add switch for network policy support

kubeovn · Jul 28, 2021 · cbe8ae6 · cbe8ae6
1 parent 2c15879
commit cbe8ae6
Show file tree

Hide file tree

Showing 12 changed files with 164 additions and 73 deletions.
diff --git a/.github/workflows/build-x86-image.yaml b/.github/workflows/build-x86-image.yaml
@@ -474,6 +474,55 @@ jobs:
           sudo chmod 666 /home/runner/.kube/config
           make e2e
 
+  no-np-e2e:
+    needs: build
+    name: disable-network-policy-e2e
+    runs-on: ubuntu-18.04
+    timeout-minutes: 30
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: Install Kind
+        env:
+          KIND_VERSION: v0.11.1
+        run: |
+          curl -Lo ./kind https://github.com/kubernetes-sigs/kind/releases/download/${KIND_VERSION}/kind-$(uname)-amd64
+          chmod +x ./kind
+          sudo mv kind /usr/local/bin
+
+      - name: Init Kind
+        run: |
+          pip install j2cli --user
+          pip install "j2cli[yaml]" --user
+          sudo PATH=~/.local/bin:$PATH make kind-init
+
+      - name: Download image
+        uses: actions/download-artifact@v2
+        with:
+          name: image
+
+      - name: Install Kube-OVN without network policy support
+        env:
+          ENABLE_NP: "false"
+        run: |
+          docker load --input image.tar
+          sudo make kind-install
+
+      - name: Set up Go 1.x
+        uses: actions/setup-go@v2
+        with:
+          go-version: ^1.16
+        id: go
+
+      - name: Run E2E
+        run: |
+          go get -u github.com/onsi/ginkgo/ginkgo
+          go get -u github.com/onsi/gomega/...
+          sudo kubectl cluster-info
+          sudo chmod 666 /home/runner/.kube/config
+          make e2e
+
   push:
     needs:
       - single-e2e
@@ -485,6 +534,7 @@ jobs:
       - ipv6-vlan-e2e-single-nic
       - no-lb-e2e
       - no-lb-iptables-e2e
+      - no-np-e2e
     name: push
     runs-on: ubuntu-18.04
     steps:

diff --git a/dist/images/install-pre-1.16.sh b/dist/images/install-pre-1.16.sh
@@ -8,6 +8,7 @@ ENABLE_MIRROR=${ENABLE_MIRROR:-false}
 VLAN_NIC=${VLAN_NIC:-}
 HW_OFFLOAD=${HW_OFFLOAD:-false}
 ENABLE_LB=${ENABLE_LB:-true}
+ENABLE_NP=${ENABLE_NP:-true}
 # The nic to support container network can be a nic name or a group of regex
 # separated by comma, if empty will use the nic that the default route use
 IFACE=""
@@ -1649,6 +1650,7 @@ spec:
           - --default-vlan-id=$VLAN_ID
           - --pod-nic-type=$POD_NIC_TYPE
           - --enable-lb=$ENABLE_LB
+          - --enable-np=$ENABLE_NP
           env:
             - name: ENABLE_SSL
               value: "$ENABLE_SSL"

diff --git a/dist/images/install.sh b/dist/images/install.sh
@@ -9,6 +9,7 @@ ENABLE_MIRROR=${ENABLE_MIRROR:-false}
 VLAN_NIC=${VLAN_NIC:-}
 HW_OFFLOAD=${HW_OFFLOAD:-false}
 ENABLE_LB=${ENABLE_LB:-true}
+ENABLE_NP=${ENABLE_NP:-true}
 # The nic to support container network can be a nic name or a group of regex
 # separated by comma, if empty will use the nic that the default route use
 IFACE=""
@@ -1691,6 +1692,7 @@ spec:
           - --default-vlan-id=$VLAN_ID
           - --pod-nic-type=$POD_NIC_TYPE
           - --enable-lb=$ENABLE_LB
+          - --enable-np=$ENABLE_NP
           env:
             - name: ENABLE_SSL
               value: "$ENABLE_SSL"

diff --git a/docs/install.md b/docs/install.md
@@ -105,7 +105,8 @@ You can use `--default-cidr` flags below to config default Pod CIDR or create a
       --default-provider-name string              The vlan or vxlan type default provider interface name, default: provider (default "provider")
       --default-vlan-id int                       The default vlan id, default: 1 (default 1)
       --default-vlan-name string                  The default vlan name, default: ovn-vlan (default "ovn-vlan")
-      --default-vlan-range string                 The default vlan range, default: 1-4095 (default "1,4095")
+      --enable-lb                                 Enable load balancer, default: true (default true)
+      --enable-np                                 Enable network policy support, default: true (default true)
       --kubeconfig string                         Path to kubeconfig file with authorization and master location information. If not set use the inCluster token.
       --log_backtrace_at traceLocation            when logging hits line file:N, emit a stack trace (default :0)
       --log_dir string                            If non-empty, write log files in this directory
@@ -119,6 +120,7 @@ You can use `--default-cidr` flags below to config default Pod CIDR or create a
       --ovn-nb-addr string                        ovn-nb address
       --ovn-sb-addr string                        ovn-sb address
       --ovn-timeout int                            (default 30)
+      --pod-nic-type string                       The default pod network nic implementation type, default: veth-pair (default "veth-pair")
       --pprof-port int                            The port to get profiling data, default 10660 (default 10660)
       --skip_headers                              If true, avoid header prefixes in the log messages
       --skip_log_headers                          If true, avoid headers when opening log files
@@ -146,7 +148,7 @@ You can use `--default-cidr` flags below to config default Pod CIDR or create a
       --log_file_max_size uint            Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
       --logtostderr                       log to standard error instead of files (default true)
       --mirror-iface string               The mirror nic name that will be created by kube-ovn, default: mirror0 (default "mirror0")
-      --mtu int                           The MTU used by pod iface, default: iface MTU - 100
+      --mtu int                           The MTU used by pod iface in overlay networks, default: iface MTU - 100
       --network-type string               The ovn network type, default: geneve (default "geneve")
       --node-local-dns-ip string          If use nodelocaldns the local dns server ip should be set here, default empty.
       --ovs-socket string                 The socket to local ovs-server

diff --git a/pkg/controller/config.go b/pkg/controller/config.go
@@ -57,6 +57,7 @@ type Configuration struct {
 	DefaultVlanID        int
 
 	EnableLb bool
+	EnableNP bool
 }
 
 // ParseFlags parses cmd args then init kubeclient and conf
@@ -86,13 +87,14 @@ func ParseFlags() (*Configuration, error) {
 		argWorkerNum = pflag.Int("worker-num", 3, "The parallelism of each worker, default: 3")
 		argPprofPort = pflag.Int("pprof-port", 10660, "The port to get profiling data, default 10660")
 
-		argsNetworkType          = pflag.String("network-type", util.NetworkTypeGeneve, "The ovn network type, default: geneve")
-		argsDefaultProviderName  = pflag.String("default-provider-name", "provider", "The vlan or vxlan type default provider interface name, default: provider")
-		argsDefaultInterfaceName = pflag.String("default-interface-name", "", "The default host interface name in the vlan/vxlan type")
-		argsDefaultVlanName      = pflag.String("default-vlan-name", "ovn-vlan", "The default vlan name, default: ovn-vlan")
-		argsDefaultVlanID        = pflag.Int("default-vlan-id", 1, "The default vlan id, default: 1")
-		argsPodNicType           = pflag.String("pod-nic-type", "veth-pair", "The default pod network nic implementation type, default: veth-pair")
-		argsEnableLb             = pflag.Bool("enable-lb", true, "Enable load balancer, default: true")
+		argNetworkType          = pflag.String("network-type", util.NetworkTypeGeneve, "The ovn network type, default: geneve")
+		argDefaultProviderName  = pflag.String("default-provider-name", "provider", "The vlan or vxlan type default provider interface name, default: provider")
+		argDefaultInterfaceName = pflag.String("default-interface-name", "", "The default host interface name in the vlan/vxlan type")
+		argDefaultVlanName      = pflag.String("default-vlan-name", "ovn-vlan", "The default vlan name, default: ovn-vlan")
+		argDefaultVlanID        = pflag.Int("default-vlan-id", 1, "The default vlan id, default: 1")
+		argPodNicType           = pflag.String("pod-nic-type", "veth-pair", "The default pod network nic implementation type, default: veth-pair")
+		argEnableLb             = pflag.Bool("enable-lb", true, "Enable load balancer, default: true")
+		argEnableNP             = pflag.Bool("enable-np", true, "Enable network policy support, default: true")
 	)
 
 	klogFlags := flag.NewFlagSet("klog", flag.ExitOnError)
@@ -132,15 +134,16 @@ func ParseFlags() (*Configuration, error) {
 		ClusterUdpSessionLoadBalancer: *argClusterUdpSessionLoadBalancer,
 		WorkerNum:                     *argWorkerNum,
 		PprofPort:                     *argPprofPort,
-		NetworkType:                   *argsNetworkType,
-		DefaultVlanID:                 *argsDefaultVlanID,
-		DefaultProviderName:           *argsDefaultProviderName,
-		DefaultHostInterface:          *argsDefaultInterfaceName,
-		DefaultVlanName:               *argsDefaultVlanName,
+		NetworkType:                   *argNetworkType,
+		DefaultVlanID:                 *argDefaultVlanID,
+		DefaultProviderName:           *argDefaultProviderName,
+		DefaultHostInterface:          *argDefaultInterfaceName,
+		DefaultVlanName:               *argDefaultVlanName,
 		PodName:                       os.Getenv("POD_NAME"),
 		PodNamespace:                  os.Getenv("KUBE_NAMESPACE"),
-		PodNicType:                    *argsPodNicType,
-		EnableLb:                      *argsEnableLb,
+		PodNicType:                    *argPodNicType,
+		EnableLb:                      *argEnableLb,
+		EnableNP:                      *argEnableNP,
 	}
 
 	if config.NetworkType == util.NetworkTypeVlan && config.DefaultHostInterface == "" {

diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
@@ -152,7 +152,6 @@ func NewController(config *Configuration) *Controller {
 	nodeInformer := informerFactory.Core().V1().Nodes()
 	serviceInformer := informerFactory.Core().V1().Services()
 	endpointInformer := informerFactory.Core().V1().Endpoints()
-	npInformer := informerFactory.Networking().V1().NetworkPolicies()
 	configMapInformer := cmInformerFactory.Core().V1().ConfigMaps()
 
 	controller := &Controller{
@@ -225,11 +224,6 @@ func NewController(config *Configuration) *Controller {
 		endpointsSynced:     endpointInformer.Informer().HasSynced,
 		updateEndpointQueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "UpdateEndpoint"),
 
-		npsLister:     npInformer.Lister(),
-		npsSynced:     npInformer.Informer().HasSynced,
-		updateNpQueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "UpdateNp"),
-		deleteNpQueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "DeleteNp"),
-
 		configMapsLister: configMapInformer.Lister(),
 		configMapsSynced: configMapInformer.Informer().HasSynced,
 
@@ -268,12 +262,6 @@ func NewController(config *Configuration) *Controller {
 		UpdateFunc: controller.enqueueUpdateEndpoint,
 	})
 
-	npInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
-		AddFunc:    controller.enqueueAddNp,
-		UpdateFunc: controller.enqueueUpdateNp,
-		DeleteFunc: controller.enqueueDeleteNp,
-	})
-
 	vpcInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
 		AddFunc:    controller.enqueueAddVpc,
 		UpdateFunc: controller.enqueueUpdateVpc,
@@ -304,6 +292,19 @@ func NewController(config *Configuration) *Controller {
 		UpdateFunc: controller.enqueueUpdateVlan,
 	})
 
+	if config.EnableNP {
+		npInformer := informerFactory.Networking().V1().NetworkPolicies()
+		controller.npsLister = npInformer.Lister()
+		controller.npsSynced = npInformer.Informer().HasSynced
+		controller.updateNpQueue = workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "UpdateNp")
+		controller.deleteNpQueue = workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "DeleteNp")
+		npInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+			AddFunc:    controller.enqueueAddNp,
+			UpdateFunc: controller.enqueueUpdateNp,
+			DeleteFunc: controller.enqueueDeleteNp,
+		})
+	}
+
 	return controller
 }
 
@@ -324,7 +325,15 @@ func (c *Controller) Run(stopCh <-chan struct{}) {
 	c.kubeovnInformerFactory.Start(stopCh)
 
 	klog.Info("Waiting for informer caches to sync")
-	if ok := cache.WaitForCacheSync(stopCh, c.vpcNatGatewaySynced, c.vpcSynced, c.subnetSynced, c.ipSynced, c.vlanSynced, c.podsSynced, c.namespacesSynced, c.nodesSynced, c.serviceSynced, c.endpointsSynced, c.npsSynced, c.configMapsSynced); !ok {
+	cacheSyncs := []cache.InformerSynced{
+		c.vpcNatGatewaySynced, c.vpcSynced, c.subnetSynced, c.ipSynced,
+		c.vlanSynced, c.podsSynced, c.namespacesSynced, c.nodesSynced,
+		c.serviceSynced, c.endpointsSynced, c.configMapsSynced,
+	}
+	if c.config.EnableNP {
+		cacheSyncs = append(cacheSyncs, c.npsSynced)
+	}
+	if ok := cache.WaitForCacheSync(stopCh, cacheSyncs...); !ok {
 		klog.Fatalf("failed to wait for caches to sync")
 	}
 
@@ -384,9 +393,6 @@ func (c *Controller) shutdown() {
 	c.updateServiceQueue.ShutDown()
 	c.updateEndpointQueue.ShutDown()
 
-	c.updateNpQueue.ShutDown()
-	c.deleteNpQueue.ShutDown()
-
 	c.addVlanQueue.ShutDown()
 	c.delVlanQueue.ShutDown()
 	c.updateVlanQueue.ShutDown()
@@ -403,6 +409,11 @@ func (c *Controller) shutdown() {
 	c.updateVpcDnatQueue.ShutDown()
 	c.updateVpcSnatQueue.ShutDown()
 	c.updateVpcSubnetQueue.ShutDown()
+
+	if c.config.EnableNP {
+		c.updateNpQueue.ShutDown()
+		c.deleteNpQueue.ShutDown()
+	}
 }
 
 func (c *Controller) startWorkers(stopCh <-chan struct{}) {
@@ -484,8 +495,10 @@ func (c *Controller) startWorkers(stopCh <-chan struct{}) {
 			go wait.Until(c.runUpdateEndpointWorker, time.Second, stopCh)
 		}
 
-		go wait.Until(c.runUpdateNpWorker, time.Second, stopCh)
-		go wait.Until(c.runDeleteNpWorker, time.Second, stopCh)
+		if c.config.EnableNP {
+			go wait.Until(c.runUpdateNpWorker, time.Second, stopCh)
+			go wait.Until(c.runDeleteNpWorker, time.Second, stopCh)
+		}
 
 		go wait.Until(c.runDelVlanWorker, time.Second, stopCh)
 		go wait.Until(c.runUpdateVlanWorker, time.Second, stopCh)
@@ -515,5 +528,8 @@ func (c *Controller) startWorkers(stopCh <-chan struct{}) {
 
 	go wait.Until(c.resyncSubnetMetrics, 30*time.Second, stopCh)
 	go wait.Until(c.CheckGatewayReady, 5*time.Second, stopCh)
-	go wait.Until(c.CheckNodePortGroup, 10*time.Second, stopCh)
+
+	if c.config.EnableNP {
+		go wait.Until(c.CheckNodePortGroup, 10*time.Second, stopCh)
+	}
 }
diff --git a/pkg/controller/gc.go b/pkg/controller/gc.go
@@ -456,24 +456,27 @@ func (c *Controller) gcLoadBalancer() error {
 
 func (c *Controller) gcPortGroup() error {
 	klog.Infof("start to gc network policy")
-	nps, err := c.npsLister.List(labels.Everything())
-	if err != nil {
-		klog.Errorf("failed to list network policy, %v", err)
-		return err
-	}
+	var npNames []string
+	if c.config.EnableNP {
+		nps, err := c.npsLister.List(labels.Everything())
+		if err != nil {
+			klog.Errorf("failed to list network policy, %v", err)
+			return err
+		}
 
-	npNames := make([]string, 0, len(nps))
-	for _, np := range nps {
-		npNames = append(npNames, fmt.Sprintf("%s/%s", np.Namespace, np.Name))
-	}
-	// append node port group to npNames to avoid gc node port group
-	nodes, err := c.nodesLister.List(labels.Everything())
-	if err != nil {
-		klog.Errorf("failed to list nodes, %v", err)
-		return err
-	}
-	for _, node := range nodes {
-		npNames = append(npNames, fmt.Sprintf("%s/%s", "node", node.Name))
+		npNames = make([]string, 0, len(nps))
+		for _, np := range nps {
+			npNames = append(npNames, fmt.Sprintf("%s/%s", np.Namespace, np.Name))
+		}
+		// append node port group to npNames to avoid gc node port group
+		nodes, err := c.nodesLister.List(labels.Everything())
+		if err != nil {
+			klog.Errorf("failed to list nodes, %v", err)
+			return err
+		}
+		for _, node := range nodes {
+			npNames = append(npNames, fmt.Sprintf("%s/%s", "node", node.Name))
+		}
 	}
 
 	pgs, err := c.ovnClient.ListPortGroup()
@@ -482,7 +485,7 @@ func (c *Controller) gcPortGroup() error {
 		return err
 	}
 	for _, pg := range pgs {
-		if !util.IsStringIn(fmt.Sprintf("%s/%s", pg.NpNamespace, pg.NpName), npNames) {
+		if !c.config.EnableNP || !util.IsStringIn(fmt.Sprintf("%s/%s", pg.NpNamespace, pg.NpName), npNames) {
 			klog.Infof("gc port group %s", pg.Name)
 			if err := c.handleDeleteNp(fmt.Sprintf("%s/%s", pg.NpNamespace, pg.NpName)); err != nil {
 				klog.Errorf("failed to gc np %s/%s, %v", pg.NpNamespace, pg.NpName, err)

diff --git a/pkg/controller/namespace.go b/pkg/controller/namespace.go
@@ -22,9 +22,10 @@ func (c *Controller) enqueueAddNamespace(obj interface{}) {
 	if !c.isLeader() {
 		return
 	}
-	ns := obj.(*v1.Namespace)
-	for _, np := range c.namespaceMatchNetworkPolicies(ns) {
-		c.updateNpQueue.Add(np)
+	if c.config.EnableNP {
+		for _, np := range c.namespaceMatchNetworkPolicies(obj.(*v1.Namespace)) {
+			c.updateNpQueue.Add(np)
+		}
 	}
 	var key string
 	var err error
@@ -40,9 +41,10 @@ func (c *Controller) enqueueDeleteNamespace(obj interface{}) {
 		return
 	}
 
-	ns := obj.(*v1.Namespace)
-	for _, np := range c.namespaceMatchNetworkPolicies(ns) {
-		c.updateNpQueue.Add(np)
+	if c.config.EnableNP {
+		for _, np := range c.namespaceMatchNetworkPolicies(obj.(*v1.Namespace)) {
+			c.updateNpQueue.Add(np)
+		}
 	}
 }
 
@@ -56,7 +58,7 @@ func (c *Controller) enqueueUpdateNamespace(old, new interface{}) {
 		return
 	}
 
-	if !reflect.DeepEqual(oldNs.Labels, newNs.Labels) {
+	if c.config.EnableNP && !reflect.DeepEqual(oldNs.Labels, newNs.Labels) {
 		oldNp := c.namespaceMatchNetworkPolicies(oldNs)
 		newNp := c.namespaceMatchNetworkPolicies(newNs)
 		for _, np := range util.DiffStringSlice(oldNp, newNp) {