Adds support for MultiNetworkPolicy definitions #907

Merged
merged 26 commits into from
Oct 9, 2024
Changes from 25 commits
Commits
26 commits
a293e29
Adds support for MultiNetworkPolicy objects
nkinkade Sep 11, 2024
183d8ff
Condenses multi-networkpolicy configmaps into a single one
nkinkade Sep 11, 2024
3ade9cb
Fixes location of closing bracket in multi-networkpolicy configmap
nkinkade Sep 12, 2024
bf865c5
Fixes multi-networkplicy DaemonSet and add test policy for NDT
nkinkade Sep 12, 2024
4dd2750
Changes experiment net-attach-defs to CNI v0.3.1
nkinkade Sep 17, 2024
d662e73
Use v1beta2 of MultiNetworkPolicy
nkinkade Sep 19, 2024
f898d0e
Removes namespaceSelector from MultiNetworkPolicy
nkinkade Sep 19, 2024
6e6afa3
Uses image from m-lab fork of multi-networkpolicy-iptables
nkinkade Sep 24, 2024
fa43ae0
Adds MultiNetworkPolicy defs for msak, revt, wehe and neubot
nkinkade Sep 24, 2024
f259e11
Modifies the allowed ports for revtr in its MultiNetworkPolicy
nkinkade Sep 25, 2024
f3774ab
Loads MultiNetworkPolicies for mask, revtr, wehe and neubot
nkinkade Sep 25, 2024
38468ff
Adds podSelectors for MultiNetworkPolicies
nkinkade Sep 25, 2024
4c10942
Formats MultiNetworkPolicies as jsonnet
nkinkade Sep 25, 2024
64b4d5f
Removes podSelector from MultiNetworkPolicies
nkinkade Sep 26, 2024
6c6697b
Removes sample iptables custom rules from configmap
nkinkade Oct 7, 2024
f5e0d85
Adds new MultiNetworkPolicy template to templates.jsonnet
nkinkade Oct 9, 2024
515ed6c
Adds a MultiNetworkPolicy definition to the ndt.jsonnet manifest
nkinkade Oct 9, 2024
4b6ad50
Adds MultiNetworkPolicy definition to revtr manifest
nkinkade Oct 9, 2024
d44b36c
Adds MultiNetworkPolicy definition to the wehe manifest
nkinkade Oct 9, 2024
f55707a
Adds MultiNetworkPolicy definition to msak manifest
nkinkade Oct 9, 2024
3033844
Adds MultiNetworkPolicy definition to neubot manifest
nkinkade Oct 9, 2024
f3d0462
Removes static MultiNetworkPolicy definitions
nkinkade Oct 9, 2024
3d94eb8
Flattens arrays for experiment imports in system.jsonnet
nkinkade Oct 9, 2024
3793317
Removes import of now nonexistent static MultiNetworkPolicies
nkinkade Oct 9, 2024
bdf364c
Casts endPort string to an int
nkinkade Oct 9, 2024
4e48d2d
Adds additional comments clarify custom iptables rules
nkinkade Oct 9, 2024
37 changes: 37 additions & 0 deletions config/multi-networkpolicy.jsonnet
@@ -0,0 +1,37 @@
{
kind: 'ConfigMap',
apiVersion: 'v1',
metadata: {
name: 'multi-networkpolicy-custom-rules',
namespace: 'kube-system',
labels: {
tier: 'node',
app: 'multi-networkpolicy',
},
},
// Add custom iptables rules below. The rules will not be applied unless you
// pass at least one of the following flags to multi-networkpolicy:
//
// --custom-v4-igress-rule-file
// --custom-v4-egress-rule-file
// --custom-v6-igress-rule-file
// --custom-v4-egress-rule-file
//
// Add iptables rules one per line in the appropriate sections below, minus
// "iptables -A <chain>" as that is added for you by multi-networkpolicy.
data: {
'custom-v4-ingress-rules.txt': |||
# No custom rules, yet.
|||,
'custom-v4-egress-rules.txt': |||
# No custom rules, yet.
|||,
'custom-v6-ingress-rules.txt': |||
# No custom rules, yet.
|||,
'custom-v6-egress-rules.txt': |||
# No custom rules, yet.
|||,
},
}
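Review bot: The flag list in the comment at `// --custom-v4-igress-rule-file` and `// --custom-v6-igress-rule-file` misspells "ingress", and the fourth entry repeats `--custom-v4-egress-rule-file` where the `custom-v6-egress-rules.txt` key below suggests `--custom-v6-egress-rule-file` was meant. Since this comment is what tells an operator how to turn the rules on, the four lines should read `--custom-v4-ingress-rule-file`, `--custom-v4-egress-rule-file`, `--custom-v6-ingress-rule-file`, `--custom-v6-egress-rule-file` (confirm against the binary's own option list). It is also worth saying in the same comment that once any of those flags is set, every line in these files is installed as an iptables rule on every node, so write access to this ConfigMap in kube-system is effectively node-level privilege and its RBAC should be restricted accordingly, e.g. `// NOTE: anyone who can edit this ConfigMap can install iptables rules on every node once the flags are enabled.`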

775 changes: 775 additions & 0 deletions k8s/custom-resource-definitions/multi-networkpolicy.jsonnet


118 changes: 118 additions & 0 deletions k8s/daemonsets/core/multi-networkpolicy.jsonnet
@@ -0,0 +1,118 @@
{
apiVersion: 'apps/v1',
kind: 'DaemonSet',
metadata: {
name: 'multi-networkpolicy',
namespace: 'kube-system',
labels: {
tier: 'node',
app: 'multi-networkpolicy',
name: 'multi-networkpolicy',
},
},
spec: {
selector: {
matchLabels: {
name: 'multi-networkpolicy',
},
},
updateStrategy: {
type: 'RollingUpdate',
},
template: {
metadata: {
labels: {
tier: 'node',
app: 'multi-networkpolicy',
name: 'multi-networkpolicy',
},
},
spec: {
hostNetwork: true,
nodeSelector: {
'kubernetes.io/arch': 'amd64',
},
tolerations: [
{
operator: 'Exists',
effect: 'NoSchedule',
},
],
serviceAccountName: 'multi-networkpolicy',
containers: [
{
name: 'multi-networkpolicy',
image: 'measurementlab/multi-networkpolicy-iptables:latest',
imagePullPolicy: 'Always',
command: [
'/usr/bin/multi-networkpolicy-iptables',
],
args: [
'--accept-icmp',
'--accept-icmpv6',
'--container-runtime-endpoint=/run/containerd/containerd.sock',
'--host-prefix=/host',
'--network-plugins=netctl,ipvlan',
'--pod-iptables=/var/lib/multi-networkpolicy/iptables',
],
resources: {
requests: {
cpu: '100m',
memory: '80Mi',
},
limits: {
cpu: '100m',
memory: '150Mi',
},
},
securityContext: {
privileged: true,
capabilities: {
add: [
'SYS_ADMIN',
'NET_ADMIN',
],
},
},
volumeMounts: [
{
name: 'host',
mountPath: '/host',
},
{
name: 'var-lib-multinetworkpolicy',
mountPath: '/var/lib/multi-networkpolicy',
},
{
name: 'multi-networkpolicy-custom-rules',
mountPath: '/etc/multi-networkpolicy/rules',
readOnly: true,
},
],
},
],
volumes: [
{
name: 'host',
hostPath: {
path: '/',
},
},
{
name: 'var-lib-multinetworkpolicy',
hostPath: {
path: '/var/lib/multi-networkpolicy',
},
},
{
name: 'multi-networkpolicy-custom-rules',
configMap: {
name: 'multi-networkpolicy-custom-rules',
},
},
],
},
},
},
}
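Review bot: `image: 'measurementlab/multi-networkpolicy-iptables:latest'` together with `imagePullPolicy: 'Always'` runs an unpinned, privileged, hostNetwork workload on every node, so whatever is pushed to that tag next is rolled out on the next pod restart with no review step; pin it to a version tag or digest, e.g. `image: 'measurementlab/multi-networkpolicy-iptables:<pinned-tag-or-sha256-digest>'`. The securityContext sets `privileged: true` and then adds `SYS_ADMIN` and `NET_ADMIN`; privileged already grants every capability, so the explicit list is redundant and reads as if the set were restricted — either drop `privileged` if the binary runs with just those two capabilities, or drop the `add` list and comment why privileged is required. The hostPath `/` volume is mounted read-write at `/host`; if the process only reads netns/proc paths through `--host-prefix=/host`, `readOnly: true` on that mount would narrow the blast radius (this needs confirming against what the binary actually writes). None of the `--custom-*-rule-file` flags appear in `args`, so the mounted `multi-networkpolicy-custom-rules` ConfigMap is currently inert, which matches that ConfigMap's own comment but is worth stating here too so nobody assumes the rules are live.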

207 changes: 107 additions & 100 deletions k8s/daemonsets/experiments/msak.jsonnet
Expand Up @@ -7,116 +7,123 @@ local services = [
'msak/latency1=http:///latency/v1/authorize,https:///latency/v1/authorize,http:///latency/v1/result,https:///latency/v1/result',
];

exp.Experiment(expName, 1, 'pusher-' + std.extVar('PROJECT_ID'), "none", [], datatypes) + {
spec+: {
template+: {
metadata+: {
annotations+: {
'secret.reloader.stakater.com/reload': 'measurement-lab-org-tls',
},
},
spec+: {
serviceAccountName: 'heartbeat-experiment',
initContainers+: [
{
// Copy the JSON schema where jostler expects it to be.
name: 'copy-schema',
image: 'measurementlab/msak:' + expVersion,
command: [
'/bin/sh',
'-c',
'cp /msak/throughput1.json /var/spool/datatypes/throughput1.json && ' +
'cp /msak/latency1.json /var/spool/datatypes/latency1.json',
],
volumeMounts: [
exp.VolumeMountDatatypes(expName),
],
// List of ports that need to be opened in the pod network namespace.
local ports = ['80/TCP', '443/TCP', '1053/UDP'];

[
exp.Experiment(expName, 1, 'pusher-' + std.extVar('PROJECT_ID'), "none", [], datatypes) + {
spec+: {
template+: {
metadata+: {
annotations+: {
'secret.reloader.stakater.com/reload': 'measurement-lab-org-tls',
},
],
containers+: [
{
args: [
'-ws_addr=:80',
'-wss_addr=:443',
'-cert=/certs/tls.crt',
'-key=/certs/tls.key',
'-datadir=/var/spool/' + expName,
'-token.machine=$(NODE_NAME)',
'-token.verify-key=/verify/jwk_sig_EdDSA_locate_20200409.pub',
'-token.verify=true',
'-uuid-prefix-file=' + exp.uuid.prefixfile,
'-prometheusx.listen-address=$(PRIVATE_IP):9990',
],
env: [
{
name: 'NODE_NAME',
valueFrom: {
fieldRef: {
fieldPath: 'spec.nodeName',
},
spec+: {
serviceAccountName: 'heartbeat-experiment',
initContainers+: [
{
// Copy the JSON schema where jostler expects it to be.
name: 'copy-schema',
image: 'measurementlab/msak:' + expVersion,
command: [
'/bin/sh',
'-c',
'cp /msak/throughput1.json /var/spool/datatypes/throughput1.json && ' +
'cp /msak/latency1.json /var/spool/datatypes/latency1.json',
],
volumeMounts: [
exp.VolumeMountDatatypes(expName),
],
},
],
containers+: [
{
args: [
'-ws_addr=:80',
'-wss_addr=:443',
'-cert=/certs/tls.crt',
'-key=/certs/tls.key',
'-datadir=/var/spool/' + expName,
'-token.machine=$(NODE_NAME)',
'-token.verify-key=/verify/jwk_sig_EdDSA_locate_20200409.pub',
'-token.verify=true',
'-uuid-prefix-file=' + exp.uuid.prefixfile,
'-prometheusx.listen-address=$(PRIVATE_IP):9990',
],
env: [
{
name: 'NODE_NAME',
valueFrom: {
fieldRef: {
fieldPath: 'spec.nodeName',
},
},
},
},
{
name: 'PRIVATE_IP',
valueFrom: {
fieldRef: {
fieldPath: 'status.podIP',
{
name: 'PRIVATE_IP',
valueFrom: {
fieldRef: {
fieldPath: 'status.podIP',
},
},
},
],
image: 'measurementlab/msak:' + expVersion,
name: 'msak',
command: [
'/msak/msak-server',
],
securityContext: {
capabilities: {
drop: [
'all',
],
},
},
],
image: 'measurementlab/msak:' + expVersion,
name: 'msak',
command: [
'/msak/msak-server',
],
securityContext: {
capabilities: {
drop: [
'all',
],
},
volumeMounts: [
{
mountPath: '/certs',
name: 'measurement-lab-org-tls',
readOnly: true,
},
{
mountPath: '/verify',
name: 'locate-verify-keys',
readOnly: true,
},
exp.uuid.volumemount,
] + [
exp.VolumeMount(expName + '/' + d) for d in datatypes
],
ports: [
{
containerPort: 9990,
},
],
},
volumeMounts: [
{
mountPath: '/certs',
name: 'measurement-lab-org-tls',
readOnly: true,
},
{
mountPath: '/verify',
name: 'locate-verify-keys',
readOnly: true,
},
exp.uuid.volumemount,
] + [
exp.VolumeMount(expName + '/' + d) for d in datatypes
],
ports: [
{
containerPort: 9990,
] + std.flattenArrays([
exp.Heartbeat(expName, false, services),
]),
volumes+: [
{
name: 'measurement-lab-org-tls',
secret: {
secretName: 'measurement-lab-org-tls',
},
],
},
] + std.flattenArrays([
exp.Heartbeat(expName, false, services),
]),
volumes+: [
{
name: 'measurement-lab-org-tls',
secret: {
secretName: 'measurement-lab-org-tls',
},
},
{
name: 'locate-verify-keys',
secret: {
secretName: 'locate-verify-keys',
{
name: 'locate-verify-keys',
secret: {
secretName: 'locate-verify-keys',
},
},
},
exp.Metadata.volume,
],
exp.Metadata.volume,
],
},
},
},
},
}
exp.MultiNetworkPolicy(expName, 1, ports),
]
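Review bot: The allow-list `local ports = ['80/TCP', '443/TCP', '1053/UDP'];` admits a UDP port that nothing in the visible container args binds (only `-ws_addr=:80` and `-wss_addr=:443` are set), so a reader auditing the policy cannot tell from this file why 1053/UDP is opened; a comment on that entry, e.g. `// 1053/UDP: <purpose, e.g. the msak latency UDP listener — confirm against the server's defaults>`, would make the allow-list reviewable. The preceding comment `// List of ports that need to be opened in the pod network namespace.` also reads broader than what a MultiNetworkPolicy does — it presumably scopes ingress on the attached secondary network(s) only — so `// Ports admitted as ingress by the experiment's MultiNetworkPolicy.` would be more accurate. The literal `1` passed to both `exp.Experiment` and `exp.MultiNetworkPolicy(expName, 1, ports)` is undocumented here; if it is the same network index in both calls, a named local would make that intent explicit and keep the two from drifting apart. The file's `local` definitions begin above the hunk.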
