add NetworkPolicy plugin #12448
add NetworkPolicy plugin #12448
Conversation
danwinship
force-pushed
the
network-policy
branch
from
28de307 to
371c719
Compare
|
For reference, the spec is at https://github.com/kubernetes/community/blob/master/contributors/design-proposals/network-policy.md |
|
@dcbw can you find some time to look at this soon please? |
|
[test] |
danwinship
force-pushed
the
network-policy
branch
from
371c719 to
b3c4828
Compare
|
Repushed to make the UPSTREAM commit include the entire corresponding upstream commit, and to remove (incorrect) support for string-valued NetworkPolicyPort values. Note that currently no tests get run with the networkpolicy plugin, so running tests doesn't actually tell you anything (except that the handful of changes outside of networkpolicy.go didn't break anything). |
| } | ||
|
|
||
| func (np *networkPolicyPlugin) watchNetworkPolicies() { | ||
| RunEventQueue(np.node.kClient.ExtensionsClient.RESTClient(), NetworkPolicies, func(delta cache.Delta) error { |
There was a problem hiding this comment.
We have said we need to stop using event queue. Adding more uses of it isn't helping :)
There was a problem hiding this comment.
The "EventQueue" used in pkg/sdn/plugin is a wrapper around DeltaFIFO (#10070) not the old pkg/client/cache/eventqueue.go.
| np.lock.Lock() | ||
| defer np.lock.Unlock() | ||
|
|
||
| namespaces, err := np.node.kClient.Namespaces().List(kapi.ListOptions{}) |
There was a problem hiding this comment.
Is this the only network policy that reads namespaces?
There was a problem hiding this comment.
Yes. With the multitenant policy, everything it needs to track is on the NetNamespace object, but here we need to combine Namespace, NetNamespace, and NetworkPolicies.
|
pushed a fixup to get Services at least minimally working |
|
LGTM |
|
Since this is tech preview and you have to opt in by manually creating the network policy objects, this feels okay to merge to get some mileage on it before the testing and docs stabilize. But we need to get those in ASAP. |
danwinship
force-pushed
the
network-policy
branch
from
4a585c0 to
55ae2ce
Compare
|
Test change LGTM |
|
[merge] |
danwinship
force-pushed
the
network-policy
branch
from
55ae2ce to
2e37136
Compare
|
That was a pain to dig out... |
Implements DefaultDeny (with no NetworkPolicy objects), plus trivial
NetworkPolicies ("allow all" and "deny all").
danwinship
force-pushed
the
network-policy
branch
from
2e37136 to
0988c04
Compare
|
Evaluated for origin test up to 0988c04 |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/13085/) (Base Commit: b46ecc5) |
|
[merge] |
|
Evaluated for origin merge up to 0988c04 |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/13127/) (Base Commit: 766ada8) (Image: devenv-rhel7_5740) |
This adds a new plugin,
redhat/openshift-ovs-networkpolicy, which implements NetworkPolicy (and does not implement traditional openshift-sdn multitenancy). This is considered "tech preview" for 3.5 so it doesn't have to be completely flawless (eg, the pod watching code is currently not very scalable; there's a trello card about that).Still to do:
@openshift/networking PTAL