Add support for references to CiliumCIDRGroup inside FromCIDRSet for ingress rules in CNPs#24638
Merged
joestringer merged 10 commits intocilium:masterfrom Apr 17, 2023
Conversation
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
e7ecffd to
7a0f675
Compare
7a0f675 to
c6b6633
Compare
d9763d4 to
1b055b0
Compare
christarazi
requested changes
Mar 31, 2023
dce042a to
10615c4
Compare
christarazi
reviewed
Apr 3, 2023
pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml
Outdated
Show resolved
Hide resolved
4d15cc5 to
de686ff
Compare
This comment was marked as outdated.
This comment was marked as outdated.
christarazi
reviewed
Apr 4, 2023
This comment was marked as outdated.
This comment was marked as outdated.
de686ff to
74873ee
Compare
Member
|
/test Job 'Cilium-PR-K8s-1.24-kernel-5.4' failed: Click to show.Test NameFailure OutputJenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.24-kernel-5.4/1754/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Job 'Cilium-PR-K8s-1.16-kernel-4.19' hit: #24697 (88.40% similarity) Edit:
|
christarazi
reviewed
Apr 14, 2023
This generates the CiliumCIDRGroup type, to reference a group of CIDRs as a single entity in CiliumNetworkPolicies. Co-authored-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Embed `cidrGroupRef` field in api.CIDRRule to reference CiliumCIDRGroup objects in Cilium Network Policies. The field can be used to allow ingress traffic from a set of CIDRs listed in the referenced CiliumCIDRGroup object. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
daa64f1 to
39f51d6
Compare
CNP and CCNP events handling is based on the same code, since each CNP and CCNP is first translated to an intermediate types.SlimCNP representation. To support the handling of CNP/CCNP updates, there are two separate caches, one for CNP and one for CCNP. This commit unify the events handling and the caches, relying on the two event channels to avoid any additional locking mechanism. This sets the stage for the fromCIDRGroupRef feature, where we need to reference another k8s object (CiliumCIDRGroup) to get the CIDRs the policies are going to allow when filtering ingress traffic. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> Signed-off-by: Chris Tarazi <chris@isovalent.com>
39f51d6 to
d30af4e
Compare
Add support for cidrGroupRef field in Ingress rules for Cilium Network Policies. The new field allows to reference a list of CiliumCIDRGroup objects that contain the CIDRs from which we wants to allow traffic from. The feature is implemented as a wrapper to the existing FromCIDRSet Ingress rule. Each policy with a reference to a cidr group is translated in an equivalent "FromCIDRSet policy" after looking up the CIDRs in the referenced CiliumCIDRGroup objects. To do that, we use a single handler for CiliumNetworkPolicy, CiliumClusterwideNetworkPolicy and CiliumCIDRGroup in the k8s watcher, in order to avoid further locking when accessing the CNP/CCNP cache or the CIDRGroup one. Every time the referenced CiliumCIDRGroups are updated, the CNP rules are recalculated, in order to append to the Ingress.FromCIDRSet field the updated lists of CIDRs. In case the referenced CiliumCIDRGroups k8s objects are all empty or deleted, the policy behaviour is default-deny. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> Signed-off-by: Chris Tarazi <chris@isovalent.com>
policy_change_total metric counts all the policies change events and should take into account Cilium Clusterwide Network Policied events too. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Inspired from the CNP watcher. Co-authored-by: Fabio Falzoi <fabio.falzoi@isovalent.com> Signed-off-by: Chris Tarazi <chris@isovalent.com>
The NoOp* variables are used in pkg/metrics to define metrics that can be disabled. All of those metrics are grouped together as a slice of prometheus.Collector and then registered to the prometheus register. To add a metric of type prometheus.Histogram that can also be disabled, a type that satisfies both `prometheus.Collector` and `prometheus.Observer` is needed, so the NoOpHistogram of type prometheus.histogram is added. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Add a metric to measure the time taken to translate the FromCIDRGroupRef field in CNPs and CCNPs. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Add a gauge metric to count the current number of CNPs and CCNPs that reference at least a CiliumCIDRGroup object. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Assign the following files: - k8s/pkg/watcher/cilium_network_policy.go - k8s/pkg/watcher/cilium_cidr_group.go - k8s/pkg/watcher/cilium_cidr_group_test.go containing the shared handler for CNP, CCNP and CCG objects to sig-policy group. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
d30af4e to
60506a7
Compare
Member
|
/test Job 'Cilium-PR-K8s-1.16-kernel-4.19' failed: Click to show.Test NameFailure OutputJenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.16-kernel-4.19/916/ If it is a flake and a GitHub issue doesn't already exist to track it, comment |
Member
Author
|
4.19 hit #24840 |
Member
Author
|
/test-1.16-4.19 |
2 tasks
This was referenced Feb 23, 2024
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add support for
cidrGroupRefin CIDR ingress rules in Cilium Network Policies.The new rule allows to reference a list of CiliumCIDRGroup objects that contain the CIDRs from which we want to allow traffic from.
An example of the newly introduced CiliumCIDRGroup CRD is the following:
The feature is implemented as a wrapper to the existing FromCIDR Ingress rule. Each
cidrGroupReffield is translated to the equivalentfromCIDRSetblock with the CIDRs from the referenced CiliumCIDRGroup object.To do that, we use a single handler for CiliumNetworkPolicy, CiliumClusterwideNetworkPolicy and CiliumCIDRGroup in the k8s watcher.
Every time the referenced CiliumCIDRGroups are updated, the CNP rules are recalculated, in order to append to the Ingress.FromCIDR field the updated lists of CIDRs.
In case the lists of CIDRs in the referenced CiliumCIDRGroups are all empty, the policy will have an Ingress rule with all fields equal to nil, except the
cidrGroupRefone. That would result in the same behavior as an empty FromCIDR rule, which means default deny.This PR also adds some metrics to get info about the new Ingress rule impact and usage. Specifically:
cidrGroupReffield into CIDRsFixes #10349