
Add Except for Antrea-native ipBlock #6658

Merged (2 commits, Oct 9, 2024)

Conversation

@Dyanngg (Contributor) commented Sep 9, 2024

Fixes #6428

This PR adds an "except" field for all ipBlocks in Antrea-native policies and groups. Users can exclude certain CIDRs from the ipBlock.cidr in all resources that support ipBlocks, including AntreaClusterNetworkPolicy, AntreaNetworkPolicy, ClusterGroup and Group. Group membership and IP association query logic are also updated to accommodate this change. Documentation will follow in a separate PR.

@Dyanngg force-pushed the add-ipblock-except-antrea branch 4 times, most recently from c840536 to cd59fed, September 10, 2024 02:28
@Dyanngg changed the title from "[WIP] Add Except for Antrea-native policy ipBlock" to "Add Except for Antrea-native ipBlock", Sep 11, 2024
@Dyanngg force-pushed the add-ipblock-except-antrea branch 2 times, most recently from cc5df40 to 1153d8c, September 11, 2024 18:18
@Dyanngg added this to the Antrea v2.2 release milestone, Sep 11, 2024
@Dyanngg added the area/network-policy label (Issues or PRs related to network policies), Sep 11, 2024
@Dyanngg force-pushed the add-ipblock-except-antrea branch from 1153d8c to 413edae, September 12, 2024 17:51
@antoninbas antoninbas added action/release-note Indicates a PR that should be included in release notes. kind/feature Categorizes issue or PR as related to a new feature. labels Sep 23, 2024
@antoninbas (Contributor) left a comment

A few minor comments; functionality-wise it seems fine to me.

hopefully @tnqn and @qiyueyao have time to take a quick look as well

pkg/controller/networkpolicy/clustergroup.go (resolved)
pkg/controller/networkpolicy/crd_utils.go (resolved)
Comment on lines +759 to +761
if ipb.CIDR == "" {
return "field 'cidr' is required in an ipBlock", false
}
@antoninbas (Contributor):

We can keep this, but I assume this is guaranteed by the OpenAPI spec?

@Dyanngg (Contributor, Author):

Yes, it should already be guaranteed by OpenAPI; just trying to keep it on par with https://github.com/kubernetes/kubernetes/blob/master/pkg/apis/networking/validation/validation.go#L219

pkg/controller/networkpolicy/validate_test.go (resolved)
test/e2e/antreapolicy_test.go (5 threads, outdated, resolved)

Commits (2), each Signed-off-by: Dyanngg <dingyang@vmware.com>
@Dyanngg Dyanngg force-pushed the add-ipblock-except-antrea branch from 413edae to 1a0c157 Compare September 26, 2024 17:15
@Dyanngg Dyanngg requested a review from antoninbas September 26, 2024 17:20
@antoninbas (Contributor) left a comment

LGTM

@tnqn (Member) left a comment

LGTM, just one question

Comment on lines +1078 to +1080
if multicast && unicast {
return "can not set multicast groupAddress together with unicast ip address", false
}
@tnqn (Member):

Will multicast NetworkPolicy support the except field?

@Dyanngg (Contributor, Author):

This is obviously not supported for IGMP rules, since the addresses you would specify in the protocol are not CIDRs to begin with. In terms of "dropping UDP egress to a multicast CIDR", I would say yes, since the CIDR subtraction logic will be the same for regular and multicast IP addresses.
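As an added worked example (not code from this PR or from Antrea itself), here is one way to implement what the PR description, the required-cidr check discussed above and the multicast question just answered together describe: validate an ipBlock that carries an except list, then compute the CIDRs that remain after subtracting the exceptions, which is the same bisection for unicast and multicast ranges. The IPBlock type and its field names, and the validation rules (non-empty cidr, same IP family, each except a strict subset of cidr, modelled on the Kubernetes NetworkPolicy ipBlock checks) are this example's assumptions, not Antrea's actual implementation.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// IPBlock is a stand-in for an Antrea-native policy ipBlock with the new
// "except" field. The type and field names are assumptions for this example.
type IPBlock struct {
	CIDR   string
	Except []string
}

// ValidateIPBlock parses an ipBlock and rejects what a policy controller must
// never accept: an empty or malformed cidr, an except entry of the other IP
// family, and an except entry that is not a strict subset of cidr (an except
// equal to or larger than cidr would silently make the rule match nothing).
// The rules are this example's own, modelled on Kubernetes ipBlock validation.
func ValidateIPBlock(ipb IPBlock) (netip.Prefix, []netip.Prefix, error) {
	if ipb.CIDR == "" {
		return netip.Prefix{}, nil, errors.New("field 'cidr' is required in an ipBlock")
	}
	cidr, err := netip.ParsePrefix(ipb.CIDR)
	if err != nil {
		return netip.Prefix{}, nil, fmt.Errorf("invalid cidr %q: %w", ipb.CIDR, err)
	}
	cidr = cidr.Masked()
	excepts := make([]netip.Prefix, 0, len(ipb.Except))
	for _, s := range ipb.Except {
		e, err := netip.ParsePrefix(s)
		if err != nil {
			return netip.Prefix{}, nil, fmt.Errorf("invalid except %q: %w", s, err)
		}
		e = e.Masked()
		if e.Addr().Is4() != cidr.Addr().Is4() {
			return netip.Prefix{}, nil, fmt.Errorf("except %q is not the same IP family as cidr %q", s, ipb.CIDR)
		}
		if e.Bits() <= cidr.Bits() || !cidr.Contains(e.Addr()) {
			return netip.Prefix{}, nil, fmt.Errorf("except %q must be a strict subset of cidr %q", s, ipb.CIDR)
		}
		excepts = append(excepts, e)
	}
	return cidr, excepts, nil
}

// halves splits a masked prefix into its two children (one bit longer).
// The caller guarantees the prefix is shorter than the address width.
func halves(p netip.Prefix) (netip.Prefix, netip.Prefix) {
	bits := p.Bits() + 1
	idx, mask := (bits-1)/8, byte(1)<<(7-uint((bits-1)%8))
	lo := netip.PrefixFrom(p.Addr(), bits)
	if p.Addr().Is4() {
		b := p.Addr().As4()
		b[idx] |= mask
		return lo, netip.PrefixFrom(netip.AddrFrom4(b), bits)
	}
	b := p.Addr().As16()
	b[idx] |= mask
	return lo, netip.PrefixFrom(netip.AddrFrom16(b), bits)
}

// Subtract returns the minimal list of CIDRs, in address order, that covers
// exactly cidr minus every prefix in excepts. A block lying entirely inside an
// exception is dropped, a block touching no exception is emitted whole, and a
// block that partially overlaps one is bisected and both halves revisited.
func Subtract(cidr netip.Prefix, excepts []netip.Prefix) []netip.Prefix {
	var out []netip.Prefix
	var walk func(cur netip.Prefix)
	walk = func(cur netip.Prefix) {
		partial := false
		for _, e := range excepts {
			if e.Bits() <= cur.Bits() && e.Contains(cur.Addr()) {
				return // cur is fully excluded
			}
			if e.Overlaps(cur) {
				partial = true
			}
		}
		if !partial {
			out = append(out, cur)
			return
		}
		// A partial overlap means some exception is longer than cur, so cur can be split.
		lo, hi := halves(cur)
		walk(lo)
		walk(hi)
	}
	walk(cidr)
	return out
}

// EffectiveCIDRs is what a controller would hand to the datapath: the
// validated, exception-free list of CIDRs the ipBlock actually matches.
func EffectiveCIDRs(ipb IPBlock) ([]string, error) {
	cidr, excepts, err := ValidateIPBlock(ipb)
	if err != nil {
		return nil, err
	}
	var res []string
	for _, p := range Subtract(cidr, excepts) {
		res = append(res, p.String())
	}
	return res, nil
}

func main() {
	// Constructed sample blocks: a unicast range, the multicast range minus the
	// administratively scoped block, and an invalid block whose except swallows cidr.
	for _, ipb := range []IPBlock{
		{CIDR: "10.0.0.0/24", Except: []string{"10.0.0.0/26"}},
		{CIDR: "224.0.0.0/4", Except: []string{"239.0.0.0/8"}},
		{CIDR: "10.0.0.0/24", Except: []string{"10.0.0.0/24"}},
	} {
		res, err := EffectiveCIDRs(ipb)
		fmt.Printf("%s except %v -> %v (err: %v)\n", ipb.CIDR, ipb.Except, res, err)
	}
}
```

The subtraction never emits two sibling halves: if neither half overlaps an exception, the parent did not either and would have been emitted whole, so the result is the coarsest CIDR cover of the remaining addresses, which keeps the flow-rule count on the datapath side small.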

@Dyanngg (Contributor, Author) commented Sep 27, 2024

/test-all

@antoninbas (Contributor):

/test-conformance

@Dyanngg (Contributor, Author) commented Oct 8, 2024

/test-networkpolicy /test-e2e /test-all-features-conformance

@Dyanngg (Contributor, Author) commented Oct 9, 2024

/test-conformance

@antoninbas (Contributor):

/test-kind-e2e

@antoninbas (Contributor):

antrea-kind-e2e-for-pull-request is broken at the moment (nothing to do with this PR)

@antoninbas antoninbas merged commit d9e37f7 into antrea-io:main Oct 9, 2024
59 of 65 checks passed
hangyan pushed a commit to hangyan/antrea that referenced this pull request Oct 29, 2024 (commit message identical to the PR description above, Signed-off-by: Dyanngg <dingyang@vmware.com>)
Labels: action/release-note (Indicates a PR that should be included in release notes), area/network-policy (Issues or PRs related to network policies), kind/feature (Categorizes issue or PR as related to a new feature)

Linked issue (may be closed by merging this pull request): add except to ipBlock
3 participants