Add egressFirewall objects

This object works on a namespace and blocks egress traffic from all the pods in a namespace to the specified cidr ranges Signed-off-by: Jacob Tanenbaum <jtanenba@redhat.com>
ovn-org · Jun 22, 2020 · e8aec05 · e8aec05
1 parent 5fda092
commit e8aec05
Show file tree

Hide file tree

Showing 9 changed files with 1,009 additions and 31 deletions.
diff --git a/go-controller/cmd/ovnkube/ovnkube.go b/go-controller/cmd/ovnkube/ovnkube.go
@@ -188,13 +188,13 @@ func runOvnKube(ctx *cli.Context) error {
 		return fmt.Errorf("failed to initialize exec helper: %v", err)
 	}
 
-	clientset, err := util.NewClientset(&config.Kubernetes)
+	clientset, egressFirewallClientset, err := util.NewClientset(&config.Kubernetes)
 	if err != nil {
 		return err
 	}
 
 	// create factory and start the controllers asked for
-	factory, err := factory.NewWatchFactory(clientset)
+	factory, err := factory.NewWatchFactory(clientset, egressFirewallClientset)
 	if err != nil {
 		return err
 	}

diff --git a/go-controller/go.sum b/go-controller/go.sum
@@ -200,6 +200,7 @@ github.com/onsi/gomega v1.8.1/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoT
 github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
 github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/ovn-org/ovn-kubernetes v0.3.11 h1:xlSdIlvbiz/61WLKER8ovEYwvGAXpUlsneCppHYogBw=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
@@ -400,6 +401,7 @@ k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
 k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
 k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a h1:UcxjrRMyNx/i/y8G7kPvLyy7rfbeuf1PYyBf973pgyU=
 k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
+k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk=
 k8s.io/utils v0.0.0-20191114184206-e782cd3c129f h1:GiPwtSzdP43eI1hpPCbROQCCIgCuiMMNF8YUVLF3vJo=
 k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
 sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=

diff --git a/go-controller/hybrid-overlay/cmd/hybrid-overlay-node/hybrid-overlay-node.go b/go-controller/hybrid-overlay/cmd/hybrid-overlay-node/hybrid-overlay-node.go
@@ -83,7 +83,7 @@ func runHybridOverlay(ctx *cli.Context) error {
 		return fmt.Errorf("missing node name; use the 'node' flag to provide one")
 	}
 
-	clientset, err := util.NewClientset(&config.Kubernetes)
+	clientset, _, err := util.NewClientset(&config.Kubernetes)
 	if err != nil {
 		return err
 	}

diff --git a/go-controller/pkg/factory/factory.go b/go-controller/pkg/factory/factory.go
@@ -10,6 +10,12 @@ import (
 
 	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/metrics"
 
+	egressfirewallapi "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/crd/egressfirewall/v1"
+	egressfirewallclientset "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/crd/egressfirewall/v1/apis/clientset/versioned"
+	egressfirewallscheme "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/crd/egressfirewall/v1/apis/clientset/versioned/scheme"
+	egressfirewallinformerfactory "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/crd/egressfirewall/v1/apis/informers/externalversions"
+	egressfirewalllister "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/crd/egressfirewall/v1/apis/listers/egressfirewall/v1"
+
 	kapi "k8s.io/api/core/v1"
 	knet "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -111,6 +117,7 @@ func (i *informer) forEachHandler(obj interface{}, f func(h *Handler)) {
 }
 
 func (i *informer) addHandler(id uint64, filterFunc func(obj interface{}) bool, funcs cache.ResourceEventHandler, existingItems []interface{}) *Handler {
+
 	handler := &Handler{
 		cache.FilteringResourceEventHandler{
 			FilterFunc: filterFunc,
@@ -300,6 +307,8 @@ func newInformerLister(oType reflect.Type, sharedInformer cache.SharedIndexInfor
 		return listers.NewNodeLister(sharedInformer.GetIndexer()), nil
 	case policyType:
 		return nil, nil
+	case egressFirewallType:
+		return egressfirewalllister.NewEgressFirewallLister(sharedInformer.GetIndexer()), nil
 	}
 
 	return nil, fmt.Errorf("cannot create lister from type %v", oType)
@@ -391,6 +400,7 @@ type WatchFactory struct {
 	handlerCounter uint64
 
 	iFactory  informerfactory.SharedInformerFactory
+	efFactory egressfirewallinformerfactory.SharedInformerFactory
 	informers map[reflect.Type]*informer
 
 	stopChan chan struct{}
@@ -423,27 +433,35 @@ const (
 )
 
 var (
-	podType       reflect.Type = reflect.TypeOf(&kapi.Pod{})
-	serviceType   reflect.Type = reflect.TypeOf(&kapi.Service{})
-	endpointsType reflect.Type = reflect.TypeOf(&kapi.Endpoints{})
-	policyType    reflect.Type = reflect.TypeOf(&knet.NetworkPolicy{})
-	namespaceType reflect.Type = reflect.TypeOf(&kapi.Namespace{})
-	nodeType      reflect.Type = reflect.TypeOf(&kapi.Node{})
+	podType            reflect.Type = reflect.TypeOf(&kapi.Pod{})
+	serviceType        reflect.Type = reflect.TypeOf(&kapi.Service{})
+	endpointsType      reflect.Type = reflect.TypeOf(&kapi.Endpoints{})
+	policyType         reflect.Type = reflect.TypeOf(&knet.NetworkPolicy{})
+	namespaceType      reflect.Type = reflect.TypeOf(&kapi.Namespace{})
+	nodeType           reflect.Type = reflect.TypeOf(&kapi.Node{})
+	egressFirewallType reflect.Type = reflect.TypeOf(&egressfirewallapi.EgressFirewall{})
 )
 
 // NewWatchFactory initializes a new watch factory
-func NewWatchFactory(c kubernetes.Interface) (*WatchFactory, error) {
+func NewWatchFactory(c kubernetes.Interface, ec egressfirewallclientset.Interface) (*WatchFactory, error) {
 	// resync time is 12 hours, none of the resources being watched in ovn-kubernetes have
 	// any race condition where a resync may be required e.g. cni executable on node watching for
 	// events on pods and assuming that an 'ADD' event will contain the annotations put in by
 	// ovnkube master (currently, it is just a 'get' loop)
 	// the downside of making it tight (like 10 minutes) is needless spinning on all resources
 	wf := &WatchFactory{
 		iFactory:  informerfactory.NewSharedInformerFactory(c, resyncInterval),
+		efFactory: egressfirewallinformerfactory.NewSharedInformerFactory(ec, resyncInterval),
 		informers: make(map[reflect.Type]*informer),
 		stopChan:  make(chan struct{}),
 	}
 	var err error
+
+	err = egressfirewallapi.AddToScheme(egressfirewallscheme.Scheme)
+	if err != nil {
+		return nil, err
+	}
+
 	// Create shared informers we know we'll use
 	wf.informers[podType], err = newQueuedInformer(podType, wf.iFactory.Core().V1().Pods().Informer(), wf.stopChan)
 	if err != nil {
@@ -465,10 +483,15 @@ func NewWatchFactory(c kubernetes.Interface) (*WatchFactory, error) {
 	if err != nil {
 		return nil, err
 	}
+	wf.informers[egressFirewallType], err = newInformer(egressFirewallType, wf.efFactory.K8s().V1().EgressFirewalls().Informer())
+	if err != nil {
+		return nil, err
+	}
 	wf.informers[nodeType], err = newQueuedInformer(nodeType, wf.iFactory.Core().V1().Nodes().Informer(), wf.stopChan)
 	if err != nil {
 		return nil, err
 	}
+	wf.efFactory.Start(wf.stopChan)
 
 	wf.iFactory.Start(wf.stopChan)
 	for oType, synced := range wf.iFactory.WaitForCacheSync(wf.stopChan) {
@@ -515,6 +538,10 @@ func getObjectMeta(objType reflect.Type, obj interface{}) (*metav1.ObjectMeta, e
 		if node, ok := obj.(*kapi.Node); ok {
 			return &node.ObjectMeta, nil
 		}
+	case egressFirewallType:
+		if egressFirewall, ok := obj.(*egressfirewallapi.EgressFirewall); ok {
+			return &egressFirewall.ObjectMeta, nil
+		}
 	}
 	return nil, fmt.Errorf("cannot get ObjectMeta from type %v", objType)
 }
@@ -627,6 +654,16 @@ func (wf *WatchFactory) RemovePolicyHandler(handler *Handler) error {
 	return wf.removeHandler(policyType, handler)
 }
 
+// AddEgressFirewallHandler adds a handler function that will be executed on EgressFirewall object changes
+func (wf *WatchFactory) AddEgressFirewallHandler(handlerFuncs cache.ResourceEventHandler, processExisting func([]interface{})) (*Handler, error) {
+	return wf.addHandler(egressFirewallType, "", nil, handlerFuncs, processExisting)
+}
+
+// RemoveEgressFirewallHandler removes an EgressFirewall object event handler function
+func (wf *WatchFactory) RemoveEgressFirewallHandler(handler *Handler) error {
+	return wf.removeHandler(egressFirewallType, handler)
+}
+
 // AddNamespaceHandler adds a handler function that will be executed on Namespace object changes
 func (wf *WatchFactory) AddNamespaceHandler(handlerFuncs cache.ResourceEventHandler, processExisting func([]interface{})) (*Handler, error) {
 	return wf.addHandler(namespaceType, "", nil, handlerFuncs, processExisting)