StretchedNetworkPolicy Antrea agent support (antrea-io#3914)

1. Add implementation of Stretched NetworkPolicy in Antrea agent. 1.1 Add OVS flows with tun_id matching. 1.2 Also realize a security rule using unknown LabelIdentity for each Stretched NetworkPolicy rule. 2. Add implementation of LabelIdentity on datapath. 2.1 Pod will load its LabelIdentity in tun_id in ClassifierFlow. 2.2 Pod Classifier flow will have different cacheKey for easy update. 3. Add UT and E2E tests. Signed-off-by: graysonwu <[email protected]>
GraysonWu · Jan 27, 2023 · 477b13d · 477b13d
1 parent cf5ddda
commit 477b13d
Show file tree

Hide file tree

Showing 47 changed files with 1,763 additions and 209 deletions.
diff --git a/build/charts/antrea/README.md b/build/charts/antrea/README.md
@@ -85,7 +85,7 @@ Kubernetes: `>= 1.16.0-0`
 | multicast.igmpQueryInterval | string | `"125s"` | The interval at which the antrea-agent sends IGMP queries to Pods. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". |
 | multicast.multicastInterfaces | list | `[]` | Names of the interfaces on Nodes that are used to forward multicast traffic. |
 | multicluster.enable | bool | `false` | Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. This feature is supported only with encap mode. |
-| multicluster.enableStretchedNetworkPolicy | bool | `false` | Enable Multicluster which allow Antrea-native policies to select peers from other clusters in a ClusterSet. This feature is supported only with encap mode when the tunnel type is Geneve. |
+| multicluster.enableStretchedNetworkPolicy | bool | `false` | Enable StretchedNetworkPolicy which allow Antrea-native policies to select peers from other clusters in a ClusterSet. This feature is supported only with encap mode when the tunnel type is Geneve. |
 | multicluster.namespace | string | `""` | The Namespace where Antrea Multi-cluster Controller is running. The default is antrea-agent's Namespace. |
 | noSNAT | bool | `false` | Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. |
 | nodeIPAM.clusterCIDRs | list | `[]` | CIDR ranges to use when allocating Pod IP addresses. |

diff --git a/build/charts/antrea/conf/antrea-agent.conf b/build/charts/antrea/conf/antrea-agent.conf
@@ -333,4 +333,7 @@ multicluster:
 # The Namespace where Antrea Multi-cluster Controller is running.
 # The default is antrea-agent's Namespace.
   namespace: {{ .namespace | quote }}
+# Enable StretchedNetworkPolicy which could be enforced on cross-cluster traffic.
+# This feature is supported only with encap mode when the tunnel type is Geneve.
+  enableStretchedNetworkPolicy: {{ .enableStretchedNetworkPolicy }}
 {{- end }}
diff --git a/build/charts/antrea/conf/antrea-controller.conf b/build/charts/antrea/conf/antrea-controller.conf
@@ -111,7 +111,7 @@ ipsecCSRSigner:
 
 multicluster:
 {{- with .Values.multicluster }}
-  # Enable Multicluster which allow Antrea-native policies to select peers
+  # Enable StretchedNetworkPolicy which allow Antrea-native policies to select peers
   # from other clusters in a ClusterSet.
   enableStretchedNetworkPolicy: {{ .enableStretchedNetworkPolicy }}
 {{- end }}
diff --git a/build/charts/antrea/templates/agent/clusterrole.yaml b/build/charts/antrea/templates/agent/clusterrole.yaml
@@ -213,6 +213,7 @@ rules:
     - multicluster.crd.antrea.io
     resources:
     - clusterinfoimports
+    - labelidentities
     verbs:
     - get
     - list

diff --git a/build/charts/antrea/values.yaml b/build/charts/antrea/values.yaml
@@ -307,7 +307,7 @@ multicluster:
   # -- The Namespace where Antrea Multi-cluster Controller is running.
   # The default is antrea-agent's Namespace.
   namespace: ""
-  # -- Enable Multicluster which allow Antrea-native policies to select peers
+  # -- Enable StretchedNetworkPolicy which allow Antrea-native policies to select peers
   # from other clusters in a ClusterSet.
   # This feature is supported only with encap mode when the tunnel type is Geneve.
   enableStretchedNetworkPolicy: false

diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
@@ -3224,6 +3224,9 @@ data:
     # The Namespace where Antrea Multi-cluster Controller is running.
     # The default is antrea-agent's Namespace.
       namespace: ""
+    # Enable StretchedNetworkPolicy which could be enforced on cross-cluster traffic.
+    # This feature is supported only with encap mode when the tunnel type is Geneve.
+      enableStretchedNetworkPolicy: false
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -3353,7 +3356,7 @@ data:
       selfSignedCA: true
 
     multicluster:
-      # Enable Multicluster which allow Antrea-native policies to select peers
+      # Enable StretchedNetworkPolicy which allow Antrea-native policies to select peers
       # from other clusters in a ClusterSet.
       enableStretchedNetworkPolicy: false
 ---
@@ -3703,6 +3706,7 @@ rules:
     - multicluster.crd.antrea.io
     resources:
     - clusterinfoimports
+    - labelidentities
     verbs:
     - get
     - list
@@ -4277,7 +4281,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 0bfe61fa131f03545550f3a41480c66a3122c1a87390077d700ca01df6371f9a
+        checksum/config: f06bc0519d38f9edaaa4516e816c564429500bf878c777abc41033b346e8edff
       labels:
         app: antrea
         component: antrea-agent
@@ -4518,7 +4522,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 0bfe61fa131f03545550f3a41480c66a3122c1a87390077d700ca01df6371f9a
+        checksum/config: f06bc0519d38f9edaaa4516e816c564429500bf878c777abc41033b346e8edff
       labels:
         app: antrea
         component: antrea-controller

diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml
@@ -3224,6 +3224,9 @@ data:
     # The Namespace where Antrea Multi-cluster Controller is running.
     # The default is antrea-agent's Namespace.
       namespace: ""
+    # Enable StretchedNetworkPolicy which could be enforced on cross-cluster traffic.
+    # This feature is supported only with encap mode when the tunnel type is Geneve.
+      enableStretchedNetworkPolicy: false
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -3353,7 +3356,7 @@ data:
       selfSignedCA: true
 
     multicluster:
-      # Enable Multicluster which allow Antrea-native policies to select peers
+      # Enable StretchedNetworkPolicy which allow Antrea-native policies to select peers
       # from other clusters in a ClusterSet.
       enableStretchedNetworkPolicy: false
 ---
@@ -3703,6 +3706,7 @@ rules:
     - multicluster.crd.antrea.io
     resources:
     - clusterinfoimports
+    - labelidentities
     verbs:
     - get
     - list
@@ -4277,7 +4281,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 0bfe61fa131f03545550f3a41480c66a3122c1a87390077d700ca01df6371f9a
+        checksum/config: f06bc0519d38f9edaaa4516e816c564429500bf878c777abc41033b346e8edff
       labels:
         app: antrea
         component: antrea-agent
@@ -4520,7 +4524,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 0bfe61fa131f03545550f3a41480c66a3122c1a87390077d700ca01df6371f9a
+        checksum/config: f06bc0519d38f9edaaa4516e816c564429500bf878c777abc41033b346e8edff
       labels:
         app: antrea
         component: antrea-controller

diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml
@@ -3224,6 +3224,9 @@ data:
     # The Namespace where Antrea Multi-cluster Controller is running.
     # The default is antrea-agent's Namespace.
       namespace: ""
+    # Enable StretchedNetworkPolicy which could be enforced on cross-cluster traffic.
+    # This feature is supported only with encap mode when the tunnel type is Geneve.
+      enableStretchedNetworkPolicy: false
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -3353,7 +3356,7 @@ data:
       selfSignedCA: true
 
     multicluster:
-      # Enable Multicluster which allow Antrea-native policies to select peers
+      # Enable StretchedNetworkPolicy which allow Antrea-native policies to select peers
       # from other clusters in a ClusterSet.
       enableStretchedNetworkPolicy: false
 ---
@@ -3703,6 +3706,7 @@ rules:
     - multicluster.crd.antrea.io
     resources:
     - clusterinfoimports
+    - labelidentities
     verbs:
     - get
     - list
@@ -4277,7 +4281,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: db1a9feabdabaa45a5a006e8d89bd1b3b4a4e3c67573cb98d5f3630e15d4d757
+        checksum/config: 4c94da583c601f67c4369808e59e884c0ea07d35b3f295e7a9fe3e14b80221a5
       labels:
         app: antrea
         component: antrea-agent
@@ -4517,7 +4521,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: db1a9feabdabaa45a5a006e8d89bd1b3b4a4e3c67573cb98d5f3630e15d4d757
+        checksum/config: 4c94da583c601f67c4369808e59e884c0ea07d35b3f295e7a9fe3e14b80221a5
       labels:
         app: antrea
         component: antrea-controller

diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml
@@ -3237,6 +3237,9 @@ data:
     # The Namespace where Antrea Multi-cluster Controller is running.
     # The default is antrea-agent's Namespace.
       namespace: ""
+    # Enable StretchedNetworkPolicy which could be enforced on cross-cluster traffic.
+    # This feature is supported only with encap mode when the tunnel type is Geneve.
+      enableStretchedNetworkPolicy: false
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -3366,7 +3369,7 @@ data:
       selfSignedCA: true
 
     multicluster:
-      # Enable Multicluster which allow Antrea-native policies to select peers
+      # Enable StretchedNetworkPolicy which allow Antrea-native policies to select peers
       # from other clusters in a ClusterSet.
       enableStretchedNetworkPolicy: false
 ---
@@ -3716,6 +3719,7 @@ rules:
     - multicluster.crd.antrea.io
     resources:
     - clusterinfoimports
+    - labelidentities
     verbs:
     - get
     - list
@@ -4290,7 +4294,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 1cc89e2ac8e3f6c3c1297fb1d3d8ba1f8eb1f69a7ff915fc23322d9e45237d3f
+        checksum/config: 8a0ea8f57943caf7de83015414c2bb78c4283a7280118ce3a2160e121e8829b9
         checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
       labels:
         app: antrea
@@ -4576,7 +4580,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 1cc89e2ac8e3f6c3c1297fb1d3d8ba1f8eb1f69a7ff915fc23322d9e45237d3f
+        checksum/config: 8a0ea8f57943caf7de83015414c2bb78c4283a7280118ce3a2160e121e8829b9
       labels:
         app: antrea
         component: antrea-controller

diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml
@@ -3224,6 +3224,9 @@ data:
     # The Namespace where Antrea Multi-cluster Controller is running.
     # The default is antrea-agent's Namespace.
       namespace: ""
+    # Enable StretchedNetworkPolicy which could be enforced on cross-cluster traffic.
+    # This feature is supported only with encap mode when the tunnel type is Geneve.
+      enableStretchedNetworkPolicy: false
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -3353,7 +3356,7 @@ data:
       selfSignedCA: true
 
     multicluster:
-      # Enable Multicluster which allow Antrea-native policies to select peers
+      # Enable StretchedNetworkPolicy which allow Antrea-native policies to select peers
       # from other clusters in a ClusterSet.
       enableStretchedNetworkPolicy: false
 ---
@@ -3703,6 +3706,7 @@ rules:
     - multicluster.crd.antrea.io
     resources:
     - clusterinfoimports
+    - labelidentities
     verbs:
     - get
     - list
@@ -4277,7 +4281,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: bb8e267e96249bf4d28379cb852eaada9d0e8d20467d58c8e8ab54e33a29fd93
+        checksum/config: 7ef1495672b7b4b2ed3d7729f27af861e3f619bd3343488d45b9c8c3195106cd
       labels:
         app: antrea
         component: antrea-agent
@@ -4517,7 +4521,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: bb8e267e96249bf4d28379cb852eaada9d0e8d20467d58c8e8ab54e33a29fd93
+        checksum/config: 7ef1495672b7b4b2ed3d7729f27af861e3f619bd3343488d45b9c8c3195106cd
       labels:
         app: antrea
         component: antrea-controller

diff --git a/ci/jenkins/test-mc.sh b/ci/jenkins/test-mc.sh
@@ -248,6 +248,24 @@ function run_codecov { (set -e
     rm -f trustedkeys.gpg codecov
 )}
 
+function modify_config {
+  if [[ ${ENABLE_MC_GATEWAY} == "true" ]]; then
+  cat > build/yamls/chart-values/antrea.yml << EOF
+multicluster:
+  enable: true
+  enableStretchedNetworkPolicy: true
+featureGates: {
+  Multicluster: true
+}
+EOF
+  make manifest
+  cd multicluster
+  sed -i 's/enableStretchedNetworkPolicy: false/enableStretchedNetworkPolicy: true/g' config/default/configmap/controller_manager_config.yaml
+  make manifests
+  cd ..
+  fi
+}
+
 function deliver_antrea_multicluster {
     echo "====== Building Antrea for the Following Commit ======"
     export GO111MODULE=on
@@ -357,16 +375,6 @@ function run_multicluster_e2e {
     export GOCACHE=${WORKDIR}/.cache/go-build
     export PATH=$GOROOT/bin:$PATH
 
-    if [[ ${ENABLE_MC_GATEWAY} == "true" ]]; then
-    cat > build/yamls/chart-values/antrea.yml <<EOF
-multicluster:
-  enable: true
-featureGates: {
-  Multicluster: true
-}
-EOF
-    make manifest
-    fi
     wait_for_antrea_multicluster_pods_ready "${LEADER_CLUSTER_CONFIG}"
     wait_for_antrea_multicluster_pods_ready "${EAST_CLUSTER_CONFIG}"
     wait_for_antrea_multicluster_pods_ready "${WEST_CLUSTER_CONFIG}"
@@ -471,6 +479,7 @@ set -e
 
 if [[ ${TESTCASE} =~ "e2e" ]]; then
     deliver_antrea_multicluster
+    modify_config
     deliver_multicluster_controller
     run_multicluster_e2e
     if $COVERAGE;then