-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introduce NetworkPolicy support to osh workload #193
Conversation
2c1b9aa
to
51de078
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@LorenzoBianconi when running with:
"name_space_size": 2,
"network_policy_size": 2,
"create_acls": true
This generates the following NB config:
$ ovn-nbctl list port_group
_uuid : 2568706c-8499-4d77-8cd2-d3364c92dfe5
acls : [45b4473e-61da-4634-8843-d0eebf4226d1, 506d08f5-dedc-436f-9116-a5a5000a5721, bc887d16-003e-49ff-9888-5307abab37b3, c5b46790-7bb7-476c-ab97-69bc2eb6727a]
external_ids : {}
name : networkPolicy0
ports : [4a410a5f-2e00-4576-af33-26e3bbcaf233]
_uuid : 5cef0dfd-a26d-42fa-bed1-673ce79a3024
acls : [32429399-ae77-4b51-8179-8f09397173f8, 7ada52f8-7fb9-4f92-845a-b68cf6f84a02]
external_ids : {}
name : portGroupMultiDefDeny
ports : [624d4358-c7e8-4f5c-8201-881b39a172fe]
_uuid : 2b5382e5-06c9-4660-b04d-3f80301a97af
acls : [0428de8d-f4c5-4378-a57c-ee3941007770, e198bb40-ded8-404c-abb0-00167944d0c1]
external_ids : {}
name : mcastPortGroup_nameSpace1
ports : [624d4358-c7e8-4f5c-8201-881b39a172fe]
_uuid : 20308185-5499-4c89-9cfc-2399b874c0d1
acls : [04664f48-2953-4327-aad6-56f0cfda20cf, 36479673-fc77-4af9-836e-816a95e8fc3b, 6980cf7d-b288-496e-80ff-f7f578634dde, 76404bbe-a5e9-44de-ac9b-7b50ce314bda]
external_ids : {}
name : networkPolicy1
ports : [624d4358-c7e8-4f5c-8201-881b39a172fe]
_uuid : a3698ada-ac01-4bc9-a199-96e5d88ddb59
acls : [44749e5b-ce84-4f02-9931-ae6f1e897dce, a5553649-55e3-4411-98d4-e8b0fd96ca96, d7a78bda-49e8-40d8-9113-c5d1353574a7, f00eb761-99ae-432f-afaa-ff196bf2ebb2]
external_ids : {}
name : portGroupDefDeny
ports : [624d4358-c7e8-4f5c-8201-881b39a172fe]
_uuid : b5ce99bb-910a-42b9-b0d6-3b2fdfd3076b
acls : [e119b314-a62d-4416-8bcd-d80ab14922a4, ed169b0d-b1f5-49cf-a3df-2e242d0c50aa]
external_ids : {}
name : mcastPortGroup_nameSpace0
ports : [4a410a5f-2e00-4576-af33-26e3bbcaf233]
Shouldn't port group portGroupDefDeny
and portGroupMultiDefDeny
contain all 4 ports instead of just one?
Also if I understand correctly the requirements, port groups networkPolicy0
and networkPolicy1
should both contain 2 ports. Same for mcastPortGroup_nameSpace0
and mcastPortGroup_nameSpace1
.
What do you think?
port_group = {"name" : "portGroupMultiDefDeny"} | ||
|
||
# ingress | ||
acl_create_args = { "match" : "ip4.mcast", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this should be "match" : "%(direction)s == %(lport)s && ip4.mcast"
.
For the network policy related port-groups and ACLs, it seems to me better to be created as configuration (in JSON format) instead of adding to the code implementation. In the code we can add the support to apply whatever port-groups and ACLs that is configured, so that it is easier to test scalability of different port-group/ACL configurations. For example, we can compare the scalability of creating one port-group for all default policies with creating different groups for ingress/egress policies, without changing the code. What do you think? |
51de078
to
a25849d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@LorenzoBianconi I have a few more minor comments.
@hzhou8 Regarding your comment, do we do a rework of the port_group/address_set/acl scenarios as a follow up to this PR?
Introduce NetworkPolicy (NP) entity according to network-policy.md (https://github.com/ovn-org/ovn-kubernetes/blob/e68397c4223c7213ea7bf0e01bbcdb6d19a51a25/docs/network-policy.md) In particular the traffic is blocked by default adding each Pod to the DefaultDeny PortGroup and each NP will create 2 port groups for ingress and egress traffic specifying which traffic is allowed for the pods belonging to the same NetworkPolicy
Introduce multicast support to NetworkPolicy crating a multicastPortGroup for each Nemaspae added to the workload. By default multicast traffic is blocked by DefaultDenyMultiPortGroup
a25849d
to
9f06bcd
Compare
Introduce NetworkPolicy (NP) entity according to network-policy.md. In particular the traffic is blocked by default adding each Pod to the DefaultDeny PortGroup and each NP will create 2 port groups for ingress and egress traffic specifying which traffic is allowed for the pods belonging to the same NetworkPolicy