@@ -38,22 +38,22 @@ import (
3838 "sigs.k8s.io/kindnet/pkg/nflog"
3939 kindnetnode "sigs.k8s.io/kindnet/pkg/node"
4040
41+ "sigs.k8s.io/kube-network-policies/pkg/api"
42+ "sigs.k8s.io/kube-network-policies/pkg/dataplane"
43+ "sigs.k8s.io/kube-network-policies/pkg/networkpolicy"
44+ "sigs.k8s.io/kube-network-policies/pkg/podinfo"
45+
4146 "github.com/prometheus/client_golang/prometheus/promhttp"
4247 "golang.org/x/sys/unix"
4348
49+ "k8s.io/apimachinery/pkg/api/meta"
4450 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
4551 "k8s.io/client-go/informers"
46- v1 "k8s.io/client-go/informers/core/v1"
4752 "k8s.io/client-go/kubernetes"
4853 "k8s.io/client-go/rest"
4954 nodeutil "k8s.io/component-helpers/node/util"
5055 "k8s.io/klog/v2"
5156
52- "sigs.k8s.io/kube-network-policies/pkg/networkpolicy"
53- npaclient "sigs.k8s.io/network-policy-api/pkg/client/clientset/versioned"
54- npainformers "sigs.k8s.io/network-policy-api/pkg/client/informers/externalversions"
55- "sigs.k8s.io/network-policy-api/pkg/client/informers/externalversions/apis/v1alpha1"
56-
5757 _ "k8s.io/component-base/metrics/prometheus/clientgo" // load all the prometheus client-go plugin
5858)
5959
@@ -94,15 +94,15 @@ var (
9494 metricsBindAddress string
9595 fastpathThreshold int
9696 disableCNI bool
97+ disableNRI bool
9798 nflogLevel int
9899 ipsecOverlay bool
99100)
100101
101102func init () {
102103 flag .BoolVar (& disableCNI , "disable-cni" , false , "If set, disable the CNI functionality to add IPs to Pods and routing between nodes (default false)" )
103- flag .BoolVar (& networkpolicies , "network-policy" , true , "If set, enable Network Policies (default true)" )
104- flag .BoolVar (& adminNetworkPolicy , "admin-network-policy" , false , "If set, enable Admin Network Policies (default false)" )
105- flag .BoolVar (& baselineAdminNetworkPolicy , "baseline-admin-network-policy" , false , "If set, enable Baseline Admin Network Policies (default false)" )
104+ flag .BoolVar (& disableNRI , "disable-nri" , false , "If set, disable the NRI functionality to get Pod IP information from the container runtime directly (default false)" )
105+ flag .BoolVar (& networkpolicies , "network-policy" , true , "If set, enable Network Policy GA APIs (default true)" )
106106 flag .BoolVar (& dnsCaching , "dns-caching" , true , "If set, enable Kubernetes DNS caching (default true)" )
107107 flag .BoolVar (& nat64 , "nat64" , true , "If set, enable NAT64 using the reserved prefix 64:ff9b::/96 on IPv6 only clusters (default true)" )
108108 flag .StringVar (& hostnameOverride , "hostname-override" , "" , "If non-empty, will be used as the name of the Node that kube-network-policies is running on. If unset, the node name is assumed to be the same as the node's hostname." )
@@ -157,7 +157,6 @@ func main() {
157157 }
158158
159159 config .UserAgent = "kindnet"
160- npaConfig := config // shallow copy because CRDs does not support proto
161160 // use protobuf for better performance at scale
162161 // https://kubernetes.io/docs/reference/using-api/api-concepts/#alternate-representations-of-resources
163162 config .AcceptContentTypes = "application/vnd.kubernetes.protobuf,application/json"
@@ -329,53 +328,90 @@ func main() {
329328
330329 // network policies
331330 if networkpolicies {
332- cfg := networkpolicy.Config {
333- FailOpen : true ,
334- QueueID : 102 ,
335- NodeName : nodeName ,
336- NFTableName : "kindnet-network-policies" ,
337- NetfilterBug1766Fix : true ,
338- AdminNetworkPolicy : adminNetworkPolicy ,
339- BaselineAdminNetworkPolicy : baselineAdminNetworkPolicy ,
331+ dpConfig := dataplane.Config {
332+ FailOpen : true ,
333+ QueueID : 102 ,
334+ NFTableName : "kindnet-network-policies" ,
335+ NetfilterBug1766Fix : true ,
340336 }
341337
342- var npaClient * npaclient.Clientset
343- var npaInformerFactory npainformers.SharedInformerFactory
344- var nodeInformer v1.NodeInformer
345- if adminNetworkPolicy || baselineAdminNetworkPolicy {
346- nodeInformer = informersFactory .Core ().V1 ().Nodes ()
347- npaClient , err = npaclient .NewForConfig (npaConfig )
348- if err != nil {
349- klog .Fatalf ("Failed to create Network client: %v" , err )
338+ nsInformer := informersFactory .Core ().V1 ().Namespaces ()
339+ networkPolicyInfomer := informersFactory .Networking ().V1 ().NetworkPolicies ()
340+ podInformer := informersFactory .Core ().V1 ().Pods ()
341+ // Set the memory-saving transform function on the pod informer.
342+ err = podInformer .Informer ().SetTransform (func (obj interface {}) (interface {}, error ) {
343+ if accessor , err := meta .Accessor (obj ); err == nil {
344+ accessor .SetManagedFields (nil )
350345 }
351- npaInformerFactory = npainformers .NewSharedInformerFactory (npaClient , 0 )
346+ return obj , nil
347+ })
348+ if err != nil {
349+ klog .Fatalf ("Failed to set pod informer transform: %v" , err )
350+ }
351+ // Create the Pod IP resolvers.
352+ // First, given an IP address they return the Pod name/namespace.
353+ informerResolver , err := podinfo .NewInformerResolver (podInformer .Informer ())
354+ if err != nil {
355+ klog .Fatalf ("Failed to create informer resolver: %v" , err )
352356 }
353- var anpInformer v1alpha1.AdminNetworkPolicyInformer
354- if adminNetworkPolicy {
355- anpInformer = npaInformerFactory .Policy ().V1alpha1 ().AdminNetworkPolicies ()
357+ resolvers := []podinfo.IPResolver {informerResolver }
358+
359+ // Create an NRI Pod IP resolver if enabled, since NRI connects to the container runtime
360+ // the Pod and IP information is provided at the time the Pod Sandbox is created and before
361+ // the containers start running, so policies can be enforced without race conditions.
362+ if ! disableNRI {
363+ nriIPResolver , err := podinfo .NewNRIResolver (ctx , nodeName , nil )
364+ if err != nil {
365+ klog .Infof ("failed to create NRI plugin, using apiserver information only: %v" , err )
366+ }
367+ resolvers = append (resolvers , nriIPResolver )
356368 }
357- var banpInformer v1alpha1.BaselineAdminNetworkPolicyInformer
358- if baselineAdminNetworkPolicy {
359- banpInformer = npaInformerFactory .Policy ().V1alpha1 ().BaselineAdminNetworkPolicies ()
369+
370+ // Create the pod info provider to obtain the Pod information
371+ // necessary for the network policy evaluation, it uses the resolvers
372+ // to obtain the key (Pod name and namespace) and use the informers to obtain
373+ // the labels that are necessary to match the network policies.
374+ podInfoProvider := podinfo .NewInformerProvider (
375+ podInformer ,
376+ nsInformer ,
377+ nil ,
378+ resolvers )
379+
380+ // Create the evaluators for the Pipeline to process the packets
381+ // and take a network policy action. The evaluators are processed
382+ // by the order in the array.
383+ evaluators := []api.PolicyEvaluator {}
384+
385+ // Logging evaluator must go first if enabled.
386+ if klog .V (2 ).Enabled () {
387+ evaluators = append (evaluators , networkpolicy .NewLoggingPolicy ())
360388 }
361389
362- networkPolicyController , err := networkpolicy .NewController (
363- clientset ,
364- informersFactory .Networking ().V1 ().NetworkPolicies (),
365- informersFactory .Core ().V1 ().Namespaces (),
366- informersFactory .Core ().V1 ().Pods (),
367- nodeInformer ,
368- npaClient ,
369- anpInformer ,
370- banpInformer ,
371- cfg )
390+ // Standard Network Policy goes after AdminNetworkPolicy and before BaselineAdminNetworkPolicy
391+ evaluators = append (evaluators , networkpolicy .NewStandardNetworkPolicy (
392+ nodeName ,
393+ nsInformer ,
394+ podInformer ,
395+ networkPolicyInfomer ,
396+ ))
397+
398+ policyEngine := networkpolicy .NewPolicyEngine (podInfoProvider , evaluators )
399+
400+ // Start dataplane controller
401+ networkPolicyController , err := dataplane .NewController (
402+ policyEngine ,
403+ dpConfig ,
404+ )
372405 if err != nil {
373- klog .Infof ("Error creating network policy controller: %v, skipping network policies" , err )
374- } else {
375- go func () {
376- _ = networkPolicyController .Run (ctx )
377- }()
406+ klog .ErrorS (err , "failed to create dataplane controller" )
407+ // It's better to crash loud
408+ panic (err )
378409 }
410+ go func () {
411+ if err := networkPolicyController .Run (ctx ); err != nil {
412+ utilruntime .HandleError (fmt .Errorf ("dataplane controller failed: %w" , err ))
413+ }
414+ }()
379415 }
380416
381417 // start conntrack metrics agent
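Review bot: The NRI branch appends `nriIPResolver` to `resolvers` even when `podinfo.NewNRIResolver` returned an error, so — assuming the constructor follows the usual convention of returning a nil value alongside the error — a nil resolver is handed to `NewInformerProvider` and the first IP lookup that reaches it will dereference it, rather than falling back to apiserver information as the log line promises. Move the append into the success path: `} else {` / `resolvers = append(resolvers, nriIPResolver)` / `}`. The comment above the standard-policy append still says it goes after AdminNetworkPolicy and before BaselineAdminNetworkPolicy, but this hunk removes both evaluators, so it should instead note that the standard evaluator is currently the only policy evaluator after the optional logging one. Separately, creation failure panics while a failure of `Run` is only reported via `utilruntime.HandleError` and nothing restarts the controller, so the node quietly continues with no policy enforcement; treating that path the same way as the creation failure, or at least surfacing it through a metric, would make the outage visible. The enclosing `main` continues outside the hunk.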