adding egressFirewall #1432
adding egressFirewall #1432
Conversation
JacobTanenbaum
force-pushed
the
egressFirewall
branch
2 times, most recently
from
39e07bb
to
d0295ae
Compare
JacobTanenbaum
force-pushed
the
egressFirewall
branch
2 times, most recently
from
2813299
to
bdf5b2d
Compare
|
For anyone playing along at home, Girish asked for some documentation on the EgressFirewall feature which Jacob will write and add to this PR. |
JacobTanenbaum
force-pushed
the
egressFirewall
branch
3 times, most recently
from
d6b2529
to
ea74a37
Compare
JacobTanenbaum
force-pushed
the
egressFirewall
branch
5 times, most recently
from
17b8051
to
7bd6b60
Compare
|
@JacobTanenbaum : you should add a config parameter for this. I don't suspect everyone using ovn-kubernetes to use egress firewall, so this code should not impact them. Could you add a config parameter, as done here: 8801fe5 and then enable that parameter for testing, as done here: 627aac7 I will go over your PR in detail later on. But I saw this and wanted to tell you |
JacobTanenbaum
force-pushed
the
egressFirewall
branch
6 times, most recently
from
6651a5b
to
e562133
Compare
| // EgressFirewallSpec is a desired state description of EgressFirewall. | ||
| type EgressFirewallSpec struct { | ||
| // a collection of egress firewall rule objects | ||
| Rules []EgressFirewallRule `json:"egress"` |
There was a problem hiding this comment.
The field name and the json name should match. It's too confusing otherwise.
go-controller/cmd/ovnkube/ovnkube.go
Outdated
| @@ -189,13 +189,13 @@ func runOvnKube(ctx *cli.Context) error { | |||
| return fmt.Errorf("failed to initialize exec helper: %v", err) | |||
| } | |||
|
|
|||
| clientset, err := util.NewClientset(&config.Kubernetes) | |||
| clientset, egressFirewallClientset, err := util.NewClientsets(&config.Kubernetes) | |||
There was a problem hiding this comment.
as with the comments I made on the egress IP bug this doesn't seem like a very clean / future-feature-friendly way of doing this. (And this PR is going to end up conflicting with the egress IP one here).
Though in contrast to that PR, this one does a much better job of keeping the egress-firewall-specific controller code separate from the generic controller code
There was a problem hiding this comment.
there is an issue to address this and make a generic APIClient in the future #1528
JacobTanenbaum
force-pushed
the
egressFirewall
branch
4 times, most recently
from
c72ec2a
to
eeeb891
Compare
edits to go-controller/hack/update-codegen.sh to correctly generate files specific to egressFirewall and changes to the linter to skip the directory for the generated egressFirewall code Signed-off-by: Jacob Tanenbaum <jtanenba@redhat.com>
Signed-off-by: Jacob Tanenbaum <jtanenba@redhat.com>
Signed-off-by: Jacob Tanenbaum <jtanenba@redhat.com>
JacobTanenbaum
force-pushed
the
egressFirewall
branch
2 times, most recently
from
69f79b4
to
954ee83
Compare
This object works on a namespace and blocks egress traffic from all the pods in a namespace to the specified cidr ranges Signed-off-by: Jacob Tanenbaum <jtanenba@redhat.com>
Signed-off-by: Jacob Tanenbaum <jtanenba@redhat.com>
Signed-off-by: Jacob Tanenbaum <jtanenba@redhat.com>
Signed-off-by: Jacob Tanenbaum <jtanenba@redhat.com>
Signed-off-by: Jacob Tanenbaum <jtanenba@redhat.com>
in order to watch CRDs k8s.io/apiextensions-apiserver needs to be added commited the output of go get k8s.io/apiextensions-apiserver go mod vendor Signed-off-by: Jacob Tanenbaum <jtanenba@redhat.com>
this will prevent the lister and informers from throwing errors. The egressFirewallWatcher is dynamically created when the CRD is added Signed-off-by: Jacob Tanenbaum <jtanenba@redhat.com>
JacobTanenbaum
force-pushed
the
egressFirewall
branch
from
954ee83
to
81ae98f
Compare
Fix product build issue with more straight forward bash
- What this PR does and why is it needed
This PR adds an egressFirewall object that works on a namespace and allows a cluster administrator to allow or deny traffic to external resources as specified by the cidr selector.
for example:
will deny all sctp traffic leaving from all pods on the namespace it was applied to
- Special notes for reviewers
This will be followed up with the option to allow rules to a dns name, adding the dns name resolution code will require a decent amount more code and it would be beneficial to get this reviewed and on the path to merging as this is the base functionality.
In the future there will need to be an admission controller that validates that there is only one in a namespace, for now the egressFirewall logs an error if the attempt is made to add a second egressFirewall to namespace.
- How to verify it
included is a full set of unit tests
manually test functionality:
build a cluster
apply the crd
create an egressfirewall rule
attempt to curl the specified cidr address
- Description for the changelog
adding the egressfirewall crd that will allow a cluster admin to restrict traffic leaving the cluster