L7 Visibility support in Antrea

Signed-off-by: Tushar Tathgur <tathgurt@tathgurtFLVDL.vmware.com>

build/charts/antrea/README.md

@@ -78,7 +78,7 @@ Kubernetes: `>= 1.16.0-0`
 | enableBridgingMode | bool | `false` | Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected to the OVS bridge. |
 | featureGates | object | `{}` | To explicitly enable or disable a FeatureGate and bypass the Antrea defaults, add an entry to the dictionary with the FeatureGate's name as the key and a boolean as the value. |
 | flowExporter.activeFlowExportTimeout | string | `"5s"` | timeout after which a flow record is sent to the collector for active flows. |
-| flowExporter.enable | bool | `false` | Enable the flow exporter feature. |
+| flowExporter.enable | bool | `true` | Enable the flow exporter feature. |
 | flowExporter.flowCollectorAddr | string | `"flow-aggregator/flow-aggregator:4739:tls"` | IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>]. If the collector is running in-cluster as a Service, set <HOST> to <Service namespace>/<Service name>. |
 | flowExporter.flowPollInterval | string | `"5s"` | Determines how often the flow exporter polls for new connections. |
 | flowExporter.idleFlowExportTimeout | string | `"15s"` | timeout after which a flow record is sent to the collector for idle flows. |

build/charts/antrea/conf/antrea-agent.conf

@@ -80,6 +80,9 @@ featureGates:
 # Allow users to specify the load balancer mode as DSR (Direct Server Return).
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "LoadBalancerModeDSR" "default" false) }}
 
+# Enable L7Visibility on Pods and Namespace.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "L7Visibility" "default" false) }}
+
 # Name of the OpenVSwitch bridge antrea-agent will create and use.
 # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
 ovsBridge: {{ .Values.ovs.bridgeName | quote }}

build/charts/antrea/templates/agent/clusterrole.yaml

@@ -173,7 +173,6 @@ rules:
     resources:
       - externalippools
       - ippools
-      - trafficcontrols
     verbs:
       - get
       - watch
@@ -219,3 +218,15 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+      - crd.antrea.io
+    resources:
+      - trafficcontrols
+    verbs:
+      - get
+      - watch
+      - list
+      - update
+      - patch
+      - create
+      - delete

build/charts/antrea/values.yaml

@@ -312,7 +312,7 @@ controller:
 
 flowExporter:
   # -- Enable the flow exporter feature.
-  enable: false
+  enable: true
   # -- IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
   # If the collector is running in-cluster as a Service, set <HOST> to
   # <Service namespace>/<Service name>.

build/yamls/antrea-aks.yml

@@ -5535,6 +5535,9 @@ data:
     # Allow users to specify the load balancer mode as DSR (Direct Server Return).
     #  LoadBalancerModeDSR: false
 
+    # Enable L7Visibility on Pods and Namespace.
+    #  L7Visibility: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -5654,7 +5657,7 @@ data:
       # IPFIX flow records from each agent to a configured collector. To enable this
       # feature, you need to set "enable" to true, and ensure that the FlowExporter
       # feature gate is also enabled.
-      enable: false
+      enable: true
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
       # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
@@ -6162,7 +6165,6 @@ rules:
     resources:
       - externalippools
       - ippools
-      - trafficcontrols
     verbs:
       - get
       - watch
@@ -6208,6 +6210,18 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+      - crd.antrea.io
+    resources:
+      - trafficcontrols
+    verbs:
+      - get
+      - watch
+      - list
+      - update
+      - patch
+      - create
+      - delete
 ---
 # Source: antrea/templates/antctl/clusterrole.yaml
 kind: ClusterRole
@@ -7060,7 +7074,11 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
+<<<<<<< HEAD
         checksum/config: a3168b9ac447a8852280ded74b420b5afa9cc2f6fca169e3e2da6e44b9e96428
+=======
+        checksum/config: decff49e8a2dd2019acbb0b49a88c1deb81b53fc64e4b6ca2741babac00ae97a
+>>>>>>> ad1eb60f (L7 Visibility support in Antrea)
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-eks.yml

@@ -5535,6 +5535,9 @@ data:
     # Allow users to specify the load balancer mode as DSR (Direct Server Return).
     #  LoadBalancerModeDSR: false
 
+    # Enable L7Visibility on Pods and Namespace.
+    #  L7Visibility: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -5654,7 +5657,7 @@ data:
       # IPFIX flow records from each agent to a configured collector. To enable this
       # feature, you need to set "enable" to true, and ensure that the FlowExporter
       # feature gate is also enabled.
-      enable: false
+      enable: true
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
       # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
@@ -6162,7 +6165,6 @@ rules:
     resources:
       - externalippools
       - ippools
-      - trafficcontrols
     verbs:
       - get
       - watch
@@ -6208,6 +6210,18 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+      - crd.antrea.io
+    resources:
+      - trafficcontrols
+    verbs:
+      - get
+      - watch
+      - list
+      - update
+      - patch
+      - create
+      - delete
 ---
 # Source: antrea/templates/antctl/clusterrole.yaml
 kind: ClusterRole

build/yamls/antrea-gke.yml

@@ -5535,6 +5535,9 @@ data:
     # Allow users to specify the load balancer mode as DSR (Direct Server Return).
     #  LoadBalancerModeDSR: false
 
+    # Enable L7Visibility on Pods and Namespace.
+    #  L7Visibility: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -5654,7 +5657,7 @@ data:
       # IPFIX flow records from each agent to a configured collector. To enable this
       # feature, you need to set "enable" to true, and ensure that the FlowExporter
       # feature gate is also enabled.
-      enable: false
+      enable: true
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
       # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
@@ -6162,7 +6165,6 @@ rules:
     resources:
       - externalippools
       - ippools
-      - trafficcontrols
     verbs:
       - get
       - watch
@@ -6208,6 +6210,18 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+      - crd.antrea.io
+    resources:
+      - trafficcontrols
+    verbs:
+      - get
+      - watch
+      - list
+      - update
+      - patch
+      - create
+      - delete
 ---
 # Source: antrea/templates/antctl/clusterrole.yaml
 kind: ClusterRole

build/yamls/antrea-ipsec.yml

@@ -5548,6 +5548,9 @@ data:
     # Allow users to specify the load balancer mode as DSR (Direct Server Return).
     #  LoadBalancerModeDSR: false
 
+    # Enable L7Visibility on Pods and Namespace.
+    #  L7Visibility: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -5667,7 +5670,7 @@ data:
       # IPFIX flow records from each agent to a configured collector. To enable this
       # feature, you need to set "enable" to true, and ensure that the FlowExporter
       # feature gate is also enabled.
-      enable: false
+      enable: true
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
       # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
@@ -6175,7 +6178,6 @@ rules:
     resources:
       - externalippools
       - ippools
-      - trafficcontrols
     verbs:
       - get
       - watch
@@ -6221,6 +6223,18 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+      - crd.antrea.io
+    resources:
+      - trafficcontrols
+    verbs:
+      - get
+      - watch
+      - list
+      - update
+      - patch
+      - create
+      - delete
 ---
 # Source: antrea/templates/antctl/clusterrole.yaml
 kind: ClusterRole

build/yamls/antrea.yml

@@ -5535,6 +5535,9 @@ data:
     # Allow users to specify the load balancer mode as DSR (Direct Server Return).
     #  LoadBalancerModeDSR: false
 
+    # Enable L7Visibility on Pods and Namespace.
+    #  L7Visibility: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -5654,7 +5657,7 @@ data:
       # IPFIX flow records from each agent to a configured collector. To enable this
       # feature, you need to set "enable" to true, and ensure that the FlowExporter
       # feature gate is also enabled.
-      enable: false
+      enable: true
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
       # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
@@ -6162,7 +6165,6 @@ rules:
     resources:
       - externalippools
       - ippools
-      - trafficcontrols
     verbs:
       - get
       - watch
@@ -6208,6 +6210,18 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+      - crd.antrea.io
+    resources:
+      - trafficcontrols
+    verbs:
+      - get
+      - watch
+      - list
+      - update
+      - patch
+      - create
+      - delete
 ---
 # Source: antrea/templates/antctl/clusterrole.yaml
 kind: ClusterRole
@@ -6819,7 +6833,11 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
+<<<<<<< HEAD
         checksum/config: cc9b64c3b915bfd5a500d76f39a5b650f86819e144dbccea5019b4ecd4192292
+=======
+        checksum/config: c4f58fbb3065448295fab081c6bb9fa5e69536333ee9e32464ffaee9a84148ed
+>>>>>>> ad1eb60f (L7 Visibility support in Antrea)
       labels:
         app: antrea
         component: antrea-agent
@@ -7058,7 +7076,11 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
+<<<<<<< HEAD
         checksum/config: cc9b64c3b915bfd5a500d76f39a5b650f86819e144dbccea5019b4ecd4192292
+=======
+        checksum/config: c4f58fbb3065448295fab081c6bb9fa5e69536333ee9e32464ffaee9a84148ed
+>>>>>>> ad1eb60f (L7 Visibility support in Antrea)
       labels:
         app: antrea
         component: antrea-controller

cmd/antrea-agent/agent.go

@@ -39,6 +39,7 @@ import (
 	"antrea.io/antrea/pkg/agent/controller/egress"
 	"antrea.io/antrea/pkg/agent/controller/ipseccertificate"
 	"antrea.io/antrea/pkg/agent/controller/networkpolicy"
+	"antrea.io/antrea/pkg/agent/controller/networkpolicy/l7engine"
 	"antrea.io/antrea/pkg/agent/controller/noderoute"
 	"antrea.io/antrea/pkg/agent/controller/serviceexternalip"
 	"antrea.io/antrea/pkg/agent/controller/traceflow"
@@ -704,6 +705,7 @@ func run(o *Options) error {
 
 	if features.DefaultFeatureGate.Enabled(features.TrafficControl) {
 		tcController := trafficcontrol.NewTrafficControlController(ofClient,
+			crdClient,
 			ifaceStore,
 			ovsBridgeClient,
 			ovsCtlClient,
@@ -712,6 +714,9 @@ func run(o *Options) error {
 			namespaceInformer,
 			podUpdateChannel)
 		go tcController.Run(stopCh)
+		if features.DefaultFeatureGate.Enabled(features.L7Visibility) {
+			go l7engine.Run(tcController)
+		}
 	}
 
 	//  Start the localPodInformer

go.mod

@@ -236,3 +236,5 @@ require (
 	sigs.k8s.io/kustomize/kyaml v0.13.9 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )
+
+replace github.com/vmware/go-ipfix v0.6.2 => github.com/tushartathgur/go-ipfix v0.0.0-20230803191543-aacd1016296d

go.sum

@@ -1081,6 +1081,8 @@ github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhV
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 h1:uruHq4dN7GR16kFc5fp3d1RIYzJW5onx8Ybykw2YQFA=
+github.com/tushartathgur/go-ipfix v0.0.0-20230803191543-aacd1016296d h1:pJ+1RREibFRvyp55mf7B7xnKRBQ/DUZyUn0yqbspfqg=
+github.com/tushartathgur/go-ipfix v0.0.0-20230803191543-aacd1016296d/go.mod h1:dGCppoeqknr9o3yz9BD74mP/FPHgefb6v34xdUKxDPI=
 github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
 github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
@@ -1098,8 +1100,6 @@ github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f h1:p4VB7kIXpOQvVn1ZaTIVp+3vuYAXFe3OJEvjbUYJLaA=
 github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
-github.com/vmware/go-ipfix v0.6.2 h1:9awOJ9HV2ZsBYqB1bbUu0ULX8mqR/hekt884/IRjijs=
-github.com/vmware/go-ipfix v0.6.2/go.mod h1:dGCppoeqknr9o3yz9BD74mP/FPHgefb6v34xdUKxDPI=
 github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4=
 github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=

hack/update-codegen-common.sh

@@ -19,7 +19,7 @@ function generate_mocks {
   # Command mockgen does not automatically replace variable YEAR with current year
   # like others do, e.g. client-gen.
   current_year=$(date +"%Y")
-  sed -i "s/YEAR/${current_year}/g" hack/boilerplate/license_header.raw.txt
+  awk -v year="$current_year" '{gsub(/YEAR/, year)} 1' hack/boilerplate/license_header.raw.txt > temp.txt && mv temp.txt hack/boilerplate/license_header.raw.txt
   for target in "${MOCKGEN_TARGETS[@]}"; do
     read -r src_package interfaces dst_package_name dst_file_name <<<"${target}"
     src_package_name=$(basename "${src_package}")