diff --git a/cmd/routed-eni-cni-plugin/cni.go b/cmd/routed-eni-cni-plugin/cni.go
index 0e38f65b23..809a411433 100644
--- a/cmd/routed-eni-cni-plugin/cni.go
+++ b/cmd/routed-eni-cni-plugin/cni.go
@@ -42,10 +42,13 @@ import (
 	"github.com/aws/amazon-vpc-cni-k8s/pkg/utils/cniutils"
 	"github.com/aws/amazon-vpc-cni-k8s/pkg/utils/logger"
 	pb "github.com/aws/amazon-vpc-cni-k8s/rpc"
+	"github.com/aws/amazon-vpc-cni-k8s/utils"
 )
 const ipamdAddress = "127.0.0.1:50051"
+const npAgentAddress = "127.0.0.1:50052"
+
 const dummyInterfacePrefix = "dummy"
 var version string
@@ -276,6 +279,34 @@ func add(args *skel.CmdArgs, cniTypes typeswrapper.CNITYPES, grpcClient grpcwrap
 	// dummy interface is appended to PrevResult for use during cleanup
 	result.Interfaces = append(result.Interfaces, dummyInterface)
+	if utils.IsStrictMode(r.NetworkPolicyMode) {
+		// Set up a connection to the network policy agent
+		npConn, err := grpcClient.Dial(npAgentAddress, grpc.WithTransportCredentials(insecure.NewCredentials()))
+		if err != nil {
+			log.Errorf("Failed to connect to network policy agent: %v", err)
+			return errors.Wrap(err, "add cmd: failed to connect to network policy agent backend server")
+		}
+		defer npConn.Close()
+
+		//Make a GRPC call for network policy agent
+		npc := rpcClient.NewNPBackendClient(npConn)
+
+		npr, err := npc.EnforceNpToPod(context.Background(),
+			&pb.EnforceNpRequest{
+				K8S_POD_NAME:      string(k8sArgs.K8S_POD_NAME),
+				K8S_POD_NAMESPACE: string(k8sArgs.K8S_POD_NAMESPACE),
+			})
+
+		// No need to cleanup IP and network, kubelet will send delete.
+		if err != nil || !npr.Success {
+			log.Errorf("Failed to setup default network policy for Pod Name %s and NameSpace %s: GRPC returned - %v Network policy agent returned - %v",
+				string(k8sArgs.K8S_POD_NAME), string(k8sArgs.K8S_POD_NAMESPACE), err, npr)
+			return errors.New("add cmd: failed to setup network policy in strict mode")
+		}
+
+		log.Debugf("Network Policy agent returned Success : %v", npr.Success)
+	}
+
 	return cniTypes.PrintResult(result, conf.CNIVersion)
 }
diff --git a/cmd/routed-eni-cni-plugin/cni_test.go b/cmd/routed-eni-cni-plugin/cni_test.go
index 9b988375c5..eaa3c70a12 100644
--- a/cmd/routed-eni-cni-plugin/cni_test.go
+++ b/cmd/routed-eni-cni-plugin/cni_test.go
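Review bot: The `npc.EnforceNpToPod(context.Background(), ...)` call carries no deadline, so a wedged or unresponsive network policy agent blocks this CNI ADD — and with it the kubelet's sandbox creation — indefinitely; nothing in the hunk bounds it, and it is unclear whether the dial options do. Derive a bounded context before the call, `ctx, cancel := context.WithTimeout(context.Background(), <NP_AGENT_TIMEOUT_PLACEHOLDER>)` followed by `defer cancel()`, and pass `ctx` instead. The failure branch also throws away the gRPC error with `errors.New(...)` after logging it; `errors.Wrap(err, "add cmd: failed to setup network policy in strict mode")` keeps the cause on the returned error, matching the connect-failure branch above it (when `err` is nil and only `npr.Success` is false, `errors.New` is still appropriate). The enclosing `add` starts outside the hunk.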
@@ -94,7 +94,7 @@ func TestCmdAdd(t *testing.T) {
 	mockC := mock_rpc.NewMockCNIBackendClient(ctrl)
 	mocksRPC.EXPECT().NewCNIBackendClient(conn).Return(mockC)
-	addNetworkReply := &rpc.AddNetworkReply{Success: true, IPv4Addr: ipAddr, DeviceNumber: devNum}
+	addNetworkReply := &rpc.AddNetworkReply{Success: true, IPv4Addr: ipAddr, DeviceNumber: devNum, NetworkPolicyMode: "none"}
 	mockC.EXPECT().AddNetwork(gomock.Any(), gomock.Any()).Return(addNetworkReply, nil)
 	v4Addr := &net.IPNet{
@@ -110,6 +110,92 @@ func TestCmdAdd(t *testing.T) {
 	assert.Nil(t, err)
 }
+func TestCmdAddWithNPenabled(t *testing.T) {
+	ctrl, mocksTypes, mocksGRPC, mocksRPC, mocksNetwork := setup(t)
+	defer ctrl.Finish()
+
+	stdinData, _ := json.Marshal(netConf)
+
+	cmdArgs := &skel.CmdArgs{ContainerID: containerID,
+		Netns:     netNS,
+		IfName:    ifName,
+		StdinData: stdinData}
+
+	mocksTypes.EXPECT().LoadArgs(gomock.Any(), gomock.Any()).Return(nil)
+
+	conn, _ := grpc.Dial(ipamdAddress, grpc.WithInsecure())
+
+	mocksGRPC.EXPECT().Dial(gomock.Any(), gomock.Any()).Return(conn, nil)
+	mockC := mock_rpc.NewMockCNIBackendClient(ctrl)
+	mocksRPC.EXPECT().NewCNIBackendClient(conn).Return(mockC)
+
+	npConn, _ := grpc.Dial(npAgentAddress, grpc.WithInsecure())
+
+	mocksGRPC.EXPECT().Dial(gomock.Any(), gomock.Any()).Return(npConn, nil)
+	mockNP := mock_rpc.NewMockNPBackendClient(ctrl)
+	mocksRPC.EXPECT().NewNPBackendClient(npConn).Return(mockNP)
+
+	addNetworkReply := &rpc.AddNetworkReply{Success: true, IPv4Addr: ipAddr, DeviceNumber: devNum, NetworkPolicyMode: "strict"}
+	mockC.EXPECT().AddNetwork(gomock.Any(), gomock.Any()).Return(addNetworkReply, nil)
+
+	enforceNpReply := &rpc.EnforceNpReply{Success: true}
+	mockNP.EXPECT().EnforceNpToPod(gomock.Any(), gomock.Any()).Return(enforceNpReply, nil)
+
+	v4Addr := &net.IPNet{
+		IP:   net.ParseIP(addNetworkReply.IPv4Addr),
+		Mask: net.IPv4Mask(255, 255, 255, 255),
+	}
+	mocksNetwork.EXPECT().SetupPodNetwork(gomock.Any(), cmdArgs.IfName, cmdArgs.Netns,
+		v4Addr, nil, int(addNetworkReply.DeviceNumber), gomock.Any(), gomock.Any()).Return(nil)
+
+	mocksTypes.EXPECT().PrintResult(gomock.Any(), gomock.Any()).Return(nil)
+
+	err := add(cmdArgs, mocksTypes, mocksGRPC, mocksRPC, mocksNetwork)
+	assert.Nil(t, err)
+}
+
+func TestCmdAddWithNPenabledWithErr(t *testing.T) {
+	ctrl, mocksTypes, mocksGRPC, mocksRPC, mocksNetwork := setup(t)
+	defer ctrl.Finish()
+
+	stdinData, _ := json.Marshal(netConf)
+
+	cmdArgs := &skel.CmdArgs{ContainerID: containerID,
+		Netns:     netNS,
+		IfName:    ifName,
+		StdinData: stdinData}
+
+	mocksTypes.EXPECT().LoadArgs(gomock.Any(), gomock.Any()).Return(nil)
+
+	conn, _ := grpc.Dial(ipamdAddress, grpc.WithInsecure())
+
+	mocksGRPC.EXPECT().Dial(gomock.Any(), gomock.Any()).Return(conn, nil)
+	mockC := mock_rpc.NewMockCNIBackendClient(ctrl)
+	mocksRPC.EXPECT().NewCNIBackendClient(conn).Return(mockC)
+
+	npConn, _ := grpc.Dial(npAgentAddress, grpc.WithInsecure())
+
+	mocksGRPC.EXPECT().Dial(gomock.Any(), gomock.Any()).Return(npConn, nil)
+	mockNP := mock_rpc.NewMockNPBackendClient(ctrl)
+	mocksRPC.EXPECT().NewNPBackendClient(npConn).Return(mockNP)
+
+	addNetworkReply := &rpc.AddNetworkReply{Success: true, IPv4Addr: ipAddr, DeviceNumber: devNum, NetworkPolicyMode: "strict"}
+	mockC.EXPECT().AddNetwork(gomock.Any(), gomock.Any()).Return(addNetworkReply, nil)
+
+	enforceNpReply := &rpc.EnforceNpReply{Success: false}
+	mockNP.EXPECT().EnforceNpToPod(gomock.Any(), gomock.Any()).Return(enforceNpReply, errors.New("Error on EnforceNpReply"))
+
+	v4Addr := &net.IPNet{
+		IP:   net.ParseIP(addNetworkReply.IPv4Addr),
+		Mask: net.IPv4Mask(255, 255, 255, 255),
+	}
+	mocksNetwork.EXPECT().SetupPodNetwork(gomock.Any(), cmdArgs.IfName, cmdArgs.Netns,
+		v4Addr, nil, int(addNetworkReply.DeviceNumber), gomock.Any(), gomock.Any()).Return(nil)
+
+	err := add(cmdArgs, mocksTypes, mocksGRPC, mocksRPC, mocksNetwork)
+	assert.Error(t, err)
+}
+
 func TestCmdAddNetworkErr(t *testing.T) {
 	ctrl, mocksTypes, mocksGRPC, mocksRPC, mocksNetwork := setup(t)
 	defer ctrl.Finish()
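Review bot: `TestCmdAddWithNPenabledWithErr` has the `EnforceNpToPod` mock return both `Success: false` and a non-nil error, so the `!npr.Success` branch of the strict-mode check in `add` — agent reachable and answering, but reporting that the default policy could not be applied — is never exercised on its own. A further case with `enforceNpReply := &rpc.EnforceNpReply{Success: false}` returned alongside a `nil` error would pin that path, which is the one that decides whether a pod is admitted without its policy in place; a case where `mocksGRPC.EXPECT().Dial(...)` for the agent returns an error would cover the connect-failure branch. The two new tests are also line-for-line copies apart from the mocked reply; a table-driven test taking the reply/error pair as input would keep them from drifting.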
@@ -129,7 +215,7 @@ func TestCmdAddNetworkErr(t *testing.T) {
 	mockC := mock_rpc.NewMockCNIBackendClient(ctrl)
 	mocksRPC.EXPECT().NewCNIBackendClient(conn).Return(mockC)
-	addNetworkReply := &rpc.AddNetworkReply{Success: false, IPv4Addr: ipAddr, DeviceNumber: devNum}
+	addNetworkReply := &rpc.AddNetworkReply{Success: false, IPv4Addr: ipAddr, DeviceNumber: devNum, NetworkPolicyMode: "none"}
 	mockC.EXPECT().AddNetwork(gomock.Any(), gomock.Any()).Return(addNetworkReply, errors.New("Error on AddNetworkReply"))
 	err := add(cmdArgs, mocksTypes, mocksGRPC, mocksRPC, mocksNetwork)
@@ -156,7 +242,7 @@ func TestCmdAddErrSetupPodNetwork(t *testing.T) {
 	mockC := mock_rpc.NewMockCNIBackendClient(ctrl)
 	mocksRPC.EXPECT().NewCNIBackendClient(conn).Return(mockC)
-	addNetworkReply := &rpc.AddNetworkReply{Success: true, IPv4Addr: ipAddr, DeviceNumber: devNum}
+	addNetworkReply := &rpc.AddNetworkReply{Success: true, IPv4Addr: ipAddr, DeviceNumber: devNum, NetworkPolicyMode: "none"}
 	mockC.EXPECT().AddNetwork(gomock.Any(), gomock.Any()).Return(addNetworkReply, nil)
 	addr := &net.IPNet{
@@ -292,7 +378,7 @@ func TestCmdAddForPodENINetwork(t *testing.T) {
 	mocksRPC.EXPECT().NewCNIBackendClient(conn).Return(mockC)
 	addNetworkReply := &rpc.AddNetworkReply{Success: true, IPv4Addr: ipAddr, PodENISubnetGW: "10.0.0.1", PodVlanId: 1,
-		PodENIMAC: "eniHardwareAddr", ParentIfIndex: 2}
+		PodENIMAC: "eniHardwareAddr", ParentIfIndex: 2, NetworkPolicyMode: "none"}
 	mockC.EXPECT().AddNetwork(gomock.Any(), gomock.Any()).Return(addNetworkReply, nil)
 	addr := &net.IPNet{
diff --git a/pkg/ipamd/ipamd.go b/pkg/ipamd/ipamd.go
index 4698f20081..0a5913c7bf 100644
--- a/pkg/ipamd/ipamd.go
+++ b/pkg/ipamd/ipamd.go
@@ -176,6 +176,10 @@ const (
 	// aws error codes for insufficient IP address scenario
 	INSUFFICIENT_CIDR_BLOCKS    = "InsufficientCidrBlocks"
 	INSUFFICIENT_FREE_IP_SUBNET = "InsufficientFreeAddressesInSubnet"
+
+	// envEnableNetworkPolicy is used to enable IPAMD/CNI to send pod create events to network policy agent.
+	envNetworkPolicyMode     = "NETWORK_POLICY_ENFORCING_MODE"
+	defaultNetworkPolicyMode = "standard"
 )
 var log = logger.Get()
@@ -219,6 +223,7 @@ type IPAMContext struct {
 	enableManageUntaggedMode bool
 	enablePodIPAnnotation    bool
 	maxPods                  int // maximum number of pods that can be scheduled on the node
+	networkPolicyMode        string
 }
 // setUnmanagedENIs will rebuild the set of ENI IDs for ENIs tagged as "no_manage"
@@ -350,6 +355,11 @@ func New(k8sClient client.Client) (*IPAMContext, error) {
 	c.enablePodIPAnnotation = enablePodIPAnnotation()
 	c.numNetworkCards = len(c.awsClient.GetNetworkCards())
+	c.networkPolicyMode, err = getNetworkPolicyMode()
+	if err != nil {
+		return nil, err
+	}
+
 	err = c.awsClient.FetchInstanceTypeLimits()
 	if err != nil {
 		log.Errorf("Failed to get ENI limits from file:vpc_ip_limits or EC2 for %s", c.awsClient.GetInstanceType())
@@ -1735,6 +1745,16 @@ func enablePodENI() bool {
 	return utils.GetBoolAsStringEnvVar(envEnablePodENI, false)
 }
+func getNetworkPolicyMode() (string, error) {
+	if value := os.Getenv(envNetworkPolicyMode); value != "" {
+		if utils.IsValidNetworkPolicyEnforcingMode(value) {
+			return value, nil
+		}
+		return "", errors.New("invalid Network policy mode, supported modes: none, strict, standard")
+	}
+	return defaultNetworkPolicyMode, nil
+}
+
 func usePrefixDelegation() bool {
 	return utils.GetBoolAsStringEnvVar(envEnableIpv4PrefixDelegation, false)
 }
diff --git a/pkg/ipamd/rpc_handler.go b/pkg/ipamd/rpc_handler.go
index e878c53a63..e5c7dcd9db 100644
--- a/pkg/ipamd/rpc_handler.go
+++ b/pkg/ipamd/rpc_handler.go
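Review bot: The doc comment on the new constant names `envEnableNetworkPolicy`, but the identifier declared is `envNetworkPolicyMode`, and it describes an on/off switch for sending pod create events rather than a mode selector, so the comment will mislead anyone grepping for the setting. Suggest `// envNetworkPolicyMode selects the network policy enforcing mode (none, strict, standard); defaultNetworkPolicyMode applies when it is unset.` The `defaultNetworkPolicyMode` constant would also read better as the typed value from the utils package rather than a second copy of the literal `"standard"`, if that package is importable here.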
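Review bot: `getNetworkPolicyMode` validates `value` case-insensitively (the `utils` helper lowercases before comparing) but returns the raw string, so `STRICT` or `Strict` passes validation and is what ipamd stores and later hands to the CNI in `AddNetworkReply`; correctness then depends on every consumer lowercasing again, and any that compares literally will silently treat it as not strict. Canonicalize once at the boundary, `return strings.ToLower(value), nil` (assuming `strings` is already imported in ipamd.go). The error also omits what was rejected; including it, e.g. `fmt.Errorf("invalid network policy mode %q, supported modes: none, strict, standard", value)` or the equivalent formatter from the `errors` package the file imports, tells an operator why ipamd refused to start.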
@@ -216,17 +216,18 @@ func (s *server) AddNetwork(ctx context.Context, in *rpc.AddNetworkRequest) (*rp
 		}
 	}
 	resp := rpc.AddNetworkReply{
-		Success:         err == nil,
-		IPv4Addr:        ipv4Addr,
-		IPv6Addr:        ipv6Addr,
-		DeviceNumber:    int32(deviceNumber),
-		UseExternalSNAT: useExternalSNAT,
-		VPCv4CIDRs:      pbVPCV4cidrs,
-		VPCv6CIDRs:      pbVPCV6cidrs,
-		PodVlanId:       int32(vlanID),
-		PodENIMAC:       branchENIMAC,
-		PodENISubnetGW:  podENISubnetGW,
-		ParentIfIndex:   int32(trunkENILinkIndex),
+		Success:           err == nil,
+		IPv4Addr:          ipv4Addr,
+		IPv6Addr:          ipv6Addr,
+		DeviceNumber:      int32(deviceNumber),
+		UseExternalSNAT:   useExternalSNAT,
+		VPCv4CIDRs:        pbVPCV4cidrs,
+		VPCv6CIDRs:        pbVPCV6cidrs,
+		PodVlanId:         int32(vlanID),
+		PodENIMAC:         branchENIMAC,
+		PodENISubnetGW:    podENISubnetGW,
+		ParentIfIndex:     int32(trunkENILinkIndex),
+		NetworkPolicyMode: s.ipamContext.networkPolicyMode,
 	}
 	log.Infof("Send AddNetworkReply: IPv4Addr: %s, IPv6Addr: %s, DeviceNumber: %d, err: %v",
 		ipv4Addr, ipv6Addr, deviceNumber, err)
diff --git a/rpc/rpc.pb.go b/rpc/rpc.pb.go
index 5dbd80c618..60bbd318a4 100644
--- a/rpc/rpc.pb.go
+++ b/rpc/rpc.pb.go
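Review bot: The reply now carries `NetworkPolicyMode`, but the `log.Infof("Send AddNetworkReply: ...")` line that follows still records only the address fields, so there is no per-pod trace of which enforcement mode the CNI was told to apply. Since this value is what decides whether the CNI contacts the policy agent at all, it belongs in that line, e.g. `"Send AddNetworkReply: IPv4Addr: %s, IPv6Addr: %s, DeviceNumber: %d, NetworkPolicyMode: %s, err: %v", ipv4Addr, ipv6Addr, deviceNumber, s.ipamContext.networkPolicyMode, err`. The enclosing `AddNetwork` starts outside the hunk.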
@@ -119,11 +119,11 @@ type AddNetworkReply struct { VPCv4CIDRs []string `protobuf:"bytes,6,rep,name=VPCv4CIDRs" json:"VPCv4CIDRs,omitempty"` VPCv6CIDRs []string `protobuf:"bytes,12,rep,name=VPCv6CIDRs" json:"VPCv6CIDRs,omitempty"` // start of pod-eni parameters - PodVlanId int32 `protobuf:"varint,7,opt,name=PodVlanId" json:"PodVlanId,omitempty"` - PodENIMAC string `protobuf:"bytes,8,opt,name=PodENIMAC" json:"PodENIMAC,omitempty"` - PodENISubnetGW string `protobuf:"bytes,9,opt,name=PodENISubnetGW" json:"PodENISubnetGW,omitempty"` - ParentIfIndex int32 `protobuf:"varint,10,opt,name=ParentIfIndex" json:"ParentIfIndex,omitempty"` - EnableNetworkPolicy bool `protobuf:"varint,13,opt,name=EnableNetworkPolicy" json:"EnableNetworkPolicy,omitempty"` + PodVlanId int32 `protobuf:"varint,7,opt,name=PodVlanId" json:"PodVlanId,omitempty"` + PodENIMAC string `protobuf:"bytes,8,opt,name=PodENIMAC" json:"PodENIMAC,omitempty"` + PodENISubnetGW string `protobuf:"bytes,9,opt,name=PodENISubnetGW" json:"PodENISubnetGW,omitempty"` + ParentIfIndex int32 `protobuf:"varint,10,opt,name=ParentIfIndex" json:"ParentIfIndex,omitempty"` + NetworkPolicyMode string `protobuf:"bytes,13,opt,name=NetworkPolicyMode" json:"NetworkPolicyMode,omitempty"` } func (m *AddNetworkReply) Reset() { *m = AddNetworkReply{} } @@ -208,11 +208,11 @@ func (m *AddNetworkReply) GetParentIfIndex() int32 { return 0 } -func (m *AddNetworkReply) GetEnableNetworkPolicy() bool { +func (m *AddNetworkReply) GetNetworkPolicyMode() string { if m != nil { - return m.EnableNetworkPolicy + return m.NetworkPolicyMode } - return false + return "" } type DelNetworkRequest struct { 
@@ -337,7 +337,6 @@ func (m *DelNetworkReply) GetPodVlanId() int32 { } type EnforceNpRequest struct { - ClientVersion string `protobuf:"bytes,3,opt,name=ClientVersion" json:"ClientVersion,omitempty"` K8S_POD_NAME string `protobuf:"bytes,1,opt,name=K8S_POD_NAME,json=K8SPODNAME" json:"K8S_POD_NAME,omitempty"` K8S_POD_NAMESPACE string `protobuf:"bytes,2,opt,name=K8S_POD_NAMESPACE,json=K8SPODNAMESPACE" json:"K8S_POD_NAMESPACE,omitempty"` } @@ -347,13 +346,6 @@ func (m *EnforceNpRequest) String() string { return proto.CompactText func (*EnforceNpRequest) ProtoMessage() {} func (*EnforceNpRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{4} } -func (m *EnforceNpRequest) GetClientVersion() string { - if m != nil { - return m.ClientVersion - } - return "" -} - func (m *EnforceNpRequest) GetK8S_POD_NAME() string { if m != nil { return m.K8S_POD_NAME 
@@ -565,46 +557,46 @@ var _NPBackend_serviceDesc = grpc.ServiceDesc{ func init() { proto.RegisterFile("rpc.proto", fileDescriptor0) } var fileDescriptor0 = []byte{ - // 649 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x95, 0xef, 0x4f, 0xd3, 0x40, - 0x18, 0xc7, 0x19, 0x63, 0x63, 0x7b, 0xf8, 0x31, 0x39, 0x70, 0x69, 0x16, 0x63, 0x96, 0xc6, 0x18, - 0xc4, 0x00, 0x06, 0x09, 0x21, 0x6a, 0x4c, 0x4a, 0x5b, 0x4d, 0x43, 0x38, 0x9a, 0x0e, 0x31, 0xf1, - 0xcd, 0xd2, 0x5d, 0x0f, 0x6d, 0xe8, 0xee, 0xea, 0xb5, 0x1b, 0xe0, 0x1f, 0x60, 0xfc, 0x47, 0x7c, - 0xe9, 0x4b, 0xe3, 0xbf, 0x67, 0x76, 0xed, 0x68, 0xd7, 0x21, 0xbc, 0xd1, 0xc4, 0x97, 0xcf, 0xf7, - 0xfb, 0x7c, 0xb7, 0xbb, 0xe7, 0xf9, 0xe4, 0x0a, 0x75, 0x11, 0x92, 0xad, 0x50, 0xf0, 0x98, 0xa3, - 0xb2, 0x08, 0x89, 0xfa, 0x73, 0x16, 0x56, 0x34, 0xcf, 0xc3, 0x34, 0xbe, 0xe0, 0xe2, 0xdc, 0xa1, - 0x9f, 0x07, 0x34, 0x8a, 0xd1, 0x23, 0x58, 0xd2, 0x03, 0x9f, 0xb2, 0xf8, 0x94, 0x8a, 0xc8, 0xe7, - 0x4c, 0xa9, 0xb5, 0x4b, 0xeb, 0x75, 0x67, 0x52, 0x44, 0x6d, 0x58, 0x3c, 0xdc, 0xef, 0x74, 0xed, - 0x63, 0xa3, 0x8b, 0xb5, 0x23, 0x53, 0x29, 0xc9, 0x26, 0x38, 0xdc, 0xef, 0xd8, 0xc7, 0xc6, 0x48, - 0x41, 0x1b, 0xb0, 0x92, 0xef, 0xe8, 0xd8, 0x9a, 0x6e, 0x2a, 0xb3, 0xb2, 0xad, 0x91, 0xb5, 0x49, - 0x19, 0xbd, 0x80, 0xd6, 0xb8, 0xd7, 0xc2, 0x6f, 0x1c, 0xad, 0xab, 0x1f, 0xe3, 0x13, 0xcd, 0xc2, - 0xa6, 0xd3, 0xb5, 0x0c, 0xa5, 0x2c, 0x43, 0xcd, 0x24, 0x24, 0xfd, 0x6b, 0xdb, 0x32, 0x50, 0x1b, - 0x16, 0x74, 0xce, 0x62, 0xd7, 0x67, 0x54, 0x58, 0x86, 0x32, 0x2f, 0x9b, 0xf3, 0x12, 0x6a, 0x42, - 0xd5, 0x3a, 0xc3, 0x6e, 0x9f, 0x2a, 0x15, 0x69, 0xa6, 0xd5, 0x28, 0x99, 0xde, 0x5d, 0x9a, 0xd5, - 0x24, 0x99, 0x93, 0xd0, 0x1a, 0x54, 0x30, 0x8d, 0x59, 0xa4, 0xcc, 0x49, 0x2f, 0x29, 0xd4, 0x1f, - 0x65, 0x68, 0xe4, 0xe7, 0x16, 0x06, 0x57, 0x48, 0x81, 0xf9, 0xce, 0x80, 0x10, 0x1a, 0x45, 0x72, - 0x14, 0x35, 0x67, 0x5c, 0xa2, 0x16, 0xd4, 0x2c, 0x7b, 0xb8, 0xab, 0x79, 0x9e, 0x48, 0xaf, 0x7f, - 0x5d, 0xa7, 0xde, 
0x9e, 0xf4, 0x16, 0xae, 0x3d, 0x59, 0x23, 0x15, 0x16, 0x0d, 0x3a, 0xf4, 0x09, - 0xc5, 0x83, 0x7e, 0x8f, 0x0a, 0x79, 0x84, 0x8a, 0x33, 0xa1, 0xa1, 0x75, 0x68, 0xbc, 0x8b, 0xa8, - 0x79, 0x19, 0x53, 0xc1, 0xdc, 0xa0, 0x83, 0xb5, 0x13, 0x79, 0xc5, 0x9a, 0x53, 0x94, 0xd1, 0x43, - 0x80, 0x53, 0x5b, 0x1f, 0xee, 0xea, 0x96, 0xe1, 0x44, 0x4a, 0xb5, 0x5d, 0x1e, 0x6d, 0x2b, 0x53, - 0xc6, 0xfe, 0x5e, 0xe2, 0x2f, 0x66, 0x7e, 0xa2, 0xa0, 0x07, 0x50, 0xb7, 0xb9, 0x77, 0x1a, 0xb8, - 0xcc, 0xf2, 0xe4, 0x8c, 0x2b, 0x4e, 0x26, 0xa4, 0xae, 0x89, 0xad, 0x23, 0x4d, 0x4f, 0x79, 0xc9, - 0x04, 0xf4, 0x18, 0x96, 0x93, 0xa2, 0x33, 0xe8, 0x31, 0x1a, 0xbf, 0x7d, 0xaf, 0xd4, 0x65, 0x4b, - 0x41, 0x1d, 0x91, 0x67, 0xbb, 0x82, 0xb2, 0xd8, 0x3a, 0xb3, 0x98, 0x47, 0x2f, 0x15, 0x90, 0xff, - 0x33, 0x29, 0xa2, 0x67, 0xb0, 0x6a, 0x32, 0xb7, 0x17, 0xd0, 0x74, 0xfe, 0x36, 0x0f, 0x7c, 0x72, - 0xa5, 0x2c, 0xc9, 0x7b, 0xdf, 0x64, 0xa9, 0xbf, 0x66, 0x61, 0xc5, 0xa0, 0xc1, 0x5d, 0x9c, 0xd7, - 0xff, 0x6f, 0xce, 0x9b, 0x50, 0x75, 0xa8, 0x1b, 0x71, 0x36, 0xa6, 0x38, 0xa9, 0x8a, 0xfc, 0xd7, - 0x6e, 0xe3, 0xbf, 0x7a, 0x1b, 0xff, 0xf3, 0x53, 0xfc, 0xab, 0xdf, 0x4b, 0xd0, 0xc8, 0x4f, 0xee, - 0xef, 0x90, 0x5e, 0xb9, 0x83, 0xf4, 0xf2, 0x0d, 0xa4, 0x4f, 0xf0, 0x37, 0x57, 0xe0, 0x4f, 0xfd, - 0x5a, 0x82, 0x7b, 0x26, 0x3b, 0xe3, 0x82, 0x50, 0x1c, 0xfe, 0x71, 0xc1, 0xe5, 0x7f, 0xbe, 0x60, - 0x75, 0x03, 0x96, 0x73, 0xe7, 0xb8, 0x75, 0x5c, 0x3b, 0xdf, 0x4a, 0x00, 0x3a, 0xb6, 0x0e, 0x5c, - 0x72, 0x4e, 0x99, 0x87, 0x5e, 0x01, 0x64, 0x8f, 0x0a, 0x6a, 0x6e, 0x8d, 0x1e, 0xeb, 0xa9, 0xd7, - 0xb9, 0xb5, 0x36, 0xa5, 0x87, 0xc1, 0x95, 0x3a, 0x33, 0x4a, 0x67, 0x8b, 0x4a, 0xd3, 0x53, 0xcc, - 0xa7, 0xe9, 0xc2, 0x46, 0xd5, 0x99, 0x9d, 0x43, 0xa8, 0x63, 0x7b, 0x7c, 0x90, 0xd7, 0xb9, 0x3b, - 0x9c, 0x70, 0x9b, 0x7b, 0xe8, 0xbe, 0x8c, 0x15, 0x07, 0xdc, 0x5a, 0x2d, 0xca, 0xf2, 0xc7, 0x0e, - 0x9e, 0x7e, 0x78, 0xf2, 0xd1, 0x8f, 0x3f, 0x0d, 0x7a, 0x5b, 0x84, 0xf7, 0xb7, 0xdd, 0x8b, 0x68, - 0xdb, 0xed, 0xbb, 0x5f, 0x38, 0xdb, 0x1c, 0x86, 0x64, 
0x93, 0x30, 0x7f, 0xf3, 0x7c, 0x3f, 0xda, - 0x16, 0x21, 0x79, 0x29, 0x42, 0xd2, 0xab, 0xca, 0xef, 0xd1, 0xf3, 0xdf, 0x01, 0x00, 0x00, 0xff, - 0xff, 0x7d, 0xfe, 0x2f, 0xcb, 0x9c, 0x06, 0x00, 0x00, + // 647 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x95, 0xdf, 0x4e, 0xdb, 0x48, + 0x14, 0xc6, 0x09, 0x21, 0x21, 0x39, 0xfc, 0xc9, 0x66, 0x96, 0x8d, 0xac, 0x68, 0xb5, 0x8a, 0xac, + 0x55, 0x45, 0x69, 0x01, 0x89, 0x22, 0x84, 0xda, 0xaa, 0x92, 0xb1, 0xd3, 0x6a, 0x84, 0x18, 0x2c, + 0x87, 0x52, 0xa9, 0x37, 0xa9, 0x33, 0x1e, 0x5a, 0x0b, 0x67, 0xc6, 0x1d, 0x3b, 0x01, 0xfa, 0x04, + 0x7d, 0x91, 0x5e, 0xf4, 0x01, 0xaa, 0xbe, 0x5e, 0x95, 0xb1, 0x83, 0x1d, 0xa7, 0x82, 0x1b, 0x2e, + 0x7a, 0x79, 0xbe, 0xef, 0x7c, 0xb6, 0xe7, 0x9c, 0x9f, 0xc6, 0x50, 0x97, 0x21, 0xdd, 0x09, 0xa5, + 0x88, 0x05, 0x2a, 0xcb, 0x90, 0xea, 0x3f, 0x16, 0xa1, 0x69, 0x78, 0x1e, 0x61, 0xf1, 0x95, 0x90, + 0x97, 0x0e, 0xfb, 0x3c, 0x62, 0x51, 0x8c, 0xfe, 0x87, 0x35, 0x33, 0xf0, 0x19, 0x8f, 0xcf, 0x99, + 0x8c, 0x7c, 0xc1, 0xb5, 0x5a, 0xa7, 0xb4, 0x59, 0x77, 0x66, 0x45, 0xd4, 0x81, 0xd5, 0xe3, 0xc3, + 0x5e, 0xdf, 0x3e, 0xb5, 0xfa, 0xc4, 0x38, 0xe9, 0x6a, 0x25, 0xd5, 0x04, 0xc7, 0x87, 0x3d, 0xfb, + 0xd4, 0x9a, 0x28, 0x68, 0x0b, 0x9a, 0xf9, 0x8e, 0x9e, 0x6d, 0x98, 0x5d, 0x6d, 0x51, 0xb5, 0x35, + 0xb2, 0x36, 0x25, 0xa3, 0xe7, 0xd0, 0x9e, 0xf6, 0x62, 0xf2, 0xda, 0x31, 0xfa, 0xe6, 0x29, 0x39, + 0x33, 0x30, 0xe9, 0x3a, 0x7d, 0x6c, 0x69, 0x65, 0x15, 0x6a, 0x25, 0x21, 0xe5, 0xdf, 0xda, 0xd8, + 0x42, 0x1d, 0x58, 0x31, 0x05, 0x8f, 0x5d, 0x9f, 0x33, 0x89, 0x2d, 0x6d, 0x59, 0x35, 0xe7, 0x25, + 0xd4, 0x82, 0x2a, 0xbe, 0x20, 0xee, 0x90, 0x69, 0x15, 0x65, 0xa6, 0xd5, 0x24, 0x99, 0x9e, 0x5d, + 0x99, 0xd5, 0x24, 0x99, 0x93, 0xd0, 0x06, 0x54, 0x08, 0x8b, 0x79, 0xa4, 0x2d, 0x29, 0x2f, 0x29, + 0xf4, 0xef, 0x65, 0x68, 0xe4, 0xe7, 0x16, 0x06, 0x37, 0x48, 0x83, 0xe5, 0xde, 0x88, 0x52, 0x16, + 0x45, 0x6a, 0x14, 0x35, 0x67, 0x5a, 0xa2, 0x36, 0xd4, 0xb0, 0x3d, 0xde, 0x37, 0x3c, 
0x4f, 0xa6, + 0xc7, 0xbf, 0xad, 0x53, 0xef, 0x40, 0x79, 0x2b, 0xb7, 0x9e, 0xaa, 0x91, 0x0e, 0xab, 0x16, 0x1b, + 0xfb, 0x94, 0x91, 0xd1, 0x70, 0xc0, 0xa4, 0xfa, 0x84, 0x8a, 0x33, 0xa3, 0xa1, 0x4d, 0x68, 0xbc, + 0x8d, 0x58, 0xf7, 0x3a, 0x66, 0x92, 0xbb, 0x41, 0x8f, 0x18, 0x67, 0xea, 0x88, 0x35, 0xa7, 0x28, + 0xa3, 0xff, 0x00, 0xce, 0x6d, 0x73, 0xbc, 0x6f, 0x62, 0xcb, 0x89, 0xb4, 0x6a, 0xa7, 0x3c, 0xd9, + 0x56, 0xa6, 0x4c, 0xfd, 0x83, 0xc4, 0x5f, 0xcd, 0xfc, 0x44, 0x41, 0xff, 0x42, 0xdd, 0x16, 0xde, + 0x79, 0xe0, 0x72, 0xec, 0xa9, 0x19, 0x57, 0x9c, 0x4c, 0x48, 0xdd, 0x2e, 0xc1, 0x27, 0x86, 0x99, + 0xf2, 0x92, 0x09, 0xe8, 0x11, 0xac, 0x27, 0x45, 0x6f, 0x34, 0xe0, 0x2c, 0x7e, 0xf3, 0x4e, 0xab, + 0xab, 0x96, 0x82, 0x3a, 0x21, 0xcf, 0x76, 0x25, 0xe3, 0x31, 0xbe, 0xc0, 0xdc, 0x63, 0xd7, 0x1a, + 0xa8, 0xf7, 0xcc, 0x8a, 0xe8, 0x29, 0x34, 0xd3, 0xc9, 0xdb, 0x22, 0xf0, 0xe9, 0xcd, 0x89, 0xf0, + 0x98, 0xb6, 0xa6, 0x1e, 0x38, 0x6f, 0xe8, 0x3f, 0x17, 0xa1, 0x69, 0xb1, 0xe0, 0x3e, 0xc6, 0xeb, + 0x7f, 0x36, 0xe3, 0x2d, 0xa8, 0x3a, 0xcc, 0x8d, 0x04, 0x9f, 0x12, 0x9c, 0x54, 0x45, 0xf6, 0x6b, + 0x77, 0xb1, 0x5f, 0xbd, 0x8b, 0xfd, 0xe5, 0x39, 0xf6, 0xf5, 0x6f, 0x25, 0x68, 0xe4, 0x27, 0xf7, + 0x30, 0x94, 0x57, 0xee, 0xa1, 0xbc, 0xfc, 0x1b, 0xca, 0x67, 0xd8, 0x5b, 0x2a, 0xb0, 0xa7, 0x7f, + 0x80, 0xbf, 0xba, 0xfc, 0x42, 0x48, 0xca, 0x48, 0x38, 0xdd, 0xef, 0x83, 0x6e, 0x4e, 0xdf, 0x82, + 0xf5, 0xdc, 0x1b, 0xee, 0x9c, 0xc3, 0xde, 0xd7, 0x12, 0x80, 0x49, 0xf0, 0x91, 0x4b, 0x2f, 0x19, + 0xf7, 0xd0, 0x4b, 0x80, 0xec, 0xa6, 0x40, 0xad, 0x9d, 0xc9, 0x0d, 0x3c, 0x77, 0xe5, 0xb6, 0x37, + 0xe6, 0xf4, 0x30, 0xb8, 0xd1, 0x17, 0x26, 0xe9, 0x6c, 0x03, 0x69, 0x7a, 0x0e, 0xe6, 0x34, 0x5d, + 0x58, 0x95, 0xbe, 0xb0, 0x77, 0x0c, 0x75, 0x62, 0x4f, 0x3f, 0xe4, 0x55, 0xee, 0x0c, 0x67, 0xc2, + 0x16, 0x1e, 0xfa, 0x47, 0xc5, 0x8a, 0xa3, 0x6b, 0xff, 0x5d, 0x94, 0xd5, 0xc3, 0x8e, 0x9e, 0xbc, + 0x7f, 0xfc, 0xd1, 0x8f, 0x3f, 0x8d, 0x06, 0x3b, 0x54, 0x0c, 0x77, 0xdd, 0xab, 0x68, 0xd7, 0x1d, + 0xba, 0x5f, 0x04, 0xdf, 
0x1e, 0x87, 0x74, 0x9b, 0x72, 0x7f, 0xfb, 0xf2, 0x30, 0xda, 0x95, 0x21, + 0x7d, 0x21, 0x43, 0x3a, 0xa8, 0xaa, 0x9f, 0xcc, 0xb3, 0x5f, 0x01, 0x00, 0x00, 0xff, 0xff, 0xa9, + 0x53, 0x1a, 0x0e, 0x71, 0x06, 0x00, 0x00, } diff --git a/rpc/rpc.proto b/rpc/rpc.proto index a5d0735768..6e7322eb12 100644 --- a/rpc/rpc.proto +++ b/rpc/rpc.proto @@ -38,7 +38,7 @@ message AddNetworkReply { int32 ParentIfIndex = 10; // end of pod-eni parameters - bool EnableNetworkPolicy = 13; + string NetworkPolicyMode = 13; // next field: 14 } @@ -73,7 +73,6 @@ service NPBackend { } message EnforceNpRequest { - string ClientVersion = 3; string K8S_POD_NAME = 1; string K8S_POD_NAMESPACE = 2; } diff --git a/utils/utils.go b/utils/utils.go index d121b29162..6f59986eb2 100644 --- a/utils/utils.go +++ b/utils/utils.go @@ -3,6 +3,7 @@ package utils import ( "os" "strconv" + "strings" log "github.com/sirupsen/logrus" ) @@ -42,3 +43,30 @@ func GetEnv(env, defaultVal string) string { } return defaultVal } + +// NetworkPolicyEnforcingMode is the mode of network policy enforcement +type NetworkPolicyEnforcingMode string + +const ( + // None : no network policy enforcement + None NetworkPolicyEnforcingMode = "none" + // Strict : strict network policy enforcement + Strict NetworkPolicyEnforcingMode = "strict" + // Standard :standard network policy enforcement + Standard NetworkPolicyEnforcingMode = "standard" +) + +// IsValidNetworkPolicyEnforcingMode checks if the input string matches any of the enum values +func IsValidNetworkPolicyEnforcingMode(input string) bool { + switch strings.ToLower(input) { + case string(None), string(Strict), string(Standard): + return true + default: + return false + } +} + +// IsStrictMode checks if strict mode is enabled +func IsStrictMode(input string) bool { + return strings.ToLower(input) == string(Strict) +}
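Review bot: Field number 13 in `AddNetworkReply` changes type in place from `bool EnableNetworkPolicy` to `string NetworkPolicyMode`, and `string ClientVersion = 3` is dropped from `EnforceNpRequest` without reserving its number or name. A number reused with a different wire type (varint to length-delimited) will be rejected or misread by any peer still built from the old schema; if the on-host CNI binary and ipamd, or the separate network policy agent receiving `EnforceNpRequest`, can be version-skewed during an upgrade, that shows up as decode failures on the pod-add path. Prefer giving the new string field a fresh number and marking the retired ones, `reserved 13;` / `reserved "EnableNetworkPolicy";` in `AddNetworkReply` and `reserved 3;` / `reserved "ClientVersion";` in `EnforceNpRequest`, then bump the `// next field` comment to match.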
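Review bot: The exported constants `None`, `Strict` and `Standard` are declared in package `utils`, so callers read them as `utils.None` or `utils.Strict`, which says nothing about network policy and will collide with the next tri-state added to the package; `IsStrictMode` and `IsValidNetworkPolicyEnforcingMode` also take a plain `string`, so the new `NetworkPolicyEnforcingMode` type gives no compile-time checking anywhere. Consider prefixing the constants (`NetworkPolicyNone`, `NetworkPolicyStrict`, `NetworkPolicyStandard`). Both helpers lowercase their input before comparing, which their doc comments do not say; `// IsStrictMode reports whether input, compared case-insensitively, is the strict enforcing mode.` would make that contract visible to callers that store or forward the raw value.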