Dynamic egress removal

jobs/README.md

@@ -9,4 +9,4 @@ This is the README for Silk-release jobs. To learn more about `silk-release`, go
 | `silk-cni` | Short-lived [CNI](https://github.com/containernetworking/cni) job, executed along with the [`cni-wrapper-plugin`](https://github.com/cloudfoundry/silk-release/tree/master/src/cni-wrapper-plugin) to provision the network namespace and configure the network interface and routing rules for a container. | When executed, it obtains an overlay subnet and MTU from the `silk-daemon` for the container. Optionally limits bandwidth in and out of each container with the [`bandwidth` plugin](https://github.com/containernetworking/plugins/tree/master/plugins/meta/bandwidth). Uses iptables mutex lock.|
 | `silk-controller` | Manages IP subnet lease allocation for the Diego cell. State that maps the Diego cell to the leased overlay subnet is stored in a SQL database. |  |
 | `silk-daemon` | Daemon that polls the `silk-controller` API to acquire and renew the overlay subnet lease for the Diego cell. Polling frequency can be configured and is 5s by default. It also serves an API that the `silk-cni` calls to retrieve information about the overlay subnet lease. |  |
-| `vxlan-policy-agent` | Polls the the [Policy Server Internal API](https://github.com/cloudfoundry/cf-networking-release/tree/develop/jobs) for desired network policies (container networking and dynamic egress) and writes IPTables rules on the Diego cell to enforce those policies for network traffic between applications. For container networking policies, the IPtables rules tag traffic from applications with network policies on egress, and separate rules at the destination allow traffic with tags whitelisted by policies to applications on ingress. | Uses iptables mutex lock. |
+| `vxlan-policy-agent` | Polls the the [Policy Server Internal API](https://github.com/cloudfoundry/cf-networking-release/tree/develop/jobs) for desired network policies (container networking and dynamic application security groups) and writes IPTables rules on the Diego cell to enforce those policies for network traffic between applications. For container networking policies, the IPtables rules tag traffic from applications with network policies on egress, and separate rules at the destination allow traffic with tags whitelisted by policies to applications on ingress. | Uses iptables mutex lock. |

src/code.cloudfoundry.org/go.mod

@@ -25,7 +25,7 @@ require (
 	code.cloudfoundry.org/garden v0.0.0-20210608104724-fa3a10d59c82
 	code.cloudfoundry.org/go-loggregator/v8 v8.0.5
 	code.cloudfoundry.org/lager v2.0.0+incompatible
-	code.cloudfoundry.org/policy_client v0.0.0-20220203234022-670e720134e3
+	code.cloudfoundry.org/policy_client v0.0.0-20220420200808-7feb15de93f1
 	code.cloudfoundry.org/runtimeschema v0.0.0-00010101000000-000000000000
 	code.cloudfoundry.org/silk v0.0.0-20211004235850-da152076940f
 	github.com/cloudfoundry/dropsonde v1.0.0

src/code.cloudfoundry.org/go.sum

@@ -27,6 +27,10 @@ code.cloudfoundry.org/lager v1.1.1-0.20210513163233-569157d2803b h1:jgCg9ARoZ2ME
 code.cloudfoundry.org/lager v1.1.1-0.20210513163233-569157d2803b/go.mod h1:SF6BAZkl2+itWGVny2ILQCY9UNXIRwgi/m181VkHfrI=
 code.cloudfoundry.org/policy_client v0.0.0-20220203234022-670e720134e3 h1:qjjgXJEYFcd8FVQ367yji8jjGfIJg5sjRz4j7mzUy8g=
 code.cloudfoundry.org/policy_client v0.0.0-20220203234022-670e720134e3/go.mod h1:bzqpNvN9V1gJd0ny82Qnqxow5MFAnU97Sti/l4ORHWY=
+code.cloudfoundry.org/policy_client v0.0.0-20220420173332-5d4bff348a33 h1:JN7bKt1Bp0P/aw9xvQfbtdN04kx29zb4I1Zmyd8hi+U=
+code.cloudfoundry.org/policy_client v0.0.0-20220420173332-5d4bff348a33/go.mod h1:bzqpNvN9V1gJd0ny82Qnqxow5MFAnU97Sti/l4ORHWY=
+code.cloudfoundry.org/policy_client v0.0.0-20220420200808-7feb15de93f1 h1:BwWhTaj7V/cot+S3/IKd93SO1t3wQlB8kMLNlzBRu3I=
+code.cloudfoundry.org/policy_client v0.0.0-20220420200808-7feb15de93f1/go.mod h1:bzqpNvN9V1gJd0ny82Qnqxow5MFAnU97Sti/l4ORHWY=
 code.cloudfoundry.org/routing-info v0.0.0-20220215234142-7d023ecb0fad h1:FHI7/GgnWlgG97a0bEf+UezN0dJez2YoNTjkwOOImj8=
 code.cloudfoundry.org/routing-info v0.0.0-20220215234142-7d023ecb0fad/go.mod h1:ykLgqzJGV5PTkvxtfyOy8hcQy7wxPaoV5ZPyk74aqp8=
 code.cloudfoundry.org/runtimeschema v0.0.0-20180622181441-7dcd19348be6 h1:J08p1/LBnhv5BDDf0WLpHRyMJFCws3vd3fLCFL/iVnQ=

src/code.cloudfoundry.org/vendor/modules.txt

@@ -49,7 +49,7 @@ code.cloudfoundry.org/lager/internal/truncate
 code.cloudfoundry.org/lager/lagerctx
 code.cloudfoundry.org/lager/lagerflags
 code.cloudfoundry.org/lager/lagertest
-# code.cloudfoundry.org/policy_client v0.0.0-20220203234022-670e720134e3
+# code.cloudfoundry.org/policy_client v0.0.0-20220420200808-7feb15de93f1
 ## explicit; go 1.17
 code.cloudfoundry.org/policy_client
 # code.cloudfoundry.org/routing-info v0.0.0-20220215234142-7d023ecb0fad

src/code.cloudfoundry.org/vxlan-policy-agent/cmd/vxlan-policy-agent/main.go

@@ -120,7 +120,7 @@ func main() {
 		policy_client.DefaultConfig,
 	)
 
-	_, _, err = policyClient.GetPolicies()
+	_, err = policyClient.GetPolicies()
 
 	if err != nil {
 		die(logger, "policy-client-get-policies", err)

src/code.cloudfoundry.org/vxlan-policy-agent/integration/linux/linux_test.go

@@ -209,14 +209,6 @@ var _ = Describe("VXLAN Policy Agent", func() {
 							return resp.StatusCode, nil
 						}).Should(Equal(http.StatusOK))
 
-						Eventually(iptablesFilterRules, "4s", "1s").Should(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p tcp -m iprange --dst-range 10.27.1.1-10.27.1.2 -m tcp --dport 8080:8081 -j ACCEPT`))
-						Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p tcp -m iprange --dst-range 10.27.1.3-10.27.1.4 -j ACCEPT`))
-						Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p tcp -m iprange --dst-range 10.27.1.3-10.27.1.4 -j ACCEPT`))
-						Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p tcp -m iprange --dst-range 10.27.2.1-10.27.2.2 -j ACCEPT`))
-						Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p icmp -m iprange --dst-range 10.27.1.1-10.27.1.2 -m icmp --icmp-type 3/4 -j ACCEPT`))
-						Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p icmp -m iprange --dst-range 10.27.1.1-10.27.1.2 -j ACCEPT`))
-						Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p icmp -m iprange --dst-range 10.27.1.1-10.27.1.2 -m icmp --icmp-type 8 -j ACCEPT`))
-						Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p tcp -m iprange --dst-range 10.28.2.3-10.28.2.5 -j ACCEPT`))
 					})
 				})
 
@@ -243,16 +235,6 @@ var _ = Describe("VXLAN Policy Agent", func() {
 					Expect(iptablesFilterRules()).To(ContainSubstring(`-d 10.255.100.21/32 -p udp -m udp --dport 7000:8000 -m mark --mark 0xd -m comment --comment "src:yet-another-app-guid_dst:some-very-very-long-app-guid" -j ACCEPT`))
 				})
 
-				It("enforces egress policies", func() {
-					Eventually(iptablesFilterRules, "4s", "1s").Should(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p tcp -m iprange --dst-range 10.27.1.1-10.27.1.2 -m tcp --dport 8080:8081 -j ACCEPT`))
-					Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p tcp -m iprange --dst-range 10.27.1.3-10.27.1.4 -j ACCEPT`))
-					Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p icmp -m iprange --dst-range 10.27.1.1-10.27.1.2 -m icmp --icmp-type 3/4 -j ACCEPT`))
-					Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p icmp -m iprange --dst-range 10.27.1.1-10.27.1.2 -j ACCEPT`))
-					Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p icmp -m iprange --dst-range 10.27.1.1-10.27.1.2 -m icmp --icmp-type 8 -j ACCEPT`))
-					Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p tcp -m iprange --dst-range 10.27.2.1-10.27.2.2 -j ACCEPT`))
-					Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p tcp -m iprange --dst-range 10.28.2.3-10.28.2.5 -j ACCEPT`))
-				})
-
 				Context("when the container is staging", func() {
 					BeforeEach(func() {
 						containerMetadata := `{
@@ -269,13 +251,6 @@ var _ = Describe("VXLAN Policy Agent", func() {
 					}`
 						Expect(ioutil.WriteFile(datastorePath, []byte(containerMetadata), os.ModePerm))
 					})
-
-					It("enforces the egress policies for staging", func() {
-						Eventually(iptablesFilterRules, "4s", "1s").Should(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p tcp -m iprange --dst-range 10.27.1.1-10.27.1.2 -m tcp --dport 8080:8081 -j ACCEPT`))
-						Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p icmp -m iprange --dst-range 10.27.1.1-10.27.1.2 -j ACCEPT`))
-						Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p icmp -m iprange --dst-range 10.27.1.1-10.27.1.2 -m icmp --icmp-type 8 -j ACCEPT`))
-						Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p tcp -m iprange --dst-range 1.1.1.1-2.9.9.9 -m tcp --dport 8080:8081 -j ACCEPT`))
-					})
 				})
 
 				It("writes only one mark rule for a single container", func() {
@@ -370,7 +345,7 @@ var _ = Describe("VXLAN Policy Agent", func() {
 							runIptablesCommand("-N", "netout--some-handle--log")
 						})
 
-						It("enforces the egress policies for staging", func() {
+						It("enforces the ASG policies for staging", func() {
 							Eventually(iptablesFilterRules, "4s", "1s").Should(MatchRegexp(`-A asg-[a-zA-Z0-9]+ -p tcp -m iprange --dst-range 10.0.11.0-10.0.11.255 -m tcp --dport 443 -g netout--some-handle--log`))
 							Consistently(iptablesFilterRules, "2s", "1s").Should(MatchRegexp(`-A asg-[a-zA-Z0-9]+ -p tcp -m iprange --dst-range 10.0.11.0-10.0.11.255 -m tcp --dport 80 -g netout--some-handle--log`))
 							Consistently(iptablesFilterRules, "2s", "1s").Should(MatchRegexp(`-A asg-[a-zA-Z0-9]+ -m iprange --dst-range 11.0.0.0-169.253.255.255 -j ACCEPT`))
@@ -671,54 +646,6 @@ func startServer(serverListenAddr string, tlsConfig *tls.Config) ifrit.Process {
 						"source": {"id":"yet-another-app-guid", "tag":"D"},
 						"destination": {"id": "some-very-very-long-app-guid", "tag":"A", "protocol":"udp", "ports":{"start":7000, "end":8000}}
 					}
-				],
-				"total_egress_policies": 7,
-				"egress_policies": [
-					{
-						"source": {"id": "some-space", "type": "space" },
-						"destination": {"ips": [{"start": "10.27.2.1", "end": "10.27.2.2"}], "protocol": "tcp"},
-						"app_lifecycle": "running"
-					},
-					{
-						"source": {"id": "some-very-very-long-app-guid" },
-						"destination": {"ips": [{"start": "10.27.1.1", "end": "10.27.1.2"}], "protocol": "icmp", "icmp_type": 3, "icmp_code": 4},
-						"app_lifecycle": "running"
-					},
-					{
-						"source": {"id": "some-very-very-long-app-guid" },
-						"destination": {"ips": [{"start": "1.1.1.1", "end": "2.9.9.9"}], "ports": [{"start": 8080, "end": 8081}], "protocol": "tcp"},
-						"app_lifecycle": "staging"
-					},
-					{
-						"source": {"id": "some-very-very-long-app-guid" },
-						"destination": {"ips": [{"start": "10.27.1.1", "end": "10.27.1.2"}], "protocol": "icmp", "icmp_type": -1, "icmp_code": -1},
-						"app_lifecycle": "all"
-					},
-					{
-						"source": {"id": "some-very-very-long-app-guid" },
-						"destination": {"ips": [{"start": "10.27.1.1", "end": "10.27.1.2"}], "protocol": "icmp", "icmp_type": 8, "icmp_code": -1},
-						"app_lifecycle": "all"
-					},
-					{
-						"source": {"id": "some-very-very-long-app-guid" },
-						"destination": {"ips": [{"start": "10.27.1.1", "end": "10.27.1.2"}], "ports": [{"start": 8080, "end": 8081}], "protocol": "tcp"},
-						"app_lifecycle": "all"
-					},
-					{
-						"source": {"id": "some-app-guid-no-ports" },
-						"destination": {"ips": [{"start": "10.27.1.3", "end": "10.27.1.4"}], "protocol": "tcp"},
-						"app_lifecycle": "all"
-					},
-					{
-						"source": {"id": "not-deployed-on-this-cell-why-did-you-query-for-this-id" },
-						"destination": {"ips": [{"start": "10.27.2.3", "end": "10.27.2.5"}], "protocol": "udp"},
-						"app_lifecycle": "all"
-					},
-					{
-						"source": {"id": "", "type": "default" },
-						"destination": {"ips": [{"start": "10.28.2.3", "end": "10.28.2.5"}], "protocol": "tcp"},
-						"app_lifecycle": "all"
-					}
 				]
 			}`))
 			return

src/code.cloudfoundry.org/vxlan-policy-agent/planner/planner.go

@@ -47,7 +47,7 @@ type dstore interface {
 
 //go:generate counterfeiter -o fakes/policy_client.go --fake-name PolicyClient . policyClient
 type policyClient interface {
-	GetPoliciesByID(ids ...string) ([]policy_client.Policy, []policy_client.EgressPolicy, error)
+	GetPoliciesByID(ids ...string) ([]policy_client.Policy, error)
 	GetSecurityGroupsForSpace(spaceGuids ...string) ([]policy_client.SecurityGroup, error)
 	CreateOrGetTag(id, groupType string) (string, error)
 }