Extend SG API to have tiers, larger priority range, and localaddress and port matching

Author: abhishek-pandey-1

charts/kube-ovn/templates/kube-ovn-crd.yaml

@@ -3507,7 +3507,13 @@ spec:
                         max: 65535
                       policy:
                         type: string
-                        description: Policy action (allow or deny)
+                        description: Policy action (allow, deny, or pass)
+                      localAddress:
+                        type: string
+                      localPortRangeMin:
+                        type: integer
+                      localPortRangeMax:
+                        type: integer
                 egressRules:
                   type: array
                   description: Egress traffic rules for the security group
@@ -3546,10 +3552,20 @@ spec:
                         max: 65535
                       policy:
                         type: string
-                        description: Policy action (allow or deny)
+                        description: Policy action (allow, deny, or pass)
+                      localAddress:
+                        type: string
+                      localPortRangeMin:
+                        type: integer
+                      localPortRangeMax:
+                        type: integer
                 allowSameGroupTraffic:
                   type: boolean
-                  description: Allow traffic between pods in the same security group
+                securityGroupTier:
+                  type: integer
+                  default: 2
+                  minimum: 2
+                  maximum: 3
             status:
               type: object
               properties:

mocks/pkg/ovs/interface.go

@@ -31,6 +31,8 @@ type SgPolicy string
 var (
 	SgPolicyAllow = SgPolicy(ovnnb.ACLActionAllow)
 	SgPolicyDrop  = SgPolicy(ovnnb.ACLActionDrop)
+	// Pass ACL processing to next tier
+	SgPolicyPass = SgPolicy(ovnnb.ACLActionPass)
 )
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -57,6 +59,7 @@ type SecurityGroupSpec struct {
 	IngressRules          []SecurityGroupRule `json:"ingressRules,omitempty"`
 	EgressRules           []SecurityGroupRule `json:"egressRules,omitempty"`
 	AllowSameGroupTraffic bool                `json:"allowSameGroupTraffic,omitempty"`
+	SecurityGroupTier     int                 `json:"securityGroupTier,omitempty"`
 }
 
 type SecurityGroupRule struct {
@@ -68,6 +71,9 @@ type SecurityGroupRule struct {
 	RemoteSecurityGroup string       `json:"remoteSecurityGroup,omitempty"`
 	PortRangeMin        int          `json:"portRangeMin,omitempty"`
 	PortRangeMax        int          `json:"portRangeMax,omitempty"`
+	LocalAddress        string       `json:"localAddress,omitempty"`
+	LocalPortRangeMin   int          `json:"localPortRangeMin,omitempty"`
+	LocalPortRangeMax   int          `json:"localPortRangeMax,omitempty"`
 	Policy              SgPolicy     `json:"policy"`
 }
 

pkg/apis/kubeovn/v1/security-group.go

@@ -72,9 +72,14 @@ func (c *Controller) initDefaultDenyAllSecurityGroup() error {
 		return err
 	}
 
-	if err := c.OVNNbClient.CreateSgDenyAllACL(util.DenyAllSecurityGroup); err != nil {
-		klog.Errorf("create deny all acl for sg %s: %v", util.DenyAllSecurityGroup, err)
-		return err
+	// Add default deny rules for all the tiers. This is to ensure that if a packet
+	// is moved between tiers during acl evaluation, it is always dropped if no explicit
+	// allow or drop rule is not hit.
+	for tier := util.SecurityGroupTierMinimum; tier <= util.SecurityGroupTierMaximum; tier++ {
+		if err := c.OVNNbClient.CreateSgDenyAllACL(util.DenyAllSecurityGroup, tier); err != nil {
+			klog.Errorf("create deny all acl for sg %s tier %d: %v", util.DenyAllSecurityGroup, tier, err)
+			return err
+		}
 	}
 
 	c.addOrUpdateSgQueue.Add(util.DenyAllSecurityGroup)
@@ -229,7 +234,7 @@ func (c *Controller) handleAddOrUpdateSg(key string, force bool) error {
 			return err
 		}
 
-		if err := c.OVNNbClient.CreateSgBaseACL(sg.Name, ovnnb.ACLDirectionToLport); err != nil {
+		if err := c.OVNNbClient.CreateSgBaseACL(sg.Name, ovnnb.ACLDirectionToLport, sg.Spec.SecurityGroupTier); err != nil {
 			klog.Error(err)
 			return err
 		}
@@ -245,7 +250,7 @@ func (c *Controller) handleAddOrUpdateSg(key string, force bool) error {
 			return err
 		}
 
-		if err := c.OVNNbClient.CreateSgBaseACL(sg.Name, ovnnb.ACLDirectionFromLport); err != nil {
+		if err := c.OVNNbClient.CreateSgBaseACL(sg.Name, ovnnb.ACLDirectionFromLport, sg.Spec.SecurityGroupTier); err != nil {
 			klog.Error(err)
 			return err
 		}
@@ -266,13 +271,21 @@ func (c *Controller) handleAddOrUpdateSg(key string, force bool) error {
 func (c *Controller) validateSgRule(sg *kubeovnv1.SecurityGroup) error {
 	// check sg rules
 	allRules := append(sg.Spec.IngressRules, sg.Spec.EgressRules...)
+	if sg.Spec.SecurityGroupTier < util.SecurityGroupTierMinimum || sg.Spec.SecurityGroupTier > util.SecurityGroupTierMaximum {
+		return fmt.Errorf("tier '%d' is not in the range [%d,%d]", sg.Spec.SecurityGroupTier, util.SecurityGroupTierMinimum, util.SecurityGroupTierMaximum)
+	}
+
 	for _, rule := range allRules {
 		if rule.IPVersion != "ipv4" && rule.IPVersion != "ipv6" {
 			return errors.New("IPVersion should be 'ipv4' or 'ipv6'")
 		}
 
-		if rule.Priority < 1 || rule.Priority > 200 {
-			return fmt.Errorf("priority '%d' is not in the range of 1 to 200", rule.Priority)
+		if rule.Priority < util.SecurityGroupPriorityMin || rule.Priority > util.SecurityGroupPriorityMax {
+			return fmt.Errorf("priority '%d' is not in the range of %d to %d", rule.Priority, util.SecurityGroupPriorityMin, util.SecurityGroupPriorityMax)
+		}
+
+		if sg.Spec.SecurityGroupTier == util.SecurityGroupTierMaximum && rule.Policy == kubeovnv1.SgPolicyPass {
+			return fmt.Errorf("policy pass not valid when the security group tier is maximum [%d]", util.SecurityGroupTierMaximum)
 		}
 
 		switch rule.RemoteType {
@@ -295,13 +308,33 @@ func (c *Controller) validateSgRule(sg *kubeovnv1.SecurityGroup) error {
 			return fmt.Errorf("not support sgRemoteType '%s'", rule.RemoteType)
 		}
 
+		if rule.LocalAddress != "" {
+			if strings.Contains(rule.LocalAddress, "/") {
+				if _, _, err := net.ParseCIDR(rule.LocalAddress); err != nil {
+					return fmt.Errorf("invalid CIDR '%s'", rule.LocalAddress)
+				}
+			} else {
+				if net.ParseIP(rule.LocalAddress) == nil {
+					return fmt.Errorf("invalid ip address '%s'", rule.LocalAddress)
+				}
+			}
+		}
+
 		if rule.Protocol == kubeovnv1.SgProtocolTCP || rule.Protocol == kubeovnv1.SgProtocolUDP {
 			if rule.PortRangeMin < 1 || rule.PortRangeMin > 65535 || rule.PortRangeMax < 1 || rule.PortRangeMax > 65535 {
 				return errors.New("portRange is out of range")
 			}
 			if rule.PortRangeMin > rule.PortRangeMax {
 				return errors.New("portRange err, range Minimum value greater than maximum value")
 			}
+			if rule.LocalAddress != "" {
+				if rule.LocalPortRangeMin < 1 || rule.LocalPortRangeMin > 65535 || rule.LocalPortRangeMax < 1 || rule.LocalPortRangeMax > 65535 {
+					return errors.New("portRange is out of range")
+				}
+				if rule.LocalPortRangeMin > rule.LocalPortRangeMax {
+					return errors.New("portRange err, range Minimum value greater than maximum value")
+				}
+			}
 		}
 	}
 	return nil

pkg/controller/security_group.go

@@ -173,8 +173,8 @@ type ACL interface {
 	UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol, aclName string, npp []netv1.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, logRate int, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error)
 	CreateGatewayACL(lsName, pgName string) error
 	CreateNodeACL(pgName, nodeIPStr, joinIPStr string) error
-	CreateSgDenyAllACL(sgName string) error
-	CreateSgBaseACL(sgName, direction string) error
+	CreateSgDenyAllACL(sgName string, tier int) error
+	CreateSgBaseACL(sgName, direction string, tier int) error
 	UpdateSgACL(sg *kubeovnv1.SecurityGroup, direction string) error
 	UpdateLogicalSwitchACL(lsName, cidrBlock string, subnetAcls []kubeovnv1.ACL, allowEWTraffic bool) error
 	SetACLLog(pgName string, logEnable, isIngress bool) error

pkg/ovs/interface.go

@@ -385,16 +385,16 @@ func (c *OVNNbClient) CreateNodeACL(pgName, nodeIPStr, joinIPStr string) error {
 	return nil
 }
 
-func (c *OVNNbClient) CreateSgDenyAllACL(sgName string) error {
+func (c *OVNNbClient) CreateSgDenyAllACL(sgName string, tier int) error {
 	pgName := GetSgPortGroupName(sgName)
 
-	ingressACL, err := c.newACL(pgName, ovnnb.ACLDirectionToLport, util.SecurityGroupDropPriority, fmt.Sprintf("outport == @%s && ip", pgName), ovnnb.ACLActionDrop, util.NetpolACLTier)
+	ingressACL, err := c.newACL(pgName, ovnnb.ACLDirectionToLport, util.SecurityGroupDropPriority, fmt.Sprintf("outport == @%s && ip", pgName), ovnnb.ACLActionDrop, tier)
 	if err != nil {
 		klog.Error(err)
 		return fmt.Errorf("new deny all ingress acl for security group %s: %w", sgName, err)
 	}
 
-	egressACL, err := c.newACL(pgName, ovnnb.ACLDirectionFromLport, util.SecurityGroupDropPriority, fmt.Sprintf("inport == @%s && ip", pgName), ovnnb.ACLActionDrop, util.NetpolACLTier)
+	egressACL, err := c.newACL(pgName, ovnnb.ACLDirectionFromLport, util.SecurityGroupDropPriority, fmt.Sprintf("inport == @%s && ip", pgName), ovnnb.ACLActionDrop, tier)
 	if err != nil {
 		klog.Error(err)
 		return fmt.Errorf("new deny all egress acl for security group %s: %w", sgName, err)
@@ -410,7 +410,7 @@ func (c *OVNNbClient) CreateSgDenyAllACL(sgName string) error {
 }
 
 // CreateSgACL create allow acl for security group
-func (c *OVNNbClient) CreateSgBaseACL(sgName, direction string) error {
+func (c *OVNNbClient) CreateSgBaseACL(sgName, direction string, tier int) error {
 	pgName := GetSgPortGroupName(sgName)
 
 	// ingress rule
@@ -434,7 +434,7 @@ func (c *OVNNbClient) CreateSgBaseACL(sgName, direction string) error {
 	acls := make([]*ovnnb.ACL, 0)
 
 	newACL := func(match string) {
-		acl, err := c.newACL(pgName, direction, util.SecurityGroupBasePriority, match, ovnnb.ACLActionAllowRelated, util.NetpolACLTier)
+		acl, err := c.newACL(pgName, direction, util.SecurityGroupBasePriority, match, ovnnb.ACLActionAllowRelated, tier)
 		if err != nil {
 			klog.Error(err)
 			klog.Errorf("failed to create new base ingress acl for security group %s: %v", sgName, err)
@@ -523,7 +523,7 @@ func (c *OVNNbClient) UpdateSgACL(sg *kubeovnv1.SecurityGroup, direction string)
 				NewACLMatch(ipSuffix, "", "", ""),
 				NewACLMatch(ipSuffix+"."+srcOrDst, "==", "$"+asName, ""),
 			)
-			acl, err := c.newACL(pgName, direction, util.SecurityGroupAllowPriority, match.String(), ovnnb.ACLActionAllowRelated, util.NetpolACLTier)
+			acl, err := c.newACL(pgName, direction, util.SecurityGroupAllowPriority, match.String(), ovnnb.ACLActionAllowRelated, sg.Spec.SecurityGroupTier)
 			if err != nil {
 				klog.Error(err)
 				return fmt.Errorf("new allow acl for security group %s: %w", sg.Name, err)
@@ -535,7 +535,7 @@ func (c *OVNNbClient) UpdateSgACL(sg *kubeovnv1.SecurityGroup, direction string)
 
 	/* create rule acl */
 	for _, rule := range sgRules {
-		acl, err := c.newSgRuleACL(sg.Name, direction, rule)
+		acl, err := c.newSgRuleACL(sg.Name, direction, rule, sg.Spec.SecurityGroupTier)
 		if err != nil {
 			klog.Error(err)
 			return fmt.Errorf("new rule acl for security group %s: %w", sg.Name, err)
@@ -1050,7 +1050,7 @@ func (c *OVNNbClient) newACLWithoutCheck(parent, direction, priority, match, act
 }
 
 // createSgRuleACL create security group rule acl
-func (c *OVNNbClient) newSgRuleACL(sgName, direction string, rule kubeovnv1.SecurityGroupRule) (*ovnnb.ACL, error) {
+func (c *OVNNbClient) newSgRuleACL(sgName, direction string, rule kubeovnv1.SecurityGroupRule, tier int) (*ovnnb.ACL, error) {
 	ipSuffix := "ip4"
 	if rule.IPVersion == "ipv6" {
 		ipSuffix = "ip6"
@@ -1059,13 +1059,15 @@ func (c *OVNNbClient) newSgRuleACL(sgName, direction string, rule kubeovnv1.Secu
 	pgName := GetSgPortGroupName(sgName)
 
 	// ingress rule
-	srcOrDst, portDirection := "src", "outport"
+	localSrcOrDst, remoteSrcOrDst, portDirection := "dst", "src", "outport"
 	if direction == ovnnb.ACLDirectionFromLport { // egress rule
-		srcOrDst = "dst"
+		remoteSrcOrDst = "dst"
+		localSrcOrDst = "src"
 		portDirection = "inport"
 	}
 
-	ipKey := ipSuffix + "." + srcOrDst
+	remoteipKey := ipSuffix + "." + remoteSrcOrDst
+	localipKey := ipSuffix + "." + localSrcOrDst
 
 	/* match all traffic to or from pgName */
 	allIPMatch := NewAndACLMatch(
@@ -1075,9 +1077,10 @@ func (c *OVNNbClient) newSgRuleACL(sgName, direction string, rule kubeovnv1.Secu
 
 	/* allow allowed ip traffic */
 	// type address
+
 	allowedIPMatch := NewAndACLMatch(
 		allIPMatch,
-		NewACLMatch(ipKey, "==", rule.RemoteAddress, ""),
+		NewACLMatch(remoteipKey, "==", rule.RemoteAddress, ""),
 	)
 
 	// type securityGroup
@@ -1088,7 +1091,15 @@ func (c *OVNNbClient) newSgRuleACL(sgName, direction string, rule kubeovnv1.Secu
 	if rule.RemoteType == kubeovnv1.SgRemoteTypeSg {
 		allowedIPMatch = NewAndACLMatch(
 			allIPMatch,
-			NewACLMatch(ipKey, "==", "$"+remotePgName, ""),
+			NewACLMatch(remoteipKey, "==", "$"+remotePgName, ""),
+		)
+	}
+
+	// Add a rule to match local address only if it is set
+	if rule.LocalAddress != "" {
+		allowedIPMatch = NewAndACLMatch(
+			allowedIPMatch,
+			NewACLMatch(localipKey, "==", rule.LocalAddress, ""),
 		)
 	}
 
@@ -1113,16 +1124,27 @@ func (c *OVNNbClient) newSgRuleACL(sgName, direction string, rule kubeovnv1.Secu
 			allowedIPMatch,
 			NewACLMatch(string(rule.Protocol)+".dst", "<=", strconv.Itoa(rule.PortRangeMin), strconv.Itoa(rule.PortRangeMax)),
 		)
+
+		// Add a match on source port if a local address was provided.
+		if rule.LocalAddress != "" {
+			match = NewAndACLMatch(
+				match,
+				NewACLMatch(string(rule.Protocol)+".src", "<=", strconv.Itoa(rule.LocalPortRangeMin), strconv.Itoa(rule.LocalPortRangeMax)),
+			)
+		}
 	}
 
 	action := ovnnb.ACLActionDrop
 	if rule.Policy == kubeovnv1.SgPolicyAllow {
 		action = ovnnb.ACLActionAllowRelated
 	}
+	if rule.Policy == kubeovnv1.SgPolicyPass {
+		action = ovnnb.ACLActionPass
+	}
 
 	highestPriority, _ := strconv.Atoi(util.SecurityGroupHighestPriority)
 
-	acl, err := c.newACL(pgName, direction, strconv.Itoa(highestPriority-rule.Priority), match.String(), action, util.NetpolACLTier)
+	acl, err := c.newACL(pgName, direction, strconv.Itoa(highestPriority-rule.Priority), match.String(), action, tier)
 	if err != nil {
 		klog.Error(err)
 		return nil, fmt.Errorf("new security group acl for port group %s: %w", pgName, err)