From c0130ebddb6e1927664d43faa3abaad151b561db Mon Sep 17 00:00:00 2001 From: rejain456 Date: Wed, 18 Dec 2024 18:08:16 -0800 Subject: [PATCH 01/18] added npm lite default deny cni changes --- cni/network/invoker.go | 3 ++- cni/network/invoker_cns.go | 5 +++++ cni/network/network.go | 2 ++ cns/NetworkContainerContract.go | 3 +++ 4 files changed, 12 insertions(+), 1 deletion(-) diff --git a/cni/network/invoker.go b/cni/network/invoker.go index 9e766d020c..369ce46f77 100644 --- a/cni/network/invoker.go +++ b/cni/network/invoker.go @@ -28,7 +28,8 @@ type IPAMAddConfig struct { type IPAMAddResult struct { interfaceInfo map[string]network.InterfaceInfo // ncResponse and host subnet prefix were moved into interface info - ipv6Enabled bool + ipv6Enabled bool + defaultDenyACL []cni.KVPair } func (ipamAddResult IPAMAddResult) PrettyString() string { diff --git a/cni/network/invoker_cns.go b/cni/network/invoker_cns.go index 02e0ce7351..43b8001492 100644 --- a/cni/network/invoker_cns.go +++ b/cni/network/invoker_cns.go @@ -55,6 +55,7 @@ type IPResultInfo struct { skipDefaultRoutes bool routes []cns.Route pnpID string + defaultDenyACL []cni.KVPair } func (i IPResultInfo) MarshalLogObject(encoder zapcore.ObjectEncoder) error { @@ -159,6 +160,7 @@ func (invoker *CNSIPAMInvoker) Add(addConfig IPAMAddConfig) (IPAMAddResult, erro skipDefaultRoutes: response.PodIPInfo[i].SkipDefaultRoutes, routes: response.PodIPInfo[i].Routes, pnpID: response.PodIPInfo[i].PnPID, + defaultDenyACL: response.PodIPInfo[i].DefaultDenyACL, } logger.Info("Received info for pod", 
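Review bot: `IPResultInfo` gains `defaultDenyACL`, but nothing in the hunk shows `MarshalLogObject` (the context line that closes the hunk) encoding it, so the `Received info for pod` log in the following hunk presumably still gives no sign of whether CNS sent a deny policy — worth confirming against the method body, which is outside the hunk. Because the values are raw JSON blobs, a count is enough for triage: `encoder.AddInt("defaultDenyACLCount", len(i.defaultDenyACL))`. The renames of this field in PATCH 09 and PATCH 10 carry the same gap.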
@@ -444,6 +446,9 @@ func configureDefaultAddResult(info *IPResultInfo, addConfig *IPAMAddConfig, add Gw: ncgw, }) } + + addResult.defaultDenyACL = append(addResult.defaultDenyACL, info.defaultDenyACL...) + // if we have multiple infra ip result infos, we effectively append routes and ip configs to that same interface info each time // the host subnet prefix (in ipv4 or ipv6) will always refer to the same interface regardless of which ip result info we look at addResult.interfaceInfo[key] = network.InterfaceInfo{ diff --git a/cni/network/network.go b/cni/network/network.go index 6b0635e1c7..a04906fa56 100644 --- a/cni/network/network.go +++ b/cni/network/network.go @@ -589,6 +589,8 @@ func (plugin *NetPlugin) Add(args *cniSkel.CmdArgs) error { // sendEvent(plugin, fmt.Sprintf("Allocated IPAddress from ipam DefaultInterface: %+v, SecondaryInterfaces: %+v", ipamAddResult.interfaceInfo[ifIndex], ipamAddResult.interfaceInfo)) } + logger.Info("The length of ipamAddResult defaultDenyACL's is", zap.Any("defaultDenyACLLength", ipamAddResult.defaultDenyACL)) + nwCfg.AdditionalArgs = append(nwCfg.AdditionalArgs, ipamAddResult.defaultDenyACL...) policies := cni.GetPoliciesFromNwCfg(nwCfg.AdditionalArgs) // moved to addIpamInvoker // sendEvent(plugin, fmt.Sprintf("Allocated IPAddress from ipam interface: %+v", ipamAddResult.PrettyString())) diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go index 394f871f09..18829c3f8b 100644 --- a/cns/NetworkContainerContract.go +++ b/cns/NetworkContainerContract.go @@ -7,6 +7,7 @@ import ( "strconv" "strings" + "github.com/Azure/azure-container-networking/cni" "github.com/Azure/azure-container-networking/cns/types" "github.com/Azure/azure-container-networking/crd/nodenetworkconfig/api/v1alpha" "github.com/google/uuid" 
@@ -503,6 +504,8 @@ type PodIpInfo struct { Routes []Route // PnpId is set for backend interfaces, Pnp Id identifies VF. Plug and play id(pnp) is also called as PCI ID PnPID string + // Defauly Deny ACL's to configure on HNS endpoints for Swiftv2 window nodes + DefaultDenyACL []cni.KVPair } type HostIPInfo struct { From 4d4eab1d3345a7fdd1df63ecf3b09f6983a6f1db Mon Sep 17 00:00:00 2001 From: rejain456 Date: Fri, 20 Dec 2024 16:49:32 -0800 Subject: [PATCH 02/18] added changes for unit tests --- cni/network/invoker_cns_test.go | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/cni/network/invoker_cns_test.go b/cni/network/invoker_cns_test.go index c2d4963151..67b8a533d8 100644 --- a/cni/network/invoker_cns_test.go +++ b/cni/network/invoker_cns_test.go @@ -521,7 +521,30 @@ func TestCNSIPAMInvoker_Add(t *testing.T) { hostSubnetPrefix *net.IPNet options map[string]interface{} } + valueOut := []byte(`{ + "Type": "ACL", + "Action": "Block", + "Direction": "Out", + "Priority": 10000 + }`) + valueIn := []byte(`{ + "Type": "ACL", + "Action": "Block", + "Direction": "In", + "Priority": 10000 + }`) + + expectedDefaultDenyACL := []cni.KVPair{ + { + Name: "EndpointPolicy", + Value: valueOut, + }, + { + Name: "EndpointPolicy", + Value: valueIn, + }, + } tests := []struct { name string fields fields @@ -559,7 +582,8 @@ func TestCNSIPAMInvoker_Add(t *testing.T) { PrimaryIP: "10.0.0.1", Subnet: "10.0.0.0/24", }, - NICType: cns.InfraNIC, + NICType: cns.InfraNIC, + DefaultDenyACL: expectedDefaultDenyACL, }, }, Response: cns.Response{ @@ -628,6 +652,7 @@ func TestCNSIPAMInvoker_Add(t *testing.T) { PrimaryIP: "10.0.0.1", Subnet: "10.0.0.0/24", }, + DefaultDenyACL: expectedDefaultDenyACL, }, }, Response: cns.Response{ 
@@ -696,7 +721,8 @@ func TestCNSIPAMInvoker_Add(t *testing.T) { PrimaryIP: "10.0.0.1", Subnet: "10.0.0.0/24", }, - NICType: cns.InfraNIC, + NICType: cns.InfraNIC, + DefaultDenyACL: expectedDefaultDenyACL, }, { PodIPConfig: cns.IPSubnet{ @@ -795,8 +821,10 @@ func TestCNSIPAMInvoker_Add(t *testing.T) { ipamAddResult, err := invoker.Add(IPAMAddConfig{nwCfg: tt.args.nwCfg, args: tt.args.args, options: tt.args.options}) if tt.wantErr { require.Error(err) + require.Equalf([]cni.KVPair(nil), ipamAddResult.defaultDenyACL, "incorrect default deny ACL") } else { require.NoError(err) + require.Equalf(expectedDefaultDenyACL, ipamAddResult.defaultDenyACL, "incorrect default deny ACL") } for _, ifInfo := range ipamAddResult.interfaceInfo { From 4a4c990e4561b5820a027a8c6d0c44b2e05c7dfc Mon Sep 17 00:00:00 2001 From: rejain456 Date: Mon, 23 Dec 2024 13:50:23 -0800 Subject: [PATCH 03/18] fixed test message --- cni/network/invoker_cns_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni/network/invoker_cns_test.go b/cni/network/invoker_cns_test.go index 67b8a533d8..785df5cb7e 100644 --- a/cni/network/invoker_cns_test.go +++ b/cni/network/invoker_cns_test.go @@ -824,7 +824,7 @@ func TestCNSIPAMInvoker_Add(t *testing.T) { require.Equalf([]cni.KVPair(nil), ipamAddResult.defaultDenyACL, "incorrect default deny ACL") } else { require.NoError(err) - require.Equalf(expectedDefaultDenyACL, ipamAddResult.defaultDenyACL, "incorrect default deny ACL") + require.Equalf(expectedDefaultDenyACL, ipamAddResult.defaultDenyACL, "correct default deny ACL") } for _, ifInfo := range ipamAddResult.interfaceInfo { From 162714bc55535dd825913fb254d95a5023640f51 Mon Sep 17 00:00:00 2001 
From: rejain456 Date: Mon, 23 Dec 2024 18:23:04 -0800 Subject: [PATCH 04/18] moved default deny acl under interfaceinfo --- cni/network/invoker.go | 3 +-- cni/network/invoker_cns.go | 3 +-- cni/network/invoker_cns_test.go | 3 +-- cni/network/network.go | 10 +++++++--- network/endpoint.go | 2 ++ 5 files changed, 12 insertions(+), 9 deletions(-) diff --git a/cni/network/invoker.go b/cni/network/invoker.go index 369ce46f77..9e766d020c 100644 --- a/cni/network/invoker.go +++ b/cni/network/invoker.go @@ -28,8 +28,7 @@ type IPAMAddConfig struct { type IPAMAddResult struct { interfaceInfo map[string]network.InterfaceInfo // ncResponse and host subnet prefix were moved into interface info - ipv6Enabled bool - defaultDenyACL []cni.KVPair + ipv6Enabled bool } func (ipamAddResult IPAMAddResult) PrettyString() string { diff --git a/cni/network/invoker_cns.go b/cni/network/invoker_cns.go index 43b8001492..4759942100 100644 --- a/cni/network/invoker_cns.go +++ b/cni/network/invoker_cns.go @@ -447,8 +447,6 @@ func configureDefaultAddResult(info *IPResultInfo, addConfig *IPAMAddConfig, add }) } - addResult.defaultDenyACL = append(addResult.defaultDenyACL, info.defaultDenyACL...) - // if we have multiple infra ip result infos, we effectively append routes and ip configs to that same interface info each time // the host subnet prefix (in ipv4 or ipv6) will always refer to the same interface regardless of which ip result info we look at addResult.interfaceInfo[key] = network.InterfaceInfo{ @@ -457,6 +455,7 @@ func configureDefaultAddResult(info *IPResultInfo, addConfig *IPAMAddConfig, add IPConfigs: ipConfigs, Routes: resRoute, HostSubnetPrefix: *hostIPNet, + DefaultDenyACL: info.defaultDenyACL, } } diff --git a/cni/network/invoker_cns_test.go b/cni/network/invoker_cns_test.go index 785df5cb7e..eed8213db1 100644 --- a/cni/network/invoker_cns_test.go +++ b/cni/network/invoker_cns_test.go 
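Review bot: `DefaultDenyACL: info.defaultDenyACL` replaces the value on every call, while the comment a few lines up says routes and IP configs for the same key are accumulated across multiple infra IP result infos (the dual-stack case). If CNS attaches the ACL to only one PodIpInfo, a later result info overwrites it with nil and the pod comes up without the deny policy; if CNS attaches it to every PodIpInfo, the append used in PATCH 01 would have duplicated it — and the dual-stack test sets identical policies on both entries, so it cannot tell the two apart. The intended contract should be stated in a comment here and enforced, e.g. keep the existing entry's value when the new one is empty, or de-duplicate before assigning. `configureDefaultAddResult` starts outside the hunk; PATCH 10's hunk renaming the field to `EndpointPolicies` keeps the same overwrite semantics.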
@@ -821,10 +821,8 @@ func TestCNSIPAMInvoker_Add(t *testing.T) { ipamAddResult, err := invoker.Add(IPAMAddConfig{nwCfg: tt.args.nwCfg, args: tt.args.args, options: tt.args.options}) if tt.wantErr { require.Error(err) - require.Equalf([]cni.KVPair(nil), ipamAddResult.defaultDenyACL, "incorrect default deny ACL") } else { require.NoError(err) - require.Equalf(expectedDefaultDenyACL, ipamAddResult.defaultDenyACL, "correct default deny ACL") } for _, ifInfo := range ipamAddResult.interfaceInfo { @@ -837,6 +835,7 @@ func TestCNSIPAMInvoker_Add(t *testing.T) { } if ifInfo.NICType == cns.InfraNIC { require.Equalf(tt.wantDefaultResult, ifInfo, "incorrect default response") + require.Equalf(expectedDefaultDenyACL, ifInfo.DefaultDenyACL, "Correct default deny ACL") } } }) diff --git a/cni/network/network.go b/cni/network/network.go index a04906fa56..5e912f4ada 100644 --- a/cni/network/network.go +++ b/cni/network/network.go @@ -564,7 +564,7 @@ func (plugin *NetPlugin) Add(args *cniSkel.CmdArgs) error { if len(ipamAddResult.interfaceInfo) > 1 && !plugin.isDualNicFeatureSupported(args.Netns) { errMsg := fmt.Sprintf("received multiple NC results %+v from CNS while dualnic feature is not supported", ipamAddResult.interfaceInfo) logger.Error("received multiple NC results from CNS while dualnic feature is not supported", - zap.Any("results", ipamAddResult.interfaceInfo)) + zap.Any("Processing interfaceInfo", ipamAddResult.interfaceInfo)) return plugin.Errorf(errMsg) } } else { 
@@ -589,8 +589,12 @@ func (plugin *NetPlugin) Add(args *cniSkel.CmdArgs) error { // sendEvent(plugin, fmt.Sprintf("Allocated IPAddress from ipam DefaultInterface: %+v, SecondaryInterfaces: %+v", ipamAddResult.interfaceInfo[ifIndex], ipamAddResult.interfaceInfo)) } - logger.Info("The length of ipamAddResult defaultDenyACL's is", zap.Any("defaultDenyACLLength", ipamAddResult.defaultDenyACL)) - nwCfg.AdditionalArgs = append(nwCfg.AdditionalArgs, ipamAddResult.defaultDenyACL...) + for key := range ipamAddResult.interfaceInfo { + if key == string(cns.InfraNIC) { + nwCfg.AdditionalArgs = append(nwCfg.AdditionalArgs, ipamAddResult.interfaceInfo[key].DefaultDenyACL...) + logger.Info("nwCfg.AdditionalArgs2:", zap.Any("ifInfo", nwCfg.AdditionalArgs)) + } + } policies := cni.GetPoliciesFromNwCfg(nwCfg.AdditionalArgs) // moved to addIpamInvoker // sendEvent(plugin, fmt.Sprintf("Allocated IPAddress from ipam interface: %+v", ipamAddResult.PrettyString())) diff --git a/network/endpoint.go b/network/endpoint.go index d06448d389..dd487b23d7 100644 --- a/network/endpoint.go +++ b/network/endpoint.go @@ -9,6 +9,7 @@ import ( "net" "strings" + "github.com/Azure/azure-container-networking/cni" "github.com/Azure/azure-container-networking/cni/log" "github.com/Azure/azure-container-networking/cns" "github.com/Azure/azure-container-networking/netio" @@ -138,6 +139,7 @@ type InterfaceInfo struct { HostSubnetPrefix net.IPNet // Move this field from ipamAddResult NCResponse *cns.GetNetworkContainerResponse PnPID string + DefaultDenyACL []cni.KVPair } type IPConfig struct { From 315a5444ac85cdc4129972c5fc47f4983974b995 Mon Sep 17 00:00:00 2001 From: rejain456 Date: Mon, 23 Dec 2024 18:27:14 -0800 Subject: [PATCH 05/18] reverted a change in network --- cni/network/network.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni/network/network.go b/cni/network/network.go index 5e912f4ada..d30dca3746 100644 --- a/cni/network/network.go +++ b/cni/network/network.go 
@@ -564,7 +564,7 @@ func (plugin *NetPlugin) Add(args *cniSkel.CmdArgs) error {
 if len(ipamAddResult.interfaceInfo) > 1 && !plugin.isDualNicFeatureSupported(args.Netns) {
 errMsg := fmt.Sprintf("received multiple NC results %+v from CNS while dualnic feature is not supported", ipamAddResult.interfaceInfo)
 logger.Error("received multiple NC results from CNS while dualnic feature is not supported",
- zap.Any("Processing interfaceInfo", ipamAddResult.interfaceInfo))
+ zap.Any("results", ipamAddResult.interfaceInfo))
 return plugin.Errorf(errMsg)
 }
 } else {
From fc347fd7373c0f69b30ea118e3f7c426befd4e47 Mon Sep 17 00:00:00 2001
From: rejain456
Date: Mon, 23 Dec 2024 18:29:38 -0800
Subject: [PATCH 06/18] removed a logging line

---
 cni/network/network.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/cni/network/network.go b/cni/network/network.go
index d30dca3746..09c40614bf 100644
--- a/cni/network/network.go
+++ b/cni/network/network.go
@@ -592,7 +592,6 @@ func (plugin *NetPlugin) Add(args *cniSkel.CmdArgs) error {
 for key := range ipamAddResult.interfaceInfo {
 if key == string(cns.InfraNIC) {
 nwCfg.AdditionalArgs = append(nwCfg.AdditionalArgs, ipamAddResult.interfaceInfo[key].DefaultDenyACL...)
- logger.Info("nwCfg.AdditionalArgs2:", zap.Any("ifInfo", nwCfg.AdditionalArgs))
 }
 }
 policies := cni.GetPoliciesFromNwCfg(nwCfg.AdditionalArgs)
From 4aa3a5452e0f30a2e0dd36f51ba8d188ca6409a4 Mon Sep 17 00:00:00 2001
From: rejain456
Date: Mon, 23 Dec 2024 18:30:17 -0800
Subject: [PATCH 07/18] added a new line

---
 cni/network/network.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cni/network/network.go b/cni/network/network.go
index 09c40614bf..056655073b 100644
--- a/cni/network/network.go
+++ b/cni/network/network.go
@@ -594,6 +594,7 @@ func (plugin *NetPlugin) Add(args *cniSkel.CmdArgs) error {
 nwCfg.AdditionalArgs = append(nwCfg.AdditionalArgs, ipamAddResult.interfaceInfo[key].DefaultDenyACL...)
 }
 }
+
 policies := cni.GetPoliciesFromNwCfg(nwCfg.AdditionalArgs)
 // moved to addIpamInvoker
 // sendEvent(plugin, fmt.Sprintf("Allocated IPAddress from ipam interface: %+v", ipamAddResult.PrettyString()))
From 86311a7d51a961ba259e643d0279f96a8e98e402 Mon Sep 17 00:00:00 2001
From: rejain456
Date: Mon, 23 Dec 2024 23:55:51 -0800
Subject: [PATCH 08/18] updated unit test

---
 cni/network/invoker_cns_test.go | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/cni/network/invoker_cns_test.go b/cni/network/invoker_cns_test.go
index eed8213db1..d68578b753 100644
--- a/cni/network/invoker_cns_test.go
+++ b/cni/network/invoker_cns_test.go
@@ -612,6 +612,7 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 Gateway: net.ParseIP("10.0.0.1"),
 },
 },
+ DefaultDenyACL: expectedDefaultDenyACL,
 Routes: []network.RouteInfo{
 {
 Dst: network.Ipv4DefaultRouteDstPrefix,
@@ -681,6 +682,7 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 Gateway: net.ParseIP("10.0.0.1"),
 },
 },
+ DefaultDenyACL: expectedDefaultDenyACL,
 Routes: []network.RouteInfo{
 {
 Dst: network.Ipv4DefaultRouteDstPrefix,
@@ -742,7 +744,8 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 PrimaryIP: "fe80::1234:5678:9abc",
 Subnet: "fd11:1234::/112",
 },
- NICType: cns.InfraNIC,
+ NICType: cns.InfraNIC,
+ DefaultDenyACL: expectedDefaultDenyACL,
 },
 },
 Response: cns.Response{
@@ -775,6 +778,7 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 Gateway: net.ParseIP("fe80::1234:5678:9abc"),
 },
 },
+ DefaultDenyACL: expectedDefaultDenyACL,
 Routes: []network.RouteInfo{
 {
 Dst: network.Ipv4DefaultRouteDstPrefix,
@@ -799,8 +803,19 @@ func TestCNSIPAMInvoker_Add(t *testing.T) { require: require, requestIPs: requestIPsHandler{ ipconfigArgument: getTestIPConfigsRequest(), - result: nil, - err: errors.New("failed error from CNS"), //nolint "error for ut" + result: &cns.IPConfigsResponse{ + PodIPInfo: []cns.PodIpInfo{ + { + DefaultDenyACL: expectedDefaultDenyACL, + }, + }, + Response: cns.Response{ + ReturnCode: 0, + Message: "", + }, + }, + err: errors.New("failed error from CNS"), //nolint "error for ut" + }, }, }, @@ -820,6 +835,7 @@ func TestCNSIPAMInvoker_Add(t *testing.T) { } ipamAddResult, err := invoker.Add(IPAMAddConfig{nwCfg: tt.args.nwCfg, args: tt.args.args, options: tt.args.options}) if tt.wantErr { + require.Equalf([]cni.KVPair(nil), ipamAddResult.interfaceInfo[string(cns.InfraNIC)].DefaultDenyACL, "Correct default deny ACL") require.Error(err) } else { require.NoError(err) From 8b79796c41bcfc9ba0cf9b305ad12ce3e2ded98c Mon Sep 17 00:00:00 2001 From: rejain456 Date: Mon, 6 Jan 2025 14:59:57 -0800 Subject: [PATCH 09/18] moved cni kv pair to common folder --- cni/netconfig.go | 11 +++-------- cni/network/invoker_cns.go | 3 ++- cni/network/invoker_cns_test.go | 5 +++-- cni/network/network_windows_test.go | 3 ++- cns/NetworkContainerContract.go | 4 ++-- common/config.go | 8 ++++++++ network/endpoint.go | 4 ++-- 7 files changed, 22 insertions(+), 16 deletions(-) diff --git a/cni/netconfig.go b/cni/netconfig.go index c7e0c0ca7e..68d5cd775e 100644 --- a/cni/netconfig.go +++ b/cni/netconfig.go @@ -7,6 +7,7 @@ import ( "encoding/json" "strings" + acn "github.com/Azure/azure-container-networking/common" "github.com/Azure/azure-container-networking/network/policy" cniTypes "github.com/containernetworking/cni/pkg/types" ) 
@@ -15,12 +16,6 @@ const ( PolicyStr string = "Policy" ) -// KVPair represents a K-V pair of a json object. -type KVPair struct { - Name string `json:"name"` - Value json.RawMessage `json:"value"` -} - type PortMapping struct { HostPort int `json:"hostPort"` ContainerPort int `json:"containerPort"` @@ -78,7 +73,7 @@ type NetworkConfig struct { DNS cniTypes.DNS `json:"dns,omitempty"` RuntimeConfig RuntimeConfig `json:"runtimeConfig,omitempty"` WindowsSettings WindowsSettings `json:"windowsSettings,omitempty"` - AdditionalArgs []KVPair `json:"AdditionalArgs,omitempty"` + AdditionalArgs []acn.KVPair `json:"AdditionalArgs,omitempty"` } type WindowsSettings struct { @@ -121,7 +116,7 @@ func ParseNetworkConfig(b []byte) (*NetworkConfig, error) { } // GetPoliciesFromNwCfg returns network policies from network config. -func GetPoliciesFromNwCfg(kvp []KVPair) []policy.Policy { +func GetPoliciesFromNwCfg(kvp []acn.KVPair) []policy.Policy { var policies []policy.Policy for _, pair := range kvp { if strings.Contains(pair.Name, PolicyStr) { diff --git a/cni/network/invoker_cns.go b/cni/network/invoker_cns.go index 4759942100..9221cdeaa5 100644 --- a/cni/network/invoker_cns.go +++ b/cni/network/invoker_cns.go @@ -12,6 +12,7 @@ import ( "github.com/Azure/azure-container-networking/cns" cnscli "github.com/Azure/azure-container-networking/cns/client" "github.com/Azure/azure-container-networking/cns/fsnotify" + acn "github.com/Azure/azure-container-networking/common" "github.com/Azure/azure-container-networking/iptables" "github.com/Azure/azure-container-networking/network" "github.com/Azure/azure-container-networking/network/networkutils" @@ -55,7 +56,7 @@ type IPResultInfo struct { skipDefaultRoutes bool routes []cns.Route pnpID string - defaultDenyACL []cni.KVPair + defaultDenyACL []acn.KVPair } func (i IPResultInfo) MarshalLogObject(encoder zapcore.ObjectEncoder) error { 
diff --git a/cni/network/invoker_cns_test.go b/cni/network/invoker_cns_test.go index d68578b753..75ffc499e8 100644 --- a/cni/network/invoker_cns_test.go +++ b/cni/network/invoker_cns_test.go @@ -10,6 +10,7 @@ import ( "github.com/Azure/azure-container-networking/cni" "github.com/Azure/azure-container-networking/cni/util" "github.com/Azure/azure-container-networking/cns" + acn "github.com/Azure/azure-container-networking/common" "github.com/Azure/azure-container-networking/iptables" "github.com/Azure/azure-container-networking/network" cniSkel "github.com/containernetworking/cni/pkg/skel" @@ -535,7 +536,7 @@ func TestCNSIPAMInvoker_Add(t *testing.T) { "Priority": 10000 }`) - expectedDefaultDenyACL := []cni.KVPair{ + expectedDefaultDenyACL := []acn.KVPair{ { Name: "EndpointPolicy", Value: valueOut, @@ -835,7 +836,7 @@ func TestCNSIPAMInvoker_Add(t *testing.T) { } ipamAddResult, err := invoker.Add(IPAMAddConfig{nwCfg: tt.args.nwCfg, args: tt.args.args, options: tt.args.options}) if tt.wantErr { - require.Equalf([]cni.KVPair(nil), ipamAddResult.interfaceInfo[string(cns.InfraNIC)].DefaultDenyACL, "Correct default deny ACL") + require.Equalf([]acn.KVPair(nil), ipamAddResult.interfaceInfo[string(cns.InfraNIC)].DefaultDenyACL, "Correct default deny ACL") require.Error(err) } else { require.NoError(err) diff --git a/cni/network/network_windows_test.go b/cni/network/network_windows_test.go index 9da54a4ca4..39da4bd414 100644 --- a/cni/network/network_windows_test.go +++ b/cni/network/network_windows_test.go @@ -12,6 +12,7 @@ import ( "github.com/Azure/azure-container-networking/cni" "github.com/Azure/azure-container-networking/cns" + acn "github.com/Azure/azure-container-networking/common" "github.com/Azure/azure-container-networking/network" "github.com/Azure/azure-container-networking/network/hnswrapper" "github.com/Azure/azure-container-networking/network/policy" 
@@ -941,7 +942,7 @@ func TestPluginWindowsAdd(t *testing.T) { EnableExactMatchForPodName: true, Master: "eth0", // these are added to test that policies propagate to endpoint info - AdditionalArgs: []cni.KVPair{ + AdditionalArgs: []acn.KVPair{ { Name: "EndpointPolicy", Value: GetRawOutBoundNATPolicy(), diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go index 18829c3f8b..72ab3f0b2e 100644 --- a/cns/NetworkContainerContract.go +++ b/cns/NetworkContainerContract.go @@ -7,8 +7,8 @@ import ( "strconv" "strings" - "github.com/Azure/azure-container-networking/cni" "github.com/Azure/azure-container-networking/cns/types" + acn "github.com/Azure/azure-container-networking/common" "github.com/Azure/azure-container-networking/crd/nodenetworkconfig/api/v1alpha" "github.com/google/uuid" "github.com/pkg/errors" @@ -505,7 +505,7 @@ type PodIpInfo struct { // PnpId is set for backend interfaces, Pnp Id identifies VF. Plug and play id(pnp) is also called as PCI ID PnPID string // Defauly Deny ACL's to configure on HNS endpoints for Swiftv2 window nodes - DefaultDenyACL []cni.KVPair + DefaultDenyACL []acn.KVPair } type HostIPInfo struct { diff --git a/common/config.go b/common/config.go index 3434c2e2e1..87ec27ae11 100644 --- a/common/config.go +++ b/common/config.go @@ -3,6 +3,8 @@ package common +import "encoding/json" + // Command line options. const ( // Operating environment. @@ -146,3 +148,9 @@ const ( // OptCNIConflistScenarioAlias "shorthand" for the cni conflist scenairo, see above OptCNIConflistScenarioAlias = "cniconflistscenario" ) + +// KVPair represents a K-V pair of a json object. +type KVPair struct { + Name string `json:"name"` + Value json.RawMessage `json:"value"` +} diff --git a/network/endpoint.go b/network/endpoint.go index dd487b23d7..d400b16900 100644 --- a/network/endpoint.go +++ b/network/endpoint.go 
@@ -9,9 +9,9 @@ import ( "net" "strings" - "github.com/Azure/azure-container-networking/cni" "github.com/Azure/azure-container-networking/cni/log" "github.com/Azure/azure-container-networking/cns" + acn "github.com/Azure/azure-container-networking/common" "github.com/Azure/azure-container-networking/netio" "github.com/Azure/azure-container-networking/netlink" "github.com/Azure/azure-container-networking/network/policy" @@ -139,7 +139,7 @@ type InterfaceInfo struct { HostSubnetPrefix net.IPNet // Move this field from ipamAddResult NCResponse *cns.GetNetworkContainerResponse PnPID string - DefaultDenyACL []cni.KVPair + DefaultDenyACL []acn.KVPair } type IPConfig struct { From 49da7b671a632cca43736f8a60c861a841368994 Mon Sep 17 00:00:00 2001 From: rejain456 Date: Wed, 8 Jan 2025 19:17:47 -0800 Subject: [PATCH 10/18] updated cni code to match network container contract update --- cni/netconfig.go | 11 ++++++--- cni/network/invoker_cns.go | 8 +++--- cni/network/invoker_cns_test.go | 38 ++++++++++++++--------------- cni/network/network.go | 5 ++-- cni/network/network_windows_test.go | 3 +-- cns/NetworkContainerContract.go | 6 ++--- common/config.go | 8 ------ network/endpoint.go | 3 +-- 8 files changed, 38 insertions(+), 44 deletions(-) diff --git a/cni/netconfig.go b/cni/netconfig.go index 68d5cd775e..c7e0c0ca7e 100644 --- a/cni/netconfig.go +++ b/cni/netconfig.go @@ -7,7 +7,6 @@ import ( "encoding/json" "strings" - acn "github.com/Azure/azure-container-networking/common" "github.com/Azure/azure-container-networking/network/policy" cniTypes "github.com/containernetworking/cni/pkg/types" ) @@ -16,6 +15,12 @@ const ( PolicyStr string = "Policy" ) +// KVPair represents a K-V pair of a json object. +type KVPair struct { + Name string `json:"name"` + Value json.RawMessage `json:"value"` +} + type PortMapping struct { HostPort int `json:"hostPort"` ContainerPort int `json:"containerPort"` 
@@ -73,7 +78,7 @@ type NetworkConfig struct { DNS cniTypes.DNS `json:"dns,omitempty"` RuntimeConfig RuntimeConfig `json:"runtimeConfig,omitempty"` WindowsSettings WindowsSettings `json:"windowsSettings,omitempty"` - AdditionalArgs []acn.KVPair `json:"AdditionalArgs,omitempty"` + AdditionalArgs []KVPair `json:"AdditionalArgs,omitempty"` } type WindowsSettings struct { @@ -116,7 +121,7 @@ func ParseNetworkConfig(b []byte) (*NetworkConfig, error) { } // GetPoliciesFromNwCfg returns network policies from network config. -func GetPoliciesFromNwCfg(kvp []acn.KVPair) []policy.Policy { +func GetPoliciesFromNwCfg(kvp []KVPair) []policy.Policy { var policies []policy.Policy for _, pair := range kvp { if strings.Contains(pair.Name, PolicyStr) { diff --git a/cni/network/invoker_cns.go b/cni/network/invoker_cns.go index 9221cdeaa5..928096b361 100644 --- a/cni/network/invoker_cns.go +++ b/cni/network/invoker_cns.go @@ -12,10 +12,10 @@ import ( "github.com/Azure/azure-container-networking/cns" cnscli "github.com/Azure/azure-container-networking/cns/client" "github.com/Azure/azure-container-networking/cns/fsnotify" - acn "github.com/Azure/azure-container-networking/common" "github.com/Azure/azure-container-networking/iptables" "github.com/Azure/azure-container-networking/network" "github.com/Azure/azure-container-networking/network/networkutils" + "github.com/Azure/azure-container-networking/network/policy" cniSkel "github.com/containernetworking/cni/pkg/skel" "github.com/pkg/errors" "go.uber.org/zap" @@ -56,7 +56,7 @@ type IPResultInfo struct { skipDefaultRoutes bool routes []cns.Route pnpID string - defaultDenyACL []acn.KVPair + endpointPolicies []policy.Policy } func (i IPResultInfo) MarshalLogObject(encoder zapcore.ObjectEncoder) error { 
@@ -161,7 +161,7 @@ func (invoker *CNSIPAMInvoker) Add(addConfig IPAMAddConfig) (IPAMAddResult, erro skipDefaultRoutes: response.PodIPInfo[i].SkipDefaultRoutes, routes: response.PodIPInfo[i].Routes, pnpID: response.PodIPInfo[i].PnPID, - defaultDenyACL: response.PodIPInfo[i].DefaultDenyACL, + endpointPolicies: response.PodIPInfo[i].EndpointPolicies, } logger.Info("Received info for pod", @@ -456,7 +456,7 @@ func configureDefaultAddResult(info *IPResultInfo, addConfig *IPAMAddConfig, add IPConfigs: ipConfigs, Routes: resRoute, HostSubnetPrefix: *hostIPNet, - DefaultDenyACL: info.defaultDenyACL, + EndpointPolicies: info.endpointPolicies, } } diff --git a/cni/network/invoker_cns_test.go b/cni/network/invoker_cns_test.go index 75ffc499e8..0ccfca779c 100644 --- a/cni/network/invoker_cns_test.go +++ b/cni/network/invoker_cns_test.go @@ -10,9 +10,9 @@ import ( "github.com/Azure/azure-container-networking/cni" "github.com/Azure/azure-container-networking/cni/util" "github.com/Azure/azure-container-networking/cns" - acn "github.com/Azure/azure-container-networking/common" "github.com/Azure/azure-container-networking/iptables" "github.com/Azure/azure-container-networking/network" + "github.com/Azure/azure-container-networking/network/policy" cniSkel "github.com/containernetworking/cni/pkg/skel" "github.com/stretchr/testify/require" ) @@ -536,14 +536,14 @@ func TestCNSIPAMInvoker_Add(t *testing.T) { "Priority": 10000 }`) - expectedDefaultDenyACL := []acn.KVPair{ + expectedEndpointPolicies := []policy.Policy{ { - Name: "EndpointPolicy", - Value: valueOut, + Type: policy.ACLPolicy, + Data: valueOut, }, { - Name: "EndpointPolicy", - Value: valueIn, + Type: policy.ACLPolicy, + Data: valueIn, }, } tests := []struct { 
@@ -583,8 +583,8 @@ func TestCNSIPAMInvoker_Add(t *testing.T) { PrimaryIP: "10.0.0.1", Subnet: "10.0.0.0/24", }, - NICType: cns.InfraNIC, - DefaultDenyACL: expectedDefaultDenyACL, + NICType: cns.InfraNIC, + EndpointPolicies: expectedEndpointPolicies, }, }, Response: cns.Response{ @@ -613,7 +613,7 @@ func TestCNSIPAMInvoker_Add(t *testing.T) { Gateway: net.ParseIP("10.0.0.1"), }, }, - DefaultDenyACL: expectedDefaultDenyACL, + EndpointPolicies: expectedEndpointPolicies, Routes: []network.RouteInfo{ { Dst: network.Ipv4DefaultRouteDstPrefix, @@ -654,7 +654,7 @@ func TestCNSIPAMInvoker_Add(t *testing.T) { PrimaryIP: "10.0.0.1", Subnet: "10.0.0.0/24", }, - DefaultDenyACL: expectedDefaultDenyACL, + EndpointPolicies: expectedEndpointPolicies, }, }, Response: cns.Response{ @@ -683,7 +683,7 @@ func TestCNSIPAMInvoker_Add(t *testing.T) { Gateway: net.ParseIP("10.0.0.1"), }, }, - DefaultDenyACL: expectedDefaultDenyACL, + EndpointPolicies: expectedEndpointPolicies, Routes: []network.RouteInfo{ { Dst: network.Ipv4DefaultRouteDstPrefix, @@ -724,8 +724,8 @@ func TestCNSIPAMInvoker_Add(t *testing.T) { PrimaryIP: "10.0.0.1", Subnet: "10.0.0.0/24", }, - NICType: cns.InfraNIC, - DefaultDenyACL: expectedDefaultDenyACL, + NICType: cns.InfraNIC, + EndpointPolicies: expectedEndpointPolicies, }, { PodIPConfig: cns.IPSubnet{ @@ -745,8 +745,8 @@ func TestCNSIPAMInvoker_Add(t *testing.T) { PrimaryIP: "fe80::1234:5678:9abc", Subnet: "fd11:1234::/112", }, - NICType: cns.InfraNIC, - DefaultDenyACL: expectedDefaultDenyACL, + NICType: cns.InfraNIC, + EndpointPolicies: expectedEndpointPolicies, }, }, Response: cns.Response{ @@ -779,7 +779,7 @@ func TestCNSIPAMInvoker_Add(t *testing.T) { Gateway: net.ParseIP("fe80::1234:5678:9abc"), }, }, - DefaultDenyACL: expectedDefaultDenyACL, + EndpointPolicies: expectedEndpointPolicies, Routes: []network.RouteInfo{ { Dst: network.Ipv4DefaultRouteDstPrefix, 
@@ -807,7 +807,7 @@ func TestCNSIPAMInvoker_Add(t *testing.T) { result: &cns.IPConfigsResponse{ PodIPInfo: []cns.PodIpInfo{ { - DefaultDenyACL: expectedDefaultDenyACL, + EndpointPolicies: expectedEndpointPolicies, }, }, Response: cns.Response{ @@ -836,7 +836,7 @@ func TestCNSIPAMInvoker_Add(t *testing.T) { } ipamAddResult, err := invoker.Add(IPAMAddConfig{nwCfg: tt.args.nwCfg, args: tt.args.args, options: tt.args.options}) if tt.wantErr { - require.Equalf([]acn.KVPair(nil), ipamAddResult.interfaceInfo[string(cns.InfraNIC)].DefaultDenyACL, "Correct default deny ACL") + require.Equalf([]policy.Policy(nil), ipamAddResult.interfaceInfo[string(cns.InfraNIC)].EndpointPolicies, "There was an error requesting IP addresses from cns") require.Error(err) } else { require.NoError(err) @@ -852,7 +852,7 @@ func TestCNSIPAMInvoker_Add(t *testing.T) { } if ifInfo.NICType == cns.InfraNIC { require.Equalf(tt.wantDefaultResult, ifInfo, "incorrect default response") - require.Equalf(expectedDefaultDenyACL, ifInfo.DefaultDenyACL, "Correct default deny ACL") + require.Equalf(expectedEndpointPolicies, ifInfo.EndpointPolicies, "Correct default deny ACL") } } }) diff --git a/cni/network/network.go b/cni/network/network.go index 056655073b..ed9ce81a0c 100644 --- a/cni/network/network.go +++ b/cni/network/network.go 
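Review bot: In the `@@ -836` hunk the message `"There was an error requesting IP addresses from cns"` is only printed when the assertion fails, i.e. when endpoint policies are present despite the CNS error, so it describes the opposite of what went wrong; `"Correct default deny ACL"` in the `@@ -852` hunk has the same problem. Messages should name the failure, e.g. `"endpoint policies must not be set when CNS returns an error"` and `"endpoint policies on the infra NIC do not match the CNS response"`. Asserting `require.Error(err)` before inspecting the result also reads more naturally, since the result is only meaningful once the error branch is confirmed.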
@@ -589,13 +589,12 @@ func (plugin *NetPlugin) Add(args *cniSkel.CmdArgs) error { // sendEvent(plugin, fmt.Sprintf("Allocated IPAddress from ipam DefaultInterface: %+v, SecondaryInterfaces: %+v", ipamAddResult.interfaceInfo[ifIndex], ipamAddResult.interfaceInfo)) } + policies := cni.GetPoliciesFromNwCfg(nwCfg.AdditionalArgs) for key := range ipamAddResult.interfaceInfo { if key == string(cns.InfraNIC) { - nwCfg.AdditionalArgs = append(nwCfg.AdditionalArgs, ipamAddResult.interfaceInfo[key].DefaultDenyACL...) + policies = append(policies, ipamAddResult.interfaceInfo[key].EndpointPolicies...) } } - - policies := cni.GetPoliciesFromNwCfg(nwCfg.AdditionalArgs) // moved to addIpamInvoker // sendEvent(plugin, fmt.Sprintf("Allocated IPAddress from ipam interface: %+v", ipamAddResult.PrettyString())) diff --git a/cni/network/network_windows_test.go b/cni/network/network_windows_test.go index 39da4bd414..9da54a4ca4 100644 --- a/cni/network/network_windows_test.go +++ b/cni/network/network_windows_test.go @@ -12,7 +12,6 @@ import ( "github.com/Azure/azure-container-networking/cni" "github.com/Azure/azure-container-networking/cns" - acn "github.com/Azure/azure-container-networking/common" "github.com/Azure/azure-container-networking/network" "github.com/Azure/azure-container-networking/network/hnswrapper" "github.com/Azure/azure-container-networking/network/policy" @@ -942,7 +941,7 @@ func TestPluginWindowsAdd(t *testing.T) { EnableExactMatchForPodName: true, Master: "eth0", // these are added to test that policies propagate to endpoint info - AdditionalArgs: []acn.KVPair{ + AdditionalArgs: []cni.KVPair{ { Name: "EndpointPolicy", Value: GetRawOutBoundNATPolicy(), diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go index 72ab3f0b2e..c93187a0e2 100644 --- a/cns/NetworkContainerContract.go +++ b/cns/NetworkContainerContract.go 
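Review bot: The `for key := range ipamAddResult.interfaceInfo` loop exists only to find the single known key `string(cns.InfraNIC)`, so a direct lookup is clearer and avoids iterating the map: `if ifInfo, ok := ipamAddResult.interfaceInfo[string(cns.InfraNIC)]; ok {` / `policies = append(policies, ifInfo.EndpointPolicies...)` / `}`. The CNS-supplied policies are appended after those parsed from `nwCfg.AdditionalArgs` and passed on as opaque JSON with no check in this function, so a debug-level log of the count from each source would make an unexpectedly applied default-deny traceable from the CNI log alone. `Add` starts before and continues after this hunk.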
@@ -8,8 +8,8 @@ import (
 "strings"
 "github.com/Azure/azure-container-networking/cns/types"
- acn "github.com/Azure/azure-container-networking/common"
 "github.com/Azure/azure-container-networking/crd/nodenetworkconfig/api/v1alpha"
+ "github.com/Azure/azure-container-networking/network/policy"
 "github.com/google/uuid"
 "github.com/pkg/errors"
 corev1 "k8s.io/api/core/v1"
@@ -504,8 +504,8 @@ type PodIpInfo struct {
 Routes []Route
 // PnpId is set for backend interfaces, Pnp Id identifies VF. Plug and play id(pnp) is also called as PCI ID
 PnPID string
- // Defauly Deny ACL's to configure on HNS endpoints for Swiftv2 window nodes
- DefaultDenyACL []acn.KVPair
+ // Default Deny ACL's to configure on HNS endpoints for Swiftv2 window nodes
+ EndpointPolicies []policy.Policy
 }
 type HostIPInfo struct {
diff --git a/common/config.go b/common/config.go
index 87ec27ae11..3434c2e2e1 100644
--- a/common/config.go
+++ b/common/config.go
@@ -3,8 +3,6 @@ package common
-import "encoding/json"
-
 // Command line options.
 const (
 // Operating environment.
@@ -148,9 +146,3 @@ const (
 // OptCNIConflistScenarioAlias "shorthand" for the cni conflist scenairo, see above
 OptCNIConflistScenarioAlias = "cniconflistscenario"
 )
-
-// KVPair represents a K-V pair of a json object.
-type KVPair struct {
- Name string `json:"name"`
- Value json.RawMessage `json:"value"`
-}
diff --git a/network/endpoint.go b/network/endpoint.go
index d400b16900..fab75d3186 100644
--- a/network/endpoint.go
+++ b/network/endpoint.go
@@ -11,7 +11,6 @@ import (
 "github.com/Azure/azure-container-networking/cni/log"
 "github.com/Azure/azure-container-networking/cns"
- acn "github.com/Azure/azure-container-networking/common"
 "github.com/Azure/azure-container-networking/netio"
 "github.com/Azure/azure-container-networking/netlink"
 "github.com/Azure/azure-container-networking/network/policy"
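Review bot: The `EndpointPolicies` field added to `PodIpInfo` in the `-504` hunk has a generic name but is documented only as "Default Deny ACL's ... Swiftv2 window nodes", so a reader cannot tell whether CNS may place other HNS policies there or whether CNI is expected to validate what it receives. Suggest a comment that states the contract, e.g. `// EndpointPolicies are HNS endpoint policies that CNS asks CNI to apply verbatim to the pod endpoint; today these are the Swiftv2 default-deny ACLs for Windows nodes.` The same hunk makes the `cns` package depend on `network/policy`, which is only safe if `network/policy` does not itself import `cns` (the `network` package visibly does, per the `endpoint.go` import block below); I cannot confirm that from here. Dropping `KVPair` from `common` in the `-148` hunk breaks any importer of `common.KVPair` not migrated in this series; the ones visible here are updated, others are not checkable from this view.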
@@ -139,7 +138,7 @@ type InterfaceInfo struct {
 HostSubnetPrefix net.IPNet // Move this field from ipamAddResult
 NCResponse *cns.GetNetworkContainerResponse
 PnPID string
- DefaultDenyACL []acn.KVPair
+ EndpointPolicies []policy.Policy
 }
 type IPConfig struct {
From a8a4164c56a11db04e628d8c3165a05c8720d06d Mon Sep 17 00:00:00 2001
From: rejain456
Date: Thu, 9 Jan 2025 23:37:57 -0800
Subject: [PATCH 11/18] updated unit test case
---
 cni/network/invoker_cns_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cni/network/invoker_cns_test.go b/cni/network/invoker_cns_test.go
index 0ccfca779c..32c6b0b4df 100644
--- a/cni/network/invoker_cns_test.go
+++ b/cni/network/invoker_cns_test.go
@@ -538,11 +538,11 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 expectedEndpointPolicies := []policy.Policy{
 {
- Type: policy.ACLPolicy,
+ Type: policy.EndpointPolicy,
 Data: valueOut,
 },
 {
- Type: policy.ACLPolicy,
+ Type: policy.EndpointPolicy,
 Data: valueIn,
 },
 }
From 9ad9b5e955fe7be17a67e213130a41f89e97fc10 Mon Sep 17 00:00:00 2001
From: rejain456
Date: Fri, 10 Jan 2025 00:00:05 -0800
Subject: [PATCH 12/18] updated unit test to add cns not sending default deny acl to cni
---
 cni/network/invoker_cns_test.go | 33 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/cni/network/invoker_cns_test.go b/cni/network/invoker_cns_test.go
index 32c6b0b4df..b8b6d9be98 100644
--- a/cni/network/invoker_cns_test.go
+++ b/cni/network/invoker_cns_test.go
@@ -547,12 +547,13 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 },
 }
 tests := []struct {
- name string
- fields fields
- args args
- wantDefaultResult network.InterfaceInfo
- wantMultitenantResult network.InterfaceInfo
- wantErr bool
+ name string
+ fields fields
+ args args
+ wantDefaultDenyEndpoints bool
+ wantDefaultResult network.InterfaceInfo
+ wantMultitenantResult network.InterfaceInfo
+ wantErr bool
 }{
 {
 name: "Test happy CNI add",
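Review bot: The `EndpointPolicies` field added to `InterfaceInfo` in the `-139` hunk carries no comment, unlike `HostSubnetPrefix` beside it, yet `InterfaceInfo` is what CNI later turns into the endpoint, so a reader needs to know these policies originate in the CNS response and are applied as received. Suggest `EndpointPolicies []policy.Policy // HNS endpoint policies returned by CNS for this interface (currently the Swiftv2 default-deny ACLs)`. Patch 11's switch of the expected `Type` to `policy.EndpointPolicy` in the `-538` hunk only changes a fixture that is fed through the fake CNS and compared back, so that test still does not pin which policy type CNS actually emits; `valueOut` and `valueIn` are defined outside the hunk.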
@@ -623,7 +624,8 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 NICType: cns.InfraNIC,
 HostSubnetPrefix: *parseCIDR("10.0.0.0/24"),
 },
- wantErr: false,
+ wantDefaultDenyEndpoints: true,
+ wantErr: false,
 },
 {
 name: "Test CNI add with pod ip info empty nictype",
@@ -654,7 +656,6 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 PrimaryIP: "10.0.0.1",
 Subnet: "10.0.0.0/24",
 },
- EndpointPolicies: expectedEndpointPolicies,
 },
 },
 Response: cns.Response{
@@ -683,7 +684,6 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 Gateway: net.ParseIP("10.0.0.1"),
 },
 },
- EndpointPolicies: expectedEndpointPolicies,
 Routes: []network.RouteInfo{
 {
 Dst: network.Ipv4DefaultRouteDstPrefix,
@@ -693,7 +693,8 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 NICType: cns.InfraNIC,
 HostSubnetPrefix: *parseCIDR("10.0.0.0/24"),
 },
- wantErr: false,
+ wantDefaultDenyEndpoints: false,
+ wantErr: false,
 },
 {
 name: "Test happy CNI add for both ipv4 and ipv6",
@@ -793,7 +794,8 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 NICType: cns.InfraNIC,
 HostSubnetPrefix: *parseCIDR("fd11:1234::/112"),
 },
- wantErr: false,
+ wantDefaultDenyEndpoints: true,
+ wantErr: false,
 },
 {
 name: "fail to request IP addresses from cns",
@@ -820,7 +822,8 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 },
 },
 },
- wantErr: true,
+ wantDefaultDenyEndpoints: false,
+ wantErr: true,
 },
 }
 for _, tt := range tests {
@@ -852,7 +855,11 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 }
 if ifInfo.NICType == cns.InfraNIC {
 require.Equalf(tt.wantDefaultResult, ifInfo, "incorrect default response")
- require.Equalf(expectedEndpointPolicies, ifInfo.EndpointPolicies, "Correct default deny ACL")
+ if tt.wantDefaultDenyEndpoints {
+ require.Equalf(expectedEndpointPolicies, ifInfo.EndpointPolicies, "Correct default deny ACL")
+ } else {
+ require.Equalf([]policy.Policy(nil), ifInfo.EndpointPolicies, "Correct default deny ACL")
+ }
 }
 }
 })
From adcabcdc8cbe56bd565c3dd02a6a814a33b1a6ab Mon Sep 17 00:00:00 2001
From: rejain456
Date: Fri, 10 Jan 2025 14:36:29 -0800
Subject: [PATCH 13/18] removed an infra nic check
---
 cni/network/network.go | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/cni/network/network.go b/cni/network/network.go
index ed9ce81a0c..bb87a07177 100644
--- a/cni/network/network.go
+++ b/cni/network/network.go
@@ -590,11 +590,8 @@ func (plugin *NetPlugin) Add(args *cniSkel.CmdArgs) error {
 }
 policies := cni.GetPoliciesFromNwCfg(nwCfg.AdditionalArgs)
- for key := range ipamAddResult.interfaceInfo {
- if key == string(cns.InfraNIC) {
- policies = append(policies, ipamAddResult.interfaceInfo[key].EndpointPolicies...)
- }
- }
+ policies = append(policies, ipamAddResult.interfaceInfo[string(cns.InfraNIC)].EndpointPolicies...)
+
 // moved to addIpamInvoker
 // sendEvent(plugin, fmt.Sprintf("Allocated IPAddress from ipam interface: %+v", ipamAddResult.PrettyString()))
From 9ca7d88d737eaff2a16800a9a31f435506287b46 Mon Sep 17 00:00:00 2001
From: rejain456
Date: Fri, 10 Jan 2025 14:50:56 -0800
Subject: [PATCH 14/18] removed an infra nic check
---
 cni/network/network.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/cni/network/network.go b/cni/network/network.go
index bb87a07177..378084bc03 100644
--- a/cni/network/network.go
+++ b/cni/network/network.go
@@ -590,8 +590,9 @@ func (plugin *NetPlugin) Add(args *cniSkel.CmdArgs) error {
 }
 policies := cni.GetPoliciesFromNwCfg(nwCfg.AdditionalArgs)
- policies = append(policies, ipamAddResult.interfaceInfo[string(cns.InfraNIC)].EndpointPolicies...)
-
+ for key := range ipamAddResult.interfaceInfo {
+ policies = append(policies, ipamAddResult.interfaceInfo[key].EndpointPolicies...)
+ }
 // moved to addIpamInvoker
 // sendEvent(plugin, fmt.Sprintf("Allocated IPAddress from ipam interface: %+v", ipamAddResult.PrettyString()))
From ab735cc4604fe500ccb341f474f001b098c581d7 Mon Sep 17 00:00:00 2001
From: rejain456
Date: Fri, 10 Jan 2025 15:15:43 -0800
Subject: [PATCH 15/18] removed for loop
---
 cni/network/network.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/cni/network/network.go b/cni/network/network.go
index 378084bc03..ce5fafd8b7 100644
--- a/cni/network/network.go
+++ b/cni/network/network.go
@@ -590,9 +590,7 @@ func (plugin *NetPlugin) Add(args *cniSkel.CmdArgs) error {
 }
 policies := cni.GetPoliciesFromNwCfg(nwCfg.AdditionalArgs)
- for key := range ipamAddResult.interfaceInfo {
- policies = append(policies, ipamAddResult.interfaceInfo[key].EndpointPolicies...)
- }
+
 // moved to addIpamInvoker
 // sendEvent(plugin, fmt.Sprintf("Allocated IPAddress from ipam interface: %+v", ipamAddResult.PrettyString()))
@@ -619,6 +617,7 @@ func (plugin *NetPlugin) Add(args *cniSkel.CmdArgs) error {
 natInfo := getNATInfo(nwCfg, options[network.SNATIPKey], enableSnatForDNS)
 networkID, _ := plugin.getNetworkID(args.Netns, &ifInfo, nwCfg)
+ policies = append(policies, ipamAddResult.interfaceInfo[key].EndpointPolicies...)
 createEpInfoOpt := createEpInfoOpt{
 nwCfg: nwCfg,
From 4cc444cdb6f1e9343a23a2bf19898a0c56b3dc0c Mon Sep 17 00:00:00 2001
From: rejain456
Date: Fri, 10 Jan 2025 15:24:23 -0800
Subject: [PATCH 16/18] removed an extra spacing
---
 cni/network/network.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/cni/network/network.go b/cni/network/network.go
index ce5fafd8b7..337c5d00c4 100644
--- a/cni/network/network.go
+++ b/cni/network/network.go
@@ -590,7 +590,6 @@ func (plugin *NetPlugin) Add(args *cniSkel.CmdArgs) error {
 }
 policies := cni.GetPoliciesFromNwCfg(nwCfg.AdditionalArgs)
-
 // moved to addIpamInvoker
 // sendEvent(plugin, fmt.Sprintf("Allocated IPAddress from ipam interface: %+v", ipamAddResult.PrettyString()))
From 227be2fc46fc6bb7ef85c30f5cd9c886da89b71f Mon Sep 17 00:00:00 2001
From: rejain456
Date: Wed, 15 Jan 2025 16:45:53 -0800
Subject: [PATCH 17/18] update from pr comment
---
 cni/network/network.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/cni/network/network.go b/cni/network/network.go
index 337c5d00c4..9ddb111a78 100644
--- a/cni/network/network.go
+++ b/cni/network/network.go
@@ -616,7 +616,6 @@ func (plugin *NetPlugin) Add(args *cniSkel.CmdArgs) error {
 natInfo := getNATInfo(nwCfg, options[network.SNATIPKey], enableSnatForDNS)
 networkID, _ := plugin.getNetworkID(args.Netns, &ifInfo, nwCfg)
- policies = append(policies, ipamAddResult.interfaceInfo[key].EndpointPolicies...)
 createEpInfoOpt := createEpInfoOpt{
 nwCfg: nwCfg,
@@ -834,6 +833,10 @@ func (plugin *NetPlugin) createEpInfo(opt *createEpInfoOpt) (*network.EndpointIn
 // create endpoint policies by appending to network policies
 // the value passed into NetworkPolicies should be unaffected since we reassign here
 opt.policies = append(opt.policies, endpointPolicies...)
+
+ // appends default deny endpoint policies if infra nic and default deny bool is enabled
+ opt.policies = append(opt.policies, opt.ifInfo.EndpointPolicies...)
+
 endpointInfo.EndpointPolicies = opt.policies
 // add even more endpoint policies
 epPolicies, err := getPoliciesFromRuntimeCfg(opt.nwCfg, opt.ipamAddResult.ipv6Enabled) // not specific to delegated or infra
From 0efb03f59ca71a15ad960ff10c314af838d5761d Mon Sep 17 00:00:00 2001
From: rejain456
Date: Wed, 15 Jan 2025 16:54:06 -0800
Subject: [PATCH 18/18] updated unit test
---
 cni/network/network_windows_test.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/cni/network/network_windows_test.go b/cni/network/network_windows_test.go
index 9da54a4ca4..1837933769 100644
--- a/cni/network/network_windows_test.go
+++ b/cni/network/network_windows_test.go
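Review bot: The comment added in the `-834` hunk of createEpInfo says the default-deny policies are appended "if infra nic and default deny bool is enabled", but the append under it is unconditional: whatever `opt.ifInfo.EndpointPolicies` holds is merged into `opt.policies` for every endpoint, and the only gating left in this series is whether CNS populated the field (the InfraNIC check was removed across patches 13 to 15). Either restore that check here or make the comment state the actual contract, e.g. `// apply the endpoint policies CNS returned for this interface as received (today the Swiftv2 default-deny ACLs); CNS decides whether to send them, CNI does not gate them`. Since these policies flow from the CNS response straight into `endpointInfo.EndpointPolicies`, the assertion that matters is on the created endpoint rather than on the IPAM result; patch 18's fixtures appear to head that way, though the assertions are not in view. createEpInfo starts and ends outside the hunk.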
@@ -878,6 +878,12 @@ func GetTestCNSResponseSecondaryWindows(macAddress string) map[string]network.In
 SkipDefaultRoutes: true,
 NICType: cns.InfraNIC,
 HostSubnetPrefix: *getCIDRNotationForAddress("20.224.0.0/16"),
+ EndpointPolicies: []policy.Policy{
+ {
+ Type: policy.EndpointPolicy,
+ Data: GetRawACLPolicy(),
+ },
+ },
 },
 macAddress: {
 MacAddress: parsedMAC,
@@ -1226,6 +1232,12 @@ func TestPluginWindowsAdd(t *testing.T) {
 Gateway: net.ParseIP("10.244.2.1"),
 },
 },
+ EndpointPolicies: []policy.Policy{
+ {
+ Type: policy.EndpointPolicy,
+ Data: GetRawACLPolicy(),
+ },
+ },
 },
 epIDRegex: `.*`,
 },