Add ipBlocks in core/v1alpha2

Add controller logic to handle ipBlocks Add E2E tests for ipBlocks in CG Add validation and documentation
antrea-io · Apr 2, 2021 · 51d6db0 · 51d6db0
1 parent 117cd94
commit 51d6db0
Show file tree

Hide file tree

Showing 20 changed files with 298 additions and 63 deletions.
diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
@@ -126,6 +126,14 @@ spec:
                     format: cidr
                     type: string
                 type: object
+              ipBlocks:
+                items:
+                  properties:
+                    cidr:
+                      format: cidr
+                      type: string
+                  type: object
+                type: array
               namespaceSelector:
                 x-kubernetes-preserve-unknown-fields: true
               podSelector:
@@ -190,6 +198,14 @@ spec:
                     format: cidr
                     type: string
                 type: object
+              ipBlocks:
+                items:
+                  properties:
+                    cidr:
+                      format: cidr
+                      type: string
+                  type: object
+                type: array
               namespaceSelector:
                 x-kubernetes-preserve-unknown-fields: true
               podSelector:

diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml
@@ -126,6 +126,14 @@ spec:
                     format: cidr
                     type: string
                 type: object
+              ipBlocks:
+                items:
+                  properties:
+                    cidr:
+                      format: cidr
+                      type: string
+                  type: object
+                type: array
               namespaceSelector:
                 x-kubernetes-preserve-unknown-fields: true
               podSelector:
@@ -190,6 +198,14 @@ spec:
                     format: cidr
                     type: string
                 type: object
+              ipBlocks:
+                items:
+                  properties:
+                    cidr:
+                      format: cidr
+                      type: string
+                  type: object
+                type: array
               namespaceSelector:
                 x-kubernetes-preserve-unknown-fields: true
               podSelector:

diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml
@@ -126,6 +126,14 @@ spec:
                     format: cidr
                     type: string
                 type: object
+              ipBlocks:
+                items:
+                  properties:
+                    cidr:
+                      format: cidr
+                      type: string
+                  type: object
+                type: array
               namespaceSelector:
                 x-kubernetes-preserve-unknown-fields: true
               podSelector:
@@ -190,6 +198,14 @@ spec:
                     format: cidr
                     type: string
                 type: object
+              ipBlocks:
+                items:
+                  properties:
+                    cidr:
+                      format: cidr
+                      type: string
+                  type: object
+                type: array
               namespaceSelector:
                 x-kubernetes-preserve-unknown-fields: true
               podSelector:

diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml
@@ -126,6 +126,14 @@ spec:
                     format: cidr
                     type: string
                 type: object
+              ipBlocks:
+                items:
+                  properties:
+                    cidr:
+                      format: cidr
+                      type: string
+                  type: object
+                type: array
               namespaceSelector:
                 x-kubernetes-preserve-unknown-fields: true
               podSelector:
@@ -190,6 +198,14 @@ spec:
                     format: cidr
                     type: string
                 type: object
+              ipBlocks:
+                items:
+                  properties:
+                    cidr:
+                      format: cidr
+                      type: string
+                  type: object
+                type: array
               namespaceSelector:
                 x-kubernetes-preserve-unknown-fields: true
               podSelector:

diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml
@@ -126,6 +126,14 @@ spec:
                     format: cidr
                     type: string
                 type: object
+              ipBlocks:
+                items:
+                  properties:
+                    cidr:
+                      format: cidr
+                      type: string
+                  type: object
+                type: array
               namespaceSelector:
                 x-kubernetes-preserve-unknown-fields: true
               podSelector:
@@ -190,6 +198,14 @@ spec:
                     format: cidr
                     type: string
                 type: object
+              ipBlocks:
+                items:
+                  properties:
+                    cidr:
+                      format: cidr
+                      type: string
+                  type: object
+                type: array
               namespaceSelector:
                 x-kubernetes-preserve-unknown-fields: true
               podSelector:

diff --git a/build/yamls/base/crds.yml b/build/yamls/base/crds.yml
@@ -725,6 +725,14 @@ spec:
                     cidr:
                       type: string
                       format: cidr
+                ipBlocks:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      cidr:
+                        type: string
+                        format: cidr
                 serviceReference:
                   type: object
                   properties:
@@ -1490,6 +1498,14 @@ spec:
                     cidr:
                       type: string
                       format: cidr
+                ipBlocks:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      cidr:
+                        type: string
+                        format: cidr
                 serviceReference:
                   type: object
                   properties:

diff --git a/ci/kind/test-e2e-kind.sh b/ci/kind/test-e2e-kind.sh
@@ -132,9 +132,9 @@ function run_test {
   fi
   sleep 1
   if $coverage; then
-      go test -v -timeout=50m github.com/vmware-tanzu/antrea/test/e2e -provider=kind --logs-export-dir=$ANTREA_LOG_DIR --coverage --coverage-dir $ANTREA_COV_DIR
+      go test -v -timeout=55m github.com/vmware-tanzu/antrea/test/e2e -provider=kind --logs-export-dir=$ANTREA_LOG_DIR --coverage --coverage-dir $ANTREA_COV_DIR
   else
-      go test -v -timeout=45m github.com/vmware-tanzu/antrea/test/e2e -provider=kind --logs-export-dir=$ANTREA_LOG_DIR
+      go test -v -timeout=50m github.com/vmware-tanzu/antrea/test/e2e -provider=kind --logs-export-dir=$ANTREA_LOG_DIR
   fi
   $TESTBED_CMD destroy kind
 }

diff --git a/docs/antrea-network-policy.md b/docs/antrea-network-policy.md
@@ -602,19 +602,18 @@ order in which they are enforced.
 A ClusterGroup (CG) CRD is a specification of how workloads are grouped together.
 It allows admins to group Pods using traditional label selectors, which can then
 be referenced in ACNP in place of stand-alone `podSelector` and/or `namespaceSelector`.
-In addition, ClusterGroup also supports Pod grouping by `serviceReference`. ClusterGroup
-specified by `serviceReference` will contain the same Pod members that are currently
-selected by the Service's selector.
+In addition to `podSelector` and `namespaceSelector`, ClusterGroup also supports the
+following ways to select endpoints:
+
+- Pod grouping by `serviceReference`. ClusterGroup specified by `serviceReference` will
+contain the same Pod members that are currently selected by the Service's selector.
+- `ipBlock` or `ipBlocks` to share IPBlocks between ACNPs.
+- `childGroups` to select other ClusterGroups by name.
+
 ClusterGroups allow admins to separate the concern of grouping of workloads from
 the security aspect of Antrea-native policies.
 It adds another level of indirection allowing users to update group membership
 without having to update individual policy rules.
-In addition to specifying label selectors to group workloads, admins can create a
-ClusterGroup to share IPBlocks.
-An `ipBlock` selector may not be specified with a `podSelector` and `namespaceSelector`,
-i.e. a single ClusterGroup can either group workloads or share IPBlocks.
-A ClusterGroup is cluster scoped resource and therefore can only be set in an Antrea
-ClusterNetworkPolicy's `appliedTo` and `to`/`from` peers.
 
 ### The ClusterGroup resource
 
@@ -643,9 +642,9 @@ kind: ClusterGroup
 metadata:
   name: test-cg-ip-block
 spec:
-  # IPBlock cannot be set along with PodSelector, NamespaceSelector or serviceReference.
-  ipBlock:
-    cidr: 10.0.10.0/24
+  # IPBlocks cannot be set along with PodSelector, NamespaceSelector or serviceReference.
+  ipBlocks:
+  - cidr: 10.0.10.0/24
 status:
   conditions:
     - type: "GroupMembersComputed"
@@ -657,7 +656,7 @@ kind: ClusterGroup
 metadata:
   name: test-cg-svc-ref
 spec:
-  # ServiceReference cannot be set along with PodSelector, NamespaceSelector or ipBlock.
+  # ServiceReference cannot be set along with PodSelector, NamespaceSelector or ipBlocks.
   serviceReference:
     name: test-service
     namespace: default
@@ -666,8 +665,35 @@ status:
     - type: "GroupMembersComputed"
       status: "True"
       lastTransitionTime: "2021-01-29T20:21:46Z"
+---
+apiVersion: core.antrea.tanzu.vmware.com/v1alpha2
+kind: ClusterGroup
+metadata:
+  name: test-cg-nested
+spec:
+  childGroups: [test-cg-sel, test-cg-ip-blocks, test-cg-svc-ref]
+status:
+  conditions:
+    - type: "GroupMembersComputed"
+      status: "True"
+      lastTransitionTime: "2021-01-29T20:21:48Z"
 ```
 
+There are a few __restrictions__ on how ClusterGroups can be configured:
+
+- A ClusterGroup is a cluster-scoped resource and therefore can only be set in an Antrea
+ClusterNetworkPolicy's `appliedTo` and `to`/`from` peers.
+- For the `childGroup` field, currently only one level of nesting is supported:
+If a ClusterGroup has childGroups, it cannot be selected as a childGroup by other ClusterGroups.
+- ClusterGroup must exist before another ClusterGroup can select it by name as its childGroup.
+A ClusterGroup cannot be deleted if it is referred to by other ClusterGroup as childGroup.
+This restriction may be lifted in future releases.
+- At most one of `podSelector`, `serviceReference`, `ipBlock`, `ipBlocks` or `childGroups`
+can be set for a ClusterGroup, i.e. a single ClusterGroup can either group workloads,
+represent IP CIDRs or select other ClusterGroups. A parent ClusterGroup can select different
+types of ClusterGroups (Pod/Service/CIDRs), but as mentioned above, it cannot select a
+ClusterGroup that has childGroups itself.
+
 **spec**: The ClusterGroup `spec` has all the information needed to define a
 cluster-wide group.
 
@@ -684,6 +710,14 @@ If set with a `podSelector`, all matching Pods from Namespaces selected by the
 "sources" or `egress` "destinations".
 A ClusterGroup with `ipBlock` referenced in an ACNP's `appliedTo` field will be
 ignored, and the policy will have no effect.
+For a same ClusterGroup, `ipBlock` and `ipBlocks` cannot be set concurrently.
+ipBlock will be deprecated for ipBlocks in future versions of ClusterGroup.
+
+**ipBlocks**: This selects a list of IP CIDR ranges to allow as `ingress`
+"sources" or `egress` "destinations".
+A ClusterGroup with `ipBlocks` referenced in an ACNP's `appliedTo` field will be
+ignored, and the policy will have no effect.
+For a same ClusterGroup, `ipBlock` and `ipBlocks` cannot be set concurrently.
 
 **serviceReference**: Pods that serve as the backend for the specified Service
 will be grouped. Services without selectors are currently not supported, and will
@@ -694,6 +728,10 @@ traffic enforcement. `ServiceReference` is merely a mechanism to group Pods and
 ensure that a ClusterGroup stays in sync with the set of Pods selected by a given
 Service.
 
+**childGroups**: This selects existing ClusterGroups by name. The effective members
+of the "parent" ClusterGrup will be the union of all its childGroups' members.
+See the section above for restrictions.
+
 **status**: The ClusterGroup `status` field determines the overall realization
 status of the group.
 

diff --git a/pkg/apis/crd/v1alpha2/types.go b/pkg/apis/crd/v1alpha2/types.go
@@ -119,8 +119,15 @@ type GroupSpec struct {
 	// IPBlock describes the IPAddresses/IPBlocks that is matched in to/from.
 	// IPBlock cannot be set as part of the AppliedTo field.
 	// Cannot be set with any other selector or ServiceReference.
+	// Cannot be set with IPBlocks.
 	// +optional
 	IPBlock *v1alpha1.IPBlock `json:"ipBlock,omitempty"`
+	// IPBlocks is a list of IPAddresses/IPBlocks that is matched in to/from.
+	// IPBlock cannot be set as part of the AppliedTo field.
+	// Cannot be set with any other selector or ServiceReference.
+	// Cannot be set with IPBlock.
+	// +optional
+	IPBlocks []v1alpha1.IPBlock `json:"ipBlocks,omitempty"`
 	// Select backend Pods of the referred Service.
 	// Cannot be set with any other selector or ipBlock.
 	// +optional

diff --git a/pkg/apis/crd/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/crd/v1alpha2/zz_generated.deepcopy.go
diff --git a/pkg/controller/networkpolicy/clustergroup.go b/pkg/controller/networkpolicy/clustergroup.go
@@ -63,15 +63,15 @@ func (n *NetworkPolicyController) updateClusterGroup(oldObj, curObj interface{})
 		}
 		return true
 	}
-	ipBlockUpdated := func() bool {
-		oldIPB, newIPB := oldGroup.IPBlock, newGroup.IPBlock
-		// ClusterGroup ipBlock does not support Except
-		if oldIPB != nil && newIPB != nil && ipNetToCIDRStr(oldIPB.CIDR) == ipNetToCIDRStr(newIPB.CIDR) {
-			return false
-		} else if oldIPB == nil && newIPB == nil {
-			return false
+	ipBlocksUpdated := func() bool {
+		oldIPBs, newIPBs := sets.String{}, sets.String{}
+		for _, ipb := range oldGroup.IPBlocks {
+			oldIPBs.Insert(ipNetToCIDRStr(ipb.CIDR))
 		}
-		return true
+		for _, ipb := range newGroup.IPBlocks {
+			newIPBs.Insert(ipNetToCIDRStr(ipb.CIDR))
+		}
+		return oldIPBs.Equal(newIPBs)
 	}
 	childGroupsUpdated := func() bool {
 		oldChildGroups, newChildGroups := sets.String{}, sets.String{}
@@ -83,7 +83,7 @@ func (n *NetworkPolicyController) updateClusterGroup(oldObj, curObj interface{})
 		}
 		return !oldChildGroups.Equal(newChildGroups)
 	}
-	if !ipBlockUpdated() && !svcRefUpdated() && !selectorUpdated() && !childGroupsUpdated() {
+	if !ipBlocksUpdated() && !svcRefUpdated() && !selectorUpdated() && !childGroupsUpdated() {
 		// No change in the contents of the ClusterGroup. No need to enqueue for further sync.
 		return
 	}
@@ -129,7 +129,13 @@ func (n *NetworkPolicyController) processClusterGroup(cg *crdv1alpha2.ClusterGro
 	}
 	if cg.Spec.IPBlock != nil {
 		ipb, _ := toAntreaIPBlockForCRD(cg.Spec.IPBlock)
-		internalGroup.IPBlock = ipb
+		internalGroup.IPBlocks = append(internalGroup.IPBlocks, *ipb)
+		return &internalGroup
+	} else if len(cg.Spec.IPBlocks) > 0 {
+		for i := range cg.Spec.IPBlocks {
+			ipb, _ := toAntreaIPBlockForCRD(&cg.Spec.IPBlocks[i])
+			internalGroup.IPBlocks = append(internalGroup.IPBlocks, *ipb)
+		}
 		return &internalGroup
 	}
 	svcSelector := cg.Spec.ServiceReference