diff --git a/.go-version b/.go-version
index f124bfa..26d7b6e 100644
--- a/.go-version
+++ b/.go-version
@@ -1 +1 @@
-1.21.9
+1.21.12
diff --git a/README.md b/README.md
index 1094593..17a1de4 100644
--- a/README.md
+++ b/README.md
@@ -82,6 +82,29 @@ Network Policy agent can operate in either IPv4 or IPv6 mode. Setting this flag **Note:** VPC CNI by default creates an egress only IPv4 interface for IPv6 pods and this network interface will not be secured by the Network policy feature. Network policies will only be enforced on the Pod's primary interface (i.e.,) `eth0`. If you want to block the egress IPv4 access, please disable the interface creation via [ENABLE_V4_EGRESS](https://github.com/aws/amazon-vpc-cni-k8s#enable_v4_egress-v1151) flag in VPC CNI. +#### `conntrack-cache-cleanup-period` (from v1.0.7+) + +Type: Integer + +Default: 300 + +Network Policy agent maintains a local conntrack cache. This configuration (in seconds) will determine how fast the local conntrack cache should be cleaned up from stale/expired entries. Based on the time interval set, network policy agent checks every entry in the local conntrack cache with kernel conntrack table and determine if the entry has to be deleted. + +#### `conntrack-cache-table-size` (from v1.1.3+) + +Type: Integer + +Default: 1024 * 256 + +Network Policy agent maintains a local conntrack cache. Ideally this should be of the same size as kernel conntrack table. Note, this should be configured on new nodes before enabling network policy or if network policy is already enabled the change in configuration would need a reload of the nodes. Dynamic update of conntrack map size would lead to traffic disruption and isn't supported. The value supported is between 32K and 1024K. + +**Note**: To check the maximum conntrack table size in your linux worker node, use the following command: + +```console +$ cat /proc/sys/net/netfilter/nf_conntrack_max +262144 +``` + ## Network Policy Agent CLI The Amazon VPC CNI plugin for Kubernetes installs eBPF SDK collection of tools on the nodes. You can use the eBPF SDK tools to identify issues with network policies. For example, the following command lists the programs that are running on the node. 
diff --git a/controllers/policyendpoints_controller.go b/controllers/policyendpoints_controller.go index 2f151c4..014ea59 100644 --- a/controllers/policyendpoints_controller.go +++ b/controllers/policyendpoints_controller.go @@ -74,7 +74,7 @@ func prometheusRegister() { // NewPolicyEndpointsReconciler constructs new PolicyEndpointReconciler func NewPolicyEndpointsReconciler(k8sClient client.Client, log logr.Logger, - enablePolicyEventLogs, enableCloudWatchLogs bool, enableIPv6 bool, enableNetworkPolicy bool, conntrackTTL int) (*PolicyEndpointsReconciler, error) { + enablePolicyEventLogs, enableCloudWatchLogs bool, enableIPv6 bool, enableNetworkPolicy bool, conntrackTTL int, conntrackTableSize int) (*PolicyEndpointsReconciler, error) { r := &PolicyEndpointsReconciler{ k8sClient: k8sClient, log: log, @@ -89,7 +89,7 @@ func NewPolicyEndpointsReconciler(k8sClient client.Client, log logr.Logger, var err error if enableNetworkPolicy { r.ebpfClient, err = ebpf.NewBpfClient(&r.policyEndpointeBPFContext, r.nodeIP, - enablePolicyEventLogs, enableCloudWatchLogs, enableIPv6, conntrackTTL) + enablePolicyEventLogs, enableCloudWatchLogs, enableIPv6, conntrackTTL, conntrackTableSize) // Start prometheus prometheusRegister() diff --git a/controllers/policyendpoints_controller_test.go b/controllers/policyendpoints_controller_test.go index ef2297c..71adaa2 100644 --- a/controllers/policyendpoints_controller_test.go +++ b/controllers/policyendpoints_controller_test.go @@ -329,7 +329,7 @@ func TestDeriveIngressAndEgressFirewallRules(t *testing.T) { mockClient := mock_client.NewMockClient(ctrl) policyEndpointReconciler, _ := NewPolicyEndpointsReconciler(mockClient, logr.New(&log.NullLogSink{}), - false, false, false, false, 300) + false, false, false, false, 300, 262144) var policyEndpointsList []string policyEndpointsList = append(policyEndpointsList, tt.policyEndpointName) policyEndpointReconciler.podIdentifierToPolicyEndpointMap.Store(tt.podIdentifier, policyEndpointsList) 
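Review bot: The new `conntrackTableSize` argument of `NewPolicyEndpointsReconciler` is forwarded to `ebpf.NewBpfClient` without any range check, so the 32K–1024K bound only holds for callers that ran `ValidControllerFlags` first (main does; the tests pass a literal). Since this is the constructor other code will reach for, record the precondition in its doc comment: `// NewPolicyEndpointsReconciler constructs new PolicyEndpointReconciler; conntrackTableSize sizes the conntrack BPF map and must already be validated (see ControllerConfig.ValidControllerFlags) — it is not re-checked here.` Both hunks of this file belong to the same function, which continues between and after them.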
@@ -748,7 +748,7 @@ func TestArePoliciesAvailableInLocalCache(t *testing.T) { mockClient := mock_client.NewMockClient(ctrl) policyEndpointReconciler, _ := NewPolicyEndpointsReconciler(mockClient, logr.New(&log.NullLogSink{}), - false, false, false, false, 300) + false, false, false, false, 300, 262144) var policyEndpointsList []string policyEndpointsList = append(policyEndpointsList, tt.policyEndpointName...) policyEndpointReconciler.podIdentifierToPolicyEndpointMap.Store(tt.podIdentifier, policyEndpointsList) @@ -994,7 +994,7 @@ func TestDeriveFireWallRulesPerPodIdentifier(t *testing.T) { mockClient := mock_client.NewMockClient(ctrl) policyEndpointReconciler, _ := NewPolicyEndpointsReconciler(mockClient, logr.New(&log.NullLogSink{}), - false, false, false, false, 300) + false, false, false, false, 300, 262144) var policyEndpointsList []string policyEndpointsList = append(policyEndpointsList, tt.policyEndpointName) policyEndpointReconciler.podIdentifierToPolicyEndpointMap.Store(tt.podIdentifier, policyEndpointsList) diff --git a/go.mod b/go.mod index 4e3ff53..b2e0d22 100644 --- a/go.mod +++ b/go.mod @@ -1,18 +1,18 @@ module github.com/aws/aws-network-policy-agent -go 1.21 +go 1.21.12 require ( github.com/aws/amazon-vpc-cni-k8s v1.18.1 - github.com/aws/aws-ebpf-sdk-go v1.0.8 - github.com/aws/aws-sdk-go v1.50.30 + github.com/aws/aws-ebpf-sdk-go v1.0.10 + github.com/aws/aws-sdk-go v1.55.3 github.com/go-logr/logr v1.4.1 github.com/go-logr/zapr v1.3.0 github.com/golang/mock v1.6.0 github.com/google/go-cmp v0.6.0 github.com/google/uuid v1.6.0 - github.com/onsi/ginkgo/v2 v2.17.2 - github.com/onsi/gomega v1.33.0 + github.com/onsi/ginkgo/v2 v2.19.0 + github.com/onsi/gomega v1.33.1 github.com/pkg/errors v0.9.1 github.com/prometheus/client_golang v1.19.0 github.com/spf13/cobra v1.8.0 
@@ -20,7 +20,7 @@ require ( github.com/stretchr/testify v1.9.0 github.com/vishvananda/netlink v1.2.1-beta.2 go.uber.org/zap v1.27.0 - golang.org/x/sys v0.19.0 + golang.org/x/sys v0.24.0 google.golang.org/grpc v1.63.2 gopkg.in/natefinch/lumberjack.v2 v2.2.1 k8s.io/api v0.29.1 @@ -62,12 +62,12 @@ require ( github.com/vishvananda/netns v0.0.4 // indirect go.uber.org/multierr v1.11.0 // indirect golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect - golang.org/x/net v0.24.0 // indirect + golang.org/x/net v0.25.0 // indirect golang.org/x/oauth2 v0.18.0 // indirect golang.org/x/term v0.18.0 // indirect - golang.org/x/text v0.14.0 // indirect + golang.org/x/text v0.15.0 // indirect golang.org/x/time v0.3.0 // indirect - golang.org/x/tools v0.20.0 // indirect + golang.org/x/tools v0.21.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect google.golang.org/appengine v1.6.8 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de // indirect diff --git a/go.sum b/go.sum index 9ab9b19..1745aba 100644 --- a/go.sum +++ b/go.sum 
@@ -1,11 +1,13 @@ github.com/aws/amazon-vpc-cni-k8s v1.18.1 h1:u/OeBgnUUX6f3PCEOpA4dbG0+iZ71CnY6tEljjrl3iw= github.com/aws/amazon-vpc-cni-k8s v1.18.1/go.mod h1:m/J5GsxF0Th2iQTOE3ww4W9LFvwdC0tGyA9dIL4h6iQ= -github.com/aws/aws-ebpf-sdk-go v1.0.7 h1:zXreIpTQA0D3tlRhJQdV50OWbH9Q0PtiWBzzS7nHUK8= -github.com/aws/aws-ebpf-sdk-go v1.0.7/go.mod h1:Zl/tZfwg+31MZnP6cD7qwXndbORbSePxL7vRdix4HT4= -github.com/aws/aws-ebpf-sdk-go v1.0.8 h1:GyfMwkfS6Z8+5FgqRWlq+Sa3J97Qyb4fVY3KPkkyTW0= -github.com/aws/aws-ebpf-sdk-go v1.0.8/go.mod h1:RR0L0fJn8cJGgRH6zEYU4N64j6aee5P8gpUUFgkUQMA= -github.com/aws/aws-sdk-go v1.50.30 h1:2OelKH1eayeaH7OuL1Y9Ombfw4HK+/k0fEnJNWjyLts= -github.com/aws/aws-sdk-go v1.50.30/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= +github.com/aws/aws-ebpf-sdk-go v1.0.9 h1:FvkyeRUKNvbUFgzh+Ia7XbBb5U86dHW6dCrljt76Fao= +github.com/aws/aws-ebpf-sdk-go v1.0.9/go.mod h1:SBy1vl1WXMingLbqPZfHd1VXTqB9cD473JwUfoEM+Qs= +github.com/aws/aws-ebpf-sdk-go v1.0.10-rc1 h1:Qx4f/6pDe6R1ERZK6HoSY+ud8beTH2i5mfy9G9r2Zf8= +github.com/aws/aws-ebpf-sdk-go v1.0.10-rc1/go.mod h1:ac1t60OCFqHSPXRroKl6DUaZ4WDvo/CmKKD25K/pfO0= +github.com/aws/aws-ebpf-sdk-go v1.0.10 h1:QBfNC2ZOoRZcEb9jeR4Nh8Uyw5fkI6Ckh9RTy1H6dBI= +github.com/aws/aws-ebpf-sdk-go v1.0.10/go.mod h1:ac1t60OCFqHSPXRroKl6DUaZ4WDvo/CmKKD25K/pfO0= +github.com/aws/aws-sdk-go v1.55.3 h1:0B5hOX+mIx7I5XPOrjrHlKSDQV/+ypFZpIHOx5LOk3E= +github.com/aws/aws-sdk-go v1.55.3/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= 
@@ -89,10 +91,10 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.17.2 h1:7eMhcy3GimbsA3hEnVKdw/PQM9XN9krpKVXsZdph0/g= -github.com/onsi/ginkgo/v2 v2.17.2/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc= -github.com/onsi/gomega v1.33.0 h1:snPCflnZrpMsy94p4lXVEkHo12lmPnc3vY5XBbreexE= -github.com/onsi/gomega v1.33.0/go.mod h1:+925n5YtiFsLzzafLUHzVMBpvvRAzrydIBiSIxjX3wY= +github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= +github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= +github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= +github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 
@@ -165,16 +167,19 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= -golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= +golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= +golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8= golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= +golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -184,8 +189,8 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.20.0 h1:hz/CVckiOxybQvFw6h7b/q80NTr9IUQb4s1IIzW7KNY= -golang.org/x/tools v0.20.0/go.mod h1:WvitBU7JJf6A4jOdg4S1tviW9bhUxkgeCui/0JHctQg= +golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw= +golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/main.go b/main.go index bfb5017..f2666ac 100644 --- a/main.go +++ b/main.go @@ -83,10 +83,16 @@ func main() { os.Exit(1) } + err = ctrlConfig.ValidControllerFlags() + if err != nil { + setupLog.Error(err, "Controller flags validation failed") + os.Exit(1) + } + ctx := ctrl.SetupSignalHandler() policyEndpointController, err := controllers.NewPolicyEndpointsReconciler(mgr.GetClient(), ctrl.Log.WithName("controllers").WithName("policyEndpoints"), ctrlConfig.EnablePolicyEventLogs, ctrlConfig.EnableCloudWatchLogs, - ctrlConfig.EnableIPv6, ctrlConfig.EnableNetworkPolicy, ctrlConfig.ConntrackCacheCleanupPeriod) + ctrlConfig.EnableIPv6, ctrlConfig.EnableNetworkPolicy, ctrlConfig.ConntrackCacheCleanupPeriod, ctrlConfig.ConntrackCacheTableSize) if err != nil { setupLog.Error(err, "unable to setup controller", "controller", "PolicyEndpoints init failed") os.Exit(1) diff --git a/pkg/config/controller_config.go b/pkg/config/controller_config.go index ad4b8ba..e66f70d 100644 
--- a/pkg/config/controller_config.go +++ b/pkg/config/controller_config.go @@ -1,6 +1,10 @@ package config -import "github.com/spf13/pflag" +import ( + "errors" + + "github.com/spf13/pflag" +) const ( flagLogLevel = "log-level" @@ -10,11 +14,13 @@ const ( defaultLogFile = "/var/log/aws-routed-eni/network-policy-agent.log" defaultMaxConcurrentReconciles = 3 defaultConntrackCacheCleanupPeriod = 300 + defaultConntrackCacheTableSize = 256 * 1024 flagEnablePolicyEventLogs = "enable-policy-event-logs" flagEnableCloudWatchLogs = "enable-cloudwatch-logs" flagEnableIPv6 = "enable-ipv6" flagEnableNetworkPolicy = "enable-network-policy" flagConntrackCacheCleanupPeriod = "conntrack-cache-cleanup-period" + flagConntrackCacheTableSize = "conntrack-cache-table-size" ) // ControllerConfig contains the controller configuration @@ -35,6 +41,8 @@ type ControllerConfig struct { EnableNetworkPolicy bool // ConntrackCacheCleanupPeriod specifies the cleanup period ConntrackCacheCleanupPeriod int + // ConntrackTableSize specifies the conntrack table size for the agent + ConntrackCacheTableSize int // Configurations for the Controller Runtime RuntimeConfig RuntimeConfig } 
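Review bot: The comment on the new `ControllerConfig` field says `ConntrackTableSize` while the field added is `ConntrackCacheTableSize`, so the doc line no longer names what it documents. Make it `// ConntrackCacheTableSize specifies the max-entries size of the agent's conntrack BPF map; it is applied once at startup and is not resized afterwards`, which also carries the README's "needs a node reload" caveat into the code where the value is read.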
@@ -52,6 +60,17 @@ func (cfg *ControllerConfig) BindFlags(fs *pflag.FlagSet) { fs.BoolVar(&cfg.EnableNetworkPolicy, flagEnableNetworkPolicy, false, "If enabled, Network Policy agent will initialize BPF maps and start reconciler") fs.IntVar(&cfg.ConntrackCacheCleanupPeriod, flagConntrackCacheCleanupPeriod, defaultConntrackCacheCleanupPeriod, ""+ "Cleanup interval for network policy agent conntrack cache") + fs.IntVar(&cfg.ConntrackCacheTableSize, flagConntrackCacheTableSize, defaultConntrackCacheTableSize, ""+ + "Table size for network policy agent conntrack cache") cfg.RuntimeConfig.BindFlags(fs) } + +// Validate controller flags +func (cfg *ControllerConfig) ValidControllerFlags() error { + // Validate conntrack cache table size + if cfg.ConntrackCacheTableSize < (32*1024) || cfg.ConntrackCacheTableSize > (1024*1024) { + return errors.New("Invalid conntrack cache table size, should be between 32K and 1024K") + } + return nil +} diff --git a/pkg/ebpf/bpf_client.go b/pkg/ebpf/bpf_client.go index 293bd1e..d281847 100644 --- a/pkg/ebpf/bpf_client.go +++ b/pkg/ebpf/bpf_client.go @@ -9,7 +9,6 @@ import ( "strings" "sync" "time" - "unsafe" corev1 "k8s.io/api/core/v1" @@ -109,7 +108,7 @@ type EbpfFirewallRules struct { } func NewBpfClient(policyEndpointeBPFContext *sync.Map, nodeIP string, enablePolicyEventLogs, enableCloudWatchLogs bool, - enableIPv6 bool, conntrackTTL int) (*bpfClient, error) { + enableIPv6 bool, conntrackTTL int, conntrackTableSize int) (*bpfClient, error) { var conntrackMap goebpfmaps.BpfMap ebpfClient := &bpfClient{ 
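Review bot: `ValidControllerFlags` rejects an out-of-range table size, but the error it returns drops the offending value and is capitalised, and the `--conntrack-cache-table-size` help text does not mention the accepted range, so an operator only learns the bounds after the agent has exited. I would return `fmt.Errorf("conntrack cache table size %d is out of range, must be between 32K and 1024K", cfg.ConntrackCacheTableSize)` (adding `"fmt"` to the new import block) and extend the help string to `"Table size for network policy agent conntrack cache (32K-1024K; the map is sized once at startup)"`. A validator that returns an error conventionally reads `ValidateControllerFlags`, and the exported doc comment should start with the method name, e.g. `// ValidControllerFlags checks that the parsed flag values are within the supported bounds.`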
@@ -181,10 +180,19 @@ func NewBpfClient(policyEndpointeBPFContext *sync.Map, nodeIP string, enablePoli if enableIPv6 { eventsProbe = EVENTS_V6_BINARY } - _, globalMapInfo, err := ebpfClient.bpfSDKClient.LoadBpfFile(eventsProbe, "global") + var bpfSdkInputData goelf.BpfCustomData + bpfSdkInputData.FilePath = eventsProbe + bpfSdkInputData.CustomPinPath = "global" + bpfSdkInputData.CustomMapSize = make(map[string]int) + + bpfSdkInputData.CustomMapSize[AWS_CONNTRACK_MAP] = conntrackTableSize + + ebpfClient.logger.Info("Setting conntrack cache map size: ", "max entries", conntrackTableSize) + + _, globalMapInfo, err := ebpfClient.bpfSDKClient.LoadBpfFileWithCustomData(bpfSdkInputData) if err != nil { ebpfClient.logger.Error(err, "Unable to load events binary. Required for policy enforcement, exiting..") - sdkAPIErr.WithLabelValues("LoadBpfFile").Inc() + sdkAPIErr.WithLabelValues("LoadBpfFileWithCustomData").Inc() return nil, err } ebpfClient.logger.Info("Successfully loaded events probe") @@ -736,7 +744,8 @@ func (l *bpfClient) updateEbpfMap(mapToUpdate goebpfmaps.BpfMap, firewallRules [ func sortFirewallRulesByPrefixLength(rules []EbpfFirewallRules, prefixLenStr string) { sort.Slice(rules, func(i, j int) bool { - prefixLen, _ := strconv.Atoi(prefixLenStr) + prefixSplit := strings.Split(prefixLenStr, "/") + prefixLen, _ := strconv.Atoi(prefixSplit[1]) prefixLenIp1 := prefixLen prefixLenIp2 := prefixLen @@ -793,10 +802,9 @@ func mergeDuplicateL4Info(ports []v1alpha1.Port) []v1alpha1.Port { return result } -func (l *bpfClient) computeMapEntriesFromEndpointRules(firewallRules []EbpfFirewallRules) (map[string]uintptr, error) { +func (l *bpfClient) computeMapEntriesFromEndpointRules(firewallRules []EbpfFirewallRules) (map[string][]byte, error) { firewallMap := make(map[string][]byte) - mapEntries := make(map[string]uintptr) ipCIDRs := make(map[string][]v1alpha1.Port) nonHostCIDRs := make(map[string][]v1alpha1.Port) isCatchAllIPEntryPresent, allowAll := false, false 
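Review bot: `NewBpfClient` stores `conntrackTableSize` into `CustomMapSize[AWS_CONNTRACK_MAP]` without any check, relying on `ValidControllerFlags` having run in main, so a zero or oversized value from any other caller is handed to the SDK as-is; the precondition belongs on the function, `// conntrackTableSize is used as the max-entries value of the conntrack map and is passed to the SDK unchecked; callers must keep it within the range enforced by ControllerConfig.ValidControllerFlags`. The Info message `"Setting conntrack cache map size: "` carries a trailing colon and space while the value is already a structured key/value; logr messages are meant to be constant text, so `ebpfClient.logger.Info("Setting conntrack cache map size", "max entries", conntrackTableSize)` is the conventional form. NewBpfClient starts before this hunk and continues after it.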
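Review bot: `prefixSplit[1]` in the comparator panics with an index-out-of-range whenever `prefixLenStr` contains no `/`, because `strings.Split` then returns a one-element slice; the old code merely produced a wrong prefix length on such input, the new code crashes the agent from inside `sort.Slice`, and the `Atoi` error is still discarded. The split and parse are also loop-invariant yet redone on every comparison. I would parse once outside the closure with `strings.Cut` (the module is on Go 1.21) and fall back to 0 on malformed input, which matches the current result for a failed `Atoi`; presumably the caller now passes a CIDR string, which I cannot see. `sortFirewallRulesByPrefixLength` continues past the end of the hunk.
```go
func sortFirewallRulesByPrefixLength(rules []EbpfFirewallRules, prefixLenStr string) {
	// Parse the prefix length once; a value without "/" must not panic the comparator.
	prefixLen := 0
	if _, lenStr, ok := strings.Cut(prefixLenStr, "/"); ok {
		if n, err := strconv.Atoi(lenStr); err == nil {
			prefixLen = n
		}
	}
	sort.Slice(rules, func(i, j int) bool {
		prefixLenIp1 := prefixLen
		prefixLenIp2 := prefixLen
		// … unchanged: per-rule prefix comparison …
```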
@@ -896,12 +904,7 @@ func (l *bpfClient) computeMapEntriesFromEndpointRules(firewallRules []EbpfFirew } } - //Add to mapEntries - for key, value := range firewallMap { - byteSlicePtr := unsafe.Pointer(&value[0]) - mapEntries[key] = uintptr(byteSlicePtr) - } - return mapEntries, nil + return firewallMap, nil } func (l *bpfClient) checkAndDeriveCatchAllIPPorts(firewallRules []EbpfFirewallRules) ([]v1alpha1.Port, bool, bool) { diff --git a/pkg/rpc/rpc_handler.go b/pkg/rpc/rpc_handler.go index 79957a6..c00ad07 100644 --- a/pkg/rpc/rpc_handler.go +++ b/pkg/rpc/rpc_handler.go @@ -44,6 +44,14 @@ type server struct { // EnforceNpToPod processes CNI Enforce NP network request func (s *server) EnforceNpToPod(ctx context.Context, in *rpc.EnforceNpRequest) (*rpc.EnforceNpReply, error) { + if s.policyReconciler.GeteBPFClient() == nil { + s.log.Info("Network policy is disabled, returning success") + success := rpc.EnforceNpReply{ + Success: true, + } + return &success, nil + } + s.log.Info("Received Enforce Network Policy Request for Pod", "Name", in.K8S_POD_NAME, "Namespace", in.K8S_POD_NAMESPACE) var err error diff --git a/pkg/utils/utils.go b/pkg/utils/utils.go index 77b2aca..9fb2cea 100644 --- a/pkg/utils/utils.go +++ b/pkg/utils/utils.go @@ -165,6 +165,7 @@ func ComputeTrieValue(l4Info []v1alpha1.Port, log logr.Logger, allowAll, denyAll for _, l4Entry := range l4Info { if startOffset >= TRIE_VALUE_LENGTH { + log.Error(nil, "No.of unique port/protocol combinations supported for a single endpoint exceeded the supported maximum of 24") return value } endPort = 0
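Review bot: The early return in `EnforceNpToPod` answers `Success: true` whenever `GeteBPFClient()` is nil, which is correct only as long as nil means "enable-network-policy is false"; if a later change leaves the client nil for any other reason (an initialisation path that does not exit the process), the handler silently fails open and reports an enforcement that never happened. State the invariant next to the check, `// ebpfClient is nil only when enable-network-policy is false (see NewPolicyEndpointsReconciler); any other nil here would fail open`, and include `in.K8S_POD_NAME` and `in.K8S_POD_NAMESPACE` in the skipped-request log line as the following Info call does, so the per-pod decision is visible in the logs. The function continues beyond the hunk.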
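Review bot: The new error line in `ComputeTrieValue` hard-codes `24` in its message while the loop's actual limit is `TRIE_VALUE_LENGTH`, so the text drifts as soon as the constant or the per-entry size changes, and it gives the operator nothing to identify which endpoint lost rules even though the surplus port/protocol entries are silently left out of the returned value. Keep the number out of the message and attach the facts as key/values, `log.Error(nil, "Unique port/protocol combinations for a single endpoint exceed the supported maximum; remaining entries are not programmed", "entries", len(l4Info))`, adding an endpoint identifier if the caller can supply one. If the literal is kept, "No.of" should read "Number of". ComputeTrieValue starts before this hunk and continues after it.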