Merge policies (#390)
Yongli Chen authored Aug 30, 2019
1 parent 8bf1124 commit 36f188c
Showing 18 changed files with 5,416 additions and 1,158 deletions.
4 changes: 4 additions & 0 deletions npm/ipsm/ipsm.go
Expand Up @@ -119,6 +119,10 @@ func (ipsMgr *IpsetManager) DeleteList(listName string) error {

// AddToList inserts an ipset to an ipset list.
func (ipsMgr *IpsetManager) AddToList(listName string, setName string) error {
if listName == setName {
return nil
}

if ipsMgr.Exists(listName, setName, util.IpsetSetListFlag) {
return nil
}
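Review bot: The new guard at the top of AddToList returns nil when `listName == setName`, so a caller passing the same name for both gets a successful return with nothing added to the list and no trace in the log. If this is a deliberate no-op, say so above the check, `// An ipset list cannot contain itself; treat as a no-op.`; if it signals a caller bug, log it before returning so the skipped add is visible when a policy does not take effect. AddToList's body continues past the end of the hunk.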
65 changes: 40 additions & 25 deletions npm/iptm/iptm.go
Expand Up @@ -27,7 +27,6 @@ const (
type IptEntry struct {
Command string
Name string
HashedName string
Chain string
Flag string
LockWaitTimeInSeconds string
Expand Down Expand Up @@ -80,9 +79,9 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
// Add default allow CONNECTED/RELATED rule to AZURE-NPM chain.
entry.Chain = util.IptablesAzureChain
entry.Specs = []string{
util.IptablesMatchFlag,
util.IptablesModuleFlag,
util.IptablesStateModuleFlag,
util.IptablesStateFlag,
util.IptablesMatchStateFlag,
util.IptablesRelatedState + "," + util.IptablesEstablishedState,
util.IptablesJumpFlag,
util.IptablesAccept,
Expand All @@ -100,12 +99,38 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
}
}

// Create AZURE-NPM-KUBE-SYSTEM chain.
if err := iptMgr.AddChain(util.IptablesAzureKubeSystemChain); err != nil {
return err
}

// Append AZURE-NPM-KUBE-SYSTEM chain to AZURE-NPM chain.
entry = &IptEntry{
Chain: util.IptablesAzureChain,
Specs: []string{
util.IptablesJumpFlag,
util.IptablesAzureKubeSystemChain,
},
}
exists, err = iptMgr.Exists(entry)
if err != nil {
return err
}

if !exists {
iptMgr.OperationFlag = util.IptablesAppendFlag
if _, err = iptMgr.Run(entry); err != nil {
log.Errorf("Error: failed to add AZURE-NPM-KUBE-SYSTEM chain to AZURE-NPM chain.")
return err
}
}

// Create AZURE-NPM-INGRESS-PORT chain.
if err := iptMgr.AddChain(util.IptablesAzureIngressPortChain); err != nil {
return err
}

// Insert AZURE-NPM-INGRESS-PORT chain to AZURE-NPM chain.
// Append AZURE-NPM-INGRESS-PORT chain to AZURE-NPM chain.
entry.Chain = util.IptablesAzureChain
entry.Specs = []string{util.IptablesJumpFlag, util.IptablesAzureIngressPortChain}
exists, err = iptMgr.Exists(entry)
Expand All @@ -121,13 +146,8 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
}
}

// Create AZURE-NPM-INGRESS-FROM-NS chain.
if err = iptMgr.AddChain(util.IptablesAzureIngressFromNsChain); err != nil {
return err
}

// Create AZURE-NPM-INGRESS-FROM-POD chain.
if err = iptMgr.AddChain(util.IptablesAzureIngressFromPodChain); err != nil {
// Create AZURE-NPM-INGRESS-FROM chain.
if err = iptMgr.AddChain(util.IptablesAzureIngressFromChain); err != nil {
return err
}

Expand All @@ -152,13 +172,8 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
}
}

// Create AZURE-NPM-EGRESS-TO-NS chain.
if err = iptMgr.AddChain(util.IptablesAzureEgressToNsChain); err != nil {
return err
}

// Create AZURE-NPM-EGRESS-TO-POD chain.
if err = iptMgr.AddChain(util.IptablesAzureEgressToPodChain); err != nil {
// Create AZURE-NPM-EGRESS-TO chain.
if err = iptMgr.AddChain(util.IptablesAzureEgressToChain); err != nil {
return err
}

Expand All @@ -167,7 +182,7 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
return err
}

// Insert AZURE-NPM-TARGET-SETS chain to AZURE-NPM chain.
// Append AZURE-NPM-TARGET-SETS chain to AZURE-NPM chain.
entry.Chain = util.IptablesAzureChain
entry.Specs = []string{util.IptablesJumpFlag, util.IptablesAzureTargetSetsChain}
exists, err = iptMgr.Exists(entry)
Expand All @@ -190,12 +205,11 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
func (iptMgr *IptablesManager) UninitNpmChains() error {
IptablesAzureChainList := []string{
util.IptablesAzureChain,
util.IptablesAzureKubeSystemChain,
util.IptablesAzureIngressPortChain,
util.IptablesAzureIngressFromNsChain,
util.IptablesAzureIngressFromPodChain,
util.IptablesAzureIngressFromChain,
util.IptablesAzureEgressPortChain,
util.IptablesAzureEgressToNsChain,
util.IptablesAzureEgressToPodChain,
util.IptablesAzureEgressToChain,
util.IptablesAzureTargetSetsChain,
}

Expand Down Expand Up @@ -282,6 +296,7 @@ func (iptMgr *IptablesManager) DeleteChain(chain string) error {
log.Printf("Chain doesn't exist %s.", entry.Chain)
return nil
}

log.Errorf("Error: failed to delete iptables chain %s.", entry.Chain)
return err
}
Expand All @@ -291,7 +306,7 @@ func (iptMgr *IptablesManager) DeleteChain(chain string) error {

// Add adds a rule in iptables.
func (iptMgr *IptablesManager) Add(entry *IptEntry) error {
log.Printf("Add iptables entry: %+v.", entry)
log.Printf("Adding iptables entry: %+v.", entry)

exists, err := iptMgr.Exists(entry)
if err != nil {
Expand All @@ -302,7 +317,7 @@ func (iptMgr *IptablesManager) Add(entry *IptEntry) error {
return nil
}

iptMgr.OperationFlag = util.IptablesInsertionFlag
iptMgr.OperationFlag = util.IptablesAppendFlag
if _, err := iptMgr.Run(entry); err != nil {
log.Errorf("Error: failed to create iptables rules.")
return err
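Review bot: Switching `Add` from `util.IptablesInsertionFlag` to `util.IptablesAppendFlag` in the last hunk, together with appending the new AZURE-NPM-KUBE-SYSTEM jump ahead of the policy chains in InitNpmChains, makes rule precedence depend entirely on call order, and nothing in the hunks records that. Whatever AZURE-NPM-KUBE-SYSTEM accepts is decided before any ingress/egress chain is consulted (its contents are not on this page, so I cannot say what traffic that covers), and any rule routed through `Add` into the same chain lands after it; a comment at the kube-system append, `// Jumps are appended, so the order of the blocks below is evaluation order: kube-system first, then the policy chains.`, would make the invariant explicit. The `Exists` check before each append tests presence only, not position, so on a node still carrying rules from a version that inserted them the existing order is presumably kept rather than corrected — worth a sentence if that is acceptable. InitNpmChains starts and ends outside these hunks.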
90 changes: 56 additions & 34 deletions npm/namespace.go
Expand Up @@ -14,23 +14,25 @@ import (
)

type namespace struct {
name string
setMap map[string]string
podMap map[types.UID]*corev1.Pod
npMap map[string]*networkingv1.NetworkPolicy
ipsMgr *ipsm.IpsetManager
iptMgr *iptm.IptablesManager
name string
setMap map[string]string
podMap map[types.UID]*corev1.Pod
rawNpMap map[string]*networkingv1.NetworkPolicy
processedNpMap map[string]*networkingv1.NetworkPolicy
ipsMgr *ipsm.IpsetManager
iptMgr *iptm.IptablesManager
}

// newNS constructs a new namespace object.
func newNs(name string) (*namespace, error) {
ns := &namespace{
name: name,
setMap: make(map[string]string),
podMap: make(map[types.UID]*corev1.Pod),
npMap: make(map[string]*networkingv1.NetworkPolicy),
ipsMgr: ipsm.NewIpsetManager(),
iptMgr: iptm.NewIptablesManager(),
name: name,
setMap: make(map[string]string),
podMap: make(map[types.UID]*corev1.Pod),
rawNpMap: make(map[string]*networkingv1.NetworkPolicy),
processedNpMap: make(map[string]*networkingv1.NetworkPolicy),
ipsMgr: ipsm.NewIpsetManager(),
iptMgr: iptm.NewIptablesManager(),
}

return ns, nil
Expand All @@ -40,16 +42,26 @@ func isSystemNs(nsObj *corev1.Namespace) bool {
return nsObj.ObjectMeta.Name == util.KubeSystemFlag
}

func (ns *namespace) policyExists(npObj *networkingv1.NetworkPolicy) bool {
if np, exists := ns.rawNpMap[npObj.ObjectMeta.Name]; exists {
if isSamePolicy(np, npObj) {
return true
}
}

return false
}

// InitAllNsList syncs all-namespace ipset list.
func (npMgr *NetworkPolicyManager) InitAllNsList() error {
allNs := npMgr.nsMap[util.KubeAllNamespacesFlag]
for nsName := range npMgr.nsMap {
if nsName == util.KubeAllNamespacesFlag {
for ns:= range npMgr.nsMap {
if ns == util.KubeAllNamespacesFlag {
continue
}

if err := allNs.ipsMgr.AddToList(util.KubeAllNamespacesFlag, nsName); err != nil {
log.Errorf("Error: failed to add namespace set %s to list %s", nsName, util.KubeAllNamespacesFlag)
if err := allNs.ipsMgr.AddToList(util.KubeAllNamespacesFlag, ns); err != nil {
log.Errorf("Error: failed to add namespace set %s to ipset list %s", ns, util.KubeAllNamespacesFlag)
return err
}
}
Expand All @@ -60,13 +72,13 @@ func (npMgr *NetworkPolicyManager) InitAllNsList() error {
// UninitAllNsList cleans all-namespace ipset list.
func (npMgr *NetworkPolicyManager) UninitAllNsList() error {
allNs := npMgr.nsMap[util.KubeAllNamespacesFlag]
for nsName := range npMgr.nsMap {
if nsName == util.KubeAllNamespacesFlag {
for ns := range npMgr.nsMap {
if ns == util.KubeAllNamespacesFlag {
continue
}

if err := allNs.ipsMgr.DeleteFromList(util.KubeAllNamespacesFlag, nsName); err != nil {
log.Errorf("Error: failed to delete namespace set %s from list %s", nsName, util.KubeAllNamespacesFlag)
if err := allNs.ipsMgr.DeleteFromList(util.KubeAllNamespacesFlag, ns); err != nil {
log.Errorf("Error: failed to delete namespace set %s from list %s", ns, util.KubeAllNamespacesFlag)
return err
}
}
Expand All @@ -81,8 +93,8 @@ func (npMgr *NetworkPolicyManager) AddNamespace(nsObj *corev1.Namespace) error {

var err error

nsName, nsNs, nsLabel := nsObj.ObjectMeta.Name, nsObj.ObjectMeta.Namespace, nsObj.ObjectMeta.Labels
log.Printf("NAMESPACE CREATING: [%s/%s/%+v]", nsName, nsNs, nsLabel)
nsName, nsLabel := "ns-" + nsObj.ObjectMeta.Name, nsObj.ObjectMeta.Labels
log.Printf("NAMESPACE CREATING: [%s/%v]", nsName, nsLabel)

ipsMgr := npMgr.nsMap[util.KubeAllNamespacesFlag].ipsMgr
// Create ipset for the namespace.
Expand All @@ -97,16 +109,21 @@ func (npMgr *NetworkPolicyManager) AddNamespace(nsObj *corev1.Namespace) error {
}

// Add the namespace to its label's ipset list.
var labelKeys []string
nsLabels := nsObj.ObjectMeta.Labels
for nsLabelKey, nsLabelVal := range nsLabels {
labelKey := util.GetNsIpsetName(nsLabelKey, nsLabelVal)
labelKey := "ns-" + nsLabelKey
log.Printf("Adding namespace %s to ipset list %s", nsName, labelKey)
if err = ipsMgr.AddToList(labelKey, nsName); err != nil {
log.Errorf("Error: failed to add namespace %s to ipset list %s", nsName, labelKey)
return err
}
labelKeys = append(labelKeys, labelKey)

label := "ns-" + nsLabelKey + ":" + nsLabelVal
log.Printf("Adding namespace %s to ipset list %s", nsName, label)
if err = ipsMgr.AddToList(label, nsName); err != nil {
log.Errorf("Error: failed to add namespace %s to ipset list %s", nsName, label)
return err
}
}

ns, err := newNs(nsName)
Expand All @@ -122,11 +139,11 @@ func (npMgr *NetworkPolicyManager) AddNamespace(nsObj *corev1.Namespace) error {
func (npMgr *NetworkPolicyManager) UpdateNamespace(oldNsObj *corev1.Namespace, newNsObj *corev1.Namespace) error {
var err error

oldNsName, oldNsNs, oldNsLabel := oldNsObj.ObjectMeta.Name, oldNsObj.ObjectMeta.Namespace, oldNsObj.ObjectMeta.Labels
newNsName, newNsNs, newNsLabel := newNsObj.ObjectMeta.Name, newNsObj.ObjectMeta.Namespace, newNsObj.ObjectMeta.Labels
oldNsNs, oldNsLabel := "ns-" + oldNsObj.ObjectMeta.Name, oldNsObj.ObjectMeta.Labels
newNsNs, newNsLabel := "ns-" + newNsObj.ObjectMeta.Name, newNsObj.ObjectMeta.Labels
log.Printf(
"NAMESPACE UPDATING:\n old namespace: [%s/%s/%+v]\n new namespace: [%s/%s/%+v]",
oldNsName, oldNsNs, oldNsLabel, newNsName, newNsNs, newNsLabel,
"NAMESPACE UPDATING:\n old namespace: [%s/%v]\n new namespace: [%s/%v]",
oldNsNs, oldNsLabel, newNsNs, newNsLabel,
)

if err = npMgr.DeleteNamespace(oldNsObj); err != nil {
Expand All @@ -149,8 +166,8 @@ func (npMgr *NetworkPolicyManager) DeleteNamespace(nsObj *corev1.Namespace) erro

var err error

nsName, nsNs, nsLabel := nsObj.ObjectMeta.Name, nsObj.ObjectMeta.Namespace, nsObj.ObjectMeta.Labels
log.Printf("NAMESPACE DELETING: [%s/%s/%+v]", nsName, nsNs, nsLabel)
nsName, nsLabel := "ns-" + nsObj.ObjectMeta.Name, nsObj.ObjectMeta.Labels
log.Printf("NAMESPACE DELETING: [%s/%v]", nsName, nsLabel)

_, exists := npMgr.nsMap[nsName]
if !exists {
Expand All @@ -159,16 +176,21 @@ func (npMgr *NetworkPolicyManager) DeleteNamespace(nsObj *corev1.Namespace) erro

// Delete the namespace from its label's ipset list.
ipsMgr := npMgr.nsMap[util.KubeAllNamespacesFlag].ipsMgr
var labelKeys []string
nsLabels := nsObj.ObjectMeta.Labels
for nsLabelKey, nsLabelVal := range nsLabels {
labelKey := util.GetNsIpsetName(nsLabelKey, nsLabelVal)
labelKey := "ns-" + nsLabelKey
log.Printf("Deleting namespace %s from ipset list %s", nsName, labelKey)
if err = ipsMgr.DeleteFromList(labelKey, nsName); err != nil {
log.Errorf("Error: failed to delete namespace %s from ipset list %s", nsName, labelKey)
return err
}
labelKeys = append(labelKeys, labelKey)

label := "ns-" + nsLabelKey + ":" + nsLabelVal
log.Printf("Deleting namespace %s from ipset list %s", nsName, label)
if err = ipsMgr.DeleteFromList(label, nsName); err != nil {
log.Errorf("Error: failed to delete namespace %s from ipset list %s", nsName, label)
return err
}
}

// Delete the namespace from all-namespace ipset list.
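Review bot: The `"ns-"` prefix is now spelled out as a bare literal in eight places across AddNamespace, UpdateNamespace, DeleteNamespace and both label loops, replacing the `util.GetNsIpsetName` helper the old code called; a typo in any one of them silently targets a different ipset and lets the add and delete paths drift apart, so keep one constant or helper, e.g. `const nsIpsetPrefix = "ns-"` and `label := nsIpsetPrefix + nsLabelKey + ":" + nsLabelVal`. In UpdateNamespace the prefixed names are stored in `oldNsNs`/`newNsNs`, which before this change held the object's Namespace field; `oldNsName`/`newNsName` would match the other functions and the log text. `labelKeys` is appended to in both label loops but never read inside the hunks; if the remainder of AddNamespace and DeleteNamespace (outside the hunks) does not use it, it is dead code. Label keys can be long, so `"ns-" + key + ":" + value` may exceed the ipset name length limit unless IpsetManager shortens names before calling ipset — not visible here, worth confirming. `for ns:= range npMgr.nsMap` in InitAllNsList is not gofmt-clean.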
2 changes: 2 additions & 0 deletions npm/npm.go
Expand Up @@ -48,6 +48,7 @@ type NetworkPolicyManager struct {
nodeName string
nsMap map[string]*namespace
isAzureNpmChainCreated bool
isSafeToCleanUpAzureNpmChain bool

clusterState telemetry.ClusterState
reportManager *telemetry.ReportManager
Expand Down Expand Up @@ -219,6 +220,7 @@ func NewNetworkPolicyManager(clientset *kubernetes.Clientset, informerFactory in
nodeName: os.Getenv("HOSTNAME"),
nsMap: make(map[string]*namespace),
isAzureNpmChainCreated: false,
isSafeToCleanUpAzureNpmChain: false,
clusterState: telemetry.ClusterState{
PodCount: 0,
NsCount: 0,
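Review bot: `isSafeToCleanUpAzureNpmChain` is added to NetworkPolicyManager without a comment, and the name alone does not say what condition makes cleanup safe or which code path sets it to true; a one-line field comment such as `// isSafeToCleanUpAzureNpmChain: <what must hold before the AZURE-NPM chains may be removed — fill in>` would spare the next reader a search across the package. The explicit `false` in NewNetworkPolicyManager is the zero value and only needed for symmetry with `isAzureNpmChainCreated`.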
