first commit

Author: aojea

.github/workflows/e2e.yml

@@ -0,0 +1,165 @@
+name: e2e
+
+on:
+  push:
+    branches:
+      - 'main'
+    tags:
+      - 'v*'
+  pull_request:
+    branches: [ main ]
+  workflow_dispatch:
+
+env:
+  GO_VERSION: "1.22.0"
+  K8S_VERSION: "v1.29.2"
+  KIND_VERSION: "v0.22.0"
+  REGISTRY: ghcr.io
+  IMAGE_NAME: registry.k8s.io/kube-netpol
+  KIND_CLUSTER_NAME: kind
+
+permissions: write-all
+
+jobs:
+  build:
+    name: build
+    runs-on: ubuntu-latest
+    steps:
+    - name: Set up Go
+      uses: actions/setup-go@v2
+      with:
+        go-version: ${{ env.GO_VERSION }}
+      id: go
+
+    - name: Check out code
+      uses: actions/checkout@v2
+
+    - name: Build
+      run: |
+        docker build -t registry.k8s.io/kube-netpol:test -f Dockerfile .
+        mkdir _output
+        docker save registry.k8s.io/kube-netpol:test  > _output/kube-netpol-image.tar
+
+    - uses: actions/upload-artifact@v2
+      with:
+        name: test-image
+        path: _output/kube-netpol-image.tar
+
+  e2e:
+    name: e2e
+    runs-on: ubuntu-22.04
+    timeout-minutes: 100
+    needs:
+      - build
+    strategy:
+      fail-fast: false
+      matrix:
+        # TODO add "dual", waiting on KEP https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/3705-cloud-node-ips
+        ipFamily: ["ipv4", "ipv6"]
+    env:
+      JOB_NAME: "kube-netpol-${{ matrix.ipFamily }}"
+      IP_FAMILY: ${{ matrix.ipFamily }}
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v2
+
+    - name: Enable ipv4 and ipv6 forwarding
+      run: |
+        sudo sysctl -w net.ipv6.conf.all.forwarding=1
+        sudo sysctl -w net.ipv4.ip_forward=1
+
+    - name: Set up environment (download dependencies)
+      run: |
+        TMP_DIR=$(mktemp -d)
+        # Test binaries
+        curl -L https://dl.k8s.io/${{ env.K8S_VERSION }}/kubernetes-test-linux-amd64.tar.gz -o ${TMP_DIR}/kubernetes-test-linux-amd64.tar.gz
+        tar xvzf ${TMP_DIR}/kubernetes-test-linux-amd64.tar.gz \
+          --directory ${TMP_DIR} \
+          --strip-components=3 kubernetes/test/bin/ginkgo kubernetes/test/bin/e2e.test
+        # kubectl
+        curl -L https://dl.k8s.io/${{ env.K8S_VERSION }}/bin/linux/amd64/kubectl -o ${TMP_DIR}/kubectl
+        # kind
+        curl -Lo ${TMP_DIR}/kind https://kind.sigs.k8s.io/dl/${{ env.KIND_VERSION }}/kind-linux-amd64
+        # Install
+        sudo cp ${TMP_DIR}/ginkgo /usr/local/bin/ginkgo
+        sudo cp ${TMP_DIR}/e2e.test /usr/local/bin/e2e.test
+        sudo cp ${TMP_DIR}/kubectl /usr/local/bin/kubectl
+        sudo cp ${TMP_DIR}/kind /usr/local/bin/kind
+        sudo chmod +x /usr/local/bin/*
+
+    - name: Create multi node cluster
+      run: |
+        # output_dir
+        mkdir -p _artifacts
+        # create cluster
+        cat <<EOF | /usr/local/bin/kind create cluster \
+          --name ${{ env.KIND_CLUSTER_NAME}}           \
+          --image kindest/node:${{ env.K8S_VERSION }}  \
+          -v7 --wait 1m --retain --config=-
+        kind: Cluster
+        apiVersion: kind.x-k8s.io/v1alpha4
+        networking:
+          ipFamily: ${IP_FAMILY}
+        nodes:
+        - role: control-plane
+        - role: worker
+        - role: worker
+        EOF
+        # dump the kubeconfig for later
+        /usr/local/bin/kind get kubeconfig --name ${{ env.KIND_CLUSTER_NAME}} > _artifacts/kubeconfig.conf
+
+    - uses: actions/download-artifact@v2
+      with:
+        name: test-image
+
+    - name: Install kube-netpol
+      run: |
+        # preload kube-netpol image
+        docker load --input kube-netpol-image.tar
+        /usr/local/bin/kind load docker-image registry.k8s.io/kube-netpol:test --name ${{ env.KIND_CLUSTER_NAME}}
+        sed -i s#registry.k8s.io/kube-netpol.*#registry.k8s.io/kube-netpol:test# install.yaml
+        /usr/local/bin/kubectl apply -f ./install.yaml
+
+    - name: Get Cluster status
+      run: |
+        # wait network is ready
+        sleep 5
+        /usr/local/bin/kubectl get nodes -o wide
+        /usr/local/bin/kubectl get pods -A
+        /usr/local/bin/kubectl wait --timeout=1m --for=condition=ready pods --namespace=kube-system -l k8s-app=kube-dns
+        /usr/local/bin/kubectl wait --timeout=1m --for=condition=ready pods --namespace=kube-system -l app=kube-network-policies
+
+    - name: Run tests
+      run: |
+        export KUBERNETES_CONFORMANCE_TEST='y'
+        export E2E_REPORT_DIR=${PWD}/_artifacts
+
+        # Run tests
+        /usr/local/bin/ginkgo --nodes=25                \
+          --focus="Netpol"  \
+          /usr/local/bin/e2e.test                       \
+          --                                            \
+          --kubeconfig=${PWD}/_artifacts/kubeconfig.conf     \
+          --provider=local                              \
+          --dump-logs-on-failure=false                  \
+          --report-dir=${E2E_REPORT_DIR}                \
+          --disable-log-dump=true
+
+    - name: Upload Junit Reports
+      if: always()
+      uses: actions/upload-artifact@v2
+      with:
+        name: kind-junit-${{ env.JOB_NAME }}-${{ github.run_id }}
+        path: './_artifacts/*.xml'
+
+    - name: Export logs
+      if: always()
+      run: |
+        /usr/local/bin/kind export logs --name ${KIND_CLUSTER_NAME} --loglevel=debug ./_artifacts/logs
+
+    - name: Upload logs
+      if: always()
+      uses: actions/upload-artifact@v2
+      with:
+        name: kind-logs-${{ env.JOB_NAME }}-${{ github.run_id }}
+        path: ./_artifacts/logs

Dockerfile

@@ -0,0 +1,11 @@
+ARG GOARCH="amd64"
+FROM golang:1.22 AS builder
+WORKDIR /src
+COPY . .
+# build
+RUN go mod download
+RUN CGO_ENABLED=0 go build -o /go/bin/netpol ./cmd
+# STEP 2: Build small image
+FROM registry.k8s.io/build-image/distroless-iptables:v0.5.2
+COPY --from=builder --chown=root:root /go/bin/netpol /bin/netpol
+CMD ["/bin/netpol"]

README.md

@@ -1,6 +1,42 @@
-# kube-network-policies
+# Kubernetes network policies
+
+Network policies are hard to implement efficiently and in large clusters this is translated to performance and scalability problems.
+
+Most of the existing implementations use the same approach of processing the APIs and transforming them in the corresponding dataplane implementation: iptables, nftables, ebpf or ovs, ...
+
+This project takes a different approach. It uses the NFQUEUE functionality implemented in netfilter to process the first packet of each connection in userspace and emit a verdict. The advantage is that the dataplane implementation does not need to represent all the complex logic, allowing it to scale better. The disadvantage is that we need to pass each new connection packet through userspace.
+
+There are some performance improvements that can be applied, such as to restrict in the dataplane the packets that are sent to userspace to the ones that have network policies only, so only
+the Pods affected by network policies will hit the first byte performance.
+
+## Metrics
+
+Prometheus metrics are exposed on the address defined by the flag
+
+```
+  -metrics-bind-address string
+        The IP address and port for the metrics server to serve on (default ":9080")
+```
+
+Current implemented metrics are:
+
+* packet_process_time: Time it has taken to process each packet (microseconds)
+* packet_process_duration_microseconds: A summary of the packet processing durations in microseconds
+* packet_count: Number of packets
+* nfqueue_queue_total: The number of packets currently queued and waiting to be processed by the application
+* nfqueue_queue_dropped: Number of packets that had to be dropped by the kernel because too many packets are already waiting for user space to send back the mandatory accept/drop verdicts
+* nfqueue_user_dropped: Number of packets that were dropped within the netlink subsystem. Such drops usually happen when the corresponding socket buffer is full; that is, user space is not able to read messages fast enough
+* nfqueue_packet_id: ID of the most recent packet queued
+
+## Testing
+
+See [.docs/testing/README.md] 
+
+## References
+
+* https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/
+* https://netfilter.org/projects/libnetfilter_queue/doxygen/html/
 
-Kubernetes network policies
 
 ## Community, discussion, contribution, and support
 

cmd/main.go

@@ -0,0 +1,101 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"net"
+	"net/http"
+	"os"
+	"os/signal"
+	"time"
+
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+	"golang.org/x/sys/unix"
+	"sigs.k8s.io/kube-network-policies/pkg/networkpolicy"
+
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	"k8s.io/klog/v2"
+)
+
+var (
+	failOpen           bool
+	queueID            int
+	metricsBindAddress string
+)
+
+func init() {
+	flag.BoolVar(&failOpen, "fail-open", false, "If set, don't drop packets if the controller is not running")
+	flag.IntVar(&queueID, "nfqueue-id", 100, "Number of the nfqueue used")
+	flag.StringVar(&metricsBindAddress, "metrics-bind-address", ":9080", "The IP address and port for the metrics server to serve on")
+
+	flag.Usage = func() {
+		fmt.Fprint(os.Stderr, "Usage: kube-netpol [options]\n\n")
+		flag.PrintDefaults()
+	}
+}
+
+func main() {
+	// enable logging
+	klog.InitFlags(nil)
+	flag.Parse()
+	//
+	if _, _, err := net.SplitHostPort(metricsBindAddress); err != nil {
+		klog.Fatalf("error parsing metrics bind address %s : %v", metricsBindAddress, err)
+	}
+
+	cfg := networkpolicy.Config{
+		FailOpen: failOpen,
+		QueueID:  queueID,
+	}
+	// creates the in-cluster config
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		panic(err.Error())
+	}
+	// creates the clientset
+	clientset, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		panic(err.Error())
+	}
+
+	// trap Ctrl+C and call cancel on the context
+	ctx := context.Background()
+	ctx, cancel := context.WithCancel(ctx)
+
+	// Enable signal handler
+	signalCh := make(chan os.Signal, 2)
+	defer func() {
+		close(signalCh)
+		cancel()
+	}()
+	signal.Notify(signalCh, os.Interrupt, unix.SIGINT)
+
+	informersFactory := informers.NewSharedInformerFactory(clientset, 0)
+
+	http.Handle("/metrics", promhttp.Handler())
+	go http.ListenAndServe(metricsBindAddress, nil)
+
+	networkPolicyController := networkpolicy.NewController(
+		clientset,
+		informersFactory.Networking().V1().NetworkPolicies(),
+		informersFactory.Core().V1().Namespaces(),
+		informersFactory.Core().V1().Pods(),
+		cfg,
+	)
+	go networkPolicyController.Run(ctx)
+
+	informersFactory.Start(ctx.Done())
+
+	select {
+	case <-signalCh:
+		klog.Infof("Exiting: received signal")
+		cancel()
+	case <-ctx.Done():
+	}
+
+	// grace period to cleanup resources
+	time.Sleep(5 * time.Second)
+}