forked from antrea-io/antrea
[ExternalNode] Handle ExternalNode from Antrea agent side (antrea-io#3799)

1. Provide an example RBAC yaml file for Antrea agent running on VM with definitions of ClusterRole, ServiceAccount and ClusterRoleBinding.
2. Add ExternalNodeController to monitor ExternalNode CRUD, invoke interfaces to operate OVS and update interface store with ExternalEntityInterface.
3. Implement OVS interactions related to ExternalNode CRUD.
4. Add a channel for receiving ExternalEntity updates from ExternalNodeController and notifying NetworkPolicyController to reconcile rules related to the updated ExternalEntities. This is to handle the case when NetworkPolicyController reconciles rules before ExternalEntityInterface is realized in the interface store.
5. Support configuring policy bypass rules to skip ANP check.

Signed-off-by: Mengdie Song <[email protected]>
Co-authored-by: Wenying Dong <[email protected]>
1 parent 20ed1c4, commit ba37b8c
Showing 36 changed files with 1,287 additions and 88 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,112 @@ | ||
--- | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: vm-agent | ||
namespace: vm-ns # Change the Namespace to where vm-agent is expected to run. | ||
--- | ||
kind: ClusterRole | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: vm-agent | ||
rules: | ||
# antrea-controller distributes the CA certificate as a ConfigMap named `antrea-ca` in the Antrea deployment Namespace. | ||
# vm-agent needs to access `antrea-ca` to connect with antrea-controller. | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- configmaps | ||
resourceNames: | ||
- antrea-ca | ||
verbs: | ||
- get | ||
- watch | ||
- list | ||
# This is the content of built-in role kube-system/extension-apiserver-authentication-reader. | ||
# But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (vm-agent) will | ||
# have permission issue after bumping up apiserver library to a version that supports dynamic authentication. | ||
# See https://github.com/kubernetes/kubernetes/pull/85375 | ||
# To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on | ||
# the extension-apiserver-authentication role. | ||
- apiGroups: | ||
- "" | ||
resourceNames: | ||
- extension-apiserver-authentication | ||
resources: | ||
- configmaps | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
- apiGroups: | ||
- crd.antrea.io | ||
resources: | ||
- antreaagentinfos | ||
verbs: | ||
- get | ||
- update | ||
- apiGroups: | ||
- controlplane.antrea.io | ||
resources: | ||
- networkpolicies | ||
- appliedtogroups | ||
- addressgroups | ||
verbs: | ||
- get | ||
- watch | ||
- list | ||
- apiGroups: | ||
- controlplane.antrea.io | ||
resources: | ||
- nodestatssummaries | ||
verbs: | ||
- create | ||
- apiGroups: | ||
- controlplane.antrea.io | ||
resources: | ||
- networkpolicies/status | ||
verbs: | ||
- create | ||
- get | ||
--- | ||
kind: ClusterRoleBinding | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: vm-agent | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: vm-agent | ||
subjects: | ||
- kind: ServiceAccount | ||
name: vm-agent | ||
namespace: vm-ns # Change the Namespace to where vm-agent is expected to run. | ||
--- | ||
kind: Role | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: vm-agent | ||
namespace: vm-ns # Change the Namespace to where vm-agent is expected to run. | ||
rules: | ||
- apiGroups: | ||
- crd.antrea.io | ||
resources: | ||
- externalnodes | ||
verbs: | ||
- get | ||
- watch | ||
- list | ||
--- | ||
kind: RoleBinding | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: vm-agent | ||
namespace: vm-ns # Change the Namespace to where vm-agent is expected to run. | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: Role | ||
name: vm-agent | ||
subjects: | ||
- kind: ServiceAccount | ||
name: vm-agent | ||
namespace: vm-ns # Change the Namespace to where vm-agent is expected to run. |
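Review bot: the `antreaagentinfos` rule in the ClusterRole grants `get` and `update` cluster-wide with no `resourceNames` restriction, so a token for the shared `vm-agent` ServiceAccount held on any one VM can update the AntreaAgentInfo of every other agent in the cluster; since the `antrea-ca` and `extension-apiserver-authentication` rules already scope by `resourceNames`, either scope this one where the agent name is known at deploy time or state in the file header that every VM using this ServiceAccount is trusted to write any AntreaAgentInfo. A smaller point: the `# Change the Namespace to where vm-agent is expected to run.` comment is repeated on all five `namespace: vm-ns` lines; one note at the top of the file saying that `vm-ns` must be replaced consistently in all five objects would be easier to keep in sync, since a mismatch between the ServiceAccount namespace and the RoleBinding/ClusterRoleBinding subject silently leaves the agent without permissions.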