Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

do rbac in xdp prog #712

Merged
merged 21 commits into from
Sep 7, 2024
Merged

do rbac in xdp prog #712

merged 21 commits into from
Sep 7, 2024

Conversation

supercharge-xsy
Copy link
Contributor

What type of PR is this?
It's a continuation of the previous modification(https://github.com/kmesh-net/kmesh/pull/680)

What this PR does / why we need it:

Which issue(s) this PR fixes:
Fixes #655

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

LiZhenCheng9527
LiZhenCheng9527 reviewed Aug 10, 2024
View reviewed changes
bpf/kmesh/workload/include/authz.h Outdated Show resolved Hide resolved
bpf/kmesh/workload/include/authz.h Outdated Show resolved Hide resolved
@supercharge-xsy supercharge-xsy force-pushed the acl_xdp_dev_0810 branch 8 times, most recently from 4b284b3 to 00de04e Compare August 20, 2024 08:12
@supercharge-xsy supercharge-xsy changed the title [WIP] do rbac in xdp prog do rbac in xdp prog,support dst_port match Aug 20, 2024
@supercharge-xsy supercharge-xsy changed the title do rbac in xdp prog,support dst_port match [WIP]do rbac in xdp prog Aug 20, 2024
@supercharge-xsy
Copy link
Contributor Author

/retest

1 similar comment
@supercharge-xsy
Copy link
Contributor Author

/retest

@supercharge-xsy supercharge-xsy changed the title [WIP]do rbac in xdp prog do rbac in xdp prog Aug 20, 2024
@supercharge-xsy supercharge-xsy force-pushed the acl_xdp_dev_0810 branch 6 times, most recently from 47cf15d to 82a01b8 Compare August 24, 2024 08:18
@codecov Codecov
Copy link

codecov bot commented Aug 24, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 29.05405% with 105 lines in your changes missing coverage. Please review.

Project coverage is 52.80%. Comparing base (9bef054) to head (4c6d933).
Report is 74 commits behind head on main.

Files with missing lines Patch % Lines
pkg/cache/v2/maps/authz.go 0.00% 43 Missing ⚠️
pkg/controller/workload/workload_processor.go 24.07% 40 Missing and 1 partial ⚠️
pkg/bpf/bpf_kmesh_l4_workload.go 53.57% 7 Missing and 6 partials ⚠️
pkg/controller/workload/bpfcache/auth_policy.go 33.33% 6 Missing ⚠️
pkg/controller/workload/bpfcache/fake_map.go 81.81% 1 Missing and 1 partial ⚠️
Files with missing lines Coverage Δ
pkg/auth/policy_store.go 68.33% <ø> (ø)
pkg/bpf/bpf_kmesh_workload.go 60.82% <100.00%> (+0.37%) ⬆️
pkg/controller/workload/bpfcache/fake_map.go 83.05% <81.81%> (-0.29%) ⬇️
pkg/controller/workload/bpfcache/auth_policy.go 33.33% <33.33%> (ø)
pkg/bpf/bpf_kmesh_l4_workload.go 38.37% <53.57%> (+7.33%) ⬆️
pkg/controller/workload/workload_processor.go 62.81% <24.07%> (-5.99%) ⬇️
pkg/cache/v2/maps/authz.go 0.00% <0.00%> (ø)

... and 9 files with indirect coverage changes

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b7ebf49...4c6d933. Read the comment docs.

@supercharge-xsy
Copy link
Contributor Author

@tacslon
@nlgwcy

@supercharge-xsy
init deserial_so in worklaod mode
33bdb86 
Signed-off-by: superCharge-xsy <[email protected]>
@supercharge-xsy
support srcip and dstports rbac in xdp
921de7a 
Signed-off-by: superCharge-xsy <[email protected]>
@supercharge-xsy
add SUPPORT_IP_MATCH define
ed34f47 
Signed-off-by: superCharge-xsy <[email protected]>
@supercharge-xsy
fix unroll loop
663f8df 
Signed-off-by: superCharge-xsy <[email protected]>
@supercharge-xsy
htons when match dstport
8824e40 
Signed-off-by: superCharge-xsy <[email protected]>
@supercharge-xsy
store workload_polices to bpf map in kmesh-deamon
8477677 
Signed-off-by: superCharge-xsy <[email protected]>
@supercharge-xsy
fix test case
bf68056 
Signed-off-by: superCharge-xsy <[email protected]>
@supercharge-xsy
fix unroll compile waring
1c185a0 
Signed-off-by: superCharge-xsy <[email protected]>
@supercharge-xsy
fix ads start issues
a58eac3 
Signed-off-by: superCharge-xsy <[email protected]>
@supercharge-xsy
fix comments
b312095 
Signed-off-by: superCharge-xsy <[email protected]>
@supercharge-xsy
store policy to bpf-map by hashid instead of name
204f3b5 
Signed-off-by: superCharge-xsy <[email protected]>
@supercharge-xsy
delete redundancy code
eb000e4 
Signed-off-by: superCharge-xsy <[email protected]>
@supercharge-xsy
fix comments
883a054 
Signed-off-by: superCharge-xsy <[email protected]>
@supercharge-xsy
merge authz cache with authz records in bpfmap when kmesh restart
4066296 
Signed-off-by: superCharge-xsy <[email protected]>
@supercharge-xsy
fix conflict
944a0c5 
Signed-off-by: superCharge-xsy <[email protected]>
@supercharge-xsy
fix test
ce3903e 
Signed-off-by: superCharge-xsy <[email protected]>
@supercharge-xsy
remove debug macro and sync.once for handleRemoveAuthzPolicyDuringRes…
f83283c 
…tart

Signed-off-by: superCharge-xsy <[email protected]>
hzxuzhonghu
hzxuzhonghu reviewed Sep 6, 2024
View reviewed changes
pkg/bpf/bpf_kmesh_l4_workload.go

ret := C.deserial_init()
if ret != 0 {
l.Stop()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is already done in the defer above

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there is a condition in defer action:err !=nil

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok

hzxuzhonghu
hzxuzhonghu approved these changes Sep 6, 2024
View reviewed changes
Copy link
Member

@hzxuzhonghu hzxuzhonghu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nlgwcy defer to you to review the bpf map part

@nlgwcy
Copy link
Contributor

nlgwcy commented Sep 7, 2024

/lgtm
/approve

@kmesh-bot kmesh-bot added the lgtm label Sep 7, 2024
@kmesh-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hzxuzhonghu, nlgwcy

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kmesh-bot kmesh-bot merged commit 25f8959 into kmesh-net:main Sep 7, 2024
9 checks passed
@hzxuzhonghu
Copy link
Member

can we add a e2e case for it now

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tacslon tacslon tacslon left review comments

@weli-l weli-l weli-l left review comments

@nlgwcy nlgwcy nlgwcy left review comments

@LiZhenCheng9527 LiZhenCheng9527 LiZhenCheng9527 left review comments

@hzxuzhonghu hzxuzhonghu hzxuzhonghu approved these changes

Assignees

@tacslon tacslon

@weli-l weli-l

@nlgwcy nlgwcy

Labels
approved lgtm size/XL
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

do rbac match in xdp program
7 participants
@supercharge-xsy @tacslon @weli-l @hzxuzhonghu @nlgwcy @kmesh-bot @LiZhenCheng9527