Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix networkpolicy related antctl commands #6487

Merged
merged 3 commits into from
Sep 16, 2024

Conversation

Dyanngg
Copy link
Contributor

@Dyanngg Dyanngg commented Jun 26, 2024

This commit contains numerous fixes for antctl, including the get ovsflows and get networkpolicy commands:

  1. Update the antctl get networkpolicy flag type=ANP to point the correct AdminNetworkPolicy type since ANP<->AntreaNetworkPolicy mapping has been deprecated.
  2. Update the antctl get ovsflows command so that when dumping flows for a specific policy, a type can be specified to eliminate ambiguity.
  3. Since v1.13 the antctl get ovsflows command will not work properly for dumping networkpolicy flows. This is due to the matcher for dumping flows include priority, which is not supported by openvswitch. This PR fixes this issue.

@Dyanngg
Copy link
Contributor Author

Dyanngg commented Jun 26, 2024

Sample output:

root@kind-worker2:/# antctl get ovsflows -N cnp-deny-client-to-db --type ACNP

table=AntreaPolicyEgressRule, n_packets=0, n_bytes=0, idle_age=233, priority=14800,conj_id=4 actions=set_field:0x4->reg3,set_field:0x400/0x400->reg0,goto_table:EgressMetric
table=AntreaPolicyEgressRule, n_packets=0, n_bytes=0, idle_age=233, priority=14800,ip,nw_src=10.20.2.2 actions=conjunction(4,1/2)
table=AntreaPolicyEgressRule, n_packets=0, n_bytes=0, idle_age=233, priority=14800,ip,nw_src=10.20.2.8 actions=conjunction(4,1/2)
table=AntreaPolicyEgressRule, n_packets=0, n_bytes=0, idle_age=233, priority=14800,ip,nw_dst=10.20.1.8 actions=conjunction(4,2/2)
table=AntreaPolicyEgressRule, n_packets=0, n_bytes=0, idle_age=233, priority=14800,ip,nw_dst=10.20.1.6 actions=conjunction(4,2/2)
table=AntreaPolicyEgressRule, n_packets=0, n_bytes=0, idle_age=233, priority=14800,ip,nw_dst=10.20.2.5 actions=conjunction(4,2/2)
table=AntreaPolicyEgressRule, n_packets=0, n_bytes=0, idle_age=233, priority=14800,ip,nw_dst=10.20.2.6 actions=conjunction(4,2/2)


root@kind-worker2:/# antctl get ovsflows -N test-1 --type K8sNP -n default

table=IngressRule, n_packets=0, n_bytes=0, idle_age=22, priority=190,conj_id=5,ip actions=set_field:0x5->reg6,ct(commit,table=IngressMetric,zone=65520,exec(set_field:0x5/0xffffffff->ct_label))
table=IngressRule, n_packets=0, n_bytes=0, idle_age=22, priority=200,ip,nw_src=10.20.2.2 actions=conjunction(5,1/3)
table=IngressRule, n_packets=0, n_bytes=0, idle_age=22, priority=200,ip,nw_src=10.20.1.7 actions=conjunction(5,1/3)
table=IngressRule, n_packets=0, n_bytes=0, idle_age=22, priority=200,reg1=0x4 actions=conjunction(5,2/3)
table=IngressRule, n_packets=0, n_bytes=0, idle_age=473, priority=200,tcp,tp_dst=443 actions=conjunction(5,3/3),conjunction(2,3/3)
table=IngressDefaultRule, n_packets=0, n_bytes=0, idle_age=22, priority=200,reg1=0x4 actions=drop

@Dyanngg Dyanngg requested a review from jianjuns June 26, 2024 17:04
pkg/querier/querier.go Show resolved Hide resolved
pkg/ovs/openflow/utils.go Outdated Show resolved Hide resolved
pkg/agent/apiserver/handlers/ovsflows/handler.go Outdated Show resolved Hide resolved
pkg/agent/apiserver/handlers/networkpolicy/handler.go Outdated Show resolved Hide resolved
pkg/agent/apiserver/handlers/ovsflows/handler.go Outdated Show resolved Hide resolved
pkg/ovs/openflow/utils.go Outdated Show resolved Hide resolved
@@ -399,9 +400,14 @@ $ antctl get podmulticaststats pod -n namespace`,
},
{
name: "networkpolicy",
usage: "NetworkPolicy name. If present, Namespace must be provided.",
usage: "NetworkPolicy name. If present, type must be provided. Namespace must be provided for non-cluster-scoped policy types.",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If present, type must be provided

So with the latest version, there is no way to enforce that?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If accommodating for the missing policy type in the API is too cumbersome, I think it is ok to just require the policy type unconditionally at the API level. This is an Agent-specific API, which means it is hard to consume directly without executing antctl in the Agent Pod. I think it generally makes sense to strive to preserve backwards-compatibility, even for this API, but not if it means adding too much complexity (considering that again this is an Agent-specific API, only used for advanced troubleshooting and as far as we know exclusively consumed via antctl).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the latest version I've updated the logic so that 1. type is not strictly required, just like before 2. if a type is provided, validation on whether that type requires a namespace is performed 3. if there's ambiguity, a BadRequest will be returned

@Dyanngg Dyanngg force-pushed the antctl-np-fix branch 2 times, most recently from e753804 to 14ff27d Compare July 26, 2024 21:15
@Dyanngg Dyanngg requested a review from antoninbas July 29, 2024 17:19
@Dyanngg Dyanngg force-pushed the antctl-np-fix branch 3 times, most recently from 3912ce4 to e13237c Compare July 29, 2024 21:08
@Dyanngg
Copy link
Contributor Author

Dyanngg commented Aug 9, 2024

@antoninbas Could you take another look and see if you have additional comments?

docs/antctl.md Outdated Show resolved Hide resolved
pkg/agent/apiserver/handlers/ovsflows/handler.go Outdated Show resolved Hide resolved
pkg/agent/apiserver/handlers/ovsflows/handler_test.go Outdated Show resolved Hide resolved
pkg/ovs/openflow/utils.go Outdated Show resolved Hide resolved
pkg/ovs/openflow/utils.go Show resolved Hide resolved
pkg/ovs/openflow/utils_test.go Outdated Show resolved Hide resolved
pkg/ovs/openflow/utils_test.go Show resolved Hide resolved
@Dyanngg Dyanngg force-pushed the antctl-np-fix branch 2 times, most recently from 34207d9 to 5693126 Compare August 13, 2024 19:01
pkg/agent/apiserver/handlers/networkpolicy/handler.go Outdated Show resolved Hide resolved
pkg/agent/apiserver/handlers/networkpolicy/handler.go Outdated Show resolved Hide resolved
pkg/agent/apiserver/handlers/ovsflows/handler_test.go Outdated Show resolved Hide resolved
pkg/agent/apiserver/handlers/ovsflows/handler_test.go Outdated Show resolved Hide resolved
pkg/ovs/openflow/utils.go Outdated Show resolved Hide resolved
This commit contains numerous fixes for antctl, including the get ovsflows
and get networkpolicy commands:
1. Update the `antctl get networkpolicy` flag type=ANP to point the correct
   AdminNetworkPolicy type since ANP<->AntreaNetworkPolicy mapping has been
   deprecated.
2. Update the `antctl get ovsflows` command so that when dumping flows for
   a specific policy, a type is now required to eliminate ambiguity.
3. Since v1.13 the `antctl get ovsflows` command will not work properly for
   dumping networkpolicy flows. This is due to the matcher for dumping flows
   include priority, which is not supported by openvswitch. This PR fixes
   this issue.

Signed-off-by: Dyanngg <dingyang@vmware.com>
Signed-off-by: Dyanngg <dingyang@vmware.com>
pkg/querier/querier.go Outdated Show resolved Hide resolved
antoninbas
antoninbas previously approved these changes Aug 22, 2024
Comment on lines 239 to 243
policyTypeToReturn := tc.policyType
if policyTypeToReturn == "" {
// Test the case where policy type is omitted from the query but the result is not ambiguous
policyTypeToReturn = cpv1beta.AntreaNetworkPolicy
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

may be better to have policyType and policyTypeToReturn as fields in the test case definition, to avoid the special case here, but I don't feel very strongly about it

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Dyanngg just checking that you didn't address it intentionally?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes for now, since this is not functionality related. I've updated it locally. Once the CI passes for Jenkins, I'll update the PR again with the changes in UT

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So to clarify I should wait before I approve & merge the PR?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes I'll mention you in this thread once that's done, thanks

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@antoninbas Done. The jenkins tests were passing before I pushed a refactor in UT.

Copy link
Member

@tnqn tnqn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Dyanngg
Copy link
Contributor Author

Dyanngg commented Sep 16, 2024

/test-all

Signed-off-by: Dyanngg <dingyang@vmware.com>
@antoninbas
Copy link
Contributor

/skip-all

@antoninbas antoninbas merged commit d3faddc into antrea-io:main Sep 16, 2024
52 of 58 checks passed
@antoninbas antoninbas added the action/release-note Indicates a PR that should be included in release notes. label Sep 16, 2024
hangyan pushed a commit to hangyan/antrea that referenced this pull request Oct 29, 2024
This commit contains numerous fixes for antctl, including the get ovsflows
and get networkpolicy commands:

1. Update the `antctl get networkpolicy` flag type=ANP to point the correct
   AdminNetworkPolicy type since ANP<->AntreaNetworkPolicy mapping has been
   deprecated.
2. Update the `antctl get ovsflows` command so that when dumping flows for
   a specific policy, a type is now required to eliminate ambiguity.
3. Since v1.13 the `antctl get ovsflows` command will not work properly for
   dumping networkpolicy flows. This is due to the matcher for dumping flows
   include priority, which is not supported by openvswitch. This PR fixes
   this issue.

Signed-off-by: Dyanngg <dingyang@vmware.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
action/release-note Indicates a PR that should be included in release notes.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants