support disable networkpolicy

Signed-off-by: bingshen.wbs <bingshen.wbs@alibaba-inc.com>

Dockerfile

@@ -27,7 +27,8 @@ RUN cd /go/src/github.com/projectcalico/felix && \
 
 FROM alpine:3.8
 COPY policy/policyinit.sh /bin/
-RUN apk --update add curl ipset bash iproute2 ethtool bridge-utils && chmod +x /bin/policyinit.sh && rm -f /var/cache/apk/*
+COPY policy/uninstall_policy.sh /bin/
+RUN apk --update add curl ipset bash iproute2 ethtool bridge-utils socat grep findutils && chmod +x /bin/policyinit.sh /bin/uninstall_policy.sh && rm -f /var/cache/apk/*
 COPY --from=felix-builder /go/src/github.com/projectcalico/felix/bin/calico-felix-amd64 /bin/calico-felix
 RUN chmod +x /bin/calico-felix
 COPY --from=builder /go/src/github.com/AliyunContainerService/terway/terwayd /usr/bin/terwayd

policy/policyinit.sh

@@ -2,8 +2,8 @@
 export DATASTORE_TYPE=kubernetes
 if [ "$DATASTORE_TYPE" = "kubernetes" ]; then
     if [ -z "$KUBERNETES_SERVICE_HOST" ]; then
-       echo "can not found k8s apiserver service env, exiting"
-       exit 1
+        echo "can not found k8s apiserver service env, exiting"
+        exit 1
     fi
 fi
 export FELIX_LOGSEVERITYSYS=none
@@ -28,4 +28,9 @@ fi
 if [ ! -z $DATASTORE_TYPE ]; then
     export FELIX_DATASTORETYPE=$DATASTORE_TYPE
 fi
-exec calico-felix
+
+if [ -z $DISABLE_POLICY ] || [ x"$DISABLE_POLICY" == x"false" ] || [ x"$DISABLE_POLICY" == x"0" ]; then
+    exec calico-felix
+else
+    exec uninstall_policy.sh
+fi

policy/uninstall_policy.sh

@@ -0,0 +1,68 @@
+#!/bin/sh
+
+
+config_masquerade() {
+    # Set the CALICO_IPV4POOL_CIDR environment variable to the appropriate CIDR for this cluster if Calico is adding the traffic.
+    if [ "$CALICO_IPV4POOL_CIDR" != "" ]; then
+        clusterCIDR=$CALICO_IPV4POOL_CIDR
+
+        # Set up NAT rule so traffic gets masqueraded if it is going to any subnet other than cluster-cidr.
+        echo "Adding masquerade rule for traffic going from $clusterCIDR to ! $clusterCIDR"
+
+        if ! iptables -t nat -L terway-brb-masq; then
+            # Create a new chain in nat table.
+            iptables -t nat -N terway-brb-masq
+        fi
+
+        if ! iptables -t nat -L POSTROUTING | grep -q terway-brb; then
+            # Append that chain to POSTROUTING table.
+            iptables -t nat -A POSTROUTING -m comment --comment "terway:masq-outgoing" -j terway-brb-masq
+        fi
+
+        if ! iptables -t nat -L terway-brb-masq | grep -q $clusterCIDR; then
+            # Add MASQUERADE rule for traffic from clusterCIDR to non-clusterCIDR.
+            iptables -t nat -A terway-brb-masq -s $clusterCIDR ! -d $clusterCIDR -j MASQUERADE
+        fi
+    fi
+}
+
+cleanup_felix() {
+    # Set FORWARD action to ACCEPT so outgoing packets can go through POSTROUTING chains.
+    echo "Setting default FORWARD action to ACCEPT..."
+    iptables -P FORWARD ACCEPT
+
+    # Make sure ip_forward sysctl is set to allow ip forwarding.
+    sysctl -w net.ipv4.ip_forward=1
+
+    echo "Starting the flush Calico policy rules..."
+    echo "Make sure calico-node DaemonSet is stopped before this gets executed."
+
+    echo "Flushing all the calico iptables chains in the nat table..."
+    iptables-save -t nat | grep -oP '(?<!^:)cali-[^ ]+' | while read line; do iptables -t nat -F $line; done
+
+    echo "Flushing all the calico iptables chains in the raw table..."
+    iptables-save -t raw | grep -oP '(?<!^:)cali-[^ ]+' | while read line; do iptables -t raw -F $line; done
+
+    echo "Flushing all the calico iptables chains in the mangle table..."
+    iptables-save -t mangle | grep -oP '(?<!^:)cali-[^ ]+' | while read line; do iptables -t mangle -F $line; done
+
+    echo "Flushing all the calico iptables chains in the filter table..."
+    iptables-save -t filter | grep -oP '(?<!^:)cali-[^ ]+' | while read line; do iptables -t filter -F $line; done
+
+    echo "Cleaning up calico rules from the nat table..."
+    iptables-save -t nat | grep -e '--comment "cali:' | cut -c 3- | sed 's/^ *//;s/ *$//' | xargs -l1 iptables -t nat -D
+
+    echo "Cleaning up calico rules from the raw table..."
+    iptables-save -t raw | grep -e '--comment "cali:' | cut -c 3- | sed 's/^ *//;s/ *$//' | xargs -l1 iptables -t raw -D
+
+    echo "Cleaning up calico rules from the mangle table..."
+    iptables-save -t mangle | grep -e '--comment "cali:' | cut -c 3- | sed 's/^ *//;s/ *$//' | xargs -l1 iptables -t mangle -D
+
+    echo "Cleaning up calico rules from the filter table..."
+    iptables-save -t filter | grep -e '--comment "cali:' | cut -c 3- | sed 's/^ *//;s/ *$//' | xargs -l1 iptables -t filter -D
+}
+
+config_masquerade
+cleanup_felix
+# for health check
+exec socat PIPE TCP-LISTEN:9099,fork

terway-multiip.yml

@@ -83,6 +83,7 @@ data:
       "eniip_virtual_type": "Veth"
     }
   # eniip_virtual_type: virtual type for eni multi ip "Veth" || "IPVlan"
+  disable_network_policy: "false"
 
 ---
 
@@ -168,6 +169,12 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
+        - name: DISABLE_POLICY
+          valueFrom:
+            configMapKeyRef:
+              name: eni-config
+              key: disable_network_policy
+              optional: true
         securityContext:
           privileged: true
         resources:

terway.yml

@@ -78,7 +78,7 @@ data:
       "name": "terway",
       "type": "terway"
     }
-
+  disable_network_policy: "false"
 ---
 
 apiVersion: extensions/v1beta1
@@ -155,6 +155,12 @@ spec:
                 fieldPath: spec.nodeName
           - name: Network
             value: 172.16.0.0/16
+          - name: DISABLE_POLICY
+            valueFrom:
+              configMapKeyRef:
+                name: eni-config
+                key: disable_network_policy
+                optional: true
         securityContext:
           privileged: true
         resources: