Add StretchedNetworkPolicy toggle (antrea-io#4429)

Add a separate toggle for StretchedNetworkPolicy on MC controller.
Rename Multicluster.Enable to EnableStretchedNetworkPolicy on Antrea
Controller.

Signed-off-by: graysonwu <[email protected]>

build/charts/antrea/README.md

@@ -85,6 +85,7 @@ Kubernetes: `>= 1.16.0-0`
 | multicast.igmpQueryInterval | string | `"125s"` | The interval at which the antrea-agent sends IGMP queries to Pods. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". |
 | multicast.multicastInterfaces | list | `[]` | Names of the interfaces on Nodes that are used to forward multicast traffic. |
 | multicluster.enable | bool | `false` | Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. This feature is supported only with encap mode. |
+| multicluster.enableStretchedNetworkPolicy | bool | `false` | Enable Multicluster which allow Antrea-native policies to select peers from other clusters in a ClusterSet. This feature is supported only with encap mode when the tunnel type is Geneve. |
 | multicluster.namespace | string | `""` | The Namespace where Antrea Multi-cluster Controller is running. The default is antrea-agent's Namespace. |
 | noSNAT | bool | `false` | Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. |
 | nodeIPAM.clusterCIDRs | list | `[]` | CIDR ranges to use when allocating Pod IP addresses. |

build/charts/antrea/conf/antrea-controller.conf

@@ -113,5 +113,5 @@ multicluster:
 {{- with .Values.multicluster }}
   # Enable Multicluster which allow Antrea-native policies to select peers
   # from other clusters in a ClusterSet.
-  enable: {{ .enable }}
+  enableStretchedNetworkPolicy: {{ .enableStretchedNetworkPolicy }}
 {{- end }}

build/charts/antrea/values.yaml

@@ -307,6 +307,10 @@ multicluster:
   # -- The Namespace where Antrea Multi-cluster Controller is running.
   # The default is antrea-agent's Namespace.
   namespace: ""
+  # -- Enable Multicluster which allow Antrea-native policies to select peers
+  # from other clusters in a ClusterSet.
+  # This feature is supported only with encap mode when the tunnel type is Geneve.
+  enableStretchedNetworkPolicy: false
 
 testing:
   ## -- enable code coverage measurement (used when testing Antrea only).

build/yamls/antrea-aks.yml

@@ -3351,7 +3351,7 @@ data:
     multicluster:
       # Enable Multicluster which allow Antrea-native policies to select peers
       # from other clusters in a ClusterSet.
-      enable: false
+      enableStretchedNetworkPolicy: false
 ---
 # Source: antrea/templates/crds/group.yaml
 apiVersion: apiextensions.k8s.io/v1
@@ -4273,7 +4273,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 5ff20899f04440bb5318887c6743bdd2cf4d784ab7d790812bdb106dde147547
+        checksum/config: 0bfe61fa131f03545550f3a41480c66a3122c1a87390077d700ca01df6371f9a
       labels:
         app: antrea
         component: antrea-agent
@@ -4514,7 +4514,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 5ff20899f04440bb5318887c6743bdd2cf4d784ab7d790812bdb106dde147547
+        checksum/config: 0bfe61fa131f03545550f3a41480c66a3122c1a87390077d700ca01df6371f9a
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-eks.yml

@@ -3351,7 +3351,7 @@ data:
     multicluster:
       # Enable Multicluster which allow Antrea-native policies to select peers
       # from other clusters in a ClusterSet.
-      enable: false
+      enableStretchedNetworkPolicy: false
 ---
 # Source: antrea/templates/crds/group.yaml
 apiVersion: apiextensions.k8s.io/v1
@@ -4273,7 +4273,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 5ff20899f04440bb5318887c6743bdd2cf4d784ab7d790812bdb106dde147547
+        checksum/config: 0bfe61fa131f03545550f3a41480c66a3122c1a87390077d700ca01df6371f9a
       labels:
         app: antrea
         component: antrea-agent
@@ -4516,7 +4516,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 5ff20899f04440bb5318887c6743bdd2cf4d784ab7d790812bdb106dde147547
+        checksum/config: 0bfe61fa131f03545550f3a41480c66a3122c1a87390077d700ca01df6371f9a
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-gke.yml

@@ -3351,7 +3351,7 @@ data:
     multicluster:
       # Enable Multicluster which allow Antrea-native policies to select peers
       # from other clusters in a ClusterSet.
-      enable: false
+      enableStretchedNetworkPolicy: false
 ---
 # Source: antrea/templates/crds/group.yaml
 apiVersion: apiextensions.k8s.io/v1
@@ -4273,7 +4273,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 2e5482899752673a14f06dc83a064f3627322feb31db5ee8df6d8c8e5c33133b
+        checksum/config: db1a9feabdabaa45a5a006e8d89bd1b3b4a4e3c67573cb98d5f3630e15d4d757
       labels:
         app: antrea
         component: antrea-agent
@@ -4513,7 +4513,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 2e5482899752673a14f06dc83a064f3627322feb31db5ee8df6d8c8e5c33133b
+        checksum/config: db1a9feabdabaa45a5a006e8d89bd1b3b4a4e3c67573cb98d5f3630e15d4d757
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-ipsec.yml

@@ -3364,7 +3364,7 @@ data:
     multicluster:
       # Enable Multicluster which allow Antrea-native policies to select peers
       # from other clusters in a ClusterSet.
-      enable: false
+      enableStretchedNetworkPolicy: false
 ---
 # Source: antrea/templates/crds/group.yaml
 apiVersion: apiextensions.k8s.io/v1
@@ -4286,7 +4286,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 4d8f8043d14832434e7a30c7c2f27952f1008fab11a01310f677b33b4be5d2c3
+        checksum/config: 1cc89e2ac8e3f6c3c1297fb1d3d8ba1f8eb1f69a7ff915fc23322d9e45237d3f
         checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
       labels:
         app: antrea
@@ -4572,7 +4572,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 4d8f8043d14832434e7a30c7c2f27952f1008fab11a01310f677b33b4be5d2c3
+        checksum/config: 1cc89e2ac8e3f6c3c1297fb1d3d8ba1f8eb1f69a7ff915fc23322d9e45237d3f
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea.yml

@@ -3351,7 +3351,7 @@ data:
     multicluster:
       # Enable Multicluster which allow Antrea-native policies to select peers
       # from other clusters in a ClusterSet.
-      enable: false
+      enableStretchedNetworkPolicy: false
 ---
 # Source: antrea/templates/crds/group.yaml
 apiVersion: apiextensions.k8s.io/v1
@@ -4273,7 +4273,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: a59d7053f2f5d85cc6f24c5c6fd662295e710658caa8708399f19189ae559c03
+        checksum/config: bb8e267e96249bf4d28379cb852eaada9d0e8d20467d58c8e8ab54e33a29fd93
       labels:
         app: antrea
         component: antrea-agent
@@ -4513,7 +4513,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: a59d7053f2f5d85cc6f24c5c6fd662295e710658caa8708399f19189ae559c03
+        checksum/config: bb8e267e96249bf4d28379cb852eaada9d0e8d20467d58c8e8ab54e33a29fd93
       labels:
         app: antrea
         component: antrea-controller

cmd/antrea-controller/controller.go

@@ -155,8 +155,6 @@ func run(o *Options) error {
 	groupEntityIndex := grouping.NewGroupEntityIndex()
 	groupEntityController := grouping.NewGroupEntityController(groupEntityIndex, podInformer, namespaceInformer, eeInformer)
 	labelIdentityIndex := labelidentity.NewLabelIdentityIndex()
-
-	multiclusterEnabled := features.DefaultFeatureGate.Enabled(features.Multicluster) && o.config.Multicluster.Enable
 	networkPolicyController := networkpolicy.NewNetworkPolicyController(client,
 		crdClient,
 		groupEntityIndex,
@@ -174,7 +172,7 @@ func run(o *Options) error {
 		appliedToGroupStore,
 		networkPolicyStore,
 		groupStore,
-		multiclusterEnabled)
+		o.config.Multicluster.EnableStretchedNetworkPolicy)
 
 	var externalNodeController *externalnode.ExternalNodeController
 	if features.DefaultFeatureGate.Enabled(features.ExternalNode) {
@@ -317,7 +315,7 @@ func run(o *Options) error {
 
 	go groupEntityController.Run(stopCh)
 
-	if multiclusterEnabled {
+	if o.config.Multicluster.EnableStretchedNetworkPolicy {
 		mcInformerFactoty := mcinformers.NewSharedInformerFactory(mcClient, informerDefaultResync)
 		labelIdentityInformer := mcInformerFactoty.Multicluster().V1alpha1().LabelIdentities()
 		labelIdentityController := labelidentity.NewLabelIdentityController(labelIdentityIndex, labelIdentityInformer)

cmd/antrea-controller/options.go

@@ -85,6 +85,10 @@ func (o *Options) validate(args []string) error {
 		klog.InfoS("The legacyCRDMirroring config option is deprecated and will be ignored (no CRD mirroring)")
 	}
 
+	if o.config.Multicluster.EnableStretchedNetworkPolicy && !features.DefaultFeatureGate.Enabled(features.Multicluster) {
+		return fmt.Errorf("EnableStretchedNetworkPolicy requires Multicluster feature gate is enabled")
+	}
+
 	return nil
 }
 

multicluster/apis/multicluster/v1alpha1/multiclusterconfig_types.go

@@ -53,6 +53,10 @@ type MultiClusterConfig struct {
 	// PodIP type requires Multi-cluster Gateway too when there is no direct Pod-to-Pod
 	// connectivity across member clusters.
 	EndpointIPType string `json:"endpointIPType,omitempty"`
+	// Enable StretchedNetworkPolicy which will export and import labelIdentities in the
+	// ClusterSet and allow Antrea-native policies to select peers from other clusters
+	// in a ClusterSet.
+	EnableStretchedNetworkPolicy bool `json:"enableStretchedNetworkPolicy,omitempty"`
 }
 
 func init() {

multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml

@@ -326,6 +326,7 @@ data:
       - ""
     gatewayIPPrecedence: "private"
     endpointIPType: "ClusterIP"
+    enableStretchedNetworkPolicy: false
 kind: ConfigMap
 metadata:
   labels:
@@ -365,7 +366,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config: 5da3da29da98cffcad8b7b40bbfcbff1273c65ce5205f4bcc9290f6bd532e9bb
+        checksum/config: 7eb0f1e65f7eb3e35b0739d6064b92b7621af0f4e41813c35bfdee71ceaefbe2
       labels:
         app: antrea
         component: antrea-mc-controller

multicluster/build/yamls/antrea-multicluster-member.yml

@@ -1050,6 +1050,7 @@ data:
       - ""
     gatewayIPPrecedence: "private"
     endpointIPType: "ClusterIP"
+    enableStretchedNetworkPolicy: false
 kind: ConfigMap
 metadata:
   labels:
@@ -1089,7 +1090,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config: 5da3da29da98cffcad8b7b40bbfcbff1273c65ce5205f4bcc9290f6bd532e9bb
+        checksum/config: 7eb0f1e65f7eb3e35b0739d6064b92b7621af0f4e41813c35bfdee71ceaefbe2
       labels:
         app: antrea
         component: antrea-mc-controller

multicluster/cmd/multicluster-controller/leader.go

@@ -90,14 +90,16 @@ func runLeader(o *Options) error {
 	if err = resExportReconciler.SetupWithManager(mgr); err != nil {
 		return fmt.Errorf("error creating ResourceExport controller: %v", err)
 	}
-	labelExportReconciler := multiclustercontrollers.NewLabelIdentityExportReconciler(
-		mgr.GetClient(),
-		mgr.GetScheme(),
-		env.GetPodNamespace())
-	if err = labelExportReconciler.SetupWithManager(mgr); err != nil {
-		return fmt.Errorf("error creating LabelIdentityExport controller: %v", err)
+	if o.EnableStretchedNetworkPolicy {
+		labelExportReconciler := multiclustercontrollers.NewLabelIdentityExportReconciler(
+			mgr.GetClient(),
+			mgr.GetScheme(),
+			env.GetPodNamespace())
+		if err = labelExportReconciler.SetupWithManager(mgr); err != nil {
+			return fmt.Errorf("error creating LabelIdentityExport controller: %v", err)
+		}
+		go labelExportReconciler.Run(stopCh)
 	}
-	go labelExportReconciler.Run(stopCh)
 
 	if err = (&multiclusterv1alpha1.ResourceExport{}).SetupWebhookWithManager(mgr); err != nil {
 		return fmt.Errorf("error creating ResourceExport webhook: %v", err)

multicluster/cmd/multicluster-controller/leader_test.go

@@ -60,26 +60,31 @@ func initMockManager(mockManager *mocks.MockManager) {
 }
 
 func TestRunLeader(t *testing.T) {
-	mockCtrl := gomock.NewController(t)
-	mockLeaderManager := mocks.NewMockManager(mockCtrl)
-	initMockManager(mockLeaderManager)
-
-	testCase := struct {
-		name      string
-		setupFunc func(o *Options) (ctrl.Manager, error)
+	testCases := []struct {
+		name    string
+		options *Options
 	}{
-		name: "Start leader controller successfully",
-		setupFunc: func(o *Options) (ctrl.Manager, error) {
-			return mockLeaderManager, nil
+		{
+			name:    "Start leader controller successfully with default options",
+			options: &Options{},
+		},
+		{
+			name:    "Start leader controller successfully with stretchedNetworkPolicy enabled",
+			options: &Options{EnableStretchedNetworkPolicy: true},
 		},
 	}
 
-	t.Run(testCase.name, func(t *testing.T) {
-		if testCase.setupFunc != nil {
-			setupManagerAndCertControllerFunc = testCase.setupFunc
+	for _, tc := range testCases {
+		mockCtrl := gomock.NewController(t)
+		mockLeaderManager := mocks.NewMockManager(mockCtrl)
+		initMockManager(mockLeaderManager)
+		setupManagerAndCertControllerFunc = func(o *Options) (ctrl.Manager, error) {
+			return mockLeaderManager, nil
 		}
 		ctrl.SetupSignalHandler = mockSetupSignalHandler
-		err := runLeader(&Options{})
-		assert.NoError(t, err, "got error when running runLeader")
-	})
+		t.Run(tc.name, func(t *testing.T) {
+			err := runLeader(tc.options)
+			assert.NoError(t, err, "got error when running runLeader")
+		})
+	}
 }

multicluster/cmd/multicluster-controller/member.go

@@ -65,6 +65,7 @@ func runMember(o *Options) error {
 	clusterSetReconciler := multiclustercontrollers.NewMemberClusterSetReconciler(mgr.GetClient(),
 		mgr.GetScheme(),
 		env.GetPodNamespace(),
+		o.EnableStretchedNetworkPolicy,
 	)
 	if err = clusterSetReconciler.SetupWithManager(mgr); err != nil {
 		return fmt.Errorf("error creating ClusterSet controller: %v", err)
@@ -79,16 +80,17 @@ func runMember(o *Options) error {
 	if err = svcExportReconciler.SetupWithManager(mgr); err != nil {
 		return fmt.Errorf("error creating ServiceExport controller: %v", err)
 	}
-	labelIdentityReconciler := multiclustercontrollers.NewLabelIdentityReconciler(
-		mgr.GetClient(),
-		mgr.GetScheme(),
-		commonAreaGetter)
-	if err = labelIdentityReconciler.SetupWithManager(mgr); err != nil {
-		return fmt.Errorf("error creating LabelIdentity controller: %v", err)
+	if o.EnableStretchedNetworkPolicy {
+		labelIdentityReconciler := multiclustercontrollers.NewLabelIdentityReconciler(
+			mgr.GetClient(),
+			mgr.GetScheme(),
+			commonAreaGetter)
+		if err = labelIdentityReconciler.SetupWithManager(mgr); err != nil {
+			return fmt.Errorf("error creating LabelIdentity controller: %v", err)
+		}
+		go labelIdentityReconciler.Run(stopCh)
 	}
 
-	go labelIdentityReconciler.Run(stopCh)
-
 	gwReconciler := multiclustercontrollers.NewGatewayReconciler(
 		mgr.GetClient(),
 		mgr.GetScheme(),

multicluster/cmd/multicluster-controller/member_test.go

@@ -63,24 +63,31 @@ func TestCommands(t *testing.T) {
 }
 
 func TestRunMember(t *testing.T) {
-	mockCtrl := gomock.NewController(t)
-	mockMemberManager := mocks.NewMockManager(mockCtrl)
-	initMockManager(mockMemberManager)
-
-	testCase := struct {
-		name      string
-		setupFunc func(o *Options) (ctrl.Manager, error)
+	testCases := []struct {
+		name    string
+		options *Options
 	}{
-		name: "Start member controller successfully",
-		setupFunc: func(o *Options) (ctrl.Manager, error) {
-			return mockMemberManager, nil
+		{
+			name:    "Start member controller successfully with default options",
+			options: &Options{},
+		},
+		{
+			name:    "Start member controller successfully with stretchedNetworkPolicy enabled",
+			options: &Options{EnableStretchedNetworkPolicy: true},
 		},
 	}
 
-	t.Run(testCase.name, func(t *testing.T) {
-		setupManagerAndCertControllerFunc = testCase.setupFunc
+	for _, tc := range testCases {
+		mockCtrl := gomock.NewController(t)
+		mockMemberManager := mocks.NewMockManager(mockCtrl)
+		initMockManager(mockMemberManager)
+		setupManagerAndCertControllerFunc = func(o *Options) (ctrl.Manager, error) {
+			return mockMemberManager, nil
+		}
 		ctrl.SetupSignalHandler = mockSetupSignalHandler
-		err := runMember(&Options{})
-		assert.NoError(t, err, "got error when running runMember")
-	})
+		t.Run(tc.name, func(t *testing.T) {
+			err := runMember(tc.options)
+			assert.NoError(t, err, "got error when running runMember")
+		})
+	}
 }