Blame - apps/k8s-networking/app/src/main/java/org/onosproject/k8snetworking/impl/K8sNetworkPolicyHandler.java - onos

2019-07-08 18:07:53 +0900

[diff] [blame]

/*

*

* Licensed under the Apache License, Version 2.0 (the "License");

5

* you may not use this file except in compliance with the License.

6

* You may obtain a copy of the License at

7

*

8

* http://www.apache.org/licenses/LICENSE-2.0

9

*

10

* Unless required by applicable law or agreed to in writing, software

11

* distributed under the License is distributed on an "AS IS" BASIS,

12

* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

13

* See the License for the specific language governing permissions and

14

* limitations under the License.

15

*/

16

package org.onosproject.k8snetworking.impl;

17

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

18

import com.google.common.collect.ImmutableSet;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

19

import com.google.common.collect.Maps;

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

20

import com.google.common.collect.Sets;

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

21

import io.fabric8.kubernetes.api.model.LabelSelectorRequirement;

22

import io.fabric8.kubernetes.api.model.Namespace;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

23

import io.fabric8.kubernetes.api.model.Pod;

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

24

import io.fabric8.kubernetes.api.model.Service;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

25

import io.fabric8.kubernetes.api.model.networking.NetworkPolicy;

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

26

import io.fabric8.kubernetes.api.model.networking.NetworkPolicyEgressRule;

27

import io.fabric8.kubernetes.api.model.networking.NetworkPolicyIngressRule;

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

28

import io.fabric8.kubernetes.api.model.networking.NetworkPolicyPeer;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

29

import io.fabric8.kubernetes.api.model.networking.NetworkPolicyPort;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

30

import org.onlab.packet.IPv4;

31

import org.onlab.packet.IpAddress;

32

import org.onlab.packet.IpPrefix;

33

import org.onlab.packet.TpPort;

34

import org.onosproject.cfg.ComponentConfigService;

35

import org.onosproject.cluster.ClusterService;

36

import org.onosproject.cluster.LeadershipService;

37

import org.onosproject.cluster.NodeId;

38

import org.onosproject.core.ApplicationId;

39

import org.onosproject.core.CoreService;

40

import org.onosproject.k8snetworking.api.K8sFlowRuleService;

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

41

import org.onosproject.k8snetworking.api.K8sNamespaceEvent;

42

import org.onosproject.k8snetworking.api.K8sNamespaceListener;

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

43

import org.onosproject.k8snetworking.api.K8sNamespaceService;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

44

import org.onosproject.k8snetworking.api.K8sNetworkPolicyEvent;

45

import org.onosproject.k8snetworking.api.K8sNetworkPolicyListener;

46

import org.onosproject.k8snetworking.api.K8sNetworkPolicyService;

47

import org.onosproject.k8snetworking.api.K8sNetworkService;

48

import org.onosproject.k8snetworking.api.K8sPodEvent;

49

import org.onosproject.k8snetworking.api.K8sPodListener;

50

import org.onosproject.k8snetworking.api.K8sPodService;

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

51

import org.onosproject.k8snetworking.api.K8sServiceEvent;

52

import org.onosproject.k8snetworking.api.K8sServiceListener;

53

import org.onosproject.k8snetworking.api.K8sServiceService;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

54

import org.onosproject.k8snode.api.K8sNodeService;

55

import org.onosproject.net.device.DeviceService;

56

import org.onosproject.net.driver.DriverService;

57

import org.onosproject.net.flow.DefaultTrafficSelector;

58

import org.onosproject.net.flow.DefaultTrafficTreatment;

59

import org.onosproject.net.flow.TrafficSelector;

60

import org.onosproject.net.flow.TrafficTreatment;

61

import org.onosproject.store.service.StorageService;

62

import org.osgi.service.component.annotations.Activate;

63

import org.osgi.service.component.annotations.Component;

64

import org.osgi.service.component.annotations.Deactivate;

65

import org.osgi.service.component.annotations.Reference;

66

import org.osgi.service.component.annotations.ReferenceCardinality;

67

import org.slf4j.Logger;

68

69

import java.util.List;

70

import java.util.Map;

71

import java.util.Objects;

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

72

import java.util.Set;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

73

import java.util.concurrent.ExecutorService;

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

74

import java.util.concurrent.atomic.AtomicReference;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

75

76

import static java.util.concurrent.Executors.newSingleThreadExecutor;

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

77

import static org.onlab.packet.Ethernet.TYPE_IPV4;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

78

import static org.onlab.util.Tools.groupedThreads;

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

79

import static org.onosproject.k8snetworking.api.Constants.ACL_EGRESS_BLACK_TABLE;

80

import static org.onosproject.k8snetworking.api.Constants.ACL_EGRESS_WHITE_TABLE;

81

import static org.onosproject.k8snetworking.api.Constants.ACL_INGRESS_BLACK_TABLE;

82

import static org.onosproject.k8snetworking.api.Constants.ACL_INGRESS_WHITE_TABLE;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

83

import static org.onosproject.k8snetworking.api.Constants.ACL_TABLE;

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

84

import static org.onosproject.k8snetworking.api.Constants.DEFAULT_METADATA_MASK;

85

import static org.onosproject.k8snetworking.api.Constants.DEFAULT_NAMESPACE_HASH;

86

import static org.onosproject.k8snetworking.api.Constants.DEFAULT_SEGMENT_ID;

87

import static org.onosproject.k8snetworking.api.Constants.GROUPING_TABLE;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

88

import static org.onosproject.k8snetworking.api.Constants.K8S_NETWORKING_APP_ID;

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

89

import static org.onosproject.k8snetworking.api.Constants.NAMESPACE_TABLE;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

90

import static org.onosproject.k8snetworking.api.Constants.PRIORITY_CIDR_RULE;

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

91

import static org.onosproject.k8snetworking.api.Constants.PRIORITY_NAMESPACE_RULE;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

92

import static org.onosproject.k8snetworking.api.Constants.ROUTING_TABLE;

93

import static org.onosproject.k8snetworking.api.Constants.SHIFTED_IP_PREFIX;

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

94

import static org.onosproject.k8snetworking.impl.OsgiPropertyConstants.SERVICE_IP_CIDR_DEFAULT;

95

import static org.onosproject.k8snetworking.util.K8sNetworkingUtil.namespaceHashByNamespace;

96

import static org.onosproject.k8snetworking.util.K8sNetworkingUtil.namespaceHashByPodIp;

97

import static org.onosproject.k8snetworking.util.K8sNetworkingUtil.namespaceHashByServiceIp;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

98

import static org.onosproject.k8snetworking.util.K8sNetworkingUtil.shiftIpDomain;

99

import static org.slf4j.LoggerFactory.getLogger;

100

101

/**

102

* Handles the ACL by referring to the network policy defined through kubernetes.

103

*/

104

@Component(immediate = true)

105

public class K8sNetworkPolicyHandler {

106

107

private final Logger log = getLogger(getClass());

108

109

private static final String DIRECTION_INGRESS = "ingress";

110

private static final String DIRECTION_EGRESS = "egress";

111

112

private static final String PROTOCOL_TCP = "tcp";

113

private static final String PROTOCOL_UDP = "udp";

114

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

115

private static final String KUBE_SYSTEM = "kube-system";

116

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

117

private static final int HOST_PREFIX = 32;

118

119

@Reference(cardinality = ReferenceCardinality.MANDATORY)

120

protected CoreService coreService;

121

122

@Reference(cardinality = ReferenceCardinality.MANDATORY)

123

protected LeadershipService leadershipService;

124

125

@Reference(cardinality = ReferenceCardinality.MANDATORY)

126

protected ClusterService clusterService;

127

128

@Reference(cardinality = ReferenceCardinality.MANDATORY)

129

protected DriverService driverService;

130

131

@Reference(cardinality = ReferenceCardinality.MANDATORY)

132

protected DeviceService deviceService;

133

134

@Reference(cardinality = ReferenceCardinality.MANDATORY)

135

protected ComponentConfigService configService;

136

137

@Reference(cardinality = ReferenceCardinality.MANDATORY)

138

protected StorageService storageService;

139

140

@Reference(cardinality = ReferenceCardinality.MANDATORY)

141

protected K8sNetworkService k8sNetworkService;

142

143

@Reference(cardinality = ReferenceCardinality.MANDATORY)

144

protected K8sFlowRuleService k8sFlowRuleService;

145

146

@Reference(cardinality = ReferenceCardinality.MANDATORY)

147

protected K8sNodeService k8sNodeService;

148

149

@Reference(cardinality = ReferenceCardinality.MANDATORY)

150

protected K8sPodService k8sPodService;

151

152

@Reference(cardinality = ReferenceCardinality.MANDATORY)

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

153

protected K8sServiceService k8sServiceService;

154

155

@Reference(cardinality = ReferenceCardinality.MANDATORY)

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

156

protected K8sNetworkPolicyService k8sNetworkPolicyService;

157

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

158

@Reference(cardinality = ReferenceCardinality.MANDATORY)

159

protected K8sNamespaceService k8sNamespaceService;

160

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

161

private final ExecutorService eventExecutor = newSingleThreadExecutor(

162

groupedThreads(this.getClass().getSimpleName(), "event-handler", log));

163

private final InternalPodListener internalPodListener =

164

new InternalPodListener();

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

165

private final InternalServiceListener internalServiceListener =

166

new InternalServiceListener();

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

167

private final InternalNetworkPolicyListener internalNetworkPolicyListener =

168

new InternalNetworkPolicyListener();

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

169

private final InternalNamespaceListener internalNamespaceListener =

170

new InternalNamespaceListener();

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

171

172

private ApplicationId appId;

173

private NodeId localNodeId;

174

175

@Activate

176

protected void activate() {

177

appId = coreService.registerApplication(K8S_NETWORKING_APP_ID);

178

179

localNodeId = clusterService.getLocalNode().id();

180

leadershipService.runForLeadership(appId.name());

181

k8sPodService.addListener(internalPodListener);

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

182

k8sServiceService.addListener(internalServiceListener);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

183

k8sNetworkPolicyService.addListener(internalNetworkPolicyListener);

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

184

k8sNamespaceService.addListener(internalNamespaceListener);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

log.info("Started");

}

@Deactivate

protected void deactivate() {

191

leadershipService.withdraw(appId.name());

192

k8sPodService.removeListener(internalPodListener);

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

193

k8sServiceService.removeListener(internalServiceListener);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

194

k8sNetworkPolicyService.removeListener(internalNetworkPolicyListener);

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

195

k8sNamespaceService.removeListener(internalNamespaceListener);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

196

eventExecutor.shutdown();

log.info("Stopped");

}

private void setBlockRulesByPolicy(NetworkPolicy policy, boolean install) {

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

202

final Map<String, List<String>> filter = Maps.newConcurrentMap();

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

203

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

204

k8sPodService.pods().forEach(pod ->

205

filter.putAll(getBlockRuleFilter(pod, policy)));

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

206

207

setBlockRules(filter, install);

208

}

209

210

private void setBlockRulesByPod(Pod pod, boolean install) {

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

211

final Map<String, List<String>> filter = Maps.newConcurrentMap();

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

212

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

213

k8sNetworkPolicyService.networkPolicies().forEach(policy ->

214

filter.putAll(getBlockRuleFilter(pod, policy)));

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

215

216

setBlockRules(filter, install);

217

}

218

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

219

private Map<String, List<String>> getBlockRuleFilter(Pod pod, NetworkPolicy policy) {

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

220

221

// if the POD is not included in the namespace of the given policy,

222

// we do not block the POD

223

if (!pod.getMetadata().getNamespace().equals(policy.getMetadata().getNamespace())) {

224

return Maps.newConcurrentMap();

225

}

226

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

227

Map<String, String> labels = policy.getSpec().getPodSelector().getMatchLabels();

228

Map<String, List<String>> filter = Maps.newConcurrentMap();

229

String podIp = pod.getStatus().getPodIP();

230

List<String> policyTypes = policy.getSpec().getPolicyTypes();

231

232

if (podIp != null && policyTypes != null) {

233

if (labels == null) {

234

filter.put(podIp, policyTypes);

235

} else {

236

pod.getMetadata().getLabels().forEach((k, v) -> {

237

if (labels.get(k) != null && labels.get(k).equals(v)) {

238

filter.put(podIp, policyTypes);

}

});

}

}

return filter;

}

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

247

private void setBlockRules(Map<String, List<String>> filter, boolean install) {

248

filter.forEach((k, v) -> {

249

v.forEach(d -> {

250

TrafficSelector.Builder sBuilder = DefaultTrafficSelector.builder()

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

251

.matchEthType(TYPE_IPV4);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

252

TrafficTreatment.Builder tBuilder = DefaultTrafficTreatment.builder();

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

253

254

Integer nsHash = namespaceHashByPodIp(k8sPodService, k8sNamespaceService, k);

255

if (nsHash != null) {

256

tBuilder.setTunnelId(nsHash);

257

}

258

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

259

if (d.equalsIgnoreCase(DIRECTION_INGRESS)) {

260

sBuilder.matchIPDst(IpPrefix.valueOf(IpAddress.valueOf(k), HOST_PREFIX));

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

261

tBuilder.transition(ACL_INGRESS_WHITE_TABLE);

Jian Li

2019-07-30 17:10:39 +0900

[diff] [blame]

262

setPolicyRulesBase(sBuilder, tBuilder, ACL_TABLE, install);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

263

} else if (d.equalsIgnoreCase(DIRECTION_EGRESS)) {

Jian Li

2019-07-30 17:10:39 +0900

[diff] [blame]

264

// original IP

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

265

sBuilder.matchIPSrc(IpPrefix.valueOf(IpAddress.valueOf(k), HOST_PREFIX));

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

266

tBuilder.transition(ACL_EGRESS_WHITE_TABLE);

Jian Li

2019-07-30 17:10:39 +0900

[diff] [blame]

267

setPolicyRulesBase(sBuilder, tBuilder, ACL_TABLE, install);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

268

Jian Li

2019-07-30 17:10:39 +0900

[diff] [blame]

269

270

// shifted IP

271

sBuilder.matchIPSrc(IpPrefix.valueOf(IpAddress.valueOf(

272

shiftIpDomain(k, SHIFTED_IP_PREFIX)), HOST_PREFIX));

273

setPolicyRulesBase(sBuilder, tBuilder, ACL_TABLE, install);

274

}

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

});

});

}

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

279

private void setDefaultAllowNamespaceRules(Namespace namespace, boolean install) {

280

281

String ns = namespace.getMetadata().getName();

282

if (KUBE_SYSTEM.equalsIgnoreCase(ns)) {

283

setAllowNamespaceRulesBase(0, namespace.hashCode(),

284

DIRECTION_INGRESS, install);

}

}

private void setDefaultAllowServiceRules(boolean install) {

289

TrafficSelector.Builder sBuilder = DefaultTrafficSelector.builder()

290

.matchEthType(TYPE_IPV4)

291

.matchIPSrc(IpPrefix.valueOf(SERVICE_IP_CIDR_DEFAULT));

292

TrafficTreatment.Builder tBuilder = DefaultTrafficTreatment.builder()

293

.setTunnelId(DEFAULT_SEGMENT_ID)

294

.transition(ROUTING_TABLE);

295

296

setPolicyRulesBase(sBuilder, tBuilder, ACL_INGRESS_WHITE_TABLE, install);

297

}

298

299

private void setAllowNamespaceRulesBase(int tunnelId, int metadata,

300

String direction, boolean install) {

301

TrafficSelector.Builder sBuilder = DefaultTrafficSelector.builder();

302

303

if (tunnelId != 0) {

304

sBuilder.matchTunnelId(tunnelId);

305

}

306

307

sBuilder.matchMetadata(metadata);

308

TrafficTreatment.Builder tBuilder = DefaultTrafficTreatment.builder()

309

.setTunnelId(DEFAULT_SEGMENT_ID)

310

.transition(ROUTING_TABLE);

311

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

312

if (DIRECTION_INGRESS.equals(direction)) {

Jian Li

2019-07-30 19:12:07 +0900

[diff] [blame^]

313

setPolicyRulesBase(sBuilder, tBuilder, ACL_INGRESS_WHITE_TABLE, install);

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

314

}

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

315

}

316

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

317

private void setAllowRulesByPolicy(NetworkPolicy policy, boolean install) {

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

318

Map<String, Map<String, List<NetworkPolicyPort>>>

319

white = Maps.newConcurrentMap();

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

320

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

321

int nsHash = namespaceHashByNamespace(k8sNamespaceService,

322

policy.getMetadata().getNamespace());

323

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

324

List<NetworkPolicyIngressRule> ingress = policy.getSpec().getIngress();

325

if (ingress != null && ingress.size() == 1) {

326

NetworkPolicyIngressRule rule = ingress.get(0);

327

if (rule.getFrom().size() == 0 && rule.getPorts().size() == 0) {

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

328

setAllowAllRule(nsHash, DIRECTION_INGRESS, install);

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

}

}

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

332

policy.getSpec().getIngress().forEach(i -> {

333

Map<String, List<NetworkPolicyPort>> direction = Maps.newConcurrentMap();

334

direction.put(DIRECTION_INGRESS, i.getPorts());

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

335

i.getFrom().forEach(peer -> {

336

337

// IP block

338

if (peer.getIpBlock() != null) {

339

if (peer.getIpBlock().getExcept() != null &&

340

peer.getIpBlock().getExcept().size() > 0) {

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

341

Map<String, List<NetworkPolicyPort>>

342

blkDirection = Maps.newConcurrentMap();

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

343

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

344

blkDirection.put(DIRECTION_INGRESS, i.getPorts());

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

345

white.compute(peer.getIpBlock().getCidr(), (k, v) -> blkDirection);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

346

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

347

setBlackRules(peer.getIpBlock().getCidr(), DIRECTION_INGRESS,

348

peer.getIpBlock().getExcept(), install);

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

349

} else {

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

350

white.compute(peer.getIpBlock().getCidr(), (k, v) -> direction);

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

}

}

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

354

// POD selector

Jian Li

f3b595b

2019-07-28 21:35:49 +0900

[diff] [blame]

355

Set<Pod> pods = podsFromPolicyPeer(peer, policy.getMetadata().getNamespace());

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

356

Jian Li

2019-07-30 19:12:07 +0900

[diff] [blame^]

357

pods.stream()

358

.filter(pod -> pod.getStatus().getPodIP() != null)

359

.forEach(pod -> {

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

360

white.compute(shiftIpDomain(pod.getStatus().getPodIP(),

361

SHIFTED_IP_PREFIX) + "/" + HOST_PREFIX, (m, n) -> direction);

362

white.compute(pod.getStatus().getPodIP() + "/" + HOST_PREFIX, (m, n) -> direction);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

363

});

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

364

365

// Namespace selector

366

setAllowNamespaceRules(nsHash,

367

namespacesByPolicyPeer(peer), DIRECTION_INGRESS, install);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

});

});

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

371

List<NetworkPolicyEgressRule> egress = policy.getSpec().getEgress();

372

if (egress != null && egress.size() == 1) {

373

NetworkPolicyEgressRule rule = egress.get(0);

374

if (rule.getTo().size() == 0 && rule.getPorts().size() == 0) {

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

375

setAllowAllRule(nsHash, DIRECTION_EGRESS, install);

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

}

}

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

379

policy.getSpec().getEgress().forEach(e -> {

380

Map<String, List<NetworkPolicyPort>> direction = Maps.newConcurrentMap();

381

direction.put(DIRECTION_EGRESS, e.getPorts());

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

382

e.getTo().forEach(peer -> {

383

384

// IP block

385

if (peer.getIpBlock() != null) {

386

if (peer.getIpBlock().getExcept() != null &&

387

peer.getIpBlock().getExcept().size() > 0) {

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

388

389

Map<String, List<NetworkPolicyPort>>

390

blkDirection = Maps.newConcurrentMap();

391

blkDirection.put(DIRECTION_EGRESS, e.getPorts());

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

392

white.compute(peer.getIpBlock().getCidr(), (k, v) -> {

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

393

if (v != null) {

394

v.put(DIRECTION_EGRESS, e.getPorts());

return v;

} else {

return blkDirection;

}

});

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

401

setBlackRules(peer.getIpBlock().getCidr(), DIRECTION_EGRESS,

402

peer.getIpBlock().getExcept(), install);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

403

} else {

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

404

white.compute(peer.getIpBlock().getCidr(), (k, v) -> {

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

405

if (v != null) {

406

v.put(DIRECTION_EGRESS, e.getPorts());

return v;

} else {

return direction;

}

});

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

412

}

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

413

}

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

414

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

415

// POD selector

Jian Li

f3b595b

2019-07-28 21:35:49 +0900

[diff] [blame]

416

Set<Pod> pods = podsFromPolicyPeer(peer, policy.getMetadata().getNamespace());

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

417

Jian Li

2019-07-30 19:12:07 +0900

[diff] [blame^]

418

pods.stream()

419

.filter(pod -> pod.getStatus().getPodIP() != null)

420

.forEach(pod -> {

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

421

white.compute(shiftIpDomain(pod.getStatus().getPodIP(),

422

SHIFTED_IP_PREFIX) + "/" + HOST_PREFIX, (m, n) -> {

423

if (n != null) {

424

n.put(DIRECTION_EGRESS, e.getPorts());

return n;

} else {

return direction;

}

});

white.compute(pod.getStatus().getPodIP() + "/" + HOST_PREFIX,

432

(m, n) -> {

433

if (n != null) {

434

n.put(DIRECTION_EGRESS, e.getPorts());

435

return n;

436

} else {

437

return direction;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

438

}

439

});

440

});

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

441

442

// Namespace selector

443

setAllowNamespaceRules(nsHash,

444

namespacesByPolicyPeer(peer), DIRECTION_EGRESS, install);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

});

});

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

448

setAllowRules(namespaceHashByNamespace(k8sNamespaceService,

449

policy.getMetadata().getNamespace()), white, install);

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

450

setBlackToRouteRules(true);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

451

}

452

Jian Li

f3b595b

2019-07-28 21:35:49 +0900

[diff] [blame]

453

private Set<Pod> podsFromPolicyPeer(NetworkPolicyPeer peer, String namespace) {

454

Set<Pod> pods = Sets.newConcurrentHashSet();

455

if (peer.getPodSelector() != null) {

456

Map<String, String> podLabels = peer.getPodSelector().getMatchLabels();

457

List<LabelSelectorRequirement> matchExps = peer.getPodSelector().getMatchExpressions();

458

459

if (podLabels == null && matchExps.size() == 0) {

460

k8sPodService.pods().stream()

461

.filter(pod -> pod.getMetadata().getNamespace().equals(

namespace))

.forEach(pods::add);

} else {

k8sPodService.pods().stream()

466

.filter(pod -> pod.getMetadata().getNamespace().equals(

467

namespace))

468

.forEach(pod -> {

469

pod.getMetadata().getLabels().forEach((k, v) -> {

470

if (podLabels != null && podLabels.get(k) != null &&

471

podLabels.get(k).equals(v)) {

pods.add(pod);

}

});

});

}

}

return pods;

}

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

481

private void setAllowRulesByPod(Pod pod, boolean install) {

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

482

Map<String, Map<String, List<NetworkPolicyPort>>>

483

white = Maps.newConcurrentMap();

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

484

AtomicReference<NetworkPolicy> selectedPolicy = new AtomicReference<>();

485

k8sNetworkPolicyService.networkPolicies().stream()

486

.filter(policy -> policy.getMetadata().getNamespace().equals(

487

pod.getMetadata().getNamespace()))

488

.forEach(policy -> {

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

489

String podIp = pod.getStatus().getPodIP();

490

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

491

policy.getSpec().getIngress().forEach(i -> {

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

492

Map<String, List<NetworkPolicyPort>>

493

direction = Maps.newConcurrentMap();

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

494

direction.put(DIRECTION_INGRESS, i.getPorts());

495

i.getFrom().forEach(peer -> {

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

496

if (peer.getPodSelector() != null) {

497

Map<String, String> podLabels = peer.getPodSelector().getMatchLabels();

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

498

List<LabelSelectorRequirement> matchExps = peer.getPodSelector().getMatchExpressions();

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

499

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

500

if (podLabels == null && matchExps.size() == 0 && podIp != null) {

501

white.compute(shiftIpDomain(podIp, SHIFTED_IP_PREFIX) +

502

"/" + HOST_PREFIX, (m, n) -> direction);

503

white.compute(podIp + "/" +

504

HOST_PREFIX, (m, n) -> direction);

505

506

selectedPolicy.set(policy);

507

} else {

508

pod.getMetadata().getLabels().forEach((k, v) -> {

509

if (podLabels != null && podLabels.get(k) != null &&

510

podLabels.get(k).equals(v) && podIp != null) {

511

white.compute(shiftIpDomain(podIp, SHIFTED_IP_PREFIX) +

512

"/" + HOST_PREFIX, (m, n) -> direction);

513

white.compute(podIp + "/" +

514

HOST_PREFIX, (m, n) -> direction);

515

516

selectedPolicy.set(policy);

517

}

518

});

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

519

}

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

520

}

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

});

});

});

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

525

k8sNetworkPolicyService.networkPolicies().stream()

526

.filter(policy -> policy.getMetadata().getNamespace().equals(

527

pod.getMetadata().getNamespace()))

528

.forEach(policy -> {

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

529

String podIp = pod.getStatus().getPodIP();

530

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

531

policy.getSpec().getEgress().forEach(e -> {

532

Map<String, List<NetworkPolicyPort>> direction = Maps.newConcurrentMap();

533

direction.put(DIRECTION_EGRESS, e.getPorts());

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

534

e.getTo().forEach(peer -> {

535

if (peer.getPodSelector() != null) {

536

Map<String, String> podLabels = peer.getPodSelector().getMatchLabels();

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

537

List<LabelSelectorRequirement> matchExps = peer.getPodSelector().getMatchExpressions();

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

538

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

539

if (podLabels == null && matchExps.size() == 0 && podIp != null) {

540

white.compute(shiftIpDomain(podIp, SHIFTED_IP_PREFIX) +

541

"/" + HOST_PREFIX, (m, n) -> {

542

if (n != null) {

543

n.put(DIRECTION_EGRESS, e.getPorts());

return n;

} else {

return direction;

}

});

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

549

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

550

white.compute(podIp + "/" +

551

HOST_PREFIX, (m, n) -> {

552

if (n != null) {

553

n.put(DIRECTION_EGRESS, e.getPorts());

return n;

} else {

return direction;

}

});

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

559

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

560

selectedPolicy.set(policy);

561

} else {

562

pod.getMetadata().getLabels().forEach((k, v) -> {

563

if (podLabels != null && podLabels.get(k) != null &&

564

podLabels.get(k).equals(v) && podIp != null) {

565

white.compute(shiftIpDomain(podIp, SHIFTED_IP_PREFIX) +

566

"/" + HOST_PREFIX, (m, n) -> {

567

if (n != null) {

568

n.put(DIRECTION_EGRESS, e.getPorts());

return n;

} else {

return direction;

}

});

white.compute(podIp + "/" +

576

HOST_PREFIX, (m, n) -> {

577

if (n != null) {

578

n.put(DIRECTION_EGRESS, e.getPorts());

return n;

} else {

return direction;

}

});

selectedPolicy.set(policy);

586

}

587

});

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

588

}

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

589

}

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

});

});

});

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

594

int nsHash = selectedPolicy.get() != null ? namespaceHashByNamespace(k8sNamespaceService,

595

selectedPolicy.get().getMetadata().getNamespace()) : DEFAULT_NAMESPACE_HASH;

596

597

setAllowRules(nsHash, white, install);

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

598

setBlackToRouteRules(true);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

599

}

600

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

601

private Set<Namespace> namespacesByLabels(Map<String, String> labels) {

602

Set<Namespace> nsSet = Sets.newConcurrentHashSet();

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

603

k8sNamespaceService.namespaces().forEach(ns -> {

604

if (ns != null && ns.getMetadata() != null &&

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

605

ns.getMetadata().getLabels() != null && labels != null) {

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

606

ns.getMetadata().getLabels().forEach((k, v) -> {

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

607

if (labels.get(k) != null && labels.get(k).equals(v)) {

608

nsSet.add(ns);

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

}

});

}

});

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

614

return nsSet;

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

615

}

616

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

617

private Set<Namespace> namespacesByPolicyPeer(NetworkPolicyPeer peer) {

618

if (peer.getNamespaceSelector() != null) {

619

Map<String, String> labels = peer.getNamespaceSelector().getMatchLabels();

620

if (labels == null || labels.size() == 0) {

621

// if none of match labels are specified, it means the

622

// target PODs are from any namespaces

623

return k8sNamespaceService.namespaces();

624

} else {

625

return namespacesByLabels(labels);

}

}

return Sets.newConcurrentHashSet();

630

}

631

632

private void setAllowNamespaceRules(int tunnelId, Set<Namespace> nsSet,

633

String direction, boolean install) {

634

635

nsSet.forEach(ns -> {

636

setAllowNamespaceRulesBase(tunnelId, ns.hashCode(), direction, install);

637

});

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

638

}

639

640

private void setAllowAllRule(int nsHash, String direction, boolean install) {

641

TrafficSelector.Builder sBuilder = DefaultTrafficSelector.builder()

642

.matchTunnelId(nsHash);

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

643

TrafficTreatment.Builder tBuilder = DefaultTrafficTreatment.builder()

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

644

.setTunnelId(DEFAULT_SEGMENT_ID)

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

645

.transition(ROUTING_TABLE);

int table = 0;

if (DIRECTION_INGRESS.equalsIgnoreCase(direction)) {

650

table = ACL_INGRESS_WHITE_TABLE;

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

651

}

652

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

653

setPolicyRulesBase(sBuilder, tBuilder, table, install);

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

654

}

655

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

656

private void setAllowRules(int namespaceHash,

657

Map<String, Map<String, List<NetworkPolicyPort>>> white,

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

658

boolean install) {

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

659

white.forEach((k, v) -> {

660

v.forEach((pk, pv) -> {

661

TrafficSelector.Builder sBuilder = DefaultTrafficSelector.builder()

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

662

.matchTunnelId(namespaceHash)

663

.matchEthType(TYPE_IPV4);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

664

TrafficTreatment.Builder tBuilder = DefaultTrafficTreatment.builder();

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

665

tBuilder.setTunnelId(DEFAULT_SEGMENT_ID);

666

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

667

if (pk.equalsIgnoreCase(DIRECTION_INGRESS)) {

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

668

sBuilder.matchIPSrc(IpPrefix.valueOf(k));

669

tBuilder.writeMetadata(k.hashCode(), DEFAULT_METADATA_MASK)

670

.transition(ACL_INGRESS_BLACK_TABLE);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

671

672

if (pv.size() == 0) {

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

673

setPolicyRulesBase(sBuilder, tBuilder, ACL_INGRESS_WHITE_TABLE, install);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

674

} else {

675

pv.forEach(p -> {

676

if (p.getProtocol().equalsIgnoreCase(PROTOCOL_TCP)) {

677

sBuilder.matchIPProtocol(IPv4.PROTOCOL_TCP);

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

678

679

if (p.getPort() != null &&

680

p.getPort().getIntVal() != null) {

681

sBuilder.matchTcpDst(TpPort.tpPort(p.getPort().getIntVal()));

682

}

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

683

}

684

if (p.getProtocol().equalsIgnoreCase(PROTOCOL_UDP)) {

685

sBuilder.matchIPProtocol(IPv4.PROTOCOL_UDP);

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

686

687

if (p.getPort() != null &&

688

p.getPort().getIntVal() != null) {

689

sBuilder.matchUdpDst(TpPort.tpPort(p.getPort().getIntVal()));

690

}

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

691

}

692

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

693

setPolicyRulesBase(sBuilder, tBuilder, ACL_INGRESS_WHITE_TABLE, install);

694

});

695

}

696

} else if (pk.equalsIgnoreCase(DIRECTION_EGRESS)) {

697

sBuilder.matchIPDst(IpPrefix.valueOf(k));

698

tBuilder.writeMetadata(k.hashCode(), DEFAULT_METADATA_MASK)

699

.transition(ACL_EGRESS_BLACK_TABLE);

700

701

if (pv.size() == 0) {

702

setPolicyRulesBase(sBuilder, tBuilder, ACL_EGRESS_WHITE_TABLE, install);

703

} else {

704

pv.forEach(p -> {

705

if (p.getProtocol().equalsIgnoreCase(PROTOCOL_TCP)) {

706

sBuilder.matchIPProtocol(IPv4.PROTOCOL_TCP);

707

708

if (p.getPort() != null &&

709

p.getPort().getIntVal() != null) {

710

sBuilder.matchTcpSrc(TpPort.tpPort(p.getPort().getIntVal()));

711

}

712

}

713

if (p.getProtocol().equalsIgnoreCase(PROTOCOL_UDP)) {

714

sBuilder.matchIPProtocol(IPv4.PROTOCOL_UDP);

715

716

if (p.getPort() != null &&

717

p.getPort().getIntVal() != null) {

718

sBuilder.matchUdpSrc(TpPort.tpPort(p.getPort().getIntVal()));

719

}

720

}

721

setPolicyRulesBase(sBuilder, tBuilder, ACL_EGRESS_WHITE_TABLE, install);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

});

}

} else {

log.error("In correct direction has been specified at network policy.");

}

});

});

}

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

732

private void setPolicyRulesBase(TrafficSelector.Builder sBuilder,

733

TrafficTreatment.Builder tBuilder,

734

int table,

735

boolean install) {

736

k8sNodeService.completeNodes().forEach(n -> {

737

k8sFlowRuleService.setRule(

appId,

n.intgBridge(),

sBuilder.build(),

tBuilder.build(),

PRIORITY_CIDR_RULE,

table,

install

);

});

}

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

749

private void setBlackRules(String whiteIpCidr, String direction,

750

List<String> except, boolean install) {

751

k8sNodeService.completeNodes().forEach(n -> {

752

except.forEach(blkIp -> {

753

TrafficSelector.Builder sBuilder = DefaultTrafficSelector.builder()

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

754

.matchEthType(TYPE_IPV4)

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

755

.matchMetadata(whiteIpCidr.hashCode());

756

TrafficTreatment.Builder tBuilder = DefaultTrafficTreatment.builder()

757

.drop();

758

int table = 0;

759

if (direction.equalsIgnoreCase(DIRECTION_INGRESS)) {

760

sBuilder.matchIPSrc(IpPrefix.valueOf(blkIp));

761

table = ACL_INGRESS_BLACK_TABLE;

762

}

763

if (direction.equalsIgnoreCase(DIRECTION_EGRESS)) {

764

sBuilder.matchIPDst(IpPrefix.valueOf(blkIp));

765

table = ACL_EGRESS_BLACK_TABLE;

766

}

767

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

768

setPolicyRulesBase(sBuilder, tBuilder, table, install);

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

});

});

}

private void setBlackToRouteRules(boolean install) {

774

775

k8sNodeService.completeNodes().forEach(n -> {

776

ImmutableSet.of(ACL_INGRESS_BLACK_TABLE, ACL_EGRESS_BLACK_TABLE).forEach(t -> {

777

k8sFlowRuleService.setRule(

778

appId,

779

n.intgBridge(),

780

DefaultTrafficSelector.builder().build(),

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

781

DefaultTrafficTreatment.builder()

782

.transition(ROUTING_TABLE).build(),

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

0,

t,

install

);

});

});

}

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

791

private void setNamespaceRulesByPod(Pod pod, boolean install) {

792

String podIp = pod.getStatus().getPodIP();

if (podIp == null) {

return;

}

Integer nsHash = namespaceHashByPodIp(k8sPodService, k8sNamespaceService, podIp);

799

Jian Li

2019-07-30 19:12:07 +0900

[diff] [blame^]

800

// in uninstall case, we will have null nsHash value

801

if (install && nsHash == null) {

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

return;

}

setNamespaceRulesBase(podIp, nsHash, install);

806

}

807

808

private void setNamespaceRulesByService(Service service, boolean install) {

809

String clusterIp = service.getSpec().getClusterIP();

810

811

if (clusterIp == null) {

return;

}

setNamespaceRulesBase(clusterIp, namespaceHashByServiceIp(k8sServiceService,

816

k8sNamespaceService, clusterIp), install);

817

}

818

819

private void setNamespaceRulesBase(String ip, Integer nsHash, boolean install) {

820

821

k8sNodeService.completeNodes().forEach(n -> {

822

TrafficSelector.Builder origBuilder = DefaultTrafficSelector.builder()

823

.matchEthType(TYPE_IPV4)

824

.matchIPSrc(IpPrefix.valueOf(IpAddress.valueOf(ip), HOST_PREFIX));

825

TrafficSelector.Builder convBuilder = DefaultTrafficSelector.builder()

826

.matchEthType(TYPE_IPV4)

827

.matchIPSrc(IpPrefix.valueOf(IpAddress.valueOf(

828

shiftIpDomain(ip, SHIFTED_IP_PREFIX)), HOST_PREFIX));

Jian Li

2019-07-30 19:12:07 +0900

[diff] [blame^]

829

TrafficTreatment.Builder tBuilder = DefaultTrafficTreatment.builder();

830

831

if (install) {

832

tBuilder.writeMetadata(nsHash, DEFAULT_METADATA_MASK)

833

.transition(GROUPING_TABLE);

834

}

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

835

836

k8sFlowRuleService.setRule(

appId,

n.intgBridge(),

origBuilder.build(),

tBuilder.build(),

PRIORITY_NAMESPACE_RULE,

NAMESPACE_TABLE,

install

);

k8sFlowRuleService.setRule(

appId,

n.intgBridge(),

convBuilder.build(),

tBuilder.build(),

PRIORITY_NAMESPACE_RULE,

NAMESPACE_TABLE,

install

);

});

}

private class InternalServiceListener implements K8sServiceListener {

859

860

private boolean isRelevantHelper() {

861

return Objects.equals(localNodeId, leadershipService.getLeader(appId.name()));

}

@Override

public void event(K8sServiceEvent event) {

866

Service service = event.subject();

867

switch (event.type()) {

868

case K8S_SERVICE_CREATED:

869

case K8S_SERVICE_UPDATED:

870

eventExecutor.execute(() -> processServiceCreation(service));

871

break;

872

case K8S_SERVICE_REMOVED:

873

eventExecutor.execute(() -> processServiceRemoval(service));

break;

default:

break;

}

}

private void processServiceCreation(Service service) {

881

if (!isRelevantHelper()) {

return;

}

setNamespaceRulesByService(service, true);

886

}

887

888

private void processServiceRemoval(Service service) {

889

if (!isRelevantHelper()) {

return;

}

setNamespaceRulesByService(service, false);

}

}

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

897

private class InternalPodListener implements K8sPodListener {

898

899

private boolean isRelevantHelper() {

900

return Objects.equals(localNodeId, leadershipService.getLeader(appId.name()));

}

@Override

public void event(K8sPodEvent event) {

905

Pod pod = event.subject();

906

switch (event.type()) {

907

case K8S_POD_CREATED:

908

case K8S_POD_UPDATED:

909

eventExecutor.execute(() -> processPodCreation(pod));

910

break;

911

case K8S_POD_REMOVED:

912

eventExecutor.execute(() -> processPodRemoval(pod));

break;

default:

break;

}

}

private void processPodCreation(Pod pod) {

920

if (!isRelevantHelper()) {

return;

}

setBlockRulesByPod(pod, true);

925

setAllowRulesByPod(pod, true);

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

926

setNamespaceRulesByPod(pod, true);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

927

}

928

929

private void processPodRemoval(Pod pod) {

930

if (!isRelevantHelper()) {

return;

}

setBlockRulesByPod(pod, false);

935

setAllowRulesByPod(pod, false);

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

936

setNamespaceRulesByPod(pod, false);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

}

}

private class InternalNetworkPolicyListener implements K8sNetworkPolicyListener {

941

942

private boolean isRelevantHelper() {

943

return Objects.equals(localNodeId, leadershipService.getLeader(appId.name()));

}

@Override

public void event(K8sNetworkPolicyEvent event) {

948

NetworkPolicy policy = event.subject();

949

switch (event.type()) {

950

case K8S_NETWORK_POLICY_CREATED:

951

case K8S_NETWORK_POLICY_UPDATED:

952

eventExecutor.execute(() -> processNetworkPolicyCreation(policy));

953

break;

954

case K8S_NETWORK_POLICY_REMOVED:

955

eventExecutor.execute(() -> processNetworkPolicyRemoval(policy));

break;

default:

break;

}

}

private void processNetworkPolicyCreation(NetworkPolicy policy) {

963

if (!isRelevantHelper()) {

return;

}

setBlockRulesByPolicy(policy, true);

968

setAllowRulesByPolicy(policy, true);

969

}

970

971

private void processNetworkPolicyRemoval(NetworkPolicy policy) {

972

if (!isRelevantHelper()) {

return;

}

setBlockRulesByPolicy(policy, false);

977

setAllowRulesByPolicy(policy, false);

978

}

979

}

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

980

981

private class InternalNamespaceListener implements K8sNamespaceListener {

982

983

private boolean isRelevantHelper() {

984

return Objects.equals(localNodeId, leadershipService.getLeader(appId.name()));

}

@Override

public void event(K8sNamespaceEvent event) {

989

Namespace ns = event.subject();

990

switch (event.type()) {

991

case K8S_NAMESPACE_CREATED:

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

992

eventExecutor.execute(() -> processNamespaceCreation(ns));

993

break;

994

case K8S_NAMESPACE_REMOVED:

995

eventExecutor.execute(() -> processNamespaceRemoval(ns));

break;

default:

break;

}

}

private void processNamespaceCreation(Namespace namespace) {

1003

if (!isRelevantHelper()) {

return;

}

setDefaultAllowNamespaceRules(namespace, true);

1008

setDefaultAllowServiceRules(true);

1009

}

1010

1011

private void processNamespaceRemoval(Namespace namespace) {

1012

if (!isRelevantHelper()) {

return;

}

Jian Li

2019-07-30 19:12:07 +0900

[diff] [blame^]

1016

setDefaultAllowNamespaceRules(namespace, false);

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

1017

}

1018

}

Jian Li