Implement openflow metrics query interface

[weiqiangt]

• Add flows to calculate packet and session numbers of each NetworkPolicy
  rule.
• Provide functions to query metrics of each NetworkPolicy rule.

[antrea-bot]

Thanks for your PR.
Unit tests and code linters are run automatically every time the PR is updated.
E2e, conformance and network policy tests can only be triggered by a member of the vmware-tanzu organization. Regular contributors to the project should join the org.

The following commands are available:

• /test-e2e: to trigger e2e tests.
• /skip-e2e: to skip e2e tests.
• /test-conformance: to trigger conformance tests.
• /skip-conformance: to skip conformance tests.
• /test-whole-conformance: to trigger all conformance tests on linux.
• /skip-whole-conformance: to skip all conformance tests on linux.
• /test-networkpolicy: to trigger networkpolicy tests.
• /skip-networkpolicy: to skip networkpolicy tests.
• /test-windows-conformance: to trigger windows conformance tests.
• /skip-windows-conformance: to skip windows conformance tests.
• /test-windows-networkpolicy: to trigger windows networkpolicy tests.
• /skip-windows-networkpolicy: to skip windows networkpolicy tests.
• /test-hw-offload: to trigger ovs hardware offload test.
• /skip-hw-offload: to skip ovs hardware offload test.
• /test-all: to trigger all tests (except whole conformance).
• /skip-all: to skip all tests (except whole conformance).

[weiqiangt]

/test-all

[codecov-commenter]

Codecov Report

Merging #1140 into master will increase coverage by 0.08%.
The diff coverage is 65.62%.

@@            Coverage Diff             @@
##           master    #1140      +/-   ##
==========================================
+ Coverage   56.20%   56.29%   +0.08%     
==========================================
  Files         105      108       +3     
  Lines       11550    12027     +477     
==========================================
+ Hits         6492     6770     +278     
- Misses       4490     4669     +179     
- Partials      568      588      +20     

Flag	Coverage Δ
#integration-tests	46.12% <31.87%> (-1.22%)	⬇️
#unit-tests	42.53% <61.53%> (+0.87%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/agent/openflow/client.go	35.60% <ø> (ø)
pkg/agent/types/networkpolicy.go	16.66% <0.00%> (-8.34%)	⬇️
pkg/ovs/openflow/ofctrl_action.go	83.79% <ø> (+1.58%)	⬆️
pkg/agent/openflow/pipeline.go	57.11% <54.09%> (+0.31%)	⬆️
pkg/agent/openflow/network_policy.go	73.61% <66.17%> (-0.84%)	⬇️
pkg/ovs/openflow/ofctrl_builder.go	74.91% <100.00%> (+2.60%)	⬆️
...g/controller/networkpolicy/store/appliedtogroup.go	84.84% <0.00%> (-3.91%)	⬇️
pkg/agent/controller/networkpolicy/reconciler.go	69.07% <0.00%> (-3.16%)	⬇️
pkg/agent/controller/networkpolicy/cache.go	77.31% <0.00%> (-2.26%)	⬇️
pkg/apiserver/storage/ram/store.go	80.39% <0.00%> (-1.31%)	⬇️
... and 9 more

[tnqn]

Could you update the title of the PR and commit to something more specific? "Implement policy metrics" is too high level and may be confusing since this is only a part of "policy metrics", maybe "Implement openflow metrics query interface"

[antoninbas]

@weiqiangt @tnqn Apologies. I didn't realize that this PR was part of #1172. I left some relevant comments in that other PR.

[weiqiangt]

@weiqiangt @tnqn Apologies. I didn't realize that this PR was part of #1172. I left some relevant comments in that other PR.

Thanks for reviewing, I have updated the code according to your comment.

[srikartati]

Thanks for the change. I have a couple of comments.

[srikartati]

Example format to cover this scenario would be good I guess.

[weiqiangt]

Thanks, added the example format.

[srikartati]

nit: drop identifier would make this easy to read?

[weiqiangt]

Thanks, added.

[srikartati]

Is this used somewhere?

[weiqiangt]

Nope, removed.

[srikartati]

Is this supposed to be CtLabelHiMask as the range doesn't involve LabelLo value?

[weiqiangt]

Thanks for pointing it out. I have updated this part and extract the bit operations to a separate function with a unit test covers.

[antoninbas]

some minor follow-up comments

[antoninbas]

I commented in #1172 (comment). I wasn't suggesting making it a field in the client, just having a local variable for it.

[weiqiangt]

Done.

[antoninbas]

I actually thought you were going to have something like this:

collectMetricsFromFlows := func(flows []string) {
    for _, flow := range flows {
        // ...
    }
}

collectMetricsFromFlows(egressFlows)
collectMetricsFromFlows(ingressFlows)

(not a big fan of the [][]string and double for loop)

[weiqiangt]

Sure, updated.

[weiqiangt]

/test-all

[tnqn]

It will overflow once it exceeds 4G bytes? I think all the 3 metrics should be 64 bit size.

[weiqiangt]

Thanks for pointing it out, updated.

[tnqn]

comment doesn't match, and I think using number directly is more straightforward, people may be confused by endpointIPReg, I thought they have some association before, but they just share the reg, right?

[weiqiangt]

Sure, updated.

[tnqn]

declaring labelRange as two global variables to avoid repeated allocation, for example low32Range, high32Range?

[weiqiangt]

Updated.

[weiqiangt]

Updated.

[tnqn]

ditto

[weiqiangt]

Updated.

[tnqn]

Use pointer to avoid struct copy?

[weiqiangt]

Sure, updated.

[tnqn]

nit: why changing the comment position? I think the previous one is more common and neat

[weiqiangt]

Reverted.

[tnqn]

thanks @weiqiangt, LGTM

[weiqiangt]

/test-all

[srikartati]

I understand that this is merged. Trying to use this patch for adding netpol info in flow records. Have a couple of questions.

What happens to ct_label if both cluster network policy rule and k8s rule are applied on to one flow? Do we support this scenario?

[srikartati]

What happens to egress rule if only 32 bits are valid? I see that in ct_label we use 64 bits like below:

// We use the 0..31 bits of the ct_label to store the ingress rule ID and use the 32..63 bits to store the
// egress rule ID.

[weiqiangt]

Thanks for pointing it out, this should be a bug. I will create a PR to fix it.

[weiqiangt]

When matching egress rule, there should always be 8 trailing zero while the length of the matching pattern of ingress rule will never exceed 8.
In other words, if the length of idRaw exceeds 8, it must for egress, otherwise it's for ingress.

[srikartati]

I see.. makes sense. The comment was a bit confusing and misleading.

[weiqiangt]

I understand that this is merged. Trying to use this patch for adding netpol info in flow records. Have a couple of questions.

What happens to ct_label if both cluster network policy rule and k8s rule are applied on to one flow? Do we support this scenario?

For now, only the ID of the last rule which takes effect will be calculated.

[srikartati]

I understand that this is merged. Trying to use this patch for adding netpol info in flow records. Have a couple of questions.
What happens to ct_label if both cluster network policy rule and k8s rule are applied on to one flow? Do we support this scenario?

For now, only the ID of the last rule which takes effect will be calculated.

Okay. Maybe using the rest of 64bits is probably the right way I guess, right?

[srikartati]

I understand that this is merged. Trying to use this patch for adding netpol info in flow records. Have a couple of questions.
What happens to ct_label if both cluster network policy rule and k8s rule are applied on to one flow? Do we support this scenario?

For now, only the ID of the last rule which takes effect will be calculated.

Okay. Maybe using the rest of 64bits is probably the right way I guess, right?

Please ignore the above comment. I confirmed with @abhiraut that only one rule either from cluster network policy or K8s network policy is being applied.