feat(netpol): add annotation for different policy enforcements

Signed-off-by: SkalaNetworks <contact@skala.network>

Author: SkalaNetworks

pkg/controller/network_policy.go

@@ -183,12 +183,14 @@ func (c *Controller) handleUpdateNp(key string) error {
 		}
 
 		for _, protocol := range protocolSet.List() {
-			defaultBlockExceptions, err := c.OVNNbClient.UpdateDefaultBlockExceptionsACLOps(npName, pgName, np.Namespace, ovnnb.ACLDirectionToLport, protocol)
-			if err != nil {
-				klog.Errorf("failed to set default block exceptions for ingress acl: %v", err)
-				return fmt.Errorf("failed to set default block exceptions for ingress acl: %w", err)
+			if isNetworkPolicyEnforcementLax(np) {
+				defaultBlockExceptions, err := c.OVNNbClient.UpdateDefaultBlockExceptionsACLOps(npName, pgName, np.Namespace, ovnnb.ACLDirectionToLport, protocol)
+				if err != nil {
+					klog.Errorf("failed to set default block exceptions for ingress acl: %v", err)
+					return fmt.Errorf("failed to set default block exceptions for ingress acl: %w", err)
+				}
+				ingressACLOps = append(ingressACLOps, defaultBlockExceptions...)
 			}
-			ingressACLOps = append(ingressACLOps, defaultBlockExceptions...)
 
 			for idx, npr := range np.Spec.Ingress {
 				// A single address set must contain addresses of the same type and the name must be unique within table, so IPv4 and IPv6 address set should be different
@@ -328,12 +330,14 @@ func (c *Controller) handleUpdateNp(key string) error {
 		}
 
 		for _, protocol := range protocolSet.List() {
-			defaultBlockExceptions, err := c.OVNNbClient.UpdateDefaultBlockExceptionsACLOps(npName, pgName, np.Namespace, ovnnb.ACLDirectionFromLport, protocol)
-			if err != nil {
-				klog.Errorf("failed to set default block exceptions for ingress acl: %v", err)
-				return fmt.Errorf("failed to set default block exceptions for ingress acl: %w", err)
+			if isNetworkPolicyEnforcementLax(np) {
+				defaultBlockExceptions, err := c.OVNNbClient.UpdateDefaultBlockExceptionsACLOps(npName, pgName, np.Namespace, ovnnb.ACLDirectionFromLport, protocol)
+				if err != nil {
+					klog.Errorf("failed to set default block exceptions for ingress acl: %v", err)
+					return fmt.Errorf("failed to set default block exceptions for ingress acl: %w", err)
+				}
+				egressACLOps = append(egressACLOps, defaultBlockExceptions...)
 			}
-			egressACLOps = append(egressACLOps, defaultBlockExceptions...)
 
 			for idx, npr := range np.Spec.Egress {
 				// A single address set must contain addresses of the same type and the name must be unique within table, so IPv4 and IPv6 address set should be different
@@ -808,3 +812,12 @@ func isNamespaceMatchNetworkPolicy(ns *corev1.Namespace, policy *netv1.NetworkPo
 	}
 	return false
 }
+
+func isNetworkPolicyEnforcementLax(policy *netv1.NetworkPolicy) bool {
+	// User provided a custom enforcement through annotations
+	if value, ok := policy.Annotations[util.NetworkPolicyEnforcementAnnotation]; ok {
+		return value == "lax"
+	}
+
+	return false
+}

pkg/util/const.go

@@ -100,20 +100,21 @@ const (
 
 	OvsDpTypeLabel = "ovn.kubernetes.io/ovs_dp_type"
 
-	VpcNameLabel               = "ovn.kubernetes.io/vpc"
-	SubnetNameLabel            = "ovn.kubernetes.io/subnet"
-	ICGatewayLabel             = "ovn.kubernetes.io/ic-gw"
-	ExGatewayLabel             = "ovn.kubernetes.io/external-gw"
-	NodeExtGwLabel             = "ovn.kubernetes.io/node-ext-gw"
-	VpcNatGatewayLabel         = "ovn.kubernetes.io/vpc-nat-gw"
-	IPReservedLabel            = "ovn.kubernetes.io/ip_reserved"
-	VpcNatGatewayNameLabel     = "ovn.kubernetes.io/vpc-nat-gw-name"
-	VpcLbLabel                 = "ovn.kubernetes.io/vpc_lb"
-	VpcDNSNameLabel            = "ovn.kubernetes.io/vpc-dns"
-	QoSLabel                   = "ovn.kubernetes.io/qos"
-	NodeNameLabel              = "ovn.kubernetes.io/node-name"
-	NetworkPolicyLogAnnotation = "ovn.kubernetes.io/enable_log"
-	ACLActionsLogAnnotation    = "ovn.kubernetes.io/log_acl_actions"
+	VpcNameLabel                       = "ovn.kubernetes.io/vpc"
+	SubnetNameLabel                    = "ovn.kubernetes.io/subnet"
+	ICGatewayLabel                     = "ovn.kubernetes.io/ic-gw"
+	ExGatewayLabel                     = "ovn.kubernetes.io/external-gw"
+	NodeExtGwLabel                     = "ovn.kubernetes.io/node-ext-gw"
+	VpcNatGatewayLabel                 = "ovn.kubernetes.io/vpc-nat-gw"
+	IPReservedLabel                    = "ovn.kubernetes.io/ip_reserved"
+	VpcNatGatewayNameLabel             = "ovn.kubernetes.io/vpc-nat-gw-name"
+	VpcLbLabel                         = "ovn.kubernetes.io/vpc_lb"
+	VpcDNSNameLabel                    = "ovn.kubernetes.io/vpc-dns"
+	QoSLabel                           = "ovn.kubernetes.io/qos"
+	NodeNameLabel                      = "ovn.kubernetes.io/node-name"
+	NetworkPolicyLogAnnotation         = "ovn.kubernetes.io/enable_log"
+	NetworkPolicyEnforcementAnnotation = "ovn.kubernetes.io/network_policy_enforcement"
+	ACLActionsLogAnnotation            = "ovn.kubernetes.io/log_acl_actions"
 
 	VpcEgressGatewayLabel  = "ovn.kubernetes.io/vpc-egress-gateway"
 	GenerateHashAnnotation = "ovn.kubernetes.io/generate-hash"