diff --git a/README.md b/README.md index 331de95b08f..7a01286bfbe 100644 --- a/README.md +++ b/README.md @@ -106,10 +106,10 @@ Also check out [@ProjectAntrea](https://twitter.com/ProjectAntrea) on Twitter! enable fine-grained visibility into the communication among Kubernetes workloads. Theia provides visualization for Antrea network flows in Grafana dashboards, and recommends Network Policies to secure the workloads. -* **Network Policies for virtual machines**: Antrea native policies can be +* **Network Policies for virtual machines**: Antrea-native policies can be enforced on non-Kubernetes Nodes including VMs and baremetal servers. Project [Nephe](https://github.com/antrea-io/nephe) implements security policies for - VMs across clouds, leveraging Antrea native policies. + VMs across clouds, leveraging Antrea-native policies. * **Encryption**: Encryption of inter-Node Pod traffic with IPsec or WireGuard tunnels. * **Easy deployment**: Antrea is deployed by applying a single YAML manifest diff --git a/docs/antctl.md b/docs/antctl.md index 96976844d18..637864ca3b4 100644 --- a/docs/antctl.md +++ b/docs/antctl.md @@ -25,6 +25,7 @@ running in three different modes: - [controllerinfo and agentinfo commands](#controllerinfo-and-agentinfo-commands) - [NetworkPolicy commands](#networkpolicy-commands) - [Mapping endpoints to NetworkPolicies](#mapping-endpoints-to-networkpolicies) + - [Analyzing expected NetworkPolicy behavior](#analyzing-expected-networkpolicy-behavior) - [Dumping Pod network interface information](#dumping-pod-network-interface-information) - [Dumping OVS flows](#dumping-ovs-flows) - [OVS packet tracing](#ovs-packet-tracing) 
@@ -263,6 +264,20 @@ Namespace. This command only works in "controller mode" and **as of now it can only be run from inside the Antrea Controller Pod, and not from out-of-cluster**. +#### Analyzing expected NetworkPolicy behavior + +`antctl` supports analyzing all the existing Antrea-native NetworkPolicies, +Kubernetes NetworkPolicies and AdminNetworkPolicies to predict the effective +policy rule for traffic between source and destination Pods. + +```bash +antctl query networkpolicyevaluation -S NAMESPACE/POD -D NAMESPACE/POD +``` + +If only Pod name is provided, the command will default to the "default" Namespace. + +This command only works in "controller mode". + ### Dumping Pod network interface information `antctl` agent command `get podinterface` (or `get pi`) can dump network diff --git a/docs/feature-gates.md b/docs/feature-gates.md index 79008d60430..20de5037fe7 100644 --- a/docs/feature-gates.md +++ b/docs/feature-gates.md @@ -173,7 +173,7 @@ This feature is currently only supported for Nodes running Linux. Windows suppor Stats API, which can be accessed by kubectl get commands, e.g. `kubectl get networkpolicystats`. The statistical data includes total number of sessions, packets, and bytes allowed or denied by a NetworkPolicy. It is collected asynchronously so there may be a delay of up to 1 minute for changes to be reflected in API responses. The feature -supports K8s NetworkPolicies and Antrea native policies, the latter of which requires +supports K8s NetworkPolicies and Antrea-native policies, the latter of which requires `AntreaPolicy` to be enabled. Usage examples: ```bash diff --git a/docs/multicluster/user-guide.md b/docs/multicluster/user-guide.md index 6673f6ec657..025dc198dc0 100644 --- a/docs/multicluster/user-guide.md +++ b/docs/multicluster/user-guide.md 
@@ -31,7 +31,7 @@ Antrea Multi-cluster implements [Multi-cluster Service API](https://github.com/kubernetes/enhancements/tree/master/keps/sig-multicluster/1645-multi-cluster-services-api), which allows users to create multi-cluster Services that can be accessed cross -clusters in a ClusterSet. Antrea Multi-cluster also extends Antrea native +clusters in a ClusterSet. Antrea Multi-cluster also extends Antrea-native NetworkPolicy to support Multi-cluster NetworkPolicy rules that apply to cross-cluster traffic, and ClusterNetworkPolicy replication that allows a ClusterSet admin to create ClusterNetworkPolicies which are replicated across diff --git a/docs/traceflow-guide.md b/docs/traceflow-guide.md index 5cf8b5d4782..7b555082f5d 100644 --- a/docs/traceflow-guide.md +++ b/docs/traceflow-guide.md @@ -140,7 +140,7 @@ will fail. But you can specify a different timeout value, by adding `timeout: ` to the Traceflow `spec`. In some cases, it might be useful to capture the packets dropped by -NetworkPolicies (inc. K8s NetworkPolicies or Antrea native policies). You can +NetworkPolicies (inc. K8s NetworkPolicies or Antrea-native policies). You can add `droppedOnly: true` to the live-traffic Traceflow `spec`, then the first packet that matches the Traceflow spec and is dropped by a NetworkPolicy will be captured and traced. diff --git a/hack/update-codegen-dockerized.sh b/hack/update-codegen-dockerized.sh index 33ff175fb2d..16a4e291ace 100755 --- a/hack/update-codegen-dockerized.sh +++ b/hack/update-codegen-dockerized.sh 
@@ -59,7 +59,7 @@ MOCKGEN_TARGETS=(
 "pkg/agent/util/netlink Interface testing mock_netlink_linux.go"
 "pkg/agent/wireguard Interface testing mock_wireguard.go"
 "pkg/antctl AntctlClient ."
- "pkg/controller/networkpolicy EndpointQuerier testing"
+ "pkg/controller/networkpolicy EndpointQuerier,PolicyRuleQuerier testing"
 "pkg/controller/querier ControllerQuerier testing"
 "pkg/flowaggregator/exporter Interface testing"
 "pkg/ipfix IPFIXExportingProcess,IPFIXRegistry,IPFIXCollectingProcess,IPFIXAggregationProcess testing"
diff --git a/pkg/agent/controller/networkpolicy/audit_logging.go b/pkg/agent/controller/networkpolicy/audit_logging.go
index 841d2986209..3dd3a82695b 100644
--- a/pkg/agent/controller/networkpolicy/audit_logging.go
+++ b/pkg/agent/controller/networkpolicy/audit_logging.go
@@ -281,7 +281,7 @@ func getNetworkPolicyInfo(pktIn *ofctrl.PacketIn, packet *binding.Packet, c *Con
 ob.ofPriority = ofPriority
 ob.ruleName = ruleName
 ob.logLabel = logLabel
- // Fill in placeholders for Antrea native policies without log labels,
+ // Fill in placeholders for Antrea-native policies without log labels,
 // K8s NetworkPolicies without rule names or log labels.
 fillLogInfoPlaceholders([]*string{&ob.ruleName, &ob.logLabel, &ob.ofPriority})
 return nil
diff --git a/pkg/antctl/antctl.go b/pkg/antctl/antctl.go
index 2988c9b67f2..8e9de8ae044 100644
--- a/pkg/antctl/antctl.go
+++ b/pkg/antctl/antctl.go
@@ -41,9 +41,9 @@ import (
 "antrea.io/antrea/pkg/antctl/transform/version"
 cpv1beta "antrea.io/antrea/pkg/apis/controlplane/v1beta2"
 systemv1beta1 "antrea.io/antrea/pkg/apis/system/v1beta1"
+ endpointServer "antrea.io/antrea/pkg/apiserver/handlers/endpoint"
 controllerinforest "antrea.io/antrea/pkg/apiserver/registry/system/controllerinfo"
 "antrea.io/antrea/pkg/client/clientset/versioned/scheme"
- controllernetworkpolicy "antrea.io/antrea/pkg/controller/networkpolicy"
 "antrea.io/antrea/pkg/flowaggregator/apiserver/handlers/flowrecords"
 "antrea.io/antrea/pkg/flowaggregator/apiserver/handlers/recordmetrics"
 )
@@ -222,7 +222,7 @@ $ antctl get podmulticaststats pod -n namespace`,
 },
 {
 name: "type",
- usage: "Get NetworkPolicies with specific type. Type means the type of its source network policy: K8sNP, ACNP, ANNP",
+ usage: "Get NetworkPolicies with specific type. Type means the type of its source NetworkPolicy: K8sNP, ACNP, ANNP",
 shorthand: "T",
 },
 }, getSortByFlag()),
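Review bot: The new import alias `endpointServer` is mixedCaps, while every other alias in this import block (`cpv1beta`, `systemv1beta1`, `controllerinforest`) is lower case, and command_definition.go in this same commit imports the same package as `endpointserver`. Using `endpointserver "antrea.io/antrea/pkg/apiserver/handlers/endpoint"` here and in command_definition_test.go would give the package one name across pkg/antctl.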
@@ -507,7 +507,38 @@ $ antctl get podmulticaststats pod -n namespace`,
 outputType: single,
 },
 },
- transformedResponse: reflect.TypeOf(controllernetworkpolicy.EndpointQueryResponse{}),
+ transformedResponse: reflect.TypeOf(endpointServer.EndpointQueryResponse{}),
+ },
+ {
+ use: "networkpolicyevaluation",
+ aliases: []string{"networkpoliciesevaluation", "networkpolicyeval", "networkpolicieseval", "netpoleval"},
+ short: "Analyze effective NetworkPolicy rules.",
+ long: "Analyze network policies in the cluster and return the rule expected to be effective on the source and destination endpoints provided.",
+ example: ` Query effective NetworkPolicy rule between two Pods
+ $ antctl query networkpolicyevaluation -S ns1/pod1 -D ns2/pod2
+`,
+ commandGroup: query,
+ controllerEndpoint: &endpoint{
+ resourceEndpoint: &resourceEndpoint{
+ groupVersionResource: &cpv1beta.NetworkPolicyEvaluationVersionResource,
+ params: []flagInfo{
+ {
+ name: "source",
+ usage: "Source endpoint of network policies. Can be a (local or remote) Pod (specified by /).",
+ shorthand: "S",
+ },
+ {
+ name: "destination",
+ usage: "Source endpoint of network policies. Can be a (local or remote) Pod (specified by /).",
+ shorthand: "D",
+ },
+ },
+ paramsFormatter: networkpolicy.NewNetworkPolicyEvaluation,
+ restMethod: restPost,
+ },
+ addonTransform: networkpolicy.EvaluationTransform,
+ },
+ transformedResponse: reflect.TypeOf(networkpolicy.EvaluationResponse{}),
 },
 {
 use: "flowrecords",
diff --git a/pkg/antctl/client.go b/pkg/antctl/client.go
index 31f544185cd..9b0b4583c16 100644
--- a/pkg/antctl/client.go
+++ b/pkg/antctl/client.go
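Review bot: The `destination` flag's usage string reads "Source endpoint of network policies", copied from the `source` flag directly above it, so the command help would describe both `-S` and `-D` as the source. It should start `usage: "Destination endpoint of network policies. ...`. Both usage strings also end in "(specified by /)", which reads like a Namespace/name placeholder that was lost; that may be an artifact of how this diff was rendered, so it is worth checking against the file.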
@@ -161,22 +161,38 @@ func (c *client) resourceRequest(e *resourceEndpoint, opt *requestOption) (io.Re
 // If timeout is zero, there will be no timeout.
 restClient.Client.Timeout = opt.timeout
- resGetter := restClient.Get().
+ var restRequest *rest.Request
+ if e.restMethod == restGet {
+ restRequest = restClient.Get()
+ } else if e.restMethod == restPost {
+ restRequest = restClient.Post()
+ }
+
+ restRequest = restRequest.
 NamespaceIfScoped(opt.args["namespace"], e.namespaced).
 Resource(e.groupVersionResource.Resource)
 if len(e.resourceName) != 0 {
- resGetter = resGetter.Name(e.resourceName)
+ restRequest = restRequest.Name(e.resourceName)
 } else if name, ok := opt.args["name"]; ok {
- resGetter = resGetter.Name(name)
+ restRequest = restRequest.Name(name)
 }
 for arg, val := range opt.args {
 if arg != "name" && arg != "namespace" {
- resGetter = resGetter.Param(arg, val)
+ restRequest = restRequest.Param(arg, val)
 }
 }
- result := resGetter.Do(context.TODO())
+
+ if e.paramsFormatter != nil {
+ obj, err := e.paramsFormatter(opt.args)
+ if err != nil {
+ return nil, err
+ }
+ restRequest = restRequest.Body(obj)
+ }
+
+ result := restRequest.Do(context.TODO())
 if result.Error() != nil {
 return nil, generateMessage(opt.commandDefinition, opt.args, true /* isResourceRequest */, result.Error())
 }
diff --git a/pkg/antctl/command_definition.go b/pkg/antctl/command_definition.go
index 1f6cc36665a..afa6d5a29c2 100644
--- a/pkg/antctl/command_definition.go
+++ b/pkg/antctl/command_definition.go
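Review bot: `restRequest` stays nil when `e.restMethod` is neither `restGet` nor `restPost`, and the builder chain that follows is then called on that nil pointer. Only two values exist today and the zero value is `restGet`, so nothing reaches that path yet, but a `switch` with a `default` that returns an error would stop a future third method from becoming a nil dereference (this assumes `fmt` is already imported in client.go, which the hunk does not show). Separately, the unchanged `for arg, val := range opt.args` loop still copies every argument into the query string, so for the POST command `source` and `destination` appear to be sent both as query parameters and in the body built by `paramsFormatter`. If the server reads only the body, skipping that loop when `paramsFormatter` is set would keep Pod references out of request URLs and access logs. resourceRequest starts and ends outside the hunk.

```go
var restRequest *rest.Request
switch e.restMethod {
case restGet:
	restRequest = restClient.Get()
case restPost:
	restRequest = restClient.Post()
default:
	return nil, fmt.Errorf("unsupported REST method: %d", e.restMethod)
}
// … unchanged: NamespaceIfScoped/Resource/Name/Param chain, request body, Do …
```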
@@ -26,13 +26,14 @@ import (
 "github.com/spf13/cobra"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ k8sruntime "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/klog/v2"
 "antrea.io/antrea/pkg/antctl/output"
 "antrea.io/antrea/pkg/antctl/runtime"
- "antrea.io/antrea/pkg/apis/controlplane/v1beta2"
- "antrea.io/antrea/pkg/controller/networkpolicy"
+ cpv1beta "antrea.io/antrea/pkg/apis/controlplane/v1beta2"
+ endpointserver "antrea.io/antrea/pkg/apiserver/handlers/endpoint"
 )
 type formatterType string
@@ -108,6 +109,9 @@ type resourceEndpoint struct {
 resourceName string
 namespaced bool
 supportSorting bool
+ params []flagInfo
+ paramsFormatter func(args map[string]string) (k8sruntime.Object, error)
+ restMethod restMethod
 }
 func (e *resourceEndpoint) OutputType() OutputType {
@@ -138,6 +142,7 @@ func (e *resourceEndpoint) flags() []flagInfo {
 if e.supportSorting {
 flags = append(flags, getSortByFlag())
 }
+ flags = append(flags, e.params...)
 return flags
 }
@@ -149,6 +154,13 @@ func getSortByFlag() flagInfo {
 }
 }
+type restMethod uint
+
+const (
+ restGet restMethod = iota
+ restPost
+)
+
 type nonResourceEndpoint struct {
 path string
 params []flagInfo
@@ -444,7 +456,7 @@ func (cd *commandDefinition) tableOutputForQueryEndpoint(obj interface{}, writer
 return nil
 }
 // iterate through each endpoint and construct response
- endpointQueryResponse := obj.(*networkpolicy.EndpointQueryResponse)
+ endpointQueryResponse := obj.(*endpointserver.EndpointQueryResponse)
 for _, endpoint := range endpointQueryResponse.Endpoints {
 // transform applied policies to string representation
 policies := make([][]string, 0)
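Review bot: The new `restMethod` type and the `params`, `paramsFormatter` and `restMethod` fields added to `resourceEndpoint` have no comments, and the design relies on something a reader has to infer: `restGet` is the `iota` zero value, which is what keeps every existing endpoint on GET. I would add `// restMethod selects the HTTP verb for a resource request; the zero value is restGet.` above the type, and `// paramsFormatter builds the request body from the parsed flags; nil means no body is sent.` on the field. The `resourceEndpoint` struct starts outside its hunk.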
@@ -455,10 +467,10 @@ func (cd *commandDefinition) tableOutputForQueryEndpoint(obj interface{}, writer
 // transform egress and ingress rules to string representation
 egress, ingress := make([][]string, 0), make([][]string, 0)
 for _, rule := range endpoint.Rules {
- ruleStr := []string{rule.Name, rule.Namespace, strconv.Itoa(rule.RuleIndex), string(rule.UID)}
- if rule.Direction == v1beta2.DirectionIn {
+ ruleStr := []string{rule.PolicyRef.Name, rule.PolicyRef.Namespace, strconv.Itoa(rule.RuleIndex), string(rule.PolicyRef.UID)}
+ if rule.Direction == cpv1beta.DirectionIn {
 ingress = append(ingress, ruleStr)
- } else if rule.Direction == v1beta2.DirectionOut {
+ } else if rule.Direction == cpv1beta.DirectionOut {
 egress = append(egress, ruleStr)
 }
 }
@@ -539,9 +551,10 @@ func (cd *commandDefinition) output(resp io.Reader, writer io.Writer, ft formatt
 if cd.commandGroup == get {
 return output.TableOutputForGetCommands(obj, writer)
 } else if cd.commandGroup == query {
- if cd.controllerEndpoint.nonResourceEndpoint.path == "/endpoint" {
+ if cd.controllerEndpoint.nonResourceEndpoint != nil && cd.controllerEndpoint.nonResourceEndpoint.path == "/endpoint" {
 return cd.tableOutputForQueryEndpoint(obj, writer)
 }
+ return output.TableOutputForGetCommands(obj, writer)
 } else {
 return output.TableOutput(obj, writer)
 }
@@ -550,7 +563,6 @@ func (cd *commandDefinition) output(resp io.Reader, writer io.Writer, ft formatt
 default:
 return fmt.Errorf("unsupported format type: %v", ft)
 }
- return nil
 }
 func (cd *commandDefinition) collectFlags(cmd *cobra.Command, args []string) (map[string]string, error) {
diff --git a/pkg/antctl/command_definition_test.go b/pkg/antctl/command_definition_test.go
index e4c74cdc13e..b33ddcb9dcc 100644
--- a/pkg/antctl/command_definition_test.go
+++ b/pkg/antctl/command_definition_test.go
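Review bot: The added `nonResourceEndpoint != nil` check in `output` guards one level of the chain, but `cd.controllerEndpoint` itself is still dereferenced unconditionally for every command in the `query` group. The query command added in this commit does set `controllerEndpoint`, so this looks latent rather than live. Writing the condition as `if ep := cd.controllerEndpoint; ep != nil && ep.nonResourceEndpoint != nil && ep.nonResourceEndpoint.path == "/endpoint" {` would cover both levels. output starts outside the hunk.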
@@ -42,7 +42,7 @@ import ( "antrea.io/antrea/pkg/antctl/transform/version" cpv1beta "antrea.io/antrea/pkg/apis/controlplane/v1beta2" "antrea.io/antrea/pkg/apis/crd/v1beta1" - controllernetworkpolicy "antrea.io/antrea/pkg/controller/networkpolicy" + endpointServer "antrea.io/antrea/pkg/apiserver/handlers/endpoint" ) type Foobar struct { @@ -909,8 +909,8 @@ func TestGetRequestErrorFallback(t *testing.T) { } func TestTableOutputForQueryEndpoint(t *testing.T) { - policyRef0 := controllernetworkpolicy.PolicyRef{Namespace: "testNamespace", Name: "test-ingress-egress", UID: "uid-1"} - policyRef1 := controllernetworkpolicy.PolicyRef{Namespace: "testNamespace", Name: "default-deny-egress", UID: "uid-2"} + policyRef0 := cpv1beta.NetworkPolicyReference{Namespace: "testNamespace", Name: "test-ingress-egress", UID: "uid-1", Type: cpv1beta.AntreaNetworkPolicy} + policyRef1 := cpv1beta.NetworkPolicyReference{Namespace: "testNamespace", Name: "default-deny-egress", UID: "uid-2", Type: cpv1beta.AntreaNetworkPolicy} tc := []struct { name string rawResponseData interface{} @@ -918,9 +918,9 @@ func TestTableOutputForQueryEndpoint(t *testing.T) { }{ { name: "Pod selected by no policy", - rawResponseData: &controllernetworkpolicy.EndpointQueryResponse{ - Endpoints: []controllernetworkpolicy.Endpoint{ - {Namespace: "testNamespace", Name: "podA", Policies: []controllernetworkpolicy.Policy{}, Rules: []controllernetworkpolicy.Rule{}}, + rawResponseData: &endpointServer.EndpointQueryResponse{ + Endpoints: []endpointServer.Endpoint{ + {Namespace: "testNamespace", Name: "podA", Policies: []cpv1beta.NetworkPolicyReference{}, Rules: []endpointServer.Rule{}}, }, }, expected: `Endpoint testNamespace/podA 
@@ -934,13 +934,13 @@ Ingress Rules: None }, { name: "Pod selected by 1 policy", - rawResponseData: &controllernetworkpolicy.EndpointQueryResponse{ - Endpoints: []controllernetworkpolicy.Endpoint{ + rawResponseData: &endpointServer.EndpointQueryResponse{ + Endpoints: []endpointServer.Endpoint{ { Namespace: "testNamespace", Name: "podA", - Policies: []controllernetworkpolicy.Policy{{PolicyRef: policyRef0}}, - Rules: []controllernetworkpolicy.Rule{ + Policies: []cpv1beta.NetworkPolicyReference{policyRef0}, + Rules: []endpointServer.Rule{ {PolicyRef: policyRef0, Direction: cpv1beta.DirectionOut, RuleIndex: 0}, {PolicyRef: policyRef0, Direction: cpv1beta.DirectionIn, RuleIndex: 0}, }, @@ -964,16 +964,15 @@ test-ingress-egress testNamespace 0 uid-1 }, { name: "Pod selected by 2 different policies", - rawResponseData: &controllernetworkpolicy.EndpointQueryResponse{ - Endpoints: []controllernetworkpolicy.Endpoint{ + rawResponseData: &endpointServer.EndpointQueryResponse{ + Endpoints: []endpointServer.Endpoint{ { Namespace: "testNamespace", Name: "podA", - Policies: []controllernetworkpolicy.Policy{ - {PolicyRef: policyRef0}, - {PolicyRef: policyRef1}, + Policies: []cpv1beta.NetworkPolicyReference{ + policyRef0, policyRef1, }, - Rules: []controllernetworkpolicy.Rule{ + Rules: []endpointServer.Rule{ {PolicyRef: policyRef0, Direction: cpv1beta.DirectionOut, RuleIndex: 0}, {PolicyRef: policyRef0, Direction: cpv1beta.DirectionIn, RuleIndex: 0}, }, diff --git a/pkg/antctl/transform/networkpolicy/transform.go b/pkg/antctl/transform/networkpolicy/transform.go index b290a7b1986..c158b89644c 100644 --- a/pkg/antctl/transform/networkpolicy/transform.go +++ b/pkg/antctl/transform/networkpolicy/transform.go @@ -15,12 +15,16 @@ package networkpolicy import ( + "encoding/json" + "fmt" "io" "reflect" "sort" "strconv" + "strings" "k8s.io/apimachinery/pkg/api/meta" + "k8s.io/apimachinery/pkg/runtime" "k8s.io/kubectl/pkg/cmd/get" "k8s.io/kubectl/pkg/scheme" "k8s.io/utils/strings/slices" 
@@ -161,3 +165,71 @@ func (r Response) GetTableRow(maxColumnLength int) []string {
 func (r Response) SortRows() bool {
 return false
 }
+
+type EvaluationResponse struct {
+ *cpv1beta.NetworkPolicyEvaluation
+}
+
+func EvaluationTransform(reader io.Reader, _ bool, _ map[string]string) (interface{}, error) {
+ refVal := reflect.New(reflect.TypeOf(cpv1beta.NetworkPolicyEvaluation{}))
+ if err := json.NewDecoder(reader).Decode(refVal.Interface()); err != nil {
+ return nil, err
+ }
+ return EvaluationResponse{refVal.Interface().(*cpv1beta.NetworkPolicyEvaluation)}, nil
+}
+
+var _ common.TableOutput = new(EvaluationResponse)
+
+func (r EvaluationResponse) GetTableHeader() []string {
+ return []string{"NAME", "NAMESPACE", "POLICY-TYPE", "RULE-INDEX", "DIRECTION"}
+}
+
+func (r EvaluationResponse) GetTableRow(_ int) []string {
+ if r.NetworkPolicyEvaluation != nil && r.Response != nil {
+ return []string{
+ r.Response.NetworkPolicy.Name,
+ r.Response.NetworkPolicy.Namespace,
+ string(r.Response.NetworkPolicy.Type),
+ common.Int32ToString(r.Response.RuleIndex),
+ string(r.Response.Rule.Direction),
+ }
+ }
+ return make([]string, 5)
+}
+
+func (r EvaluationResponse) SortRows() bool {
+ return false
+}
+
+// parsePeer parses Namespace/Pod name, empty string is returned if the argument is not of a
+// valid Namespace/Pod reference (missing pod name or invalid format). Namespace will be set
+// as default if missing, string without separator will be considered as pod name.
+func parsePeer(str string) (string, string) {
+ parts := strings.Split(str, "/")
+ ns, pod := "", ""
+ if len(parts) == 1 {
+ ns, pod = "default", parts[0]
+ } else if len(parts) == 2 {
+ ns, pod = parts[0], parts[1]
+ }
+ return ns, pod
+}
+
+func NewNetworkPolicyEvaluation(args map[string]string) (runtime.Object, error) {
+ var ns1, pod1, ns2, pod2 string
+ if val, ok := args["source"]; ok {
+ ns1, pod1 = parsePeer(val)
+ }
+ if val, ok := args["destination"]; ok {
+ ns2, pod2 = parsePeer(val)
+ }
+ if pod1 == "" || pod2 == "" {
+ return nil, fmt.Errorf("missing entities for NetworkPolicyEvaluation request: %v", args)
+ }
+ return &cpv1beta.NetworkPolicyEvaluation{
+ Request: &cpv1beta.NetworkPolicyEvaluationRequest{
+ Source: cpv1beta.Entity{Pod: &cpv1beta.PodReference{Namespace: ns1, Name: pod1}},
+ Destination: cpv1beta.Entity{Pod: &cpv1beta.PodReference{Namespace: ns2, Name: pod2}},
+ },
+ }, nil
+}
diff --git a/pkg/antctl/transform/networkpolicy/transform_test.go b/pkg/antctl/transform/networkpolicy/transform_test.go
index b5fcdb411fe..8bffd2501b2 100644
--- a/pkg/antctl/transform/networkpolicy/transform_test.go
+++ b/pkg/antctl/transform/networkpolicy/transform_test.go
@@ -20,6 +20,7 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/utils/pointer"
 cpv1beta "antrea.io/antrea/pkg/apis/controlplane/v1beta2"
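Review bot: `parsePeer` returns an empty Namespace for input such as `/pod1` (two parts, the first empty), and `NewNetworkPolicyEvaluation` rejects only empty Pod names, so a request carrying `Namespace: ""` is built and sent even though the doc comment promises the default Namespace when it is missing. How the controller treats an empty Namespace is not visible here, but for a command whose answer an operator may read as "this traffic is allowed or denied", rejecting the argument is safer than evaluating a reference the user did not intend. Either default the empty case inside `parsePeer` or widen the check to `if ns1 == "" || pod1 == "" || ns2 == "" || pod2 == "" {`. The error could also name which of source or destination was rejected rather than printing the whole args map.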
@@ -130,3 +131,75 @@ func TestListTransform(t *testing.T) { }) } } + +func TestNewNetworkPolicyEvaluation(t *testing.T) { + tests := []struct { + name string + args map[string]string + expectedObject runtime.Object + expectedError string + }{ + { + name: "Successful parsing", + args: map[string]string{ + "source": "ns/pod1", + "destination": "ns/pod2", + }, + expectedObject: &cpv1beta.NetworkPolicyEvaluation{ + Request: &cpv1beta.NetworkPolicyEvaluationRequest{ + Source: cpv1beta.Entity{Pod: &cpv1beta.PodReference{Namespace: "ns", Name: "pod1"}}, + Destination: cpv1beta.Entity{Pod: &cpv1beta.PodReference{Namespace: "ns", Name: "pod2"}}, + }, + }, + }, + { + name: "Invalid format", + args: map[string]string{ + "destination": "ns", + }, + expectedError: "missing entities for NetworkPolicyEvaluation request", + }, + { + name: "Default namespaces", + args: map[string]string{ + "source": "pod1", + "destination": "pod2", + }, + expectedObject: &cpv1beta.NetworkPolicyEvaluation{ + Request: &cpv1beta.NetworkPolicyEvaluationRequest{ + Source: cpv1beta.Entity{Pod: &cpv1beta.PodReference{Namespace: "default", Name: "pod1"}}, + Destination: cpv1beta.Entity{Pod: &cpv1beta.PodReference{Namespace: "default", Name: "pod2"}}, + }, + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + gotObject, err := NewNetworkPolicyEvaluation(tt.args) + if tt.expectedError == "" { + require.NoError(t, err) + assert.Equal(t, tt.expectedObject, gotObject) + } else { + assert.ErrorContains(t, err, tt.expectedError) + } + }) + } +} + +func TestAccessResponse(t *testing.T) { + test := EvaluationResponse{&cpv1beta.NetworkPolicyEvaluation{}} + assert.Equal(t, []string{"NAME", "NAMESPACE", "POLICY-TYPE", "RULE-INDEX", "DIRECTION"}, test.GetTableHeader()) + assert.False(t, test.SortRows()) + assert.Equal(t, []string{"", "", "", "", ""}, test.GetTableRow(32)) + test.Response = &cpv1beta.NetworkPolicyEvaluationResponse{ + NetworkPolicy: cpv1beta.NetworkPolicyReference{ + Type: 
cpv1beta.K8sNetworkPolicy, + Namespace: "ns", + Name: "testName", + }, + RuleIndex: 10, + Rule: cpv1beta.RuleRef{Direction: cpv1beta.DirectionIn}, + } + assert.Equal(t, []string{"testName", "ns", "K8sNetworkPolicy", "10", "In"}, test.GetTableRow(32)) +} diff --git a/pkg/apis/controlplane/register.go b/pkg/apis/controlplane/register.go index 42a27ddeab8..10da9773424 100644 --- a/pkg/apis/controlplane/register.go +++ b/pkg/apis/controlplane/register.go @@ -54,6 +54,7 @@ func addKnownTypes(scheme *runtime.Scheme) error { &NetworkPolicy{}, &NetworkPolicyList{}, &NetworkPolicyStatus{}, + &NetworkPolicyEvaluation{}, &NodeStatsSummary{}, &ClusterGroupMembers{}, &GroupMembers{}, diff --git a/pkg/apis/controlplane/types.go b/pkg/apis/controlplane/types.go index fdfa7624451..5a58225f67f 100644 --- a/pkg/apis/controlplane/types.go +++ b/pkg/apis/controlplane/types.go 
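Review bot: The "Invalid format" case in `TestNewNetworkPolicyEvaluation` passes only `"destination": "ns"`, which `parsePeer` accepts as Pod `ns` in the `default` Namespace; the error it asserts comes from the missing `source`, so no malformed reference is actually exercised. Cases for `ns/`, `/pod` and `a/b/c` would pin the parsing edges, and the existing case would be better named "Missing source". `TestAccessResponse` also keeps an "access" name although it tests `EvaluationResponse`; `TestEvaluationResponse` would match the type.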
@@ -448,6 +448,42 @@ type NetworkPolicyNodeStatus struct {
 Message string
 }
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// NetworkPolicyEvaluation contains the request and response for a NetworkPolicy access review.
+type NetworkPolicyEvaluation struct {
+ metav1.TypeMeta
+ Request *NetworkPolicyEvaluationRequest
+ Response *NetworkPolicyEvaluationResponse
+}
+
+// Entity contains Namespace and Pod name as a request parameter.
+type Entity struct {
+ Pod *PodReference
+}
+
+// NetworkPolicyEvaluationRequest is the request body of NetworkPolicy access review.
+type NetworkPolicyEvaluationRequest struct {
+ Source Entity
+ Destination Entity
+}
+
+// RuleRef contains basic information for the rule.
+type RuleRef struct {
+ Direction Direction
+ Name string
+ Action *crdv1beta1.RuleAction
+}
+
+// NetworkPolicyEvaluationResponse is the response of NetworkPolicy access review.
+type NetworkPolicyEvaluationResponse struct {
+ // The reference of the effective NetworkPolicy.
+ NetworkPolicy NetworkPolicyReference
+ RuleIndex int32
+ // The content of the effective rule.
+ Rule RuleRef
+}
+
 type GroupReference struct {
 // Namespace of the Group. Empty for ClusterGroup.
 Namespace string
diff --git a/pkg/apis/controlplane/v1beta2/generated.pb.go b/pkg/apis/controlplane/v1beta2/generated.pb.go
index 3247f1e1ff7..79e6800e1d5 100644
--- a/pkg/apis/controlplane/v1beta2/generated.pb.go
+++ b/pkg/apis/controlplane/v1beta2/generated.pb.go
@@ -1,4 +1,4 @@
-// Copyright 2023 Antrea Authors
+// Copyright 2024 Antrea Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
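Review bot: `RuleIndex` in `NetworkPolicyEvaluationResponse` is the only field of that struct without a comment, and the type comments still describe a "NetworkPolicy access review" although the types are named Evaluation. I would add something like `// The index of the effective rule in the NetworkPolicy.` (worded to match whichever list the controller indexes into) and replace "access review" with "evaluation" in the three type comments. It would also help to say on `Response` what a caller sees when no policy applies to the traffic: the antctl side prints an empty row for a nil `Response`, which suggests nil is that case, but the API comment does not state it.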
@@ -411,10 +411,38 @@ func (m *EgressGroupPatch) XXX_DiscardUnknown() { var xxx_messageInfo_EgressGroupPatch proto.InternalMessageInfo +func (m *Entity) Reset() { *m = Entity{} } +func (*Entity) ProtoMessage() {} +func (*Entity) Descriptor() ([]byte, []int) { + return fileDescriptor_fbaa7d016762fa1d, []int{13} +} +func (m *Entity) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *Entity) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *Entity) XXX_Merge(src proto.Message) { + xxx_messageInfo_Entity.Merge(m, src) +} +func (m *Entity) XXX_Size() int { + return m.Size() +} +func (m *Entity) XXX_DiscardUnknown() { + xxx_messageInfo_Entity.DiscardUnknown(m) +} + +var xxx_messageInfo_Entity proto.InternalMessageInfo + func (m *ExternalEntityReference) Reset() { *m = ExternalEntityReference{} } func (*ExternalEntityReference) ProtoMessage() {} func (*ExternalEntityReference) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{13} + return fileDescriptor_fbaa7d016762fa1d, []int{14} } func (m *ExternalEntityReference) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -442,7 +470,7 @@ var xxx_messageInfo_ExternalEntityReference proto.InternalMessageInfo func (m *GroupAssociation) Reset() { *m = GroupAssociation{} } func (*GroupAssociation) ProtoMessage() {} func (*GroupAssociation) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{14} + return fileDescriptor_fbaa7d016762fa1d, []int{15} } func (m *GroupAssociation) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -470,7 +498,7 @@ var xxx_messageInfo_GroupAssociation proto.InternalMessageInfo func (m *GroupMember) Reset() { *m = GroupMember{} } func (*GroupMember) ProtoMessage() {} func (*GroupMember) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{15} + return fileDescriptor_fbaa7d016762fa1d, []int{16} } func (m *GroupMember) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -498,7 +526,7 @@ var xxx_messageInfo_GroupMember proto.InternalMessageInfo func (m *GroupMembers) Reset() { *m = GroupMembers{} } func (*GroupMembers) ProtoMessage() {} func (*GroupMembers) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{16} + return fileDescriptor_fbaa7d016762fa1d, []int{17} } func (m *GroupMembers) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -526,7 +554,7 @@ var xxx_messageInfo_GroupMembers proto.InternalMessageInfo func (m *GroupReference) Reset() { *m = GroupReference{} } func (*GroupReference) ProtoMessage() {} func (*GroupReference) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{17} + return fileDescriptor_fbaa7d016762fa1d, []int{18} } func (m *GroupReference) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -554,7 +582,7 @@ var xxx_messageInfo_GroupReference proto.InternalMessageInfo func (m *HTTPProtocol) Reset() { *m = HTTPProtocol{} } func (*HTTPProtocol) ProtoMessage() {} func (*HTTPProtocol) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{18} + return fileDescriptor_fbaa7d016762fa1d, []int{19} } func (m *HTTPProtocol) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -582,7 +610,7 @@ var xxx_messageInfo_HTTPProtocol proto.InternalMessageInfo func (m *IPBlock) Reset() { *m = IPBlock{} } func (*IPBlock) ProtoMessage() {} func (*IPBlock) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{19} + return fileDescriptor_fbaa7d016762fa1d, []int{20} } func (m *IPBlock) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -610,7 +638,7 @@ var xxx_messageInfo_IPBlock proto.InternalMessageInfo func (m *IPGroupAssociation) Reset() { *m = IPGroupAssociation{} } func (*IPGroupAssociation) ProtoMessage() {} func (*IPGroupAssociation) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{20} + return fileDescriptor_fbaa7d016762fa1d, []int{21} } func (m *IPGroupAssociation) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -638,7 +666,7 @@ var xxx_messageInfo_IPGroupAssociation proto.InternalMessageInfo func (m *IPNet) Reset() { *m = IPNet{} } func (*IPNet) ProtoMessage() {} func (*IPNet) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{21} + return fileDescriptor_fbaa7d016762fa1d, []int{22} } func (m *IPNet) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -666,7 +694,7 @@ var xxx_messageInfo_IPNet proto.InternalMessageInfo func (m *L7Protocol) Reset() { *m = L7Protocol{} } func (*L7Protocol) ProtoMessage() {} func (*L7Protocol) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{22} + return fileDescriptor_fbaa7d016762fa1d, []int{23} } func (m *L7Protocol) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -694,7 +722,7 @@ var xxx_messageInfo_L7Protocol proto.InternalMessageInfo func (m *MulticastGroupInfo) Reset() { *m = MulticastGroupInfo{} } func (*MulticastGroupInfo) ProtoMessage() {} func (*MulticastGroupInfo) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{23} + return fileDescriptor_fbaa7d016762fa1d, []int{24} } func (m *MulticastGroupInfo) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -722,7 +750,7 @@ var xxx_messageInfo_MulticastGroupInfo proto.InternalMessageInfo func (m *NamedPort) Reset() { *m = NamedPort{} } func (*NamedPort) ProtoMessage() {} func (*NamedPort) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{24} + return fileDescriptor_fbaa7d016762fa1d, []int{25} } func (m *NamedPort) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -750,7 +778,7 @@ var xxx_messageInfo_NamedPort proto.InternalMessageInfo func (m *NetworkPolicy) Reset() { *m = NetworkPolicy{} } func (*NetworkPolicy) ProtoMessage() {} func (*NetworkPolicy) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{25} + return fileDescriptor_fbaa7d016762fa1d, []int{26} } func (m *NetworkPolicy) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -775,10 +803,94 @@ func (m *NetworkPolicy) XXX_DiscardUnknown() { var xxx_messageInfo_NetworkPolicy proto.InternalMessageInfo +func (m *NetworkPolicyEvaluation) Reset() { *m = NetworkPolicyEvaluation{} } +func (*NetworkPolicyEvaluation) ProtoMessage() {} +func (*NetworkPolicyEvaluation) Descriptor() ([]byte, []int) { + return fileDescriptor_fbaa7d016762fa1d, []int{27} +} +func (m *NetworkPolicyEvaluation) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *NetworkPolicyEvaluation) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *NetworkPolicyEvaluation) XXX_Merge(src proto.Message) { + xxx_messageInfo_NetworkPolicyEvaluation.Merge(m, src) +} +func (m *NetworkPolicyEvaluation) XXX_Size() int { + return m.Size() +} +func (m *NetworkPolicyEvaluation) XXX_DiscardUnknown() { + xxx_messageInfo_NetworkPolicyEvaluation.DiscardUnknown(m) +} + +var xxx_messageInfo_NetworkPolicyEvaluation proto.InternalMessageInfo + +func (m *NetworkPolicyEvaluationRequest) Reset() { *m = NetworkPolicyEvaluationRequest{} } +func (*NetworkPolicyEvaluationRequest) ProtoMessage() {} +func (*NetworkPolicyEvaluationRequest) Descriptor() ([]byte, []int) { + return fileDescriptor_fbaa7d016762fa1d, []int{28} +} +func (m *NetworkPolicyEvaluationRequest) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *NetworkPolicyEvaluationRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *NetworkPolicyEvaluationRequest) XXX_Merge(src proto.Message) { + xxx_messageInfo_NetworkPolicyEvaluationRequest.Merge(m, src) +} +func (m *NetworkPolicyEvaluationRequest) XXX_Size() int { + return m.Size() +} +func (m *NetworkPolicyEvaluationRequest) XXX_DiscardUnknown() { + 
xxx_messageInfo_NetworkPolicyEvaluationRequest.DiscardUnknown(m) +} + +var xxx_messageInfo_NetworkPolicyEvaluationRequest proto.InternalMessageInfo + +func (m *NetworkPolicyEvaluationResponse) Reset() { *m = NetworkPolicyEvaluationResponse{} } +func (*NetworkPolicyEvaluationResponse) ProtoMessage() {} +func (*NetworkPolicyEvaluationResponse) Descriptor() ([]byte, []int) { + return fileDescriptor_fbaa7d016762fa1d, []int{29} +} +func (m *NetworkPolicyEvaluationResponse) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *NetworkPolicyEvaluationResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *NetworkPolicyEvaluationResponse) XXX_Merge(src proto.Message) { + xxx_messageInfo_NetworkPolicyEvaluationResponse.Merge(m, src) +} +func (m *NetworkPolicyEvaluationResponse) XXX_Size() int { + return m.Size() +} +func (m *NetworkPolicyEvaluationResponse) XXX_DiscardUnknown() { + xxx_messageInfo_NetworkPolicyEvaluationResponse.DiscardUnknown(m) +} + +var xxx_messageInfo_NetworkPolicyEvaluationResponse proto.InternalMessageInfo + func (m *NetworkPolicyList) Reset() { *m = NetworkPolicyList{} } func (*NetworkPolicyList) ProtoMessage() {} func (*NetworkPolicyList) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{26} + return fileDescriptor_fbaa7d016762fa1d, []int{30} } func (m *NetworkPolicyList) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -806,7 +918,7 @@ var xxx_messageInfo_NetworkPolicyList proto.InternalMessageInfo func (m *NetworkPolicyNodeStatus) Reset() { *m = NetworkPolicyNodeStatus{} } func (*NetworkPolicyNodeStatus) ProtoMessage() {} func (*NetworkPolicyNodeStatus) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{27} + return fileDescriptor_fbaa7d016762fa1d, []int{31} } func (m *NetworkPolicyNodeStatus) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -834,7 +946,7 @@ var xxx_messageInfo_NetworkPolicyNodeStatus proto.InternalMessageInfo func (m *NetworkPolicyPeer) Reset() { *m = NetworkPolicyPeer{} } func (*NetworkPolicyPeer) ProtoMessage() {} func (*NetworkPolicyPeer) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{28} + return fileDescriptor_fbaa7d016762fa1d, []int{32} } func (m *NetworkPolicyPeer) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -862,7 +974,7 @@ var xxx_messageInfo_NetworkPolicyPeer proto.InternalMessageInfo func (m *NetworkPolicyReference) Reset() { *m = NetworkPolicyReference{} } func (*NetworkPolicyReference) ProtoMessage() {} func (*NetworkPolicyReference) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{29} + return fileDescriptor_fbaa7d016762fa1d, []int{33} } func (m *NetworkPolicyReference) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -890,7 +1002,7 @@ var xxx_messageInfo_NetworkPolicyReference proto.InternalMessageInfo func (m *NetworkPolicyRule) Reset() { *m = NetworkPolicyRule{} } func (*NetworkPolicyRule) ProtoMessage() {} func (*NetworkPolicyRule) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{30} + return fileDescriptor_fbaa7d016762fa1d, []int{34} } func (m *NetworkPolicyRule) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -918,7 +1030,7 @@ var xxx_messageInfo_NetworkPolicyRule proto.InternalMessageInfo func (m *NetworkPolicyStats) Reset() { *m = NetworkPolicyStats{} } func (*NetworkPolicyStats) ProtoMessage() {} func (*NetworkPolicyStats) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{31} + return fileDescriptor_fbaa7d016762fa1d, []int{35} } func (m *NetworkPolicyStats) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -946,7 +1058,7 @@ var xxx_messageInfo_NetworkPolicyStats proto.InternalMessageInfo func (m *NetworkPolicyStatus) Reset() { *m = NetworkPolicyStatus{} } func (*NetworkPolicyStatus) ProtoMessage() {} func (*NetworkPolicyStatus) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{32} + return fileDescriptor_fbaa7d016762fa1d, []int{36} } func (m *NetworkPolicyStatus) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -974,7 +1086,7 @@ var xxx_messageInfo_NetworkPolicyStatus proto.InternalMessageInfo func (m *NodeReference) Reset() { *m = NodeReference{} } func (*NodeReference) ProtoMessage() {} func (*NodeReference) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{33} + return fileDescriptor_fbaa7d016762fa1d, []int{37} } func (m *NodeReference) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1002,7 +1114,7 @@ var xxx_messageInfo_NodeReference proto.InternalMessageInfo func (m *NodeStatsSummary) Reset() { *m = NodeStatsSummary{} } func (*NodeStatsSummary) ProtoMessage() {} func (*NodeStatsSummary) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{34} + return fileDescriptor_fbaa7d016762fa1d, []int{38} } func (m *NodeStatsSummary) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -1030,7 +1142,7 @@ var xxx_messageInfo_NodeStatsSummary proto.InternalMessageInfo func (m *PaginationGetOptions) Reset() { *m = PaginationGetOptions{} } func (*PaginationGetOptions) ProtoMessage() {} func (*PaginationGetOptions) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{35} + return fileDescriptor_fbaa7d016762fa1d, []int{39} } func (m *PaginationGetOptions) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1058,7 +1170,7 @@ var xxx_messageInfo_PaginationGetOptions proto.InternalMessageInfo func (m *PodReference) Reset() { *m = PodReference{} } func (*PodReference) ProtoMessage() {} func (*PodReference) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{36} + return fileDescriptor_fbaa7d016762fa1d, []int{40} } func (m *PodReference) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -1083,10 +1195,38 @@ func (m *PodReference) XXX_DiscardUnknown() { var xxx_messageInfo_PodReference proto.InternalMessageInfo +func (m *RuleRef) Reset() { *m = RuleRef{} } +func (*RuleRef) ProtoMessage() {} +func (*RuleRef) Descriptor() ([]byte, []int) { + return fileDescriptor_fbaa7d016762fa1d, []int{41} +} +func (m *RuleRef) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *RuleRef) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *RuleRef) XXX_Merge(src proto.Message) { + xxx_messageInfo_RuleRef.Merge(m, src) +} +func (m *RuleRef) XXX_Size() int { + return m.Size() +} +func (m *RuleRef) XXX_DiscardUnknown() { + xxx_messageInfo_RuleRef.DiscardUnknown(m) +} + +var xxx_messageInfo_RuleRef proto.InternalMessageInfo + func (m *Service) Reset() { *m = Service{} } func (*Service) ProtoMessage() {} func (*Service) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{37} + return fileDescriptor_fbaa7d016762fa1d, []int{42} } func (m *Service) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1114,7 +1254,7 @@ var xxx_messageInfo_Service proto.InternalMessageInfo func (m *ServiceReference) Reset() { *m = ServiceReference{} } func (*ServiceReference) ProtoMessage() {} func (*ServiceReference) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{38} + return fileDescriptor_fbaa7d016762fa1d, []int{43} } func (m *ServiceReference) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -1142,7 +1282,7 @@ var xxx_messageInfo_ServiceReference proto.InternalMessageInfo func (m *SupportBundleCollection) Reset() { *m = SupportBundleCollection{} } func (*SupportBundleCollection) ProtoMessage() {} func (*SupportBundleCollection) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{39} + return fileDescriptor_fbaa7d016762fa1d, []int{44} } func (m *SupportBundleCollection) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1170,7 +1310,7 @@ var xxx_messageInfo_SupportBundleCollection proto.InternalMessageInfo func (m *SupportBundleCollectionList) Reset() { *m = SupportBundleCollectionList{} } func (*SupportBundleCollectionList) ProtoMessage() {} func (*SupportBundleCollectionList) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{40} + return fileDescriptor_fbaa7d016762fa1d, []int{45} } func (m *SupportBundleCollectionList) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1198,7 +1338,7 @@ var xxx_messageInfo_SupportBundleCollectionList proto.InternalMessageInfo func (m *SupportBundleCollectionNodeStatus) Reset() { *m = SupportBundleCollectionNodeStatus{} } func (*SupportBundleCollectionNodeStatus) ProtoMessage() {} func (*SupportBundleCollectionNodeStatus) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{41} + return fileDescriptor_fbaa7d016762fa1d, []int{46} } func (m *SupportBundleCollectionNodeStatus) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -1226,7 +1366,7 @@ var xxx_messageInfo_SupportBundleCollectionNodeStatus proto.InternalMessageInfo func (m *SupportBundleCollectionStatus) Reset() { *m = SupportBundleCollectionStatus{} } func (*SupportBundleCollectionStatus) ProtoMessage() {} func (*SupportBundleCollectionStatus) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{42} + return fileDescriptor_fbaa7d016762fa1d, []int{47} } func (m *SupportBundleCollectionStatus) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1254,7 +1394,7 @@ var xxx_messageInfo_SupportBundleCollectionStatus proto.InternalMessageInfo func (m *TLSProtocol) Reset() { *m = TLSProtocol{} } func (*TLSProtocol) ProtoMessage() {} func (*TLSProtocol) Descriptor() ([]byte, []int) { - return fileDescriptor_fbaa7d016762fa1d, []int{43} + return fileDescriptor_fbaa7d016762fa1d, []int{48} } func (m *TLSProtocol) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1293,6 +1433,7 @@ func init() { proto.RegisterType((*EgressGroup)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.EgressGroup") proto.RegisterType((*EgressGroupList)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.EgressGroupList") proto.RegisterType((*EgressGroupPatch)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.EgressGroupPatch") + proto.RegisterType((*Entity)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.Entity") proto.RegisterType((*ExternalEntityReference)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.ExternalEntityReference") proto.RegisterType((*GroupAssociation)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.GroupAssociation") proto.RegisterType((*GroupMember)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.GroupMember") 
@@ -1306,6 +1447,9 @@ func init() { proto.RegisterType((*MulticastGroupInfo)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.MulticastGroupInfo") proto.RegisterType((*NamedPort)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.NamedPort") proto.RegisterType((*NetworkPolicy)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.NetworkPolicy") + proto.RegisterType((*NetworkPolicyEvaluation)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.NetworkPolicyEvaluation") + proto.RegisterType((*NetworkPolicyEvaluationRequest)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.NetworkPolicyEvaluationRequest") + proto.RegisterType((*NetworkPolicyEvaluationResponse)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.NetworkPolicyEvaluationResponse") proto.RegisterType((*NetworkPolicyList)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.NetworkPolicyList") proto.RegisterType((*NetworkPolicyNodeStatus)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.NetworkPolicyNodeStatus") proto.RegisterType((*NetworkPolicyPeer)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.NetworkPolicyPeer") @@ -1317,6 +1461,7 @@ func init() { proto.RegisterType((*NodeStatsSummary)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.NodeStatsSummary") proto.RegisterType((*PaginationGetOptions)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.PaginationGetOptions") proto.RegisterType((*PodReference)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.PodReference") + proto.RegisterType((*RuleRef)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.RuleRef") proto.RegisterType((*Service)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.Service") proto.RegisterType((*ServiceReference)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.ServiceReference") proto.RegisterType((*SupportBundleCollection)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.SupportBundleCollection") 
@@ -1331,186 +1476,198 @@ func init() { } var fileDescriptor_fbaa7d016762fa1d = []byte{ - // 2862 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x1b, 0x4b, 0x6f, 0x24, 0xc5, - 0x79, 0xdb, 0x33, 0x63, 0x7b, 0xbe, 0x19, 0x7b, 0xbd, 0x65, 0x60, 0x1d, 0x60, 0xed, 0xa5, 0x49, - 0xd0, 0x26, 0x22, 0x33, 0xd8, 0x01, 0x76, 0xc3, 0x4b, 0xf1, 0x78, 0xbd, 0x66, 0x82, 0x6d, 0x86, - 0x9a, 0x01, 0x24, 0x08, 0x84, 0x76, 0x77, 0xcd, 0xb8, 0xb3, 0x3d, 0x5d, 0x4d, 0x75, 0x8d, 0x59, - 0x73, 0x88, 0x88, 0x48, 0x0e, 0xe4, 0x45, 0x94, 0x4b, 0xc4, 0x2d, 0xb7, 0x5c, 0xf2, 0x0b, 0x38, - 0x85, 0x43, 0x24, 0x8e, 0x44, 0x51, 0x14, 0x4e, 0x56, 0xd6, 0x51, 0x88, 0x38, 0xe4, 0x92, 0x5b, - 0x36, 0x8a, 0x14, 0x55, 0x75, 0xf5, 0x73, 0x66, 0xd6, 0x3b, 0xb6, 0xd7, 0x91, 0xc2, 0x9e, 0x3c, - 0xfd, 0xbd, 0xab, 0xea, 0xfb, 0xea, 0x7b, 0x74, 0x1b, 0x9e, 0x31, 0x5c, 0xce, 0x88, 0x51, 0xb1, - 0x69, 0x35, 0xf8, 0x55, 0xf5, 0xae, 0x76, 0xaa, 0x86, 0x67, 0xfb, 0x55, 0x93, 0xba, 0x9c, 0x51, - 0xc7, 0x73, 0x0c, 0x97, 0x54, 0x77, 0x16, 0xb7, 0x08, 0x37, 0x96, 0xaa, 0x1d, 0xe2, 0x12, 0x66, - 0x70, 0x62, 0x55, 0x3c, 0x46, 0x39, 0x45, 0x95, 0x80, 0xeb, 0xbb, 0x36, 0x55, 0xbf, 0x2a, 0xde, - 0xd5, 0x4e, 0x45, 0xf0, 0x57, 0x92, 0xfc, 0x15, 0xc5, 0x7f, 0xef, 0xa5, 0xe1, 0xfa, 0x7c, 0x6e, - 0x70, 0xbf, 0xba, 0xb3, 0x68, 0x38, 0xde, 0xb6, 0xb1, 0x98, 0xd5, 0x74, 0xef, 0xd7, 0x3b, 0x36, - 0xdf, 0xee, 0x6d, 0x55, 0x4c, 0xda, 0xad, 0x76, 0x68, 0x87, 0x56, 0x25, 0x78, 0xab, 0xd7, 0x96, - 0x4f, 0xf2, 0x41, 0xfe, 0x52, 0xe4, 0x8f, 0x5e, 0xbd, 0xe4, 0x4b, 0x2d, 0x9e, 0xdd, 0x35, 0xcc, - 0x6d, 0xdb, 0x25, 0x6c, 0x37, 0xd6, 0xd5, 0x25, 0xdc, 0xa8, 0xee, 0xf4, 0x2b, 0xa9, 0x0e, 0xe3, - 0x62, 0x3d, 0x97, 0xdb, 0x5d, 0xd2, 0xc7, 0xf0, 0xf8, 0x41, 0x0c, 0xbe, 0xb9, 0x4d, 0xba, 0x46, - 0x1f, 0xdf, 0x37, 0x86, 0xf1, 0xf5, 0xb8, 0xed, 0x54, 0x6d, 0x97, 0xfb, 0x9c, 0x65, 0x99, 0xf4, - 0xbf, 0x6b, 0x50, 0x5e, 0xb6, 0x2c, 0x46, 0x7c, 0x7f, 0x8d, 0xd1, 0x9e, 0x87, 0xde, 0x80, 0x49, 
- 0xb1, 0x12, 0xcb, 0xe0, 0xc6, 0x9c, 0x76, 0x5e, 0xbb, 0x50, 0x5a, 0x7a, 0xa4, 0x12, 0x08, 0xae, - 0x24, 0x05, 0xc7, 0x67, 0x22, 0xa8, 0x2b, 0x3b, 0x8b, 0x95, 0xe7, 0xb7, 0xbe, 0x47, 0x4c, 0xbe, - 0x41, 0xb8, 0x51, 0x43, 0x1f, 0xef, 0x2d, 0x9c, 0xda, 0xdf, 0x5b, 0x80, 0x18, 0x86, 0x23, 0xa9, - 0xa8, 0x07, 0xe5, 0x8e, 0x50, 0xb5, 0x41, 0xba, 0x5b, 0x84, 0xf9, 0x73, 0x63, 0xe7, 0x73, 0x17, - 0x4a, 0x4b, 0x4f, 0x8e, 0x78, 0xec, 0x95, 0xb5, 0x58, 0x46, 0xed, 0x2e, 0xa5, 0xb0, 0x9c, 0x00, - 0xfa, 0x38, 0xa5, 0x46, 0xff, 0xa3, 0x06, 0x33, 0xc9, 0x95, 0xae, 0xdb, 0x3e, 0x47, 0xdf, 0xe9, - 0x5b, 0x6d, 0xe5, 0xd6, 0x56, 0x2b, 0xb8, 0xe5, 0x5a, 0x67, 0x94, 0xea, 0xc9, 0x10, 0x92, 0x58, - 0xa9, 0x01, 0x05, 0x9b, 0x93, 0x6e, 0xb8, 0xc4, 0xa7, 0x46, 0x5d, 0x62, 0xd2, 0xdc, 0xda, 0x94, - 0x52, 0x54, 0xa8, 0x0b, 0x91, 0x38, 0x90, 0xac, 0xbf, 0x97, 0x83, 0x33, 0x49, 0xb2, 0x86, 0xc1, - 0xcd, 0xed, 0x13, 0x38, 0xc4, 0x1f, 0x6a, 0x70, 0xc6, 0xb0, 0x2c, 0x62, 0xad, 0x1d, 0xf3, 0x51, - 0x7e, 0x49, 0xa9, 0x15, 0xab, 0x4a, 0x4b, 0xc7, 0xfd, 0x0a, 0xd1, 0x8f, 0x35, 0x98, 0x65, 0xa4, - 0x4b, 0x77, 0x32, 0x86, 0xe4, 0x8e, 0x6e, 0xc8, 0x7d, 0xca, 0x90, 0x59, 0xdc, 0x2f, 0x1f, 0x0f, - 0x52, 0xaa, 0x7f, 0xae, 0xc1, 0xf4, 0xb2, 0xe7, 0x39, 0x36, 0xb1, 0x5a, 0xf4, 0xff, 0x3c, 0x9a, - 0xfe, 0xac, 0x01, 0x4a, 0xaf, 0xf5, 0x04, 0xe2, 0xc9, 0x4c, 0xc7, 0xd3, 0x33, 0x23, 0xc7, 0x53, - 0xca, 0xe0, 0x21, 0x11, 0xf5, 0x93, 0x1c, 0xcc, 0xa6, 0x09, 0xef, 0xc4, 0xd4, 0xff, 0x2e, 0xa6, - 0xde, 0x84, 0xd9, 0x9a, 0xe1, 0xdb, 0xe6, 0x72, 0x8f, 0x6f, 0x13, 0x97, 0xdb, 0xa6, 0xc1, 0x6d, - 0xea, 0xa2, 0x87, 0x61, 0xb2, 0xe7, 0x13, 0xe6, 0x1a, 0x5d, 0x22, 0x0f, 0xa3, 0x18, 0xfb, 0xcd, - 0x8b, 0x0a, 0x8e, 0x23, 0x0a, 0x41, 0xed, 0x19, 0xbe, 0xff, 0x16, 0x65, 0xd6, 0xdc, 0x58, 0x9a, - 0xba, 0xa1, 0xe0, 0x38, 0xa2, 0xd0, 0x17, 0x61, 0xa6, 0xd6, 0x73, 0x2d, 0x87, 0x5c, 0xb1, 0x1d, - 0xd2, 0x24, 0x6c, 0x87, 0x30, 0x74, 0x0e, 0x72, 0x3d, 0xe6, 0x28, 0x55, 0x25, 0xc5, 0x9c, 0x7b, - 0x11, 0xaf, 0x63, 0x01, 0xd7, 0xdf, 
0x1f, 0x83, 0x73, 0x01, 0x4f, 0x40, 0x2f, 0xac, 0x5d, 0xa1, - 0x6e, 0xdb, 0xee, 0xf4, 0x58, 0x60, 0xf0, 0x63, 0x50, 0xda, 0x22, 0x06, 0x23, 0xac, 0x45, 0xaf, - 0x12, 0x57, 0x09, 0x9a, 0x55, 0x82, 0x4a, 0xb5, 0x18, 0x85, 0x93, 0x74, 0xe8, 0x21, 0x18, 0x37, - 0x3c, 0xfb, 0x39, 0xb2, 0xab, 0xec, 0x9e, 0x56, 0x1c, 0xe3, 0xcb, 0x8d, 0xfa, 0x73, 0x64, 0x17, - 0x2b, 0x2c, 0xfa, 0xb9, 0x06, 0xb3, 0x5b, 0xfd, 0xfb, 0x34, 0x97, 0x93, 0x8e, 0xba, 0x32, 0xea, - 0x99, 0x0d, 0xd8, 0xf2, 0xda, 0x59, 0x71, 0x6e, 0x03, 0x10, 0x78, 0x90, 0x62, 0xfd, 0xd7, 0x79, - 0x98, 0x5d, 0x71, 0x7a, 0x3e, 0x27, 0x2c, 0xe5, 0x5c, 0xb7, 0x3f, 0x8a, 0x7e, 0xa0, 0xc1, 0x0c, - 0x69, 0xb7, 0x89, 0xc9, 0xed, 0x1d, 0x72, 0x8c, 0x41, 0x34, 0xa7, 0xb4, 0xce, 0xac, 0x66, 0x84, - 0xe3, 0x3e, 0x75, 0xe8, 0xfb, 0x70, 0x26, 0x82, 0xd5, 0x1b, 0x35, 0x87, 0x9a, 0x57, 0xc3, 0xf8, - 0x79, 0x6c, 0x54, 0x1b, 0xea, 0x8d, 0x4d, 0xc2, 0xe3, 0x10, 0x5e, 0xcd, 0xca, 0xc5, 0xfd, 0xaa, - 0xd0, 0x25, 0x28, 0x73, 0xca, 0x0d, 0x27, 0x5c, 0x7e, 0xfe, 0xbc, 0x76, 0x21, 0x17, 0xdf, 0xeb, - 0xad, 0x04, 0x0e, 0xa7, 0x28, 0xd1, 0x12, 0x80, 0x7c, 0x6e, 0x18, 0x1d, 0xe2, 0xcf, 0x15, 0x24, - 0x5f, 0xb4, 0xdf, 0xad, 0x08, 0x83, 0x13, 0x54, 0xc2, 0xb7, 0xcd, 0x1e, 0x63, 0xc4, 0xe5, 0xe2, - 0x79, 0x6e, 0x5c, 0x32, 0x45, 0xbe, 0xbd, 0x12, 0xa3, 0x70, 0x92, 0x4e, 0xff, 0x4c, 0x83, 0xd2, - 0x6a, 0xe7, 0x0b, 0x50, 0x79, 0xfe, 0x41, 0x83, 0xd3, 0x89, 0x85, 0x9e, 0x40, 0xa2, 0x7c, 0x23, - 0x9d, 0x28, 0x47, 0x5e, 0x61, 0xc2, 0xda, 0x21, 0x59, 0xf2, 0xa7, 0x39, 0x98, 0x49, 0x50, 0x05, - 0x29, 0xd2, 0x02, 0xa0, 0xd1, 0xbe, 0x1f, 0xeb, 0x19, 0x26, 0xe4, 0xde, 0x49, 0x93, 0x03, 0xd2, - 0xa4, 0x03, 0x67, 0x57, 0xaf, 0x71, 0x91, 0xee, 0x9c, 0x55, 0x97, 0xdb, 0x7c, 0x17, 0x93, 0x36, - 0x61, 0xc4, 0x35, 0x09, 0x3a, 0x0f, 0xf9, 0x44, 0x9a, 0x2c, 0x2b, 0xd1, 0xf9, 0x4d, 0x91, 0x22, - 0x25, 0x06, 0x55, 0xa1, 0x28, 0xfe, 0xfa, 0x9e, 0x61, 0x12, 0x95, 0x67, 0xce, 0x28, 0xb2, 0xe2, - 0x66, 0x88, 0xc0, 0x31, 0x8d, 0xfe, 0x6f, 0x0d, 0x66, 0xa4, 0xfa, 0x65, 
0xdf, 0xa7, 0xa6, 0x1d, - 0x64, 0xb8, 0x13, 0xa9, 0x8f, 0x66, 0x0c, 0xa5, 0x51, 0xad, 0xff, 0xd0, 0xa5, 0xa0, 0xe4, 0x8e, - 0x36, 0x29, 0xbe, 0xdc, 0x97, 0x33, 0xf2, 0x71, 0x9f, 0x46, 0xfd, 0xc3, 0x3c, 0x94, 0x12, 0x9b, - 0x8f, 0x5e, 0x86, 0x9c, 0x47, 0x2d, 0xb5, 0xe6, 0x91, 0x7b, 0xbc, 0x06, 0xb5, 0x62, 0x33, 0x26, - 0x44, 0x55, 0x21, 0x20, 0x42, 0x22, 0x7a, 0x57, 0x83, 0x69, 0x92, 0x3a, 0x55, 0x79, 0x3a, 0xa5, - 0xa5, 0xb5, 0x91, 0xe3, 0x79, 0xb0, 0x6f, 0xd4, 0xd0, 0xfe, 0xde, 0xc2, 0x74, 0x06, 0x99, 0x51, - 0x89, 0x1e, 0x82, 0x9c, 0xed, 0x05, 0x6e, 0x5d, 0xae, 0xdd, 0x25, 0x0c, 0xac, 0x37, 0xfc, 0x1b, - 0x7b, 0x0b, 0xc5, 0x7a, 0x43, 0x35, 0x9e, 0x58, 0x10, 0xa0, 0xd7, 0xa1, 0xe0, 0x51, 0xc6, 0x45, - 0xb2, 0x11, 0x27, 0xf2, 0xcd, 0x51, 0x6d, 0x14, 0x9e, 0x66, 0x35, 0x28, 0xe3, 0xf1, 0x8d, 0x23, - 0x9e, 0x7c, 0x1c, 0x88, 0x45, 0xaf, 0x42, 0xde, 0xa5, 0x16, 0x91, 0x39, 0xa9, 0xb4, 0xf4, 0xf4, - 0xc8, 0xe2, 0xa9, 0x45, 0xe2, 0x85, 0x4f, 0xca, 0x10, 0x10, 0x20, 0x29, 0x14, 0x75, 0x60, 0xc2, - 0x27, 0x6c, 0xc7, 0x36, 0x83, 0xf4, 0x55, 0x5a, 0xfa, 0xd6, 0xa8, 0xf2, 0x9b, 0x01, 0x7b, 0xac, - 0xa2, 0xb4, 0xbf, 0xb7, 0x30, 0x11, 0x42, 0x43, 0xe9, 0xfa, 0x07, 0x79, 0x28, 0xdf, 0x29, 0x88, - 0xee, 0x14, 0x44, 0x83, 0x0a, 0xa2, 0xdf, 0x68, 0x30, 0x9d, 0xbe, 0x97, 0xd2, 0x57, 0xb3, 0x76, - 0xf0, 0xd5, 0x1c, 0xdd, 0xf6, 0x63, 0x43, 0x6f, 0xfb, 0x1a, 0xe4, 0x7a, 0xb6, 0x25, 0x3b, 0x83, - 0x62, 0xed, 0x91, 0xa8, 0x95, 0xa9, 0x5f, 0xbe, 0xb1, 0xb7, 0xf0, 0xc0, 0xb0, 0x11, 0x22, 0xdf, - 0xf5, 0x88, 0x5f, 0x79, 0xb1, 0x7e, 0x19, 0x0b, 0x66, 0xfd, 0x6d, 0x28, 0x3f, 0xdb, 0x6a, 0x35, - 0x1a, 0x8c, 0x72, 0x6a, 0x52, 0x47, 0x68, 0xdd, 0xa6, 0x3e, 0xcf, 0xe6, 0x98, 0x67, 0xa9, 0xcf, - 0xb1, 0xc4, 0x88, 0x46, 0xa6, 0x4b, 0xf8, 0x36, 0xb5, 0xb2, 0x8d, 0xcc, 0x86, 0x84, 0x62, 0x85, - 0x15, 0x92, 0x3c, 0x83, 0x6f, 0x2b, 0xf3, 0x22, 0x49, 0x0d, 0x83, 0x6f, 0x63, 0x89, 0xd1, 0x3f, - 0xd2, 0x60, 0x42, 0x9d, 0x2b, 0x7a, 0x19, 0xf2, 0xa6, 0x6d, 0x31, 0x15, 0x38, 0x87, 0xf4, 0xa4, - 0x48, 0xc9, 
0x4a, 0xfd, 0x32, 0xc6, 0x52, 0x20, 0x7a, 0x0d, 0xc6, 0xc9, 0x35, 0x93, 0x78, 0x5c, - 0x05, 0xca, 0x21, 0x45, 0x47, 0xab, 0x5c, 0x95, 0xc2, 0xb0, 0x12, 0xaa, 0xff, 0x47, 0x03, 0x54, - 0x6f, 0x7c, 0x71, 0x53, 0x68, 0x1b, 0x0a, 0x72, 0x83, 0xd0, 0x83, 0x30, 0x66, 0x7b, 0x72, 0xad, - 0xe5, 0xda, 0xec, 0xfe, 0xde, 0xc2, 0x58, 0xbd, 0x91, 0x4e, 0x2d, 0x63, 0xb6, 0x27, 0x82, 0xd7, - 0x63, 0xa4, 0x6d, 0x5f, 0x5b, 0x27, 0x6e, 0x87, 0x6f, 0x4b, 0x0f, 0x2a, 0xc4, 0xc1, 0xdb, 0x48, - 0xe0, 0x70, 0x8a, 0x52, 0xff, 0x9d, 0x06, 0xb0, 0x7e, 0x31, 0x72, 0xd3, 0x57, 0x20, 0xbf, 0xcd, - 0xb9, 0x77, 0xd8, 0x54, 0x9d, 0x74, 0xf9, 0x20, 0x83, 0x08, 0x08, 0x96, 0x32, 0xd1, 0x4b, 0x90, - 0xe3, 0x8e, 0xaf, 0x12, 0xf4, 0xc8, 0xf7, 0x6a, 0x6b, 0xbd, 0x19, 0x49, 0x96, 0x45, 0x40, 0x6b, - 0xbd, 0x89, 0x85, 0x40, 0xfd, 0x03, 0x0d, 0xd0, 0x46, 0xcf, 0x11, 0x8d, 0xb5, 0xcf, 0xe5, 0xf6, - 0xd5, 0xdd, 0x36, 0x45, 0x0f, 0x42, 0x41, 0xf6, 0x18, 0x2a, 0xe4, 0xa2, 0x94, 0x19, 0x1c, 0x4a, - 0x80, 0x43, 0xaf, 0x43, 0xde, 0xa3, 0xd6, 0xa1, 0xc7, 0xcf, 0xa9, 0xd2, 0x24, 0x0e, 0x45, 0x6a, - 0xf9, 0x58, 0xca, 0xd5, 0xdf, 0xd3, 0xa0, 0x18, 0xa5, 0x6d, 0x19, 0xba, 0x94, 0x05, 0x97, 0x40, - 0x21, 0x49, 0xcf, 0x38, 0x96, 0x98, 0x5b, 0xb8, 0x9c, 0x2e, 0xc1, 0xa4, 0xa7, 0xf6, 0x41, 0x5d, - 0x01, 0xf7, 0x47, 0x93, 0x1a, 0x05, 0xbf, 0x91, 0xf8, 0x8d, 0x23, 0x6a, 0xfd, 0x1f, 0x39, 0x98, - 0xda, 0x24, 0xfc, 0x2d, 0xca, 0xae, 0x36, 0xa8, 0x63, 0x9b, 0xbb, 0x27, 0x10, 0x4d, 0x6d, 0x28, - 0xb0, 0x9e, 0x43, 0xc2, 0x0d, 0x5e, 0x1e, 0xb9, 0x26, 0x49, 0xda, 0x8b, 0x7b, 0x0e, 0x89, 0xcf, - 0x51, 0x3c, 0xf9, 0x38, 0x10, 0x8f, 0x9e, 0x86, 0xd3, 0x46, 0x6a, 0x22, 0x19, 0xe4, 0xce, 0xa2, - 0x0c, 0x99, 0xd3, 0xe9, 0x61, 0xa5, 0x8f, 0xb3, 0xb4, 0xe8, 0x82, 0xd8, 0x54, 0x9b, 0x32, 0x51, - 0x40, 0x8a, 0xc4, 0xa7, 0xd5, 0xca, 0xc1, 0x86, 0x06, 0x30, 0x1c, 0x61, 0xd1, 0xa3, 0x50, 0xe6, - 0x36, 0x61, 0x21, 0x46, 0xa6, 0xbb, 0x42, 0x6d, 0x46, 0xa6, 0xc8, 0x04, 0x1c, 0xa7, 0xa8, 0x90, - 0x0f, 0x45, 0x9f, 0xf6, 0x98, 0x2c, 0x7e, 0x54, 
0xf9, 0x74, 0xe5, 0x68, 0x5b, 0x11, 0x79, 0xdd, - 0x94, 0x48, 0x74, 0xcd, 0x50, 0x38, 0x8e, 0xf5, 0xe8, 0x7f, 0xd2, 0xe0, 0x4c, 0x8a, 0xe9, 0x04, - 0xda, 0xea, 0xad, 0x74, 0x5b, 0xfd, 0xf4, 0x91, 0x16, 0x39, 0xa4, 0xb1, 0xfe, 0xa7, 0x06, 0x67, - 0x53, 0x74, 0xa2, 0x4a, 0x6d, 0x72, 0x83, 0xf7, 0x7c, 0xf4, 0x30, 0x4c, 0x8a, 0x6a, 0x75, 0x73, - 0xc0, 0xd4, 0x73, 0x53, 0xc1, 0x71, 0x44, 0x21, 0x2a, 0x17, 0xf5, 0xb6, 0xcf, 0xa6, 0xae, 0x8c, - 0xb9, 0x44, 0xe5, 0xb2, 0x16, 0x61, 0x70, 0x82, 0x0a, 0x7d, 0x1b, 0x10, 0x23, 0x86, 0x63, 0xbf, - 0x2d, 0x1f, 0xaf, 0x18, 0xb6, 0xd3, 0x63, 0x44, 0x46, 0xe2, 0x64, 0xed, 0x5e, 0xc5, 0x8b, 0x70, - 0x1f, 0x05, 0x1e, 0xc0, 0x85, 0xbe, 0x0a, 0x13, 0x5d, 0xe2, 0xfb, 0xa2, 0x02, 0xca, 0x4b, 0x63, - 0x4f, 0x2b, 0x01, 0x13, 0x1b, 0x01, 0x18, 0x87, 0x78, 0xf9, 0x16, 0x2b, 0xb5, 0xe8, 0x06, 0x21, - 0x0c, 0x5d, 0x84, 0x29, 0x23, 0xf1, 0x6a, 0xcb, 0x9f, 0xd3, 0xa4, 0xd3, 0x9f, 0xd9, 0xdf, 0x5b, - 0x98, 0x4a, 0xbe, 0xf3, 0xf2, 0x71, 0x9a, 0x0e, 0x11, 0x98, 0xb4, 0x3d, 0x55, 0x64, 0x06, 0x47, - 0x75, 0x71, 0xf4, 0xfc, 0x2d, 0xf9, 0xe3, 0x0d, 0x8e, 0xaa, 0xcb, 0x48, 0x34, 0x5a, 0x80, 0x42, - 0xfb, 0x4d, 0xcb, 0x0d, 0x83, 0xb1, 0x28, 0xce, 0xf2, 0xca, 0x0b, 0x97, 0x37, 0x7d, 0x1c, 0xc0, - 0x11, 0x17, 0xb5, 0xa3, 0x6a, 0x01, 0xc2, 0xbe, 0xe8, 0xe8, 0x8d, 0x45, 0xa2, 0xfa, 0x0c, 0x65, - 0xe3, 0x84, 0x1e, 0x71, 0x5b, 0x38, 0xc6, 0x16, 0x71, 0xea, 0x16, 0x11, 0x1d, 0x9c, 0x2d, 0xcb, - 0xd6, 0xdc, 0x85, 0xa9, 0xe0, 0xb6, 0x58, 0x4f, 0xa3, 0x70, 0x96, 0x56, 0xff, 0x4c, 0x83, 0x7b, - 0x06, 0x47, 0x23, 0x7a, 0x0c, 0xf2, 0xa2, 0x10, 0x54, 0xbe, 0xf7, 0x40, 0x78, 0x7f, 0xb7, 0x76, - 0x3d, 0x72, 0x63, 0x6f, 0x21, 0x7d, 0x82, 0x02, 0x88, 0x25, 0xf9, 0xc8, 0xf3, 0x85, 0x28, 0x4f, - 0xe4, 0x0e, 0x2a, 0x62, 0xf3, 0x47, 0x29, 0x62, 0x3f, 0x1a, 0xcf, 0x38, 0x9d, 0xb8, 0x73, 0xd1, - 0x53, 0x50, 0xb4, 0x6c, 0x26, 0xda, 0x07, 0x1a, 0x8e, 0xe9, 0xe7, 0x43, 0x63, 0x2f, 0x87, 0x88, - 0x1b, 0xc9, 0x07, 0x1c, 0x33, 0x20, 0x13, 0xf2, 0x6d, 0x46, 0xbb, 0xaa, 0x0c, 0x38, 
0x5a, 0x42, - 0x10, 0x31, 0x10, 0x2f, 0xfe, 0x0a, 0xa3, 0x5d, 0x2c, 0x85, 0xa3, 0xd7, 0x60, 0x8c, 0x53, 0x35, - 0xda, 0x3f, 0x06, 0x15, 0xa0, 0x54, 0x8c, 0xb5, 0x28, 0x1e, 0xe3, 0x54, 0x44, 0x8f, 0x9f, 0xf6, - 0xd9, 0x8b, 0x87, 0xf4, 0xd9, 0x38, 0x7a, 0x22, 0x47, 0x8d, 0x44, 0xcb, 0x97, 0x32, 0x99, 0x3c, - 0x13, 0xa7, 0xfa, 0xbe, 0xcc, 0xf4, 0x12, 0x8c, 0x1b, 0xc1, 0x99, 0x8c, 0xcb, 0x33, 0x79, 0x46, - 0xbe, 0x04, 0x09, 0x0f, 0xe3, 0x91, 0x9b, 0x7c, 0x72, 0xc2, 0x2c, 0xf5, 0xa5, 0xc9, 0x62, 0x45, - 0x1c, 0x70, 0xc0, 0x83, 0x95, 0x34, 0xf4, 0x24, 0x4c, 0x11, 0xd7, 0xd8, 0x72, 0xc8, 0x3a, 0xed, - 0x74, 0x6c, 0xb7, 0x33, 0x37, 0x21, 0xef, 0xba, 0xbb, 0x95, 0x29, 0x53, 0xab, 0x49, 0x24, 0x4e, - 0xd3, 0x0e, 0xca, 0xcb, 0x93, 0x23, 0xe4, 0xe5, 0xd0, 0xcd, 0x8b, 0x43, 0xdd, 0xfc, 0x4d, 0x28, - 0x39, 0x51, 0xf9, 0xea, 0xcf, 0x81, 0x3c, 0x8d, 0x27, 0x46, 0x3d, 0x8d, 0xb8, 0x02, 0x8e, 0x9b, - 0xd0, 0x18, 0xe6, 0xe3, 0xa4, 0x0e, 0x71, 0x2c, 0x0e, 0xed, 0xc8, 0x5b, 0x62, 0xae, 0x94, 0xce, - 0x31, 0xeb, 0x0a, 0x8e, 0x23, 0x0a, 0xfd, 0xfd, 0x1c, 0xa0, 0x94, 0x47, 0x89, 0x4c, 0xe5, 0xa3, - 0x77, 0x35, 0x98, 0x72, 0x93, 0x60, 0x95, 0x8c, 0x8f, 0xab, 0x2c, 0x88, 0x8e, 0x27, 0x8d, 0x4f, - 0xeb, 0x44, 0x1e, 0x94, 0x39, 0x33, 0xda, 0x6d, 0xdb, 0x94, 0x56, 0xa9, 0xa0, 0x7c, 0xfc, 0x26, - 0x36, 0xc8, 0xef, 0x85, 0x2a, 0xe1, 0xf7, 0x42, 0x95, 0x56, 0x82, 0x3b, 0x31, 0x2c, 0x48, 0x40, - 0x71, 0x4a, 0x03, 0x7a, 0x47, 0x83, 0x19, 0x51, 0xb2, 0x25, 0x49, 0xd4, 0x98, 0xe3, 0x89, 0x5b, - 0x57, 0x8b, 0x33, 0x12, 0xe2, 0xd6, 0x2a, 0x8b, 0xc1, 0x7d, 0xda, 0xf4, 0xbf, 0x69, 0x30, 0xdb, - 0x77, 0x22, 0xbd, 0x93, 0x98, 0x33, 0x39, 0x50, 0x10, 0xb5, 0x47, 0x98, 0x72, 0xd7, 0x8e, 0x74, - 0xd6, 0x71, 0xd5, 0x13, 0xd7, 0x49, 0x02, 0xe6, 0xe3, 0x40, 0x89, 0xbe, 0x08, 0x53, 0xa9, 0x91, - 0xde, 0xc1, 0x73, 0x6e, 0xfd, 0xc3, 0x02, 0xcc, 0x84, 0x72, 0xfd, 0x66, 0xaf, 0xdb, 0x35, 0xd8, - 0x49, 0x74, 0x09, 0x3f, 0xd2, 0xe0, 0x74, 0xd2, 0x31, 0xed, 0x68, 0x8b, 0x6a, 0x47, 0xda, 0xa2, - 0xc0, 0x37, 0xce, 0x2a, 
0xdd, 0xa7, 0x37, 0xd3, 0x2a, 0x70, 0x56, 0x27, 0xfa, 0xad, 0x06, 0xf7, - 0x07, 0x5a, 0xd4, 0x8b, 0xd9, 0x0c, 0x87, 0x72, 0xd4, 0xe3, 0x30, 0xea, 0xcb, 0xca, 0xa8, 0xfb, - 0x97, 0x6f, 0xa2, 0x0f, 0xdf, 0xd4, 0x1a, 0xf4, 0x2b, 0x0d, 0xee, 0x0e, 0x08, 0xb2, 0x76, 0xe6, - 0x8f, 0xcd, 0xce, 0x73, 0xca, 0xce, 0xbb, 0x97, 0x07, 0x29, 0xc2, 0x83, 0xf5, 0x8b, 0x7e, 0xa7, - 0x1b, 0x76, 0xe4, 0xb2, 0xb4, 0x3a, 0x84, 0x31, 0xfd, 0x2d, 0x7d, 0x5c, 0x13, 0x45, 0x38, 0x1c, - 0xeb, 0xd1, 0x5f, 0x83, 0xbb, 0x1a, 0x46, 0xc7, 0x76, 0x65, 0x89, 0xbd, 0x46, 0xf8, 0xf3, 0x9e, - 0xf8, 0xe1, 0x07, 0x03, 0xb3, 0x4e, 0xe0, 0xf6, 0xb9, 0xe4, 0xc0, 0xac, 0x43, 0xb0, 0xc4, 0xa0, - 0x07, 0xa1, 0xe0, 0xd8, 0x5d, 0x9b, 0xab, 0x16, 0x20, 0x0a, 0xa7, 0x75, 0x01, 0xc4, 0x01, 0x4e, - 0x37, 0xa0, 0x9c, 0x6c, 0xf7, 0x6f, 0xc7, 0x5b, 0xa3, 0xdf, 0xe7, 0x20, 0x9c, 0x87, 0xa3, 0x47, - 0x13, 0x7d, 0x7e, 0xa0, 0x62, 0xee, 0xe0, 0x1e, 0x1f, 0x6d, 0xaa, 0x09, 0xc3, 0xd8, 0x01, 0x71, - 0xda, 0xe3, 0xb6, 0x53, 0x09, 0x3e, 0x78, 0xac, 0xd4, 0x5d, 0xfe, 0x3c, 0x6b, 0x72, 0x66, 0xbb, - 0x9d, 0x60, 0x66, 0x93, 0x98, 0x47, 0x7c, 0x05, 0x26, 0x88, 0x2b, 0x87, 0x17, 0xb2, 0x9a, 0x2a, - 0x04, 0x33, 0xfb, 0xd5, 0x00, 0x84, 0x43, 0x9c, 0xe8, 0x9f, 0x6d, 0xb3, 0xeb, 0x89, 0x8a, 0x56, - 0x56, 0x9c, 0x85, 0xa0, 0x7f, 0xae, 0xaf, 0x6c, 0x34, 0x64, 0x95, 0x1b, 0x61, 0x43, 0xca, 0x95, - 0xf0, 0x3d, 0x45, 0x82, 0x52, 0xc0, 0x70, 0x84, 0x95, 0x94, 0x1d, 0x25, 0x73, 0x3c, 0x41, 0xb9, - 0x16, 0xc9, 0x54, 0x58, 0x74, 0x49, 0xbd, 0xb4, 0x56, 0x1d, 0x8f, 0x2c, 0x50, 0x8a, 0x99, 0xf7, - 0xce, 0xe1, 0xb4, 0x2c, 0x45, 0x29, 0x96, 0xe7, 0x33, 0x53, 0x2e, 0x6f, 0x32, 0x5e, 0x5e, 0x33, - 0x00, 0xe1, 0x10, 0x87, 0x2a, 0x00, 0x3e, 0x33, 0xd5, 0xaa, 0x65, 0x31, 0x52, 0xa8, 0x4d, 0x8b, - 0xdb, 0xac, 0x19, 0x41, 0x71, 0x82, 0x42, 0x27, 0x30, 0x93, 0xed, 0x49, 0x6e, 0x87, 0xbb, 0xbc, - 0x9f, 0x87, 0xb3, 0xcd, 0x9e, 0x27, 0x0e, 0x2a, 0xf8, 0xb4, 0x66, 0x85, 0x3a, 0x8e, 0x2a, 0xb3, - 0x6f, 0xff, 0xa5, 0xfd, 0x2a, 0x14, 0xc9, 0x35, 0xcf, 0x66, 
0xc4, 0x5a, 0x0e, 0xfd, 0xed, 0x6b, - 0xb7, 0xa6, 0xa2, 0x65, 0x77, 0x49, 0xbc, 0xb4, 0xd5, 0x50, 0x08, 0x8e, 0xe5, 0x89, 0xbd, 0xf0, - 0x6d, 0xd7, 0x24, 0x82, 0x54, 0x35, 0x39, 0x11, 0x43, 0x33, 0x44, 0xe0, 0x98, 0x46, 0x34, 0x92, - 0xed, 0xe8, 0x63, 0x24, 0xe9, 0x83, 0x87, 0x68, 0x24, 0xb3, 0x1f, 0x35, 0xc5, 0x3b, 0x10, 0xc3, - 0x70, 0x42, 0x0f, 0xfa, 0x99, 0x06, 0xd3, 0x46, 0xfa, 0x7b, 0xa2, 0xe0, 0xe5, 0xdb, 0xc6, 0xe1, - 0x54, 0x0f, 0xf9, 0x36, 0xaa, 0x76, 0x8f, 0xb2, 0x63, 0x3a, 0xf3, 0x61, 0x51, 0x46, 0xb9, 0xfe, - 0xb9, 0x06, 0xf7, 0x0d, 0xf1, 0x88, 0x13, 0x18, 0xfe, 0x38, 0xe9, 0xe1, 0xcf, 0xc8, 0xe5, 0xcd, - 0x10, 0xcb, 0x87, 0x8c, 0x81, 0x7e, 0x39, 0x06, 0x0f, 0x0c, 0xe1, 0x38, 0xf4, 0x40, 0xe8, 0x49, - 0x98, 0x0a, 0x7f, 0x27, 0xc3, 0x30, 0x2e, 0xa6, 0x93, 0x48, 0x9c, 0xa6, 0x0d, 0x55, 0xc9, 0x0b, - 0x2b, 0xd7, 0xaf, 0x2a, 0xb8, 0xb4, 0x42, 0x0a, 0xe1, 0xe1, 0x26, 0xed, 0x7a, 0x0e, 0xe1, 0x24, - 0xe8, 0xd2, 0x27, 0x63, 0x0f, 0x5f, 0x09, 0x11, 0x38, 0xa6, 0x11, 0x49, 0x8a, 0x30, 0x46, 0x99, - 0xf4, 0xb0, 0xc4, 0x3c, 0x7b, 0x55, 0x00, 0x71, 0x80, 0xd3, 0xff, 0xa5, 0xc1, 0xb9, 0x21, 0x9b, - 0x72, 0x62, 0x55, 0xee, 0x4e, 0xba, 0xca, 0x7d, 0xe1, 0x98, 0xdc, 0xe0, 0xc0, 0x7a, 0xf7, 0x61, - 0x28, 0x25, 0x5e, 0x12, 0xa0, 0x73, 0x90, 0xf3, 0x5d, 0x3b, 0xfb, 0x41, 0x62, 0x73, 0xb3, 0x8e, - 0x05, 0xbc, 0xd6, 0xfa, 0xf8, 0xfa, 0xfc, 0xa9, 0x4f, 0xae, 0xcf, 0x9f, 0xfa, 0xf4, 0xfa, 0xfc, - 0xa9, 0x77, 0xf6, 0xe7, 0xb5, 0x8f, 0xf7, 0xe7, 0xb5, 0x4f, 0xf6, 0xe7, 0xb5, 0x4f, 0xf7, 0xe7, - 0xb5, 0xbf, 0xec, 0xcf, 0x6b, 0xbf, 0xf8, 0xeb, 0xfc, 0xa9, 0x57, 0x2a, 0xa3, 0xfd, 0xa7, 0xc6, - 0x7f, 0x03, 0x00, 0x00, 0xff, 0xff, 0xcb, 0x02, 0x8d, 0x03, 0xda, 0x31, 0x00, 0x00, + // 3056 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x3b, 0x4d, 0x6f, 0x24, 0x57, + 0xb5, 0x53, 0xfd, 0x61, 0xbb, 0x4f, 0xdb, 0x1e, 0xcf, 0x75, 0x92, 0xf1, 0x4b, 0x32, 0xf6, 0xa4, + 0xf2, 0x5e, 0x34, 0xef, 0x29, 0xaf, 0x9d, 0x31, 0x49, 0x66, 
0xc8, 0x97, 0x70, 0x7b, 0x3c, 0x4e, + 0x13, 0xdb, 0xd3, 0xb9, 0x76, 0x12, 0x91, 0x90, 0x90, 0x72, 0xd5, 0xed, 0x76, 0x31, 0xd5, 0x55, + 0x35, 0xf7, 0xde, 0x72, 0xc6, 0x41, 0x42, 0x41, 0x81, 0x45, 0x08, 0x10, 0xc4, 0x06, 0x65, 0xc7, + 0x0e, 0x09, 0xf1, 0x0b, 0xb2, 0x22, 0x0b, 0xa4, 0x2c, 0x83, 0x10, 0x22, 0x2b, 0x8b, 0x18, 0x11, + 0x94, 0x05, 0x42, 0x62, 0xc7, 0x20, 0x24, 0x74, 0x3f, 0xea, 0xab, 0xdb, 0x3d, 0x9e, 0xb6, 0x3d, + 0x46, 0x22, 0xb3, 0x72, 0xd7, 0x39, 0xe7, 0x9e, 0x73, 0xee, 0x3d, 0xe7, 0xdc, 0xf3, 0x51, 0x65, + 0x78, 0xc6, 0xf2, 0x39, 0x25, 0x56, 0xcd, 0x0d, 0x66, 0xd5, 0xaf, 0xd9, 0xf0, 0x6a, 0x7b, 0xd6, + 0x0a, 0x5d, 0x36, 0x6b, 0x07, 0x3e, 0xa7, 0x81, 0x17, 0x7a, 0x96, 0x4f, 0x66, 0xb7, 0xce, 0x6f, + 0x10, 0x6e, 0xcd, 0xcd, 0xb6, 0x89, 0x4f, 0xa8, 0xc5, 0x89, 0x53, 0x0b, 0x69, 0xc0, 0x03, 0x54, + 0x53, 0xab, 0xbe, 0xe1, 0x06, 0xfa, 0x57, 0x2d, 0xbc, 0xda, 0xae, 0x89, 0xf5, 0xb5, 0xec, 0xfa, + 0x9a, 0x5e, 0x7f, 0xef, 0xc5, 0xfe, 0xf2, 0x18, 0xb7, 0x38, 0x9b, 0xdd, 0x3a, 0x6f, 0x79, 0xe1, + 0xa6, 0x75, 0xbe, 0x5b, 0xd2, 0xbd, 0xff, 0xdf, 0x76, 0xf9, 0x66, 0xb4, 0x51, 0xb3, 0x83, 0xce, + 0x6c, 0x3b, 0x68, 0x07, 0xb3, 0x12, 0xbc, 0x11, 0xb5, 0xe4, 0x93, 0x7c, 0x90, 0xbf, 0x34, 0xf9, + 0xa3, 0x57, 0x2f, 0x32, 0x29, 0x25, 0x74, 0x3b, 0x96, 0xbd, 0xe9, 0xfa, 0x84, 0x6e, 0xa7, 0xb2, + 0x3a, 0x84, 0x5b, 0xb3, 0x5b, 0xbd, 0x42, 0x66, 0xfb, 0xad, 0xa2, 0x91, 0xcf, 0xdd, 0x0e, 0xe9, + 0x59, 0xf0, 0xf8, 0x7e, 0x0b, 0x98, 0xbd, 0x49, 0x3a, 0x56, 0xcf, 0xba, 0x2f, 0xf5, 0x5b, 0x17, + 0x71, 0xd7, 0x9b, 0x75, 0x7d, 0xce, 0x38, 0xed, 0x5e, 0x64, 0xfe, 0xd9, 0x80, 0xd1, 0x79, 0xc7, + 0xa1, 0x84, 0xb1, 0x25, 0x1a, 0x44, 0x21, 0x7a, 0x1d, 0x46, 0xc4, 0x4e, 0x1c, 0x8b, 0x5b, 0x53, + 0xc6, 0x59, 0xe3, 0x5c, 0x75, 0xee, 0x91, 0x9a, 0x62, 0x5c, 0xcb, 0x32, 0x4e, 0x6d, 0x22, 0xa8, + 0x6b, 0x5b, 0xe7, 0x6b, 0x57, 0x36, 0xbe, 0x49, 0x6c, 0xbe, 0x42, 0xb8, 0x55, 0x47, 0x1f, 0xed, + 0xcc, 0x9c, 0xd8, 0xdd, 0x99, 0x81, 0x14, 0x86, 0x13, 0xae, 0x28, 0x82, 0xd1, 0xb6, 0x10, 0xb5, + 
0x42, 0x3a, 0x1b, 0x84, 0xb2, 0xa9, 0xc2, 0xd9, 0xe2, 0xb9, 0xea, 0xdc, 0x93, 0x03, 0x9a, 0xbd, + 0xb6, 0x94, 0xf2, 0xa8, 0xdf, 0xa5, 0x05, 0x8e, 0x66, 0x80, 0x0c, 0xe7, 0xc4, 0x98, 0xbf, 0x35, + 0x60, 0x22, 0xbb, 0xd3, 0x65, 0x97, 0x71, 0xf4, 0xf5, 0x9e, 0xdd, 0xd6, 0x6e, 0x6d, 0xb7, 0x62, + 0xb5, 0xdc, 0xeb, 0x84, 0x16, 0x3d, 0x12, 0x43, 0x32, 0x3b, 0xb5, 0xa0, 0xec, 0x72, 0xd2, 0x89, + 0xb7, 0xf8, 0xd4, 0xa0, 0x5b, 0xcc, 0xaa, 0x5b, 0x1f, 0xd3, 0x82, 0xca, 0x0d, 0xc1, 0x12, 0x2b, + 0xce, 0xe6, 0x3b, 0x45, 0x38, 0x95, 0x25, 0x6b, 0x5a, 0xdc, 0xde, 0x3c, 0x06, 0x23, 0x7e, 0xd7, + 0x80, 0x53, 0x96, 0xe3, 0x10, 0x67, 0xe9, 0x88, 0x4d, 0xf9, 0x5f, 0x5a, 0xac, 0xd8, 0x55, 0x9e, + 0x3b, 0xee, 0x15, 0x88, 0xbe, 0x6f, 0xc0, 0x24, 0x25, 0x9d, 0x60, 0xab, 0x4b, 0x91, 0xe2, 0xe1, + 0x15, 0xb9, 0x4f, 0x2b, 0x32, 0x89, 0x7b, 0xf9, 0xe3, 0xbd, 0x84, 0x9a, 0x9f, 0x1b, 0x30, 0x3e, + 0x1f, 0x86, 0x9e, 0x4b, 0x9c, 0xf5, 0xe0, 0x3f, 0x3c, 0x9a, 0x7e, 0x6f, 0x00, 0xca, 0xef, 0xf5, + 0x18, 0xe2, 0xc9, 0xce, 0xc7, 0xd3, 0x33, 0x03, 0xc7, 0x53, 0x4e, 0xe1, 0x3e, 0x11, 0xf5, 0x6e, + 0x11, 0x26, 0xf3, 0x84, 0x77, 0x62, 0xea, 0xdf, 0x17, 0x53, 0xd7, 0x60, 0xb2, 0x6e, 0x31, 0xd7, + 0x9e, 0x8f, 0xf8, 0x26, 0xf1, 0xb9, 0x6b, 0x5b, 0xdc, 0x0d, 0x7c, 0xf4, 0x30, 0x8c, 0x44, 0x8c, + 0x50, 0xdf, 0xea, 0x10, 0x69, 0x8c, 0x4a, 0xea, 0x37, 0x2f, 0x68, 0x38, 0x4e, 0x28, 0x04, 0x75, + 0x68, 0x31, 0xf6, 0x46, 0x40, 0x9d, 0xa9, 0x42, 0x9e, 0xba, 0xa9, 0xe1, 0x38, 0xa1, 0x30, 0xcf, + 0xc3, 0x44, 0x3d, 0xf2, 0x1d, 0x8f, 0x5c, 0x76, 0x3d, 0xb2, 0x46, 0xe8, 0x16, 0xa1, 0xe8, 0x0c, + 0x14, 0x23, 0xea, 0x69, 0x51, 0x55, 0xbd, 0xb8, 0xf8, 0x02, 0x5e, 0xc6, 0x02, 0x6e, 0xbe, 0x57, + 0x80, 0x33, 0x6a, 0x8d, 0xa2, 0x17, 0xda, 0x2e, 0x04, 0x7e, 0xcb, 0x6d, 0x47, 0x54, 0x29, 0xfc, + 0x18, 0x54, 0x37, 0x88, 0x45, 0x09, 0x5d, 0x0f, 0xae, 0x12, 0x5f, 0x33, 0x9a, 0xd4, 0x8c, 0xaa, + 0xf5, 0x14, 0x85, 0xb3, 0x74, 0xe8, 0x21, 0x18, 0xb2, 0x42, 0xf7, 0x39, 0xb2, 0xad, 0xf5, 0x1e, + 0xd7, 0x2b, 0x86, 0xe6, 0x9b, 0x8d, 
0xe7, 0xc8, 0x36, 0xd6, 0x58, 0xf4, 0x23, 0x03, 0x26, 0x37, + 0x7a, 0xcf, 0x69, 0xaa, 0x28, 0x1d, 0x75, 0x61, 0x50, 0x9b, 0xed, 0x71, 0xe4, 0xf5, 0xd3, 0xc2, + 0x6e, 0x7b, 0x20, 0xf0, 0x5e, 0x82, 0xcd, 0x9f, 0x95, 0x60, 0x72, 0xc1, 0x8b, 0x18, 0x27, 0x34, + 0xe7, 0x5c, 0xb7, 0x3f, 0x8a, 0xbe, 0x63, 0xc0, 0x04, 0x69, 0xb5, 0x88, 0xcd, 0xdd, 0x2d, 0x72, + 0x84, 0x41, 0x34, 0xa5, 0xa5, 0x4e, 0x2c, 0x76, 0x31, 0xc7, 0x3d, 0xe2, 0xd0, 0xb7, 0xe1, 0x54, + 0x02, 0x6b, 0x34, 0xeb, 0x5e, 0x60, 0x5f, 0x8d, 0xe3, 0xe7, 0xb1, 0x41, 0x75, 0x68, 0x34, 0x57, + 0x09, 0x4f, 0x43, 0x78, 0xb1, 0x9b, 0x2f, 0xee, 0x15, 0x85, 0x2e, 0xc2, 0x28, 0x0f, 0xb8, 0xe5, + 0xc5, 0xdb, 0x2f, 0x9d, 0x35, 0xce, 0x15, 0xd3, 0x7b, 0x7d, 0x3d, 0x83, 0xc3, 0x39, 0x4a, 0x34, + 0x07, 0x20, 0x9f, 0x9b, 0x56, 0x9b, 0xb0, 0xa9, 0xb2, 0x5c, 0x97, 0x9c, 0xf7, 0x7a, 0x82, 0xc1, + 0x19, 0x2a, 0xe1, 0xdb, 0x76, 0x44, 0x29, 0xf1, 0xb9, 0x78, 0x9e, 0x1a, 0x92, 0x8b, 0x12, 0xdf, + 0x5e, 0x48, 0x51, 0x38, 0x4b, 0x67, 0x7e, 0x66, 0x40, 0x75, 0xb1, 0xfd, 0x05, 0xa8, 0x3c, 0x7f, + 0x63, 0xc0, 0xc9, 0xcc, 0x46, 0x8f, 0x21, 0x51, 0xbe, 0x9e, 0x4f, 0x94, 0x03, 0xef, 0x30, 0xa3, + 0x6d, 0x9f, 0x2c, 0xf9, 0x83, 0x22, 0x4c, 0x64, 0xa8, 0x54, 0x8a, 0x74, 0x00, 0x82, 0xe4, 0xdc, + 0x8f, 0xd4, 0x86, 0x19, 0xbe, 0x77, 0xd2, 0xe4, 0x1e, 0x69, 0xd2, 0x82, 0xa1, 0x45, 0x9f, 0xbb, + 0x7c, 0x1b, 0xbd, 0x04, 0xc5, 0x30, 0x70, 0xf4, 0xe1, 0x0f, 0xdc, 0x71, 0x34, 0x03, 0x07, 0x93, + 0x16, 0xa1, 0xc4, 0xb7, 0x49, 0x7d, 0x58, 0xe4, 0x38, 0x01, 0x11, 0x1c, 0x4d, 0x0f, 0x4e, 0x2f, + 0x5e, 0xe7, 0x22, 0xa3, 0x7a, 0x4a, 0x54, 0x42, 0x88, 0xce, 0x42, 0x29, 0x93, 0x89, 0x47, 0xb5, + 0xf6, 0xa5, 0x55, 0x91, 0x85, 0x25, 0x06, 0xcd, 0x42, 0x45, 0xfc, 0x65, 0xa1, 0x65, 0x13, 0x9d, + 0xca, 0x4e, 0x69, 0xb2, 0xca, 0x6a, 0x8c, 0xc0, 0x29, 0x8d, 0xf9, 0x0f, 0x03, 0x26, 0xe4, 0x0e, + 0xe7, 0x19, 0x0b, 0x6c, 0x57, 0x25, 0xd1, 0x63, 0x29, 0xc1, 0x26, 0x2c, 0x2d, 0x51, 0x1f, 0xf1, + 0x81, 0xab, 0x4d, 0xb9, 0x3a, 0x3d, 0xcd, 0x24, 0x7f, 0xcc, 0x77, 0xf1, 
0xc7, 0x3d, 0x12, 0xcd, + 0x0f, 0x4a, 0x50, 0xcd, 0xd8, 0xf7, 0xb6, 0x19, 0x15, 0xbd, 0x6d, 0xc0, 0x38, 0xc9, 0x59, 0x55, + 0x5a, 0xa7, 0x3a, 0xb7, 0x34, 0xf0, 0x95, 0xb1, 0xb7, 0x6f, 0xd4, 0xd1, 0xee, 0xce, 0xcc, 0x78, + 0x17, 0xb2, 0x4b, 0x24, 0x7a, 0x08, 0x8a, 0x6e, 0xa8, 0x22, 0x67, 0xb4, 0x7e, 0x97, 0x50, 0xb0, + 0xd1, 0x64, 0x37, 0x76, 0x66, 0x2a, 0x8d, 0xa6, 0xee, 0x6d, 0xb1, 0x20, 0x40, 0xaf, 0x41, 0x39, + 0x0c, 0x28, 0x17, 0xf9, 0x4c, 0x58, 0xe4, 0xcb, 0x83, 0xea, 0x28, 0x3c, 0xcd, 0x69, 0x06, 0x94, + 0xa7, 0x97, 0x9a, 0x78, 0x62, 0x58, 0xb1, 0x45, 0xaf, 0x40, 0xc9, 0x0f, 0x1c, 0x22, 0xd3, 0x5e, + 0x75, 0xee, 0xe9, 0x81, 0xd9, 0x07, 0x0e, 0x49, 0x37, 0x3e, 0x22, 0x43, 0x40, 0x80, 0x24, 0x53, + 0xd4, 0x86, 0x61, 0x46, 0xe8, 0x96, 0x6b, 0xab, 0x0c, 0x59, 0x9d, 0xfb, 0xca, 0xa0, 0xfc, 0xd7, + 0xd4, 0xf2, 0x54, 0x44, 0x75, 0x77, 0x67, 0x66, 0x38, 0x86, 0xc6, 0xdc, 0xcd, 0xf7, 0x4b, 0x30, + 0x7a, 0xa7, 0xe6, 0xba, 0x53, 0x73, 0xed, 0x55, 0x73, 0xfd, 0xdc, 0x80, 0xf1, 0xfc, 0xbd, 0x94, + 0xbf, 0x9a, 0x8d, 0xfd, 0xaf, 0xe6, 0xe4, 0xb6, 0x2f, 0xf4, 0xbd, 0xed, 0xeb, 0x50, 0x8c, 0x5c, + 0x47, 0x36, 0x1f, 0x95, 0xfa, 0x23, 0x49, 0xb7, 0xd4, 0xb8, 0x74, 0x63, 0x67, 0xe6, 0x81, 0x7e, + 0x53, 0x4a, 0xbe, 0x1d, 0x12, 0x56, 0x7b, 0xa1, 0x71, 0x09, 0x8b, 0xc5, 0xe6, 0x9b, 0x30, 0xfa, + 0xec, 0xfa, 0x7a, 0xb3, 0x49, 0x03, 0x1e, 0xd8, 0x81, 0x27, 0xa4, 0x6e, 0x06, 0x8c, 0x77, 0xe7, + 0x98, 0x67, 0x03, 0xc6, 0xb1, 0xc4, 0x88, 0x5e, 0xa9, 0x43, 0xf8, 0x66, 0xe0, 0x74, 0xf7, 0x4a, + 0x2b, 0x12, 0x8a, 0x35, 0x56, 0x70, 0x0a, 0x2d, 0xbe, 0xa9, 0xd5, 0x4b, 0x38, 0x35, 0x2d, 0xbe, + 0x89, 0x25, 0xc6, 0xfc, 0xd0, 0x80, 0x61, 0x6d, 0x57, 0xf4, 0x12, 0x94, 0x6c, 0xd7, 0xa1, 0x3a, + 0x70, 0x0e, 0xe8, 0x49, 0x89, 0x90, 0x85, 0xc6, 0x25, 0x8c, 0x25, 0x43, 0xf4, 0x2a, 0x0c, 0x91, + 0xeb, 0x36, 0x09, 0xb9, 0x0e, 0x94, 0x03, 0xb2, 0x4e, 0x76, 0xb9, 0x28, 0x99, 0x61, 0xcd, 0xd4, + 0xfc, 0xa7, 0x01, 0xa8, 0xd1, 0xfc, 0xe2, 0xa6, 0xd0, 0x16, 0x94, 0xe5, 0x01, 0xa1, 0x07, 0xa1, + 0xe0, 0x86, 
0x72, 0xaf, 0xa3, 0xf5, 0xc9, 0xdd, 0x9d, 0x99, 0x42, 0xa3, 0x99, 0x4f, 0x2d, 0x05, + 0x37, 0x14, 0xc1, 0x1b, 0x52, 0xd2, 0x72, 0xaf, 0x2f, 0x13, 0xbf, 0xcd, 0x37, 0xa5, 0x07, 0x95, + 0xd3, 0xe0, 0x6d, 0x66, 0x70, 0x38, 0x47, 0x69, 0xfe, 0xca, 0x00, 0x58, 0xbe, 0x90, 0xb8, 0xe9, + 0xcb, 0x50, 0xda, 0xe4, 0x3c, 0x3c, 0x68, 0xaa, 0xce, 0xba, 0xbc, 0xca, 0x20, 0x02, 0x82, 0x25, + 0x4f, 0xf4, 0x22, 0x14, 0xb9, 0xc7, 0x74, 0x82, 0x1e, 0xf8, 0x5e, 0x5d, 0x5f, 0x5e, 0x4b, 0x38, + 0xcb, 0x22, 0x60, 0x7d, 0x79, 0x0d, 0x0b, 0x86, 0xe6, 0xfb, 0x06, 0xa0, 0x95, 0xc8, 0x13, 0xbd, + 0x3b, 0xe3, 0xf2, 0xf8, 0x1a, 0x7e, 0x2b, 0x40, 0x0f, 0x42, 0x59, 0xb6, 0x31, 0x3a, 0xe4, 0x92, + 0x94, 0xa9, 0x8c, 0xa2, 0x70, 0xe8, 0x35, 0x28, 0x85, 0x81, 0x73, 0xe0, 0x09, 0x77, 0xae, 0x34, + 0x49, 0x43, 0x31, 0x70, 0x18, 0x96, 0x7c, 0xcd, 0x77, 0x0c, 0xa8, 0x24, 0x69, 0x5b, 0x86, 0x6e, + 0x40, 0xd5, 0x25, 0x50, 0xce, 0xd2, 0x53, 0x8e, 0x25, 0xe6, 0x16, 0x2e, 0xa7, 0x8b, 0x30, 0x12, + 0xea, 0x73, 0xd0, 0x57, 0xc0, 0xfd, 0xc9, 0x30, 0x48, 0xc3, 0x6f, 0x64, 0x7e, 0xe3, 0x84, 0xda, + 0xfc, 0x4b, 0x11, 0xc6, 0x56, 0x09, 0x7f, 0x23, 0xa0, 0x57, 0x9b, 0x81, 0xe7, 0xda, 0xdb, 0xc7, + 0x10, 0x4d, 0x2d, 0x28, 0xd3, 0xc8, 0x23, 0xf1, 0x01, 0xcf, 0x0f, 0x5c, 0x93, 0x64, 0xf5, 0xc5, + 0x91, 0x47, 0x52, 0x3b, 0x8a, 0x27, 0x86, 0x15, 0x7b, 0xf4, 0x34, 0x9c, 0xb4, 0x72, 0x43, 0x4f, + 0x95, 0x3b, 0x2b, 0x32, 0x64, 0x4e, 0xe6, 0xe7, 0xa1, 0x0c, 0x77, 0xd3, 0xa2, 0x73, 0xe2, 0x50, + 0xdd, 0x80, 0x8a, 0x02, 0x52, 0x24, 0x3e, 0xa3, 0x3e, 0xaa, 0x0e, 0x54, 0xc1, 0x70, 0x82, 0x45, + 0x8f, 0xc2, 0x28, 0x77, 0x09, 0x8d, 0x31, 0x32, 0xdd, 0x95, 0xeb, 0x13, 0x32, 0x45, 0x66, 0xe0, + 0x38, 0x47, 0x85, 0x18, 0x54, 0x58, 0x10, 0x51, 0x59, 0xfc, 0xe8, 0xf2, 0xe9, 0xf2, 0xe1, 0x8e, + 0x22, 0xf1, 0xba, 0x31, 0x91, 0xe8, 0xd6, 0x62, 0xe6, 0x38, 0x95, 0x63, 0xbe, 0x5b, 0x80, 0xd3, + 0xb9, 0x45, 0x8b, 0x5b, 0x96, 0x17, 0xa9, 0x7b, 0x34, 0x82, 0x61, 0x4a, 0xae, 0x45, 0x84, 0x71, + 0x1d, 0x8f, 0xab, 0x87, 0x52, 0x27, 0xe5, 0x8c, 
0x15, 0x57, 0x55, 0xdb, 0xe9, 0x07, 0x1c, 0xcb, + 0x42, 0xdb, 0x30, 0x42, 0x09, 0x0b, 0x03, 0x9f, 0x11, 0x3d, 0xdb, 0xbb, 0x72, 0x64, 0x72, 0x15, + 0x5b, 0x65, 0xb8, 0xf8, 0x09, 0x27, 0xe2, 0xcc, 0xbf, 0x1a, 0x30, 0x7d, 0x73, 0x9d, 0xd1, 0x6b, + 0x30, 0xa4, 0x4e, 0x4f, 0x07, 0xc3, 0xe3, 0x03, 0x37, 0x11, 0xb2, 0x1f, 0x48, 0x73, 0x9a, 0x36, + 0x8b, 0xe6, 0x8a, 0x3a, 0x50, 0x75, 0x08, 0xe3, 0xae, 0xaf, 0x86, 0x9b, 0x85, 0x43, 0x09, 0x49, + 0x8a, 0xa5, 0x4b, 0x29, 0x4b, 0x9c, 0xe5, 0x6f, 0xfe, 0xa2, 0x00, 0x33, 0xfb, 0x9c, 0x16, 0xfa, + 0x56, 0xd6, 0x31, 0x8d, 0x23, 0x75, 0xcc, 0xbb, 0xb5, 0x82, 0xf9, 0x3b, 0x27, 0xe3, 0xa0, 0xa2, + 0x74, 0x13, 0xd1, 0xdb, 0xf0, 0x1d, 0x72, 0x5d, 0xa7, 0xac, 0xa4, 0x74, 0xc3, 0x31, 0x02, 0xa7, + 0x34, 0xe8, 0x6b, 0x50, 0x12, 0x0f, 0xda, 0x75, 0x2e, 0x0c, 0xaa, 0xa8, 0xe0, 0x89, 0x49, 0x2b, + 0xbd, 0x56, 0x25, 0x40, 0xb2, 0x34, 0x7f, 0x67, 0xc0, 0xa9, 0x9c, 0xa2, 0xc7, 0x30, 0xe6, 0xda, + 0xc8, 0x8f, 0xb9, 0x9e, 0x3e, 0xd4, 0xc1, 0xf7, 0x19, 0x74, 0xfd, 0xcd, 0xe8, 0xba, 0x04, 0x44, + 0x4b, 0xb7, 0xc6, 0x2d, 0x1e, 0x31, 0xf4, 0x30, 0x8c, 0x88, 0xd6, 0x6e, 0x75, 0x8f, 0xb7, 0x10, + 0xab, 0x1a, 0x8e, 0x13, 0x0a, 0x51, 0xe6, 0xeb, 0xb7, 0xef, 0xb1, 0xf3, 0x66, 0xca, 0xfc, 0xa5, + 0x04, 0x83, 0x33, 0x54, 0xe8, 0xab, 0x80, 0x28, 0xb1, 0x3c, 0xf7, 0x4d, 0xf9, 0x78, 0xd9, 0x72, + 0xbd, 0x88, 0x2a, 0xf3, 0x8d, 0xd4, 0xef, 0xd5, 0x6b, 0x11, 0xee, 0xa1, 0xc0, 0x7b, 0xac, 0x42, + 0xff, 0x0b, 0xc3, 0x1d, 0xc2, 0x98, 0x68, 0x17, 0x4a, 0x52, 0xd9, 0x93, 0x9a, 0xc1, 0xf0, 0x8a, + 0x02, 0xe3, 0x18, 0x2f, 0xdf, 0x2a, 0xe7, 0x36, 0xdd, 0x24, 0x84, 0xa2, 0x0b, 0x30, 0x66, 0x65, + 0x5e, 0x35, 0xb3, 0x29, 0x43, 0x66, 0x88, 0x53, 0xc2, 0x47, 0xb3, 0xef, 0xa0, 0x19, 0xce, 0xd3, + 0x21, 0x02, 0x23, 0x6e, 0xa8, 0x3b, 0x32, 0x65, 0xaa, 0x0b, 0x83, 0x17, 0xbb, 0x72, 0x7d, 0x7a, + 0xc0, 0x49, 0x2b, 0x96, 0xb0, 0x46, 0x33, 0x50, 0x6e, 0x5d, 0x73, 0xfc, 0x38, 0x73, 0x55, 0x84, + 0x2d, 0x2f, 0x3f, 0x7f, 0x69, 0x95, 0x61, 0x05, 0x47, 0x5c, 0x34, 0x5a, 0xba, 0x5f, 
0x8e, 0x87, + 0x08, 0x87, 0xef, 0xc2, 0x33, 0xad, 0x5a, 0xcc, 0x1b, 0x67, 0xe4, 0x88, 0xd4, 0xea, 0x59, 0x1b, + 0xc4, 0x6b, 0x38, 0x44, 0xdc, 0x3c, 0xae, 0xec, 0xf1, 0x8a, 0xe7, 0xc6, 0x54, 0x6a, 0x5d, 0xce, + 0xa3, 0x70, 0x37, 0xad, 0xf9, 0x99, 0x01, 0xf7, 0xec, 0x7d, 0x43, 0xa0, 0xc7, 0xa0, 0x24, 0xba, + 0x26, 0xed, 0x7b, 0x0f, 0xc4, 0x51, 0xb9, 0xbe, 0x1d, 0x92, 0x1b, 0x3b, 0x33, 0x79, 0x0b, 0x0a, + 0x20, 0x96, 0xe4, 0x03, 0x0f, 0xe3, 0x92, 0xa2, 0xaa, 0xb8, 0x5f, 0xc7, 0x57, 0x3a, 0x4c, 0xc7, + 0xf7, 0xe1, 0x50, 0x97, 0xd3, 0x89, 0xdb, 0x05, 0x3d, 0x05, 0x15, 0xc7, 0xa5, 0xa2, 0xd7, 0x0e, + 0xe2, 0xd7, 0x66, 0xd3, 0xb1, 0xb2, 0x97, 0x62, 0xc4, 0x8d, 0xec, 0x03, 0x4e, 0x17, 0x20, 0x1b, + 0x4a, 0x2d, 0x1a, 0x74, 0x74, 0xaa, 0x38, 0x5c, 0xf5, 0x24, 0x62, 0x20, 0xdd, 0xfc, 0x65, 0x1a, + 0x74, 0xb0, 0x64, 0x8e, 0x5e, 0x85, 0x02, 0x0f, 0xf4, 0x9d, 0x7a, 0x04, 0x22, 0x40, 0x8b, 0x28, + 0xac, 0x07, 0xb8, 0xc0, 0x03, 0x11, 0x3d, 0x2c, 0xef, 0xb3, 0x17, 0x0e, 0xe8, 0xb3, 0x69, 0xf4, + 0x24, 0x8e, 0x9a, 0xb0, 0x96, 0x2f, 0x49, 0xbb, 0x8a, 0xb2, 0xb4, 0x2e, 0xee, 0x29, 0xe3, 0x5e, + 0x84, 0x21, 0x4b, 0xd9, 0x64, 0x48, 0xda, 0xe4, 0x19, 0xf9, 0x52, 0x32, 0x36, 0xc6, 0x23, 0x37, + 0xf9, 0x04, 0x8c, 0x3a, 0xfa, 0xcb, 0xaf, 0xf3, 0x32, 0x9f, 0xa8, 0x35, 0x58, 0x73, 0x43, 0x4f, + 0xc2, 0x18, 0xf1, 0xad, 0x0d, 0x8f, 0x2c, 0x07, 0xed, 0xb6, 0xeb, 0xb7, 0xa7, 0x86, 0xe5, 0x5d, + 0x97, 0xe4, 0xc2, 0xc5, 0x2c, 0x12, 0xe7, 0x69, 0xf7, 0x2a, 0x62, 0x47, 0x06, 0x28, 0x62, 0x63, + 0x37, 0xaf, 0xf4, 0x75, 0xf3, 0x6b, 0x50, 0xf5, 0x92, 0x5e, 0x8f, 0x4d, 0x81, 0xb4, 0xc6, 0x13, + 0x83, 0x5a, 0x23, 0x6d, 0x17, 0xd3, 0x22, 0x24, 0x85, 0x31, 0x9c, 0x95, 0x21, 0xcc, 0xe2, 0x05, + 0x6d, 0x79, 0x4b, 0x4c, 0x55, 0xf3, 0x39, 0x66, 0x59, 0xc3, 0x71, 0x42, 0x61, 0xbe, 0x57, 0x04, + 0x94, 0xf3, 0x28, 0x91, 0xa9, 0x18, 0x7a, 0xdb, 0x80, 0x31, 0x3f, 0x0b, 0x3e, 0x9e, 0x52, 0x25, + 0x2f, 0x13, 0x85, 0x30, 0xca, 0xa9, 0xd5, 0x6a, 0xb9, 0xb6, 0xd4, 0xea, 0x16, 0xea, 0x37, 0xf9, + 0xfd, 0x5e, 0x2d, 0xfe, 
0x7e, 0xaf, 0xb6, 0x9e, 0x59, 0x9d, 0x99, 0xac, 0x65, 0xa0, 0x38, 0x27, + 0x01, 0xbd, 0x65, 0xc0, 0x84, 0xa8, 0x4e, 0xb2, 0x24, 0x7a, 0x26, 0xf8, 0xc4, 0xad, 0x8b, 0xc5, + 0x5d, 0x1c, 0xd2, 0x39, 0x44, 0x37, 0x06, 0xf7, 0x48, 0x33, 0xff, 0x64, 0xc0, 0x64, 0x8f, 0x45, + 0xa2, 0xe3, 0x18, 0xca, 0x7a, 0x50, 0x16, 0xb5, 0x47, 0x9c, 0x72, 0x97, 0x0e, 0x65, 0xeb, 0xb4, + 0xea, 0x49, 0xeb, 0x24, 0x01, 0x63, 0x58, 0x09, 0x31, 0xcf, 0xc3, 0x58, 0x6e, 0xfe, 0xbd, 0xff, + 0x4b, 0x21, 0xf3, 0x83, 0x32, 0x4c, 0xc4, 0x7c, 0xd9, 0x5a, 0xd4, 0xe9, 0x58, 0xf4, 0x38, 0x5a, + 0xea, 0xef, 0x19, 0x70, 0x32, 0xeb, 0x98, 0x6e, 0x72, 0x44, 0xf5, 0x43, 0x1d, 0x91, 0xf2, 0x8d, + 0xd3, 0x5a, 0xf6, 0xc9, 0xd5, 0xbc, 0x08, 0xdc, 0x2d, 0x13, 0xfd, 0xd2, 0x80, 0xfb, 0x95, 0x14, + 0xfd, 0xa1, 0x44, 0xd7, 0x0a, 0xed, 0xa8, 0x47, 0xa1, 0xd4, 0x7f, 0x6b, 0xa5, 0xee, 0x9f, 0xbf, + 0x89, 0x3c, 0x7c, 0x53, 0x6d, 0xd0, 0x4f, 0x0d, 0xb8, 0x5b, 0x11, 0x74, 0xeb, 0x59, 0x3a, 0x32, + 0x3d, 0xcf, 0x68, 0x3d, 0xef, 0x9e, 0xdf, 0x4b, 0x10, 0xde, 0x5b, 0x3e, 0x62, 0x50, 0xe9, 0xc4, + 0xe3, 0x2b, 0x59, 0x5a, 0x1d, 0x40, 0x99, 0xde, 0xf9, 0x57, 0x5a, 0x13, 0x25, 0x38, 0x9c, 0xca, + 0x31, 0x5f, 0x85, 0xbb, 0x9a, 0x56, 0x5b, 0xb7, 0x8a, 0x4b, 0x84, 0x5f, 0x09, 0xc5, 0x0f, 0xa6, + 0xa6, 0xcb, 0x6d, 0xe5, 0xf6, 0xc5, 0xec, 0x74, 0xb9, 0x4d, 0xb0, 0xc4, 0xa0, 0x07, 0xa1, 0xec, + 0xb9, 0x1d, 0x97, 0xeb, 0x16, 0x20, 0x09, 0xa7, 0x65, 0x01, 0xc4, 0x0a, 0x67, 0x5a, 0x30, 0x9a, + 0x9d, 0x8d, 0xdd, 0x8e, 0x57, 0xac, 0x1f, 0x1a, 0x30, 0xac, 0x3b, 0xba, 0x43, 0x56, 0x59, 0xfb, + 0x0f, 0xdd, 0xd2, 0x72, 0xa1, 0x78, 0x94, 0xe5, 0x82, 0xf9, 0xeb, 0x22, 0xc4, 0x2f, 0xc0, 0xd0, + 0xa3, 0x99, 0xc1, 0x9e, 0xda, 0xc2, 0xd4, 0xfe, 0x43, 0x3d, 0xb4, 0xaa, 0x47, 0x8a, 0x85, 0x7d, + 0xee, 0x9a, 0x88, 0xbb, 0x5e, 0x4d, 0x7d, 0x44, 0x5d, 0x6b, 0xf8, 0xfc, 0x0a, 0x5d, 0xe3, 0xd4, + 0xf5, 0xdb, 0x6a, 0x48, 0x9b, 0x19, 0x40, 0xfe, 0x0f, 0x0c, 0x13, 0x5f, 0x4e, 0x2b, 0xe5, 0x56, + 0xcb, 0x6a, 0x90, 0xb3, 0xa8, 0x40, 0x38, 0xc6, 0xa1, 0x73, 
0x30, 0xe2, 0xda, 0x9d, 0x50, 0x54, + 0xe5, 0xb2, 0x6a, 0x2e, 0xab, 0xb9, 0x4b, 0x63, 0x61, 0xa5, 0x29, 0x2b, 0xf5, 0x04, 0x1b, 0x53, + 0x2e, 0xc4, 0x2f, 0x26, 0x33, 0x94, 0x02, 0x86, 0x13, 0xac, 0xa4, 0x6c, 0x6b, 0x9e, 0x43, 0x19, + 0xca, 0xa5, 0x84, 0xa7, 0xc6, 0xa2, 0x8b, 0xfa, 0x43, 0x18, 0xdd, 0xb5, 0xc9, 0x22, 0xab, 0xd2, + 0xf5, 0x2d, 0x4b, 0x3c, 0x1e, 0xcf, 0x51, 0x8a, 0xed, 0x31, 0x6a, 0xcb, 0xed, 0x8d, 0xa4, 0xdb, + 0x5b, 0x53, 0x20, 0x1c, 0xe3, 0x50, 0x0d, 0x80, 0x51, 0x5b, 0xef, 0x5a, 0x16, 0x54, 0xe5, 0xfa, + 0xb8, 0xb8, 0x91, 0xd7, 0x12, 0x28, 0xce, 0x50, 0x98, 0x04, 0x26, 0xba, 0xfb, 0xaa, 0xdb, 0xe1, + 0xf2, 0xef, 0x95, 0xe0, 0xf4, 0x5a, 0x14, 0x0a, 0x43, 0xa9, 0xcf, 0xf5, 0x16, 0x02, 0xcf, 0xd3, + 0x4e, 0x7c, 0xfb, 0x13, 0xcf, 0x2b, 0x50, 0x21, 0xd7, 0x43, 0x97, 0x12, 0x67, 0x3e, 0xf6, 0xb7, + 0xff, 0xbb, 0x35, 0x11, 0xeb, 0x6e, 0x87, 0xa4, 0x5b, 0x5b, 0x8c, 0x99, 0xe0, 0x94, 0x9f, 0x38, + 0x0b, 0xe6, 0xfa, 0x36, 0x11, 0xa4, 0x3a, 0xc8, 0x92, 0x05, 0x6b, 0x31, 0x02, 0xa7, 0x34, 0xa2, + 0x19, 0x6e, 0x25, 0x1f, 0x38, 0x4a, 0x1f, 0x3c, 0x40, 0x33, 0xdc, 0xfd, 0xa1, 0x64, 0x7a, 0x02, + 0x29, 0x0c, 0x67, 0xe4, 0xa0, 0x1f, 0x1a, 0x30, 0x6e, 0xe5, 0xbf, 0x51, 0x54, 0x6f, 0xdb, 0x57, + 0x0e, 0x26, 0xba, 0xcf, 0xf7, 0x96, 0xf5, 0x7b, 0xb4, 0x1e, 0xe3, 0x5d, 0x1f, 0x2b, 0x76, 0x09, + 0x37, 0x3f, 0x37, 0xe0, 0xbe, 0x3e, 0x1e, 0x71, 0x0c, 0x03, 0x2c, 0x2f, 0x3f, 0xc0, 0x1a, 0xb8, + 0x44, 0xeb, 0xa3, 0x79, 0x9f, 0x51, 0xd6, 0x4f, 0x0a, 0xf0, 0x40, 0x9f, 0x15, 0x07, 0x1e, 0x6a, + 0x3d, 0x09, 0x63, 0xf1, 0xef, 0x6c, 0x18, 0xa6, 0x0d, 0x41, 0x16, 0x89, 0xf3, 0xb4, 0xb1, 0x28, + 0x79, 0x61, 0x15, 0x7b, 0x45, 0xa9, 0x4b, 0x2b, 0xa6, 0x10, 0x1e, 0x6e, 0x07, 0x9d, 0xd0, 0x23, + 0x9c, 0xa8, 0x49, 0xc3, 0x48, 0xea, 0xe1, 0x0b, 0x31, 0x02, 0xa7, 0x34, 0x22, 0xd1, 0x12, 0x4a, + 0x03, 0x2a, 0x3d, 0x2c, 0xf3, 0x02, 0x6b, 0x51, 0x00, 0xb1, 0xc2, 0x99, 0x7f, 0x37, 0xe0, 0x4c, + 0x9f, 0x43, 0x39, 0xb6, 0x4a, 0x7d, 0x2b, 0x5f, 0xa9, 0x3f, 0x7f, 0x44, 0x6e, 0xb0, 0x6f, 0xcd, + 
0xfe, 0x30, 0x54, 0x33, 0x6f, 0x05, 0xd1, 0x19, 0x28, 0x32, 0xdf, 0xed, 0xfe, 0xc8, 0x79, 0x6d, + 0xb5, 0x81, 0x05, 0xbc, 0xbe, 0xfe, 0xd1, 0xa7, 0xd3, 0x27, 0x3e, 0xfe, 0x74, 0xfa, 0xc4, 0x27, + 0x9f, 0x4e, 0x9f, 0x78, 0x6b, 0x77, 0xda, 0xf8, 0x68, 0x77, 0xda, 0xf8, 0x78, 0x77, 0xda, 0xf8, + 0x64, 0x77, 0xda, 0xf8, 0xc3, 0xee, 0xb4, 0xf1, 0xe3, 0x3f, 0x4e, 0x9f, 0x78, 0xb9, 0x36, 0xd8, + 0x7f, 0x7f, 0xfd, 0x2b, 0x00, 0x00, 0xff, 0xff, 0x74, 0xfb, 0x4a, 0x88, 0x2e, 0x36, 0x00, 0x00, } func (m *AddressGroup) Marshal() (dAtA []byte, err error) { @@ -2154,6 +2311,41 @@ func (m *EgressGroupPatch) MarshalToSizedBuffer(dAtA []byte) (int, error) { return len(dAtA) - i, nil } +func (m *Entity) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *Entity) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *Entity) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.Pod != nil { + { + size, err := m.Pod.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0xa + } + return len(dAtA) - i, nil +} + func (m *ExternalEntityReference) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) @@ -2805,7 +2997,7 @@ func (m *NetworkPolicy) MarshalToSizedBuffer(dAtA []byte) (int, error) { return len(dAtA) - i, nil } -func (m *NetworkPolicyList) Marshal() (dAtA []byte, err error) { +func (m *NetworkPolicyEvaluation) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) n, err := m.MarshalToSizedBuffer(dAtA[:size]) 
@@ -2815,44 +3007,44 @@ func (m *NetworkPolicyList) Marshal() (dAtA []byte, err error) { return dAtA[:n], nil } -func (m *NetworkPolicyList) MarshalTo(dAtA []byte) (int, error) { +func (m *NetworkPolicyEvaluation) MarshalTo(dAtA []byte) (int, error) { size := m.Size() return m.MarshalToSizedBuffer(dAtA[:size]) } -func (m *NetworkPolicyList) MarshalToSizedBuffer(dAtA []byte) (int, error) { +func (m *NetworkPolicyEvaluation) MarshalToSizedBuffer(dAtA []byte) (int, error) { i := len(dAtA) _ = i var l int _ = l - if len(m.Items) > 0 { - for iNdEx := len(m.Items) - 1; iNdEx >= 0; iNdEx-- { - { - size, err := m.Items[iNdEx].MarshalToSizedBuffer(dAtA[:i]) - if err != nil { - return 0, err - } - i -= size - i = encodeVarintGenerated(dAtA, i, uint64(size)) + if m.Response != nil { + { + size, err := m.Response.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err } - i-- - dAtA[i] = 0x12 + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) } + i-- + dAtA[i] = 0x1a } - { - size, err := m.ListMeta.MarshalToSizedBuffer(dAtA[:i]) - if err != nil { - return 0, err + if m.Request != nil { + { + size, err := m.Request.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) } - i -= size - i = encodeVarintGenerated(dAtA, i, uint64(size)) + i-- + dAtA[i] = 0x12 } - i-- - dAtA[i] = 0xa return len(dAtA) - i, nil } -func (m *NetworkPolicyNodeStatus) Marshal() (dAtA []byte, err error) { +func (m *NetworkPolicyEvaluationRequest) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) n, err := m.MarshalToSizedBuffer(dAtA[:size]) 
@@ -2862,41 +3054,40 @@ func (m *NetworkPolicyNodeStatus) Marshal() (dAtA []byte, err error) { return dAtA[:n], nil } -func (m *NetworkPolicyNodeStatus) MarshalTo(dAtA []byte) (int, error) { +func (m *NetworkPolicyEvaluationRequest) MarshalTo(dAtA []byte) (int, error) { size := m.Size() return m.MarshalToSizedBuffer(dAtA[:size]) } -func (m *NetworkPolicyNodeStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) { +func (m *NetworkPolicyEvaluationRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) { i := len(dAtA) _ = i var l int _ = l - i -= len(m.Message) - copy(dAtA[i:], m.Message) - i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message))) - i-- - dAtA[i] = 0x22 - i-- - if m.RealizationFailure { - dAtA[i] = 1 - } else { - dAtA[i] = 0 + { + size, err := m.Destination.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) } i-- - dAtA[i] = 0x18 - i = encodeVarintGenerated(dAtA, i, uint64(m.Generation)) - i-- - dAtA[i] = 0x10 - i -= len(m.NodeName) - copy(dAtA[i:], m.NodeName) - i = encodeVarintGenerated(dAtA, i, uint64(len(m.NodeName))) + dAtA[i] = 0x12 + { + size, err := m.Source.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } i-- dAtA[i] = 0xa return len(dAtA) - i, nil } -func (m *NetworkPolicyPeer) Marshal() (dAtA []byte, err error) { +func (m *NetworkPolicyEvaluationResponse) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) n, err := m.MarshalToSizedBuffer(dAtA[:size]) 
@@ -2906,21 +3097,158 @@ func (m *NetworkPolicyPeer) Marshal() (dAtA []byte, err error) { return dAtA[:n], nil } -func (m *NetworkPolicyPeer) MarshalTo(dAtA []byte) (int, error) { +func (m *NetworkPolicyEvaluationResponse) MarshalTo(dAtA []byte) (int, error) { size := m.Size() return m.MarshalToSizedBuffer(dAtA[:size]) } -func (m *NetworkPolicyPeer) MarshalToSizedBuffer(dAtA []byte) (int, error) { +func (m *NetworkPolicyEvaluationResponse) MarshalToSizedBuffer(dAtA []byte) (int, error) { i := len(dAtA) _ = i var l int _ = l - if len(m.LabelIdentities) > 0 { - for iNdEx := len(m.LabelIdentities) - 1; iNdEx >= 0; iNdEx-- { - i = encodeVarintGenerated(dAtA, i, uint64(m.LabelIdentities[iNdEx])) - i-- - dAtA[i] = 0x28 + { + size, err := m.Rule.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x1a + i = encodeVarintGenerated(dAtA, i, uint64(m.RuleIndex)) + i-- + dAtA[i] = 0x10 + { + size, err := m.NetworkPolicy.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + +func (m *NetworkPolicyList) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *NetworkPolicyList) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *NetworkPolicyList) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if len(m.Items) > 0 { + for iNdEx := len(m.Items) - 1; iNdEx >= 0; iNdEx-- { + { + size, err := m.Items[iNdEx].MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x12 + } + } + { + size, err 
:= m.ListMeta.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + +func (m *NetworkPolicyNodeStatus) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *NetworkPolicyNodeStatus) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *NetworkPolicyNodeStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + i -= len(m.Message) + copy(dAtA[i:], m.Message) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message))) + i-- + dAtA[i] = 0x22 + i-- + if m.RealizationFailure { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x18 + i = encodeVarintGenerated(dAtA, i, uint64(m.Generation)) + i-- + dAtA[i] = 0x10 + i -= len(m.NodeName) + copy(dAtA[i:], m.NodeName) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.NodeName))) + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + +func (m *NetworkPolicyPeer) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *NetworkPolicyPeer) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *NetworkPolicyPeer) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if len(m.LabelIdentities) > 0 { + for iNdEx := len(m.LabelIdentities) - 1; iNdEx >= 0; iNdEx-- { + i = encodeVarintGenerated(dAtA, i, uint64(m.LabelIdentities[iNdEx])) + i-- + dAtA[i] = 0x28 } } if len(m.ToServices) > 0 { 
@@ -3411,6 +3739,46 @@ func (m *PodReference) MarshalToSizedBuffer(dAtA []byte) (int, error) { return len(dAtA) - i, nil } +func (m *RuleRef) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *RuleRef) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *RuleRef) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.Action != nil { + i -= len(*m.Action) + copy(dAtA[i:], *m.Action) + i = encodeVarintGenerated(dAtA, i, uint64(len(*m.Action))) + i-- + dAtA[i] = 0x1a + } + i -= len(m.Name) + copy(dAtA[i:], m.Name) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name))) + i-- + dAtA[i] = 0x12 + i -= len(m.Direction) + copy(dAtA[i:], m.Direction) + i = encodeVarintGenerated(dAtA, i, uint64(len(m.Direction))) + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + func (m *Service) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) @@ -4011,6 +4379,19 @@ func (m *EgressGroupPatch) Size() (n int) { return n } +func (m *Entity) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.Pod != nil { + l = m.Pod.Size() + n += 1 + l + sovGenerated(uint64(l)) + } + return n +} + func (m *ExternalEntityReference) Size() (n int) { if m == nil { return 0 
@@ -4263,6 +4644,50 @@ func (m *NetworkPolicy) Size() (n int) { return n } +func (m *NetworkPolicyEvaluation) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.Request != nil { + l = m.Request.Size() + n += 1 + l + sovGenerated(uint64(l)) + } + if m.Response != nil { + l = m.Response.Size() + n += 1 + l + sovGenerated(uint64(l)) + } + return n +} + +func (m *NetworkPolicyEvaluationRequest) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = m.Source.Size() + n += 1 + l + sovGenerated(uint64(l)) + l = m.Destination.Size() + n += 1 + l + sovGenerated(uint64(l)) + return n +} + +func (m *NetworkPolicyEvaluationResponse) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = m.NetworkPolicy.Size() + n += 1 + l + sovGenerated(uint64(l)) + n += 1 + sovGenerated(uint64(m.RuleIndex)) + l = m.Rule.Size() + n += 1 + l + sovGenerated(uint64(l)) + return n +} + func (m *NetworkPolicyList) Size() (n int) { if m == nil { return 0 @@ -4499,6 +4924,23 @@ func (m *PodReference) Size() (n int) { return n } +func (m *RuleRef) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = len(m.Direction) + n += 1 + l + sovGenerated(uint64(l)) + l = len(m.Name) + n += 1 + l + sovGenerated(uint64(l)) + if m.Action != nil { + l = len(*m.Action) + n += 1 + l + sovGenerated(uint64(l)) + } + return n +} + func (m *Service) Size() (n int) { if m == nil { return 0 @@ -4857,6 +5299,16 @@ func (this *EgressGroupPatch) String() string { }, "") return s } +func (this *Entity) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&Entity{`, + `Pod:` + strings.Replace(this.Pod.String(), "PodReference", "PodReference", 1) + `,`, + `}`, + }, "") + return s +} func (this *ExternalEntityReference) String() string { if this == nil { return "nil" 
@@ -5055,29 +5507,63 @@ func (this *NetworkPolicy) String() string { }, "") return s } -func (this *NetworkPolicyList) String() string { +func (this *NetworkPolicyEvaluation) String() string { if this == nil { return "nil" } - repeatedStringForItems := "[]NetworkPolicy{" - for _, f := range this.Items { - repeatedStringForItems += strings.Replace(strings.Replace(f.String(), "NetworkPolicy", "NetworkPolicy", 1), `&`, ``, 1) + "," - } - repeatedStringForItems += "}" - s := strings.Join([]string{`&NetworkPolicyList{`, - `ListMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ListMeta), "ListMeta", "v1.ListMeta", 1), `&`, ``, 1) + `,`, - `Items:` + repeatedStringForItems + `,`, + s := strings.Join([]string{`&NetworkPolicyEvaluation{`, + `Request:` + strings.Replace(this.Request.String(), "NetworkPolicyEvaluationRequest", "NetworkPolicyEvaluationRequest", 1) + `,`, + `Response:` + strings.Replace(this.Response.String(), "NetworkPolicyEvaluationResponse", "NetworkPolicyEvaluationResponse", 1) + `,`, `}`, }, "") return s } -func (this *NetworkPolicyNodeStatus) String() string { +func (this *NetworkPolicyEvaluationRequest) String() string { if this == nil { return "nil" } - s := strings.Join([]string{`&NetworkPolicyNodeStatus{`, - `NodeName:` + fmt.Sprintf("%v", this.NodeName) + `,`, - `Generation:` + fmt.Sprintf("%v", this.Generation) + `,`, + s := strings.Join([]string{`&NetworkPolicyEvaluationRequest{`, + `Source:` + strings.Replace(strings.Replace(this.Source.String(), "Entity", "Entity", 1), `&`, ``, 1) + `,`, + `Destination:` + strings.Replace(strings.Replace(this.Destination.String(), "Entity", "Entity", 1), `&`, ``, 1) + `,`, + `}`, + }, "") + return s +} +func (this *NetworkPolicyEvaluationResponse) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&NetworkPolicyEvaluationResponse{`, + `NetworkPolicy:` + strings.Replace(strings.Replace(this.NetworkPolicy.String(), "NetworkPolicyReference", "NetworkPolicyReference", 
1), `&`, ``, 1) + `,`, + `RuleIndex:` + fmt.Sprintf("%v", this.RuleIndex) + `,`, + `Rule:` + strings.Replace(strings.Replace(this.Rule.String(), "RuleRef", "RuleRef", 1), `&`, ``, 1) + `,`, + `}`, + }, "") + return s +} +func (this *NetworkPolicyList) String() string { + if this == nil { + return "nil" + } + repeatedStringForItems := "[]NetworkPolicy{" + for _, f := range this.Items { + repeatedStringForItems += strings.Replace(strings.Replace(f.String(), "NetworkPolicy", "NetworkPolicy", 1), `&`, ``, 1) + "," + } + repeatedStringForItems += "}" + s := strings.Join([]string{`&NetworkPolicyList{`, + `ListMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ListMeta), "ListMeta", "v1.ListMeta", 1), `&`, ``, 1) + `,`, + `Items:` + repeatedStringForItems + `,`, + `}`, + }, "") + return s +} +func (this *NetworkPolicyNodeStatus) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&NetworkPolicyNodeStatus{`, + `NodeName:` + fmt.Sprintf("%v", this.NodeName) + `,`, + `Generation:` + fmt.Sprintf("%v", this.Generation) + `,`, `RealizationFailure:` + fmt.Sprintf("%v", this.RealizationFailure) + `,`, `Message:` + fmt.Sprintf("%v", this.Message) + `,`, `}`, @@ -5250,6 +5736,18 @@ func (this *PodReference) String() string { }, "") return s } +func (this *RuleRef) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&RuleRef{`, + `Direction:` + fmt.Sprintf("%v", this.Direction) + `,`, + `Name:` + fmt.Sprintf("%v", this.Name) + `,`, + `Action:` + valueToStringGenerated(this.Action) + `,`, + `}`, + }, "") + return s +} func (this *Service) String() string { if this == nil { return "nil" 
@@ -7066,6 +7564,92 @@ func (m *EgressGroupPatch) Unmarshal(dAtA []byte) error { } return nil } +func (m *Entity) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: Entity: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: Entity: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Pod", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.Pod == nil { + m.Pod = &PodReference{} + } + if err := m.Pod.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} func (m *ExternalEntityReference) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 
@@ -8982,7 +9566,7 @@ func (m *NetworkPolicy) Unmarshal(dAtA []byte) error { } return nil } -func (m *NetworkPolicyList) Unmarshal(dAtA []byte) error { +func (m *NetworkPolicyEvaluation) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 for iNdEx < l { @@ -9005,15 +9589,15 @@ func (m *NetworkPolicyList) Unmarshal(dAtA []byte) error { fieldNum := int32(wire >> 3) wireType := int(wire & 0x7) if wireType == 4 { - return fmt.Errorf("proto: NetworkPolicyList: wiretype end group for non-group") + return fmt.Errorf("proto: NetworkPolicyEvaluation: wiretype end group for non-group") } if fieldNum <= 0 { - return fmt.Errorf("proto: NetworkPolicyList: illegal tag %d (wire type %d)", fieldNum, wire) + return fmt.Errorf("proto: NetworkPolicyEvaluation: illegal tag %d (wire type %d)", fieldNum, wire) } switch fieldNum { - case 1: + case 2: if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field Request", wireType) } var msglen int for shift := uint(0); ; shift += 7 { @@ -9040,13 +9624,16 @@ func (m *NetworkPolicyList) Unmarshal(dAtA []byte) error { if postIndex > l { return io.ErrUnexpectedEOF } - if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + if m.Request == nil { + m.Request = &NetworkPolicyEvaluationRequest{} + } + if err := m.Request.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { return err } iNdEx = postIndex - case 2: + case 3: if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field Response", wireType) } var msglen int for shift := uint(0); ; shift += 7 { 
@@ -9073,8 +9660,10 @@ func (m *NetworkPolicyList) Unmarshal(dAtA []byte) error { if postIndex > l { return io.ErrUnexpectedEOF } - m.Items = append(m.Items, NetworkPolicy{}) - if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + if m.Response == nil { + m.Response = &NetworkPolicyEvaluationResponse{} + } + if err := m.Response.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { return err } iNdEx = postIndex @@ -9099,7 +9688,7 @@ func (m *NetworkPolicyList) Unmarshal(dAtA []byte) error { } return nil } -func (m *NetworkPolicyNodeStatus) Unmarshal(dAtA []byte) error { +func (m *NetworkPolicyEvaluationRequest) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 for iNdEx < l { @@ -9122,17 +9711,17 @@ func (m *NetworkPolicyNodeStatus) Unmarshal(dAtA []byte) error { fieldNum := int32(wire >> 3) wireType := int(wire & 0x7) if wireType == 4 { - return fmt.Errorf("proto: NetworkPolicyNodeStatus: wiretype end group for non-group") + return fmt.Errorf("proto: NetworkPolicyEvaluationRequest: wiretype end group for non-group") } if fieldNum <= 0 { - return fmt.Errorf("proto: NetworkPolicyNodeStatus: illegal tag %d (wire type %d)", fieldNum, wire) + return fmt.Errorf("proto: NetworkPolicyEvaluationRequest: illegal tag %d (wire type %d)", fieldNum, wire) } switch fieldNum { case 1: if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field NodeName", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field Source", wireType) } - var stringLen uint64 + var msglen int for shift := uint(0); ; shift += 7 { if shift >= 64 { return ErrIntOverflowGenerated 
@@ -9142,68 +9731,30 @@ func (m *NetworkPolicyNodeStatus) Unmarshal(dAtA []byte) error { } b := dAtA[iNdEx] iNdEx++ - stringLen |= uint64(b&0x7F) << shift + msglen |= int(b&0x7F) << shift if b < 0x80 { break } } - intStringLen := int(stringLen) - if intStringLen < 0 { + if msglen < 0 { return ErrInvalidLengthGenerated } - postIndex := iNdEx + intStringLen + postIndex := iNdEx + msglen if postIndex < 0 { return ErrInvalidLengthGenerated } if postIndex > l { return io.ErrUnexpectedEOF } - m.NodeName = string(dAtA[iNdEx:postIndex]) + if err := m.Source.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } iNdEx = postIndex case 2: - if wireType != 0 { - return fmt.Errorf("proto: wrong wireType = %d for field Generation", wireType) - } - m.Generation = 0 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowGenerated - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - m.Generation |= int64(b&0x7F) << shift - if b < 0x80 { - break - } - } - case 3: - if wireType != 0 { - return fmt.Errorf("proto: wrong wireType = %d for field RealizationFailure", wireType) - } - var v int - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowGenerated - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - v |= int(b&0x7F) << shift - if b < 0x80 { - break - } - } - m.RealizationFailure = bool(v != 0) - case 4: if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field Destination", wireType) } - var stringLen uint64 + var msglen int for shift := uint(0); ; shift += 7 { if shift >= 64 { return ErrIntOverflowGenerated 
@@ -9213,23 +9764,24 @@ func (m *NetworkPolicyNodeStatus) Unmarshal(dAtA []byte) error { } b := dAtA[iNdEx] iNdEx++ - stringLen |= uint64(b&0x7F) << shift + msglen |= int(b&0x7F) << shift if b < 0x80 { break } } - intStringLen := int(stringLen) - if intStringLen < 0 { + if msglen < 0 { return ErrInvalidLengthGenerated } - postIndex := iNdEx + intStringLen + postIndex := iNdEx + msglen if postIndex < 0 { return ErrInvalidLengthGenerated } if postIndex > l { return io.ErrUnexpectedEOF } - m.Message = string(dAtA[iNdEx:postIndex]) + if err := m.Destination.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } iNdEx = postIndex default: iNdEx = preIndex @@ -9252,7 +9804,7 @@ func (m *NetworkPolicyNodeStatus) Unmarshal(dAtA []byte) error { } return nil } -func (m *NetworkPolicyPeer) Unmarshal(dAtA []byte) error { +func (m *NetworkPolicyEvaluationResponse) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 for iNdEx < l { @@ -9275,17 +9827,17 @@ func (m *NetworkPolicyPeer) Unmarshal(dAtA []byte) error { fieldNum := int32(wire >> 3) wireType := int(wire & 0x7) if wireType == 4 { - return fmt.Errorf("proto: NetworkPolicyPeer: wiretype end group for non-group") + return fmt.Errorf("proto: NetworkPolicyEvaluationResponse: wiretype end group for non-group") } if fieldNum <= 0 { - return fmt.Errorf("proto: NetworkPolicyPeer: illegal tag %d (wire type %d)", fieldNum, wire) + return fmt.Errorf("proto: NetworkPolicyEvaluationResponse: illegal tag %d (wire type %d)", fieldNum, wire) } switch fieldNum { case 1: if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field AddressGroups", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field NetworkPolicy", wireType) } - var stringLen uint64 + var msglen int for shift := uint(0); ; shift += 7 { if shift >= 64 { return ErrIntOverflowGenerated 
@@ -9295,29 +9847,30 @@ func (m *NetworkPolicyPeer) Unmarshal(dAtA []byte) error { } b := dAtA[iNdEx] iNdEx++ - stringLen |= uint64(b&0x7F) << shift + msglen |= int(b&0x7F) << shift if b < 0x80 { break } } - intStringLen := int(stringLen) - if intStringLen < 0 { + if msglen < 0 { return ErrInvalidLengthGenerated } - postIndex := iNdEx + intStringLen + postIndex := iNdEx + msglen if postIndex < 0 { return ErrInvalidLengthGenerated } if postIndex > l { return io.ErrUnexpectedEOF } - m.AddressGroups = append(m.AddressGroups, string(dAtA[iNdEx:postIndex])) + if err := m.NetworkPolicy.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } iNdEx = postIndex case 2: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field IPBlocks", wireType) + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field RuleIndex", wireType) } - var msglen int + m.RuleIndex = 0 for shift := uint(0); ; shift += 7 { if shift >= 64 { return ErrIntOverflowGenerated @@ -9327,31 +9880,16 @@ func (m *NetworkPolicyPeer) Unmarshal(dAtA []byte) error { } b := dAtA[iNdEx] iNdEx++ - msglen |= int(b&0x7F) << shift + m.RuleIndex |= int32(b&0x7F) << shift if b < 0x80 { break } } - if msglen < 0 { - return ErrInvalidLengthGenerated - } - postIndex := iNdEx + msglen - if postIndex < 0 { - return ErrInvalidLengthGenerated - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.IPBlocks = append(m.IPBlocks, IPBlock{}) - if err := m.IPBlocks[len(m.IPBlocks)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { - return err - } - iNdEx = postIndex case 3: if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field FQDNs", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field Rule", wireType) } - var stringLen uint64 + var msglen int for shift := uint(0); ; shift += 7 { if shift >= 64 { return ErrIntOverflowGenerated 
@@ -9361,13 +9899,432 @@ func (m *NetworkPolicyPeer) Unmarshal(dAtA []byte) error { } b := dAtA[iNdEx] iNdEx++ - stringLen |= uint64(b&0x7F) << shift + msglen |= int(b&0x7F) << shift if b < 0x80 { break } } - intStringLen := int(stringLen) - if intStringLen < 0 { + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.Rule.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *NetworkPolicyList) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: NetworkPolicyList: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: NetworkPolicyList: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + 
return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Items = append(m.Items, NetworkPolicy{}) + if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *NetworkPolicyNodeStatus) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: NetworkPolicyNodeStatus: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: 
NetworkPolicyNodeStatus: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field NodeName", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.NodeName = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 2: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field Generation", wireType) + } + m.Generation = 0 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + m.Generation |= int64(b&0x7F) << shift + if b < 0x80 { + break + } + } + case 3: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field RealizationFailure", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.RealizationFailure = bool(v != 0) + case 4: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + 
if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Message = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *NetworkPolicyPeer) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: NetworkPolicyPeer: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: NetworkPolicyPeer: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field AddressGroups", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.AddressGroups = append(m.AddressGroups, 
string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field IPBlocks", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.IPBlocks = append(m.IPBlocks, IPBlock{}) + if err := m.IPBlocks[len(m.IPBlocks)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field FQDNs", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { return ErrInvalidLengthGenerated } postIndex := iNdEx + intStringLen 
@@ -10842,6 +11799,153 @@ func (m *PodReference) Unmarshal(dAtA []byte) error { } return nil } +func (m *RuleRef) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: RuleRef: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: RuleRef: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Direction", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Direction = Direction(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return 
ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Name = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Action", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + s := antrea_io_antrea_pkg_apis_crd_v1beta1.RuleAction(dAtA[iNdEx:postIndex]) + m.Action = &s + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} func (m *Service) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 diff --git a/pkg/apis/controlplane/v1beta2/generated.proto b/pkg/apis/controlplane/v1beta2/generated.proto index e6e89d96d24..a274a15ba1f 100644 --- a/pkg/apis/controlplane/v1beta2/generated.proto +++ b/pkg/apis/controlplane/v1beta2/generated.proto @@ -1,4 +1,4 @@ -// Copyright 2023 Antrea Authors +// Copyright 2024 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -130,6 +130,11 @@ message EgressGroupPatch { repeated GroupMember removedGroupMembers = 3; } +// Entity contains Namespace and Pod name as a request parameter. +message Entity { + optional PodReference pod = 1; +} + // ExternalEntityReference represents a ExternalEntity Reference. message ExternalEntityReference { // The name of this ExternalEntity. @@ -289,6 +294,31 @@ message NetworkPolicy { optional NetworkPolicyReference sourceRef = 6; } +// NetworkPolicyEvaluation contains the request and response for a NetworkPolicy access review. +message NetworkPolicyEvaluation { + optional NetworkPolicyEvaluationRequest request = 2; + + optional NetworkPolicyEvaluationResponse response = 3; +} + +// NetworkPolicyEvaluationRequest is the request body of NetworkPolicy access review. +message NetworkPolicyEvaluationRequest { + optional Entity source = 1; + + optional Entity destination = 2; +} + +// NetworkPolicyEvaluationResponse is the response of NetworkPolicy access review. +message NetworkPolicyEvaluationResponse { + // The reference of the effective NetworkPolicy. + optional NetworkPolicyReference sourceRef = 1; + + optional int32 ruleIndex = 2; + + // The content of the effective rule. + optional RuleRef rule = 3; +} + // NetworkPolicyList is a list of NetworkPolicy objects. message NetworkPolicyList { optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1; @@ -449,6 +479,15 @@ message PodReference { optional string namespace = 2; } +// RuleRef contains basic information for the rule. +message RuleRef { + optional string direction = 1; + + optional string name = 2; + + optional string action = 3; +} + // Service describes a port to allow traffic on. message Service { // The protocol (TCP, UDP, SCTP, or ICMP) which traffic must match. If not specified, this diff --git a/pkg/apis/controlplane/v1beta2/register.go b/pkg/apis/controlplane/v1beta2/register.go index e90252dfa8f..df95e97704e 100644 --- a/pkg/apis/controlplane/v1beta2/register.go 
+++ b/pkg/apis/controlplane/v1beta2/register.go @@ -44,6 +44,11 @@ var ( Version: SchemeGroupVersion.Version, Resource: "groups", } + NetworkPolicyEvaluationVersionResource = schema.GroupVersionResource{ + Group: SchemeGroupVersion.Group, + Version: SchemeGroupVersion.Version, + Resource: "networkpolicyevaluation", + } ) // Resource takes an unqualified resource and returns a Group qualified GroupResource. @@ -69,6 +74,7 @@ func addKnownTypes(scheme *runtime.Scheme) error { &NetworkPolicy{}, &NetworkPolicyList{}, &NetworkPolicyStatus{}, + &NetworkPolicyEvaluation{}, &NodeStatsSummary{}, &ClusterGroupMembers{}, &GroupMembers{}, diff --git a/pkg/apis/controlplane/v1beta2/types.go b/pkg/apis/controlplane/v1beta2/types.go index 8eae3c3cc4e..1e86441bc70 100644 --- a/pkg/apis/controlplane/v1beta2/types.go +++ b/pkg/apis/controlplane/v1beta2/types.go 
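Review bot: `NetworkPolicyEvaluationVersionResource` in register.go is added without a doc comment, and its resource string `"networkpolicyevaluation"` is singular while the sibling entry visible in the same hunk is `"groups"`. RBAC rules have to spell this resource name exactly. The genclient markers in types.go make the type cluster-scoped and create-only, and the request names Pods by Namespace, so a `create` grant on it appears to let the caller ask about any Pod pair in the cluster. I would document that on the variable, for example `// NetworkPolicyEvaluationVersionResource is the cluster-scoped, create-only resource for policy evaluation; grant create only to roles allowed to inspect policies across Namespaces.` The `var (` block starts outside the hunk, so the naming convention of its other entries is not visible from here.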
@@ -450,6 +450,45 @@ type NetworkPolicyNodeStatus struct { Message string `json:"message,omitempty" protobuf:"bytes,4,opt,name=message"` } +// +genclient +// +genclient:nonNamespaced +// +genclient:onlyVerbs=create +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// NetworkPolicyEvaluation contains the request and response for a NetworkPolicy access review. +type NetworkPolicyEvaluation struct { + metav1.TypeMeta `json:",inline"` + Request *NetworkPolicyEvaluationRequest `json:"request,omitempty" protobuf:"bytes,2,opt,name=request"` + Response *NetworkPolicyEvaluationResponse `json:"response,omitempty" protobuf:"bytes,3,opt,name=response"` +} + +// Entity contains Namespace and Pod name as a request parameter. +type Entity struct { + Pod *PodReference `json:"pod,omitempty" protobuf:"bytes,1,opt,name=pod"` +} + +// NetworkPolicyEvaluationRequest is the request body of NetworkPolicy access review. +type NetworkPolicyEvaluationRequest struct { + Source Entity `json:"source,omitempty" protobuf:"bytes,1,opt,name=source"` + Destination Entity `json:"destination,omitempty" protobuf:"bytes,2,opt,name=destination"` +} + +// RuleRef contains basic information for the rule. +type RuleRef struct { + Direction Direction `json:"direction,omitempty" protobuf:"bytes,1,opt,name=direction"` + Name string `json:"name,omitempty" protobuf:"bytes,2,opt,name=name"` + Action *crdv1beta1.RuleAction `json:"action,omitempty" protobuf:"bytes,3,opt,name=action,casttype=antrea.io/antrea/pkg/apis/security/v1beta1.RuleAction"` +} + +// NetworkPolicyEvaluationResponse is the response of NetworkPolicy access review. +type NetworkPolicyEvaluationResponse struct { + // The reference of the effective NetworkPolicy. + NetworkPolicy NetworkPolicyReference `json:"sourceRef,omitempty" protobuf:"bytes,1,opt,name=sourceRef"` + RuleIndex int32 `json:"ruleIndex,omitempty" protobuf:"varint,2,opt,name=ruleIndex"` + // The content of the effective rule. 
+ Rule RuleRef `json:"rule,omitempty" protobuf:"bytes,3,opt,name=rule"` +} + type GroupReference struct { // Namespace of the Group. Empty for ClusterGroup. Namespace string `json:"namespace,omitempty" protobuf:"bytes,1,opt,name=namespace"` diff --git a/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go b/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go index 09df61a866c..3c489335819 100644 --- a/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go +++ b/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Copyright 2023 Antrea Authors +// Copyright 2024 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -169,6 +169,16 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*Entity)(nil), (*controlplane.Entity)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1beta2_Entity_To_controlplane_Entity(a.(*Entity), b.(*controlplane.Entity), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*controlplane.Entity)(nil), (*Entity)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_controlplane_Entity_To_v1beta2_Entity(a.(*controlplane.Entity), b.(*Entity), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*ExternalEntityReference)(nil), (*controlplane.ExternalEntityReference)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1beta2_ExternalEntityReference_To_controlplane_ExternalEntityReference(a.(*ExternalEntityReference), b.(*controlplane.ExternalEntityReference), scope) }); err != nil { 
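Review bot: `RuleIndex` in `NetworkPolicyEvaluationResponse` carries the tag `json:"ruleIndex,omitempty"`, so an index of 0 is dropped from the JSON output and a consumer of the raw response cannot tell "first rule matched" from "no index reported" (this assumes indices are zero-based, which the hunk does not state). Consider the tag `json:"ruleIndex"` plus a field comment such as `// RuleIndex is the position of the effective rule within the policy's rule list.`. The `omitempty` on the struct-valued `NetworkPolicy` and `Rule` fields has no effect in encoding/json, and the Go name `NetworkPolicy` serialising as `sourceRef` deserves a short comment. `NetworkPolicyEvaluation.Request` and `Entity.Pod` are pointers that decode to nil when the client omits them, so the REST create handler (outside this hunk) needs to reject such requests before dereferencing them.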
@@ -299,6 +309,36 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*NetworkPolicyEvaluation)(nil), (*controlplane.NetworkPolicyEvaluation)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1beta2_NetworkPolicyEvaluation_To_controlplane_NetworkPolicyEvaluation(a.(*NetworkPolicyEvaluation), b.(*controlplane.NetworkPolicyEvaluation), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*controlplane.NetworkPolicyEvaluation)(nil), (*NetworkPolicyEvaluation)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_controlplane_NetworkPolicyEvaluation_To_v1beta2_NetworkPolicyEvaluation(a.(*controlplane.NetworkPolicyEvaluation), b.(*NetworkPolicyEvaluation), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*NetworkPolicyEvaluationRequest)(nil), (*controlplane.NetworkPolicyEvaluationRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1beta2_NetworkPolicyEvaluationRequest_To_controlplane_NetworkPolicyEvaluationRequest(a.(*NetworkPolicyEvaluationRequest), b.(*controlplane.NetworkPolicyEvaluationRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*controlplane.NetworkPolicyEvaluationRequest)(nil), (*NetworkPolicyEvaluationRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_controlplane_NetworkPolicyEvaluationRequest_To_v1beta2_NetworkPolicyEvaluationRequest(a.(*controlplane.NetworkPolicyEvaluationRequest), b.(*NetworkPolicyEvaluationRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*NetworkPolicyEvaluationResponse)(nil), (*controlplane.NetworkPolicyEvaluationResponse)(nil), func(a, b interface{}, scope conversion.Scope) error { + return 
Convert_v1beta2_NetworkPolicyEvaluationResponse_To_controlplane_NetworkPolicyEvaluationResponse(a.(*NetworkPolicyEvaluationResponse), b.(*controlplane.NetworkPolicyEvaluationResponse), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*controlplane.NetworkPolicyEvaluationResponse)(nil), (*NetworkPolicyEvaluationResponse)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_controlplane_NetworkPolicyEvaluationResponse_To_v1beta2_NetworkPolicyEvaluationResponse(a.(*controlplane.NetworkPolicyEvaluationResponse), b.(*NetworkPolicyEvaluationResponse), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*NetworkPolicyList)(nil), (*controlplane.NetworkPolicyList)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1beta2_NetworkPolicyList_To_controlplane_NetworkPolicyList(a.(*NetworkPolicyList), b.(*controlplane.NetworkPolicyList), scope) }); err != nil { @@ -409,6 +449,16 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*RuleRef)(nil), (*controlplane.RuleRef)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1beta2_RuleRef_To_controlplane_RuleRef(a.(*RuleRef), b.(*controlplane.RuleRef), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*controlplane.RuleRef)(nil), (*RuleRef)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_controlplane_RuleRef_To_v1beta2_RuleRef(a.(*controlplane.RuleRef), b.(*RuleRef), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*Service)(nil), (*controlplane.Service)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1beta2_Service_To_controlplane_Service(a.(*Service), b.(*controlplane.Service), scope) }); err != nil { 
@@ -787,6 +837,26 @@ func Convert_controlplane_EgressGroupPatch_To_v1beta2_EgressGroupPatch(in *contr return autoConvert_controlplane_EgressGroupPatch_To_v1beta2_EgressGroupPatch(in, out, s) } +func autoConvert_v1beta2_Entity_To_controlplane_Entity(in *Entity, out *controlplane.Entity, s conversion.Scope) error { + out.Pod = (*controlplane.PodReference)(unsafe.Pointer(in.Pod)) + return nil +} + +// Convert_v1beta2_Entity_To_controlplane_Entity is an autogenerated conversion function. +func Convert_v1beta2_Entity_To_controlplane_Entity(in *Entity, out *controlplane.Entity, s conversion.Scope) error { + return autoConvert_v1beta2_Entity_To_controlplane_Entity(in, out, s) +} + +func autoConvert_controlplane_Entity_To_v1beta2_Entity(in *controlplane.Entity, out *Entity, s conversion.Scope) error { + out.Pod = (*PodReference)(unsafe.Pointer(in.Pod)) + return nil +} + +// Convert_controlplane_Entity_To_v1beta2_Entity is an autogenerated conversion function. +func Convert_controlplane_Entity_To_v1beta2_Entity(in *controlplane.Entity, out *Entity, s conversion.Scope) error { + return autoConvert_controlplane_Entity_To_v1beta2_Entity(in, out, s) +} + func autoConvert_v1beta2_ExternalEntityReference_To_controlplane_ExternalEntityReference(in *ExternalEntityReference, out *controlplane.ExternalEntityReference, s conversion.Scope) error { out.Name = in.Name out.Namespace = in.Namespace 
@@ -1127,6 +1197,90 @@ func Convert_controlplane_NetworkPolicy_To_v1beta2_NetworkPolicy(in *controlplan return autoConvert_controlplane_NetworkPolicy_To_v1beta2_NetworkPolicy(in, out, s) } +func autoConvert_v1beta2_NetworkPolicyEvaluation_To_controlplane_NetworkPolicyEvaluation(in *NetworkPolicyEvaluation, out *controlplane.NetworkPolicyEvaluation, s conversion.Scope) error { + out.Request = (*controlplane.NetworkPolicyEvaluationRequest)(unsafe.Pointer(in.Request)) + out.Response = (*controlplane.NetworkPolicyEvaluationResponse)(unsafe.Pointer(in.Response)) + return nil +} + +// Convert_v1beta2_NetworkPolicyEvaluation_To_controlplane_NetworkPolicyEvaluation is an autogenerated conversion function. +func Convert_v1beta2_NetworkPolicyEvaluation_To_controlplane_NetworkPolicyEvaluation(in *NetworkPolicyEvaluation, out *controlplane.NetworkPolicyEvaluation, s conversion.Scope) error { + return autoConvert_v1beta2_NetworkPolicyEvaluation_To_controlplane_NetworkPolicyEvaluation(in, out, s) +} + +func autoConvert_controlplane_NetworkPolicyEvaluation_To_v1beta2_NetworkPolicyEvaluation(in *controlplane.NetworkPolicyEvaluation, out *NetworkPolicyEvaluation, s conversion.Scope) error { + out.Request = (*NetworkPolicyEvaluationRequest)(unsafe.Pointer(in.Request)) + out.Response = (*NetworkPolicyEvaluationResponse)(unsafe.Pointer(in.Response)) + return nil +} + +// Convert_controlplane_NetworkPolicyEvaluation_To_v1beta2_NetworkPolicyEvaluation is an autogenerated conversion function. 
+func Convert_controlplane_NetworkPolicyEvaluation_To_v1beta2_NetworkPolicyEvaluation(in *controlplane.NetworkPolicyEvaluation, out *NetworkPolicyEvaluation, s conversion.Scope) error { + return autoConvert_controlplane_NetworkPolicyEvaluation_To_v1beta2_NetworkPolicyEvaluation(in, out, s) +} + +func autoConvert_v1beta2_NetworkPolicyEvaluationRequest_To_controlplane_NetworkPolicyEvaluationRequest(in *NetworkPolicyEvaluationRequest, out *controlplane.NetworkPolicyEvaluationRequest, s conversion.Scope) error { + if err := Convert_v1beta2_Entity_To_controlplane_Entity(&in.Source, &out.Source, s); err != nil { + return err + } + if err := Convert_v1beta2_Entity_To_controlplane_Entity(&in.Destination, &out.Destination, s); err != nil { + return err + } + return nil +} + +// Convert_v1beta2_NetworkPolicyEvaluationRequest_To_controlplane_NetworkPolicyEvaluationRequest is an autogenerated conversion function. +func Convert_v1beta2_NetworkPolicyEvaluationRequest_To_controlplane_NetworkPolicyEvaluationRequest(in *NetworkPolicyEvaluationRequest, out *controlplane.NetworkPolicyEvaluationRequest, s conversion.Scope) error { + return autoConvert_v1beta2_NetworkPolicyEvaluationRequest_To_controlplane_NetworkPolicyEvaluationRequest(in, out, s) +} + +func autoConvert_controlplane_NetworkPolicyEvaluationRequest_To_v1beta2_NetworkPolicyEvaluationRequest(in *controlplane.NetworkPolicyEvaluationRequest, out *NetworkPolicyEvaluationRequest, s conversion.Scope) error { + if err := Convert_controlplane_Entity_To_v1beta2_Entity(&in.Source, &out.Source, s); err != nil { + return err + } + if err := Convert_controlplane_Entity_To_v1beta2_Entity(&in.Destination, &out.Destination, s); err != nil { + return err + } + return nil +} + +// Convert_controlplane_NetworkPolicyEvaluationRequest_To_v1beta2_NetworkPolicyEvaluationRequest is an autogenerated conversion function. 
+func Convert_controlplane_NetworkPolicyEvaluationRequest_To_v1beta2_NetworkPolicyEvaluationRequest(in *controlplane.NetworkPolicyEvaluationRequest, out *NetworkPolicyEvaluationRequest, s conversion.Scope) error { + return autoConvert_controlplane_NetworkPolicyEvaluationRequest_To_v1beta2_NetworkPolicyEvaluationRequest(in, out, s) +} + +func autoConvert_v1beta2_NetworkPolicyEvaluationResponse_To_controlplane_NetworkPolicyEvaluationResponse(in *NetworkPolicyEvaluationResponse, out *controlplane.NetworkPolicyEvaluationResponse, s conversion.Scope) error { + if err := Convert_v1beta2_NetworkPolicyReference_To_controlplane_NetworkPolicyReference(&in.NetworkPolicy, &out.NetworkPolicy, s); err != nil { + return err + } + out.RuleIndex = in.RuleIndex + if err := Convert_v1beta2_RuleRef_To_controlplane_RuleRef(&in.Rule, &out.Rule, s); err != nil { + return err + } + return nil +} + +// Convert_v1beta2_NetworkPolicyEvaluationResponse_To_controlplane_NetworkPolicyEvaluationResponse is an autogenerated conversion function. 
+func Convert_v1beta2_NetworkPolicyEvaluationResponse_To_controlplane_NetworkPolicyEvaluationResponse(in *NetworkPolicyEvaluationResponse, out *controlplane.NetworkPolicyEvaluationResponse, s conversion.Scope) error { + return autoConvert_v1beta2_NetworkPolicyEvaluationResponse_To_controlplane_NetworkPolicyEvaluationResponse(in, out, s) +} + +func autoConvert_controlplane_NetworkPolicyEvaluationResponse_To_v1beta2_NetworkPolicyEvaluationResponse(in *controlplane.NetworkPolicyEvaluationResponse, out *NetworkPolicyEvaluationResponse, s conversion.Scope) error { + if err := Convert_controlplane_NetworkPolicyReference_To_v1beta2_NetworkPolicyReference(&in.NetworkPolicy, &out.NetworkPolicy, s); err != nil { + return err + } + out.RuleIndex = in.RuleIndex + if err := Convert_controlplane_RuleRef_To_v1beta2_RuleRef(&in.Rule, &out.Rule, s); err != nil { + return err + } + return nil +} + +// Convert_controlplane_NetworkPolicyEvaluationResponse_To_v1beta2_NetworkPolicyEvaluationResponse is an autogenerated conversion function. +func Convert_controlplane_NetworkPolicyEvaluationResponse_To_v1beta2_NetworkPolicyEvaluationResponse(in *controlplane.NetworkPolicyEvaluationResponse, out *NetworkPolicyEvaluationResponse, s conversion.Scope) error { + return autoConvert_controlplane_NetworkPolicyEvaluationResponse_To_v1beta2_NetworkPolicyEvaluationResponse(in, out, s) +} + func autoConvert_v1beta2_NetworkPolicyList_To_controlplane_NetworkPolicyList(in *NetworkPolicyList, out *controlplane.NetworkPolicyList, s conversion.Scope) error { out.ListMeta = in.ListMeta if in.Items != nil { 
@@ -1484,6 +1638,30 @@ func Convert_controlplane_PodReference_To_v1beta2_PodReference(in *controlplane. return autoConvert_controlplane_PodReference_To_v1beta2_PodReference(in, out, s) } +func autoConvert_v1beta2_RuleRef_To_controlplane_RuleRef(in *RuleRef, out *controlplane.RuleRef, s conversion.Scope) error { + out.Direction = controlplane.Direction(in.Direction) + out.Name = in.Name + out.Action = (*v1beta1.RuleAction)(unsafe.Pointer(in.Action)) + return nil +} + +// Convert_v1beta2_RuleRef_To_controlplane_RuleRef is an autogenerated conversion function. +func Convert_v1beta2_RuleRef_To_controlplane_RuleRef(in *RuleRef, out *controlplane.RuleRef, s conversion.Scope) error { + return autoConvert_v1beta2_RuleRef_To_controlplane_RuleRef(in, out, s) +} + +func autoConvert_controlplane_RuleRef_To_v1beta2_RuleRef(in *controlplane.RuleRef, out *RuleRef, s conversion.Scope) error { + out.Direction = Direction(in.Direction) + out.Name = in.Name + out.Action = (*v1beta1.RuleAction)(unsafe.Pointer(in.Action)) + return nil +} + +// Convert_controlplane_RuleRef_To_v1beta2_RuleRef is an autogenerated conversion function. +func Convert_controlplane_RuleRef_To_v1beta2_RuleRef(in *controlplane.RuleRef, out *RuleRef, s conversion.Scope) error { + return autoConvert_controlplane_RuleRef_To_v1beta2_RuleRef(in, out, s) +} + func autoConvert_v1beta2_Service_To_controlplane_Service(in *Service, out *controlplane.Service, s conversion.Scope) error { out.Protocol = (*controlplane.Protocol)(unsafe.Pointer(in.Protocol)) out.Port = (*intstr.IntOrString)(unsafe.Pointer(in.Port)) diff --git a/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go b/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go index 86e63a1a0db..7566eb4e40f 100644 --- a/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go +++ b/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go 
@@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Copyright 2023 Antrea Authors +// Copyright 2024 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -437,6 +437,27 @@ func (in *EgressGroupPatch) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Entity) DeepCopyInto(out *Entity) { + *out = *in + if in.Pod != nil { + in, out := &in.Pod, &out.Pod + *out = new(PodReference) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Entity. +func (in *Entity) DeepCopy() *Entity { + if in == nil { + return nil + } + out := new(Entity) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ExternalEntityReference) DeepCopyInto(out *ExternalEntityReference) { *out = *in 
@@ -820,6 +841,77 @@ func (in *NetworkPolicy) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkPolicyEvaluation) DeepCopyInto(out *NetworkPolicyEvaluation) { + *out = *in + out.TypeMeta = in.TypeMeta + if in.Request != nil { + in, out := &in.Request, &out.Request + *out = new(NetworkPolicyEvaluationRequest) + (*in).DeepCopyInto(*out) + } + if in.Response != nil { + in, out := &in.Response, &out.Response + *out = new(NetworkPolicyEvaluationResponse) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyEvaluation. +func (in *NetworkPolicyEvaluation) DeepCopy() *NetworkPolicyEvaluation { + if in == nil { + return nil + } + out := new(NetworkPolicyEvaluation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *NetworkPolicyEvaluation) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkPolicyEvaluationRequest) DeepCopyInto(out *NetworkPolicyEvaluationRequest) { + *out = *in + in.Source.DeepCopyInto(&out.Source) + in.Destination.DeepCopyInto(&out.Destination) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyEvaluationRequest. +func (in *NetworkPolicyEvaluationRequest) DeepCopy() *NetworkPolicyEvaluationRequest { + if in == nil { + return nil + } + out := new(NetworkPolicyEvaluationRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *NetworkPolicyEvaluationResponse) DeepCopyInto(out *NetworkPolicyEvaluationResponse) { + *out = *in + out.NetworkPolicy = in.NetworkPolicy + in.Rule.DeepCopyInto(&out.Rule) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyEvaluationResponse. +func (in *NetworkPolicyEvaluationResponse) DeepCopy() *NetworkPolicyEvaluationResponse { + if in == nil { + return nil + } + out := new(NetworkPolicyEvaluationResponse) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *NetworkPolicyList) DeepCopyInto(out *NetworkPolicyList) { *out = *in @@ -1135,6 +1227,27 @@ func (in *PodReference) DeepCopy() *PodReference { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RuleRef) DeepCopyInto(out *RuleRef) { + *out = *in + if in.Action != nil { + in, out := &in.Action, &out.Action + *out = new(v1beta1.RuleAction) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleRef. +func (in *RuleRef) DeepCopy() *RuleRef { + if in == nil { + return nil + } + out := new(RuleRef) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Service) DeepCopyInto(out *Service) { *out = *in diff --git a/pkg/apis/controlplane/zz_generated.deepcopy.go b/pkg/apis/controlplane/zz_generated.deepcopy.go index c95c736789c..9f2f70f8f32 100644 --- a/pkg/apis/controlplane/zz_generated.deepcopy.go +++ b/pkg/apis/controlplane/zz_generated.deepcopy.go 
@@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Copyright 2023 Antrea Authors +// Copyright 2024 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -437,6 +437,27 @@ func (in *EgressGroupPatch) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Entity) DeepCopyInto(out *Entity) { + *out = *in + if in.Pod != nil { + in, out := &in.Pod, &out.Pod + *out = new(PodReference) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Entity. +func (in *Entity) DeepCopy() *Entity { + if in == nil { + return nil + } + out := new(Entity) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ExternalEntityReference) DeepCopyInto(out *ExternalEntityReference) { *out = *in 
@@ -820,6 +841,77 @@ func (in *NetworkPolicy) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkPolicyEvaluation) DeepCopyInto(out *NetworkPolicyEvaluation) { + *out = *in + out.TypeMeta = in.TypeMeta + if in.Request != nil { + in, out := &in.Request, &out.Request + *out = new(NetworkPolicyEvaluationRequest) + (*in).DeepCopyInto(*out) + } + if in.Response != nil { + in, out := &in.Response, &out.Response + *out = new(NetworkPolicyEvaluationResponse) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyEvaluation. +func (in *NetworkPolicyEvaluation) DeepCopy() *NetworkPolicyEvaluation { + if in == nil { + return nil + } + out := new(NetworkPolicyEvaluation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *NetworkPolicyEvaluation) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkPolicyEvaluationRequest) DeepCopyInto(out *NetworkPolicyEvaluationRequest) { + *out = *in + in.Source.DeepCopyInto(&out.Source) + in.Destination.DeepCopyInto(&out.Destination) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyEvaluationRequest. +func (in *NetworkPolicyEvaluationRequest) DeepCopy() *NetworkPolicyEvaluationRequest { + if in == nil { + return nil + } + out := new(NetworkPolicyEvaluationRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *NetworkPolicyEvaluationResponse) DeepCopyInto(out *NetworkPolicyEvaluationResponse) { + *out = *in + out.NetworkPolicy = in.NetworkPolicy + in.Rule.DeepCopyInto(&out.Rule) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyEvaluationResponse. +func (in *NetworkPolicyEvaluationResponse) DeepCopy() *NetworkPolicyEvaluationResponse { + if in == nil { + return nil + } + out := new(NetworkPolicyEvaluationResponse) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *NetworkPolicyList) DeepCopyInto(out *NetworkPolicyList) { *out = *in @@ -1135,6 +1227,27 @@ func (in *PodReference) DeepCopy() *PodReference { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RuleRef) DeepCopyInto(out *RuleRef) { + *out = *in + if in.Action != nil { + in, out := &in.Action, &out.Action + *out = new(v1beta1.RuleAction) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleRef. +func (in *RuleRef) DeepCopy() *RuleRef { + if in == nil { + return nil + } + out := new(RuleRef) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Service) DeepCopyInto(out *Service) { *out = *in diff --git a/pkg/apiserver/apiserver.go b/pkg/apiserver/apiserver.go index bd61d934957..cb1db65d1fa 100644 --- a/pkg/apiserver/apiserver.go +++ b/pkg/apiserver/apiserver.go 
@@ -52,6 +52,7 @@ import ( "antrea.io/antrea/pkg/apiserver/registry/networkpolicy/groupmember" "antrea.io/antrea/pkg/apiserver/registry/networkpolicy/ipgroupassociation" "antrea.io/antrea/pkg/apiserver/registry/networkpolicy/networkpolicy" + "antrea.io/antrea/pkg/apiserver/registry/networkpolicy/networkpolicyevaluation" "antrea.io/antrea/pkg/apiserver/registry/stats/antreaclusternetworkpolicystats" "antrea.io/antrea/pkg/apiserver/registry/stats/antreanetworkpolicystats" "antrea.io/antrea/pkg/apiserver/registry/stats/multicastgroup" @@ -198,6 +199,7 @@ func installAPIGroup(s *APIServer, c completedConfig) error { appliedToGroupStorage := appliedtogroup.NewREST(c.extraConfig.appliedToGroupStore) networkPolicyStorage := networkpolicy.NewREST(c.extraConfig.networkPolicyStore) networkPolicyStatusStorage := networkpolicy.NewStatusREST(c.extraConfig.networkPolicyStatusController) + networkPolicyEvaluationStorage := networkpolicyevaluation.NewREST(controllernetworkpolicy.NewPolicyRuleQuerier(c.extraConfig.endpointQuerier)) clusterGroupMembershipStorage := clustergroupmember.NewREST(c.extraConfig.networkPolicyController) groupMembershipStorage := groupmember.NewREST(c.extraConfig.networkPolicyController) groupAssociationStorage := groupassociation.NewREST(c.extraConfig.networkPolicyController) @@ -212,6 +214,7 @@ func installAPIGroup(s *APIServer, c completedConfig) error { cpv1beta2Storage["appliedtogroups"] = appliedToGroupStorage cpv1beta2Storage["networkpolicies"] = networkPolicyStorage cpv1beta2Storage["networkpolicies/status"] = networkPolicyStatusStorage + cpv1beta2Storage["networkpolicyevaluation"] = networkPolicyEvaluationStorage cpv1beta2Storage["nodestatssummaries"] = nodeStatsSummaryStorage cpv1beta2Storage["groupassociations"] = groupAssociationStorage cpv1beta2Storage["ipgroupassociations"] = ipGroupAssociationStorage diff --git a/pkg/apiserver/handlers/endpoint/handler.go b/pkg/apiserver/handlers/endpoint/handler.go index ec1420eb38f..19892bae331 100644 
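Review bot: Registering `cpv1beta2Storage["networkpolicyevaluation"]` exposes a new resource that reports which policy rule applies between any two Pods named in the request, and nothing in these hunks limits who may call it. Access therefore rests on API authorization alone; the RBAC rules granting `create` on `networkpolicyevaluation` are not visible here and should be checked so that only the subjects meant to run this query receive it, rather than every client of the controlplane group. A comment above the `networkPolicyEvaluationStorage` assignment such as `// networkpolicyevaluation is create-only; callers need RBAC "create" on this resource.` would record the expectation. The body of installAPIGroup starts and ends outside the hunks.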
--- a/pkg/apiserver/handlers/endpoint/handler.go +++ b/pkg/apiserver/handlers/endpoint/handler.go 
@@ -18,33 +18,85 @@ import ( "encoding/json" "net/http" + "antrea.io/antrea/pkg/apis/controlplane/v1beta2" "antrea.io/antrea/pkg/controller/networkpolicy" ) +// EndpointQueryResponse is the reply struct for anctl endpoint queries +type EndpointQueryResponse struct { + Endpoints []Endpoint `json:"endpoints,omitempty"` +} + +type Rule struct { + PolicyRef v1beta2.NetworkPolicyReference + Direction v1beta2.Direction + RuleIndex int +} + +type Endpoint struct { + Namespace string `json:"namespace,omitempty"` + Name string `json:"name,omitempty"` + Policies []v1beta2.NetworkPolicyReference `json:"policies,omitempty"` + Rules []Rule `json:"rules,omitempty"` +} + // HandleFunc creates a http.HandlerFunc which uses an AgentNetworkPolicyInfoQuerier // to query network policy rules in current agent. func HandleFunc(eq networkpolicy.EndpointQuerier) http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { podName := r.URL.Query().Get("pod") namespace := r.URL.Query().Get("namespace") - if namespace == "" { - namespace = "default" - } // check for incomplete arguments if podName == "" { http.Error(w, "pod must be provided", http.StatusBadRequest) return } // query endpoint and handle response errors - endpointQueryResponse, err := eq.QueryNetworkPolicies(namespace, podName) + endpointNetworkPolicyRules, err := eq.QueryNetworkPolicyRules(namespace, podName) if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } - if endpointQueryResponse == nil { + if endpointNetworkPolicyRules == nil { http.Error(w, "could not find any endpoints matching your selection", http.StatusNotFound) return } + + // make response policies + responsePolicies := make([]v1beta2.NetworkPolicyReference, 0) + for _, internalPolicy := range endpointNetworkPolicyRules.AppliedPolicies { + responsePolicy := v1beta2.NetworkPolicyReference{ + Type: v1beta2.NetworkPolicyType(internalPolicy.SourceRef.Type), + Namespace: internalPolicy.SourceRef.Namespace, + Name: 
internalPolicy.SourceRef.Name, + UID: internalPolicy.SourceRef.UID, + } + responsePolicies = append(responsePolicies, responsePolicy) + } + responseRules := make([]Rule, 0) + // create rules based on egress and ingress policies + for _, rule := range append(endpointNetworkPolicyRules.EndpointAsEgressDstRules, endpointNetworkPolicyRules.EndpointAsIngressSrcRules...) { + newRule := Rule{ + PolicyRef: v1beta2.NetworkPolicyReference{ + Type: v1beta2.NetworkPolicyType(rule.Policy.SourceRef.Type), + Namespace: rule.Policy.SourceRef.Namespace, + Name: rule.Policy.SourceRef.Name, + UID: rule.Policy.SourceRef.UID, + }, + Direction: v1beta2.Direction(rule.Rule.Direction), + RuleIndex: rule.Index, + } + responseRules = append(responseRules, newRule) + } + // for now, selector only selects a single endpoint (pod, namespace) + endpoint := Endpoint{ + Namespace: namespace, + Name: podName, + Policies: responsePolicies, + Rules: responseRules, + } + endpointQueryResponse := &EndpointQueryResponse{[]Endpoint{endpoint}} + if err := json.NewEncoder(w).Encode(*endpointQueryResponse); err != nil { http.Error(w, "failed to encode response: "+err.Error(), http.StatusInternalServerError) } diff --git a/pkg/apiserver/handlers/endpoint/handler_test.go b/pkg/apiserver/handlers/endpoint/handler_test.go index 7b63546b2fa..07ee7919a68 100644 --- a/pkg/apiserver/handlers/endpoint/handler_test.go +++ b/pkg/apiserver/handlers/endpoint/handler_test.go @@ -22,11 +22,12 @@ import ( "github.com/stretchr/testify/assert" "go.uber.org/mock/gomock" - v1 "k8s.io/api/admission/v1" - "k8s.io/apimachinery/pkg/api/errors" + "antrea.io/antrea/pkg/apis/controlplane" + "antrea.io/antrea/pkg/apis/controlplane/v1beta2" "antrea.io/antrea/pkg/controller/networkpolicy" queriermock "antrea.io/antrea/pkg/controller/networkpolicy/testing" + "antrea.io/antrea/pkg/controller/types" ) type TestCase struct { 
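Review bot: The loop over `append(endpointNetworkPolicyRules.EndpointAsEgressDstRules, endpointNetworkPolicyRules.EndpointAsIngressSrcRules...)` appends to a slice owned by the querier's result; if that slice has spare capacity the append writes into its backing array, which becomes a data race when the result is shared between requests (whether it is shared is not visible here). This loop and the `AppliedPolicies` loop also dereference `SourceRef`, `rule.Policy` and `rule.Rule` without a nil check, so a single incomplete entry would panic the handler. Copying into a fresh slice and guarding the pointers avoids both, as sketched below; whether to skip or reject an incomplete entry is a choice for the author. Separately, the `namespace = "default"` fallback is removed, so an empty namespace now reaches `QueryNetworkPolicyRules` unless the caller or the querier fills it in.

```go
// … unchanged: query call, error and not-found handling, responsePolicies …
egress := endpointNetworkPolicyRules.EndpointAsEgressDstRules
ingress := endpointNetworkPolicyRules.EndpointAsIngressSrcRules
// Copy into a fresh slice so the querier's own slices are never appended to in place.
allRules := make([]*networkpolicy.RuleInfo, 0, len(egress)+len(ingress))
allRules = append(allRules, egress...)
allRules = append(allRules, ingress...)
responseRules := make([]Rule, 0, len(allRules))
for _, rule := range allRules {
	// Skip incomplete entries instead of panicking on a nil pointer.
	if rule == nil || rule.Policy == nil || rule.Policy.SourceRef == nil || rule.Rule == nil {
		continue
	}
	// … unchanged: build newRule from rule and append it to responseRules …
}
```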
@@ -34,53 +35,12 @@ type TestCase struct { handlerRequest string expectedStatus int // expected result written by handler function - expectedContent response + expectedResponse *EndpointQueryResponse // arguments of call to mock argsMock []string // results of call to mock - mockQueryResponse response -} - -type response struct { - response *networkpolicy.EndpointQueryResponse - error error -} - -var responses = []response{ - { - response: &networkpolicy.EndpointQueryResponse{Endpoints: nil}, - error: errors.NewNotFound(v1.Resource("pod"), "pod"), - }, - { - response: &networkpolicy.EndpointQueryResponse{Endpoints: []networkpolicy.Endpoint{ - { - Policies: []networkpolicy.Policy{ - { - PolicyRef: networkpolicy.PolicyRef{Name: "policy1"}, - }, - }, - }, - }, - }, - error: nil, - }, - { - response: &networkpolicy.EndpointQueryResponse{Endpoints: []networkpolicy.Endpoint{ - { - Policies: []networkpolicy.Policy{ - { - PolicyRef: networkpolicy.PolicyRef{Name: "policy1"}, - }, - { - PolicyRef: networkpolicy.PolicyRef{Name: "policy2"}, - }, - }, - }, - }, - }, - error: nil, - }, + mockQueryResponse *networkpolicy.EndpointNetworkPolicyRules } // TestIncompleteArguments tests how the handler function responds when the user passes in a query command @@ -116,13 +76,10 @@ func TestInvalidArguments(t *testing.T) { // outline test cases with expected behavior testCases := map[string]TestCase{ "Responds with error given no invalid selection": { - handlerRequest: "?namespace=namespace&pod=pod", - expectedStatus: http.StatusNotFound, - argsMock: []string{namespace, pod}, - mockQueryResponse: response{ - response: nil, - error: nil, - }, + handlerRequest: "?namespace=namespace&pod=pod", + expectedStatus: http.StatusNotFound, + argsMock: []string{namespace, pod}, + mockQueryResponse: nil, }, } 
@@ -139,22 +96,35 @@ func TestSinglePolicyResponse(t *testing.T) { // outline test cases with expected behavior testCases := map[string]TestCase{ "Responds with list of single element": { - handlerRequest: "?namespace=namespace&pod=pod", - expectedStatus: http.StatusOK, - expectedContent: responses[1], - argsMock: []string{namespace, pod}, - mockQueryResponse: response{ - response: &networkpolicy.EndpointQueryResponse{Endpoints: []networkpolicy.Endpoint{ + handlerRequest: "?namespace=namespace&pod=pod", + expectedStatus: http.StatusOK, + expectedResponse: &EndpointQueryResponse{Endpoints: []Endpoint{ + { + Policies: []v1beta2.NetworkPolicyReference{ + {Name: "policy1"}, + }, + Rules: []Rule{ + {PolicyRef: v1beta2.NetworkPolicyReference{Name: "policy2"}}, + }, + }, + }, + }, + argsMock: []string{namespace, pod}, + mockQueryResponse: &networkpolicy.EndpointNetworkPolicyRules{ + AppliedPolicies: []*types.NetworkPolicy{ + {SourceRef: &controlplane.NetworkPolicyReference{Name: "policy1"}}, + }, + EndpointAsIngressSrcRules: []*networkpolicy.RuleInfo{ { - Policies: []networkpolicy.Policy{ - { - PolicyRef: networkpolicy.PolicyRef{Name: "policy1"}, - }, + Policy: &types.NetworkPolicy{ + SourceRef: &controlplane.NetworkPolicyReference{Name: "policy2"}, + }, + Index: 0, + Rule: &controlplane.NetworkPolicyRule{ + Direction: controlplane.DirectionIn, }, }, }, - }, - error: nil, }, }, } 
@@ -172,25 +142,22 @@ func TestMultiPolicyResponse(t *testing.T) { // outline test cases with expected behavior testCases := map[string]TestCase{ "Responds with list of single element": { - handlerRequest: "?namespace=namespace&pod=pod", - expectedStatus: http.StatusOK, - expectedContent: responses[2], - argsMock: []string{namespace, pod}, - mockQueryResponse: response{ - response: &networkpolicy.EndpointQueryResponse{Endpoints: []networkpolicy.Endpoint{ - { - Policies: []networkpolicy.Policy{ - { - PolicyRef: networkpolicy.PolicyRef{Name: "policy1"}, - }, - { - PolicyRef: networkpolicy.PolicyRef{Name: "policy2"}, - }, - }, + handlerRequest: "?namespace=namespace&pod=pod", + expectedStatus: http.StatusOK, + expectedResponse: &EndpointQueryResponse{Endpoints: []Endpoint{ + { + Policies: []v1beta2.NetworkPolicyReference{ + {Name: "policy1"}, {Name: "policy2"}, }, }, + }, + }, + argsMock: []string{namespace, pod}, + mockQueryResponse: &networkpolicy.EndpointNetworkPolicyRules{ + AppliedPolicies: []*types.NetworkPolicy{ + {SourceRef: &controlplane.NetworkPolicyReference{Name: "policy1"}}, + {SourceRef: &controlplane.NetworkPolicyReference{Name: "policy2"}}, }, - error: nil, }, }, } @@ -204,7 +171,7 @@ func evaluateTestCases(testCases map[string]TestCase, mockCtrl *gomock.Controlle // create mock querier with expected behavior outlined in testCase mockQuerier := queriermock.NewMockEndpointQuerier(mockCtrl) if tc.expectedStatus != http.StatusBadRequest { - mockQuerier.EXPECT().QueryNetworkPolicies(tc.argsMock[0], tc.argsMock[1]).Return(tc.mockQueryResponse.response, tc.mockQueryResponse.error) + mockQuerier.EXPECT().QueryNetworkPolicyRules(tc.argsMock[0], tc.argsMock[1]).Return(tc.mockQueryResponse, nil) } // initialize handler with mockQuerier handler := HandleFunc(mockQuerier) 
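Review bot: With `.Return(tc.mockQueryResponse, nil)` in `evaluateTestCases` the mock can no longer return an error, so the handler's `http.StatusInternalServerError` branch for a failing `QueryNetworkPolicyRules` is not exercised by any case visible in these hunks. The `TestCase` hunk (`@@ -34,53 +35,12 @@`) removed the `error` that the old `response` wrapper carried. I would add a field such as `mockQueryErr error` to `TestCase`, pass it with `.Return(tc.mockQueryResponse, tc.mockQueryErr)`, and add one case that expects a 500. `evaluateTestCases` starts and ends outside this hunk.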
@@ -218,11 +185,14 @@ func evaluateTestCases(testCases map[string]TestCase, mockCtrl *gomock.Controlle return } // check response is expected - var received networkpolicy.EndpointQueryResponse + var received EndpointQueryResponse err = json.Unmarshal(recorder.Body.Bytes(), &received) assert.Nil(t, err) - for i, policy := range tc.expectedContent.response.Endpoints[0].Policies { + for i, policy := range tc.expectedResponse.Endpoints[0].Policies { assert.Equal(t, policy.Name, received.Endpoints[0].Policies[i].Name) } + for i, rule := range tc.expectedResponse.Endpoints[0].Rules { + assert.Equal(t, rule.PolicyRef.Name, received.Endpoints[0].Rules[i].PolicyRef.Name) + } } } diff --git a/pkg/apiserver/openapi/zz_generated.openapi.go b/pkg/apiserver/openapi/zz_generated.openapi.go index 626f6d18b8f..62aad5990c9 100644 --- a/pkg/apiserver/openapi/zz_generated.openapi.go +++ b/pkg/apiserver/openapi/zz_generated.openapi.go @@ -1,7 +1,7 @@ //go:build !ignore_autogenerated // +build !ignore_autogenerated -// Copyright 2023 Antrea Authors +// Copyright 2024 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
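Review bot: The assertion loops in `evaluateTestCases` index `received.Endpoints[0].Policies[i]` and `received.Endpoints[0].Rules[i]` by the expected slice's length and compare only `Name`. A response with extra entries therefore passes, a shorter one panics with an index error instead of failing cleanly, and the `Direction` and `RuleIndex` values the handler now emits are never checked. I would assert the lengths first and stop on failure, e.g. `if !assert.Len(t, received.Endpoints[0].Rules, len(tc.expectedResponse.Endpoints[0].Rules)) { return }`, with the same check for `Policies`. The `TestSinglePolicyResponse` fixture (hunk `@@ -139,22 +96,35 @@`) could then set `Direction` and `RuleIndex` on the expected `Rule` and compare them too. The function body begins outside this hunk.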
@@ -43,6 +43,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "antrea.io/antrea/pkg/apis/controlplane/v1beta2.EgressGroup": schema_pkg_apis_controlplane_v1beta2_EgressGroup(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.EgressGroupList": schema_pkg_apis_controlplane_v1beta2_EgressGroupList(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.EgressGroupPatch": schema_pkg_apis_controlplane_v1beta2_EgressGroupPatch(ref), + "antrea.io/antrea/pkg/apis/controlplane/v1beta2.Entity": schema_pkg_apis_controlplane_v1beta2_Entity(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.ExternalEntityReference": schema_pkg_apis_controlplane_v1beta2_ExternalEntityReference(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.GroupAssociation": schema_pkg_apis_controlplane_v1beta2_GroupAssociation(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.GroupMember": schema_pkg_apis_controlplane_v1beta2_GroupMember(ref), 
@@ -56,6 +57,9 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "antrea.io/antrea/pkg/apis/controlplane/v1beta2.MulticastGroupInfo": schema_pkg_apis_controlplane_v1beta2_MulticastGroupInfo(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NamedPort": schema_pkg_apis_controlplane_v1beta2_NamedPort(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicy": schema_pkg_apis_controlplane_v1beta2_NetworkPolicy(ref), + "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyEvaluation": schema_pkg_apis_controlplane_v1beta2_NetworkPolicyEvaluation(ref), + "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyEvaluationRequest": schema_pkg_apis_controlplane_v1beta2_NetworkPolicyEvaluationRequest(ref), + "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyEvaluationResponse": schema_pkg_apis_controlplane_v1beta2_NetworkPolicyEvaluationResponse(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyList": schema_pkg_apis_controlplane_v1beta2_NetworkPolicyList(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyNodeStatus": schema_pkg_apis_controlplane_v1beta2_NetworkPolicyNodeStatus(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyPeer": schema_pkg_apis_controlplane_v1beta2_NetworkPolicyPeer(ref), 
@@ -67,6 +71,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NodeStatsSummary": schema_pkg_apis_controlplane_v1beta2_NodeStatsSummary(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.PaginationGetOptions": schema_pkg_apis_controlplane_v1beta2_PaginationGetOptions(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.PodReference": schema_pkg_apis_controlplane_v1beta2_PodReference(ref), + "antrea.io/antrea/pkg/apis/controlplane/v1beta2.RuleRef": schema_pkg_apis_controlplane_v1beta2_RuleRef(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.Service": schema_pkg_apis_controlplane_v1beta2_Service(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.ServiceReference": schema_pkg_apis_controlplane_v1beta2_ServiceReference(ref), "antrea.io/antrea/pkg/apis/controlplane/v1beta2.SupportBundleCollection": schema_pkg_apis_controlplane_v1beta2_SupportBundleCollection(ref), @@ -1052,6 +1057,26 @@ func schema_pkg_apis_controlplane_v1beta2_EgressGroupPatch(ref common.ReferenceC } } +func schema_pkg_apis_controlplane_v1beta2_Entity(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Entity contains Namespace and Pod name as a request parameter.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "pod": { + SchemaProps: spec.SchemaProps{ + Ref: ref("antrea.io/antrea/pkg/apis/controlplane/v1beta2.PodReference"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "antrea.io/antrea/pkg/apis/controlplane/v1beta2.PodReference"}, + } +} + func schema_pkg_apis_controlplane_v1beta2_ExternalEntityReference(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -1636,6 +1661,107 @@ func schema_pkg_apis_controlplane_v1beta2_NetworkPolicy(ref common.ReferenceCall } } +func schema_pkg_apis_controlplane_v1beta2_NetworkPolicyEvaluation(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "NetworkPolicyEvaluation contains the request and response for a NetworkPolicy access review.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "request": { + SchemaProps: spec.SchemaProps{ + Ref: ref("antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyEvaluationRequest"), + }, + }, + "response": { + SchemaProps: spec.SchemaProps{ + Ref: ref("antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyEvaluationResponse"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyEvaluationRequest", "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyEvaluationResponse"}, + } +} + +func schema_pkg_apis_controlplane_v1beta2_NetworkPolicyEvaluationRequest(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "NetworkPolicyEvaluationRequest is the request body of NetworkPolicy access review.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "source": { + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/controlplane/v1beta2.Entity"), + }, + }, + "destination": { + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/controlplane/v1beta2.Entity"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "antrea.io/antrea/pkg/apis/controlplane/v1beta2.Entity"}, + } +} + +func schema_pkg_apis_controlplane_v1beta2_NetworkPolicyEvaluationResponse(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "NetworkPolicyEvaluationResponse is the response of NetworkPolicy access review.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "sourceRef": { + SchemaProps: spec.SchemaProps{ + Description: "The reference of the effective 
NetworkPolicy.", + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyReference"), + }, + }, + "ruleIndex": { + SchemaProps: spec.SchemaProps{ + Type: []string{"integer"}, + Format: "int32", + }, + }, + "rule": { + SchemaProps: spec.SchemaProps{ + Description: "The content of the effective rule.", + Default: map[string]interface{}{}, + Ref: ref("antrea.io/antrea/pkg/apis/controlplane/v1beta2.RuleRef"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyReference", "antrea.io/antrea/pkg/apis/controlplane/v1beta2.RuleRef"}, + } +} + func schema_pkg_apis_controlplane_v1beta2_NetworkPolicyList(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -2243,6 +2369,37 @@ func schema_pkg_apis_controlplane_v1beta2_PodReference(ref common.ReferenceCallb } } +func schema_pkg_apis_controlplane_v1beta2_RuleRef(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "RuleRef contains basic information for the rule.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "direction": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + "name": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + "action": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + func schema_pkg_apis_controlplane_v1beta2_Service(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/pkg/apiserver/registry/networkpolicy/networkpolicyevaluation/rest.go b/pkg/apiserver/registry/networkpolicy/networkpolicyevaluation/rest.go new file mode 100644 index 00000000000..e7e0fff4e98 --- /dev/null 
+++ b/pkg/apiserver/registry/networkpolicy/networkpolicyevaluation/rest.go 
@@ -0,0 +1,67 @@
+// Copyright 2024 Antrea Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package networkpolicyevaluation
+
+import (
+ "context"
+ "fmt"
+
+ "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apiserver/pkg/registry/rest"
+
+ "antrea.io/antrea/pkg/apis/controlplane"
+ "antrea.io/antrea/pkg/controller/networkpolicy"
+)
+
+type REST struct {
+ querier networkpolicy.PolicyRuleQuerier
+}
+
+var (
+ _ rest.Storage = &REST{}
+ _ rest.Scoper = &REST{}
+ _ rest.Creater = &REST{}
+)
+
+// NewREST returns a REST object that will work against API services.
+func NewREST(querier networkpolicy.PolicyRuleQuerier) *REST {
+ return &REST{querier}
+}
+
+func (r *REST) New() runtime.Object {
+ return &controlplane.NetworkPolicyEvaluation{}
+}
+
+func (r *REST) Destroy() {
+}
+
+func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, options *metav1.CreateOptions) (runtime.Object, error) {
+ review, ok := obj.(*controlplane.NetworkPolicyEvaluation)
+ if !ok {
+ return nil, errors.NewBadRequest(fmt.Sprintf("not a NetworkPolicyEvaluation object: %T", obj))
+ }
+ response, err := r.querier.QueryNetworkPolicyEvaluation(review.Request)
+ if err != nil {
+ return nil, err
+ }
+ review.Response = response
+ return review, nil
+}
+
+func (r *REST) NamespaceScoped() bool {
+ return false
+}
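Review bot: `Create` passes `review.Request` straight to `QueryNetworkPolicyEvaluation` without validating it, although `Request` and the `Pod` field of each `Entity` are pointers (see the fixtures in rest_test.go) and the object comes from the API client. Unless the querier rejects these itself, which this file does not show, a POST that omits `request`, `source.pod` or `destination.pod` reaches policy evaluation with nil values. I would reject it at the boundary with `if review.Request == nil || review.Request.Source.Pod == nil || review.Request.Destination.Pod == nil { return nil, errors.NewBadRequest("request must specify source and destination Pods") }` and add a matching case to `TestRESTCreate`. The exported methods other than `NewREST` also lack doc comments; on `Create`, `// Create evaluates the request against the querier and returns the same object with Response filled in.` would describe what the visible body does.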
diff --git a/pkg/apiserver/registry/networkpolicy/networkpolicyevaluation/rest_test.go b/pkg/apiserver/registry/networkpolicy/networkpolicyevaluation/rest_test.go new file mode 100644 index 00000000000..3d7b950cc19 --- /dev/null +++ b/pkg/apiserver/registry/networkpolicy/networkpolicyevaluation/rest_test.go 
@@ -0,0 +1,96 @@ +// Copyright 2024 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package networkpolicyevaluation + +import ( + "context" + "fmt" + "testing" + + "github.com/stretchr/testify/assert" + "go.uber.org/mock/gomock" + "k8s.io/apimachinery/pkg/api/errors" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + + "antrea.io/antrea/pkg/apis/controlplane" + queriermock "antrea.io/antrea/pkg/controller/networkpolicy/testing" +) + +func TestREST(t *testing.T) { + r := NewREST(nil) + assert.Equal(t, &controlplane.NetworkPolicyEvaluation{}, r.New()) + assert.False(t, r.NamespaceScoped()) +} + +func TestRESTCreate(t *testing.T) { + request := controlplane.NetworkPolicyEvaluationRequest{Source: controlplane.Entity{Pod: &controlplane.PodReference{Namespace: "ns", Name: "pod1"}}, Destination: controlplane.Entity{Pod: &controlplane.PodReference{Namespace: "ns", Name: "pod2"}}} + tests := []struct { + name string + obj runtime.Object + expectedReturnedObj runtime.Object + expectedErr error + mockResponse *controlplane.NetworkPolicyEvaluationResponse + mockErr error + }{ + { + name: "Succeed", + obj: &controlplane.NetworkPolicyEvaluation{ + Request: &request, + }, + expectedReturnedObj: &controlplane.NetworkPolicyEvaluation{ + Request: &request, + Response: &controlplane.NetworkPolicyEvaluationResponse{ + NetworkPolicy: controlplane.NetworkPolicyReference{Name: "test"}, + Rule: controlplane.RuleRef{Direction: 
controlplane.DirectionIn}, + }, + }, + mockResponse: &controlplane.NetworkPolicyEvaluationResponse{ + NetworkPolicy: controlplane.NetworkPolicyReference{Name: "test"}, + Rule: controlplane.RuleRef{Direction: controlplane.DirectionIn}, + }, + }, + { + name: "Query error", + obj: &controlplane.NetworkPolicyEvaluation{ + Request: &request, + }, + mockErr: fmt.Errorf("querier error"), + expectedErr: fmt.Errorf("querier error"), + }, + { + name: "Unexpected type", + obj: &controlplane.NetworkPolicy{ + ObjectMeta: v1.ObjectMeta{ + Name: "foo", + }, + }, + expectedErr: errors.NewBadRequest("not a NetworkPolicyEvaluation object: *controlplane.NetworkPolicy"), + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + mockCtrl := gomock.NewController(t) + mockQuerier := queriermock.NewMockPolicyRuleQuerier(mockCtrl) + if tt.mockResponse != nil || tt.mockErr != nil { + mockQuerier.EXPECT().QueryNetworkPolicyEvaluation(tt.obj.(*controlplane.NetworkPolicyEvaluation).Request).Return(tt.mockResponse, tt.mockErr) + } + r := NewREST(mockQuerier) + actualObj, err := r.Create(context.TODO(), tt.obj, nil, &v1.CreateOptions{}) + assert.Equal(t, tt.expectedErr, err) + assert.Equal(t, tt.expectedReturnedObj, actualObj) + }) + } +} diff --git a/pkg/client/clientset/versioned/typed/controlplane/v1beta2/controlplane_client.go b/pkg/client/clientset/versioned/typed/controlplane/v1beta2/controlplane_client.go index 98c7b89f758..5f583d2ab4f 100644 --- a/pkg/client/clientset/versioned/typed/controlplane/v1beta2/controlplane_client.go +++ b/pkg/client/clientset/versioned/typed/controlplane/v1beta2/controlplane_client.go @@ -1,4 +1,4 @@ -// Copyright 2023 Antrea Authors +// Copyright 2024 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -34,6 +34,7 @@ type ControlplaneV1beta2Interface interface { GroupMembersGetter IPGroupAssociationsGetter NetworkPoliciesGetter + NetworkPolicyEvaluationsGetter NodeStatsSummariesGetter SupportBundleCollectionsGetter } @@ -75,6 +76,10 @@ func (c *ControlplaneV1beta2Client) NetworkPolicies() NetworkPolicyInterface { return newNetworkPolicies(c) } +func (c *ControlplaneV1beta2Client) NetworkPolicyEvaluations() NetworkPolicyEvaluationInterface { + return newNetworkPolicyEvaluations(c) +} + func (c *ControlplaneV1beta2Client) NodeStatsSummaries() NodeStatsSummaryInterface { return newNodeStatsSummaries(c) } diff --git a/pkg/client/clientset/versioned/typed/controlplane/v1beta2/fake/fake_controlplane_client.go b/pkg/client/clientset/versioned/typed/controlplane/v1beta2/fake/fake_controlplane_client.go index 232d3b75f8a..d2bd98cc7e8 100644 --- a/pkg/client/clientset/versioned/typed/controlplane/v1beta2/fake/fake_controlplane_client.go +++ b/pkg/client/clientset/versioned/typed/controlplane/v1beta2/fake/fake_controlplane_client.go @@ -1,4 +1,4 @@ -// Copyright 2023 Antrea Authors +// Copyright 2024 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -58,6 +58,10 @@ func (c *FakeControlplaneV1beta2) NetworkPolicies() v1beta2.NetworkPolicyInterfa return &FakeNetworkPolicies{c} } +func (c *FakeControlplaneV1beta2) NetworkPolicyEvaluations() v1beta2.NetworkPolicyEvaluationInterface { + return &FakeNetworkPolicyEvaluations{c} +} + func (c *FakeControlplaneV1beta2) NodeStatsSummaries() v1beta2.NodeStatsSummaryInterface { return &FakeNodeStatsSummaries{c} } diff --git a/pkg/client/clientset/versioned/typed/controlplane/v1beta2/fake/fake_networkpolicyevaluation.go b/pkg/client/clientset/versioned/typed/controlplane/v1beta2/fake/fake_networkpolicyevaluation.go new file mode 100644 index 00000000000..74ea3b78c39 --- /dev/null 
+++ b/pkg/client/clientset/versioned/typed/controlplane/v1beta2/fake/fake_networkpolicyevaluation.go 
@@ -0,0 +1,45 @@ +// Copyright 2024 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1beta2 "antrea.io/antrea/pkg/apis/controlplane/v1beta2" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + schema "k8s.io/apimachinery/pkg/runtime/schema" + testing "k8s.io/client-go/testing" +) + +// FakeNetworkPolicyEvaluations implements NetworkPolicyEvaluationInterface +type FakeNetworkPolicyEvaluations struct { + Fake *FakeControlplaneV1beta2 +} + +var networkpolicyevaluationsResource = schema.GroupVersionResource{Group: "controlplane.antrea.io", Version: "v1beta2", Resource: "networkpolicyevaluations"} + +var networkpolicyevaluationsKind = schema.GroupVersionKind{Group: "controlplane.antrea.io", Version: "v1beta2", Kind: "NetworkPolicyEvaluation"} + +// Create takes the representation of a networkPolicyEvaluation and creates it. Returns the server's representation of the networkPolicyEvaluation, and an error, if there is any. +func (c *FakeNetworkPolicyEvaluations) Create(ctx context.Context, networkPolicyEvaluation *v1beta2.NetworkPolicyEvaluation, opts v1.CreateOptions) (result *v1beta2.NetworkPolicyEvaluation, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewRootCreateAction(networkpolicyevaluationsResource, networkPolicyEvaluation), &v1beta2.NetworkPolicyEvaluation{}) + if obj == nil { + return nil, err + } + return obj.(*v1beta2.NetworkPolicyEvaluation), err +} diff --git a/pkg/client/clientset/versioned/typed/controlplane/v1beta2/generated_expansion.go b/pkg/client/clientset/versioned/typed/controlplane/v1beta2/generated_expansion.go index b6b453ba588..454339cedea 100644 --- a/pkg/client/clientset/versioned/typed/controlplane/v1beta2/generated_expansion.go +++ b/pkg/client/clientset/versioned/typed/controlplane/v1beta2/generated_expansion.go @@ -1,4 +1,4 @@ -// Copyright 2023 Antrea Authors +// Copyright 2024 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -26,4 +26,6 @@ type GroupAssociationExpansion interface{} type IPGroupAssociationExpansion interface{} +type NetworkPolicyEvaluationExpansion interface{} + type NodeStatsSummaryExpansion interface{} diff --git a/pkg/client/clientset/versioned/typed/controlplane/v1beta2/networkpolicyevaluation.go b/pkg/client/clientset/versioned/typed/controlplane/v1beta2/networkpolicyevaluation.go new file mode 100644 index 00000000000..241e320c522 --- /dev/null +++ b/pkg/client/clientset/versioned/typed/controlplane/v1beta2/networkpolicyevaluation.go 
@@ -0,0 +1,62 @@ +// Copyright 2024 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by client-gen. DO NOT EDIT. + +package v1beta2 + +import ( + "context" + + v1beta2 "antrea.io/antrea/pkg/apis/controlplane/v1beta2" + scheme "antrea.io/antrea/pkg/client/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + rest "k8s.io/client-go/rest" +) + +// NetworkPolicyEvaluationsGetter has a method to return a NetworkPolicyEvaluationInterface. +// A group's client should implement this interface. +type NetworkPolicyEvaluationsGetter interface { + NetworkPolicyEvaluations() NetworkPolicyEvaluationInterface +} + +// NetworkPolicyEvaluationInterface has methods to work with NetworkPolicyEvaluation resources. +type NetworkPolicyEvaluationInterface interface { + Create(ctx context.Context, networkPolicyEvaluation *v1beta2.NetworkPolicyEvaluation, opts v1.CreateOptions) (*v1beta2.NetworkPolicyEvaluation, error) + NetworkPolicyEvaluationExpansion +} + +// networkPolicyEvaluations implements NetworkPolicyEvaluationInterface +type networkPolicyEvaluations struct { + client rest.Interface +} + +// newNetworkPolicyEvaluations returns a NetworkPolicyEvaluations +func newNetworkPolicyEvaluations(c *ControlplaneV1beta2Client) *networkPolicyEvaluations { + return &networkPolicyEvaluations{ + client: c.RESTClient(), + } +} + +// Create takes the representation of a networkPolicyEvaluation and creates it. 
Returns the server's representation of the networkPolicyEvaluation, and an error, if there is any. +func (c *networkPolicyEvaluations) Create(ctx context.Context, networkPolicyEvaluation *v1beta2.NetworkPolicyEvaluation, opts v1.CreateOptions) (result *v1beta2.NetworkPolicyEvaluation, err error) { + result = &v1beta2.NetworkPolicyEvaluation{} + err = c.client.Post(). + Resource("networkpolicyevaluations"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(networkPolicyEvaluation). + Do(ctx). + Into(result) + return +} diff --git a/pkg/controller/networkpolicy/adminnetworkpolicy_test.go b/pkg/controller/networkpolicy/adminnetworkpolicy_test.go index c7dea83f135..4346687b04e 100644 --- a/pkg/controller/networkpolicy/adminnetworkpolicy_test.go +++ b/pkg/controller/networkpolicy/adminnetworkpolicy_test.go @@ -416,7 +416,7 @@ func TestProcessAdminNetworkPolicy(t *testing.T) { defer featuregatetesting.SetFeatureGateDuringTest(t, features.DefaultFeatureGate, features.AdminNetworkPolicy, true) for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, c := newController(nil, nil) + _, c := NewController(nil, nil) actualPolicy, actualAppliedToGroups, actualAddressGroups := c.processAdminNetworkPolicy(tt.inputPolicy) assert.Equal(t, tt.expectedPolicy.UID, actualPolicy.UID) assert.Equal(t, tt.expectedPolicy.Name, actualPolicy.Name) @@ -712,7 +712,7 @@ func TestProcessBaselineAdminNetworkPolicy(t *testing.T) { defer featuregatetesting.SetFeatureGateDuringTest(t, features.DefaultFeatureGate, features.AdminNetworkPolicy, true) for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, c := newController(nil, nil) + _, c := NewController(nil, nil) actualPolicy, actualAppliedToGroups, actualAddressGroups := c.processBaselineAdminNetworkPolicy(tt.inputPolicy) assert.Equal(t, tt.expectedPolicy.UID, actualPolicy.UID) assert.Equal(t, tt.expectedPolicy.Name, actualPolicy.Name) 
diff --git a/pkg/controller/networkpolicy/antreanetworkpolicy_test.go b/pkg/controller/networkpolicy/antreanetworkpolicy_test.go index 62554de4402..c0d5e7e42db 100644 --- a/pkg/controller/networkpolicy/antreanetworkpolicy_test.go +++ b/pkg/controller/networkpolicy/antreanetworkpolicy_test.go @@ -739,7 +739,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, c := newController(nil, nil) + _, c := NewController(nil, nil) c.serviceStore.Add(&svcA) actualPolicy, actualAppliedToGroups, actualAddressGroups := c.processAntreaNetworkPolicy(tt.inputPolicy) assert.Equal(t, tt.expectedPolicy, actualPolicy) @@ -750,7 +750,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { } func TestAddANNP(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) annp := getANNP() npc.addANNP(annp) require.Equal(t, 1, npc.internalNetworkPolicyQueue.Len()) @@ -761,7 +761,7 @@ func TestAddANNP(t *testing.T) { } func TestUpdateANNP(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) annp := getANNP() newANNP := annp.DeepCopy() // Make a change to the ANNP. @@ -775,7 +775,7 @@ func TestUpdateANNP(t *testing.T) { } func TestDeleteANNP(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) annp := getANNP() npc.deleteANNP(annp) require.Equal(t, 1, npc.internalNetworkPolicyQueue.Len()) diff --git a/pkg/controller/networkpolicy/clustergroup.go b/pkg/controller/networkpolicy/clustergroup.go index 735b365c241..f4cb27e0c4b 100644 --- a/pkg/controller/networkpolicy/clustergroup.go +++ b/pkg/controller/networkpolicy/clustergroup.go 
@@ -210,9 +210,9 @@ func (c *NetworkPolicyController) syncInternalClusterGroup(grp *antreatypes.Grou } selectorUpdated := c.processServiceReference(grp) if grp.Selector != nil { - c.groupingInterface.AddGroup(internalGroupType, grp.SourceReference.ToGroupName(), grp.Selector) + c.GroupingInterface.AddGroup(internalGroupType, grp.SourceReference.ToGroupName(), grp.Selector) } else { - c.groupingInterface.DeleteGroup(internalGroupType, grp.SourceReference.ToGroupName()) + c.GroupingInterface.DeleteGroup(internalGroupType, grp.SourceReference.ToGroupName()) } membersComputed, membersComputedStatus := true, v1.ConditionFalse @@ -368,9 +368,9 @@ func (c *NetworkPolicyController) serviceToGroupSelector(service *v1.Service) *a // queried (Pod or ExternalEntity identified by name and namespace). func (c *NetworkPolicyController) GetAssociatedGroups(name, namespace string) []antreatypes.Group { // Try Pod first, then ExternalEntity. - groups, exists := c.groupingInterface.GetGroupsForPod(namespace, name) + groups, exists := c.GroupingInterface.GetGroupsForPod(namespace, name) if !exists { - groups, exists = c.groupingInterface.GetGroupsForExternalEntity(namespace, name) + groups, exists = c.GroupingInterface.GetGroupsForExternalEntity(namespace, name) if !exists { return nil } diff --git a/pkg/controller/networkpolicy/clustergroup_test.go b/pkg/controller/networkpolicy/clustergroup_test.go index e957d024318..a32aea82100 100644 --- a/pkg/controller/networkpolicy/clustergroup_test.go +++ b/pkg/controller/networkpolicy/clustergroup_test.go @@ -167,7 +167,7 @@ func TestProcessClusterGroup(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, c := newController(nil, nil) + _, c := NewController(nil, nil) actualGroup := c.processClusterGroup(tt.inputGroup) assert.Equal(t, tt.expectedGroup, actualGroup) }) 
@@ -269,7 +269,7 @@ func TestAddClusterGroup(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.addClusterGroup(tt.inputGroup) key := tt.inputGroup.Name actualGroupObj, _, _ := npc.internalGroupStore.Get(key) @@ -418,7 +418,7 @@ func TestUpdateClusterGroup(t *testing.T) { }, }, } - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.addClusterGroup(&testCG) key := testCG.Name for _, tt := range tests { @@ -440,7 +440,7 @@ func TestDeleteCG(t *testing.T) { }, } key := testCG.Name - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.addClusterGroup(&testCG) npc.deleteClusterGroup(&testCG) _, found, _ := npc.internalGroupStore.Get(key) @@ -584,7 +584,7 @@ func TestFilterInternalGroupsForService(t *testing.T) { sets.New[string]("cgC"), }, } - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.internalGroupStore.Create(grp1) npc.internalGroupStore.Create(grp2) npc.internalGroupStore.Create(grp3) @@ -688,7 +688,7 @@ func TestServiceToGroupSelector(t *testing.T) { nil, }, } - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.serviceStore.Add(svc1) npc.serviceStore.Add(svc2) npc.serviceStore.Add(svc3) 
@@ -858,19 +858,19 @@ func TestGetAssociatedGroups(t *testing.T) { []antreatypes.Group{}, }, } - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) for i := range testPods { - npc.groupingInterface.AddPod(testPods[i]) + npc.GroupingInterface.AddPod(testPods[i]) } for j := range externalEntities { - npc.groupingInterface.AddExternalEntity(externalEntities[j]) + npc.GroupingInterface.AddExternalEntity(externalEntities[j]) } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { for i, g := range tt.existingGroups { npc.internalGroupStore.Create(&tt.existingGroups[i]) if g.Selector != nil { - npc.groupingInterface.AddGroup(internalGroupType, g.SourceReference.Name, g.Selector) + npc.GroupingInterface.AddGroup(internalGroupType, g.SourceReference.Name, g.Selector) } } groups := npc.GetAssociatedGroups(tt.queryName, tt.queryNamespace) @@ -906,17 +906,17 @@ func TestGetClusterGroupMembers(t *testing.T) { controlplane.GroupMemberSet{}, }, } - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) for i := range testPods { - npc.groupingInterface.AddPod(testPods[i]) + npc.GroupingInterface.AddPod(testPods[i]) } for j := range externalEntities { - npc.groupingInterface.AddExternalEntity(externalEntities[j]) + npc.GroupingInterface.AddExternalEntity(externalEntities[j]) } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { npc.internalGroupStore.Create(&tt.group) - npc.groupingInterface.AddGroup(internalGroupType, tt.group.SourceReference.Name, tt.group.Selector) + npc.GroupingInterface.AddGroup(internalGroupType, tt.group.SourceReference.Name, tt.group.Selector) members, _, err := npc.GetGroupMembers(tt.group.SourceReference.Name) assert.Equal(t, nil, err) assert.Equal(t, tt.expectedMembers, members) 
@@ -972,8 +972,8 @@ func TestSyncInternalGroup(t *testing.T) { _, npc := newControllerWithoutEventHandler(nil, []runtime.Object{cnp1, cnp2, cg}) stopCh := make(chan struct{}) defer close(stopCh) - npc.crdInformerFactory.Start(stopCh) - npc.crdInformerFactory.WaitForCacheSync(stopCh) + npc.CrdInformerFactory.Start(stopCh) + npc.CrdInformerFactory.WaitForCacheSync(stopCh) // cnp1 is synced before the ClusterGroup. The rule's From should be empty as the ClusterGroup hasn't been synced, require.NoError(t, npc.syncInternalNetworkPolicy(getACNPReference(cnp1))) @@ -1153,8 +1153,8 @@ func TestGetAssociatedIPBlockGroups(t *testing.T) { _, npc := newControllerWithoutEventHandler(nil, []runtime.Object{cg1, cg2, cg2Parent}) stopCh := make(chan struct{}) defer close(stopCh) - npc.crdInformerFactory.Start(stopCh) - npc.crdInformerFactory.WaitForCacheSync(stopCh) + npc.CrdInformerFactory.Start(stopCh) + npc.CrdInformerFactory.WaitForCacheSync(stopCh) npc.addClusterGroup(cg1) npc.syncInternalGroup(internalGroupKeyFunc(cg1)) diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go index 1a0d19e3921..cc1d595d26a 100644 --- a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go +++ b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go @@ -1777,7 +1777,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, c := newController(nil, nil) + _, c := NewController(nil, nil) c.addClusterGroup(&cgA) c.cgStore.Add(&cgA) c.namespaceStore.Add(&nsA) @@ -1800,7 +1800,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { } func TestAddCNP(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) cnp := getCNP() npc.addCNP(cnp) require.Equal(t, 1, npc.internalNetworkPolicyQueue.Len()) 
@@ -1811,7 +1811,7 @@ func TestAddCNP(t *testing.T) { } func TestUpdateCNP(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) cnp := getCNP() newCNP := cnp.DeepCopy() // Make a change to the CNP. @@ -1825,7 +1825,7 @@ func TestUpdateCNP(t *testing.T) { } func TestDeleteCNP(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) cnp := getCNP() npc.deleteCNP(cnp) require.Equal(t, 1, npc.internalNetworkPolicyQueue.Len()) @@ -1861,7 +1861,7 @@ func TestGetTierPriority(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) name := "" if tt.inputTier != nil { npc.tierStore.Add(tt.inputTier) @@ -1932,7 +1932,7 @@ func TestProcessRefGroupOrClusterGroup(t *testing.T) { }, }, } - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.addClusterGroup(&cgA) npc.addClusterGroup(&cgB) npc.addClusterGroup(&cgNested1) @@ -2193,7 +2193,7 @@ func TestFilterPerNamespaceRuleACNPsByNSLabels(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, c := newController(nil, nil) + _, c := NewController(nil, nil) c.acnpStore.Add(cnpWithSpecAppliedTo) c.acnpStore.Add(cnpWithRuleAppliedTo) c.acnpStore.Add(cnpMatchAllNamespaces) diff --git a/pkg/controller/networkpolicy/crd_utils.go b/pkg/controller/networkpolicy/crd_utils.go index 801470383e4..0a7c61e7c33 100644 --- a/pkg/controller/networkpolicy/crd_utils.go +++ b/pkg/controller/networkpolicy/crd_utils.go @@ -368,7 +368,7 @@ func (n *NetworkPolicyController) syncInternalGroup(key string) error { grpObj, found, _ := n.internalGroupStore.Get(key) if !found { klog.V(2).InfoS("Internal group not found", "internalGroup", key) - n.groupingInterface.DeleteGroup(internalGroupType, key) + n.GroupingInterface.DeleteGroup(internalGroupType, key) return nil } grp := grpObj.(*antreatypes.Group) 
diff --git a/pkg/controller/networkpolicy/crd_utils_test.go b/pkg/controller/networkpolicy/crd_utils_test.go index a572e347c28..57240c1bb3f 100644 --- a/pkg/controller/networkpolicy/crd_utils_test.go +++ b/pkg/controller/networkpolicy/crd_utils_test.go @@ -472,7 +472,7 @@ func TestToAntreaPeerForCRD(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.addClusterGroup(&cgA) npc.cgStore.Add(&cgA) if tt.clusterSetScope { @@ -523,7 +523,7 @@ func TestCreateAppliedToGroupsForGroup(t *testing.T) { ObjectMeta: metav1.ObjectMeta{Namespace: "nsB", Name: "gB", UID: "uidB"}, Spec: crdv1beta1.GroupSpec{IPBlocks: []crdv1beta1.IPBlock{{CIDR: cidr}}}, } - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.addClusterGroup(clusterGroupWithSelector) npc.addClusterGroup(clusterGroupWithIPBlock) npc.addGroup(groupWithSelector) diff --git a/pkg/controller/networkpolicy/endpoint_querier.go b/pkg/controller/networkpolicy/endpoint_querier.go index 928e0ad5e93..23ffdd9f058 100644 --- a/pkg/controller/networkpolicy/endpoint_querier.go +++ b/pkg/controller/networkpolicy/endpoint_querier.go 
@@ -18,81 +18,117 @@ package networkpolicy import ( + "errors" + "sort" + "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/util/sets" "antrea.io/antrea/pkg/apis/controlplane" - cpv1beta "antrea.io/antrea/pkg/apis/controlplane/v1beta2" + crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" "antrea.io/antrea/pkg/controller/networkpolicy/store" antreatypes "antrea.io/antrea/pkg/controller/types" ) -// EndpointQuerier handles requests for antctl query +// EndpointQuerier handles requests for querying NetworkPolicies of the endpoint. type EndpointQuerier interface { - // QueryNetworkPolicies returns the list of NetworkPolicies which apply to the provided Pod, - // along with the list NetworkPolicies which select the provided Pod in one of their policy - // rules (ingress or egress). - QueryNetworkPolicies(namespace string, podName string) (*EndpointQueryResponse, error) + // QueryNetworkPolicyRules returns the list of NetworkPolicies which apply to the provided Pod, + // along with the list of NetworkPolicy ingress/egress rules which select the provided Pod. + QueryNetworkPolicyRules(namespace, podName string) (*EndpointNetworkPolicyRules, error) } -// endpointQuerier implements the EndpointQuerier interface -type endpointQuerier struct { +// EndpointQuerierImpl implements the EndpointQuerier interface +type EndpointQuerierImpl struct { networkPolicyController *NetworkPolicyController } -// EndpointQueryResponse is the reply struct for anctl endpoint queries -type EndpointQueryResponse struct { - Endpoints []Endpoint `json:"endpoints,omitempty"` +// NewEndpointQuerier returns a new *EndpointQuerierImpl. +func NewEndpointQuerier(networkPolicyController *NetworkPolicyController) *EndpointQuerierImpl { + return &EndpointQuerierImpl{ + networkPolicyController: networkPolicyController, + } +} + +// PolicyRuleQuerier handles requests for querying effective policy rule on entities. 
+type PolicyRuleQuerier interface { + QueryNetworkPolicyEvaluation(entities *controlplane.NetworkPolicyEvaluationRequest) (*controlplane.NetworkPolicyEvaluationResponse, error) } -type Endpoint struct { - Namespace string `json:"namespace,omitempty"` - Name string `json:"name,omitempty"` - Policies []Policy `json:"policies,omitempty"` - Rules []Rule `json:"rules,omitempty"` +// policyRuleQuerier implements the PolicyRuleQuerier interface +type policyRuleQuerier struct { + endpointQuerier EndpointQuerier } -type PolicyRef struct { - Namespace string `json:"namespace,omitempty"` - Name string `json:"name,omitempty"` - UID types.UID `json:"uid,omitempty"` +// NewPolicyRuleQuerier returns a new *policyRuleQuerier +func NewPolicyRuleQuerier(endpointQuerier EndpointQuerier) *policyRuleQuerier { + return &policyRuleQuerier{ + endpointQuerier: endpointQuerier, + } } -type Policy struct { - PolicyRef +// RuleInfo stores the original NetworkPolicy info, index of this rule in the NetworkPolicy +// corresponding ingress/egress rules, and the original rule info. +type RuleInfo struct { + Policy *antreatypes.NetworkPolicy + Index int + Rule *controlplane.NetworkPolicyRule } -type Rule struct { - PolicyRef - Direction cpv1beta.Direction `json:"direction,omitempty"` - RuleIndex int `json:"ruleindex,omitempty"` +// EndpointNetworkPolicyRules records policies applied to this endpoint, and rules +// that refer this endpoint in their address groups. +type EndpointNetworkPolicyRules struct { + Namespace string + Name string + AppliedPolicies []*antreatypes.NetworkPolicy + EndpointAsIngressSrcRules []*RuleInfo + EndpointAsEgressDstRules []*RuleInfo } -// NewEndpointQuerier returns a new *endpointQuerier. 
-func NewEndpointQuerier(networkPolicyController *NetworkPolicyController) *endpointQuerier { - n := &endpointQuerier{ - networkPolicyController: networkPolicyController, +type lessFunc func(p1, p2 *RuleInfo) int + +// ByRulePriority implements the Sort interface, sorting the rules within. +// Comparators should be ordered by their importance in terms of determining rule priority. +type ByRulePriority struct { + rules []*RuleInfo + comparators []lessFunc +} + +func (s ByRulePriority) Len() int { return len(s.rules) } + +func (s ByRulePriority) Swap(i, j int) { s.rules[i], s.rules[j] = s.rules[j], s.rules[i] } + +func (s ByRulePriority) Less(i, j int) bool { + p, q := s.rules[i], s.rules[j] + // Try all but the last comparison. + var k int + for k = 0; k < len(s.comparators)-1; k++ { + less := s.comparators[k] + switch less(p, q) { + case 1: // p < q + return true + case -1: // p > q + return false + } + // p == q; try the next comparison. } - return n + return s.comparators[k](p, q) == 1 } -// QueryNetworkPolicies returns kubernetes network policy references relevant to the selected -// network endpoint. Relevant policies fall into three categories: applied policies (Policies in -// Endpoint type) are policies which directly apply to an endpoint, egress and ingress rules (Rules -// in Endpoint type) are policies which reference the endpoint in an ingress/egress rule -// respectively. -func (eq *endpointQuerier) QueryNetworkPolicies(namespace string, podName string) (*EndpointQueryResponse, error) { - groups, exists := eq.networkPolicyController.groupingInterface.GetGroupsForPod(namespace, podName) +// QueryNetworkPolicyRules returns network policies and rules relevant to the selected +// network endpoint. Relevant network policies fall into three categories: applied policies +// are policies which directly apply to an endpoint, egress/ingress rules are rules which +// reference the endpoint respectively. 
+func (eq *EndpointQuerierImpl) QueryNetworkPolicyRules(namespace, podName string) (*EndpointNetworkPolicyRules, error) { + if namespace == "" { + namespace = "default" + } + groups, exists := eq.networkPolicyController.GroupingInterface.GetGroupsForPod(namespace, podName) if !exists { return nil, nil } - type ruleTemp struct { - policy *antreatypes.NetworkPolicy - index int - } - // create network policies categories + applied := make([]*antreatypes.NetworkPolicy, 0) - ingress := make([]*ruleTemp, 0) - egress := make([]*ruleTemp, 0) + ingress, egress := make([]*RuleInfo, 0), make([]*RuleInfo, 0) // get all appliedToGroups using filter, then get applied policies using appliedToGroup appliedToGroupKeys := groups[appliedToGroupType] // We iterate over all AppliedToGroups (same for AddressGroups below). This is acceptable 
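Review bot: `lessFunc` and the closures handed to `ByRulePriority` return 1 when the first rule takes precedence, -1 when the second does and 0 on a tie, which is the opposite sign of the usual Go comparison convention and is not documented on the type. I would add `// lessFunc returns 1 if p1 takes precedence over p2, -1 if p2 takes precedence, and 0 on a tie.` above the type declaration. `ByRulePriority` should also state that `comparators` must be non-empty, because `Less` falls through to `s.comparators[k]` with `k == 0` when the slice is empty and would panic. The body of `QueryNetworkPolicyRules` continues outside this hunk.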
@@ -132,14 +168,16 @@ func (eq *endpointQuerier) QueryNetworkPolicies(namespace string, podName string for _, rule := range policy.(*antreatypes.NetworkPolicy).Rules { for _, addressGroupTrial := range rule.To.AddressGroups { if addressGroupTrial == string(addressGroup.(*antreatypes.AddressGroup).UID) { - egress = append(egress, &ruleTemp{policy: policy.(*antreatypes.NetworkPolicy), index: egressIndex}) + egress = append(egress, &RuleInfo{Policy: policy.(*antreatypes.NetworkPolicy), Index: egressIndex, + Rule: &controlplane.NetworkPolicyRule{Direction: rule.Direction, Name: rule.Name, Action: rule.Action}}) // an AddressGroup can only be referenced in a rule once break } } for _, addressGroupTrial := range rule.From.AddressGroups { if addressGroupTrial == string(addressGroup.(*antreatypes.AddressGroup).UID) { - ingress = append(ingress, &ruleTemp{policy: policy.(*antreatypes.NetworkPolicy), index: ingressIndex}) + ingress = append(ingress, &RuleInfo{Policy: policy.(*antreatypes.NetworkPolicy), Index: ingressIndex, + Rule: &controlplane.NetworkPolicyRule{Direction: rule.Direction, Name: rule.Name, Action: rule.Action}}) // an AddressGroup can only be referenced in a rule once break } 
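Review bot: The `RuleInfo` values appended to `egress` and `ingress` carry only `Direction`, `Name` and `Action` of the matched rule, so as far as this hunk shows no port or protocol constraint of the rule reaches the evaluation that later consumes them. A rule limited to one port would therefore be reported as the effective rule for any traffic between the two Pods, and that limitation should be written down where the struct is built. I would add `// Only Direction, Name and Action are copied; port/protocol constraints of the rule are not evaluated.` above the first `append`. The enclosing `QueryNetworkPolicyRules` starts and ends outside this hunk.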
@@ -155,50 +193,159 @@ func (eq *endpointQuerier) QueryNetworkPolicies(namespace string, podName string } } } - // make response policies - responsePolicies := make([]Policy, 0) - for _, internalPolicy := range applied { - responsePolicy := Policy{ - PolicyRef: PolicyRef{ - Namespace: internalPolicy.SourceRef.Namespace, - Name: internalPolicy.SourceRef.Name, - UID: internalPolicy.SourceRef.UID, - }, - } - responsePolicies = append(responsePolicies, responsePolicy) - } - responseRules := make([]Rule, 0) - // create rules based on egress and ingress policies - for _, internalPolicy := range egress { - newRule := Rule{ - PolicyRef: PolicyRef{ - Namespace: internalPolicy.policy.SourceRef.Namespace, - Name: internalPolicy.policy.SourceRef.Name, - UID: internalPolicy.policy.SourceRef.UID, - }, - Direction: cpv1beta.DirectionOut, - RuleIndex: internalPolicy.index, - } - responseRules = append(responseRules, newRule) - } - for _, internalPolicy := range ingress { - newRule := Rule{ - PolicyRef: PolicyRef{ - Namespace: internalPolicy.policy.SourceRef.Namespace, - Name: internalPolicy.policy.SourceRef.Name, - UID: internalPolicy.policy.SourceRef.UID, - }, - Direction: cpv1beta.DirectionIn, - RuleIndex: internalPolicy.index, - } - responseRules = append(responseRules, newRule) - } - // for now, selector only selects a single endpoint (pod, namespace) - endpoint := Endpoint{ - Namespace: namespace, - Name: podName, - Policies: responsePolicies, - Rules: responseRules, - } - return &EndpointQueryResponse{[]Endpoint{endpoint}}, nil + return &EndpointNetworkPolicyRules{namespace, podName, applied, ingress, egress}, nil +} + +// processQueryResults processes the AppliedPolicies in endpoints, returns a set +// of the policy UIDs, and manually inserts Kubernetes NetworkPolicy default isolation +// rules if exists. The default isolation rule's direction depends on ifSource, +// and has the index of -1 to indicate lower precedence. 
+func processQueryResults(endpoints *EndpointNetworkPolicyRules, ifSource bool) (sets.Set[types.UID], []*RuleInfo) { + policyUIDs := sets.New[types.UID]() + isolation := make([]*RuleInfo, 0) + for _, internalPolicy := range endpoints.AppliedPolicies { + policyUIDs.Insert(internalPolicy.SourceRef.UID) + if internalPolicy.SourceRef.Type == controlplane.K8sNetworkPolicy { + // check if the Kubernetes NetworkPolicy creates ingress or egress isolation + for _, rule := range internalPolicy.Rules { + if rule.Direction == controlplane.DirectionIn && !ifSource { + isolation = append(isolation, &RuleInfo{Policy: internalPolicy, Index: -1, + Rule: &controlplane.NetworkPolicyRule{Direction: rule.Direction, Name: rule.Name, Action: rule.Action}}) + } else if rule.Direction == controlplane.DirectionOut && ifSource { + isolation = append(isolation, &RuleInfo{Policy: internalPolicy, Index: -1, + Rule: &controlplane.NetworkPolicyRule{Direction: rule.Direction, Name: rule.Name, Action: rule.Action}}) + } + } + } + } + return policyUIDs, isolation +} + +// predictEndpointsRules returns the predicted rules effective from srcEndpoints to dstEndpoints. +// Rules returned satisfy a. in source applied policies and destination egress rules, +// or b. in source ingress rules and destination applied policies or c. applied to KNP default isolation. 
+func predictEndpointsRules(srcEndpoints, dstEndpoints *EndpointNetworkPolicyRules) (commonRule *RuleInfo) { + commonRules := make([]*RuleInfo, 0) + if srcEndpoints != nil && dstEndpoints != nil { + srcPolicies, srcIsolated := processQueryResults(srcEndpoints, true) + dstPolicies, dstIsolated := processQueryResults(dstEndpoints, false) + for _, rule := range dstEndpoints.EndpointAsEgressDstRules { + if srcPolicies.Has(rule.Policy.SourceRef.UID) { + commonRules = append(commonRules, rule) + } + } + for _, rule := range srcEndpoints.EndpointAsIngressSrcRules { + if dstPolicies.Has(rule.Policy.SourceRef.UID) { + commonRules = append(commonRules, rule) + } + } + for _, defaultDropRule := range srcIsolated { + commonRules = append(commonRules, defaultDropRule) + } + for _, defaultDropRule := range dstIsolated { + commonRules = append(commonRules, defaultDropRule) + } + } + + // sort the common rules based on multiple closures, the top rule has the highest precedence + tierPriority := func(r1, r2 *RuleInfo) int { + effectiveTierPriorityK8sNP := (DefaultTierPriority + BaselineTierPriority) / 2 + r1Priority, r2Priority := effectiveTierPriorityK8sNP, effectiveTierPriorityK8sNP + if r1.Policy.TierPriority != nil { + r1Priority = *r1.Policy.TierPriority + } + if r2.Policy.TierPriority != nil { + r2Priority = *r2.Policy.TierPriority + } + if r1Priority < r2Priority { + return 1 + } else if r1Priority > r2Priority { + return -1 + } + return 0 + } + policyPriority := func(r1, r2 *RuleInfo) int { + if r1.Policy.Priority != nil && r2.Policy.Priority != nil { + if *r1.Policy.Priority < *r2.Policy.Priority { + return 1 + } else if *r1.Policy.Priority > *r2.Policy.Priority { + return -1 + } + } + return 0 + } + rulePriority := func(r1, r2 *RuleInfo) int { + // Kubernetes NetworkPolicies rules have the same default priorities, so rule index is hacked for comparison + // "-1" indicates default isolation, which has a lower precedence than KNP policy rules with ">=0" rule indexes + if 
r1.Policy.SourceRef.Type == controlplane.K8sNetworkPolicy && r2.Policy.SourceRef.Type == controlplane.K8sNetworkPolicy { + if r1.Index > r2.Index { + return 1 + } else if r1.Index < r2.Index { + return -1 + } + } else { + if r1.Index < r2.Index { + return 1 + } else if r1.Index > r2.Index { + return -1 + } + } + return 0 + } + defaultOrder := func(r1, r2 *RuleInfo) int { + if r1.Policy.Name < r2.Policy.Name { + return 1 + } + return 0 + } + sort.Sort(ByRulePriority{rules: commonRules, comparators: []lessFunc{tierPriority, policyPriority, rulePriority, defaultOrder}}) + if len(commonRules) > 0 { + commonRule = commonRules[0] + // filter Antrea-native policy rules with Pass action + // if pass rule currently has the highest precedence, skip the remaining rules + // until the next K8s rule or Baseline rule, or return the pass rule otherwise + isPass := func(ruleInfo *controlplane.NetworkPolicyRule) bool { + return ruleInfo.Action != nil && *ruleInfo.Action == crdv1beta1.RuleActionPass + } + if isPass(commonRule.Rule) { + for _, rule := range commonRules[1:] { + if rule.Policy.SourceRef.Type == controlplane.K8sNetworkPolicy || + (rule.Policy.TierPriority != nil && *rule.Policy.TierPriority == BaselineTierPriority && !isPass(rule.Rule)) { + commonRule = rule + break + } + } + } + } + return +} + +// QueryNetworkPolicyEvaluation returns the effective NetworkPolicy rule on given +// source and destination entities. 
+func (eq *policyRuleQuerier) QueryNetworkPolicyEvaluation(entities *controlplane.NetworkPolicyEvaluationRequest) (*controlplane.NetworkPolicyEvaluationResponse, error) { + if entities.Source.Pod == nil || entities.Destination.Pod == nil || entities.Source.Pod.Name == "" || entities.Destination.Pod.Name == "" { + return nil, errors.New("invalid NetworkPolicyEvaluation request entities") + } + // query endpoints and handle response errors + endpointAnalysisSource, err := eq.endpointQuerier.QueryNetworkPolicyRules(entities.Source.Pod.Namespace, entities.Source.Pod.Name) + if err != nil { + return nil, err + } + endpointAnalysisDestination, err := eq.endpointQuerier.QueryNetworkPolicyRules(entities.Destination.Pod.Namespace, entities.Destination.Pod.Name) + if err != nil { + return nil, err + } + endpointAnalysisRule := predictEndpointsRules(endpointAnalysisSource, endpointAnalysisDestination) + if endpointAnalysisRule == nil { + return nil, nil + } + return &controlplane.NetworkPolicyEvaluationResponse{ + NetworkPolicy: *endpointAnalysisRule.Policy.SourceRef, + RuleIndex: int32(endpointAnalysisRule.Index), + Rule: controlplane.RuleRef{ + Direction: endpointAnalysisRule.Rule.Direction, + Name: endpointAnalysisRule.Rule.Name, + Action: endpointAnalysisRule.Rule.Action, + }, + }, nil } diff --git a/pkg/controller/networkpolicy/endpoint_querier_perf_test.go b/pkg/controller/networkpolicy/endpoint_querier_perf_test.go index 386344d4b0e..e422a859613 100644 --- a/pkg/controller/networkpolicy/endpoint_querier_perf_test.go +++ b/pkg/controller/networkpolicy/endpoint_querier_perf_test.go @@ -15,7 +15,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -package networkpolicy +package networkpolicy_test import ( "sync" @@ -27,6 +27,8 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/util/rand" + + "antrea.io/antrea/pkg/controller/networkpolicy" ) /* 
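Review bot: `QueryNetworkPolicyEvaluation` returns `nil, nil` both when a Pod is unknown and when no rule matches, because `QueryNetworkPolicyRules` yields `nil, nil` for a Pod it cannot find and `predictEndpointsRules` treats a nil endpoint as contributing no rules. Unless the API handler outside this file section tells the two cases apart, a mistyped Pod name reads as "no policy affects this traffic", which is a misleading answer from a tool meant to predict enforcement. After the two queries I would add `if endpointAnalysisSource == nil || endpointAnalysisDestination == nil { return nil, errors.New("source or destination Pod not found") }`. Separately, the default-isolation entries built in `processQueryResults` copy the `Action` of the rule that triggered them, so a comment there should say that consumers must key on `Index == -1` rather than on `Action` to recognise isolation.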
@@ -47,11 +49,11 @@ func TestLargeScaleEndpointQueryManyPolicies(t *testing.T) { }, } uid := rand.String(8) - networkPolicies = []runtime.Object{newNetworkPolicy(namespace, "np-1"+uid, map[string]string{"app-1": "scale-1"}, map[string]string{"app-1": "scale-1"}, nil, nil, nil)} - pods = []runtime.Object{newPod(namespace, "pod1"+uid, map[string]string{"app-1": "scale-1"})} + networkPolicies = []runtime.Object{networkpolicy.NewNetworkPolicy(namespace, "np-1"+uid, map[string]string{"app-1": "scale-1"}, map[string]string{"app-1": "scale-1"}, nil, nil, nil)} + pods = []runtime.Object{networkpolicy.NewPod(namespace, "pod1"+uid, map[string]string{"app-1": "scale-1"})} return namespaces, networkPolicies, pods } - namespaces, networkPolicies, pods := getXObjects(10000, getObjects) + namespaces, networkPolicies, pods := networkpolicy.GetXObjects(10000, getObjects) testQueryEndpoint(t, 25*time.Second, namespaces[0:1], networkPolicies, pods, 10000) } @@ -62,11 +64,11 @@ func testQueryEndpoint(t *testing.T, maxExecutionTime time.Duration, namespaces var maxAlloc uint64 wg.Add(1) go func() { - statMaxMemAlloc(&maxAlloc, 500*time.Millisecond, stopCh) + networkpolicy.StatMaxMemAlloc(&maxAlloc, 500*time.Millisecond, stopCh) wg.Done() }() // create controller - objs := toRunTimeObjects(namespaces) + objs := networkpolicy.ToRunTimeObjects(namespaces) objs = append(objs, networkPolicies...) objs = append(objs, pods...) querier := makeControllerAndEndpointQuerier(objs...) 
@@ -75,9 +77,9 @@ func testQueryEndpoint(t *testing.T, maxExecutionTime time.Duration, namespaces // track execution time by calling query endpoint 1000 times on random pods for i := 0; i < 1000; i++ { pod, namespace := pods[i].(*v1.Pod).Name, pods[i].(*v1.Pod).Namespace - response, err := querier.QueryNetworkPolicies(namespace, pod) + response, err := querier.QueryNetworkPolicyRules(namespace, pod) require.Equal(t, err, nil) - require.Equal(t, len(response.Endpoints[0].Policies), responseLength) + require.Equal(t, len(response.AppliedPolicies), responseLength) } // Stop tracking go routines stopCh <- struct{}{} diff --git a/pkg/controller/networkpolicy/endpoint_querier_test.go b/pkg/controller/networkpolicy/endpoint_querier_test.go index c9a0a0a80dc..29d58e8655d 100644 --- a/pkg/controller/networkpolicy/endpoint_querier_test.go +++ b/pkg/controller/networkpolicy/endpoint_querier_test.go @@ -12,21 +12,28 @@ // See the License for the specific language governing permissions and // limitations under the License. -package networkpolicy +package networkpolicy_test import ( + "fmt" "testing" "time" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + "go.uber.org/mock/gomock" corev1 "k8s.io/api/core/v1" networkingv1 "k8s.io/api/networking/v1" + "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" - "antrea.io/antrea/pkg/apis/controlplane/v1beta2" + "antrea.io/antrea/pkg/apis/controlplane" + crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1" + "antrea.io/antrea/pkg/controller/networkpolicy" + queriermock "antrea.io/antrea/pkg/controller/networkpolicy/testing" + antreatypes "antrea.io/antrea/pkg/controller/types" ) // pods represent kubernetes pods for testing proper query results 
@@ -79,15 +86,16 @@ var pods = []*corev1.Pod{ // polices represent kubernetes policies for testing proper query results // -// policy 0: select all pods and deny default ingress -// policy 1: select all pods and deny default egress +// policy 0: select all matching pods and allow ingress and egress from matching pods +// policy 1: select all matching pods and deny default egress +// policy 2: select all matching pods and allow ingress from multiple matching pods var policies = []*networkingv1.NetworkPolicy{ { ObjectMeta: metav1.ObjectMeta{ Name: "test-ingress-egress", Namespace: "testNamespace", - UID: types.UID("uid-1"), + UID: types.UID("uid-0"), }, Spec: networkingv1.NetworkPolicySpec{ PodSelector: metav1.LabelSelector{ @@ -125,7 +133,7 @@ var policies = []*networkingv1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "default-deny-egress", Namespace: "testNamespace", - UID: types.UID("uid-2"), + UID: types.UID("uid-1"), }, Spec: networkingv1.NetworkPolicySpec{ PodSelector: metav1.LabelSelector{ @@ -140,7 +148,7 @@ var policies = []*networkingv1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "test-multiple-ingress-rules", Namespace: "testNamespace", - UID: types.UID("uid-3"), + UID: types.UID("uid-2"), }, Spec: networkingv1.NetworkPolicySpec{ PodSelector: metav1.LabelSelector{ 
@@ -179,18 +187,18 @@ var namespaces = []*corev1.Namespace{ }, } -func makeControllerAndEndpointQuerier(objects ...runtime.Object) *endpointQuerier { +func makeControllerAndEndpointQuerier(objects ...runtime.Object) *networkpolicy.EndpointQuerierImpl { // create controller - _, c := newController(objects, nil) - c.heartbeatCh = make(chan heartbeat, 1000) + _, c := networkpolicy.NewController(objects, nil) + c.HeartbeatCh = make(chan networkpolicy.Heartbeat, 1000) stopCh := make(chan struct{}) // create querier with stores inside controller - querier := NewEndpointQuerier(c.NetworkPolicyController) + querier := networkpolicy.NewEndpointQuerier(c.NetworkPolicyController) // start informers and run controller - c.informerFactory.Start(stopCh) - c.crdInformerFactory.Start(stopCh) - go c.groupingController.Run(stopCh) - go c.groupingInterface.Run(stopCh) + c.InformerFactory.Start(stopCh) + c.CrdInformerFactory.Start(stopCh) + go c.GroupingController.Run(stopCh) + go c.GroupingInterface.Run(stopCh) go c.Run(stopCh) // wait until computation is done, we assume it is done when no signal has been received on heartbeat channel for 3s. idleTimeout := 3 * time.Second @@ -199,7 +207,7 @@ func makeControllerAndEndpointQuerier(objects ...runtime.Object) *endpointQuerie for { timer.Reset(idleTimeout) select { - case <-c.heartbeatCh: + case <-c.HeartbeatCh: continue case <-timer.C: close(stopCh) 
@@ -212,118 +220,382 @@ func makeControllerAndEndpointQuerier(objects ...runtime.Object) *endpointQuerie return querier } -func TestEndpointQuery(t *testing.T) { - policyRef0 := PolicyRef{policies[0].Namespace, policies[0].Name, policies[0].UID} - policyRef1 := PolicyRef{policies[1].Namespace, policies[1].Name, policies[1].UID} - policyRef2 := PolicyRef{policies[2].Namespace, policies[2].Name, policies[2].UID} +func TestQueryNetworkPolicyRules(t *testing.T) { + policyRef := controlplane.NetworkPolicyReference{Type: controlplane.K8sNetworkPolicy, Namespace: policies[0].Namespace, Name: policies[0].Name, UID: policies[0].UID} + policyRef1 := controlplane.NetworkPolicyReference{Type: controlplane.K8sNetworkPolicy, Namespace: policies[1].Namespace, Name: policies[1].Name, UID: policies[1].UID} + policyRef2 := controlplane.NetworkPolicyReference{Type: controlplane.K8sNetworkPolicy, Namespace: policies[2].Namespace, Name: policies[2].Name, UID: policies[2].UID} + ns, podA := "testNamespace", "podA" testCases := []struct { name string objs []runtime.Object podNamespace string podName string - expectedResponse *EndpointQueryResponse + expectedResponse *networkpolicy.EndpointNetworkPolicyRules }{ { - "InvalidSelector", // provided Namespace / Name does not match any Pod - []runtime.Object{}, - "non-existing-namespace", - "non-existing-pod", - nil, + name: "No matching pod", + objs: []runtime.Object{}, + podNamespace: "non-existing-namespace", + podName: "non-existing-pod", }, { - "NoPolicy", // Pod is not selected by any policy - []runtime.Object{namespaces[0], pods[0]}, - "testNamespace", - "podA", - &EndpointQueryResponse{ - []Endpoint{ - {Namespace: "testNamespace", Name: "podA", Policies: []Policy{}, Rules: []Rule{}}, - }, - }, + name: "Empty response", + objs: []runtime.Object{namespaces[0], pods[0]}, + podNamespace: ns, + podName: podA, + expectedResponse: &networkpolicy.EndpointNetworkPolicyRules{Namespace: ns, Name: podA}, }, { - "SingleAppliedIngressEgressPolicy", 
// Pod is selected by a single policy - []runtime.Object{namespaces[0], pods[0], policies[0]}, - "testNamespace", - "podA", - &EndpointQueryResponse{ - []Endpoint{ - { - Namespace: "testNamespace", - Name: "podA", - Policies: []Policy{{policyRef0}}, - Rules: []Rule{ - {policyRef0, v1beta2.DirectionOut, 0}, - {policyRef0, v1beta2.DirectionIn, 0}, - }, - }, + name: "Default namespace", + objs: []runtime.Object{namespaces[0], pods[0]}, + podName: podA, + }, + { + name: "Single KNP applied with ingress and egress rules", + objs: []runtime.Object{namespaces[0], pods[0], policies[0]}, + podNamespace: ns, + podName: podA, + expectedResponse: &networkpolicy.EndpointNetworkPolicyRules{ + Namespace: ns, + Name: podA, + AppliedPolicies: []*antreatypes.NetworkPolicy{ + {SourceRef: &policyRef}, + }, + EndpointAsIngressSrcRules: []*networkpolicy.RuleInfo{ + {&antreatypes.NetworkPolicy{SourceRef: &policyRef}, 0, &controlplane.NetworkPolicyRule{Direction: controlplane.DirectionIn}}, + }, + EndpointAsEgressDstRules: []*networkpolicy.RuleInfo{ + {&antreatypes.NetworkPolicy{SourceRef: &policyRef}, 0, &controlplane.NetworkPolicyRule{Direction: controlplane.DirectionOut}}, }, }, }, { - "MultiplePolicy", // Pod is selected by different policies - []runtime.Object{namespaces[0], pods[0], policies[0], policies[1]}, - "testNamespace", - "podA", - &EndpointQueryResponse{ - []Endpoint{ - { - Namespace: "testNamespace", - Name: "podA", - Policies: []Policy{ - {policyRef0}, - {policyRef1}, - }, - Rules: []Rule{ - {policyRef0, v1beta2.DirectionOut, 0}, - {policyRef0, v1beta2.DirectionIn, 0}, - }, - }, + name: "Multiple KNP applied", // Pod is selected by different policies + objs: []runtime.Object{namespaces[0], pods[0], policies[0], policies[1]}, + podNamespace: ns, + podName: podA, + expectedResponse: &networkpolicy.EndpointNetworkPolicyRules{ + Namespace: ns, + Name: podA, + AppliedPolicies: []*antreatypes.NetworkPolicy{ + {SourceRef: &policyRef}, + {SourceRef: &policyRef1}, + }, + 
EndpointAsIngressSrcRules: []*networkpolicy.RuleInfo{ + {&antreatypes.NetworkPolicy{SourceRef: &policyRef}, 0, &controlplane.NetworkPolicyRule{Direction: controlplane.DirectionIn}}, + }, + EndpointAsEgressDstRules: []*networkpolicy.RuleInfo{ + {&antreatypes.NetworkPolicy{SourceRef: &policyRef}, 0, &controlplane.NetworkPolicyRule{Direction: controlplane.DirectionOut}}, }, }, }, { - "MultipleRule", // Pod is selected by policy with multiple rules - []runtime.Object{namespaces[0], pods[0], policies[2]}, - "testNamespace", - "podA", - &EndpointQueryResponse{ - []Endpoint{ - { - Namespace: "testNamespace", - Name: "podA", - Policies: []Policy{ - {policyRef2}, - }, - Rules: []Rule{ - {policyRef2, v1beta2.DirectionIn, 1}, - }, - }, + name: "Single KNP applied with multiple ingress rules", // Pod is selected by policy with multiple rules + objs: []runtime.Object{namespaces[0], pods[0], policies[2]}, + podNamespace: ns, + podName: podA, + expectedResponse: &networkpolicy.EndpointNetworkPolicyRules{ + Namespace: ns, + Name: podA, + AppliedPolicies: []*antreatypes.NetworkPolicy{ + {SourceRef: &policyRef2}, + }, + EndpointAsIngressSrcRules: []*networkpolicy.RuleInfo{ + {&antreatypes.NetworkPolicy{SourceRef: &policyRef2}, 1, &controlplane.NetworkPolicyRule{Direction: controlplane.DirectionIn}}, }, }, }, } + evaluateResponse := func(expectedRules, responseRules []*networkpolicy.RuleInfo) { + assert.Equal(t, len(expectedRules), len(responseRules)) + for idx := range expectedRules { + assert.EqualValues(t, expectedRules[idx].Rule.Direction, responseRules[idx].Rule.Direction) + assert.Equal(t, expectedRules[idx].Index, responseRules[idx].Index) + assert.Equal(t, expectedRules[idx].Policy.SourceRef, responseRules[idx].Policy.SourceRef) + } + return + } + for _, tc := range testCases { tc := tc t.Run(tc.name, func(t *testing.T) { t.Parallel() - endpointQuerier := makeControllerAndEndpointQuerier(tc.objs...) 
- response, err := endpointQuerier.QueryNetworkPolicies(tc.podNamespace, tc.podName) + response, err := endpointQuerier.QueryNetworkPolicyRules(tc.podNamespace, tc.podName) require.NoErrorf(t, err, "Expected QueryNetworkPolicies to succeed") if tc.expectedResponse == nil { - assert.Nil(t, response, "Expected nil response from QueryNetworkPolicies") + assert.Nil(t, response, "Expected nil response from QueryNetworkPolicyRules") + } else { + assert.Equal(t, tc.expectedResponse.Namespace, response.Namespace) + assert.Equal(t, tc.expectedResponse.Name, response.Name) + assert.Equal(t, len(tc.expectedResponse.AppliedPolicies), len(response.AppliedPolicies)) + var expectedPolicies, responsePolicies []*controlplane.NetworkPolicyReference + for idx, expected := range tc.expectedResponse.AppliedPolicies { + expectedPolicies = append(expectedPolicies, expected.SourceRef) + responsePolicies = append(responsePolicies, response.AppliedPolicies[idx].SourceRef) + } + assert.ElementsMatch(t, expectedPolicies, responsePolicies) + evaluateResponse(tc.expectedResponse.EndpointAsIngressSrcRules, response.EndpointAsIngressSrcRules) + evaluateResponse(tc.expectedResponse.EndpointAsEgressDstRules, response.EndpointAsEgressDstRules) + } + }) + } +} + +type AccessTestCase struct { + name string + request *controlplane.NetworkPolicyEvaluationRequest + mockQueryResponse []mockResponse + expectedResult *controlplane.NetworkPolicyEvaluationResponse + expectedErr string +} + +type mockResponse struct { + response *networkpolicy.EndpointNetworkPolicyRules + error error +} + +func TestQueryNetworkPolicyEvaluation(t *testing.T) { + mockCtrl := gomock.NewController(t) + namespace, pod1, pod2 := "ns", "pod1", "pod2" + accessRequest := &controlplane.NetworkPolicyEvaluationRequest{ + Source: controlplane.Entity{Pod: &controlplane.PodReference{Namespace: namespace, Name: pod1}}, + Destination: controlplane.Entity{Pod: &controlplane.PodReference{Namespace: namespace, Name: pod2}}, + } + argsMock := 
[]string{namespace, pod1, namespace, pod2} + uid1, uid2 := types.UID(fmt.Sprint(111)), types.UID(fmt.Sprint(222)) + priority1, priority2, defaultPriority, tierEmergency := float64(10), float64(15), float64(-1), int32(50) + passAction, allowAction := crdv1beta1.RuleActionPass, crdv1beta1.RuleActionAllow + + // functions used to generate mock responses + generatePolicies := func(policyUID types.UID, policyType controlplane.NetworkPolicyType, direction controlplane.Direction, tierPriority *int32, policyPriority *float64, numRules int, action *crdv1beta1.RuleAction) []*antreatypes.NetworkPolicy { + rules := make([]controlplane.NetworkPolicyRule, numRules) + for i := 0; i < numRules; i++ { + rules[i] = controlplane.NetworkPolicyRule{ + Direction: direction, + Name: fmt.Sprintf("Policy%sRule%d", policyUID, i), + Priority: int32(i), + } + if action != nil { + rules[i].Action = action + } + } + return []*antreatypes.NetworkPolicy{{ + UID: policyUID, + Name: fmt.Sprintf("Policy%s", policyUID), + SourceRef: &controlplane.NetworkPolicyReference{Type: policyType, Namespace: namespace, Name: fmt.Sprintf("Policy%s", policyUID), UID: policyUID}, + Rules: rules, + TierPriority: tierPriority, + Priority: policyPriority, + }} + } + generateRuleInfo := func(policy *antreatypes.NetworkPolicy) []*networkpolicy.RuleInfo { + ruleInfoMatches := make([]*networkpolicy.RuleInfo, len(policy.Rules)) + for i := 0; i < len(policy.Rules); i++ { + ruleInfoMatches[i] = &networkpolicy.RuleInfo{ + Policy: policy, + Index: i, + Rule: &controlplane.NetworkPolicyRule{Direction: policy.Rules[i].Direction, Name: policy.Rules[i].Name, Action: policy.Rules[i].Action}, + } + } + return ruleInfoMatches + } + generateResponse := func(podID int, appliedPolicies []*antreatypes.NetworkPolicy, matchedRules []*networkpolicy.RuleInfo) *networkpolicy.EndpointNetworkPolicyRules { + endpointRule := &networkpolicy.EndpointNetworkPolicyRules{ + Namespace: namespace, + Name: fmt.Sprintf("pod%d", podID), + AppliedPolicies: 
appliedPolicies, + } + if podID == 1 { + endpointRule.EndpointAsIngressSrcRules = matchedRules + } else if podID == 2 { + endpointRule.EndpointAsEgressDstRules = matchedRules + } + return endpointRule + } + + expectedResponse111 := controlplane.NetworkPolicyEvaluationResponse{ + NetworkPolicy: controlplane.NetworkPolicyReference{Type: controlplane.AntreaNetworkPolicy, Namespace: namespace, Name: "Policy111", UID: uid1}, + RuleIndex: 0, + Rule: controlplane.RuleRef{Direction: controlplane.DirectionOut, Name: "Policy111Rule0", Action: &allowAction}, + } + expectedResponse222 := controlplane.NetworkPolicyEvaluationResponse{ + NetworkPolicy: controlplane.NetworkPolicyReference{Type: controlplane.AntreaNetworkPolicy, Namespace: namespace, Name: "Policy222", UID: uid2}, + RuleIndex: 0, + Rule: controlplane.RuleRef{Direction: controlplane.DirectionIn, Name: "Policy222Rule0", Action: &allowAction}, + } + + testCases := []AccessTestCase{ + { + name: "Pass rule fallthrough", + request: accessRequest, + mockQueryResponse: []mockResponse{ + {response: generateResponse(1, generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.BaselineTierPriority, nil, 1, &allowAction), + generateRuleInfo(generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &tierEmergency, nil, 1, &passAction)[0]))}, + {response: generateResponse(2, generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &tierEmergency, nil, 1, &passAction), + generateRuleInfo(generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.BaselineTierPriority, nil, 1, &allowAction)[0]))}, + }, + expectedResult: &expectedResponse111, + }, + { + name: "Different Tier priorities", + request: accessRequest, + mockQueryResponse: []mockResponse{ + {response: generateResponse(1, generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &tierEmergency, nil, 1, &allowAction), 
+ generateRuleInfo(generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &networkpolicy.DefaultTierPriority, nil, 1, &allowAction)[0]))}, + {response: generateResponse(2, generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &networkpolicy.DefaultTierPriority, nil, 1, &allowAction), + generateRuleInfo(generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &tierEmergency, nil, 1, &allowAction)[0]))}, + }, + expectedResult: &expectedResponse111, + }, + { + name: "Different policy priorities 1", + request: accessRequest, + mockQueryResponse: []mockResponse{ + {response: generateResponse(1, generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.DefaultTierPriority, &priority1, 1, &allowAction), + generateRuleInfo(generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &networkpolicy.DefaultTierPriority, &priority2, 1, &allowAction)[0]))}, + {response: generateResponse(2, generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &networkpolicy.DefaultTierPriority, &priority2, 1, &allowAction), + generateRuleInfo(generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.DefaultTierPriority, &priority1, 1, &allowAction)[0]))}, + }, + expectedResult: &expectedResponse111, + }, + { + name: "Different policy priorities 2", + request: accessRequest, + mockQueryResponse: []mockResponse{ + {response: generateResponse(1, generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.DefaultTierPriority, &priority2, 1, &allowAction), + generateRuleInfo(generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &networkpolicy.DefaultTierPriority, &priority1, 1, &allowAction)[0]))}, + {response: generateResponse(2, generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, 
&networkpolicy.DefaultTierPriority, &priority1, 1, &allowAction), + generateRuleInfo(generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.DefaultTierPriority, &priority2, 1, &allowAction)[0]))}, + }, + expectedResult: &expectedResponse222, + }, + { + name: "Different rule priorities", + request: accessRequest, + mockQueryResponse: []mockResponse{ + {response: generateResponse(1, nil, generateRuleInfo(generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &networkpolicy.DefaultTierPriority, &priority1, 2, &allowAction)[0]))}, + {response: generateResponse(2, generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &networkpolicy.DefaultTierPriority, &priority1, 2, &allowAction), nil)}, + }, + expectedResult: &expectedResponse222, + }, + { + name: "Different policy names", + request: accessRequest, + mockQueryResponse: []mockResponse{ + {response: generateResponse(1, generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.DefaultTierPriority, &priority1, 1, &allowAction), + generateRuleInfo(generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &networkpolicy.DefaultTierPriority, &priority1, 1, &allowAction)[0]))}, + {response: generateResponse(2, generatePolicies(uid2, controlplane.AntreaNetworkPolicy, controlplane.DirectionIn, &networkpolicy.DefaultTierPriority, &priority1, 1, &allowAction), + generateRuleInfo(generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.DefaultTierPriority, &priority1, 1, &allowAction)[0]))}, + }, + expectedResult: &expectedResponse111, + }, + { + name: "KNP and baseline ANP", + request: accessRequest, + mockQueryResponse: []mockResponse{ + {response: generateResponse(1, generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.BaselineTierPriority, nil, 1, &allowAction), + 
generateRuleInfo(generatePolicies(uid2, controlplane.K8sNetworkPolicy, controlplane.DirectionIn, nil, &defaultPriority, 1, nil)[0]))}, + {response: generateResponse(2, generatePolicies(uid2, controlplane.K8sNetworkPolicy, controlplane.DirectionIn, nil, &defaultPriority, 1, nil), + generateRuleInfo(generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.BaselineTierPriority, nil, 1, &allowAction)[0]))}, + }, + expectedResult: &controlplane.NetworkPolicyEvaluationResponse{ + NetworkPolicy: controlplane.NetworkPolicyReference{Type: controlplane.K8sNetworkPolicy, Namespace: namespace, Name: "Policy222", UID: uid2}, + RuleIndex: 0, + Rule: controlplane.RuleRef{Direction: controlplane.DirectionIn, Name: "Policy222Rule0"}, + }, + }, + { + name: "KNP and default isolation", + request: accessRequest, + mockQueryResponse: []mockResponse{ + {response: generateResponse(1, generatePolicies(uid1, controlplane.K8sNetworkPolicy, controlplane.DirectionOut, nil, &defaultPriority, 1, nil), nil)}, + {response: generateResponse(2, generatePolicies(uid2, controlplane.K8sNetworkPolicy, controlplane.DirectionIn, nil, &defaultPriority, 1, nil), + generateRuleInfo(generatePolicies(uid1, controlplane.K8sNetworkPolicy, controlplane.DirectionOut, nil, &defaultPriority, 1, nil)[0]))}, + }, + expectedResult: &controlplane.NetworkPolicyEvaluationResponse{ + NetworkPolicy: controlplane.NetworkPolicyReference{Type: controlplane.K8sNetworkPolicy, Namespace: namespace, Name: "Policy111", UID: uid1}, + RuleIndex: 0, + Rule: controlplane.RuleRef{Direction: controlplane.DirectionOut, Name: "Policy111Rule0"}, + }, + }, + { + name: "KNP egress default isolation", + request: accessRequest, + mockQueryResponse: []mockResponse{ + {response: generateResponse(1, generatePolicies(uid1, controlplane.K8sNetworkPolicy, controlplane.DirectionOut, nil, &defaultPriority, 1, nil), nil)}, + {response: generateResponse(2, nil, nil)}, + }, + expectedResult: 
&controlplane.NetworkPolicyEvaluationResponse{ + NetworkPolicy: controlplane.NetworkPolicyReference{Type: controlplane.K8sNetworkPolicy, Namespace: namespace, Name: "Policy111", UID: uid1}, + RuleIndex: -1, + Rule: controlplane.RuleRef{Direction: controlplane.DirectionOut, Name: "Policy111Rule0"}, + }, + }, + { + name: "KNP ingress default isolation", + request: accessRequest, + mockQueryResponse: []mockResponse{ + {response: generateResponse(1, nil, nil)}, + {response: generateResponse(2, generatePolicies(uid2, controlplane.K8sNetworkPolicy, controlplane.DirectionIn, nil, &defaultPriority, 1, nil), nil)}, + }, + expectedResult: &controlplane.NetworkPolicyEvaluationResponse{ + NetworkPolicy: controlplane.NetworkPolicyReference{Type: controlplane.K8sNetworkPolicy, Namespace: namespace, Name: "Policy222", UID: uid2}, + RuleIndex: -1, + Rule: controlplane.RuleRef{Direction: controlplane.DirectionIn, Name: "Policy222Rule0"}, + }, + }, + { + name: "No common rule found", + request: accessRequest, + mockQueryResponse: []mockResponse{ + {response: generateResponse(1, generatePolicies(uid1, controlplane.AntreaNetworkPolicy, controlplane.DirectionOut, &networkpolicy.DefaultTierPriority, nil, 1, &allowAction), nil)}, + {response: generateResponse(2, nil, nil)}, + }, + }, + { + name: "Querier error 1", + request: accessRequest, + mockQueryResponse: []mockResponse{{}, {error: errors.NewInternalError(fmt.Errorf("querier error"))}}, + expectedErr: "querier error", + }, + { + name: "Querier error 2", + request: accessRequest, + mockQueryResponse: []mockResponse{{error: errors.NewInternalError(fmt.Errorf("querier error"))}, {}}, + expectedErr: "querier error", + }, + { + name: "Request error", + request: &controlplane.NetworkPolicyEvaluationRequest{Destination: controlplane.Entity{Pod: &controlplane.PodReference{Namespace: namespace}}}, + expectedErr: "invalid NetworkPolicyEvaluation request entities", + }, + } + + for _, tc := range testCases { + tc := tc + t.Run(tc.name, func(t 
*testing.T) { + t.Parallel() + mockQuerier := queriermock.NewMockEndpointQuerier(mockCtrl) + if tc.mockQueryResponse != nil { + for i, mock := range tc.mockQueryResponse { + mockQuerier.EXPECT().QueryNetworkPolicyRules(argsMock[2*i], argsMock[2*i+1]).Return(mock.response, mock.error) + if mock.error != nil { + break + } + } + } + policyRuleQuerier := networkpolicy.NewPolicyRuleQuerier(mockQuerier) + response, err := policyRuleQuerier.QueryNetworkPolicyEvaluation(tc.request) + if tc.expectedErr == "" { + assert.Nil(t, err) + assert.Equal(t, tc.expectedResult, response) } else { - assert.Len(t, response.Endpoints, 1, "QueryNetworkPolicies should only return responses with a single endpoint") - expectedEndpoint := &tc.expectedResponse.Endpoints[0] - endpoint := &response.Endpoints[0] - assert.Equal(t, expectedEndpoint.Namespace, endpoint.Namespace) - assert.Equal(t, expectedEndpoint.Name, endpoint.Name) - assert.ElementsMatch(t, expectedEndpoint.Rules, endpoint.Rules) - assert.ElementsMatch(t, expectedEndpoint.Policies, endpoint.Policies) + assert.ErrorContains(t, err, tc.expectedErr) } + }) } } diff --git a/pkg/controller/networkpolicy/group.go b/pkg/controller/networkpolicy/group.go index ab2486330a6..33c88ea0938 100644 --- a/pkg/controller/networkpolicy/group.go +++ b/pkg/controller/networkpolicy/group.go @@ -169,9 +169,9 @@ func (n *NetworkPolicyController) syncInternalNamespacedGroup(grp *antreatypes.G key := internalGroupKeyFunc(g) selectorUpdated := n.processServiceReference(grp) if grp.Selector != nil { - n.groupingInterface.AddGroup(internalGroupType, key, grp.Selector) + n.GroupingInterface.AddGroup(internalGroupType, key, grp.Selector) } else { - n.groupingInterface.DeleteGroup(internalGroupType, key) + n.GroupingInterface.DeleteGroup(internalGroupType, key) } membersComputed, membersComputedStatus := true, v1.ConditionFalse 
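Review bot: The `evaluateResponse` closure in `TestQueryNetworkPolicyRules` asserts on the outer test's `t`, but it is called from subtests that have already called `t.Parallel()`, so a mismatch is reported against the parent test rather than the failing case; take the subtest's `t` as a parameter, `evaluateResponse := func(t *testing.T, expectedRules, responseRules []*networkpolicy.RuleInfo) {`. The length checks there and on `AppliedPolicies` use `assert.Equal`, which does not stop the subtest, so a shorter response still reaches `responseRules[idx]` or `response.AppliedPolicies[idx]` and panics with an index error instead of a readable failure; `require.Len(t, responseRules, len(expectedRules))` avoids that. `TestQueryNetworkPolicyEvaluation` has the same problem: `gomock.NewController(t)` is created once with the parent `t` and shared by the parallel subtests, so an unexpected or missing `QueryNetworkPolicyRules` call is likely to be attributed to the parent; creating the controller inside each `t.Run` body keeps the failure with its case. These tests pin the precedence logic that the policy-evaluation query reports to operators, so a failure that points at the wrong case is worth fixing before merge.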
diff --git a/pkg/controller/networkpolicy/group_test.go b/pkg/controller/networkpolicy/group_test.go index 153266c48a0..fdc3b9d75b5 100644 --- a/pkg/controller/networkpolicy/group_test.go +++ b/pkg/controller/networkpolicy/group_test.go @@ -170,7 +170,7 @@ func TestProcessGroup(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, c := newController(nil, nil) + _, c := NewController(nil, nil) actualGroup := c.processGroup(tt.inputGroup) assert.Equal(t, tt.expectedGroup, actualGroup) }) @@ -276,7 +276,7 @@ func TestAddGroup(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.addGroup(tt.inputGroup) key := fmt.Sprintf("%s/%s", tt.inputGroup.Namespace, tt.inputGroup.Name) actualGroupObj, _, _ := npc.internalGroupStore.Get(key) @@ -431,7 +431,7 @@ func TestUpdateGroup(t *testing.T) { }, }, } - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.addGroup(&testG) key := fmt.Sprintf("%s/%s", testG.Namespace, testG.Name) for _, tt := range tests { @@ -453,7 +453,7 @@ func TestDeleteG(t *testing.T) { }, } key := fmt.Sprintf("%s/%s", testG.Namespace, testG.Name) - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.addGroup(&testG) npc.deleteGroup(&testG) _, found, _ := npc.internalGroupStore.Get(key) 
@@ -570,18 +570,18 @@ func TestGetGroupMembers(t *testing.T) { controlplane.GroupMemberSet{}, }, } - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) for i := range testPods { - npc.groupingInterface.AddPod(testPods[i]) + npc.GroupingInterface.AddPod(testPods[i]) } for j := range externalEntities { - npc.groupingInterface.AddExternalEntity(externalEntities[j]) + npc.GroupingInterface.AddExternalEntity(externalEntities[j]) } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { npc.internalGroupStore.Create(&tt.group) groupName := k8s.NamespacedName(tt.group.SourceReference.Namespace, tt.group.SourceReference.Name) - npc.groupingInterface.AddGroup(internalGroupType, groupName, tt.group.Selector) + npc.GroupingInterface.AddGroup(internalGroupType, groupName, tt.group.Selector) members, _, err := npc.GetGroupMembers(groupName) assert.Equal(t, nil, err) assert.Equal(t, tt.expectedMembers, members) diff --git a/pkg/controller/networkpolicy/mutate_test.go b/pkg/controller/networkpolicy/mutate_test.go index 4d0dc25e25c..db2b555e346 100644 --- a/pkg/controller/networkpolicy/mutate_test.go +++ b/pkg/controller/networkpolicy/mutate_test.go @@ -184,7 +184,7 @@ func TestMutateAntreaClusterNetworkPolicy(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, controller := newController(nil, nil) + _, controller := NewController(nil, nil) mutator := NewNetworkPolicyMutator(controller.NetworkPolicyController) _, _, patch := mutator.mutateAntreaPolicy(tt.operation, tt.policy.Spec.Ingress, tt.policy.Spec.Egress, tt.policy.Spec.Tier) marshalExpPatch, _ := json.Marshal(tt.expectPatch) 
@@ -353,7 +353,7 @@ func TestMutateAntreaNetworkPolicy(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, controller := newController(nil, nil) + _, controller := NewController(nil, nil) mutator := NewNetworkPolicyMutator(controller.NetworkPolicyController) _, _, patch := mutator.mutateAntreaPolicy(tt.operation, tt.policy.Spec.Ingress, tt.policy.Spec.Egress, tt.policy.Spec.Tier) marshalExpPatch, _ := json.Marshal(tt.expectPatch) diff --git a/pkg/controller/networkpolicy/networkpolicy_controller.go b/pkg/controller/networkpolicy/networkpolicy_controller.go index 3e83e2017f4..ae6d7faad67 100644 --- a/pkg/controller/networkpolicy/networkpolicy_controller.go +++ b/pkg/controller/networkpolicy/networkpolicy_controller.go @@ -253,7 +253,7 @@ type NetworkPolicyController struct { // The typical subscribers of AppliedToGroup are NetworkPolicies. appliedToGroupNotifier *notifier - groupingInterface grouping.Interface + GroupingInterface grouping.Interface // Added as a member to the struct to allow injection for testing. groupingInterfaceSynced func() bool @@ -261,12 +261,12 @@ type NetworkPolicyController struct { // Enable Stretched Networkpolicy feature which allows Antrea-native policies to select peer // from other clusters in a ClusterSet. stretchNPEnabled bool - // heartbeatCh is an internal channel for testing. It's used to know whether all tasks have been + // HeartbeatCh is an internal channel for testing. It's used to know whether all tasks have been // processed, and to count executions of each function. - heartbeatCh chan heartbeat + HeartbeatCh chan Heartbeat } -type heartbeat struct { +type Heartbeat struct { name string timestamp time.Time } 
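Review bot: `HeartbeatCh` and `Heartbeat` become exported in the `@@ -261,12 +261,12 @@` hunk, apparently only so that a test in another package can set the channel, yet the field comment still calls it "an internal channel for testing" and the newly exported `Heartbeat` type has no doc comment. The send in `heartbeat()` (hunk `@@ -563,8 +563,8 @@`) is a plain blocking `n.HeartbeatCh <- Heartbeat{...}`, so any caller that sets the field without draining it would presumably stall whatever controller code calls `heartbeat()`; that contract should be written on the field. Suggested comments: `// HeartbeatCh is for tests only. Sends on it block, so whoever sets it must keep receiving.` and `// Heartbeat records one call to heartbeat(); exported only so tests in other packages can type the channel.` The `NetworkPolicyController` struct starts and ends outside this hunk, so other fields exported by this commit are not visible here.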
@@ -432,15 +432,15 @@ func NewNetworkPolicyController(kubeClient clientset.Interface, addressGroupQueue: workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(minRetryDelay, maxRetryDelay), "addressGroup"), internalNetworkPolicyQueue: workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(minRetryDelay, maxRetryDelay), "internalNetworkPolicy"), internalGroupQueue: workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(minRetryDelay, maxRetryDelay), "internalGroup"), - groupingInterface: groupingInterface, + GroupingInterface: groupingInterface, groupingInterfaceSynced: groupingInterface.HasSynced, labelIdentityInterface: labelIdentityInterface, stretchNPEnabled: stretchedNPEnabled, appliedToGroupNotifier: newNotifier(), } - n.groupingInterface.AddEventHandler(appliedToGroupType, n.enqueueAppliedToGroup) - n.groupingInterface.AddEventHandler(addressGroupType, n.enqueueAddressGroup) - n.groupingInterface.AddEventHandler(internalGroupType, n.enqueueInternalGroup) + n.GroupingInterface.AddEventHandler(appliedToGroupType, n.enqueueAppliedToGroup) + n.GroupingInterface.AddEventHandler(addressGroupType, n.enqueueAddressGroup) + n.GroupingInterface.AddEventHandler(internalGroupType, n.enqueueInternalGroup) n.labelIdentityInterface.AddEventHandler(n.triggerPolicyResyncForLabelIdentityUpdates) // Add handlers for NetworkPolicy events. n.namespaceInformer = namespaceInformer @@ -563,8 +563,8 @@ func NewNetworkPolicyController(kubeClient clientset.Interface, } func (n *NetworkPolicyController) heartbeat(name string) { - if n.heartbeatCh != nil { - n.heartbeatCh <- heartbeat{ + if n.HeartbeatCh != nil { + n.HeartbeatCh <- Heartbeat{ name: name, timestamp: time.Now(), } 
@@ -1168,7 +1168,7 @@ func (n *NetworkPolicyController) getInternalGroupMembers(group *antreatypes.Gro // groupType and group name. func (n *NetworkPolicyController) getMemberSetForGroupType(groupType grouping.GroupType, name string) controlplane.GroupMemberSet { groupMemberSet := controlplane.GroupMemberSet{} - pods, externalEntities := n.groupingInterface.GetEntities(groupType, name) + pods, externalEntities := n.GroupingInterface.GetEntities(groupType, name) for _, pod := range pods { // HostNetwork Pods should be excluded from group members // https://github.com/antrea-io/antrea/issues/3078 @@ -1385,7 +1385,7 @@ func (n *NetworkPolicyController) getAppliedToWorkloads(g *antreatypes.AppliedTo nodes, err := n.nodeLister.List(g.Selector.NodeSelector) return nil, nil, nodes, err } - pods, ees := n.groupingInterface.GetEntities(appliedToGroupType, g.Name) + pods, ees := n.GroupingInterface.GetEntities(appliedToGroupType, g.Name) return pods, ees, nil, nil } @@ -1414,7 +1414,7 @@ func (n *NetworkPolicyController) getInternalGroupWorkloads(group *antreatypes.G } if len(group.ChildGroups) == 0 { - pods, ees := n.groupingInterface.GetEntities(internalGroupType, group.SourceReference.ToGroupName()) + pods, ees := n.GroupingInterface.GetEntities(internalGroupType, group.SourceReference.ToGroupName()) if !validateNamespace(pods, ees) { return nil, nil, &ErrNetworkPolicyAppliedToUnsupportedGroup{groupName: group.SourceReference.Name, namespace: group.SourceReference.Namespace} } 
@@ -1426,7 +1426,7 @@ func (n *NetworkPolicyController) getInternalGroupWorkloads(group *antreatypes.G for _, childName := range group.ChildGroups { // childNameString will either be name of the child ClusterGroup or Namespaced name of the child Group. childNameString := k8s.NamespacedName(group.SourceReference.Namespace, childName) - childPods, childEEs := n.groupingInterface.GetEntities(internalGroupType, childNameString) + childPods, childEEs := n.GroupingInterface.GetEntities(internalGroupType, childNameString) if !validateNamespace(childPods, childEEs) { return nil, nil, &ErrNetworkPolicyAppliedToUnsupportedGroup{groupName: group.SourceReference.Name, namespace: group.SourceReference.Namespace} } @@ -1580,7 +1580,7 @@ func (n *NetworkPolicyController) syncInternalNetworkPolicy(key *controlplane.Ne klog.V(2).InfoS("Creating new AppliedToGroup", "name", name, "uid", appliedToGroup.UID, "selector", appliedToGroup.Selector, "service", appliedToGroup.Service) n.appliedToGroupStore.Create(appliedToGroup) if appliedToGroup.Selector != nil { - n.groupingInterface.AddGroup(appliedToGroupType, appliedToGroup.Name, appliedToGroup.Selector) + n.GroupingInterface.AddGroup(appliedToGroupType, appliedToGroup.Name, appliedToGroup.Selector) } appliedToGroupsToSync.Insert(name) } @@ -1596,7 +1596,7 @@ func (n *NetworkPolicyController) syncInternalNetworkPolicy(key *controlplane.Ne // For an AddressGroup that selects Nodes via nodeSelector, we calculate its members via NodeLister // directly, instead of groupingInterface which handles Pod and ExternalEntity currently. if addressGroup.Selector.NodeSelector == nil { - n.groupingInterface.AddGroup(addressGroupType, addressGroup.Name, &addressGroup.Selector) + n.GroupingInterface.AddGroup(addressGroupType, addressGroup.Name, &addressGroup.Selector) } } 
@@ -1674,14 +1674,14 @@ func (n *NetworkPolicyController) cleanupOrphanGroups(internalNetworkPolicy *ant objs, _ := n.internalNetworkPolicyStore.GetByIndex(store.AppliedToGroupIndex, atgName) if len(objs) == 0 { n.appliedToGroupStore.Delete(atgName) - n.groupingInterface.DeleteGroup(appliedToGroupType, atgName) + n.GroupingInterface.DeleteGroup(appliedToGroupType, atgName) } } for agName := range internalNetworkPolicy.GetAddressGroups() { objs, _ := n.internalNetworkPolicyStore.GetByIndex(store.AddressGroupIndex, agName) if len(objs) == 0 { n.addressGroupStore.Delete(agName) - n.groupingInterface.DeleteGroup(addressGroupType, agName) + n.GroupingInterface.DeleteGroup(addressGroupType, agName) } } } diff --git a/pkg/controller/networkpolicy/networkpolicy_controller_perf_test.go b/pkg/controller/networkpolicy/networkpolicy_controller_perf_test.go index fcc091a6e52..82c99b08ba0 100644 --- a/pkg/controller/networkpolicy/networkpolicy_controller_perf_test.go +++ b/pkg/controller/networkpolicy/networkpolicy_controller_perf_test.go 
@@ -64,19 +64,19 @@ func getXLargeScaleWithSmallNamespaces() (namespaces []*corev1.Namespace, networ namespace := rand.String(8) namespaces = []*corev1.Namespace{newNamespace(namespace, map[string]string{"app": namespace})} networkPolicies = []runtime.Object{ - newNetworkPolicy(namespace, "default-deny-all", nil, nil, nil, nil, nil), - newNetworkPolicy(namespace, "np-1", map[string]string{"app-1": "scale-1"}, map[string]string{"app-1": "scale-1"}, nil, nil, nil), - newNetworkPolicy(namespace, "np-2", map[string]string{"app-2": "scale-2"}, map[string]string{"app-2": "scale-2"}, nil, nil, nil), + NewNetworkPolicy(namespace, "default-deny-all", nil, nil, nil, nil, nil), + NewNetworkPolicy(namespace, "np-1", map[string]string{"app-1": "scale-1"}, map[string]string{"app-1": "scale-1"}, nil, nil, nil), + NewNetworkPolicy(namespace, "np-2", map[string]string{"app-2": "scale-2"}, map[string]string{"app-2": "scale-2"}, nil, nil, nil), } pods = []runtime.Object{ - newPod(namespace, "pod1", map[string]string{"app-1": "scale-1"}), - newPod(namespace, "pod2", map[string]string{"app-1": "scale-1"}), - newPod(namespace, "pod3", map[string]string{"app-2": "scale-2"}), - newPod(namespace, "pod4", map[string]string{"app-2": "scale-2"}), + NewPod(namespace, "pod1", map[string]string{"app-1": "scale-1"}), + NewPod(namespace, "pod2", map[string]string{"app-1": "scale-1"}), + NewPod(namespace, "pod3", map[string]string{"app-2": "scale-2"}), + NewPod(namespace, "pod4", map[string]string{"app-2": "scale-2"}), } return namespaces, networkPolicies, pods } - namespaces, networkPolicies, pods = getXObjects(25000, getObjects) + namespaces, networkPolicies, pods = GetXObjects(25000, getObjects) return namespaces, networkPolicies, pods } 
@@ -92,18 +92,18 @@ func getXLargeScaleWithLargeNamespaces() (namespaces []*corev1.Namespace, networ newNamespace(namespace, map[string]string{"app": namespace}), } networkPolicies = []runtime.Object{ - newNetworkPolicy(namespace, "default-deny-all", nil, nil, nil, nil, nil), + NewNetworkPolicy(namespace, "default-deny-all", nil, nil, nil, nil, nil), } for i := 0; i < 100; i++ { labels := map[string]string{fmt.Sprintf("app-%d", i): fmt.Sprintf("scale-%d", i)} - networkPolicies = append(networkPolicies, newNetworkPolicy(namespace, fmt.Sprintf("np-%d", i), labels, labels, nil, nil, nil)) + networkPolicies = append(networkPolicies, NewNetworkPolicy(namespace, fmt.Sprintf("np-%d", i), labels, labels, nil, nil, nil)) for j := 0; j < 10; j++ { - pods = append(pods, newPod(namespace, fmt.Sprintf("pod-%d-%d", i, j), labels)) + pods = append(pods, NewPod(namespace, fmt.Sprintf("pod-%d-%d", i, j), labels)) } } return namespaces, networkPolicies, pods } - namespaces, networkPolicies, pods = getXObjects(100, getObjects) + namespaces, networkPolicies, pods = GetXObjects(100, getObjects) return namespaces, networkPolicies, pods } 
@@ -125,11 +125,11 @@ func getXLargeScaleWithOneNamespace() (namespaces []*corev1.Namespace, networkPo namespace := rand.String(8) getObjects := func() (namespaces []*corev1.Namespace, networkPolicies []runtime.Object, pods []runtime.Object) { namespaces = []*corev1.Namespace{newNamespace(namespace, map[string]string{"app": namespace})} - networkPolicies = []runtime.Object{newNetworkPolicy(namespace, "", map[string]string{"app-1": "scale-1"}, map[string]string{"app-1": "scale-1"}, nil, nil, nil)} - pods = []runtime.Object{newPod(namespace, "", map[string]string{"app-1": "scale-1"})} + networkPolicies = []runtime.Object{NewNetworkPolicy(namespace, "", map[string]string{"app-1": "scale-1"}, map[string]string{"app-1": "scale-1"}, nil, nil, nil)} + pods = []runtime.Object{NewPod(namespace, "", map[string]string{"app-1": "scale-1"})} return namespaces, networkPolicies, pods } - namespaces, networkPolicies, pods = getXObjects(10000, getObjects) + namespaces, networkPolicies, pods = GetXObjects(10000, getObjects) return namespaces[0:1], networkPolicies, pods } @@ -149,16 +149,16 @@ func getXLargeScaleWithNetpolPerPod() (namespaces []*corev1.Namespace, networkPo app2 := rand.String(8) labels2 := map[string]string{"app": fmt.Sprintf("scale-%v", app2)} networkPolicies = []runtime.Object{ - newNetworkPolicy(namespace, "", labels1, labels2, nil, nil, nil), - newNetworkPolicy(namespace, "", labels2, labels1, nil, nil, nil), + NewNetworkPolicy(namespace, "", labels1, labels2, nil, nil, nil), + NewNetworkPolicy(namespace, "", labels2, labels1, nil, nil, nil), } pods = []runtime.Object{ - newPod(namespace, "", labels1), - newPod(namespace, "", labels2), + NewPod(namespace, "", labels1), + NewPod(namespace, "", labels2), } return namespaces, networkPolicies, pods } - namespaces, networkPolicies, pods = getXObjects(5000, getObjects) + namespaces, networkPolicies, pods = GetXObjects(5000, getObjects) return namespaces[0:1], networkPolicies, pods } 
@@ -185,7 +185,7 @@ func getXLargeScaleWithANNPPerExternalEntity() (namespaces []*corev1.Namespace, } return namespaces, annps, externalEntities } - namespaces, annps, externalEntities = getXObjects(5000, getObjects) + namespaces, annps, externalEntities = GetXObjects(5000, getObjects) return namespaces[0:1], annps, externalEntities } @@ -208,14 +208,14 @@ func getXLargeScaleWithClusterScopedNetpol() (namespaces []*corev1.Namespace, ne namespaces = []*corev1.Namespace{newNamespace(namespace, namespaceLabels)} for j := 0; j < 10; j++ { labels := map[string]string{"app": fmt.Sprintf("scale-%d", j)} - networkPolicies = append(networkPolicies, newNetworkPolicy(namespace, fmt.Sprintf("np-%d", j), labels, labels, namespaceLabels, nil, nil)) + networkPolicies = append(networkPolicies, NewNetworkPolicy(namespace, fmt.Sprintf("np-%d", j), labels, labels, namespaceLabels, nil, nil)) for k := 0; k < 10; k++ { - pods = append(pods, newPod(namespace, fmt.Sprintf("pod-%d-%d", j, k), labels)) + pods = append(pods, NewPod(namespace, fmt.Sprintf("pod-%d-%d", j, k), labels)) } } return namespaces, networkPolicies, pods } - namespaces, networkPolicies, pods = getXObjects(1000, getObjects) + namespaces, networkPolicies, pods = GetXObjects(1000, getObjects) return namespaces, networkPolicies, pods } @@ -240,9 +240,9 @@ func testComputeNetworkPolicy(t *testing.T, maxExecutionTime time.Duration, name } } - k8sObjs = append(k8sObjs, toRunTimeObjects(namespaces)...) - _, c := newController(k8sObjs, crdObjs) - c.heartbeatCh = make(chan heartbeat, 1000) + k8sObjs = append(k8sObjs, ToRunTimeObjects(namespaces)...) + _, c := NewController(k8sObjs, crdObjs) + c.HeartbeatCh = make(chan Heartbeat, 1000) stopCh := make(chan struct{}) 
@@ -261,7 +261,7 @@ func testComputeNetworkPolicy(t *testing.T, maxExecutionTime time.Duration, name for { timer.Reset(idleTimeout) select { - case heartbeat := <-c.heartbeatCh: + case heartbeat := <-c.HeartbeatCh: m, ok := executionMetrics[heartbeat.name] if !ok { m = &executionMetric{} @@ -291,18 +291,18 @@ func testComputeNetworkPolicy(t *testing.T, maxExecutionTime time.Duration, name var maxAlloc uint64 wg.Add(1) go func() { - statMaxMemAlloc(&maxAlloc, 500*time.Millisecond, stopCh) + StatMaxMemAlloc(&maxAlloc, 500*time.Millisecond, stopCh) wg.Done() }() // Everything is ready, now start timing. start := time.Now() - c.informerFactory.Start(stopCh) - c.crdInformerFactory.Start(stopCh) - go c.groupingInterface.Run(stopCh) - go c.groupingController.Run(stopCh) - c.informerFactory.WaitForCacheSync(stopCh) - c.crdInformerFactory.WaitForCacheSync(stopCh) + c.InformerFactory.Start(stopCh) + c.CrdInformerFactory.Start(stopCh) + go c.GroupingInterface.Run(stopCh) + go c.GroupingController.Run(stopCh) + c.InformerFactory.WaitForCacheSync(stopCh) + c.CrdInformerFactory.WaitForCacheSync(stopCh) cache.WaitForCacheSync(stopCh, c.groupingInterfaceSynced) go c.Run(stopCh) @@ -346,7 +346,7 @@ func statEvents(c *networkPolicyController, addressGroupEvents, appliedToGroupEv } } -func statMaxMemAlloc(maxAlloc *uint64, interval time.Duration, stopCh chan struct{}) { +func StatMaxMemAlloc(maxAlloc *uint64, interval time.Duration, stopCh chan struct{}) { var memStats goruntime.MemStats ticker := time.NewTicker(interval) defer ticker.Stop() 
@@ -371,8 +371,8 @@ func getRandomNodeName() string {
 return fmt.Sprintf("Node-%d", rand.Intn(1000))
 }

-// getXObjects calls the provided getObjectsFunc x times and aggregate the objects.
-func getXObjects(x int, getObjectsFunc func() (namespaces []*corev1.Namespace, networkPolicies []runtime.Object, entities []runtime.Object)) (namespaces []*corev1.Namespace, networkPolicies []runtime.Object, entities []runtime.Object) {
+// GetXObjects calls the provided getObjectsFunc x times and aggregate the objects.
+func GetXObjects(x int, getObjectsFunc func() (namespaces []*corev1.Namespace, networkPolicies []runtime.Object, entities []runtime.Object)) (namespaces []*corev1.Namespace, networkPolicies []runtime.Object, entities []runtime.Object) {
 for i := 0; i < x; i++ {
 newNamespaces, newNetworkPolicies, newEntities := getObjectsFunc()
 namespaces = append(namespaces, newNamespaces...)
@@ -382,7 +382,7 @@ func getXObjects(x int, getObjectsFunc func() (namespaces []*corev1.Namespace, n
 return namespaces, networkPolicies, entities
 }

-func toRunTimeObjects(namespaces []*corev1.Namespace) []runtime.Object {
+func ToRunTimeObjects(namespaces []*corev1.Namespace) []runtime.Object {
 objs := make([]runtime.Object, 0, len(namespaces))
 for i := range namespaces {
 objs = append(objs, namespaces[i])
@@ -396,7 +396,7 @@ func newNamespace(name string, labels map[string]string) *corev1.Namespace {
 }
 }

-func newPod(namespace, name string, labels map[string]string) *corev1.Pod {
+func NewPod(namespace, name string, labels map[string]string) *corev1.Pod {
 if name == "" {
 name = "pod-" + rand.String(8)
 }
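Review bot: The doc comment carried over to `GetXObjects` still has the grammar slip "aggregate the objects", and the two helpers exported in the following hunks, `ToRunTimeObjects` and `NewPod`, have no doc comment at all, which exported Go identifiers are expected to carry. Suggested wording: `// GetXObjects calls getObjectsFunc x times and returns the concatenated results.`, `// ToRunTimeObjects converts a slice of Namespaces to a slice of runtime.Object.` and `// NewPod builds a test Pod; an empty name is replaced by "pod-" plus a random suffix.` `newNamespace` and `newExternalEntity` stay unexported, so the helper set is now split between two naming styles without a stated reason. All three function bodies continue outside their hunks.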
@@ -435,7 +435,7 @@ func newExternalEntity(namespace, name string, labels map[string]string) *v1alph
 return externalEntity
 }

-func newNetworkPolicy(namespace, name string, podSelector, ingressPodSelector, ingressNamespaceSelector, egressPodSelector, egressNamespaceSelector map[string]string) *networkingv1.NetworkPolicy {
+func NewNetworkPolicy(namespace, name string, podSelector, ingressPodSelector, ingressNamespaceSelector, egressPodSelector, egressNamespaceSelector map[string]string) *networkingv1.NetworkPolicy {
 if name == "" {
 name = "np-" + rand.String(8)
 }
@@ -523,26 +523,26 @@ func BenchmarkSyncAddressGroup(b *testing.B) { labels := map[string]string{"app-1": "scale-1"} getObjects := func() (namespaces []*corev1.Namespace, networkPolicies []runtime.Object, pods []runtime.Object) { namespaces = []*corev1.Namespace{newNamespace(namespace, nil)} - networkPolicies = []runtime.Object{newNetworkPolicy(namespace, "", labels, labels, nil, nil, nil)} - pods = []runtime.Object{newPod(namespace, "", labels)} + networkPolicies = []runtime.Object{NewNetworkPolicy(namespace, "", labels, labels, nil, nil, nil)} + pods = []runtime.Object{NewPod(namespace, "", labels)} return namespaces, networkPolicies, pods } - namespaces, networkPolicies, pods := getXObjects(1000, getObjects) - objs := toRunTimeObjects(namespaces[0:1]) + namespaces, networkPolicies, pods := GetXObjects(1000, getObjects) + objs := ToRunTimeObjects(namespaces[0:1]) objs = append(objs, networkPolicies...) objs = append(objs, pods...) stopCh := make(chan struct{}) defer close(stopCh) - _, c := newController(objs, nil) - c.informerFactory.Start(stopCh) - c.crdInformerFactory.Start(stopCh) - go c.groupingController.Run(stopCh) - go c.groupingInterface.Run(stopCh) + _, c := NewController(objs, nil) + c.InformerFactory.Start(stopCh) + c.CrdInformerFactory.Start(stopCh) + go c.GroupingController.Run(stopCh) + go c.GroupingInterface.Run(stopCh) // wait for cache syncs // after that, event handlers should have been called to enqueue AppliedToGroups and // InternalNetworkPolicies. - c.informerFactory.WaitForCacheSync(stopCh) - c.crdInformerFactory.WaitForCacheSync(stopCh) + c.InformerFactory.WaitForCacheSync(stopCh) + c.CrdInformerFactory.WaitForCacheSync(stopCh) cache.WaitForCacheSync(stopCh, c.groupingInterfaceSynced) for c.appliedToGroupQueue.Len() > 0 { 
@@ -614,7 +614,7 @@ func benchmarkInit(b *testing.B, namespaces []*corev1.Namespace, networkPolicies crdObjs = append(crdObjs, entity) } } - k8sObjs = append(k8sObjs, toRunTimeObjects(namespaces)...) + k8sObjs = append(k8sObjs, ToRunTimeObjects(namespaces)...) b.ReportAllocs() b.ResetTimer() @@ -624,28 +624,28 @@ func benchmarkInit(b *testing.B, namespaces []*corev1.Namespace, networkPolicies stopCh := make(chan struct{}) defer close(stopCh) _, c := newControllerWithoutEventHandler(k8sObjs, crdObjs) - c.informerFactory.Start(stopCh) - c.crdInformerFactory.Start(stopCh) - go c.groupingInterface.Run(stopCh) + c.InformerFactory.Start(stopCh) + c.CrdInformerFactory.Start(stopCh) + go c.GroupingInterface.Run(stopCh) defer func() { c.addressGroupStore.Stop() c.appliedToGroupStore.Stop() c.internalGroupStore.Stop() c.internalNetworkPolicyStore.Stop() }() - c.informerFactory.WaitForCacheSync(stopCh) - c.crdInformerFactory.WaitForCacheSync(stopCh) + c.InformerFactory.WaitForCacheSync(stopCh) + c.CrdInformerFactory.WaitForCacheSync(stopCh) b.StartTimer() for _, namespace := range namespaces { - c.groupingInterface.AddNamespace(namespace) + c.GroupingInterface.AddNamespace(namespace) } for _, obj := range entities { switch entity := obj.(type) { case *corev1.Pod: - c.groupingInterface.AddPod(entity) + c.GroupingInterface.AddPod(entity) case *v1alpha2.ExternalEntity: - c.groupingInterface.AddExternalEntity(entity) + c.GroupingInterface.AddExternalEntity(entity) } } for _, obj := range networkPolicies { diff --git a/pkg/controller/networkpolicy/networkpolicy_controller_test.go b/pkg/controller/networkpolicy/networkpolicy_controller_test.go index 9459934d557..eb056c00152 100644 --- a/pkg/controller/networkpolicy/networkpolicy_controller_test.go +++ b/pkg/controller/networkpolicy/networkpolicy_controller_test.go 
@@ -98,14 +98,14 @@ type networkPolicyController struct {
 appliedToGroupStore storage.Interface
 addressGroupStore storage.Interface
 internalNetworkPolicyStore storage.Interface
- informerFactory informers.SharedInformerFactory
- crdInformerFactory crdinformers.SharedInformerFactory
- groupingController *grouping.GroupEntityController
+ InformerFactory informers.SharedInformerFactory
+ CrdInformerFactory crdinformers.SharedInformerFactory
+ GroupingController *grouping.GroupEntityController
 labelIdentityController *labelidentity.Controller
 }

 // objects is an initial set of K8s objects that is exposed through the client.
-func newController(k8sObjects, crdObjects []runtime.Object) (*fake.Clientset, *networkPolicyController) {
+func NewController(k8sObjects, crdObjects []runtime.Object) (*fake.Clientset, *networkPolicyController) {
 client := newClientset(k8sObjects...)
 crdClient := fakeversioned.NewSimpleClientset(crdObjects...)
 mcsClient := fakemcsversioned.NewSimpleClientset()
@@ -232,7 +232,7 @@ func newControllerWithoutEventHandler(k8sObjects, crdObjects []runtime.Object) (
 addressGroupQueue: workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(minRetryDelay, maxRetryDelay), "addressGroup"),
 internalNetworkPolicyQueue: workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(minRetryDelay, maxRetryDelay), "internalNetworkPolicy"),
 internalGroupQueue: workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(minRetryDelay, maxRetryDelay), "internalGroup"),
- groupingInterface: groupEntityIndex,
+ GroupingInterface: groupEntityIndex,
 appliedToGroupNotifier: newNotifier(),
 }
 npController.tierInformer.Informer().AddIndexers(tierIndexers)
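Review bot: `NewController` is now exported but still returns the unexported `*networkPolicyController`, so a caller outside this package (presumably an external `_test` package, since this is a `_test.go` file) can call it but cannot name the result type; either export the wrapper type too or keep the constructor unexported. The comment above it, `// objects is an initial set of K8s objects ...`, should start with the function name now that it documents an exported identifier, e.g. `// NewController returns a fake clientset and a test controller seeded with the given K8s and CRD objects.` `CrdInformerFactory` would read `CRDInformerFactory` under Go's initialism convention. NewController's body continues outside the hunk.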
@@ -278,7 +278,7 @@ func newClientset(objects ...runtime.Object) *fake.Clientset { } func TestAddNetworkPolicy(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) np := getK8sNetworkPolicyObj() npc.addNetworkPolicy(np) require.Equal(t, 1, npc.internalNetworkPolicyQueue.Len()) @@ -289,7 +289,7 @@ func TestAddNetworkPolicy(t *testing.T) { } func TestDeleteNetworkPolicy(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) np := getK8sNetworkPolicyObj() npc.addNetworkPolicy(np) require.Equal(t, 1, npc.internalNetworkPolicyQueue.Len()) @@ -300,7 +300,7 @@ func TestDeleteNetworkPolicy(t *testing.T) { } func TestUpdateNetworkPolicy(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) np := getK8sNetworkPolicyObj() newNP := np.DeepCopy() newNP.Spec.Ingress = nil @@ -736,13 +736,13 @@ func TestAddPod(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.networkPolicyStore.Add(testNPObj) npc.syncInternalNetworkPolicy(getKNPReference(testNPObj)) groupKey := testCG.Name npc.addClusterGroup(testCG) npc.cgStore.Add(testCG) - npc.groupingInterface.AddPod(tt.addedPod) + npc.GroupingInterface.AddPod(tt.addedPod) appGroupID := getNormalizedUID(antreatypes.NewGroupSelector("nsA", &selectorSpec, nil, nil, nil).NormalizedName) inGroupID := getNormalizedUID(antreatypes.NewGroupSelector("nsA", &selectorIn, nil, nil, nil).NormalizedName) outGroupID := getNormalizedUID(antreatypes.NewGroupSelector("nsA", &selectorOut, nil, nil, nil).NormalizedName) 
@@ -827,12 +827,12 @@ func TestDeletePod(t *testing.T) { p2 := getPod("p2", ns, "", p2IP, false) // Ensure Pod p2 matches AddressGroup. p2.Labels = ruleLabels - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.networkPolicyStore.Add(matchNPObj) npc.syncInternalNetworkPolicy(getKNPReference(matchNPObj)) npc.addClusterGroup(testCG) - npc.groupingInterface.AddPod(p1) - npc.groupingInterface.AddPod(p2) + npc.GroupingInterface.AddPod(p1) + npc.GroupingInterface.AddPod(p2) npc.syncAppliedToGroup(matchAppGID) // Retrieve AddressGroup. adgs := npc.addressGroupStore.List() @@ -841,7 +841,7 @@ func TestDeletePod(t *testing.T) { addrGroup := addrGroupObj.(*antreatypes.AddressGroup) npc.syncAddressGroup(addrGroup.Name) // Delete Pod P1 matching the AppliedToGroup. - npc.groupingInterface.DeletePod(p1) + npc.GroupingInterface.DeletePod(p1) npc.syncAppliedToGroup(matchAppGID) appGroupObj, _, _ := npc.appliedToGroupStore.Get(matchAppGID) appGroup := appGroupObj.(*antreatypes.AppliedToGroup) @@ -849,7 +849,7 @@ func TestDeletePod(t *testing.T) { // Ensure Pod1 reference is removed from AppliedToGroup. assert.Len(t, podsAdded, 0, "expected Pod to be deleted from AppliedToGroup") // Delete Pod P2 matching the NetworkPolicy Rule. - npc.groupingInterface.DeletePod(p2) + npc.GroupingInterface.DeletePod(p2) npc.syncAddressGroup(addrGroup.Name) npc.syncInternalGroup(groupKey) updatedAddrGroupObj, _, _ := npc.addressGroupStore.Get(addrGroup.Name) 
@@ -980,18 +980,18 @@ func TestAddNamespace(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.networkPolicyStore.Add(testNPObj) npc.syncInternalNetworkPolicy(getKNPReference(testNPObj)) npc.addClusterGroup(testCG) npc.cgStore.Add(testCG) groupKey := testCG.Name - npc.groupingInterface.AddNamespace(tt.addedNamespace) + npc.GroupingInterface.AddNamespace(tt.addedNamespace) p1 := getPod("p1", "nsA", "nodeA", "1.2.3.4", false) p2 := getPod("p2", "nsA", "nodeA", "2.2.3.4", false) - npc.groupingInterface.AddPod(p1) - npc.groupingInterface.AddPod(p2) + npc.GroupingInterface.AddPod(p1) + npc.GroupingInterface.AddPod(p2) inGroupID := getNormalizedUID(antreatypes.NewGroupSelector("", nil, &selectorIn, nil, nil).NormalizedName) outGroupID := getNormalizedUID(antreatypes.NewGroupSelector("", nil, &selectorOut, nil, nil).NormalizedName) npc.syncAddressGroup(inGroupID) 
@@ -1139,25 +1139,25 @@ func TestDeleteNamespace(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.networkPolicyStore.Add(testNPObj) npc.syncInternalNetworkPolicy(getKNPReference(testNPObj)) npc.addClusterGroup(testCG) groupKey := testCG.Name p1 := getPod("p1", "nsA", "", "1.1.1.1", false) p2 := getPod("p2", "nsA", "", "1.1.1.2", false) - npc.groupingInterface.AddNamespace(tt.deletedNamespace) - npc.groupingInterface.AddPod(p1) - npc.groupingInterface.AddPod(p2) - npc.groupingInterface.DeleteNamespace(tt.deletedNamespace) + npc.GroupingInterface.AddNamespace(tt.deletedNamespace) + npc.GroupingInterface.AddPod(p1) + npc.GroupingInterface.AddPod(p2) + npc.GroupingInterface.DeleteNamespace(tt.deletedNamespace) inGroupID := getNormalizedUID(antreatypes.NewGroupSelector("", nil, &selectorIn, nil, nil).NormalizedName) outGroupID := getNormalizedUID(antreatypes.NewGroupSelector("", nil, &selectorOut, nil, nil).NormalizedName) npc.syncAddressGroup(inGroupID) npc.syncAddressGroup(outGroupID) npc.syncInternalGroup(groupKey) - npc.groupingInterface.DeletePod(p1) - npc.groupingInterface.DeletePod(p2) - npc.groupingInterface.DeleteNamespace(tt.deletedNamespace) + npc.GroupingInterface.DeletePod(p1) + npc.GroupingInterface.DeletePod(p2) + npc.GroupingInterface.DeleteNamespace(tt.deletedNamespace) npc.syncAddressGroup(inGroupID) npc.syncAddressGroup(outGroupID) npc.syncInternalGroup(groupKey) 
@@ -1270,13 +1270,13 @@ func TestAddAndUpdateService(t *testing.T) { Selector: map[string]string{"app": "test-2"}, }, } - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.cgStore.Add(testCG1) npc.cgStore.Add(testCG2) npc.addClusterGroup(testCG1) npc.addClusterGroup(testCG2) - npc.groupingInterface.AddPod(testPod1) - npc.groupingInterface.AddPod(testPod2) + npc.GroupingInterface.AddPod(testPod1) + npc.GroupingInterface.AddPod(testPod2) npc.serviceStore.Add(testSvc1) npc.serviceStore.Add(testSvc2) npc.syncInternalGroup(testCG1.Name) @@ -1349,10 +1349,10 @@ func TestDeleteService(t *testing.T) { Selector: map[string]string{"app": "test"}, }, } - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) npc.cgStore.Add(testCG) npc.addClusterGroup(testCG) - npc.groupingInterface.AddPod(testPod) + npc.GroupingInterface.AddPod(testPod) npc.serviceStore.Add(testSvc) npc.syncInternalGroup(testCG.Name) memberPod := &controlplane.GroupMember{ @@ -1786,7 +1786,7 @@ func TestToAntreaPeer(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, npc := newController(nil, nil) + _, npc := NewController(nil, nil) actualPeer, _ := npc.toAntreaPeer(tt.inPeers, testNPObj, tt.direction, tt.namedPortExist) if !reflect.DeepEqual(tt.outPeer.AddressGroups, (*actualPeer).AddressGroups) { t.Errorf("Unexpected AddressGroups in Antrea Peer conversion. Expected %v, got %v", tt.outPeer.AddressGroups, (*actualPeer).AddressGroups) 
@@ -2202,11 +2202,11 @@ func TestProcessNetworkPolicy(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, c := newController(tt.existingObjects, nil) + _, c := NewController(tt.existingObjects, nil) stopCh := make(chan struct{}) defer close(stopCh) - c.informerFactory.Start(stopCh) - c.informerFactory.WaitForCacheSync(stopCh) + c.InformerFactory.Start(stopCh) + c.InformerFactory.WaitForCacheSync(stopCh) actualPolicy, actualAppliedToGroups, actualAddressGroups := c.processNetworkPolicy(tt.inputPolicy) assert.Equal(t, tt.expectedPolicy, actualPolicy, "processNetworkPolicy() got unexpected result") @@ -2475,8 +2475,8 @@ func TestIPStrToIPAddress(t *testing.T) { } func TestDeleteFinalStateUnknownNetworkPolicy(t *testing.T) { - _, c := newController(nil, nil) - c.heartbeatCh = make(chan heartbeat, 2) + _, c := NewController(nil, nil) + c.HeartbeatCh = make(chan Heartbeat, 2) np := &networkingv1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{Namespace: "nsA", Name: "npA", UID: "uidA"}, Spec: networkingv1.NetworkPolicySpec{ @@ -2487,11 +2487,11 @@ func TestDeleteFinalStateUnknownNetworkPolicy(t *testing.T) { c.addNetworkPolicy(np) key, _ := cache.MetaNamespaceKeyFunc(np) c.deleteNetworkPolicy(cache.DeletedFinalStateUnknown{Key: key, Obj: np}) - close(c.heartbeatCh) + close(c.HeartbeatCh) var ok bool - _, ok = <-c.heartbeatCh + _, ok = <-c.HeartbeatCh assert.True(t, ok, "Missing event on channel") - _, ok = <-c.heartbeatCh + _, ok = <-c.HeartbeatCh assert.True(t, ok, "Missing event on channel") } 
@@ -2659,13 +2659,13 @@ func TestGetAppliedToWorkloads(t *testing.T) { expNodes: []*corev1.Node{nodeA}, }, } - _, c := newController([]runtime.Object{nodeA, nodeB}, nil) + _, c := NewController([]runtime.Object{nodeA, nodeB}, nil) stopCh := make(chan struct{}) defer close(stopCh) - c.informerFactory.Start(stopCh) - c.informerFactory.WaitForCacheSync(stopCh) - c.groupingInterface.AddPod(podA) - c.groupingInterface.AddPod(podB) + c.InformerFactory.Start(stopCh) + c.InformerFactory.WaitForCacheSync(stopCh) + c.GroupingInterface.AddPod(podA) + c.GroupingInterface.AddPod(podB) clusterGroups := []v1beta1.ClusterGroup{cgA, cgB, cgC, cgD, nestedCG1, nestedCG2} for i, cg := range clusterGroups { c.cgStore.Add(&clusterGroups[i]) @@ -2785,9 +2785,9 @@ func TestGetAddressGroupMemberSet(t *testing.T) { expMemberSet: podABMemberSet, }, } - _, c := newController(nil, nil) - c.groupingInterface.AddPod(podA) - c.groupingInterface.AddPod(podB) + _, c := NewController(nil, nil) + c.GroupingInterface.AddPod(podA) + c.GroupingInterface.AddPod(podB) clusterGroups := []v1beta1.ClusterGroup{cgA, cgB, cgC, cgD, nestedCG1, nestedCG2} for i, cg := range clusterGroups { c.cgStore.Add(&clusterGroups[i]) 
@@ -2808,13 +2808,13 @@ func TestGetAddressGroupMemberSet(t *testing.T) { func TestAddressGroupWithNodeSelector(t *testing.T) { stopCh := make(chan struct{}) defer close(stopCh) - _, c := newController(nil, nil) - c.informerFactory.Start(stopCh) - c.crdInformerFactory.Start(stopCh) - go c.groupingController.Run(stopCh) - go c.groupingInterface.Run(stopCh) - c.informerFactory.WaitForCacheSync(stopCh) - c.crdInformerFactory.WaitForCacheSync(stopCh) + _, c := NewController(nil, nil) + c.InformerFactory.Start(stopCh) + c.CrdInformerFactory.Start(stopCh) + go c.GroupingController.Run(stopCh) + go c.GroupingInterface.Run(stopCh) + c.InformerFactory.WaitForCacheSync(stopCh) + c.CrdInformerFactory.WaitForCacheSync(stopCh) cache.WaitForCacheSync(stopCh, c.groupingInterfaceSynced) nodeSelectorA := metav1.LabelSelector{MatchLabels: map[string]string{"env": "pro"}} @@ -3085,15 +3085,15 @@ func TestMultipleNetworkPoliciesWithSameAppliedTo(t *testing.T) { }, AppliedToGroups: []string{selectorAGroupUID}, } - _, c := newController([]runtime.Object{podA, podB, podC}, nil) + _, c := NewController([]runtime.Object{podA, podB, podC}, nil) stopCh := make(chan struct{}) defer close(stopCh) - c.informerFactory.Start(stopCh) - c.crdInformerFactory.Start(stopCh) - c.informerFactory.WaitForCacheSync(stopCh) - c.crdInformerFactory.WaitForCacheSync(stopCh) - go c.groupingInterface.Run(stopCh) - go c.groupingController.Run(stopCh) + c.InformerFactory.Start(stopCh) + c.CrdInformerFactory.Start(stopCh) + c.InformerFactory.WaitForCacheSync(stopCh) + c.CrdInformerFactory.WaitForCacheSync(stopCh) + go c.GroupingInterface.Run(stopCh) + go c.GroupingController.Run(stopCh) go c.Run(stopCh) c.kubeClient.NetworkingV1().NetworkPolicies(policyA.Namespace).Create(context.TODO(), policyA, metav1.CreateOptions{}) 
@@ -3226,7 +3226,7 @@ func TestSyncInternalNetworkPolicy(t *testing.T) { } // Add a new policy, it should create an internal NetworkPolicy, AddressGroups and AppliedToGroups used by it. - _, c := newController(nil, nil) + _, c := NewController(nil, nil) c.acnpStore.Add(inputPolicy) networkPolicyRef := getACNPReference(inputPolicy) assert.NoError(t, c.syncInternalNetworkPolicy(networkPolicyRef)) @@ -3334,7 +3334,7 @@ func TestSyncInternalNetworkPolicyWithSameName(t *testing.T) { } // Add and sync policyA first, it should create an AppliedToGroup. - _, c := newController(nil, nil) + _, c := NewController(nil, nil) c.networkPolicyStore.Add(policyA) networkPolicyRefA := getKNPReference(policyA) assert.NoError(t, c.syncInternalNetworkPolicy(networkPolicyRefA)) @@ -3446,7 +3446,7 @@ func TestSyncInternalNetworkPolicyConcurrently(t *testing.T) { } // Add and sync policyA first, it should create an AddressGroup and AppliedToGroups. - _, c := newController(nil, nil) + _, c := NewController(nil, nil) c.networkPolicyStore.Add(policyA) networkPolicyRefA := getKNPReference(policyA) assert.NoError(t, c.syncInternalNetworkPolicy(networkPolicyRefA)) @@ -3694,15 +3694,15 @@ func TestSyncInternalNetworkPolicyWithGroups(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, c := newController([]runtime.Object{podA, podB}, nil) + _, c := NewController([]runtime.Object{podA, podB}, nil) stopCh := make(chan struct{}) defer close(stopCh) - c.informerFactory.Start(stopCh) - c.crdInformerFactory.Start(stopCh) - c.informerFactory.WaitForCacheSync(stopCh) - c.crdInformerFactory.WaitForCacheSync(stopCh) - go c.groupingInterface.Run(stopCh) - go c.groupingController.Run(stopCh) + c.InformerFactory.Start(stopCh) + c.CrdInformerFactory.Start(stopCh) + c.InformerFactory.WaitForCacheSync(stopCh) + c.CrdInformerFactory.WaitForCacheSync(stopCh) + go c.GroupingInterface.Run(stopCh) + go c.GroupingController.Run(stopCh) go c.Run(stopCh) for _, group := range tt.groups { 
@@ -3801,8 +3801,8 @@ func TestSyncAppliedToGroupWithExternalEntity(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, npc := newController(nil, nil) - npc.groupingInterface.AddExternalEntity(tt.addedExternalEntity) + _, npc := NewController(nil, nil) + npc.GroupingInterface.AddExternalEntity(tt.addedExternalEntity) groupSelector := antreatypes.NewGroupSelector("nsA", nil, nil, &selectorSpec, nil) appGroupID := getNormalizedUID(groupSelector.NormalizedName) appliedToGroup := &antreatypes.AppliedToGroup{ @@ -3811,7 +3811,7 @@ func TestSyncAppliedToGroupWithExternalEntity(t *testing.T) { Selector: groupSelector, } npc.appliedToGroupStore.Create(appliedToGroup) - npc.groupingInterface.AddGroup(appliedToGroupType, appliedToGroup.Name, appliedToGroup.Selector) + npc.GroupingInterface.AddGroup(appliedToGroupType, appliedToGroup.Name, appliedToGroup.Selector) npc.syncAppliedToGroup(appGroupID) appGroupObj, _, _ := npc.appliedToGroupStore.Get(appGroupID) appGroup := appGroupObj.(*antreatypes.AppliedToGroup) @@ -3848,11 +3848,11 @@ func TestSyncAppliedToGroupWithNode(t *testing.T) { }, } - _, npc := newController([]runtime.Object{nodeA, nodeB, nodeC}, nil) + _, npc := NewController([]runtime.Object{nodeA, nodeB, nodeC}, nil) stopCh := make(chan struct{}) defer close(stopCh) - npc.informerFactory.Start(stopCh) - npc.informerFactory.WaitForCacheSync(stopCh) + npc.InformerFactory.Start(stopCh) + npc.InformerFactory.WaitForCacheSync(stopCh) groupSelector := antreatypes.NewGroupSelector("", nil, nil, nil, &selector) appGroupID := getNormalizedUID(groupSelector.NormalizedName) appliedToGroup := &antreatypes.AppliedToGroup{ diff --git a/pkg/controller/networkpolicy/testing/mock_networkpolicy.go b/pkg/controller/networkpolicy/testing/mock_networkpolicy.go index ffd00ee9273..939300a0ab8 100644 --- a/pkg/controller/networkpolicy/testing/mock_networkpolicy.go +++ b/pkg/controller/networkpolicy/testing/mock_networkpolicy.go 
@@ -1,4 +1,4 @@ -// Copyright 2023 Antrea Authors +// Copyright 2024 Antrea Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -14,11 +14,11 @@ // // Code generated by MockGen. DO NOT EDIT. -// Source: antrea.io/antrea/pkg/controller/networkpolicy (interfaces: EndpointQuerier) +// Source: antrea.io/antrea/pkg/controller/networkpolicy (interfaces: EndpointQuerier,PolicyRuleQuerier) // // Generated by this command: // -// mockgen -copyright_file hack/boilerplate/license_header.raw.txt -destination pkg/controller/networkpolicy/testing/mock_networkpolicy.go -package testing antrea.io/antrea/pkg/controller/networkpolicy EndpointQuerier +// mockgen -copyright_file hack/boilerplate/license_header.raw.txt -destination pkg/controller/networkpolicy/testing/mock_networkpolicy.go -package testing antrea.io/antrea/pkg/controller/networkpolicy EndpointQuerier,PolicyRuleQuerier // // Package testing is a generated GoMock package. package testing @@ -26,6 +26,7 @@ package testing import ( reflect "reflect" + controlplane "antrea.io/antrea/pkg/apis/controlplane" networkpolicy "antrea.io/antrea/pkg/controller/networkpolicy" gomock "go.uber.org/mock/gomock" ) 
@@ -53,17 +54,55 @@ func (m *MockEndpointQuerier) EXPECT() *MockEndpointQuerierMockRecorder { return m.recorder } -// QueryNetworkPolicies mocks base method. -func (m *MockEndpointQuerier) QueryNetworkPolicies(arg0, arg1 string) (*networkpolicy.EndpointQueryResponse, error) { +// QueryNetworkPolicyRules mocks base method. +func (m *MockEndpointQuerier) QueryNetworkPolicyRules(arg0, arg1 string) (*networkpolicy.EndpointNetworkPolicyRules, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "QueryNetworkPolicies", arg0, arg1) - ret0, _ := ret[0].(*networkpolicy.EndpointQueryResponse) + ret := m.ctrl.Call(m, "QueryNetworkPolicyRules", arg0, arg1) + ret0, _ := ret[0].(*networkpolicy.EndpointNetworkPolicyRules) ret1, _ := ret[1].(error) return ret0, ret1 } -// QueryNetworkPolicies indicates an expected call of QueryNetworkPolicies. -func (mr *MockEndpointQuerierMockRecorder) QueryNetworkPolicies(arg0, arg1 any) *gomock.Call { +// QueryNetworkPolicyRules indicates an expected call of QueryNetworkPolicyRules. +func (mr *MockEndpointQuerierMockRecorder) QueryNetworkPolicyRules(arg0, arg1 any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "QueryNetworkPolicies", reflect.TypeOf((*MockEndpointQuerier)(nil).QueryNetworkPolicies), arg0, arg1) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "QueryNetworkPolicyRules", reflect.TypeOf((*MockEndpointQuerier)(nil).QueryNetworkPolicyRules), arg0, arg1) +} + +// MockPolicyRuleQuerier is a mock of PolicyRuleQuerier interface. +type MockPolicyRuleQuerier struct { + ctrl *gomock.Controller + recorder *MockPolicyRuleQuerierMockRecorder +} + +// MockPolicyRuleQuerierMockRecorder is the mock recorder for MockPolicyRuleQuerier. +type MockPolicyRuleQuerierMockRecorder struct { + mock *MockPolicyRuleQuerier +} + +// NewMockPolicyRuleQuerier creates a new mock instance. 
+func NewMockPolicyRuleQuerier(ctrl *gomock.Controller) *MockPolicyRuleQuerier { + mock := &MockPolicyRuleQuerier{ctrl: ctrl} + mock.recorder = &MockPolicyRuleQuerierMockRecorder{mock} + return mock +} + +// EXPECT returns an object that allows the caller to indicate expected use. +func (m *MockPolicyRuleQuerier) EXPECT() *MockPolicyRuleQuerierMockRecorder { + return m.recorder +} + +// QueryNetworkPolicyEvaluation mocks base method. +func (m *MockPolicyRuleQuerier) QueryNetworkPolicyEvaluation(arg0 *controlplane.NetworkPolicyEvaluationRequest) (*controlplane.NetworkPolicyEvaluationResponse, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "QueryNetworkPolicyEvaluation", arg0) + ret0, _ := ret[0].(*controlplane.NetworkPolicyEvaluationResponse) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// QueryNetworkPolicyEvaluation indicates an expected call of QueryNetworkPolicyEvaluation. +func (mr *MockPolicyRuleQuerierMockRecorder) QueryNetworkPolicyEvaluation(arg0 any) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "QueryNetworkPolicyEvaluation", reflect.TypeOf((*MockPolicyRuleQuerier)(nil).QueryNetworkPolicyEvaluation), arg0) } diff --git a/pkg/controller/networkpolicy/tier_test.go b/pkg/controller/networkpolicy/tier_test.go index bcbe2fc549c..faf5c9108dc 100644 --- a/pkg/controller/networkpolicy/tier_test.go +++ b/pkg/controller/networkpolicy/tier_test.go @@ -70,7 +70,7 @@ func TestInitTier(t *testing.T) { } for _, tc := range tests { t.Run(tc.name, func(t *testing.T) { - _, c := newController(nil, nil) + _, c := NewController(nil, nil) if tc.reactor != nil { c.crdClient.(*fake.Clientset).PrependReactor("create", "tiers", tc.reactor) } diff --git a/pkg/controller/networkpolicy/validate_test.go b/pkg/controller/networkpolicy/validate_test.go index 43b20fe13ca..d2731671002 100644 --- a/pkg/controller/networkpolicy/validate_test.go +++ b/pkg/controller/networkpolicy/validate_test.go 
@@ -1668,7 +1668,7 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 for feature, value := range tt.featureGates {
 defer featuregatetesting.SetFeatureGateDuringTest(t, features.DefaultFeatureGate, feature, value)()
 }
- _, controller := newController(nil, nil)
+ _, controller := NewController(nil, nil)
 validator := NewNetworkPolicyValidator(controller.NetworkPolicyController)
 actualReason, allowed := validator.validateAntreaPolicy(tt.policy, "", tt.operation, authenticationv1.UserInfo{})
 assert.Equal(t, tt.expectedReason, actualReason)
@@ -1740,7 +1740,7 @@ func TestValidateAntreaNetworkPolicy(t *testing.T) {
 for feature, value := range tt.featureGates {
 defer featuregatetesting.SetFeatureGateDuringTest(t, features.DefaultFeatureGate, feature, value)()
 }
- _, controller := newController(nil, nil)
+ _, controller := NewController(nil, nil)
 validator := NewNetworkPolicyValidator(controller.NetworkPolicyController)
 actualReason, allowed := validator.validateAntreaPolicy(tt.policy, "", tt.operation, authenticationv1.UserInfo{})
 assert.Equal(t, tt.expectedReason, actualReason)
@@ -2023,7 +2023,7 @@ func TestValidateAntreaClusterGroup(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- _, controller := newController(nil, nil)
+ _, controller := NewController(nil, nil)
 if tt.existGroup != nil {
 controller.cgStore.Add(tt.existGroup)
 controller.addClusterGroup(tt.existGroup)
@@ -2280,7 +2280,7 @@ func TestValidateAntreaGroup(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- _, controller := newController(nil, nil)
+ _, controller := NewController(nil, nil)
 if tt.existGroup != nil {
 controller.gStore.Add(tt.existGroup)
 controller.addGroup(tt.existGroup)
@@ -2488,7 +2488,7 @@ func TestValidateTier(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, controller := newController(nil, nil) + _, controller := NewController(nil, nil) for i := 1; i <= tt.existTierNum; i++ { controller.tierStore.Add(&crdv1beta1.Tier{ ObjectMeta: metav1.ObjectMeta{ @@ -2710,7 +2710,7 @@ func TestValidateAdminNetworkPolicy(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, controller := newController(nil, nil) + _, controller := NewController(nil, nil) validator := NewNetworkPolicyValidator(controller.NetworkPolicyController) actualReason, allowed := validator.validateAdminNetworkPolicy(tt.policy, "", tt.operation, authenticationv1.UserInfo{}) assert.Equal(t, tt.expectedReason, actualReason)