Adds MultiNetworkPolicy v1beta2 support

Allows us to specify `endPort` to create port ranges in rules

go.mod

@@ -1,11 +1,11 @@
 module github.com/k8snetworkplumbingwg/multi-networkpolicy-iptables
 
-go 1.19
+go 1.21
 
 require (
 	github.com/containernetworking/cni v0.8.1
 	github.com/containernetworking/plugins v0.8.6
-	github.com/k8snetworkplumbingwg/multi-networkpolicy v0.0.0-20200903074708-7b3ce95ae804
+	github.com/k8snetworkplumbingwg/multi-networkpolicy v0.0.0-20240528155521-f76867e779b8
 	github.com/k8snetworkplumbingwg/network-attachment-definition-client v0.0.0-20200528071255-22c819bc6e7e
 	github.com/onsi/ginkgo v1.16.4
 	github.com/onsi/gomega v1.27.6

pkg/controllers/networkpolicy.go

@@ -22,8 +22,8 @@ import (
 	"sync"
 	"time"
 
-	multiv1beta1 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta1"
-	multiinformerv1beta1 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/client/informers/externalversions/k8s.cni.cncf.io/v1beta1"
+	multiv1beta2 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta2"
+	multiinformerv1beta2 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/client/informers/externalversions/k8s.cni.cncf.io/v1beta2"
 
 	"k8s.io/apimachinery/pkg/types"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -36,13 +36,13 @@ import (
 type NetworkPolicyHandler interface {
 	// OnPolicyAdd is called whenever creation of new policy object
 	// is observed.
-	OnPolicyAdd(policy *multiv1beta1.MultiNetworkPolicy)
+	OnPolicyAdd(policy *multiv1beta2.MultiNetworkPolicy)
 	// OnPolicyUpdate is called whenever modification of an existing
 	// policy object is observed.
-	OnPolicyUpdate(oldPolicy, policy *multiv1beta1.MultiNetworkPolicy)
+	OnPolicyUpdate(oldPolicy, policy *multiv1beta2.MultiNetworkPolicy)
 	// OnPolicyDelete is called whenever deletion of an existing policy
 	// object is observed.
-	OnPolicyDelete(policy *multiv1beta1.MultiNetworkPolicy)
+	OnPolicyDelete(policy *multiv1beta2.MultiNetworkPolicy)
 	// OnPolicySynced is called once all the initial event handlers were
 	// called and the state is fully propagated to local cache.
 	OnPolicySynced()
@@ -55,7 +55,7 @@ type NetworkPolicyConfig struct {
 }
 
 // NewNetworkPolicyConfig creates a new NetworkPolicyConfig .
-func NewNetworkPolicyConfig(policyInformer multiinformerv1beta1.MultiNetworkPolicyInformer, resyncPeriod time.Duration) *NetworkPolicyConfig {
+func NewNetworkPolicyConfig(policyInformer multiinformerv1beta2.MultiNetworkPolicyInformer, resyncPeriod time.Duration) *NetworkPolicyConfig {
 	result := &NetworkPolicyConfig{
 		listerSynced: policyInformer.Informer().HasSynced,
 	}
@@ -91,7 +91,7 @@ func (c *NetworkPolicyConfig) Run(stopCh <-chan struct{}) {
 }
 
 func (c *NetworkPolicyConfig) handleAddPolicy(obj interface{}) {
-	policy, ok := obj.(*multiv1beta1.MultiNetworkPolicy)
+	policy, ok := obj.(*multiv1beta2.MultiNetworkPolicy)
 	if !ok {
 		utilruntime.HandleError(fmt.Errorf("unexpected object type: %v", obj))
 		return
@@ -104,12 +104,12 @@ func (c *NetworkPolicyConfig) handleAddPolicy(obj interface{}) {
 }
 
 func (c *NetworkPolicyConfig) handleUpdatePolicy(oldObj, newObj interface{}) {
-	oldPolicy, ok := oldObj.(*multiv1beta1.MultiNetworkPolicy)
+	oldPolicy, ok := oldObj.(*multiv1beta2.MultiNetworkPolicy)
 	if !ok {
 		utilruntime.HandleError(fmt.Errorf("unexpected object type: %v", oldObj))
 		return
 	}
-	policy, ok := newObj.(*multiv1beta1.MultiNetworkPolicy)
+	policy, ok := newObj.(*multiv1beta2.MultiNetworkPolicy)
 	if !ok {
 		utilruntime.HandleError(fmt.Errorf("unexpected object type: %v", newObj))
 		return
@@ -121,13 +121,13 @@ func (c *NetworkPolicyConfig) handleUpdatePolicy(oldObj, newObj interface{}) {
 }
 
 func (c *NetworkPolicyConfig) handleDeletePolicy(obj interface{}) {
-	policy, ok := obj.(*multiv1beta1.MultiNetworkPolicy)
+	policy, ok := obj.(*multiv1beta2.MultiNetworkPolicy)
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
 			utilruntime.HandleError(fmt.Errorf("unexpected object type: %v", obj))
 		}
-		if policy, ok = tombstone.Obj.(*multiv1beta1.MultiNetworkPolicy); !ok {
+		if policy, ok = tombstone.Obj.(*multiv1beta2.MultiNetworkPolicy); !ok {
 			utilruntime.HandleError(fmt.Errorf("unexpected object type: %v", obj))
 			return
 		}
@@ -140,7 +140,7 @@ func (c *NetworkPolicyConfig) handleDeletePolicy(obj interface{}) {
 
 // PolicyInfo contains information that defines a policy.
 type PolicyInfo struct {
-	Policy *multiv1beta1.MultiNetworkPolicy
+	Policy *multiv1beta2.MultiNetworkPolicy
 }
 
 // Name ...
@@ -223,14 +223,14 @@ func (pct *PolicyChangeTracker) String() string {
 	return fmt.Sprintf("policyChange: %v", pct.items)
 }
 
-func (pct *PolicyChangeTracker) newPolicyInfo(policy *multiv1beta1.MultiNetworkPolicy) (*PolicyInfo, error) {
+func (pct *PolicyChangeTracker) newPolicyInfo(policy *multiv1beta2.MultiNetworkPolicy) (*PolicyInfo, error) {
 	info := &PolicyInfo{
 		Policy: policy,
 	}
 	return info, nil
 }
 
-func (pct *PolicyChangeTracker) policyToPolicyMap(policy *multiv1beta1.MultiNetworkPolicy) PolicyMap {
+func (pct *PolicyChangeTracker) policyToPolicyMap(policy *multiv1beta2.MultiNetworkPolicy) PolicyMap {
 	if policy == nil {
 		return nil
 	}
@@ -245,7 +245,7 @@ func (pct *PolicyChangeTracker) policyToPolicyMap(policy *multiv1beta1.MultiNetw
 }
 
 // Update ...
-func (pct *PolicyChangeTracker) Update(previous, current *multiv1beta1.MultiNetworkPolicy) bool {
+func (pct *PolicyChangeTracker) Update(previous, current *multiv1beta2.MultiNetworkPolicy) bool {
 	policy := current
 
 	if pct == nil {

pkg/controllers/networkpolicy_test.go

@@ -20,9 +20,9 @@ import (
 	//"fmt"
 	"time"
 
-	multiv1beta1 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta1"
+	multiv1beta2 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta2"
 	multifake "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/client/clientset/versioned/fake"
-	multiinformerv1beta1 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/client/informers/externalversions"
+	multiinformerv1beta2 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/client/informers/externalversions"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
@@ -38,15 +38,15 @@ type FakeNetworkPolicyConfigStub struct {
 	CounterSynced int
 }
 
-func (f *FakeNetworkPolicyConfigStub) OnPolicyAdd(_ *multiv1beta1.MultiNetworkPolicy) {
+func (f *FakeNetworkPolicyConfigStub) OnPolicyAdd(_ *multiv1beta2.MultiNetworkPolicy) {
 	f.CounterAdd++
 }
 
-func (f *FakeNetworkPolicyConfigStub) OnPolicyUpdate(_, _ *multiv1beta1.MultiNetworkPolicy) {
+func (f *FakeNetworkPolicyConfigStub) OnPolicyUpdate(_, _ *multiv1beta2.MultiNetworkPolicy) {
 	f.CounterUpdate++
 }
 
-func (f *FakeNetworkPolicyConfigStub) OnPolicyDelete(_ *multiv1beta1.MultiNetworkPolicy) {
+func (f *FakeNetworkPolicyConfigStub) OnPolicyDelete(_ *multiv1beta2.MultiNetworkPolicy) {
 	f.CounterDelete++
 }
 
@@ -57,14 +57,14 @@ func (f *FakeNetworkPolicyConfigStub) OnPolicySynced() {
 func NewFakeNetworkPolicyConfig(stub *FakeNetworkPolicyConfigStub) *NetworkPolicyConfig {
 	configSync := 15 * time.Minute
 	fakeClient := multifake.NewSimpleClientset()
-	informerFactory := multiinformerv1beta1.NewSharedInformerFactoryWithOptions(fakeClient, configSync)
-	policyConfig := NewNetworkPolicyConfig(informerFactory.K8sCniCncfIo().V1beta1().MultiNetworkPolicies(), configSync)
+	informerFactory := multiinformerv1beta2.NewSharedInformerFactoryWithOptions(fakeClient, configSync)
+	policyConfig := NewNetworkPolicyConfig(informerFactory.K8sCniCncfIo().V1beta2().MultiNetworkPolicies(), configSync)
 	policyConfig.RegisterEventHandler(stub)
 	return policyConfig
 }
 
-func NewNetworkPolicy(namespace, name string) *multiv1beta1.MultiNetworkPolicy {
-	return &multiv1beta1.MultiNetworkPolicy{
+func NewNetworkPolicy(namespace, name string) *multiv1beta2.MultiNetworkPolicy {
+	return &multiv1beta2.MultiNetworkPolicy{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: namespace,
 			Name:      name,

pkg/server/policyrules.go

@@ -23,7 +23,7 @@ import (
 	"strings"
 
 	"github.com/k8snetworkplumbingwg/multi-networkpolicy-iptables/pkg/controllers"
-	multiv1beta1 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta1"
+	multiv1beta2 "github.com/k8snetworkplumbingwg/multi-networkpolicy/pkg/apis/k8s.cni.cncf.io/v1beta2"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
@@ -141,10 +141,10 @@ func (ipt *iptableBuffer) FinalizeRules() {
 
 func (ipt *iptableBuffer) SaveRules(path string) error {
 	file, err := os.Create(path)
-	defer file.Close()
 	if err != nil {
 		return err
 	}
+	defer file.Close()
 	//_, err = ipt.filterRules.WriteTo(file)
 	fmt.Fprintf(file, "%s", ipt.filterRules.String())
 	return err
@@ -216,7 +216,7 @@ func (ipt *iptableBuffer) renderIngressCommon(s *Server) {
 	writeLine(ipt.policyCommon, "-A", ingressCommonChain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
 }
 
-func (ipt *iptableBuffer) renderIngress(s *Server, podInfo *controllers.PodInfo, idx int, policy *multiv1beta1.MultiNetworkPolicy, policyNetworks []string) {
+func (ipt *iptableBuffer) renderIngress(s *Server, podInfo *controllers.PodInfo, idx int, policy *multiv1beta2.MultiNetworkPolicy, policyNetworks []string) {
 	chainName := fmt.Sprintf("MULTI-%d-INGRESS", idx)
 	ipt.CreateFilterChain(chainName)
 
@@ -240,7 +240,7 @@ func (ipt *iptableBuffer) renderIngress(s *Server, podInfo *controllers.PodInfo,
 	}
 }
 
-func (ipt *iptableBuffer) renderIngressPorts(_ *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, ports []multiv1beta1.MultiNetworkPolicyPort, policyNetworks []string) {
+func (ipt *iptableBuffer) renderIngressPorts(_ *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, ports []multiv1beta2.MultiNetworkPolicyPort, policyNetworks []string) {
 	chainName := fmt.Sprintf("MULTI-%d-INGRESS-%d-PORTS", pIndex, iIndex)
 	ipt.CreateFilterChain(chainName)
 
@@ -255,11 +255,20 @@ func (ipt *iptableBuffer) renderIngressPorts(_ *Server, podInfo *controllers.Pod
 			if !podIntf.CheckPolicyNetwork(policyNetworks) {
 				continue
 			}
-			writeLine(ipt.ingressPorts, "-A", chainName,
-				"-i", podIntf.InterfaceName,
-				"-m", proto, "-p", proto, "--dport", port.Port.String(),
-				"-j", "MARK", "--set-xmark", "0x10000/0x10000")
-			validPorts++
+			if port.EndPort != nil {
+				writeLine(ipt.ingressPorts, "-A", chainName,
+					"-i", podIntf.InterfaceName,
+					"-m", proto, "-p", proto, "--dport", fmt.Sprintf("%s:%d", port.Port.String(), *port.EndPort),
+					"-j", "MARK", "--set-xmark", "0x10000/0x10000")
+				validPorts++
+				klog.Infof("DEBUG: %+v", ipt.ingressPorts)
+			} else {
+				writeLine(ipt.ingressPorts, "-A", chainName,
+					"-i", podIntf.InterfaceName,
+					"-m", proto, "-p", proto, "--dport", port.Port.String(),
+					"-j", "MARK", "--set-xmark", "0x10000/0x10000")
+				validPorts++
+			}
 		}
 	}
 
@@ -269,10 +278,9 @@ func (ipt *iptableBuffer) renderIngressPorts(_ *Server, podInfo *controllers.Pod
 			"-m", "comment", "--comment", "\"no ingress ports, skipped\"",
 			"-j", "MARK", "--set-xmark", "0x10000/0x10000")
 	}
-	return
 }
 
-func (ipt *iptableBuffer) renderIngressFrom(s *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, from []multiv1beta1.MultiNetworkPolicyPeer, policyNetworks []string) {
+func (ipt *iptableBuffer) renderIngressFrom(s *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, from []multiv1beta2.MultiNetworkPolicyPeer, policyNetworks []string) {
 	chainName := fmt.Sprintf("MULTI-%d-INGRESS-%d-FROM", pIndex, iIndex)
 	ipt.CreateFilterChain(chainName)
 
@@ -391,7 +399,6 @@ func (ipt *iptableBuffer) renderIngressFrom(s *Server, podInfo *controllers.PodI
 			"-m", "comment", "--comment", "\"no ingress from, skipped\"",
 			"-j", "MARK", "--set-xmark", "0x20000/0x20000")
 	}
-	return
 }
 
 func (ipt *iptableBuffer) renderEgressCommon(s *Server) {
@@ -442,7 +449,7 @@ func (ipt *iptableBuffer) renderEgressCommon(s *Server) {
 	writeLine(ipt.policyCommon, "-A", egressCommonChain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
 }
 
-func (ipt *iptableBuffer) renderEgress(s *Server, podInfo *controllers.PodInfo, idx int, policy *multiv1beta1.MultiNetworkPolicy, policyNetworks []string) {
+func (ipt *iptableBuffer) renderEgress(s *Server, podInfo *controllers.PodInfo, idx int, policy *multiv1beta2.MultiNetworkPolicy, policyNetworks []string) {
 	chainName := fmt.Sprintf("MULTI-%d-EGRESS", idx)
 	ipt.CreateFilterChain(chainName)
 
@@ -465,7 +472,7 @@ func (ipt *iptableBuffer) renderEgress(s *Server, podInfo *controllers.PodInfo,
 	}
 }
 
-func (ipt *iptableBuffer) renderEgressPorts(_ *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, ports []multiv1beta1.MultiNetworkPolicyPort, policyNetworks []string) {
+func (ipt *iptableBuffer) renderEgressPorts(_ *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, ports []multiv1beta2.MultiNetworkPolicyPort, policyNetworks []string) {
 	chainName := fmt.Sprintf("MULTI-%d-EGRESS-%d-PORTS", pIndex, iIndex)
 	ipt.CreateFilterChain(chainName)
 
@@ -494,10 +501,9 @@ func (ipt *iptableBuffer) renderEgressPorts(_ *Server, podInfo *controllers.PodI
 			"-m", "comment", "--comment", "\"no egress ports, skipped\"",
 			"-j", "MARK", "--set-xmark", "0x10000/0x10000")
 	}
-	return
 }
 
-func (ipt *iptableBuffer) renderEgressTo(s *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, to []multiv1beta1.MultiNetworkPolicyPeer, policyNetworks []string) {
+func (ipt *iptableBuffer) renderEgressTo(s *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, to []multiv1beta2.MultiNetworkPolicyPeer, policyNetworks []string) {
 	chainName := fmt.Sprintf("MULTI-%d-EGRESS-%d-TO", pIndex, iIndex)
 	ipt.CreateFilterChain(chainName)
 
@@ -618,7 +624,6 @@ func (ipt *iptableBuffer) renderEgressTo(s *Server, podInfo *controllers.PodInfo
 			"-m", "comment", "--comment", "\"no egress to, skipped\"",
 			"-j", "MARK", "--set-xmark", "0x20000/0x20000")
 	}
-	return
 }
 
 func (ipt *iptableBuffer) isIPFamilyCompatible(ip string) bool {