Blame - apps/k8s-networking/app/src/main/java/org/onosproject/k8snetworking/impl/K8sNetworkPolicyHandler.java - onos

2019-07-08 18:07:53 +0900

[diff] [blame]

/*

*

* Licensed under the Apache License, Version 2.0 (the "License");

5

* you may not use this file except in compliance with the License.

6

* You may obtain a copy of the License at

7

*

8

* http://www.apache.org/licenses/LICENSE-2.0

9

*

10

* Unless required by applicable law or agreed to in writing, software

11

* distributed under the License is distributed on an "AS IS" BASIS,

12

* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

13

* See the License for the specific language governing permissions and

14

* limitations under the License.

15

*/

16

package org.onosproject.k8snetworking.impl;

17

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

18

import com.google.common.collect.ImmutableSet;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

19

import com.google.common.collect.Maps;

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

20

import com.google.common.collect.Sets;

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

21

import io.fabric8.kubernetes.api.model.LabelSelectorRequirement;

22

import io.fabric8.kubernetes.api.model.Namespace;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

23

import io.fabric8.kubernetes.api.model.Pod;

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

24

import io.fabric8.kubernetes.api.model.Service;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

25

import io.fabric8.kubernetes.api.model.networking.NetworkPolicy;

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

26

import io.fabric8.kubernetes.api.model.networking.NetworkPolicyEgressRule;

27

import io.fabric8.kubernetes.api.model.networking.NetworkPolicyIngressRule;

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

28

import io.fabric8.kubernetes.api.model.networking.NetworkPolicyPeer;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

29

import io.fabric8.kubernetes.api.model.networking.NetworkPolicyPort;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

30

import org.onlab.packet.IPv4;

31

import org.onlab.packet.IpAddress;

32

import org.onlab.packet.IpPrefix;

33

import org.onlab.packet.TpPort;

34

import org.onosproject.cfg.ComponentConfigService;

35

import org.onosproject.cluster.ClusterService;

36

import org.onosproject.cluster.LeadershipService;

37

import org.onosproject.cluster.NodeId;

38

import org.onosproject.core.ApplicationId;

39

import org.onosproject.core.CoreService;

40

import org.onosproject.k8snetworking.api.K8sFlowRuleService;

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

41

import org.onosproject.k8snetworking.api.K8sNamespaceEvent;

42

import org.onosproject.k8snetworking.api.K8sNamespaceListener;

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

43

import org.onosproject.k8snetworking.api.K8sNamespaceService;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

44

import org.onosproject.k8snetworking.api.K8sNetworkPolicyEvent;

45

import org.onosproject.k8snetworking.api.K8sNetworkPolicyListener;

46

import org.onosproject.k8snetworking.api.K8sNetworkPolicyService;

47

import org.onosproject.k8snetworking.api.K8sNetworkService;

48

import org.onosproject.k8snetworking.api.K8sPodEvent;

49

import org.onosproject.k8snetworking.api.K8sPodListener;

50

import org.onosproject.k8snetworking.api.K8sPodService;

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

51

import org.onosproject.k8snetworking.api.K8sServiceEvent;

52

import org.onosproject.k8snetworking.api.K8sServiceListener;

53

import org.onosproject.k8snetworking.api.K8sServiceService;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

54

import org.onosproject.k8snode.api.K8sNodeService;

55

import org.onosproject.net.device.DeviceService;

56

import org.onosproject.net.driver.DriverService;

57

import org.onosproject.net.flow.DefaultTrafficSelector;

58

import org.onosproject.net.flow.DefaultTrafficTreatment;

59

import org.onosproject.net.flow.TrafficSelector;

60

import org.onosproject.net.flow.TrafficTreatment;

61

import org.onosproject.store.service.StorageService;

62

import org.osgi.service.component.annotations.Activate;

63

import org.osgi.service.component.annotations.Component;

64

import org.osgi.service.component.annotations.Deactivate;

65

import org.osgi.service.component.annotations.Reference;

66

import org.osgi.service.component.annotations.ReferenceCardinality;

67

import org.slf4j.Logger;

68

69

import java.util.List;

70

import java.util.Map;

71

import java.util.Objects;

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

72

import java.util.Set;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

73

import java.util.concurrent.ExecutorService;

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

74

import java.util.concurrent.atomic.AtomicReference;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

75

76

import static java.util.concurrent.Executors.newSingleThreadExecutor;

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

77

import static org.onlab.packet.Ethernet.TYPE_IPV4;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

78

import static org.onlab.util.Tools.groupedThreads;

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

79

import static org.onosproject.k8snetworking.api.Constants.ACL_EGRESS_BLACK_TABLE;

80

import static org.onosproject.k8snetworking.api.Constants.ACL_EGRESS_WHITE_TABLE;

81

import static org.onosproject.k8snetworking.api.Constants.ACL_INGRESS_BLACK_TABLE;

82

import static org.onosproject.k8snetworking.api.Constants.ACL_INGRESS_WHITE_TABLE;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

83

import static org.onosproject.k8snetworking.api.Constants.ACL_TABLE;

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

84

import static org.onosproject.k8snetworking.api.Constants.DEFAULT_METADATA_MASK;

85

import static org.onosproject.k8snetworking.api.Constants.DEFAULT_NAMESPACE_HASH;

86

import static org.onosproject.k8snetworking.api.Constants.DEFAULT_SEGMENT_ID;

87

import static org.onosproject.k8snetworking.api.Constants.GROUPING_TABLE;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

88

import static org.onosproject.k8snetworking.api.Constants.K8S_NETWORKING_APP_ID;

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

89

import static org.onosproject.k8snetworking.api.Constants.NAMESPACE_TABLE;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

90

import static org.onosproject.k8snetworking.api.Constants.PRIORITY_CIDR_RULE;

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

91

import static org.onosproject.k8snetworking.api.Constants.PRIORITY_NAMESPACE_RULE;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

92

import static org.onosproject.k8snetworking.api.Constants.ROUTING_TABLE;

93

import static org.onosproject.k8snetworking.api.Constants.SHIFTED_IP_PREFIX;

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

94

import static org.onosproject.k8snetworking.impl.OsgiPropertyConstants.SERVICE_IP_CIDR_DEFAULT;

95

import static org.onosproject.k8snetworking.util.K8sNetworkingUtil.namespaceHashByNamespace;

96

import static org.onosproject.k8snetworking.util.K8sNetworkingUtil.namespaceHashByPodIp;

97

import static org.onosproject.k8snetworking.util.K8sNetworkingUtil.namespaceHashByServiceIp;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

98

import static org.onosproject.k8snetworking.util.K8sNetworkingUtil.shiftIpDomain;

99

import static org.slf4j.LoggerFactory.getLogger;

100

101

/**

102

* Handles the ACL by referring to the network policy defined through kubernetes.

103

*/

104

@Component(immediate = true)

105

public class K8sNetworkPolicyHandler {

106

107

private final Logger log = getLogger(getClass());

108

109

private static final String DIRECTION_INGRESS = "ingress";

110

private static final String DIRECTION_EGRESS = "egress";

111

112

private static final String PROTOCOL_TCP = "tcp";

113

private static final String PROTOCOL_UDP = "udp";

114

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

115

private static final String KUBE_SYSTEM = "kube-system";

116

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

117

private static final int HOST_PREFIX = 32;

118

119

@Reference(cardinality = ReferenceCardinality.MANDATORY)

120

protected CoreService coreService;

121

122

@Reference(cardinality = ReferenceCardinality.MANDATORY)

123

protected LeadershipService leadershipService;

124

125

@Reference(cardinality = ReferenceCardinality.MANDATORY)

126

protected ClusterService clusterService;

127

128

@Reference(cardinality = ReferenceCardinality.MANDATORY)

129

protected DriverService driverService;

130

131

@Reference(cardinality = ReferenceCardinality.MANDATORY)

132

protected DeviceService deviceService;

133

134

@Reference(cardinality = ReferenceCardinality.MANDATORY)

135

protected ComponentConfigService configService;

136

137

@Reference(cardinality = ReferenceCardinality.MANDATORY)

138

protected StorageService storageService;

139

140

@Reference(cardinality = ReferenceCardinality.MANDATORY)

141

protected K8sNetworkService k8sNetworkService;

142

143

@Reference(cardinality = ReferenceCardinality.MANDATORY)

144

protected K8sFlowRuleService k8sFlowRuleService;

145

146

@Reference(cardinality = ReferenceCardinality.MANDATORY)

147

protected K8sNodeService k8sNodeService;

148

149

@Reference(cardinality = ReferenceCardinality.MANDATORY)

150

protected K8sPodService k8sPodService;

151

152

@Reference(cardinality = ReferenceCardinality.MANDATORY)

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

153

protected K8sServiceService k8sServiceService;

154

155

@Reference(cardinality = ReferenceCardinality.MANDATORY)

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

156

protected K8sNetworkPolicyService k8sNetworkPolicyService;

157

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

158

@Reference(cardinality = ReferenceCardinality.MANDATORY)

159

protected K8sNamespaceService k8sNamespaceService;

160

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

161

private final ExecutorService eventExecutor = newSingleThreadExecutor(

162

groupedThreads(this.getClass().getSimpleName(), "event-handler", log));

163

private final InternalPodListener internalPodListener =

164

new InternalPodListener();

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

165

private final InternalServiceListener internalServiceListener =

166

new InternalServiceListener();

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

167

private final InternalNetworkPolicyListener internalNetworkPolicyListener =

168

new InternalNetworkPolicyListener();

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

169

private final InternalNamespaceListener internalNamespaceListener =

170

new InternalNamespaceListener();

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

171

172

private ApplicationId appId;

173

private NodeId localNodeId;

174

175

@Activate

176

protected void activate() {

177

appId = coreService.registerApplication(K8S_NETWORKING_APP_ID);

178

179

localNodeId = clusterService.getLocalNode().id();

180

leadershipService.runForLeadership(appId.name());

181

k8sPodService.addListener(internalPodListener);

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

182

k8sServiceService.addListener(internalServiceListener);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

183

k8sNetworkPolicyService.addListener(internalNetworkPolicyListener);

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

184

k8sNamespaceService.addListener(internalNamespaceListener);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

log.info("Started");

}

@Deactivate

protected void deactivate() {

191

leadershipService.withdraw(appId.name());

192

k8sPodService.removeListener(internalPodListener);

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

193

k8sServiceService.removeListener(internalServiceListener);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

194

k8sNetworkPolicyService.removeListener(internalNetworkPolicyListener);

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

195

k8sNamespaceService.removeListener(internalNamespaceListener);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

196

eventExecutor.shutdown();

log.info("Stopped");

}

private void setBlockRulesByPolicy(NetworkPolicy policy, boolean install) {

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

202

final Map<String, List<String>> filter = Maps.newConcurrentMap();

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

203

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

204

k8sPodService.pods().forEach(pod ->

205

filter.putAll(getBlockRuleFilter(pod, policy)));

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

206

207

setBlockRules(filter, install);

208

}

209

210

private void setBlockRulesByPod(Pod pod, boolean install) {

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

211

final Map<String, List<String>> filter = Maps.newConcurrentMap();

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

212

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

213

k8sNetworkPolicyService.networkPolicies().forEach(policy ->

214

filter.putAll(getBlockRuleFilter(pod, policy)));

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

215

216

setBlockRules(filter, install);

217

}

218

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

219

private Map<String, List<String>> getBlockRuleFilter(Pod pod, NetworkPolicy policy) {

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

220

221

// if the POD is not included in the namespace of the given policy,

222

// we do not block the POD

223

if (!pod.getMetadata().getNamespace().equals(policy.getMetadata().getNamespace())) {

224

return Maps.newConcurrentMap();

225

}

226

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

227

Map<String, String> labels = policy.getSpec().getPodSelector().getMatchLabels();

228

Map<String, List<String>> filter = Maps.newConcurrentMap();

229

String podIp = pod.getStatus().getPodIP();

230

List<String> policyTypes = policy.getSpec().getPolicyTypes();

231

232

if (podIp != null && policyTypes != null) {

233

if (labels == null) {

234

filter.put(podIp, policyTypes);

235

} else {

236

pod.getMetadata().getLabels().forEach((k, v) -> {

237

if (labels.get(k) != null && labels.get(k).equals(v)) {

238

filter.put(podIp, policyTypes);

}

});

}

}

return filter;

}

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

247

private void setBlockRules(Map<String, List<String>> filter, boolean install) {

248

filter.forEach((k, v) -> {

249

v.forEach(d -> {

250

TrafficSelector.Builder sBuilder = DefaultTrafficSelector.builder()

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

251

.matchEthType(TYPE_IPV4);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

252

TrafficTreatment.Builder tBuilder = DefaultTrafficTreatment.builder();

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

253

254

Integer nsHash = namespaceHashByPodIp(k8sPodService, k8sNamespaceService, k);

255

if (nsHash != null) {

256

tBuilder.setTunnelId(nsHash);

257

}

258

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

259

if (d.equalsIgnoreCase(DIRECTION_INGRESS)) {

260

sBuilder.matchIPDst(IpPrefix.valueOf(IpAddress.valueOf(k), HOST_PREFIX));

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

261

tBuilder.transition(ACL_INGRESS_WHITE_TABLE);

Jian Li

2019-07-30 17:10:39 +0900

[diff] [blame^]

262

setPolicyRulesBase(sBuilder, tBuilder, ACL_TABLE, install);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

263

} else if (d.equalsIgnoreCase(DIRECTION_EGRESS)) {

Jian Li

2019-07-30 17:10:39 +0900

[diff] [blame^]

264

// original IP

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

265

sBuilder.matchIPSrc(IpPrefix.valueOf(IpAddress.valueOf(k), HOST_PREFIX));

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

266

tBuilder.transition(ACL_EGRESS_WHITE_TABLE);

Jian Li

2019-07-30 17:10:39 +0900

[diff] [blame^]

267

setPolicyRulesBase(sBuilder, tBuilder, ACL_TABLE, install);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

268

Jian Li

2019-07-30 17:10:39 +0900

[diff] [blame^]

269

270

// shifted IP

271

sBuilder.matchIPSrc(IpPrefix.valueOf(IpAddress.valueOf(

272

shiftIpDomain(k, SHIFTED_IP_PREFIX)), HOST_PREFIX));

273

setPolicyRulesBase(sBuilder, tBuilder, ACL_TABLE, install);

274

}

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

});

});

}

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

279

private void setDefaultAllowNamespaceRules(Namespace namespace, boolean install) {

280

281

String ns = namespace.getMetadata().getName();

282

if (KUBE_SYSTEM.equalsIgnoreCase(ns)) {

283

setAllowNamespaceRulesBase(0, namespace.hashCode(),

284

DIRECTION_INGRESS, install);

}

}

private void setDefaultAllowServiceRules(boolean install) {

289

TrafficSelector.Builder sBuilder = DefaultTrafficSelector.builder()

290

.matchEthType(TYPE_IPV4)

291

.matchIPSrc(IpPrefix.valueOf(SERVICE_IP_CIDR_DEFAULT));

292

TrafficTreatment.Builder tBuilder = DefaultTrafficTreatment.builder()

293

.setTunnelId(DEFAULT_SEGMENT_ID)

294

.transition(ROUTING_TABLE);

295

296

setPolicyRulesBase(sBuilder, tBuilder, ACL_INGRESS_WHITE_TABLE, install);

297

}

298

299

private void setAllowNamespaceRulesBase(int tunnelId, int metadata,

300

String direction, boolean install) {

301

TrafficSelector.Builder sBuilder = DefaultTrafficSelector.builder();

302

303

if (tunnelId != 0) {

304

sBuilder.matchTunnelId(tunnelId);

305

}

306

307

sBuilder.matchMetadata(metadata);

308

TrafficTreatment.Builder tBuilder = DefaultTrafficTreatment.builder()

309

.setTunnelId(DEFAULT_SEGMENT_ID)

310

.transition(ROUTING_TABLE);

311

312

int table = 0;

313

if (DIRECTION_INGRESS.equals(direction)) {

314

table = ACL_INGRESS_WHITE_TABLE;

315

}

316

317

setPolicyRulesBase(sBuilder, tBuilder, table, install);

318

}

319

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

320

private void setAllowRulesByPolicy(NetworkPolicy policy, boolean install) {

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

321

Map<String, Map<String, List<NetworkPolicyPort>>>

322

white = Maps.newConcurrentMap();

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

323

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

324

int nsHash = namespaceHashByNamespace(k8sNamespaceService,

325

policy.getMetadata().getNamespace());

326

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

327

List<NetworkPolicyIngressRule> ingress = policy.getSpec().getIngress();

328

if (ingress != null && ingress.size() == 1) {

329

NetworkPolicyIngressRule rule = ingress.get(0);

330

if (rule.getFrom().size() == 0 && rule.getPorts().size() == 0) {

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

331

setAllowAllRule(nsHash, DIRECTION_INGRESS, install);

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

}

}

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

335

policy.getSpec().getIngress().forEach(i -> {

336

Map<String, List<NetworkPolicyPort>> direction = Maps.newConcurrentMap();

337

direction.put(DIRECTION_INGRESS, i.getPorts());

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

338

i.getFrom().forEach(peer -> {

339

340

// IP block

341

if (peer.getIpBlock() != null) {

342

if (peer.getIpBlock().getExcept() != null &&

343

peer.getIpBlock().getExcept().size() > 0) {

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

344

Map<String, List<NetworkPolicyPort>>

345

blkDirection = Maps.newConcurrentMap();

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

346

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

347

blkDirection.put(DIRECTION_INGRESS, i.getPorts());

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

348

white.compute(peer.getIpBlock().getCidr(), (k, v) -> blkDirection);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

349

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

350

setBlackRules(peer.getIpBlock().getCidr(), DIRECTION_INGRESS,

351

peer.getIpBlock().getExcept(), install);

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

352

} else {

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

353

white.compute(peer.getIpBlock().getCidr(), (k, v) -> direction);

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

}

}

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

357

// POD selector

Jian Li

cd93415

2019-07-28 21:35:49 +0900

[diff] [blame]

358

Set<Pod> pods = podsFromPolicyPeer(peer, policy.getMetadata().getNamespace());

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

359

360

pods.forEach(pod -> {

361

white.compute(shiftIpDomain(pod.getStatus().getPodIP(),

362

SHIFTED_IP_PREFIX) + "/" + HOST_PREFIX, (m, n) -> direction);

363

white.compute(pod.getStatus().getPodIP() + "/" + HOST_PREFIX, (m, n) -> direction);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

364

});

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

365

366

// Namespace selector

367

setAllowNamespaceRules(nsHash,

368

namespacesByPolicyPeer(peer), DIRECTION_INGRESS, install);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

});

});

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

372

List<NetworkPolicyEgressRule> egress = policy.getSpec().getEgress();

373

if (egress != null && egress.size() == 1) {

374

NetworkPolicyEgressRule rule = egress.get(0);

375

if (rule.getTo().size() == 0 && rule.getPorts().size() == 0) {

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

376

setAllowAllRule(nsHash, DIRECTION_EGRESS, install);

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

}

}

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

380

policy.getSpec().getEgress().forEach(e -> {

381

Map<String, List<NetworkPolicyPort>> direction = Maps.newConcurrentMap();

382

direction.put(DIRECTION_EGRESS, e.getPorts());

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

383

e.getTo().forEach(peer -> {

384

385

// IP block

386

if (peer.getIpBlock() != null) {

387

if (peer.getIpBlock().getExcept() != null &&

388

peer.getIpBlock().getExcept().size() > 0) {

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

389

390

Map<String, List<NetworkPolicyPort>>

391

blkDirection = Maps.newConcurrentMap();

392

blkDirection.put(DIRECTION_EGRESS, e.getPorts());

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

393

white.compute(peer.getIpBlock().getCidr(), (k, v) -> {

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

394

if (v != null) {

395

v.put(DIRECTION_EGRESS, e.getPorts());

return v;

} else {

return blkDirection;

}

});

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

402

setBlackRules(peer.getIpBlock().getCidr(), DIRECTION_EGRESS,

403

peer.getIpBlock().getExcept(), install);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

404

} else {

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

405

white.compute(peer.getIpBlock().getCidr(), (k, v) -> {

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

406

if (v != null) {

407

v.put(DIRECTION_EGRESS, e.getPorts());

return v;

} else {

return direction;

}

});

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

413

}

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

414

}

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

415

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

416

// POD selector

Jian Li

cd93415

2019-07-28 21:35:49 +0900

[diff] [blame]

417

Set<Pod> pods = podsFromPolicyPeer(peer, policy.getMetadata().getNamespace());

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

418

419

pods.forEach(pod -> {

420

white.compute(shiftIpDomain(pod.getStatus().getPodIP(),

421

SHIFTED_IP_PREFIX) + "/" + HOST_PREFIX, (m, n) -> {

422

if (n != null) {

423

n.put(DIRECTION_EGRESS, e.getPorts());

return n;

} else {

return direction;

}

});

white.compute(pod.getStatus().getPodIP() + "/" + HOST_PREFIX,

431

(m, n) -> {

432

if (n != null) {

433

n.put(DIRECTION_EGRESS, e.getPorts());

434

return n;

435

} else {

436

return direction;

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

437

}

438

});

439

});

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

440

441

// Namespace selector

442

setAllowNamespaceRules(nsHash,

443

namespacesByPolicyPeer(peer), DIRECTION_EGRESS, install);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

});

});

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

447

setAllowRules(namespaceHashByNamespace(k8sNamespaceService,

448

policy.getMetadata().getNamespace()), white, install);

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

449

setBlackToRouteRules(true);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

450

}

451

Jian Li

cd93415

2019-07-28 21:35:49 +0900

[diff] [blame]

452

private Set<Pod> podsFromPolicyPeer(NetworkPolicyPeer peer, String namespace) {

453

Set<Pod> pods = Sets.newConcurrentHashSet();

454

if (peer.getPodSelector() != null) {

455

Map<String, String> podLabels = peer.getPodSelector().getMatchLabels();

456

List<LabelSelectorRequirement> matchExps = peer.getPodSelector().getMatchExpressions();

457

458

if (podLabels == null && matchExps.size() == 0) {

459

k8sPodService.pods().stream()

460

.filter(pod -> pod.getMetadata().getNamespace().equals(

namespace))

.forEach(pods::add);

} else {

k8sPodService.pods().stream()

465

.filter(pod -> pod.getMetadata().getNamespace().equals(

466

namespace))

467

.forEach(pod -> {

468

pod.getMetadata().getLabels().forEach((k, v) -> {

469

if (podLabels != null && podLabels.get(k) != null &&

470

podLabels.get(k).equals(v)) {

pods.add(pod);

}

});

});

}

}

return pods;

}

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

480

private void setAllowRulesByPod(Pod pod, boolean install) {

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

481

Map<String, Map<String, List<NetworkPolicyPort>>>

482

white = Maps.newConcurrentMap();

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

483

AtomicReference<NetworkPolicy> selectedPolicy = new AtomicReference<>();

484

k8sNetworkPolicyService.networkPolicies().stream()

485

.filter(policy -> policy.getMetadata().getNamespace().equals(

486

pod.getMetadata().getNamespace()))

487

.forEach(policy -> {

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

488

String podIp = pod.getStatus().getPodIP();

489

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

490

policy.getSpec().getIngress().forEach(i -> {

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

491

Map<String, List<NetworkPolicyPort>>

492

direction = Maps.newConcurrentMap();

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

493

direction.put(DIRECTION_INGRESS, i.getPorts());

494

i.getFrom().forEach(peer -> {

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

495

if (peer.getPodSelector() != null) {

496

Map<String, String> podLabels = peer.getPodSelector().getMatchLabels();

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

497

List<LabelSelectorRequirement> matchExps = peer.getPodSelector().getMatchExpressions();

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

498

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

499

if (podLabels == null && matchExps.size() == 0 && podIp != null) {

500

white.compute(shiftIpDomain(podIp, SHIFTED_IP_PREFIX) +

501

"/" + HOST_PREFIX, (m, n) -> direction);

502

white.compute(podIp + "/" +

503

HOST_PREFIX, (m, n) -> direction);

504

505

selectedPolicy.set(policy);

506

} else {

507

pod.getMetadata().getLabels().forEach((k, v) -> {

508

if (podLabels != null && podLabels.get(k) != null &&

509

podLabels.get(k).equals(v) && podIp != null) {

510

white.compute(shiftIpDomain(podIp, SHIFTED_IP_PREFIX) +

511

"/" + HOST_PREFIX, (m, n) -> direction);

512

white.compute(podIp + "/" +

513

HOST_PREFIX, (m, n) -> direction);

514

515

selectedPolicy.set(policy);

516

}

517

});

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

518

}

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

519

}

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

});

});

});

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

524

k8sNetworkPolicyService.networkPolicies().stream()

525

.filter(policy -> policy.getMetadata().getNamespace().equals(

526

pod.getMetadata().getNamespace()))

527

.forEach(policy -> {

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

528

String podIp = pod.getStatus().getPodIP();

529

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

530

policy.getSpec().getEgress().forEach(e -> {

531

Map<String, List<NetworkPolicyPort>> direction = Maps.newConcurrentMap();

532

direction.put(DIRECTION_EGRESS, e.getPorts());

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

533

e.getTo().forEach(peer -> {

534

if (peer.getPodSelector() != null) {

535

Map<String, String> podLabels = peer.getPodSelector().getMatchLabels();

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

536

List<LabelSelectorRequirement> matchExps = peer.getPodSelector().getMatchExpressions();

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

537

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

538

if (podLabels == null && matchExps.size() == 0 && podIp != null) {

539

white.compute(shiftIpDomain(podIp, SHIFTED_IP_PREFIX) +

540

"/" + HOST_PREFIX, (m, n) -> {

541

if (n != null) {

542

n.put(DIRECTION_EGRESS, e.getPorts());

return n;

} else {

return direction;

}

});

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

548

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

549

white.compute(podIp + "/" +

550

HOST_PREFIX, (m, n) -> {

551

if (n != null) {

552

n.put(DIRECTION_EGRESS, e.getPorts());

return n;

} else {

return direction;

}

});

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

558

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

559

selectedPolicy.set(policy);

560

} else {

561

pod.getMetadata().getLabels().forEach((k, v) -> {

562

if (podLabels != null && podLabels.get(k) != null &&

563

podLabels.get(k).equals(v) && podIp != null) {

564

white.compute(shiftIpDomain(podIp, SHIFTED_IP_PREFIX) +

565

"/" + HOST_PREFIX, (m, n) -> {

566

if (n != null) {

567

n.put(DIRECTION_EGRESS, e.getPorts());

return n;

} else {

return direction;

}

});

white.compute(podIp + "/" +

575

HOST_PREFIX, (m, n) -> {

576

if (n != null) {

577

n.put(DIRECTION_EGRESS, e.getPorts());

return n;

} else {

return direction;

}

});

selectedPolicy.set(policy);

585

}

586

});

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

587

}

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

588

}

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

});

});

});

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

593

int nsHash = selectedPolicy.get() != null ? namespaceHashByNamespace(k8sNamespaceService,

594

selectedPolicy.get().getMetadata().getNamespace()) : DEFAULT_NAMESPACE_HASH;

595

596

setAllowRules(nsHash, white, install);

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

597

setBlackToRouteRules(true);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

598

}

599

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

600

private Set<Namespace> namespacesByLabels(Map<String, String> labels) {

601

Set<Namespace> nsSet = Sets.newConcurrentHashSet();

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

602

k8sNamespaceService.namespaces().forEach(ns -> {

603

if (ns != null && ns.getMetadata() != null &&

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

604

ns.getMetadata().getLabels() != null && labels != null) {

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

605

ns.getMetadata().getLabels().forEach((k, v) -> {

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

606

if (labels.get(k) != null && labels.get(k).equals(v)) {

607

nsSet.add(ns);

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

}

});

}

});

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

613

return nsSet;

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

614

}

615

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

616

private Set<Namespace> namespacesByPolicyPeer(NetworkPolicyPeer peer) {

617

if (peer.getNamespaceSelector() != null) {

618

Map<String, String> labels = peer.getNamespaceSelector().getMatchLabels();

619

if (labels == null || labels.size() == 0) {

620

// if none of match labels are specified, it means the

621

// target PODs are from any namespaces

622

return k8sNamespaceService.namespaces();

623

} else {

624

return namespacesByLabels(labels);

}

}

return Sets.newConcurrentHashSet();

629

}

630

631

private void setAllowNamespaceRules(int tunnelId, Set<Namespace> nsSet,

632

String direction, boolean install) {

633

634

nsSet.forEach(ns -> {

635

setAllowNamespaceRulesBase(tunnelId, ns.hashCode(), direction, install);

});

}

private void setAllowAllRule(int nsHash, String direction, boolean install) {

641

TrafficSelector.Builder sBuilder = DefaultTrafficSelector.builder()

642

.matchTunnelId(nsHash);

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

643

TrafficTreatment.Builder tBuilder = DefaultTrafficTreatment.builder()

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

644

.setTunnelId(DEFAULT_SEGMENT_ID)

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

645

.transition(ROUTING_TABLE);

int table = 0;

if (DIRECTION_INGRESS.equalsIgnoreCase(direction)) {

650

table = ACL_INGRESS_WHITE_TABLE;

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

651

}

652

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

653

setPolicyRulesBase(sBuilder, tBuilder, table, install);

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

654

}

655

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

656

private void setAllowRules(int namespaceHash,

657

Map<String, Map<String, List<NetworkPolicyPort>>> white,

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

658

boolean install) {

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

659

white.forEach((k, v) -> {

660

v.forEach((pk, pv) -> {

661

TrafficSelector.Builder sBuilder = DefaultTrafficSelector.builder()

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

662

.matchTunnelId(namespaceHash)

663

.matchEthType(TYPE_IPV4);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

664

TrafficTreatment.Builder tBuilder = DefaultTrafficTreatment.builder();

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

665

tBuilder.setTunnelId(DEFAULT_SEGMENT_ID);

666

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

667

if (pk.equalsIgnoreCase(DIRECTION_INGRESS)) {

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

668

sBuilder.matchIPSrc(IpPrefix.valueOf(k));

669

tBuilder.writeMetadata(k.hashCode(), DEFAULT_METADATA_MASK)

670

.transition(ACL_INGRESS_BLACK_TABLE);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

671

672

if (pv.size() == 0) {

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

673

setPolicyRulesBase(sBuilder, tBuilder, ACL_INGRESS_WHITE_TABLE, install);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

674

} else {

675

pv.forEach(p -> {

676

if (p.getProtocol().equalsIgnoreCase(PROTOCOL_TCP)) {

677

sBuilder.matchIPProtocol(IPv4.PROTOCOL_TCP);

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

678

679

if (p.getPort() != null &&

680

p.getPort().getIntVal() != null) {

681

sBuilder.matchTcpDst(TpPort.tpPort(p.getPort().getIntVal()));

682

}

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

683

}

684

if (p.getProtocol().equalsIgnoreCase(PROTOCOL_UDP)) {

685

sBuilder.matchIPProtocol(IPv4.PROTOCOL_UDP);

Jian Li

2019-07-15 17:37:12 +0900

[diff] [blame]

686

687

if (p.getPort() != null &&

688

p.getPort().getIntVal() != null) {

689

sBuilder.matchUdpDst(TpPort.tpPort(p.getPort().getIntVal()));

690

}

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

691

}

692

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

693

setPolicyRulesBase(sBuilder, tBuilder, ACL_INGRESS_WHITE_TABLE, install);

694

});

695

}

696

} else if (pk.equalsIgnoreCase(DIRECTION_EGRESS)) {

697

sBuilder.matchIPDst(IpPrefix.valueOf(k));

698

tBuilder.writeMetadata(k.hashCode(), DEFAULT_METADATA_MASK)

699

.transition(ACL_EGRESS_BLACK_TABLE);

700

701

if (pv.size() == 0) {

702

setPolicyRulesBase(sBuilder, tBuilder, ACL_EGRESS_WHITE_TABLE, install);

703

} else {

704

pv.forEach(p -> {

705

if (p.getProtocol().equalsIgnoreCase(PROTOCOL_TCP)) {

706

sBuilder.matchIPProtocol(IPv4.PROTOCOL_TCP);

707

708

if (p.getPort() != null &&

709

p.getPort().getIntVal() != null) {

710

sBuilder.matchTcpSrc(TpPort.tpPort(p.getPort().getIntVal()));

711

}

712

}

713

if (p.getProtocol().equalsIgnoreCase(PROTOCOL_UDP)) {

714

sBuilder.matchIPProtocol(IPv4.PROTOCOL_UDP);

715

716

if (p.getPort() != null &&

717

p.getPort().getIntVal() != null) {

718

sBuilder.matchUdpSrc(TpPort.tpPort(p.getPort().getIntVal()));

719

}

720

}

721

setPolicyRulesBase(sBuilder, tBuilder, ACL_EGRESS_WHITE_TABLE, install);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

});

}

} else {

log.error("In correct direction has been specified at network policy.");

}

});

});

}

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

732

private void setPolicyRulesBase(TrafficSelector.Builder sBuilder,

733

TrafficTreatment.Builder tBuilder,

734

int table,

735

boolean install) {

736

k8sNodeService.completeNodes().forEach(n -> {

737

k8sFlowRuleService.setRule(

appId,

n.intgBridge(),

sBuilder.build(),

tBuilder.build(),

PRIORITY_CIDR_RULE,

table,

install

);

});

}

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

749

private void setBlackRules(String whiteIpCidr, String direction,

750

List<String> except, boolean install) {

751

k8sNodeService.completeNodes().forEach(n -> {

752

except.forEach(blkIp -> {

753

TrafficSelector.Builder sBuilder = DefaultTrafficSelector.builder()

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

754

.matchEthType(TYPE_IPV4)

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

755

.matchMetadata(whiteIpCidr.hashCode());

756

TrafficTreatment.Builder tBuilder = DefaultTrafficTreatment.builder()

757

.drop();

758

int table = 0;

759

if (direction.equalsIgnoreCase(DIRECTION_INGRESS)) {

760

sBuilder.matchIPSrc(IpPrefix.valueOf(blkIp));

761

table = ACL_INGRESS_BLACK_TABLE;

762

}

763

if (direction.equalsIgnoreCase(DIRECTION_EGRESS)) {

764

sBuilder.matchIPDst(IpPrefix.valueOf(blkIp));

765

table = ACL_EGRESS_BLACK_TABLE;

766

}

767

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

768

setPolicyRulesBase(sBuilder, tBuilder, table, install);

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

});

});

}

private void setBlackToRouteRules(boolean install) {

774

775

k8sNodeService.completeNodes().forEach(n -> {

776

ImmutableSet.of(ACL_INGRESS_BLACK_TABLE, ACL_EGRESS_BLACK_TABLE).forEach(t -> {

777

k8sFlowRuleService.setRule(

778

appId,

779

n.intgBridge(),

780

DefaultTrafficSelector.builder().build(),

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

781

DefaultTrafficTreatment.builder()

782

.transition(ROUTING_TABLE).build(),

Jian Li

2019-07-11 10:38:02 +0900

[diff] [blame]

0,

t,

install

);

});

});

}

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

791

private void setNamespaceRulesByPod(Pod pod, boolean install) {

792

String podIp = pod.getStatus().getPodIP();

if (podIp == null) {

return;

}

Integer nsHash = namespaceHashByPodIp(k8sPodService, k8sNamespaceService, podIp);

799

800

if (nsHash == null) {

return;

}

setNamespaceRulesBase(podIp, nsHash, install);

805

}

806

807

private void setNamespaceRulesByService(Service service, boolean install) {

808

String clusterIp = service.getSpec().getClusterIP();

809

810

if (clusterIp == null) {

return;

}

setNamespaceRulesBase(clusterIp, namespaceHashByServiceIp(k8sServiceService,

815

k8sNamespaceService, clusterIp), install);

816

}

817

818

private void setNamespaceRulesBase(String ip, Integer nsHash, boolean install) {

819

820

k8sNodeService.completeNodes().forEach(n -> {

821

TrafficSelector.Builder origBuilder = DefaultTrafficSelector.builder()

822

.matchEthType(TYPE_IPV4)

823

.matchIPSrc(IpPrefix.valueOf(IpAddress.valueOf(ip), HOST_PREFIX));

824

TrafficSelector.Builder convBuilder = DefaultTrafficSelector.builder()

825

.matchEthType(TYPE_IPV4)

826

.matchIPSrc(IpPrefix.valueOf(IpAddress.valueOf(

827

shiftIpDomain(ip, SHIFTED_IP_PREFIX)), HOST_PREFIX));

828

TrafficTreatment.Builder tBuilder = DefaultTrafficTreatment.builder()

829

.writeMetadata(nsHash, DEFAULT_METADATA_MASK)

830

.transition(GROUPING_TABLE);

831

832

k8sFlowRuleService.setRule(

appId,

n.intgBridge(),

origBuilder.build(),

tBuilder.build(),

PRIORITY_NAMESPACE_RULE,

NAMESPACE_TABLE,

install

);

k8sFlowRuleService.setRule(

appId,

n.intgBridge(),

convBuilder.build(),

tBuilder.build(),

PRIORITY_NAMESPACE_RULE,

NAMESPACE_TABLE,

install

);

});

}

private class InternalServiceListener implements K8sServiceListener {

855

856

private boolean isRelevantHelper() {

857

return Objects.equals(localNodeId, leadershipService.getLeader(appId.name()));

}

@Override

public void event(K8sServiceEvent event) {

862

Service service = event.subject();

863

switch (event.type()) {

864

case K8S_SERVICE_CREATED:

865

case K8S_SERVICE_UPDATED:

866

eventExecutor.execute(() -> processServiceCreation(service));

867

break;

868

case K8S_SERVICE_REMOVED:

869

eventExecutor.execute(() -> processServiceRemoval(service));

break;

default:

break;

}

}

private void processServiceCreation(Service service) {

877

if (!isRelevantHelper()) {

return;

}

setNamespaceRulesByService(service, true);

882

}

883

884

private void processServiceRemoval(Service service) {

885

if (!isRelevantHelper()) {

return;

}

setNamespaceRulesByService(service, false);

}

}

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

893

private class InternalPodListener implements K8sPodListener {

894

895

private boolean isRelevantHelper() {

896

return Objects.equals(localNodeId, leadershipService.getLeader(appId.name()));

}

@Override

public void event(K8sPodEvent event) {

901

Pod pod = event.subject();

902

switch (event.type()) {

903

case K8S_POD_CREATED:

904

case K8S_POD_UPDATED:

905

eventExecutor.execute(() -> processPodCreation(pod));

906

break;

907

case K8S_POD_REMOVED:

908

eventExecutor.execute(() -> processPodRemoval(pod));

break;

default:

break;

}

}

private void processPodCreation(Pod pod) {

916

if (!isRelevantHelper()) {

return;

}

setBlockRulesByPod(pod, true);

921

setAllowRulesByPod(pod, true);

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

922

setNamespaceRulesByPod(pod, true);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

923

}

924

925

private void processPodRemoval(Pod pod) {

926

if (!isRelevantHelper()) {

return;

}

setBlockRulesByPod(pod, false);

931

setAllowRulesByPod(pod, false);

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

932

setNamespaceRulesByPod(pod, false);

Jian Li

2019-07-08 18:07:53 +0900

[diff] [blame]

}

}

private class InternalNetworkPolicyListener implements K8sNetworkPolicyListener {

937

938

private boolean isRelevantHelper() {

939

return Objects.equals(localNodeId, leadershipService.getLeader(appId.name()));

}

@Override

public void event(K8sNetworkPolicyEvent event) {

944

NetworkPolicy policy = event.subject();

945

switch (event.type()) {

946

case K8S_NETWORK_POLICY_CREATED:

947

case K8S_NETWORK_POLICY_UPDATED:

948

eventExecutor.execute(() -> processNetworkPolicyCreation(policy));

949

break;

950

case K8S_NETWORK_POLICY_REMOVED:

951

eventExecutor.execute(() -> processNetworkPolicyRemoval(policy));

break;

default:

break;

}

}

private void processNetworkPolicyCreation(NetworkPolicy policy) {

959

if (!isRelevantHelper()) {

return;

}

setBlockRulesByPolicy(policy, true);

964

setAllowRulesByPolicy(policy, true);

965

}

966

967

private void processNetworkPolicyRemoval(NetworkPolicy policy) {

968

if (!isRelevantHelper()) {

return;

}

setBlockRulesByPolicy(policy, false);

973

setAllowRulesByPolicy(policy, false);

974

}

975

}

Jian Li

2019-07-23 17:13:19 +0900

[diff] [blame]

976

977

private class InternalNamespaceListener implements K8sNamespaceListener {

978

979

private boolean isRelevantHelper() {

980

return Objects.equals(localNodeId, leadershipService.getLeader(appId.name()));

}

@Override

public void event(K8sNamespaceEvent event) {

985

Namespace ns = event.subject();

986

switch (event.type()) {

987

case K8S_NAMESPACE_CREATED:

988

case K8S_NAMESPACE_UPDATED:

989

eventExecutor.execute(() -> processNamespaceCreation(ns));

990

break;

991

case K8S_NAMESPACE_REMOVED:

992

eventExecutor.execute(() -> processNamespaceRemoval(ns));

break;

default:

break;

}

}

private void processNamespaceCreation(Namespace namespace) {

1000

if (!isRelevantHelper()) {

return;

}

setDefaultAllowNamespaceRules(namespace, true);

1005

setDefaultAllowServiceRules(true);

1006

}

1007

1008

private void processNamespaceRemoval(Namespace namespace) {

1009

if (!isRelevantHelper()) {

return;

}

// do nothing for now

1014

}

1015

}

Jian Li