Add an example that shows how NSE's IPAM Policies work

examples/features/README.md

@@ -35,4 +35,5 @@ To run any feature example follow steps for [Basic NSM setup](../basic)
 - [NSC connects to multiple services](./multiple-services)
 - [Scaled Registry K8s](./scaled-registry)
 - [NSC changes endpoints dynamically](./change-nse-dynamically)
+- [NSE IPAM Policies](./ipam-policies)
 

examples/features/ipam-policies/README.md

@@ -0,0 +1,76 @@
+# Feature IPAM Policies
+
+This example shows how NSM Endpoint can use different IPAM policies to manage IP context of connections.
+
+At this moment only NSEs have two IPAM policies:
+
+1. `default` IPAM Policy accepts any address and route sent by NSM client.
+
+2. `strict` IPAM Policy checks `source` and `destination` addresses of NSC's IP context and resets it if any of the 
+addresses do not belong to NSE's IP Pool.
+
+## Requires
+
+Make sure that you have completed steps from [basic](../../basic) setup.
+
+## Run
+
+Deploy the client and the first NSE with CIDR `172.16.1.0/31` and `default` IPAM Policy:
+```bash
+kubectl apply -k https://github.com/networkservicemesh/deployments-k8s/examples/features/ipam-policies?ref=aa271c57a3752a6115f8fd74473ecdea0ea5b12c
+```
+
+Wait for applications ready:
+```bash
+kubectl wait --for=condition=ready --timeout=1m pod -l app=alpine -n ns-ipam-policies
+```
+```bash
+kubectl wait --for=condition=ready --timeout=1m pod -l app=first-nse -n ns-ipam-policies
+```
+
+Ping the first NSE from the client:
+```bash
+kubectl exec pods/alpine -n ns-ipam-policies -- ping -c 4 172.16.1.0
+```
+
+Ping the client from the first NSE:
+```bash
+kubectl exec pods/first-nse -n ns-ipam-policies -- ping -c 4 172.16.1.1
+```
+
+Delete the first NSE:
+```bash
+kubectl delete pod -l app=first-nse -n ns-ipam-policies
+```
+
+Apply the second NSE with CIDR `172.16.2.0/31` and `strict` IPAM Policy:
+```bash
+kubectl apply -f https://raw.githubusercontent.com/networkservicemesh/deployments-k8s/aa271c57a3752a6115f8fd74473ecdea0ea5b12c/examples/features/ipam-policies/second-nse.yaml -n ns-ipam-policies
+```
+
+Ping the second NSE from the client:
+```bash
+kubectl exec pods/alpine -n ns-ipam-policies -- ping -c 4 172.16.2.0
+```
+
+Ping the client from the second NSE:
+```bash
+kubectl exec pods/second-nse -n ns-ipam-policies -- ping -c 4 172.16.2.1
+```
+
+Check routes on the client. They should contain only the routes from CIDR `172.16.2.0/31`:
+```bash
+routes=$(kubectl exec pods/alpine -n ns-ipam-policies -- ip r show dev nsm-1 | xargs) # Use xargs here just to trim whitespaces in the routes
+if [[ "$routes" != "172.16.2.0 dev nsm-1" ]]; then
+    echo "routes on the client are invalid"
+    exit
+fi
+```
+
+
+## Cleanup
+
+Delete ns:
+```bash
+kubectl delete ns ns-ipam-policies
+```

examples/features/ipam-policies/client.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: alpine
+  labels:
+    app: alpine
+  annotations:
+    networkservicemesh.io: kernel://ipam-policies/nsm-1
+spec:
+  containers:
+  - name: alpine
+    image: alpine:3.15.0
+    imagePullPolicy: IfNotPresent
+    # simple `sleep` command would work
+    # but we need `trap` to be able to delete pods quckly
+    command: ["/bin/sh", "-c", "trap : TERM INT; sleep infinity & wait"]

examples/features/ipam-policies/first-nse.yaml

@@ -0,0 +1,55 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: first-nse
+  labels:
+    app: first-nse
+    "spiffe.io/spiffe-id": "true"
+spec:
+  containers:
+    - name: nse
+      image: cmd-nse-icmp-responder
+      imagePullPolicy: IfNotPresent
+      env:
+        - name: SPIFFE_ENDPOINT_SOCKET
+          value: unix:///run/spire/sockets/agent.sock
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: NSM_NAME
+          value: "$(POD_NAME)"
+        - name: NSM_LOG_LEVEL
+          value: TRACE
+        - name: NSM_CONNECT_TO
+          value: unix:///var/lib/networkservicemesh/nsm.io.sock
+        - name: NSM_SERVICE_NAMES
+          value: "ipam-policies"
+        - name: NSM_REGISTER_SERVICE
+          value: "false"
+        - name: NSM_CIDR_PREFIX
+          value: 172.16.1.0/31
+      volumeMounts:
+        - name: spire-agent-socket
+          mountPath: /run/spire/sockets
+          readOnly: true
+        - name: nsm-socket
+          mountPath: /var/lib/networkservicemesh
+          readOnly: true
+      resources:
+        requests:
+          cpu: 100m
+          memory: 40Mi
+        limits:
+          memory: 80Mi
+          cpu: 200m
+  volumes:
+    - name: spire-agent-socket
+      hostPath:
+        path: /run/spire/sockets
+        type: Directory
+    - name: nsm-socket
+      hostPath:
+        path: /var/lib/networkservicemesh
+        type: DirectoryOrCreate

examples/features/ipam-policies/kustomization.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: ns-ipam-policies
+
+resources:
+- ns-ipam-policies.yaml
+- netsvc.yaml
+- client.yaml
+- first-nse.yaml

examples/features/ipam-policies/netsvc.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: networkservicemesh.io/v1
+kind: NetworkService
+metadata:
+  name: ipam-policies
+spec:
+  payload: ETHERNET

examples/features/ipam-policies/ns-ipam-policies.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ns-ipam-policies

examples/features/ipam-policies/second-nse.yaml

@@ -0,0 +1,57 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: second-nse
+  labels:
+    app: second-nse
+    "spiffe.io/spiffe-id": "true"
+spec:
+  containers:
+    - name: nse
+      image: cmd-nse-icmp-responder
+      imagePullPolicy: IfNotPresent
+      env:
+        - name: SPIFFE_ENDPOINT_SOCKET
+          value: unix:///run/spire/sockets/agent.sock
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: NSM_NAME
+          value: "$(POD_NAME)"
+        - name: NSM_LOG_LEVEL
+          value: TRACE
+        - name: NSM_CONNECT_TO
+          value: unix:///var/lib/networkservicemesh/nsm.io.sock
+        - name: NSM_SERVICE_NAMES
+          value: "ipam-policies"
+        - name: NSM_REGISTER_SERVICE
+          value: "false"
+        - name: NSM_IPAM_POLICY
+          value: strict
+        - name: NSM_CIDR_PREFIX
+          value: 172.16.2.0/31
+      volumeMounts:
+        - name: spire-agent-socket
+          mountPath: /run/spire/sockets
+          readOnly: true
+        - name: nsm-socket
+          mountPath: /var/lib/networkservicemesh
+          readOnly: true
+      resources:
+        requests:
+          cpu: 100m
+          memory: 40Mi
+        limits:
+          memory: 80Mi
+          cpu: 200m
+  volumes:
+    - name: spire-agent-socket
+      hostPath:
+        path: /run/spire/sockets
+        type: Directory
+    - name: nsm-socket
+      hostPath:
+        path: /var/lib/networkservicemesh
+        type: DirectoryOrCreate