Add service account selector support in ACNP #3044
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report
@@ Coverage Diff @@
## main #3044 +/- ##
==========================================
- Coverage 60.95% 54.97% -5.99%
==========================================
Files 266 371 +105
Lines 26508 50828 +24320
==========================================
+ Hits 16159 27943 +11784
- Misses 8597 20480 +11883
- Partials 1752 2405 +653
Flags with carried forward coverage won't be shown. Click here to find out more.
|
GraysonWu
force-pushed
the
sa-selector
branch
2 times, most recently
from
3a108a6
to
32414cc
Compare
GraysonWu
changed the title
GraysonWu
force-pushed
the
sa-selector
branch
from
32414cc
to
325491a
Compare
GraysonWu
changed the title
GraysonWu
force-pushed
the
sa-selector
branch
5 times, most recently
from
afdac9f
to
a1a6976
Compare
GraysonWu
force-pushed
the
sa-selector
branch
3 times, most recently
from
59be42d
to
b5480c4
Compare
GraysonWu
changed the title
GraysonWu
force-pushed
the
sa-selector
branch
3 times, most recently
from
af508b0
to
01782b4
Compare
antoninbas
reviewed
Jan 11, 2022
| // re-processed based on if they are affected by an added/updated/deleted | ||
| // ServiceAccount. | ||
| func (n *NetworkPolicyController) filterACNPsByServiceAccount(sa *v1.ServiceAccount) (acnps []*crdv1alpha1.ClusterNetworkPolicy) { | ||
| acnpObjs, err := n.cnpInformer.Informer().GetIndexer().ByIndex(ServiceAccountsPeerIndex, HasServiceAccountsPeer) |
There was a problem hiding this comment.
@tnqn is there any issue with defining an index like this which simply partitions all the objects into 2 different groups?
GraysonWu
force-pushed
the
sa-selector
branch
from
d91c150
to
850c303
Compare
jianjuns
reviewed
Jan 12, 2022
GraysonWu
force-pushed
the
sa-selector
branch
2 times, most recently
from
6c6b9c9
to
341a695
Compare
GraysonWu
force-pushed
the
sa-selector
branch
2 times, most recently
from
4f64e47
to
3399901
Compare
tnqn
reviewed
Feb 9, 2022
GraysonWu
force-pushed
the
sa-selector
branch
2 times, most recently
from
be55e6a
to
74b8879
Compare
GraysonWu
requested review from
tnqn,
jianjuns,
antoninbas,
Dyanngg and
salv-orlando
tnqn
reviewed
Feb 10, 2022
jianjuns
reviewed
Feb 10, 2022
| // workloads in AppliedTo/To/From fields. | ||
| // Cannot be set with any other selector. | ||
| // +optional | ||
| ServiceAccount *NamespacedName `json:"serviceAccount,omitempty"` |
There was a problem hiding this comment.
Good to see the API is really simple now!
There was a problem hiding this comment.
In #2755, the reference struct is named ServiceReference:
// ServiceReference represents a reference to a v1.Service.
type ServiceReference struct {
// Name of the Service
Name string `json:"name"`
// Namespace of the Service
Namespace string `json:"namespace,omitempty"`
}
I feel we should either unify them to NamespacedName or create ServiceAccountReference for this one. Is there any plan?
There was a problem hiding this comment.
Good catch. I slightly prefer to unify them to NamespacedName which could be used to refer to other resources. And if we will use verbose API in the future then I guess this generic struct will still be needed.
There was a problem hiding this comment.
If unifying them sounds good, do you suggest unifying them in this PR or another one?
GraysonWu
force-pushed
the
sa-selector
branch
4 times, most recently
from
6365995
to
1fd84d4
Compare
tnqn
reviewed
Feb 14, 2022
| // workloads in AppliedTo/To/From fields. | ||
| // Cannot be set with any other selector. | ||
| // +optional | ||
| ServiceAccount *NamespacedName `json:"serviceAccount,omitempty"` |
There was a problem hiding this comment.
In #2755, the reference struct is named ServiceReference:
// ServiceReference represents a reference to a v1.Service.
type ServiceReference struct {
// Name of the Service
Name string `json:"name"`
// Namespace of the Service
Namespace string `json:"namespace,omitempty"`
}
I feel we should either unify them to NamespacedName or create ServiceAccountReference for this one. Is there any plan?
GraysonWu
force-pushed
the
sa-selector
branch
from
1fd84d4
to
87463cf
Compare
tnqn
reviewed
Feb 15, 2022
GraysonWu
force-pushed
the
sa-selector
branch
from
87463cf
to
1e1bf7e
Compare
tnqn
reviewed
Feb 16, 2022
| // workloads in AppliedTo/To/From fields. | ||
| // Cannot be set with any other selector. | ||
| // +optional | ||
| ServiceAccount *NamespacedName `json:"serviceAccount,omitempty"` |
Fixes antrea-io#2927 This PR added `serviceAccount` field support to ACNP. It uses Namespace and Name to specify a ServiceAccount and all Pods with this ServiceAccount will be selected as workloads. It could be used in egress `to`, ingress `from` and `appliedTo` of both policy and single rule. To implement this feature, this PR also added a custom label to all Pods internally, which looks like: `internal.antrea.io/service-account:[ServiceAccountName]`. And when process ACNP, `serviceAccount` will be translate to a `GroupSelector` with `Namespace` and `PodSelector` to select Pods we need. Signed-off-by: wgrayson <[email protected]>
GraysonWu
force-pushed
the
sa-selector
branch
from
1e1bf7e
to
42088ae
Compare
Thanks. Done. |
|
/test-all |
|
/test-integration |
bangqipropel
pushed a commit
to bangqipropel/antrea
that referenced
this pull request
Mar 2, 2022
Fixes antrea-io#2927 This PR added `serviceAccount` field support to ACNP. It uses Namespace and Name to specify a ServiceAccount and all Pods with this ServiceAccount will be selected as workloads. It could be used in egress `to`, ingress `from` and `appliedTo` of both policy and single rule. To implement this feature, this PR also added a custom label to all Pods internally, which looks like: `internal.antrea.io/service-account:[ServiceAccountName]`. And when process ACNP, `serviceAccount` will be translate to a `GroupSelector` with `Namespace` and `PodSelector` to select Pods we need. Signed-off-by: wgrayson <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #2927.
This PR added
serviceAccountfield support to ACNP. It usesNamespace and Name to specify a ServiceAccount and all Pods with this
ServiceAccount will be selected as workloads. It could be used in
egress
to, ingressfromandappliedToof both policy and singlerule.
To implement this feature, this PR also added a custom label to
all Pods internally, which looks like:
internal.antrea.io/service-account:[ServiceAccountName]. And whenprocess ACNP,
serviceAccountwill be translate to aGroupSelectorwith
NamespaceandPodSelectorto select Pods we need.Signed-off-by: wgrayson [email protected]