Merge pull request #3 from JacobTanenbaum/priv-release-4.9-netpol

Bug 2055379: [release-4.9] support new ingress pipeline option for ACLs

dist/images/Dockerfile.fedora

@@ -9,13 +9,13 @@
 # are built locally and included in the image (instead of the rpm)
 #
 
-FROM fedora:33
+FROM fedora:35
 
 USER root
 
 ENV PYTHONDONTWRITEBYTECODE yes
 
-ARG ovnver=ovn-21.03.0-32.fc33
+ARG ovnver=ovn-21.12.0-5.fc35
 
 # install needed rpms - openvswitch must be 2.10.4 or higher
 RUN INSTALL_PKGS=" \

go-controller/pkg/ovn/gress_policy.go

@@ -351,7 +351,11 @@ func (gp *gressPolicy) localPodSetACL(portGroupName, portGroupUUID string, aclLo
 // addOrModifyACLAllow adds or modifies an ACL with a given match to the given Port Group
 func (gp *gressPolicy) addOrModifyACLAllow(match, l4Match, portGroupUUID string, ipBlockCIDR int, aclLogging string) error {
 	var direction, action, aclName, ipBlockCIDRString string
-	direction = types.DirectionToLPort
+	if gp.policyType == knet.PolicyTypeIngress {
+		direction = types.DirectionToLPort
+	} else {
+		direction = types.DirectionFromLPort
+	}
 	action = "allow-related"
 	aclName = fmt.Sprintf("%s_%s_%v", gp.policyNamespace, gp.policyName, gp.idx)
 
@@ -383,16 +387,19 @@ func (gp *gressPolicy) addOrModifyACLAllow(match, l4Match, portGroupUUID string,
 
 	if uuid != "" {
 		// We already have an ACL. We will update it.
-		_, stderr, err = util.RunOVNNbctl("set", "acl", uuid,
+		aclSetCMD := []string{"set", "acl", uuid,
 			match,
 			fmt.Sprintf("priority=%s", types.DefaultAllowPriority),
 			fmt.Sprintf("direction=%s", direction),
 			fmt.Sprintf("action=%s", action),
 			fmt.Sprintf("log=%t", aclLogging != ""),
 			fmt.Sprintf("severity=%s", getACLLoggingSeverity(aclLogging)),
 			fmt.Sprintf("meter=%s", types.OvnACLLoggingMeter),
-			fmt.Sprintf("name=%.63s", aclName),
-		)
+			fmt.Sprintf("name=%.63s", aclName)}
+		if gp.policyType == knet.PolicyTypeEgress {
+			aclSetCMD = append(aclSetCMD, "options:apply-after-lb=true")
+		}
+		_, stderr, err = util.RunOVNNbctl(aclSetCMD...)
 		if err != nil {
 			return fmt.Errorf("failed to modify the allow-from rule for "+
 				"namespace=%s, policy=%s, stderr: %q (%v)",
@@ -401,7 +408,7 @@ func (gp *gressPolicy) addOrModifyACLAllow(match, l4Match, portGroupUUID string,
 		return nil
 	}
 
-	_, stderr, err = util.RunOVNNbctl("--id=@acl", "create",
+	aclCreateCMD := []string{"--id=@acl", "create",
 		"acl", fmt.Sprintf("priority=%s", types.DefaultAllowPriority),
 		fmt.Sprintf("direction=%s", direction),
 		match,
@@ -415,8 +422,12 @@ func (gp *gressPolicy) addOrModifyACLAllow(match, l4Match, portGroupUUID string,
 		fmt.Sprintf("external-ids:namespace=%s", gp.policyNamespace),
 		fmt.Sprintf("external-ids:policy=%s", gp.policyName),
 		fmt.Sprintf("external-ids:%s_num=%d", gp.policyType, gp.idx),
-		fmt.Sprintf("external-ids:policy_type=%s", gp.policyType),
-		"--", "add", "port_group", portGroupUUID, "acls", "@acl")
+		fmt.Sprintf("external-ids:policy_type=%s", gp.policyType)}
+	if gp.policyType == knet.PolicyTypeEgress {
+		aclCreateCMD = append(aclCreateCMD, "options:apply-after-lb=true")
+	}
+	aclCreateCMD = append(aclCreateCMD, "--", "add", "port_group", portGroupUUID, "acls", "@acl")
+	_, stderr, err = util.RunOVNNbctl(aclCreateCMD...)
 	if err != nil {
 		return fmt.Errorf("failed to create the acl allow rule for "+
 			"namespace=%s, policy=%s, stderr: %q (%v)", gp.policyNamespace,

go-controller/pkg/ovn/policy.go

@@ -128,6 +128,38 @@ func (oc *Controller) syncNetworkPolicies(networkPolicies []interface{}) {
 	if err != nil {
 		klog.Errorf("Error in syncing network policies: %v", err)
 	}
+
+	// update Egress Network policies ACLs
+	updateList := []string{}
+	// get the default ACLs put on namespaces by networkPolicies
+	uuids, stderr, err := util.RunOVNNbctl("--data=bare", "--no-heading",
+		"--columns=_uuid", "find", "ACL", "direction="+types.DirectionToLPort,
+		fmt.Sprintf("external-ids:default-deny-policy-type=%s", knet.PolicyTypeEgress))
+	if err != nil {
+		klog.Errorf("cannot update Network policy Egress ACLs:(%q) %+v", stderr, err)
+	} else {
+		updateList = append(updateList, strings.Split(uuids, "\n")...)
+	}
+	// get the ACLs generated by the network policies themselves
+	uuids, stderr, err = util.RunOVNNbctl("--data=bare", "--no-heading",
+		"--columns=_uuid", "find", "ACL", "direction="+types.DirectionToLPort,
+		fmt.Sprintf("external-ids:policy_type=%s", knet.PolicyTypeEgress))
+	if err != nil {
+		klog.Errorf("cannot update Network policy Egress ACLs:(%q) %+v", stderr, err)
+	} else {
+		updateList = append(updateList, strings.Split(uuids, "\n")...)
+	}
+	for _, uuid := range updateList {
+		// when the uuids return with none there will be at least one empty entry appended
+		if uuid == "" {
+			continue
+		}
+		if _, stderr, err := util.RunOVNNbctl("set", "acl", uuid,
+			fmt.Sprintf("direction=%s", types.DirectionFromLPort), "options:apply-after-lb=true"); err != nil {
+			klog.Errorf("failed to update EgressACL (%s), stderr: %q (%v)", uuid, stderr, err)
+		}
+	}
+
 }
 
 func addAllowACLFromNode(logicalSwitch string, mgmtPortIP net.IP, ovnNBClient goovn.Client) error {
@@ -198,15 +230,21 @@ func addACLPortGroup(policyNamespace, portGroupUUID, direction, priority, match,
 	} else {
 		policyName = policyNamespace
 	}
-	_, stderr, err := util.RunOVNNbctl("--id=@acl", "create", "acl",
+	createACLCommand := []string{"--id=@acl", "create", "acl",
 		fmt.Sprintf("priority=%s", priority),
-		fmt.Sprintf("direction=%s", direction), match, "action="+action,
+		fmt.Sprintf("direction=%s", direction),
+		match,
+		"action=" + action,
 		fmt.Sprintf("log=%t", aclLogging != ""), fmt.Sprintf("severity=%s", getACLLoggingSeverity(aclLogging)),
 		fmt.Sprintf("meter=%s", types.OvnACLLoggingMeter),
 		fmt.Sprintf("name=%.63s", policyName),
-		fmt.Sprintf("external-ids:default-deny-policy-type=%s", policyType),
-		"--", "add", "port_group", portGroupUUID,
-		"acls", "@acl")
+		fmt.Sprintf("external-ids:default-deny-policy-type=%s", policyType)}
+	if policyType == knet.PolicyTypeEgress {
+		createACLCommand = append(createACLCommand, "options:apply-after-lb=true")
+	}
+	createACLCommand = append(createACLCommand, "--", "add", "port_group", portGroupUUID, "acls", "@acl")
+
+	_, stderr, err := util.RunOVNNbctl(createACLCommand...)
 	if err != nil {
 		return fmt.Errorf("error executing create ACL command for "+
 			"policy type %s stderr: %q (%v)", policyType, stderr, err)
@@ -294,25 +332,28 @@ func defaultDenyPortGroup(namespace, gressSuffix string) string {
 // must be called with a write lock on nsInfo
 func (oc *Controller) createDefaultDenyPortGroup(ns string, nsInfo *namespaceInfo, policyType knet.PolicyType, aclLogging string, policyName string) error {
 	var portGroupName string
+	var direction string
 	if policyType == knet.PolicyTypeIngress {
 		portGroupName = defaultDenyPortGroup(ns, ingressDefaultDenySuffix)
+		direction = types.DirectionToLPort
 	} else if policyType == knet.PolicyTypeEgress {
 		portGroupName = defaultDenyPortGroup(ns, egressDefaultDenySuffix)
+		direction = types.DirectionFromLPort
 	}
 	portGroupUUID, err := createPortGroup(oc.ovnNBClient, portGroupName, portGroupName)
 	if err != nil {
 		return fmt.Errorf("failed to create port_group for %s (%v)",
 			portGroupName, err)
 	}
 	match := getACLMatch(portGroupName, "", policyType)
-	err = addACLPortGroup(ns, portGroupUUID, types.DirectionToLPort,
+	err = addACLPortGroup(ns, portGroupUUID, direction,
 		types.DefaultDenyPriority, match, "drop", policyType, aclLogging, policyName)
 	if err != nil {
 		return fmt.Errorf("failed to create default deny ACL for port group %v", err)
 	}
 
 	match = getACLMatch(portGroupName, "arp", policyType)
-	err = addACLPortGroup(ns, portGroupUUID, types.DirectionToLPort,
+	err = addACLPortGroup(ns, portGroupUUID, direction,
 		types.DefaultAllowPriority, match, "allow", policyType, "", "ARPallowPolicy")
 	if err != nil {
 		return fmt.Errorf("failed to create default allow ARP ACL for port group %v", err)