Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add v1beta2 support #67

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions go.mod
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
module github.com/k8snetworkplumbingwg/multi-networkpolicy-iptables

go 1.19
go 1.21

require (
github.com/containernetworking/cni v0.8.1
github.com/containernetworking/plugins v0.8.6
github.com/k8snetworkplumbingwg/multi-networkpolicy v0.0.0-20200903074708-7b3ce95ae804
github.com/k8snetworkplumbingwg/multi-networkpolicy v0.0.0-20240528155521-f76867e779b8
github.com/k8snetworkplumbingwg/network-attachment-definition-client v0.0.0-20200528071255-22c819bc6e7e
github.com/onsi/ginkgo v1.16.4
github.com/onsi/gomega v1.27.6
Expand Down
1,800 changes: 15 additions & 1,785 deletions go.sum

Large diffs are not rendered by default.

30 changes: 15 additions & 15 deletions pkg/controllers/networkpolicy.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,8 @@ import (
"sync"
"time"

multiv1beta1 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta1"
multiinformerv1beta1 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/client/informers/externalversions/k8s.cni.cncf.io/v1beta1"
multiv1beta2 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta2"
multiinformerv1beta2 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/client/informers/externalversions/k8s.cni.cncf.io/v1beta2"

"k8s.io/apimachinery/pkg/types"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
Expand All @@ -36,13 +36,13 @@ import (
type NetworkPolicyHandler interface {
// OnPolicyAdd is called whenever creation of new policy object
// is observed.
OnPolicyAdd(policy *multiv1beta1.MultiNetworkPolicy)
OnPolicyAdd(policy *multiv1beta2.MultiNetworkPolicy)
// OnPolicyUpdate is called whenever modification of an existing
// policy object is observed.
OnPolicyUpdate(oldPolicy, policy *multiv1beta1.MultiNetworkPolicy)
OnPolicyUpdate(oldPolicy, policy *multiv1beta2.MultiNetworkPolicy)
// OnPolicyDelete is called whenever deletion of an existing policy
// object is observed.
OnPolicyDelete(policy *multiv1beta1.MultiNetworkPolicy)
OnPolicyDelete(policy *multiv1beta2.MultiNetworkPolicy)
// OnPolicySynced is called once all the initial event handlers were
// called and the state is fully propagated to local cache.
OnPolicySynced()
Expand All @@ -55,7 +55,7 @@ type NetworkPolicyConfig struct {
}

// NewNetworkPolicyConfig creates a new NetworkPolicyConfig .
func NewNetworkPolicyConfig(policyInformer multiinformerv1beta1.MultiNetworkPolicyInformer, resyncPeriod time.Duration) *NetworkPolicyConfig {
func NewNetworkPolicyConfig(policyInformer multiinformerv1beta2.MultiNetworkPolicyInformer, resyncPeriod time.Duration) *NetworkPolicyConfig {
result := &NetworkPolicyConfig{
listerSynced: policyInformer.Informer().HasSynced,
}
Expand Down Expand Up @@ -91,7 +91,7 @@ func (c *NetworkPolicyConfig) Run(stopCh <-chan struct{}) {
}

func (c *NetworkPolicyConfig) handleAddPolicy(obj interface{}) {
policy, ok := obj.(*multiv1beta1.MultiNetworkPolicy)
policy, ok := obj.(*multiv1beta2.MultiNetworkPolicy)
if !ok {
utilruntime.HandleError(fmt.Errorf("unexpected object type: %v", obj))
return
Expand All @@ -104,12 +104,12 @@ func (c *NetworkPolicyConfig) handleAddPolicy(obj interface{}) {
}

func (c *NetworkPolicyConfig) handleUpdatePolicy(oldObj, newObj interface{}) {
oldPolicy, ok := oldObj.(*multiv1beta1.MultiNetworkPolicy)
oldPolicy, ok := oldObj.(*multiv1beta2.MultiNetworkPolicy)
if !ok {
utilruntime.HandleError(fmt.Errorf("unexpected object type: %v", oldObj))
return
}
policy, ok := newObj.(*multiv1beta1.MultiNetworkPolicy)
policy, ok := newObj.(*multiv1beta2.MultiNetworkPolicy)
if !ok {
utilruntime.HandleError(fmt.Errorf("unexpected object type: %v", newObj))
return
Expand All @@ -121,13 +121,13 @@ func (c *NetworkPolicyConfig) handleUpdatePolicy(oldObj, newObj interface{}) {
}

func (c *NetworkPolicyConfig) handleDeletePolicy(obj interface{}) {
policy, ok := obj.(*multiv1beta1.MultiNetworkPolicy)
policy, ok := obj.(*multiv1beta2.MultiNetworkPolicy)
if !ok {
tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
if !ok {
utilruntime.HandleError(fmt.Errorf("unexpected object type: %v", obj))
}
if policy, ok = tombstone.Obj.(*multiv1beta1.MultiNetworkPolicy); !ok {
if policy, ok = tombstone.Obj.(*multiv1beta2.MultiNetworkPolicy); !ok {
utilruntime.HandleError(fmt.Errorf("unexpected object type: %v", obj))
return
}
Expand All @@ -140,7 +140,7 @@ func (c *NetworkPolicyConfig) handleDeletePolicy(obj interface{}) {

// PolicyInfo contains information that defines a policy.
type PolicyInfo struct {
Policy *multiv1beta1.MultiNetworkPolicy
Policy *multiv1beta2.MultiNetworkPolicy
}

// Name ...
Expand Down Expand Up @@ -223,14 +223,14 @@ func (pct *PolicyChangeTracker) String() string {
return fmt.Sprintf("policyChange: %v", pct.items)
}

func (pct *PolicyChangeTracker) newPolicyInfo(policy *multiv1beta1.MultiNetworkPolicy) (*PolicyInfo, error) {
func (pct *PolicyChangeTracker) newPolicyInfo(policy *multiv1beta2.MultiNetworkPolicy) (*PolicyInfo, error) {
info := &PolicyInfo{
Policy: policy,
}
return info, nil
}

func (pct *PolicyChangeTracker) policyToPolicyMap(policy *multiv1beta1.MultiNetworkPolicy) PolicyMap {
func (pct *PolicyChangeTracker) policyToPolicyMap(policy *multiv1beta2.MultiNetworkPolicy) PolicyMap {
if policy == nil {
return nil
}
Expand All @@ -245,7 +245,7 @@ func (pct *PolicyChangeTracker) policyToPolicyMap(policy *multiv1beta1.MultiNetw
}

// Update ...
func (pct *PolicyChangeTracker) Update(previous, current *multiv1beta1.MultiNetworkPolicy) bool {
func (pct *PolicyChangeTracker) Update(previous, current *multiv1beta2.MultiNetworkPolicy) bool {
policy := current

if pct == nil {
Expand Down
18 changes: 9 additions & 9 deletions pkg/controllers/networkpolicy_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,14 +20,14 @@
//"fmt"
"time"

multiv1beta1 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta1"
multiv1beta2 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta2"
multifake "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/client/clientset/versioned/fake"
multiinformerv1beta1 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/client/informers/externalversions"
multiinformerv1beta2 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/client/informers/externalversions"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"

. "github.com/onsi/ginkgo"

Check warning on line 30 in pkg/controllers/networkpolicy_test.go

View workflow job for this annotation

GitHub Actions / test (1.21.x, ubuntu-latest)

should not use dot imports
. "github.com/onsi/gomega"
)

Expand All @@ -38,15 +38,15 @@
CounterSynced int
}

func (f *FakeNetworkPolicyConfigStub) OnPolicyAdd(_ *multiv1beta1.MultiNetworkPolicy) {
func (f *FakeNetworkPolicyConfigStub) OnPolicyAdd(_ *multiv1beta2.MultiNetworkPolicy) {
f.CounterAdd++
}

func (f *FakeNetworkPolicyConfigStub) OnPolicyUpdate(_, _ *multiv1beta1.MultiNetworkPolicy) {
func (f *FakeNetworkPolicyConfigStub) OnPolicyUpdate(_, _ *multiv1beta2.MultiNetworkPolicy) {
f.CounterUpdate++
}

func (f *FakeNetworkPolicyConfigStub) OnPolicyDelete(_ *multiv1beta1.MultiNetworkPolicy) {
func (f *FakeNetworkPolicyConfigStub) OnPolicyDelete(_ *multiv1beta2.MultiNetworkPolicy) {
f.CounterDelete++
}

Expand All @@ -57,14 +57,14 @@
func NewFakeNetworkPolicyConfig(stub *FakeNetworkPolicyConfigStub) *NetworkPolicyConfig {
configSync := 15 * time.Minute
fakeClient := multifake.NewSimpleClientset()
informerFactory := multiinformerv1beta1.NewSharedInformerFactoryWithOptions(fakeClient, configSync)
policyConfig := NewNetworkPolicyConfig(informerFactory.K8sCniCncfIo().V1beta1().MultiNetworkPolicies(), configSync)
informerFactory := multiinformerv1beta2.NewSharedInformerFactoryWithOptions(fakeClient, configSync)
policyConfig := NewNetworkPolicyConfig(informerFactory.K8sCniCncfIo().V1beta2().MultiNetworkPolicies(), configSync)
policyConfig.RegisterEventHandler(stub)
return policyConfig
}

func NewNetworkPolicy(namespace, name string) *multiv1beta1.MultiNetworkPolicy {
return &multiv1beta1.MultiNetworkPolicy{
func NewNetworkPolicy(namespace, name string) *multiv1beta2.MultiNetworkPolicy {
return &multiv1beta2.MultiNetworkPolicy{
ObjectMeta: metav1.ObjectMeta{
Namespace: namespace,
Name: name,
Expand Down
32 changes: 18 additions & 14 deletions pkg/server/policyrules.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ import (
"strings"

"github.com/k8snetworkplumbingwg/multi-networkpolicy-iptables/pkg/controllers"
multiv1beta1 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta1"
multiv1beta2 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta2"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
Expand Down Expand Up @@ -141,10 +141,10 @@ func (ipt *iptableBuffer) FinalizeRules() {

func (ipt *iptableBuffer) SaveRules(path string) error {
file, err := os.Create(path)
defer file.Close()
if err != nil {
return err
}
defer file.Close()
//_, err = ipt.filterRules.WriteTo(file)
fmt.Fprintf(file, "%s", ipt.filterRules.String())
return err
Expand Down Expand Up @@ -216,7 +216,7 @@ func (ipt *iptableBuffer) renderIngressCommon(s *Server) {
writeLine(ipt.policyCommon, "-A", ingressCommonChain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
}

func (ipt *iptableBuffer) renderIngress(s *Server, podInfo *controllers.PodInfo, idx int, policy *multiv1beta1.MultiNetworkPolicy, policyNetworks []string) {
func (ipt *iptableBuffer) renderIngress(s *Server, podInfo *controllers.PodInfo, idx int, policy *multiv1beta2.MultiNetworkPolicy, policyNetworks []string) {
chainName := fmt.Sprintf("MULTI-%d-INGRESS", idx)
ipt.CreateFilterChain(chainName)

Expand All @@ -240,7 +240,7 @@ func (ipt *iptableBuffer) renderIngress(s *Server, podInfo *controllers.PodInfo,
}
}

func (ipt *iptableBuffer) renderIngressPorts(_ *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, ports []multiv1beta1.MultiNetworkPolicyPort, policyNetworks []string) {
func (ipt *iptableBuffer) renderIngressPorts(_ *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, ports []multiv1beta2.MultiNetworkPolicyPort, policyNetworks []string) {
chainName := fmt.Sprintf("MULTI-%d-INGRESS-%d-PORTS", pIndex, iIndex)
ipt.CreateFilterChain(chainName)

Expand All @@ -255,9 +255,13 @@ func (ipt *iptableBuffer) renderIngressPorts(_ *Server, podInfo *controllers.Pod
if !podIntf.CheckPolicyNetwork(policyNetworks) {
continue
}
dport := port.Port.String()
if port.EndPort != nil {
dport = fmt.Sprintf("%s:%d", port.Port.String(), *port.EndPort)
}
writeLine(ipt.ingressPorts, "-A", chainName,
"-i", podIntf.InterfaceName,
"-m", proto, "-p", proto, "--dport", port.Port.String(),
"-m", proto, "-p", proto, "--dport", dport,
"-j", "MARK", "--set-xmark", "0x10000/0x10000")
validPorts++
}
Expand All @@ -269,10 +273,9 @@ func (ipt *iptableBuffer) renderIngressPorts(_ *Server, podInfo *controllers.Pod
"-m", "comment", "--comment", "\"no ingress ports, skipped\"",
"-j", "MARK", "--set-xmark", "0x10000/0x10000")
}
return
}

func (ipt *iptableBuffer) renderIngressFrom(s *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, from []multiv1beta1.MultiNetworkPolicyPeer, policyNetworks []string) {
func (ipt *iptableBuffer) renderIngressFrom(s *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, from []multiv1beta2.MultiNetworkPolicyPeer, policyNetworks []string) {
chainName := fmt.Sprintf("MULTI-%d-INGRESS-%d-FROM", pIndex, iIndex)
ipt.CreateFilterChain(chainName)

Expand Down Expand Up @@ -391,7 +394,6 @@ func (ipt *iptableBuffer) renderIngressFrom(s *Server, podInfo *controllers.PodI
"-m", "comment", "--comment", "\"no ingress from, skipped\"",
"-j", "MARK", "--set-xmark", "0x20000/0x20000")
}
return
}

func (ipt *iptableBuffer) renderEgressCommon(s *Server) {
Expand Down Expand Up @@ -442,7 +444,7 @@ func (ipt *iptableBuffer) renderEgressCommon(s *Server) {
writeLine(ipt.policyCommon, "-A", egressCommonChain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
}

func (ipt *iptableBuffer) renderEgress(s *Server, podInfo *controllers.PodInfo, idx int, policy *multiv1beta1.MultiNetworkPolicy, policyNetworks []string) {
func (ipt *iptableBuffer) renderEgress(s *Server, podInfo *controllers.PodInfo, idx int, policy *multiv1beta2.MultiNetworkPolicy, policyNetworks []string) {
chainName := fmt.Sprintf("MULTI-%d-EGRESS", idx)
ipt.CreateFilterChain(chainName)

Expand All @@ -465,7 +467,7 @@ func (ipt *iptableBuffer) renderEgress(s *Server, podInfo *controllers.PodInfo,
}
}

func (ipt *iptableBuffer) renderEgressPorts(_ *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, ports []multiv1beta1.MultiNetworkPolicyPort, policyNetworks []string) {
func (ipt *iptableBuffer) renderEgressPorts(_ *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, ports []multiv1beta2.MultiNetworkPolicyPort, policyNetworks []string) {
chainName := fmt.Sprintf("MULTI-%d-EGRESS-%d-PORTS", pIndex, iIndex)
ipt.CreateFilterChain(chainName)

Expand All @@ -480,9 +482,13 @@ func (ipt *iptableBuffer) renderEgressPorts(_ *Server, podInfo *controllers.PodI
if !podIntf.CheckPolicyNetwork(policyNetworks) {
continue
}
dport := port.Port.String()
if port.EndPort != nil {
dport = fmt.Sprintf("%s:%d", port.Port.String(), *port.EndPort)
}
writeLine(ipt.egressPorts, "-A", chainName,
"-o", podIntf.InterfaceName,
"-m", proto, "-p", proto, "--dport", port.Port.String(),
"-m", proto, "-p", proto, "--dport", dport,
"-j", "MARK", "--set-xmark", "0x10000/0x10000")
validPorts++
}
Expand All @@ -494,10 +500,9 @@ func (ipt *iptableBuffer) renderEgressPorts(_ *Server, podInfo *controllers.PodI
"-m", "comment", "--comment", "\"no egress ports, skipped\"",
"-j", "MARK", "--set-xmark", "0x10000/0x10000")
}
return
}

func (ipt *iptableBuffer) renderEgressTo(s *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, to []multiv1beta1.MultiNetworkPolicyPeer, policyNetworks []string) {
func (ipt *iptableBuffer) renderEgressTo(s *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, to []multiv1beta2.MultiNetworkPolicyPeer, policyNetworks []string) {
chainName := fmt.Sprintf("MULTI-%d-EGRESS-%d-TO", pIndex, iIndex)
ipt.CreateFilterChain(chainName)

Expand Down Expand Up @@ -618,7 +623,6 @@ func (ipt *iptableBuffer) renderEgressTo(s *Server, podInfo *controllers.PodInfo
"-m", "comment", "--comment", "\"no egress to, skipped\"",
"-j", "MARK", "--set-xmark", "0x20000/0x20000")
}
return
}

func (ipt *iptableBuffer) isIPFamilyCompatible(ip string) bool {
Expand Down
Loading
Loading