
Block a Pod's IP packets until its NetworkPolicies are realized #5698

Closed

Commits on Nov 15, 2023

  1. Block a Pod's IP packets until its NetworkPolicies are realized

    In the previous implementation, traffic from/to a Pod may bypass
    NetworkPolicies applied to the Pod in a short time window when the agent
    restarts because realizing NetworkPolicies and enabling forwarding are
    asynchronous.
    
    However, we can't wait for all NetworkPolicies to be realized before
    enabling forwarding of OVS because there are some cases in which the former
    depends on the latter, for example, when proxyAll is enabled, or when
    it's a Windows Node, in which cases control-plane communication relies
    on the forwarding of OVS.
    
    This patch takes a more fine-grained approach: block a Pod's IP packets
    in NetworkPolicy's entry tables until its NetworkPolicies are realized.
    This granularity leaves the Node and the hostNetwork Pods' traffic
    untouched and makes the realization issue of a Pod's NetworkPolicies
    affect the Pod's IP packets only.
    
    The following changes are made to implement the approach:
    1. EgressSecurityClassifierTable is now always required. (Previously
       it was only required for ExternalNode, not K8sNode.)
    2. One flow with low priority dropping traffic from local Pods is
       installed in EgressSecurityClassifierTable, and one flow with low
       priority dropping traffic to local Pods is installed in
       IngressSecurityClassifierTable.
    3. When a Pod's NetworkPolicies are fully realized for the first time, one
       flow with normal priority allowing traffic from this Pod is installed
       in EgressSecurityClassifierTable to override the above drop action, and
       one flow in IngressSecurityClassifierTable does the same for traffic
       to this Pod.
    
    Signed-off-by: Quan Tian <[email protected]>
    tnqn committed Nov 15, 2023
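The fail-closed behaviour the commit message describes, as an added Go model that is not Antrea's code: each classifier table holds one low-priority drop flow matching any packet marked as local-Pod traffic, and a Pod only gets its normal-priority allow flows once its NetworkPolicies are realized. The priority values, the local-Pod mark on packets, and the "next" outcome for unmarked Node/hostNetwork traffic are assumptions made for the model.

```go
package main

const (
	egressTable    = "EgressSecurityClassifierTable"
	ingressTable   = "IngressSecurityClassifierTable"
	lowPriority    = 10  // assumed value for the catch-all drop flows
	normalPriority = 200 // assumed value for the per-Pod allow flows
)

// Flow is a simplified OpenFlow entry. LocalPod matches packets an earlier stage
// marked as from (egress) or to (ingress) a local Pod; IP "" matches any Pod.
type Flow struct {
	Table    string
	Priority int
	LocalPod bool
	IP       string
	Action   string // "drop", or "allow" (continue to the NetworkPolicy tables)
}

// Pipeline models the two NetworkPolicy entry tables as one flat flow list.
type Pipeline struct{ flows []Flow }

// NewPipeline installs the two low-priority drop flows, so every local Pod's
// traffic fails closed until PoliciesRealized is called for that Pod.
func NewPipeline() *Pipeline {
	return &Pipeline{flows: []Flow{
		{egressTable, lowPriority, true, "", "drop"},
		{ingressTable, lowPriority, true, "", "drop"},
	}}
}

// Lookup returns the action of the highest-priority matching flow, or "next"
// when none matches: unmarked Node and hostNetwork traffic is left untouched.
func (p *Pipeline) Lookup(table, ip string, localPod bool) string {
	best, action := -1, "next"
	for _, f := range p.flows {
		if f.Table == table && (!f.LocalPod || localPod) && (f.IP == "" || f.IP == ip) && f.Priority > best {
			best, action = f.Priority, f.Action
		}
	}
	return action
}

// PoliciesRealized adds the normal-priority allow flows for one Pod once its
// NetworkPolicies are fully realized, overriding the drop flows for that Pod.
func (p *Pipeline) PoliciesRealized(podIP string) {
	p.flows = append(p.flows,
		Flow{egressTable, normalPriority, true, podIP, "allow"},
		Flow{ingressTable, normalPriority, true, podIP, "allow"})
}
```

A second local Pod whose policies are not yet realized stays dropped in both tables even after the first Pod is allowed, which is the per-Pod granularity the change aims for.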