Only process traffic impacted by network policies #39

Merged (1 commit), Jun 24, 2024

Conversation

@aojea (Contributor) commented Jun 23, 2024

Optimize the datapath so it does not have to send all packets to user space, only the ones that are subject to network policies.

Fixes: #10, #31, #12

@k8s-ci-robot commented Jun 23, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aojea


@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jun 23, 2024
@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jun 23, 2024
@aojea force-pushed the local_pods branch 2 times, most recently from 0bfd312 to 0390d5e on June 23, 2024 17:12
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 23, 2024
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 23, 2024
@aojea force-pushed the local_pods branch 3 times, most recently from f2b8372 to 6bfb5e7 on June 23, 2024 20:02
@aojea (author) commented Jun 23, 2024

/assign @danwinship

Dan please take a look

@danwinship left a review comment:

This looks like it will work (though you lose all the optimization once you add even a single ANP)...

Another possibility would be to just add "local detector" options like kube-proxy (--cluster-cidr, use node podCIDRs, etc)

pkg/networkpolicy/controller.go (outdated):
if networkPolicy == nil {
return nil
}
podSelector, err := metav1.LabelSelectorAsSelector(&networkPolicy.Spec.PodSelector)

@danwinship commented on this snippet:

So FTR, with the existing code, if you have Pod A on Node 1 that denies all ingress, and Pod B on Node 2 tries to send to it, then Node 2 will drop the packets. With this new code, Node 2 would instead forward the packet to Node 1, and then Node 1 would drop it.

@aojea (author) replied Jun 24, 2024:

Yeah, it is the trade-off, but at least the rules are only evaluated once, on one node; previously, allowed rules were evaluated twice, once on each node.
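The behaviour discussed in this thread, replayed as an added Go model (this is example code written for this page, not code from the PR or from kube-network-policies): a two-node cluster where every node watches the full policy set, a per-node filter that decides which packets leave the kernel for userspace evaluation, and three packets sent by Pod B towards node1. The node names, pod addresses, and the Policy/Node/Result types are constructed for the example; the real project's nftables rules and policy evaluation are not shown. It also models the earlier caveat that enabling admin network policies queues everything again.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Policy models one NetworkPolicy: the pod IPs it selects and the sources allowed
// to reach them. An empty AllowFrom is a deny-all ingress policy.
type Policy struct {
	SelectedPods map[netip.Addr]bool
	AllowFrom    map[netip.Addr]bool
}

// Node models one node running the agent. Every node watches the full policy set;
// only the set of local pods differs between nodes.
type Node struct {
	Name      string
	LocalPods map[netip.Addr]bool
	Policies  []Policy
}

// needsUserspace is the per-node dataplane filter. queueAll is the pre-PR behaviour;
// anpEnabled reproduces the commit message's "process all traffic" fallback.
func needsUserspace(n *Node, src, dst netip.Addr, queueAll, anpEnabled bool) bool {
	if queueAll || anpEnabled {
		return true
	}
	for _, p := range n.Policies {
		for ip := range p.SelectedPods {
			if n.LocalPods[ip] && (ip == src || ip == dst) {
				return true // a local pod selected by a policy is involved
			}
		}
	}
	return false
}

// allowsIngress is the userspace verdict: drop if any policy selecting dst omits src.
func (n *Node) allowsIngress(src, dst netip.Addr) bool {
	for _, p := range n.Policies {
		if p.SelectedPods[dst] && !p.AllowFrom[src] {
			return false
		}
	}
	return true
}

// traverse carries one packet from the source node to the destination node and
// reports which node dropped it ("" if delivered) plus the userspace evaluations spent.
func traverse(src, dst *Node, from, to netip.Addr, queueAll, anp bool) (string, int) {
	evals := 0
	for _, n := range []*Node{src, dst} {
		if !needsUserspace(n, from, to, queueAll, anp) {
			continue // stays in the kernel fast path on this node
		}
		evals++
		if !n.allowsIngress(from, to) {
			return n.Name, evals
		}
	}
	return "", evals
}

// Result summarises one run of the constructed two-node scenario.
type Result struct {
	DeniedAt        string // node that dropped the packet to the deny-all pod
	AllowedEvals    int    // evaluations spent on a packet a policy explicitly allows
	UnselectedEvals int    // evaluations spent on a packet no policy selects
}

// runScenario uses constructed pod addresses: node1 hosts Pod A (deny-all ingress),
// Pod C (allows ingress from Pod B) and Pod D (no policy); node2 hosts Pod B (no
// policy). Every packet is sent by Pod B towards node1.
func runScenario(queueAll, anp bool) Result {
	podA := netip.MustParseAddr("10.244.1.10")
	podC := netip.MustParseAddr("10.244.1.11")
	podD := netip.MustParseAddr("10.244.1.12")
	podB := netip.MustParseAddr("10.244.2.10")
	policies := []Policy{
		{SelectedPods: map[netip.Addr]bool{podA: true}},
		{SelectedPods: map[netip.Addr]bool{podC: true}, AllowFrom: map[netip.Addr]bool{podB: true}},
	}
	node1 := &Node{Name: "node1", LocalPods: map[netip.Addr]bool{podA: true, podC: true, podD: true}, Policies: policies}
	node2 := &Node{Name: "node2", LocalPods: map[netip.Addr]bool{podB: true}, Policies: policies}

	var r Result
	r.DeniedAt, _ = traverse(node2, node1, podB, podA, queueAll, anp)
	_, r.AllowedEvals = traverse(node2, node1, podB, podC, queueAll, anp)
	_, r.UnselectedEvals = traverse(node2, node1, podB, podD, queueAll, anp)
	return r
}

func main() {
	fmt.Printf("before PR:      %+v\n", runScenario(true, false))
	fmt.Printf("after PR:       %+v\n", runScenario(false, false))
	fmt.Printf("after PR + ANP: %+v\n", runScenario(false, true))
}
```

With queueAll set, the packet to the deny-all pod is dropped on node2 (the sender's node) and every allowed or unselected packet costs two evaluations; with the post-PR filter it is dropped on node1 instead, an allowed packet costs one evaluation and a packet no policy selects never leaves the kernel. Setting anp restores the queueAll numbers, which is the optimization loss the review points out.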

cmd/main.go (resolved thread)
@aojea (author) commented Jun 24, 2024

> This looks like it will work (though you lose all the optimization once you add even a single ANP)...

Cluster Wide Policies are hard to implement in the dataplane

> Another possibility would be to just add "local detector" options like kube-proxy (--cluster-cidr, use node podCIDRs, etc)

Since the controller already has the pod information, this looks simpler; kube-proxy does not watch pods and needs to depend on those heuristics.

Instead of sending all traffic to user space, only process
the traffic that is impacted by network policies.

If admin network policies are enabled then we process all traffic.
@aojea merged commit 7c4dfc0 into kubernetes-sigs:main Jun 24, 2024
8 of 9 checks passed
@danwinship commented:
It would still be better for it to be a command-line option, even if it's required. Required environment variables are terrible.

@aojea (author) commented Jun 25, 2024

> It would still be better for it to be a command-line option, even if it's required. Required environment variables are terrible.

I just want to fix the flake; let me open an issue so I don't forget, and do the change.

Successfully merging this pull request may close these issues: Do not process packet twice