Store NetworkPolicy in filesystem as fallback data source #5739

Merged
merged 1 commit into from
Nov 29, 2023

Commits on Nov 28, 2023

  1. Store NetworkPolicy in filesystem as fallback data source

    In the previous implementation, traffic from/to a Pod may bypass
    NetworkPolicies applied to the Pod in a time window when the agent
    restarts because realizing NetworkPolicies and enabling forwarding are
    asynchronous.
    
    This patch stores NetworkPolicy data in files when they are received,
    and makes antrea-agent fall back to using the files as data source if it
    can't connect to antrea-controller on startup. This prevents security
    regression: a NetworkPolicy that has been realized on a Node will
    continue to work even if antrea-controller is not available after
    antrea-agent restarts.
    
    The benchmark results of the storage's operations are as below:
    
    BenchmarkFileStoreAddNetworkPolicy-40              70383             16102 ns/op             520 B/op          9 allocs/op
    BenchmarkFileStoreAddAppliedToGroup-40             45382             25880 ns/op            3019 B/op          9 allocs/op
    BenchmarkFileStoreAddAddressGroup-40                7400            180000 ns/op           49538 B/op          9 allocs/op
    BenchmarkFileStoreReplaceAll-40                       10         127088004 ns/op        17815943 B/op      33099 allocs/op
    
    The disk usage when storing 1k NetworkPolicies, AddressGroups, and
    AppliedToGroups created by BenchmarkFileStoreReplaceAll is as below:
    
    16M     /var/run/antrea-test/file-store/address-groups
    4.0M    /var/run/antrea-test/file-store/applied-to-groups
    4.0M    /var/run/antrea-test/file-store/network-policies
    
    Signed-off-by: Quan Tian <[email protected]>
    tnqn committed Nov 28, 2023
    f981eac
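
The fallback described in the commit message above, as an added Go example that is not Antrea's code: `Policy`, `Save`, `LoadAll`, `InitialPolicies` and the one-JSON-file-per-policy layout are assumptions made for illustration. It shows policies being persisted on receipt and used on startup when the controller cannot be reached, with a corrupt file aborting the load.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// Policy is a simplified, hypothetical stand-in for a NetworkPolicy object.
type Policy struct{ UID, Rule string }

// Save writes a temp file then renames it, so an agent crash mid-write cannot leave a truncated policy file.
func Save(dir string, p Policy) error {
	data, _ := json.Marshal(p) // cannot fail for this struct
	final := filepath.Join(dir, filepath.Base(p.UID)+".json")
	if err := os.WriteFile(final+".tmp", data, 0o600); err != nil {
		return err
	}
	return os.Rename(final+".tmp", final)
}

// LoadAll fails closed: an unreadable file aborts the load rather than silently dropping a policy.
func LoadAll(dir string) ([]Policy, error) {
	paths, _ := filepath.Glob(filepath.Join(dir, "*.json")) // leftover ".tmp" files do not match
	var out []Policy
	for _, path := range paths {
		var p Policy
		data, err := os.ReadFile(path)
		if err != nil || json.Unmarshal(data, &p) != nil {
			return nil, fmt.Errorf("unreadable policy file %s", path)
		}
		out = append(out, p)
	}
	return out, nil
}

// InitialPolicies prefers the controller and falls back to the files on disk.
func InitialPolicies(fetch func() ([]Policy, error), dir string) ([]Policy, error) {
	if ps, err := fetch(); err == nil {
		return ps, nil
	}
	return LoadAll(dir)
}

func main() {
	dir, _ := os.MkdirTemp("", "file-store")
	Save(dir, Policy{"np-1", "deny ingress"}) // constructed sample
	fmt.Println(InitialPolicies(func() ([]Policy, error) { return nil, os.ErrNotExist }, dir))
}
```

The example does not call fsync, so it covers a process crash, not power loss.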