Report NetworkPolicy destined for Services as invalid when proxyAll is disabled

[hongliangl]

When AntreaProxy proxyAll is not enabled, the following usages are invalid:

• For an ingress NetworkPolicy, which is applied to Services. Note that,
  such ingress NetworkPolicy can be only applied to NodePort Services. As
  a result, proxyAll should be also enabled.
• For an egress NetworkPolicy, which is to Services. Note that, headless
  Services are not supported.

Signed-off-by: Hongliang Liu [email protected]

[tnqn]

We support reporting realization failure to NetworkPolicy condition. The error should be reported to antrea-controller to update the condition, instead of ignoring the rule without any error.

[hongliangl]

Do we have any existing methods to report the message like this from agent to controller currently?

[tnqn]

We haven't done it before in agent but I think the method is there, just change v1beta2.NetworkPolicyStatus to reflect the failure. It could be generic for any failure we get from the reconciler.
BTW, I think cache.go is not a good place to perform the validation. It's implementation specific so should be validated by reconciler.go

[antoninbas]

IIRC, this Message will be included in the Status for the network policy CR, using a NetworkPolicyCondition.
Should we make some transformation in the controller, given that the rule ID is not meaningful to users?

[hongliangl]

Should we make some transformation in the controller, given that the rule ID is not meaningful to users?

You are right, the rule ID is not meaningful to users. Do you mean that we should provide more information in the message? Like Service name and namespace? Or something else?

[antoninbas]

Should we handle both cases (applied to service / selects services as peers with toServices) separately?
It would make sense to me because:

1. the first case (appliedTo) doesn't only require AntreaProxy, I think it also requires proxyAll? Should we add this to the validation?
2. we may be able to generate a better error message
3. isToServicesPolicyRule is not a great function name IMO; the name implies that we only consider the second case (toServices)

[hongliangl]

the first case (appliedTo) doesn't only require AntreaProxy, I think it also requires proxyAll? Should we add this to the validation?

The feature applied to Service should only require AntreaProxy. It is added in this #2755. Do you mean that we should add validation here

antrea/pkg/agent/controller/networkpolicy/networkpolicy_controller.go

Line 621 in 9e84a68

rule, effective, realizable := c.ruleCache.GetCompletedRule(key)

If so, for the first case, the expected result of realizable should be false. But it is a little strange that adding antreaProxyEnabled member to struct ruleCache.

we may be able to generate a better error message

Do you mean that we should generate more detailed error log here?

isToServicesPolicyRule is not a great function name IMO; the name implies that we only consider the second case (toServices)

How about isAppliedToServiceIngressPolicyRule() and isToServicesEgressPolicyRule()?

[antoninbas]

I think the appliedTo case (different from toServices as an egress rule) was added in #3997, and does require ProxyAll?
@tnqn am I missing something?

[hongliangl]

@antoninbas Sorry for updating late. I have verified it with @GraysonWu. It does require proxyAll for appliedTo case.

[tnqn]

Yes, I believe both cases need AntreaProxy, and AppliedToService also needs proxyAll.

[tnqn]

I think we shouldn't add these implementatic specific checks in controller. Such special handling could eventually make syncRule extremely long and very specific to implementation, especially when the controller is extended to support more scenarios, like Node policy.

It should be the reconciler instead of the controller to do such check as it's the one knowing how to implement the rule. The reconciler should return an error to controller when it's unable to implement it and the controller should just report the error in a generic way to antrea-controller, without the need to know what's the error. In this way, the workflow can be reused by any realization failure in the future.

[tnqn]

Just found I commented the same before: #5591 (comment)

[hongliangl]

Do you meant that we should do such checks in reconciler.go. If a rule is invalid, it should return an error, then we report the error to antrea-controller through statusController? If so, do we still need to requeue the rule? If statusController is not enabled, what should we do? Just log something?

[tnqn]

Could we change realizedRules to track both realized and failed rules? otherwise you will have to ensure the two storage are exclusive. We could also change SetRuleRealization to support setting both success and failure.

[hongliangl]

Make sense, I'll try that.

[github-actions]

This PR is stale because it has been open 90 days with no activity. Remove stale label or comment, or this will be closed in 90 days

[github-actions]

This PR is stale because it has been open 90 days with no activity. Remove stale label or comment, or this will be closed in 90 days

[luolanzone]

@hongliangl is this still a valid change? please reopen it if you plan to move forward.