-
Notifications
You must be signed in to change notification settings - Fork 369
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix networkpolicy related antctl commands #6487
Conversation
Sample output:
|
pkg/antctl/antctl.go
Outdated
@@ -399,9 +400,14 @@ $ antctl get podmulticaststats pod -n namespace`, | |||
}, | |||
{ | |||
name: "networkpolicy", | |||
usage: "NetworkPolicy name. If present, Namespace must be provided.", | |||
usage: "NetworkPolicy name. If present, type must be provided. Namespace must be provided for non-cluster-scoped policy types.", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If present, type must be provided
So with the latest version, there is no way to enforce that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If accommodating for the missing policy type in the API is too cumbersome, I think it is ok to just require the policy type unconditionally at the API level. This is an Agent-specific API, which means it is hard to consume directly without executing antctl in the Agent Pod. I think it generally makes sense to strive to preserve backwards-compatibility, even for this API, but not if it means adding too much complexity (considering that again this is an Agent-specific API, only used for advanced troubleshooting and as far as we know exclusively consumed via antctl).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the latest version I've updated the logic so that 1. type is not strictly required, just like before 2. if a type is provided, validation on whether that type requires a namespace is performed 3. if there's ambiguity, a BadRequest will be returned
e753804
to
14ff27d
Compare
3912ce4
to
e13237c
Compare
@antoninbas Could you take another look and see if you have additional comments? |
34207d9
to
5693126
Compare
This commit contains numerous fixes for antctl, including the get ovsflows and get networkpolicy commands: 1. Update the `antctl get networkpolicy` flag type=ANP to point the correct AdminNetworkPolicy type since ANP<->AntreaNetworkPolicy mapping has been deprecated. 2. Update the `antctl get ovsflows` command so that when dumping flows for a specific policy, a type is now required to eliminate ambiguity. 3. Since v1.13 the `antctl get ovsflows` command will not work properly for dumping networkpolicy flows. This is due to the matcher for dumping flows include priority, which is not supported by openvswitch. This PR fixes this issue. Signed-off-by: Dyanngg <dingyang@vmware.com>
Signed-off-by: Dyanngg <dingyang@vmware.com>
policyTypeToReturn := tc.policyType | ||
if policyTypeToReturn == "" { | ||
// Test the case where policy type is omitted from the query but the result is not ambiguous | ||
policyTypeToReturn = cpv1beta.AntreaNetworkPolicy | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
may be better to have policyType
and policyTypeToReturn
as fields in the test case definition, to avoid the special case here, but I don't feel very strongly about it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Dyanngg just checking that you didn't address it intentionally?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes for now, since this is not functionality related. I've updated it locally. Once the CI passes for Jenkins, I'll update the PR again with the changes in UT
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So to clarify I should wait before I approve & merge the PR?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes I'll mention you in this thread once that's done, thanks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@antoninbas Done. The jenkins tests were passing before I pushed a refactor in UT.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
/test-all |
Signed-off-by: Dyanngg <dingyang@vmware.com>
bd03340
to
7b798ac
Compare
/skip-all |
This commit contains numerous fixes for antctl, including the get ovsflows and get networkpolicy commands: 1. Update the `antctl get networkpolicy` flag type=ANP to point the correct AdminNetworkPolicy type since ANP<->AntreaNetworkPolicy mapping has been deprecated. 2. Update the `antctl get ovsflows` command so that when dumping flows for a specific policy, a type is now required to eliminate ambiguity. 3. Since v1.13 the `antctl get ovsflows` command will not work properly for dumping networkpolicy flows. This is due to the matcher for dumping flows include priority, which is not supported by openvswitch. This PR fixes this issue. Signed-off-by: Dyanngg <dingyang@vmware.com>
This commit contains numerous fixes for antctl, including the get ovsflows and get networkpolicy commands:
antctl get networkpolicy
flag type=ANP to point the correct AdminNetworkPolicy type since ANP<->AntreaNetworkPolicy mapping has been deprecated.antctl get ovsflows
command so that when dumping flows for a specific policy, a type can be specified to eliminate ambiguity.antctl get ovsflows
command will not work properly for dumping networkpolicy flows. This is due to the matcher for dumping flows include priority, which is not supported by openvswitch. This PR fixes this issue.