Add addressgroup peer for in-cluster stretched NetworkPolicy enforcement #4432
Codecov Report
Coverage Diff: main vs. #4432

              main     #4432     +/-
Coverage    67.70%    66.73%  -0.98%
Files          402       402
Lines        57253     57254      +1
Hits         38764     38209    -555
Misses       15818     16395    +577
Partials      2671      2650     -21
} else if peer.Scope == v1alpha1.ScopeClusterSet { | ||
clusterSetScopeSelectors = append(clusterSetScopeSelectors, antreatypes.NewGroupSelector(np.GetNamespace(), peer.PodSelector, peer.NamespaceSelector, nil, nil)) |
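Review bot: the ClusterSet-scoped branch builds exactly the same GroupSelector (namespace, PodSelector, NamespaceSelector, nil, nil) as the Cluster-scoped case, so nothing in this hunk tells a reader that the ClusterSet case is additionally enforced through label identity for cross-cluster traffic. A short comment above the `else if peer.Scope == v1alpha1.ScopeClusterSet` line stating that an AddressGroup is created whenever Pod/Namespace selectors are present, regardless of scope, and that the label-identity part of a ClusterSet-scoped peer is handled separately, would answer the question raised in this review thread without a trip to the PR description.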
Does it mean it will create an AddressGroup anyway, no matter whether it's ClusterSet scope or not?
I am wondering how we can verify that the stretched NetworkPolicy is being split into two parts of NP correctly. Shall we mention this in the document?
> Does it mean it will create an AddressGroup anyway, no matter whether it's ClusterSet scope or not?

If there are any pod/nsSelectors, yes, it will create AddressGroups, because an AddressGroup will need to be created no matter the scope of these selectors.

> I am wondering how we can verify that the stretched NetworkPolicy is being split into two parts of NP correctly.

E2E test cases should verify this.
@Dyanngg Does this depend on @GraysonWu's agent PR 3914, or can it be merged independently?
I think it can be merged independently.
LGTM
/skip-all
…ent (antrea-io#4432) Signed-off-by: Dyanngg <dingyang@vmware.com>
This PR is to fix stretched NetworkPolicy enforcement on Pod
to MC Service traffic when the MC Service endpoint resides in
the same cluster as the client. Under the current datapath design,
the packet will lose the tunnel information which contains the
client's label identity, thus bypassing stretched policy
enforcement. For more details on this issue, refer to #4431.
As a result, stretched NetworkPolicy enforcement needs to be
divided into two parts: for in-cluster access, the Antrea Controller
will create an AddressGroup matching the ClusterSet-scoped
selector, just like cluster-scoped selectors. For cross-cluster
policy enforcement, label identity will be used to match
selected peers.
Signed-off-by: Dyanngg <dingyang@vmware.com>
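The two-part split described in the commit message, as an added, self-contained Go model that is not Antrea's code. The types (`Peer`, `Pod`, `SplitPeer`, `Packet`), the `SplitStretchedPeer` function, the representation of a label identity as a normalized `k=v,...` string, and the sample Pods, label sets and packets are all assumptions made for illustration; real Antrea uses numeric label-identity IDs, Kubernetes label selectors, and a separate agent-side datapath. What the model shows is why both parts are needed: a client Pod reaching an MC Service endpoint in its own cluster arrives without the tunnel's label identity, so only the AddressGroup (IP-based) part can match it, while a client in another cluster arrives with an IP the local controller has never seen and can only be matched by its label identity.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Scope mirrors the idea of v1alpha1.ScopeCluster / ScopeClusterSet on a
// policy peer (hypothetical names, not Antrea's types).
type Scope string

const (
	ScopeCluster    Scope = "Cluster"
	ScopeClusterSet Scope = "ClusterSet"
)

// Peer is a simplified policy peer: a Pod selector expressed as matchLabels
// plus the scope it applies to. A nil PodLabels means "no Pod selector".
type Peer struct {
	Scope     Scope
	PodLabels map[string]string
}

// Pod is a simplified record of a Pod known to the local controller.
type Pod struct {
	IP     string
	Labels map[string]string
}

// SplitPeer holds the two enforcement parts computed for one peer:
// the AddressGroup (local Pod IPs) used for in-cluster traffic, and the set
// of label identities used for cross-cluster traffic.
type SplitPeer struct {
	AddressGroupIPs map[string]bool
	LabelIdentities map[string]bool
}

// matchLabels reports whether labels satisfy every key/value in selector.
func matchLabels(selector, labels map[string]string) bool {
	for k, v := range selector {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// NormalizeLabels renders a label set as a canonical string so that the same
// labels always map to the same identity (assumption: real Antrea assigns
// numeric IDs to normalized label sets).
func NormalizeLabels(labels map[string]string) string {
	parts := make([]string, 0, len(labels))
	for k, v := range labels {
		parts = append(parts, k+"="+v)
	}
	sort.Strings(parts)
	return strings.Join(parts, ",")
}

// SplitStretchedPeer applies the rule from the PR description: any peer with a
// Pod selector gets an AddressGroup over local Pods regardless of scope; a
// ClusterSet-scoped peer additionally gets the label identities (taken from
// the label sets known across the ClusterSet) that its selector matches.
func SplitStretchedPeer(p Peer, localPods []Pod, clusterSetLabelSets []map[string]string) SplitPeer {
	out := SplitPeer{AddressGroupIPs: map[string]bool{}, LabelIdentities: map[string]bool{}}
	if p.PodLabels == nil {
		return out
	}
	for _, pod := range localPods {
		if matchLabels(p.PodLabels, pod.Labels) {
			out.AddressGroupIPs[pod.IP] = true
		}
	}
	if p.Scope == ScopeClusterSet {
		for _, ls := range clusterSetLabelSets {
			if matchLabels(p.PodLabels, ls) {
				out.LabelIdentities[NormalizeLabels(ls)] = true
			}
		}
	}
	return out
}

// Packet models what the datapath sees: the source IP, and the label identity
// carried in tunnel metadata, which is empty when the packet never left the
// cluster (the case the PR fixes).
type Packet struct {
	SrcIP            string
	SrcLabelIdentity string
}

// Matches reports whether the packet's source is selected by the split peer:
// in-cluster sources are matched by IP, remote sources by label identity.
func (s SplitPeer) Matches(pkt Packet) bool {
	if s.AddressGroupIPs[pkt.SrcIP] {
		return true
	}
	return pkt.SrcLabelIdentity != "" && s.LabelIdentities[pkt.SrcLabelIdentity]
}

func main() {
	// Constructed sample data, not taken from any real cluster.
	localPods := []Pod{
		{IP: "10.10.1.5", Labels: map[string]string{"app": "client"}},
		{IP: "10.10.1.9", Labels: map[string]string{"app": "other"}},
	}
	clusterSetLabelSets := []map[string]string{
		{"app": "client", "tier": "web"},
		{"app": "db"},
	}
	peer := Peer{Scope: ScopeClusterSet, PodLabels: map[string]string{"app": "client"}}
	sp := SplitStretchedPeer(peer, localPods, clusterSetLabelSets)

	local := Packet{SrcIP: "10.10.1.5"} // hairpinned to a local endpoint: no label identity
	remote := Packet{SrcIP: "10.20.3.7", SrcLabelIdentity: "app=client,tier=web"}
	fmt.Println("local client matched by AddressGroup:", sp.Matches(local))
	fmt.Println("remote client matched by label identity:", sp.Matches(remote))
}
```

Running `main` prints `true` for both packets; dropping the AddressGroup part would leave the local client unmatched (its packet carries no label identity), and dropping the label-identity part would leave the remote client unmatched (its IP is not in any local group), which is the failure the PR closes on the in-cluster side.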