[WIP] UDN host isolation #4799

Draft pull request: wants to merge 14 commits into base: master

Commits on Oct 23, 2024

  1. Call PrepareTestConfig for healthcheck tests to ensure consistent setup.

    Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
    npinaeva committed Oct 23, 2024
    Commit 4579ac0
  2. kind.sh fix: delete kind cluster with given name instead of "ovn".

    Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
    npinaeva committed Oct 23, 2024
    Commit d8970fd
  3. utils,fake client: Populate NAD fake-client tracker

    Since the NAD API resource name uses an arbitrary name and
    doesn't match the kind name
    ('network-attachment-definitions' vs. 'NetworkAttachmentDefinition'),
    the underlying API machinery cannot match between the resource and
    kind names, causing NAD objects to not be reflected in the NAD informer [1].
    
    To overcome this, populate the NAD fakeclient tracker with the given NAD
    objects following the example in [2].
    
    This is a preliminary change to enable simplifying UDN controller
    tests, making test setup simpler and eliminating direct use of the NAD
    informer to create/delete NADs.
    
    [1] https://github.com/ovn-org/ovn-kubernetes/blob/65c79af35b2c22f90c863debefa15c4fb1f088cb/go-controller/vendor/k8s.io/client-go/testing/fixture.go#L341
    [2] ovn-org@434b059#diff-ae287d8b2b115068905d4b5bf477d0e8cb6586d271fe872ca3b17acc94f21075R1
    
    Signed-off-by: Or Mergi <ormergi@redhat.com>
    ormergi authored and npinaeva committed Oct 23, 2024
    Commit 7b5e7c5
  4. Make sure nftables binaries are available everywhere

    Signed-off-by: Dan Winship <danwinship@redhat.com>
    (cherry picked from commit 7bad589)
    danwinship authored and npinaeva committed Oct 23, 2024
    Commit d14702e
  5. Import knftables package, add pkg/node/nftables/

    Signed-off-by: Dan Winship <danwinship@redhat.com>
    (cherry picked from commit 79b6e3f)
    danwinship authored and npinaeva committed Oct 23, 2024
    Commit b6e6a22
  6. Add testing util for nftables.

    Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
    Authored-by: Dan Winship <danwinship@redhat.com>
    npinaeva committed Oct 23, 2024
    Commit 3a04944
  7. vendor in systemd listener

    Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
    npinaeva committed Oct 23, 2024
    Commit afc7567
  8. Bump knftables version to the master

    Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
    npinaeva committed Oct 23, 2024
    Commit b6f4d65
  9. Mount systemd/private to the ovnkube containers.

    It allows listening for systemd events; we use it to track kubelet
    restarts.
    
    Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
    npinaeva committed Oct 23, 2024
    Commit e9fcdf8
  10. Add host isolation for UDN pods.

    UDNHostIsolationManager manages the host isolation for user defined
    networks. It uses the nftables chain "udn-isolation" to only allow
    connections to primary UDN pods from kubelet.
    It also listens to systemd events to re-apply the rules after a kubelet
    restart, as cgroup matching is used.
    
    Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
    npinaeva committed Oct 23, 2024
    Commit ba13572
  11. node UDN isolation: make nft container more generic.

    Replace podIP with Element, add tracking of duplicate elements owned
    by different pods.
    
    Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
    npinaeva committed Oct 23, 2024
    Commit af88109
  12. node UDN isolation: handle open ports annotation on UDN pods.

    To allow access to open ports from the default hostNetwork pods,
    add nft rules to track icmp and tcp/udp/sctp allowed ports.
    Add a composed key option to nftPodElementsSet.
    Add unit tests for nftPodElementsSet and open port handling.
    
    Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
    npinaeva committed Oct 23, 2024
    Commit 2aff0d5
  13. host isolation, open ports: add e2e

    Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
    npinaeva committed Oct 23, 2024
    Commit a3f6743
  14. Add option to disable udn-host-isolation.

    UDN host isolation requires a kernel fix. Turn it off by default in
    ovnkube.sh (aka in our kind cluster). As soon as the fix becomes
    available for github runners (and dev environments), this flag will be
    removed from ovnkube.sh (and potentially from the code).
    This flag only takes effect when network segmentation is enabled.
    
    Add a DISABLE_UDN_HOST_ISOLATION env variable to the test workflow,
    set to true.
    Skip host isolation tests based on the value.
    
    Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
    npinaeva committed Oct 23, 2024
    Commit 71ad044