Upstream rebase (openshift#18)

* Merge pull request openshift#12 from zeeke/default-protocol

Use TCP as default for Port.Protocol

* Fix to work namespacveSelector policy, without labelSelector

* Support for `NamespaceSelector` (openshift#16)

* Add test case for namespace selector

The case is about having two namespaces with pods
and net-attach-def and a multi networkpolicy that
goes through namespace borders.

Signed-off-by: Andrea Panattoni <[email protected]>

* Add test case with net-attach-def in other ns

Signed-off-by: Andrea Panattoni <[email protected]>

* Improve logging in server.go (openshift#19)

* Add object information to update events

This should make it clearer what k8s object the
daemon is working on.

Increase verbosity threshlod for invoke handlers logs.

Signed-off-by: Andrea Panattoni <[email protected]>

* Improve error logging

Signed-off-by: Andrea Panattoni <[email protected]>

* Add IPv6 support in TODO list

* Log filter rules (openshift#23)

* Log filter rules

Logging iptables rules before applying them
can be useful to debug complex scenarios.
Setting verbosity level to 6 as they can be
quite cumbersome.

Signed-off-by: Andrea Panattoni <[email protected]>

* Clean up logging code

Signed-off-by: Andrea Panattoni <[email protected]>

* Refine policy generation routine to support multiple policies

This change refines policy rule generation to introduce conntrack
and support multiple policies in a pod. Fix openshift#17 and openshift#18

* Fix capabilities (openshift#25)

fix openshift#24

Signed-off-by: Andrea Panattoni <[email protected]>
Co-authored-by: Tomofumi Hayashi <[email protected]>

README.md

@@ -45,6 +45,7 @@ MultiNetworkPolicy creates DaemonSet and it runs `multi-networkpolicy-iptables`
 ## TODO
 
 * Bugfixing
+* IPv6 support
 * (TBD)
 
 ## Contact Us

deploy.yml

@@ -107,7 +107,7 @@ spec:
         securityContext:
           privileged: true
           capabilities:
-            add: ["SYS_ADMIN", "SYS_NET_ADMIN"]
+            add: ["SYS_ADMIN", "NET_ADMIN"]
         volumeMounts:
         - name: host
           mountPath: /host

pkg/controllers/namespace.go

@@ -22,7 +22,7 @@ import (
 	"sync"
 	"time"
 
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	coreinformers "k8s.io/client-go/informers/core/v1"
 	"k8s.io/client-go/tools/cache"
@@ -83,7 +83,7 @@ func (c *NamespaceConfig) Run(stopCh <-chan struct{}) {
 	}
 
 	for i := range c.eventHandlers {
-		klog.V(4).Infof("Calling handler.OnNamespaceSynced()")
+		klog.V(10).Infof("Calling handler.OnNamespaceSynced()")
 		c.eventHandlers[i].OnNamespaceSynced()
 	}
 }
@@ -96,7 +96,7 @@ func (c *NamespaceConfig) handleAddNamespace(obj interface{}) {
 	}
 
 	for i := range c.eventHandlers {
-		klog.V(4).Infof("Calling handler.OnNamespaceAdd")
+		klog.V(10).Infof("Calling handler.OnNamespaceAdd")
 		c.eventHandlers[i].OnNamespaceAdd(ns)
 	}
 }
@@ -113,7 +113,7 @@ func (c *NamespaceConfig) handleUpdateNamespace(oldObj, newObj interface{}) {
 		return
 	}
 	for i := range c.eventHandlers {
-		klog.V(4).Infof("Calling handler.OnNamespaceUpdate")
+		klog.V(10).Infof("Calling handler.OnNamespaceUpdate")
 		c.eventHandlers[i].OnNamespaceUpdate(oldNamespace, ns)
 	}
 }
@@ -131,7 +131,7 @@ func (c *NamespaceConfig) handleDeleteNamespace(obj interface{}) {
 		}
 	}
 	for i := range c.eventHandlers {
-		klog.V(4).Infof("Calling handler.OnNamespaceDelete")
+		klog.V(10).Infof("Calling handler.OnNamespaceDelete")
 		c.eventHandlers[i].OnNamespaceDelete(ns)
 	}
 }

pkg/controllers/net-attach-def.go

@@ -88,7 +88,7 @@ func (c *NetDefConfig) Run(stopCh <-chan struct{}) {
 	}
 
 	for i := range c.eventHandlers {
-		klog.V(4).Infof("Calling handler.OnPolicySynced()")
+		klog.V(10).Infof("Calling handler.OnNetDefSynced()")
 		c.eventHandlers[i].OnNetDefSynced()
 	}
 }
@@ -101,7 +101,7 @@ func (c *NetDefConfig) handleAddNetDef(obj interface{}) {
 	}
 
 	for i := range c.eventHandlers {
-		klog.V(4).Infof("Calling handler.OnPolicyAdd")
+		klog.V(10).Infof("Calling handler.OnNetDefAdd")
 		c.eventHandlers[i].OnNetDefAdd(netdef)
 	}
 }
@@ -118,7 +118,7 @@ func (c *NetDefConfig) handleUpdateNetDef(oldObj, newObj interface{}) {
 		return
 	}
 	for i := range c.eventHandlers {
-		klog.V(4).Infof("Calling handler.OnPolicyUpdate")
+		klog.V(10).Infof("Calling handler.OnNetDefUpdate")
 		c.eventHandlers[i].OnNetDefUpdate(oldNetDef, netdef)
 	}
 }
@@ -136,7 +136,7 @@ func (c *NetDefConfig) handleDeleteNetDef(obj interface{}) {
 		}
 	}
 	for i := range c.eventHandlers {
-		klog.V(4).Infof("Calling handler.OnNetDefDelete")
+		klog.V(10).Infof("Calling handler.OnNetDefDelete")
 		c.eventHandlers[i].OnNetDefDelete(netdef)
 	}
 }

pkg/controllers/networkpolicy.go

@@ -85,7 +85,7 @@ func (c *NetworkPolicyConfig) Run(stopCh <-chan struct{}) {
 	}
 
 	for i := range c.eventHandlers {
-		klog.V(4).Infof("Calling handler.OnPolicySynced()")
+		klog.V(10).Infof("Calling handler.OnPolicySynced()")
 		c.eventHandlers[i].OnPolicySynced()
 	}
 }
@@ -98,7 +98,7 @@ func (c *NetworkPolicyConfig) handleAddPolicy(obj interface{}) {
 	}
 
 	for i := range c.eventHandlers {
-		klog.V(4).Infof("Calling handler.OnPolicyAdd")
+		klog.V(10).Infof("Calling handler.OnPolicyAdd")
 		c.eventHandlers[i].OnPolicyAdd(policy)
 	}
 }
@@ -115,7 +115,7 @@ func (c *NetworkPolicyConfig) handleUpdatePolicy(oldObj, newObj interface{}) {
 		return
 	}
 	for i := range c.eventHandlers {
-		klog.V(4).Infof("Calling handler.OnPolicyUpdate")
+		klog.V(10).Infof("Calling handler.OnPolicyUpdate")
 		c.eventHandlers[i].OnPolicyUpdate(oldPolicy, policy)
 	}
 }
@@ -133,7 +133,7 @@ func (c *NetworkPolicyConfig) handleDeletePolicy(obj interface{}) {
 		}
 	}
 	for i := range c.eventHandlers {
-		klog.V(4).Infof("Calling handler.OnPolicyDelete")
+		klog.V(10).Infof("Calling handler.OnPolicyDelete")
 		c.eventHandlers[i].OnPolicyDelete(policy)
 	}
 }

pkg/controllers/pod.go

@@ -127,7 +127,7 @@ func (c *PodConfig) Run(stopCh <-chan struct{}) {
 	}
 
 	for i := range c.eventHandlers {
-		klog.V(9).Infof("Calling handler.OnPodSynced()")
+		klog.V(10).Infof("Calling handler.OnPodSynced()")
 		c.eventHandlers[i].OnPodSynced()
 	}
 }
@@ -140,7 +140,7 @@ func (c *PodConfig) handleAddPod(obj interface{}) {
 	}
 
 	for i := range c.eventHandlers {
-		klog.V(9).Infof("Calling handler.OnPodAdd")
+		klog.V(10).Infof("Calling handler.OnPodAdd")
 		c.eventHandlers[i].OnPodAdd(pod)
 	}
 }
@@ -157,7 +157,7 @@ func (c *PodConfig) handleUpdatePod(oldObj, newObj interface{}) {
 		return
 	}
 	for i := range c.eventHandlers {
-		klog.V(9).Infof("Calling handler.OnPodUpdate")
+		klog.V(10).Infof("Calling handler.OnPodUpdate")
 		c.eventHandlers[i].OnPodUpdate(oldPod, pod)
 	}
 }
@@ -175,7 +175,7 @@ func (c *PodConfig) handleDeletePod(obj interface{}) {
 		}
 	}
 	for i := range c.eventHandlers {
-		klog.V(9).Infof("Calling handler.OnPodDelete")
+		klog.V(10).Infof("Calling handler.OnPodDelete")
 		c.eventHandlers[i].OnPodDelete(pod)
 	}
 }

pkg/server/policyrules.go

@@ -24,8 +24,7 @@ import (
 
 	"github.com/k8snetworkplumbingwg/multi-networkpolicy-iptables/pkg/controllers"
 	multiv1beta1 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta1"
-
-	//v1 "k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/klog"
@@ -144,11 +143,6 @@ func (ipt *iptableBuffer) SaveRules(path string) error {
 }
 
 func (ipt *iptableBuffer) SyncRules(iptables utiliptables.Interface) error {
-	/*
-		fmt.Fprintf(os.Stderr, "========= filterRules\n")
-		fmt.Fprintf(os.Stderr, "%s", ipt.filterRules.String())
-		fmt.Fprintf(os.Stderr, "=========\n")
-	*/
 	return iptables.RestoreAll(ipt.filterRules.Bytes(), utiliptables.NoFlushTables, utiliptables.RestoreCounters)
 }
 
@@ -171,12 +165,17 @@ func (ipt *iptableBuffer) renderIngress(s *Server, podInfo *controllers.PodInfo,
 	ipt.CreateFilterChain(chainName)
 
 	ingresses := policy.Spec.Ingress
+	if idx == 0 {
+		writeLine(ipt.policyIndex, "-A", ingressChain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
+	}
 	for _, podIntf := range podInfo.Interfaces {
 		if podIntf.CheckPolicyNetwork(policyNetworks) {
 			comment := fmt.Sprintf("\"policy:%s net-attach-def:%s\"", policy.Name, podIntf.NetattachName)
 			writeLine(ipt.policyIndex, "-A", ingressChain,
 				"-m", "comment", "--comment", comment, "-i", podIntf.InterfaceName,
 				"-j", chainName)
+			writeLine(ipt.policyIndex, "-A", ingressChain,
+				"-m", "mark", "--mark", "0x30000/0x30000", "-j", "RETURN")
 		}
 	}
 
@@ -185,10 +184,7 @@ func (ipt *iptableBuffer) renderIngress(s *Server, podInfo *controllers.PodInfo,
 			"-j", "MARK", "--set-xmark 0x0/0x30000")
 		ipt.renderIngressPorts(s, podInfo, idx, n, ingress.Ports, policyNetworks)
 		ipt.renderIngressFrom(s, podInfo, idx, n, ingress.From, policyNetworks)
-		writeLine(ipt.policyIndex, "-A", chainName,
-			"-m", "mark", "--mark", "0x30000/0x30000", "-j", "RETURN")
 	}
-	writeLine(ipt.policyIndex, "-A", chainName, "-j", "DROP")
 }
 
 func (ipt *iptableBuffer) renderIngressPorts(s *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, ports []multiv1beta1.MultiNetworkPolicyPort, policyNetworks []string) {
@@ -200,7 +196,8 @@ func (ipt *iptableBuffer) renderIngressPorts(s *Server, podInfo *controllers.Pod
 
 	validPorts := 0
 	for _, port := range ports {
-		proto := strings.ToLower(string(*port.Protocol))
+		proto := renderProtocol(port.Protocol)
+
 		for _, podIntf := range podInfo.Interfaces {
 			if !podIntf.CheckPolicyNetwork(policyNetworks) {
 				continue
@@ -232,7 +229,7 @@ func (ipt *iptableBuffer) renderIngressFrom(s *Server, podInfo *controllers.PodI
 	s.podMap.Update(s.podChanges)
 	validPeers := 0
 	for _, peer := range from {
-		if peer.PodSelector != nil {
+		if peer.PodSelector != nil || peer.NamespaceSelector != nil {
 			podSelectorMap, err := metav1.LabelSelectorAsMap(peer.PodSelector)
 			if err != nil {
 				klog.Errorf("pod selector: %v", err)
@@ -285,6 +282,12 @@ func (ipt *iptableBuffer) renderIngressFrom(s *Server, podInfo *controllers.PodI
 								"-j", "MARK", "--set-xmark", "0x20000/0x20000")
 							validPeers++
 						}
+						// ingress should accept reverse path
+						for _, ip := range podIntf.IPs {
+							writeLine(ipt.ingressFrom, "-A", chainName,
+								"-i", podIntf.InterfaceName, "-s", ip,
+								"-j", "MARK", "--set-xmark", "0x20000/0x20000")
+						}
 					}
 				}
 			}
@@ -308,6 +311,16 @@ func (ipt *iptableBuffer) renderIngressFrom(s *Server, podInfo *controllers.PodI
 					"-j", "MARK", "--set-xmark", "0x20000/0x20000")
 				validPeers++
 			}
+			for _, podIntf := range podInfo.Interfaces {
+				if !podIntf.CheckPolicyNetwork(policyNetworks) {
+					continue
+				}
+				for _, ip := range podIntf.IPs {
+					writeLine(ipt.ingressFrom, "-A", chainName,
+						"-i", podIntf.InterfaceName, "-s", ip,
+						"-j", "MARK", "--set-xmark", "0x20000/0x20000")
+				}
+			}
 		} else {
 			klog.Errorf("unknown rule")
 		}
@@ -327,21 +340,24 @@ func (ipt *iptableBuffer) renderEgress(s *Server, podInfo *controllers.PodInfo,
 	ipt.CreateFilterChain(chainName)
 
 	egresses := policy.Spec.Egress
+	if idx == 0 {
+		writeLine(ipt.policyIndex, "-A", egressChain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
+	}
 	for _, podIntf := range podInfo.Interfaces {
 		if podIntf.CheckPolicyNetwork(policyNetworks) {
 			comment := fmt.Sprintf("\"policy:%s net-attach-def:%s\"", policy.Name, podIntf.NetattachName)
 			writeLine(ipt.policyIndex, "-A", egressChain,
 				"-m", "comment", "--comment", comment, "-o", podIntf.InterfaceName,
 				"-j", chainName)
+			writeLine(ipt.policyIndex, "-A", egressChain,
+				"-m", "mark", "--mark", "0x30000/0x30000", "-j", "RETURN")
 		}
 	}
 	for n, egress := range egresses {
 		writeLine(ipt.policyIndex, "-A", chainName, "-j", "MARK", "--set-xmark 0x0/0x30000")
 		ipt.renderEgressPorts(s, podInfo, idx, n, egress.Ports, policyNetworks)
 		ipt.renderEgressTo(s, podInfo, idx, n, egress.To, policyNetworks)
-		writeLine(ipt.policyIndex, "-A", chainName, "-m", "mark", "--mark", "0x30000/0x30000", "-j", "RETURN")
 	}
-	writeLine(ipt.policyIndex, "-A", chainName, "-j", "DROP")
 }
 
 func (ipt *iptableBuffer) renderEgressPorts(s *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, ports []multiv1beta1.MultiNetworkPolicyPort, policyNetworks []string) {
@@ -353,7 +369,8 @@ func (ipt *iptableBuffer) renderEgressPorts(s *Server, podInfo *controllers.PodI
 
 	validPorts := 0
 	for _, port := range ports {
-		proto := strings.ToLower(string(*port.Protocol))
+		proto := renderProtocol(port.Protocol)
+
 		for _, podIntf := range podInfo.Interfaces {
 			if !podIntf.CheckPolicyNetwork(policyNetworks) {
 				continue
@@ -385,7 +402,7 @@ func (ipt *iptableBuffer) renderEgressTo(s *Server, podInfo *controllers.PodInfo
 	s.podMap.Update(s.podChanges)
 	validPeers := 0
 	for _, peer := range to {
-		if peer.PodSelector != nil {
+		if peer.PodSelector != nil || peer.NamespaceSelector != nil {
 			podSelectorMap, err := metav1.LabelSelectorAsMap(peer.PodSelector)
 			if err != nil {
 				klog.Errorf("pod selector: %v", err)
@@ -439,6 +456,12 @@ func (ipt *iptableBuffer) renderEgressTo(s *Server, podInfo *controllers.PodInfo
 								"-j", "MARK", "--set-xmark", "0x20000/0x20000")
 							validPeers++
 						}
+						// egress should accept reverse path
+						for _, ip := range podIntf.IPs {
+							writeLine(ipt.egressTo, "-A", chainName,
+								"-o", podIntf.InterfaceName, "-d", ip,
+								"-j", "MARK", "--set-xmark", "0x20000/0x20000")
+						}
 					}
 				}
 			}
@@ -462,6 +485,17 @@ func (ipt *iptableBuffer) renderEgressTo(s *Server, podInfo *controllers.PodInfo
 					"-j", "MARK", "--set-xmark", "0x20000/0x20000")
 				validPeers++
 			}
+			// egress should accept reverse path
+			for _, podIntf := range podInfo.Interfaces {
+				if !podIntf.CheckPolicyNetwork(policyNetworks) {
+					continue
+				}
+				for _, ip := range podIntf.IPs {
+					writeLine(ipt.egressTo, "-A", chainName,
+						"-o", podIntf.InterfaceName, "-d", ip,
+						"-j", "MARK", "--set-xmark", "0x20000/0x20000")
+				}
+			}
 		} else {
 			klog.Errorf("unknown rule")
 		}
@@ -493,3 +527,12 @@ func writeBytesLine(buf *bytes.Buffer, bytes []byte) {
 	buf.Write(bytes)
 	buf.WriteByte('\n')
 }
+
+func renderProtocol(proto *v1.Protocol) string {
+	p := v1.ProtocolTCP
+	if proto != nil {
+		p = *proto
+	}
+
+	return strings.ToLower(string(p))
+}