1 parent 684dca3 commit 8320584
Showing 40 changed files with 1,464 additions and 300 deletions.
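--- a/build/charts/antrea/crds/clusternetworkpolicy.yaml
+++ b/build/charts/antrea/crds/clusternetworkpolicy.yaml
@@ -117,6 +117,16 @@ spec:
 required:
 - name
 - namespace
+service:
+type: object
+properties:
+name:
+type: string
+namespace:
+type: string
+required:
+- name
+- namespace
 ingress:
 type: array
 items:
@@ -190,6 +200,16 @@ spec:
 required:
 - name
 - namespace
+service:
+type: object
+properties:
+name:
+type: string
+namespace:
+type: string
+required:
+- name
+- namespace
 # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
 action:
 type: string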
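Review bot: The new `service` object under `appliedTo` is only structurally validated by this schema; the restrictions the feature relies on (the commit's docs say `service` cannot be combined with other `appliedTo` fields and limits the policy or rule to ingress) are not expressed here, so they are presumably enforced by the validating webhook rather than the API server. That matches how the sibling selector fields are handled, but nothing in the CRD tells a reader where the constraint lives, and a policy that slipped past the webhook would be accepted as valid here. A one-line comment above `service:` would close that gap, e.g. `# service is exclusive with the other appliedTo selectors and only valid for ingress; enforced outside this schema`. The same block is copied into the six generated build/yamls manifests in this commit, so the comment would propagate from the chart source.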
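--- a/build/yamls/antrea-aks.yml
+++ b/build/yamls/antrea-aks.yml
@@ -495,6 +495,16 @@ spec:
 required:
 - name
 - namespace
+service:
+type: object
+properties:
+name:
+type: string
+namespace:
+type: string
+required:
+- name
+- namespace
 ingress:
 type: array
 items:
@@ -568,6 +578,16 @@ spec:
 required:
 - name
 - namespace
+service:
+type: object
+properties:
+name:
+type: string
+namespace:
+type: string
+required:
+- name
+- namespace
 # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
 action:
 type: string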
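--- a/build/yamls/antrea-crds.yml
+++ b/build/yamls/antrea-crds.yml
@@ -488,6 +488,16 @@ spec:
 required:
 - name
 - namespace
+service:
+type: object
+properties:
+name:
+type: string
+namespace:
+type: string
+required:
+- name
+- namespace
 ingress:
 type: array
 items:
@@ -561,6 +571,16 @@ spec:
 required:
 - name
 - namespace
+service:
+type: object
+properties:
+name:
+type: string
+namespace:
+type: string
+required:
+- name
+- namespace
 # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
 action:
 type: string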
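--- a/build/yamls/antrea-eks.yml
+++ b/build/yamls/antrea-eks.yml
@@ -495,6 +495,16 @@ spec:
 required:
 - name
 - namespace
+service:
+type: object
+properties:
+name:
+type: string
+namespace:
+type: string
+required:
+- name
+- namespace
 ingress:
 type: array
 items:
@@ -568,6 +578,16 @@ spec:
 required:
 - name
 - namespace
+service:
+type: object
+properties:
+name:
+type: string
+namespace:
+type: string
+required:
+- name
+- namespace
 # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
 action:
 type: string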
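--- a/build/yamls/antrea-gke.yml
+++ b/build/yamls/antrea-gke.yml
@@ -495,6 +495,16 @@ spec:
 required:
 - name
 - namespace
+service:
+type: object
+properties:
+name:
+type: string
+namespace:
+type: string
+required:
+- name
+- namespace
 ingress:
 type: array
 items:
@@ -568,6 +578,16 @@ spec:
 required:
 - name
 - namespace
+service:
+type: object
+properties:
+name:
+type: string
+namespace:
+type: string
+required:
+- name
+- namespace
 # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
 action:
 type: string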
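--- a/build/yamls/antrea-ipsec.yml
+++ b/build/yamls/antrea-ipsec.yml
@@ -495,6 +495,16 @@ spec:
 required:
 - name
 - namespace
+service:
+type: object
+properties:
+name:
+type: string
+namespace:
+type: string
+required:
+- name
+- namespace
 ingress:
 type: array
 items:
@@ -568,6 +578,16 @@ spec:
 required:
 - name
 - namespace
+service:
+type: object
+properties:
+name:
+type: string
+namespace:
+type: string
+required:
+- name
+- namespace
 # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
 action:
 type: string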
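--- a/build/yamls/antrea.yml
+++ b/build/yamls/antrea.yml
@@ -495,6 +495,16 @@ spec:
 required:
 - name
 - namespace
+service:
+type: object
+properties:
+name:
+type: string
+namespace:
+type: string
+required:
+- name
+- namespace
 ingress:
 type: array
 items:
@@ -568,6 +578,16 @@ spec:
 required:
 - name
 - namespace
+service:
+type: object
+properties:
+name:
+type: string
+namespace:
+type: string
+required:
+- name
+- namespace
 # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
 action:
 type: string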
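--- a/docs/antrea-network-policy.md
+++ b/docs/antrea-network-policy.md
@@ -39,6 +39,7 @@
 - [Node Selector](#node-selector)
 - [toServices egress rules](#toservices-egress-rules)
 - [ServiceAccount based selection](#serviceaccount-based-selection)
+- [ACNP appliedTo NodePort Service](#acnp-appliedto-nodeport-service)
 - [ClusterGroup](#clustergroup)
 - [ClusterGroup CRD](#clustergroup-crd)
 - [kubectl commands for ClusterGroup](#kubectl-commands-for-clustergroup)
@@ -482,6 +483,10 @@ Specific Pods from specific Namespaces can be selected by providing both a
 `podSelector` and a `namespaceSelector` in the same `appliedTo` entry.
 The `appliedTo` field can also reference a ClusterGroup resource by setting
 the ClusterGroup's name in `group` field in place of the stand-alone selectors.
+The `appliedTo` field can also reference a Service by setting the Service's name
+and namespace in `service` field in place of the stand-alone selectors. Only a
+NodePort Service can be referred by this field. More details can be found in the
+[ACNPAppliedToNodePortService](#acnp-appliedto-nodeport-service) section.
 IPBlock cannot be set in the `appliedTo` field.
 An IPBlock ClusterGroup referenced in an `appliedTo` field will be ignored,
 and the policy will have no effect.
@@ -1296,6 +1301,47 @@ Note: Antrea will use a reserved label key for internal processing `serviceAccou
 The reserved label looks like: `internal.antrea.io/service-account:[ServiceAccountName]`. Users should avoid using
 this label key in any entities no matter if a policy with `serviceAccount` is applied in the cluster.
 
+### ACNP appliedTo NodePort Service
+
+Antrea ClusterNetworkPolicy features a `service` field in `appliedTo` field to enable the ACNP could be enforced
+on the traffic from external client to a NodePort Service.
+
+`service` uses `namespace` and `name` to select the Service with a specific name under a specific namespace and
+only a NodePort Service can be referred by `service` field.
+
+`service` field cannot be used with any other fields and a policy or a rule can't be applied to NodePort Service
+and other peers at the same time.
+
+Since `service` field is used to control the external access of a NodePort Service, then
+
+1. If a `appliedTo` with `service` is used at policy level, then this policy can only contain ingress rules.
+2. If a `appliedTo` with `service` is used at rule level, then this rule can only be an ingress rule.
+3. If an ingress rule is applied to a NodePort Service, then this ingress can only use `ipBlock` in its `from` field.
+
+An example policy using `service` in `appliedTo` could look like this:
+
+```yaml
+apiVersion: crd.antrea.io/v1alpha1
+kind: ClusterNetworkPolicy
+metadata:
+name: acnp-deny-external-client-nodeport-svc-access
+spec:
+priority: 5
+tier: securityops
+appliedTo:
+- service:
+name: svc-1
+namespace: ns-1
+ingress:
+- action: Drop
+from:
+- ipBlock:
+cidr: 1.1.1.0/24
+```
+
+In this example, the policy will be applied to the NodePort Service `svc-1` in Namespace `ns-1`
+and drop all packets from CIDR `1.1.1.0/24`.
+
 ## ClusterGroup
 
 A ClusterGroup (CG) CRD is a specification of how workloads are grouped together.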
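--- a/pkg/agent/controller/networkpolicy/cache.go
+++ b/pkg/agent/controller/networkpolicy/cache.go
@@ -19,6 +19,7 @@ import (
 "encoding/hex"
 "encoding/json"
 "fmt"
+"strings"
 "sync"
 
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -450,13 +451,7 @@ func (c *ruleCache) processGroupIDUpdates() {
 for {
 select {
 case svcStr := <-c.groupIDUpdates:
-toSvcRules, err := c.rules.ByIndex(toServicesIndex, svcStr)
-if err != nil {
-continue
-}
-for _, toSvcRule := range toSvcRules {
-c.dirtyRuleHandler(toSvcRule.(*rule).ID)
-}
+c.processServiceGroupIDUpdate(svcStr)
 }
 }
 }
@@ -911,3 +906,35 @@ func (c *ruleCache) unionAppliedToGroups(groupNames []string) (v1beta.GroupMembe
 }
 return set, anyExists
 }
+
+// processServiceGroupIDUpdate gets names of AppliedToGroup by Service NamespacedName.
+func (c *ruleCache) processServiceGroupIDUpdate(svcStr string) {
+c.appliedToSetLock.RLock()
+defer c.appliedToSetLock.RUnlock()
+
+// Reprocess rules if the Service referred by this rule's ToServices has updated.
+toSvcRules, err := c.rules.ByIndex(toServicesIndex, svcStr)
+if err != nil {
+return
+}
+for _, toSvcRule := range toSvcRules {
+c.dirtyRuleHandler(toSvcRule.(*rule).ID)
+}
+
+// Reprocess rules if the Service referred by rule's AppliedToGroup has updated.
+strListSvcRef := strings.Split(svcStr, "/")
+if len(strListSvcRef) != 2 {
+return
+}
+member := &v1beta.GroupMember{
+Service: &v1beta.ServiceReference{
+Name: strListSvcRef[1],
+Namespace: strListSvcRef[0],
+},
+}
+for group, memberSet := range c.appliedToSetByGroup {
+if memberSet.Has(member) {
+c.onAppliedToGroupUpdate(group)
+}
+}
+}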
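Review bot: processServiceGroupIDUpdate holds appliedToSetLock for reading across the calls to dirtyRuleHandler and onAppliedToGroupUpdate; if either callee takes appliedToSetLock itself (a write lock, or even an RLock while a writer is queued), the single goroutine in processGroupIDUpdates deadlocks and no further groupID updates reach the flow rules, leaving stale policy for the affected Service. Neither callee is visible on this page, so this needs verifying; collecting the matching group names under the lock and invoking the callbacks after releasing it removes the dependency on how the callees lock. The doc comment also undersells what the function does, and a `return` on the ByIndex error or on a malformed svcStr drops the update silently, so a log line at those two points would make a missed reprocessing diagnosable. Suggested doc comment: `// processServiceGroupIDUpdate marks rules whose ToServices reference svcStr dirty and re-triggers updates for AppliedToGroups that contain the Service, so a groupID change is reflected in their flows.` The key type of appliedToSetByGroup is not visible here; the sketch below assumes string.
```go
// processServiceGroupIDUpdate marks rules whose ToServices reference svcStr dirty and
// re-triggers updates for AppliedToGroups that contain the Service, so a groupID change
// is reflected in their flows.
func (c *ruleCache) processServiceGroupIDUpdate(svcStr string) {
	// … unchanged: ToServices index lookup and dirtyRuleHandler loop, without the RLock …
	strListSvcRef := strings.Split(svcStr, "/")
	if len(strListSvcRef) != 2 {
		return
	}
	member := &v1beta.GroupMember{
		Service: &v1beta.ServiceReference{
			Name:      strListSvcRef[1],
			Namespace: strListSvcRef[0],
		},
	}
	// Collect matches under the read lock, then notify with the lock released so
	// onAppliedToGroupUpdate is free to lock appliedToSetLock itself.
	var groups []string
	c.appliedToSetLock.RLock()
	for group, memberSet := range c.appliedToSetByGroup {
		if memberSet.Has(member) {
			groups = append(groups, group)
		}
	}
	c.appliedToSetLock.RUnlock()
	for _, group := range groups {
		c.onAppliedToGroupUpdate(group)
	}
}
```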
