From 7a43f994d92a2394936feed28d5efd645c7776b4 Mon Sep 17 00:00:00 2001 
From: GraysonWu Date: Mon, 21 Dec 2020 11:46:22 -0800 Subject: [PATCH] Support portRange in CRDs (#1557) * Support portRange in CRDs Add `endPort` at jsonPath spec.ingress/egress[*].ports[*].endPort of ACNP and ANP YAML. The internal `Service` will add `endPort` field as well. To support port range, due to ovs format, [port]:[endPort] will be transformed into a list of port/mask with bitwise match. Antrea Agent will do this transformation using a third lib. Add validation, UT, and e2e test. --- build/yamls/antrea-aks.yml | 8 + build/yamls/antrea-eks.yml | 8 + build/yamls/antrea-gke.yml | 8 + build/yamls/antrea-ipsec.yml | 8 + build/yamls/antrea.yml | 8 + build/yamls/base/crds.yml | 8 + docs/antrea-network-policy.md | 12 +- pkg/agent/openflow/network_policy.go | 71 ++- pkg/agent/openflow/network_policy_test.go | 7 +- pkg/agent/openflow/pipeline.go | 6 +- pkg/agent/types/networkpolicy.go | 7 + pkg/antctl/transform/rule/transform.go | 12 +- pkg/apis/controlplane/types.go | 4 + pkg/apis/controlplane/v1beta1/conversion.go | 22 + .../controlplane/v1beta1/conversion_test.go | 26 + .../v1beta1/zz_generated.conversion.go | 55 +- pkg/apis/controlplane/v1beta2/generated.pb.go | 238 ++++---- pkg/apis/controlplane/v1beta2/generated.proto | 5 + pkg/apis/controlplane/v1beta2/types.go | 4 + .../v1beta2/zz_generated.conversion.go | 2 + .../v1beta2/zz_generated.deepcopy.go | 5 + .../controlplane/zz_generated.deepcopy.go | 5 + pkg/apis/security/v1alpha1/types.go | 13 +- .../v1alpha1/zz_generated.deepcopy.go | 5 + pkg/apiserver/openapi/zz_generated.openapi.go | 7 + .../networkpolicy/antreanetworkpolicy_test.go | 152 ++++- .../clusternetworkpolicy_test.go | 170 +++++- pkg/controller/networkpolicy/crd_utils.go | 6 +- .../networkpolicy/crd_utils_test.go | 17 + .../networkpolicy_controller_test.go | 7 +- pkg/controller/networkpolicy/validate.go | 40 ++ test/e2e/antreapolicy_test.go | 553 ++++++++++-------- test/e2e/k8s_util.go | 26 +- test/e2e/utils/anpspecbuilder.go | 16 +- 
test/e2e/utils/cnpspecbuilder.go | 16 +- third_party/networkpolicy/port_range.go | 132 +++++ 36 files changed, 1223 insertions(+), 466 deletions(-) create mode 100644 third_party/networkpolicy/port_range.go diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml index 2ea75fa9400..c72a8b4f66c 100644 --- a/build/yamls/antrea-aks.yml +++ b/build/yamls/antrea-aks.yml @@ -125,6 +125,8 @@ spec: ports: items: properties: + endPort: + type: integer port: x-kubernetes-int-or-string: true protocol: @@ -189,6 +191,8 @@ spec: ports: items: properties: + endPort: + type: integer port: x-kubernetes-int-or-string: true protocol: @@ -359,6 +363,8 @@ spec: ports: items: properties: + endPort: + type: integer port: x-kubernetes-int-or-string: true protocol: @@ -426,6 +432,8 @@ spec: ports: items: properties: + endPort: + type: integer port: x-kubernetes-int-or-string: true protocol: diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml index 5608372bd53..5bc8891f78a 100644 --- a/build/yamls/antrea-eks.yml +++ b/build/yamls/antrea-eks.yml @@ -125,6 +125,8 @@ spec: ports: items: properties: + endPort: + type: integer port: x-kubernetes-int-or-string: true protocol: @@ -189,6 +191,8 @@ spec: ports: items: properties: + endPort: + type: integer port: x-kubernetes-int-or-string: true protocol: @@ -359,6 +363,8 @@ spec: ports: items: properties: + endPort: + type: integer port: x-kubernetes-int-or-string: true protocol: @@ -426,6 +432,8 @@ spec: ports: items: properties: + endPort: + type: integer port: x-kubernetes-int-or-string: true protocol: diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml index d57a1c00337..51f316c82bd 100644 --- a/build/yamls/antrea-gke.yml +++ b/build/yamls/antrea-gke.yml @@ -125,6 +125,8 @@ spec: ports: items: properties: + endPort: + type: integer port: x-kubernetes-int-or-string: true protocol: 
@@ -189,6 +191,8 @@ spec: ports: items: properties: + endPort: + type: integer port: x-kubernetes-int-or-string: true protocol: @@ -359,6 +363,8 @@ spec: ports: items: properties: + endPort: + type: integer port: x-kubernetes-int-or-string: true protocol: @@ -426,6 +432,8 @@ spec: ports: items: properties: + endPort: + type: integer port: x-kubernetes-int-or-string: true protocol: diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml index d4e5fa14ecf..c491fb2e1aa 100644 --- a/build/yamls/antrea-ipsec.yml +++ b/build/yamls/antrea-ipsec.yml @@ -125,6 +125,8 @@ spec: ports: items: properties: + endPort: + type: integer port: x-kubernetes-int-or-string: true protocol: @@ -189,6 +191,8 @@ spec: ports: items: properties: + endPort: + type: integer port: x-kubernetes-int-or-string: true protocol: @@ -359,6 +363,8 @@ spec: ports: items: properties: + endPort: + type: integer port: x-kubernetes-int-or-string: true protocol: @@ -426,6 +432,8 @@ spec: ports: items: properties: + endPort: + type: integer port: x-kubernetes-int-or-string: true protocol: diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml index 007684f16be..c91e44f99b5 100644 --- a/build/yamls/antrea.yml +++ b/build/yamls/antrea.yml @@ -125,6 +125,8 @@ spec: ports: items: properties: + endPort: + type: integer port: x-kubernetes-int-or-string: true protocol: @@ -189,6 +191,8 @@ spec: ports: items: properties: + endPort: + type: integer port: x-kubernetes-int-or-string: true protocol: @@ -359,6 +363,8 @@ spec: ports: items: properties: + endPort: + type: integer port: x-kubernetes-int-or-string: true protocol: @@ -426,6 +432,8 @@ spec: ports: items: properties: + endPort: + type: integer port: x-kubernetes-int-or-string: true protocol: diff --git a/build/yamls/base/crds.yml b/build/yamls/base/crds.yml index 01962ee98cd..2400fdcedb5 100644 --- a/build/yamls/base/crds.yml +++ b/build/yamls/base/crds.yml 
@@ -342,6 +342,8 @@ spec: type: string port: x-kubernetes-int-or-string: true + endPort: + type: integer from: type: array items: @@ -391,6 +393,8 @@ spec: type: string port: x-kubernetes-int-or-string: true + endPort: + type: integer to: type: array items: @@ -522,6 +526,8 @@ spec: type: string port: x-kubernetes-int-or-string: true + endPort: + type: integer from: type: array items: @@ -572,6 +578,8 @@ spec: type: string port: x-kubernetes-int-or-string: true + endPort: + type: integer to: type: array items: diff --git a/docs/antrea-network-policy.md b/docs/antrea-network-policy.md index 49ddfb5b84a..5198dcfcc61 100644 --- a/docs/antrea-network-policy.md +++ b/docs/antrea-network-policy.md @@ -223,6 +223,9 @@ spec: ports: - protocol: TCP port: 8080 + endPort: 9000 + - protocol: TCP + port: 6379 name: AllowFromFrontend enableLogging: false egress: @@ -266,7 +269,9 @@ default tier i.e. the "application" Tier. **ingress**: Each ClusterNetworkPolicy may consist of zero or more ordered set of ingress rules. Each rule, depending on the `action` field of the rule, -allows or drops traffic which matches both the `from` and `ports` sections. +allows or drops traffic which matches all `from`, `ports` sections. +Under `ports`, the optional field `endPort` can only be set when a numerical `port` +is set to represent a range of ports from `port` to `endPort` inclusive. Also, each rule has an optional `name` field, which should be unique within the policy describing the intention of this rule. If `name` is not provided for a rule, it will be auto-generated by Antrea. The auto-generated name will be 
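Review bot: The new `endPort` property in `base/crds.yml` (`@@ -342,6 +342,8 @@` and the three sibling hunks in this file) is declared as a bare `type: integer` with no bounds, so the API server's schema layer accepts 0, negative values and anything above 65535. The diffstat lists a `validate.go` change that presumably rejects such values semantically, but that file is not in view, and a schema bound is what clients and tooling can read without calling the webhook. Add `minimum: 1` and `maximum: 65535` under the property, alongside `type: integer`. The `build/yamls/antrea*.yml` hunks carry the same shape and look generated from this base; they would pick the bound up on regeneration.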
@@ -284,7 +289,9 @@ be enforced in the order in which they are written. **egress**: Each ClusterNetworkPolicy may consist of zero or more ordered set of egress rules. Each rule, depending on the `action` field of the rule, allows -or drops traffic which matches both the `to` and `ports` sections. +or drops traffic which matches all `from`, `ports` sections. +Under `ports`, the optional field `endPort` can only be set when a numerical `port` +is set to represent a range of ports from `port` to `endPort` inclusive. Also, each rule has an optional `name` field, which should be unique within the policy describing the intention of this rule. If `name` is not provided for a rule, it will be auto-generated by Antrea. The rule name auto-generation process @@ -413,6 +420,7 @@ spec: ports: - protocol: TCP port: 8080 + endPort: 9000 name: AllowFromFrontend enableLogging: false egress: diff --git a/pkg/agent/openflow/network_policy.go b/pkg/agent/openflow/network_policy.go index ed016cb50e8..d860ad4b509 100644 --- a/pkg/agent/openflow/network_policy.go +++ b/pkg/agent/openflow/network_policy.go @@ -26,6 +26,7 @@ import ( "github.com/vmware-tanzu/antrea/pkg/apis/controlplane/v1beta2" secv1alpha1 "github.com/vmware-tanzu/antrea/pkg/apis/security/v1alpha1" binding "github.com/vmware-tanzu/antrea/pkg/ovs/openflow" + thirdpartynp "github.com/vmware-tanzu/antrea/third_party/networkpolicy" ) var ( 
@@ -212,8 +213,16 @@ func (m *conjunctiveMatch) generateGlobalMapKey() string { } case net.IPNet: valueStr = v.String() + case types.BitRange: + bitRange := m.matchValue.(types.BitRange) + if bitRange.Mask != nil { + valueStr = fmt.Sprintf("%d/%d", bitRange.Value, *bitRange.Mask) + } else { + // To normalize the key, set full mask while a single port is provided. + valueStr = fmt.Sprintf("%d/65535", bitRange.Value) + } default: - // The default cases include the matchValue is a Service port or an ofport Number. + // The default cases include the matchValue is an ofport Number. valueStr = fmt.Sprintf("%s", m.matchValue) } if m.priority == nil { 
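Review bot: The new `case types.BitRange:` branch re-asserts `bitRange := m.matchValue.(types.BitRange)` although the type switch already binds the value — the sibling `case net.IPNet:` branch uses `v` directly, so this one should too: `if v.Mask != nil { valueStr = fmt.Sprintf("%d/%d", v.Value, *v.Mask) } else { valueStr = fmt.Sprintf("%d/65535", v.Value) }`. Normalizing a mask-less single port to `/65535` is sensible, but it is an invariant shared with the range path (a full-mask entry from the bitwise decomposition must map to the same key as a plain port), and the comment should say so: `// A single port and a full-mask range entry must produce the same key.`. generateGlobalMapKey starts before and ends after this hunk.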
@@ -616,26 +625,58 @@ func getServiceMatchType(protocol *v1beta2.Protocol, ipv4Enabled, ipv6Enabled bo return matchKeys } -func (c *clause) generateServicePortConjMatches(port v1beta2.Service, priority *uint16, ipv4Enabled, ipv6Enabled bool) []*conjunctiveMatch { - matchKeys := getServiceMatchType(port.Protocol, ipv4Enabled, ipv6Enabled) - // Match all ports with the given protocol type if the matchValue is not specified (value is 0). - matchValue := uint16(0) - if port.Port != nil { - matchValue = uint16(port.Port.IntVal) - } +func (c *clause) generateServicePortConjMatches(service v1beta2.Service, priority *uint16, ipv4Enabled, ipv6Enabled bool) []*conjunctiveMatch { + matchKeys := getServiceMatchType(service.Protocol, ipv4Enabled, ipv6Enabled) + ovsBitRanges := c.serviceToBitRanges(service) var matches []*conjunctiveMatch for _, matchKey := range matchKeys { - matches = append(matches, - &conjunctiveMatch{ - tableID: c.ruleTable.GetID(), - matchKey: matchKey, - matchValue: matchValue, - priority: priority, - }) + for _, ovsBitRange := range ovsBitRanges { + matches = append(matches, + &conjunctiveMatch{ + tableID: c.ruleTable.GetID(), + matchKey: matchKey, + matchValue: ovsBitRange, + priority: priority, + }) + } } return matches } +// serviceToBitRanges converts a Service to a list of BitRange. +func (c *clause) serviceToBitRanges(service v1beta2.Service) []types.BitRange { + var ovsBitRanges []types.BitRange + // If `EndPort` is equal to `Port`, then treat it as single port case. + if service.EndPort != nil && *service.EndPort > service.Port.IntVal { + // Add several antrea range services based on a port range. 
+ portRange := thirdpartynp.PortRange{Start: uint16(service.Port.IntVal), End: uint16(*service.EndPort)} + bitRanges, err := portRange.BitwiseMatch() + if err != nil { + klog.Errorf("Error when getting BitRanges from %v: %v", portRange, err) + return ovsBitRanges + } + for _, bitRange := range bitRanges { + curBitRange := bitRange + ovsBitRanges = append(ovsBitRanges, types.BitRange{ + Value: curBitRange.Value, + Mask: &curBitRange.Mask, + }) + } + } else if service.Port != nil { + // Add single antrea service based on a single port. + ovsBitRanges = append(ovsBitRanges, types.BitRange{ + Value: uint16(service.Port.IntVal), + }) + } else { + // Match all ports with the given protocol type if `Port` and `EndPort` are not + // specified (value is 0). + ovsBitRanges = append(ovsBitRanges, types.BitRange{ + Value: uint16(0), + }) + } + return ovsBitRanges +} + // addAddrFlows translates the specified addresses to conjunctiveMatchFlows, and returns the corresponding changes on the // conjunctiveMatchFlows. func (c *clause) addAddrFlows(client *client, addrType types.AddressType, addresses []types.Address, priority *uint16) []*conjMatchFlowContextChange { diff --git a/pkg/agent/openflow/network_policy_test.go b/pkg/agent/openflow/network_policy_test.go index beaa032405e..c5787c1baaf 100644 --- a/pkg/agent/openflow/network_policy_test.go +++ b/pkg/agent/openflow/network_policy_test.go @@ -219,10 +219,11 @@ func TestInstallPolicyRuleFlows(t *testing.T) { ruleID3 := uint32(103) port1 := intstr.FromInt(8080) - port2 := intstr.FromInt(8081) + port2 := intstr.FromInt(1000) + port3 := int32(1007) tcpProtocol := v1beta2.ProtocolTCP npPort1 := v1beta2.Service{Protocol: &tcpProtocol, Port: &port1} - npPort2 := v1beta2.Service{Protocol: &tcpProtocol, Port: &port2} + npPort2 := v1beta2.Service{Protocol: &tcpProtocol, Port: &port2, EndPort: &port3} rule3 := &types.PolicyRule{ Direction: v1beta2.DirectionOut, From: parseAddresses([]string{"192.168.1.40", "192.168.1.60"}), 
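Review bot: The guard `service.EndPort != nil && *service.EndPort > service.Port.IntVal` in serviceToBitRanges dereferences `service.Port` before the later `else if service.Port != nil` check, so a Service carrying an EndPort but no Port panics the agent. The controller-side validate.go in the diffstat may reject that shape at admission, but the agent consumes the internal API and should not rely on it; change the condition to `if service.Port != nil && service.EndPort != nil && *service.EndPort > service.Port.IntVal {`. In the same function an EndPort below Port silently takes the single-port branch although the comment only describes the equal case, and on a BitwiseMatch error the function logs and returns an empty slice, so the caller installs no port match for that service at all — whether that is fail-open or fail-closed for a Drop rule is decided in generateServicePortConjMatches and its callers, and deserves a comment at that `return ovsBitRanges`. The `uint16(...)` conversions also truncate an int32 silently, which is only safe if the validator bounds both values to 1-65535.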
@@ -665,7 +666,7 @@ func newMockRuleFlowBuilder(ctrl *gomock.Controller) *mocks.MockFlowBuilder { ruleFlowBuilder.EXPECT().MatchSrcIP(gomock.Any()).Return(ruleFlowBuilder).AnyTimes() ruleFlowBuilder.EXPECT().MatchInPort(gomock.Any()).Return(ruleFlowBuilder).AnyTimes() ruleFlowBuilder.EXPECT().MatchRegRange(gomock.Any(), gomock.Any(), gomock.Any()).Return(ruleFlowBuilder).AnyTimes() - ruleFlowBuilder.EXPECT().MatchDstPort(gomock.Any(), gomock.Nil()).Return(ruleFlowBuilder).AnyTimes() + ruleFlowBuilder.EXPECT().MatchDstPort(gomock.Any(), gomock.Any()).Return(ruleFlowBuilder).AnyTimes() ruleFlowBuilder.EXPECT().MatchConjID(gomock.Any()).Return(ruleFlowBuilder).AnyTimes() ruleFlowBuilder.EXPECT().MatchPriority(gomock.Any()).Return(ruleFlowBuilder).AnyTimes() ruleAction = mocks.NewMockAction(ctrl) diff --git a/pkg/agent/openflow/pipeline.go b/pkg/agent/openflow/pipeline.go index 75db03e2190..7cb407784a8 100644 --- a/pkg/agent/openflow/pipeline.go +++ b/pkg/agent/openflow/pipeline.go @@ -1347,9 +1347,9 @@ func (c *client) addFlowMatch(fb binding.FlowBuilder, matchKey *types.MatchKey, fallthrough case MatchSCTPv6DstPort: fb = fb.MatchProtocol(matchKey.GetOFProtocol()) - portValue := matchValue.(uint16) - if portValue > 0 { - fb = fb.MatchDstPort(portValue, nil) + portValue := matchValue.(types.BitRange) + if portValue.Value > 0 { + fb = fb.MatchDstPort(portValue.Value, portValue.Mask) } } return fb diff --git a/pkg/agent/types/networkpolicy.go b/pkg/agent/types/networkpolicy.go index ba7755f4b6d..b2aa117bf58 100644 --- a/pkg/agent/types/networkpolicy.go +++ b/pkg/agent/types/networkpolicy.go @@ -140,3 +140,10 @@ func (m *RuleMetric) Merge(m1 *RuleMetric) { m.Packets += m1.Packets m.Sessions += m1.Sessions } + +// A BitRange is a representation of a range of values from base value with a +// bitmask applied. +type BitRange struct { + Value uint16 + Mask *uint16 +} 
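Review bot: In addFlowMatch the check `if portValue.Value > 0` now gates a `types.BitRange` rather than a plain port, so an entry with Value 0 but a non-nil Mask would be treated as the match-all sentinel and silently omitted from the flow, while the sentinel that serviceToBitRanges actually emits is Value 0 with a nil Mask. If the validator keeps ports in 1-65535 the bitwise decomposition never yields a 0 value and this is latent, but the sentinel should be explicit: `if portValue.Value > 0 || portValue.Mask != nil {`. The BitRange doc comment in types/networkpolicy.go (same diff) should state the contract both sites depend on, e.g. `// A nil Mask means an exact match on Value; Value 0 with a nil Mask matches any port.`. addFlowMatch starts before this hunk.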
diff --git a/pkg/antctl/transform/rule/transform.go b/pkg/antctl/transform/rule/transform.go index 38f81d796dc..d4503a8adad 100644 --- a/pkg/antctl/transform/rule/transform.go +++ b/pkg/antctl/transform/rule/transform.go @@ -22,6 +22,7 @@ import ( type service struct { Protocol string `json:"protocol,omitempty"` Port string `json:"port,omitempty"` + EndPort string `json:"endPort,omitempty"` } type ipBlock struct { @@ -44,9 +45,18 @@ type Response struct { func serviceTransform(services ...cpv1beta.Service) []service { var ret []service for _, s := range services { + port := "nil" + endPort := "nil" + if s.Port != nil { + port = s.Port.String() + } + if s.EndPort != nil { + endPort = string(*s.EndPort) + } ret = append(ret, service{ Protocol: string(*s.Protocol), - Port: s.Port.String(), + Port: port, + EndPort: endPort, }) } return ret diff --git a/pkg/apis/controlplane/types.go b/pkg/apis/controlplane/types.go index b6e67c8b9f5..095cdb8d54e 100644 --- a/pkg/apis/controlplane/types.go +++ b/pkg/apis/controlplane/types.go @@ -218,6 +218,10 @@ type Service struct { // The port name or number on the given protocol. If not specified, this matches all port numbers. // +optional Port *intstr.IntOrString + // EndPort defines the end of the port range, being the end included within the range. + // It can only be specified when a numerical `port` is specified. + // +optional + EndPort *int32 } // NetworkPolicyPeer describes a peer of NetworkPolicyRules. diff --git a/pkg/apis/controlplane/v1beta1/conversion.go b/pkg/apis/controlplane/v1beta1/conversion.go index 9bd8f5a533c..4c8152d0523 100644 --- a/pkg/apis/controlplane/v1beta1/conversion.go +++ b/pkg/apis/controlplane/v1beta1/conversion.go 
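Review bot: `endPort = string(*s.EndPort)` in serviceTransform converts the int32 to the UTF-8 encoding of that code point rather than to its decimal text (an endPort of 9000 renders as a single non-ASCII rune), and `go vet`'s stringintconv check flags exactly this; use `endPort = strconv.Itoa(int(*s.EndPort))`, adding `strconv` to the import block, which lies outside the hunk. The literal `"nil"` placeholder is also new output: with `omitempty` on both fields, leaving the string empty when the pointer is nil would omit the field from the JSON, which is easier for antctl consumers to handle than a sentinel string. The `*s.Protocol` dereference on the following line remains unguarded.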
@@ -415,3 +415,25 @@ func Convert_controlplane_NetworkPolicyRule_To_v1beta1_NetworkPolicyRule(in *con out.EnableLogging = in.EnableLogging return nil } + +func Convert_v1beta1_Service_To_controlplane_Service(in *Service, out *controlplane.Service, s conversion.Scope) error { + if in.Protocol != nil { + outProtocol := controlplane.Protocol(*in.Protocol) + out.Protocol = &outProtocol + } + if in.Port != nil { + out.Port = in.Port + } + return nil +} + +func Convert_controlplane_Service_To_v1beta1_Service(in *controlplane.Service, out *Service, s conversion.Scope) error { + if in.Protocol != nil { + outProtocol := Protocol(*in.Protocol) + out.Protocol = &outProtocol + } + if in.Port != nil { + out.Port = in.Port + } + return nil +} diff --git a/pkg/apis/controlplane/v1beta1/conversion_test.go b/pkg/apis/controlplane/v1beta1/conversion_test.go index 376b6330660..94de9492fa5 100644 --- a/pkg/apis/controlplane/v1beta1/conversion_test.go +++ b/pkg/apis/controlplane/v1beta1/conversion_test.go @@ -21,6 +21,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/util/intstr" "github.com/vmware-tanzu/antrea/pkg/apis/controlplane" ) @@ -124,6 +125,17 @@ var ( IP: IPAddress(net.ParseIP("10.0.0.2")), Ports: v1b1Ports, } + v1b1TCP = ProtocolTCP + cpTCP = controlplane.ProtocolTCP + int80 = intstr.FromInt(80) + v1b1Service = Service{ + Protocol: &v1b1TCP, + Port: &int80, + } + cpService = controlplane.Service{ + Protocol: &cpTCP, + Port: &int80, + } ) func TestConvertBetweenV1beta1AndControlplaneGroupMember(t *testing.T) { 
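Review bot: Convert_controlplane_Service_To_v1beta1_Service drops `in.EndPort` without any signal because v1beta1 has no such field, so a client on that API version (presumably an older agent) receives a rule covering only `port` instead of the range; for a Drop rule that is silent under-enforcement. The generated file records this as `// WARNING: in.EndPort requires manual conversion: does not exist in peer-type`, but the hand-written function should state the decision, e.g. `// EndPort has no v1beta1 counterpart; the range degrades to the single Port on this API version.`, and a klog warning when `in.EndPort != nil` would make the loss visible in controller logs. Both new exported functions also lack doc comments.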
@@ -256,3 +268,17 @@ func TestConvertBetweenV1beta1AndControlplaneAppliedToGroupPatch(t *testing.T) { Convert_v1beta1_AppliedToGroupPatch_To_controlplane_AppliedToGroupPatch(&v1b1AppliedToGroupPatch, &convertedCPPatch, nil)) assert.Equal(t, cpAppliedToGroupPatch, convertedCPPatch) } + +func TestConvertBetweenV1beta1AndControlplaneService(t *testing.T) { + scheme := runtime.NewScheme() + assert.NoError(t, RegisterConversions(scheme)) + + var convertedCPService controlplane.Service + var convertedV1B1Service Service + require.NoError(t, + Convert_controlplane_Service_To_v1beta1_Service(&cpService, &convertedV1B1Service, nil)) + assert.Equal(t, v1b1Service, convertedV1B1Service, "controlplane.GroupMember -> v1beta1.GroupMember") + require.NoError(t, + Convert_v1beta1_Service_To_controlplane_Service(&v1b1Service, &convertedCPService, nil)) + assert.Equal(t, cpService, convertedCPService, "v1beta1.GroupMember -> controlplane.GroupMember") +} diff --git a/pkg/apis/controlplane/v1beta1/zz_generated.conversion.go b/pkg/apis/controlplane/v1beta1/zz_generated.conversion.go index ed0bfb5eb55..7814430a334 100644 --- a/pkg/apis/controlplane/v1beta1/zz_generated.conversion.go +++ b/pkg/apis/controlplane/v1beta1/zz_generated.conversion.go 
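Review bot: TestConvertBetweenV1beta1AndControlplaneService only converts a Service without EndPort, so the lossy controlplane-to-v1beta1 direction that conversion.go introduces is untested; add a case with `EndPort` set on `cpService` and assert the result equals a v1beta1 Service with only Protocol and Port. The assertion messages `"controlplane.GroupMember -> v1beta1.GroupMember"` and its reverse are copied from the GroupMember test and should read `"controlplane.Service -> v1beta1.Service"` and `"v1beta1.Service -> controlplane.Service"`.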
@@ -166,16 +166,6 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } - if err := s.AddGeneratedConversionFunc((*Service)(nil), (*controlplane.Service)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1beta1_Service_To_controlplane_Service(a.(*Service), b.(*controlplane.Service), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*controlplane.Service)(nil), (*Service)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_controlplane_Service_To_v1beta1_Service(a.(*controlplane.Service), b.(*Service), scope) - }); err != nil { - return err - } if err := s.AddConversionFunc((*controlplane.AddressGroupPatch)(nil), (*AddressGroupPatch)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_controlplane_AddressGroupPatch_To_v1beta1_AddressGroupPatch(a.(*controlplane.AddressGroupPatch), b.(*AddressGroupPatch), scope) }); err != nil { @@ -211,6 +201,11 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddConversionFunc((*controlplane.Service)(nil), (*Service)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_controlplane_Service_To_v1beta1_Service(a.(*controlplane.Service), b.(*Service), scope) + }); err != nil { + return err + } if err := s.AddConversionFunc((*AddressGroupPatch)(nil), (*controlplane.AddressGroupPatch)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1beta1_AddressGroupPatch_To_controlplane_AddressGroupPatch(a.(*AddressGroupPatch), b.(*controlplane.AddressGroupPatch), scope) }); err != nil { 
@@ -241,6 +236,11 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddConversionFunc((*Service)(nil), (*controlplane.Service)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1beta1_Service_To_controlplane_Service(a.(*Service), b.(*controlplane.Service), scope) + }); err != nil { + return err + } return nil } @@ -758,7 +758,17 @@ func autoConvert_v1beta1_NetworkPolicyRule_To_controlplane_NetworkPolicyRule(in if err := Convert_v1beta1_NetworkPolicyPeer_To_controlplane_NetworkPolicyPeer(&in.To, &out.To, s); err != nil { return err } - out.Services = *(*[]controlplane.Service)(unsafe.Pointer(&in.Services)) + if in.Services != nil { + in, out := &in.Services, &out.Services + *out = make([]controlplane.Service, len(*in)) + for i := range *in { + if err := Convert_v1beta1_Service_To_controlplane_Service(&(*in)[i], &(*out)[i], s); err != nil { + return err + } + } + } else { + out.Services = nil + } out.Priority = in.Priority out.Action = (*v1alpha1.RuleAction)(unsafe.Pointer(in.Action)) out.EnableLogging = in.EnableLogging @@ -778,7 +788,17 @@ func autoConvert_controlplane_NetworkPolicyRule_To_v1beta1_NetworkPolicyRule(in if err := Convert_controlplane_NetworkPolicyPeer_To_v1beta1_NetworkPolicyPeer(&in.To, &out.To, s); err != nil { return err } - out.Services = *(*[]Service)(unsafe.Pointer(&in.Services)) + if in.Services != nil { + in, out := &in.Services, &out.Services + *out = make([]Service, len(*in)) + for i := range *in { + if err := Convert_controlplane_Service_To_v1beta1_Service(&(*in)[i], &(*out)[i], s); err != nil { + return err + } + } + } else { + out.Services = nil + } out.Priority = in.Priority out.Action = (*v1alpha1.RuleAction)(unsafe.Pointer(in.Action)) out.EnableLogging = in.EnableLogging 
@@ -866,18 +886,9 @@ func autoConvert_v1beta1_Service_To_controlplane_Service(in *Service, out *contr return nil } -// Convert_v1beta1_Service_To_controlplane_Service is an autogenerated conversion function. -func Convert_v1beta1_Service_To_controlplane_Service(in *Service, out *controlplane.Service, s conversion.Scope) error { - return autoConvert_v1beta1_Service_To_controlplane_Service(in, out, s) -} - func autoConvert_controlplane_Service_To_v1beta1_Service(in *controlplane.Service, out *Service, s conversion.Scope) error { out.Protocol = (*Protocol)(unsafe.Pointer(in.Protocol)) out.Port = (*intstr.IntOrString)(unsafe.Pointer(in.Port)) + // WARNING: in.EndPort requires manual conversion: does not exist in peer-type return nil } - -// Convert_controlplane_Service_To_v1beta1_Service is an autogenerated conversion function. -func Convert_controlplane_Service_To_v1beta1_Service(in *controlplane.Service, out *Service, s conversion.Scope) error { - return autoConvert_controlplane_Service_To_v1beta1_Service(in, out, s) -} diff --git a/pkg/apis/controlplane/v1beta2/generated.pb.go b/pkg/apis/controlplane/v1beta2/generated.pb.go index d6d18fe69bf..04f61103651 100644 --- a/pkg/apis/controlplane/v1beta2/generated.pb.go +++ b/pkg/apis/controlplane/v1beta2/generated.pb.go 
@@ -691,110 +691,111 @@ func init() { } var fileDescriptor_d31898dc88dbbf6e = []byte{ - // 1643 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x59, 0xcb, 0x6f, 0x1b, 0xc7, - 0x19, 0xd7, 0xf2, 0x21, 0x91, 0x23, 0x52, 0x8f, 0x91, 0x5d, 0xb3, 0xae, 0x4b, 0xca, 0xdb, 0xa2, - 0xd0, 0xa1, 0x5e, 0x5a, 0xaa, 0xdb, 0x1a, 0xa8, 0x7b, 0x10, 0x2d, 0x59, 0x60, 0x2b, 0xd3, 0xc4, - 0x48, 0xba, 0x14, 0x05, 0xda, 0xd5, 0xee, 0x90, 0x5a, 0x6b, 0xb9, 0xbb, 0x9e, 0x9d, 0x95, 0x2d, - 0x07, 0x08, 0x12, 0xe4, 0x94, 0x5c, 0xf2, 0xba, 0xe4, 0x94, 0x9b, 0x91, 0xfc, 0x0d, 0x41, 0x2e, - 0xb9, 0xf9, 0xe8, 0xa3, 0x2f, 0x21, 0x22, 0x1a, 0xc9, 0x35, 0x87, 0x00, 0x41, 0xa0, 0x53, 0x30, - 0xb3, 0xb3, 0x2f, 0x52, 0xb4, 0x15, 0x90, 0x12, 0x02, 0x24, 0x27, 0x8b, 0xdf, 0x7c, 0xf3, 0xfd, - 0x7e, 0xdf, 0x73, 0x66, 0xd6, 0x60, 0xb3, 0x6d, 0xd0, 0x3d, 0x6f, 0x57, 0xd1, 0xec, 0x4e, 0xf5, - 0xa0, 0xf3, 0x50, 0x25, 0xf8, 0x1a, 0x55, 0xad, 0xc7, 0x5e, 0x55, 0xb5, 0x28, 0xc1, 0x6a, 0xd5, - 0xd9, 0x6f, 0x57, 0x55, 0xc7, 0x70, 0xab, 0x9a, 0x6d, 0x51, 0x62, 0x9b, 0x8e, 0xa9, 0x5a, 0xb8, - 0x7a, 0xb0, 0xbc, 0x8b, 0xa9, 0xba, 0x52, 0x6d, 0x63, 0x0b, 0x13, 0x95, 0x62, 0x5d, 0x71, 0x88, - 0x4d, 0x6d, 0x78, 0x2b, 0xb2, 0xa6, 0xf8, 0xd6, 0xfe, 0xc7, 0xad, 0x29, 0xbe, 0x35, 0xc5, 0xd9, - 0x6f, 0x2b, 0xcc, 0x9a, 0x12, 0xb7, 0xa6, 0x08, 0x6b, 0x97, 0xaf, 0xc5, 0xb8, 0xb4, 0xed, 0xb6, - 0x5d, 0xe5, 0x46, 0x77, 0xbd, 0x16, 0xff, 0xc5, 0x7f, 0xf0, 0xbf, 0x7c, 0xb0, 0xcb, 0x77, 0x4e, - 0x4b, 0xdd, 0xa5, 0x2a, 0x75, 0xab, 0x07, 0xcb, 0xaa, 0xe9, 0xec, 0xa9, 0xcb, 0xfd, 0xa4, 0x2f, - 0xdf, 0xd8, 0xbf, 0xe9, 0x2a, 0x86, 0xcd, 0x74, 0x3b, 0xaa, 0xb6, 0x67, 0x58, 0x98, 0x1c, 0x46, - 0x9b, 0x3b, 0x98, 0xaa, 0xd5, 0x83, 0xc1, 0x5d, 0xd5, 0x61, 0xbb, 0x88, 0x67, 0x51, 0xa3, 0x83, - 0x07, 0x36, 0xfc, 0xed, 0x55, 0x1b, 0x5c, 0x6d, 0x0f, 0x77, 0xd4, 0x81, 0x7d, 0x7f, 0x19, 0xb6, - 0xcf, 0xa3, 0x86, 0x59, 0x35, 0x2c, 0xea, 0x52, 0xd2, 0xbf, 0x49, 0xfe, 0x5e, 0x02, 0x85, 0x55, - 
0x5d, 0x27, 0xd8, 0x75, 0x37, 0x88, 0xed, 0x39, 0xf0, 0xff, 0x20, 0xc7, 0x3c, 0xd1, 0x55, 0xaa, - 0x96, 0xa4, 0x45, 0x69, 0x69, 0x7a, 0xe5, 0xba, 0xe2, 0x1b, 0x56, 0xe2, 0x86, 0xa3, 0x0c, 0x31, - 0x6d, 0xe5, 0x60, 0x59, 0xb9, 0xb7, 0x7b, 0x1f, 0x6b, 0xf4, 0x2e, 0xa6, 0x6a, 0x0d, 0x3e, 0xed, - 0x56, 0x26, 0x7a, 0xdd, 0x0a, 0x88, 0x64, 0x28, 0xb4, 0x0a, 0xdf, 0x92, 0x40, 0xa1, 0xcd, 0xb0, - 0xee, 0xe2, 0xce, 0x2e, 0x26, 0x6e, 0x29, 0xb5, 0x98, 0x5e, 0x9a, 0x5e, 0xa9, 0x2b, 0xa3, 0xd4, - 0x84, 0xb2, 0x11, 0x59, 0xac, 0x5d, 0x10, 0xf8, 0x85, 0x98, 0xd0, 0x45, 0x09, 0x50, 0xf9, 0x48, - 0x02, 0x73, 0x71, 0xc7, 0x37, 0x0d, 0x97, 0xc2, 0xff, 0x0e, 0x38, 0xaf, 0x9c, 0xce, 0x79, 0xb6, - 0x9b, 0xbb, 0x3e, 0x27, 0xa0, 0x73, 0x81, 0x24, 0xe6, 0xb8, 0x0d, 0xb2, 0x06, 0xc5, 0x9d, 0xc0, - 0xe1, 0x7f, 0x8d, 0xe6, 0x70, 0x9c, 0x7c, 0xad, 0x28, 0x60, 0xb3, 0x75, 0x06, 0x80, 0x7c, 0x1c, - 0xf9, 0x49, 0x1a, 0xcc, 0xc7, 0xd5, 0x9a, 0x2a, 0xd5, 0xf6, 0xce, 0x21, 0xc3, 0x1f, 0x48, 0x60, - 0x5e, 0xd5, 0x75, 0xac, 0x6f, 0x9c, 0x69, 0x9a, 0x7f, 0x2b, 0x48, 0x30, 0x1f, 0x93, 0x58, 0x68, - 0x10, 0x1e, 0x7e, 0x24, 0x81, 0x05, 0x82, 0x3b, 0xf6, 0x41, 0x1f, 0xad, 0xf4, 0xb8, 0x69, 0xfd, - 0x4e, 0xd0, 0x5a, 0x40, 0x83, 0x68, 0xe8, 0x24, 0x0a, 0xf2, 0x0f, 0x12, 0x98, 0x59, 0x75, 0x1c, - 0xd3, 0xc0, 0xfa, 0xb6, 0xfd, 0xcb, 0x6a, 0xc3, 0xaf, 0x25, 0x00, 0x93, 0xae, 0x9f, 0x43, 0x23, - 0x3e, 0x48, 0x36, 0xe2, 0xe6, 0x88, 0x8d, 0x98, 0xa0, 0x3f, 0xa4, 0x15, 0x3f, 0x49, 0x83, 0x85, - 0xa4, 0xe2, 0xaf, 0xcd, 0xf8, 0xf3, 0x6c, 0x46, 0x13, 0x5c, 0x5a, 0x7f, 0x44, 0x31, 0xb1, 0x54, - 0x73, 0xdd, 0xa2, 0x06, 0x3d, 0x44, 0xb8, 0x85, 0x09, 0xb6, 0x34, 0x0c, 0x17, 0x41, 0xc6, 0x52, - 0x3b, 0x98, 0x27, 0x2a, 0x5f, 0x2b, 0x08, 0xd3, 0x99, 0x86, 0xda, 0xc1, 0x88, 0xaf, 0xc0, 0x2a, - 0xc8, 0xb3, 0x7f, 0x5d, 0x47, 0xd5, 0x70, 0x29, 0xc5, 0xd5, 0xe6, 0x85, 0x5a, 0xbe, 0x11, 0x2c, - 0xa0, 0x48, 0x47, 0xfe, 0x38, 0x0d, 0xa6, 0x63, 0xf0, 0x10, 0x83, 0xb4, 0x63, 0xeb, 0xa2, 0x14, - 0x46, 0x3c, 0x21, 0x9a, 0xb6, 0x1e, 
0x72, 0xaf, 0x4d, 0xf5, 0xba, 0x95, 0x34, 0x93, 0x30, 0xfb, - 0xf0, 0x7d, 0x09, 0xcc, 0xe0, 0x84, 0x97, 0x9c, 0xed, 0xf4, 0xca, 0xce, 0x68, 0x90, 0x43, 0x22, - 0x57, 0x83, 0xbd, 0x6e, 0x65, 0xa6, 0x6f, 0xb1, 0x8f, 0x00, 0xfc, 0x13, 0x48, 0x1b, 0x8e, 0x5f, - 0x02, 0x85, 0xda, 0x05, 0x46, 0xb7, 0xde, 0x74, 0x8f, 0xbb, 0x95, 0x7c, 0xbd, 0x29, 0x0e, 0x31, - 0xc4, 0x14, 0xa0, 0x09, 0xb2, 0x8e, 0x4d, 0xa8, 0x5b, 0xca, 0xf0, 0x62, 0xd9, 0x18, 0x8d, 0x31, - 0xcb, 0x8a, 0xde, 0xb4, 0x09, 0x8d, 0x1a, 0x97, 0xfd, 0x72, 0x91, 0x0f, 0x22, 0x7f, 0x29, 0x81, - 0xa9, 0x7a, 0xb3, 0x66, 0xda, 0xda, 0x3e, 0xc4, 0x20, 0xa3, 0x19, 0x3a, 0x11, 0xd9, 0xb9, 0x3d, - 0x1a, 0x70, 0xbd, 0xd9, 0xc0, 0x34, 0x2a, 0xa2, 0xdb, 0xf5, 0x35, 0x84, 0xb8, 0x79, 0xb8, 0x0f, - 0x26, 0xf1, 0x23, 0x0d, 0x3b, 0x54, 0x74, 0xe9, 0x58, 0x80, 0x66, 0x04, 0xd0, 0xe4, 0x3a, 0x37, - 0x8d, 0x04, 0x84, 0xdc, 0x02, 0x59, 0xae, 0x00, 0xff, 0x00, 0x52, 0x86, 0xc3, 0x5d, 0x2b, 0xd4, - 0x16, 0x7a, 0xdd, 0x4a, 0xaa, 0xde, 0x4c, 0x06, 0x3f, 0x65, 0x38, 0xf0, 0x26, 0x28, 0x38, 0x04, - 0xb7, 0x8c, 0x47, 0x9b, 0xd8, 0x6a, 0xd3, 0x3d, 0x5e, 0x34, 0xd9, 0x68, 0xd0, 0x37, 0x63, 0x6b, - 0x28, 0xa1, 0x29, 0xbf, 0x2d, 0x81, 0x7c, 0x18, 0x6b, 0xd6, 0x49, 0x2c, 0xbc, 0x1c, 0x2e, 0x1b, - 0x05, 0x81, 0xad, 0x21, 0xbe, 0x12, 0xf6, 0x5a, 0x6a, 0x68, 0xaf, 0xdd, 0x04, 0x39, 0x7e, 0x87, - 0xd5, 0x6c, 0xb3, 0x94, 0xe6, 0x5a, 0x57, 0x82, 0x99, 0xdf, 0x14, 0xf2, 0xe3, 0xd8, 0xdf, 0x28, - 0xd4, 0x96, 0xdf, 0xc9, 0x80, 0x62, 0x03, 0xd3, 0x87, 0x36, 0xd9, 0x6f, 0xda, 0xa6, 0xa1, 0x1d, - 0x9e, 0xc3, 0x18, 0xa6, 0x20, 0x4b, 0x3c, 0x13, 0x07, 0x93, 0xf7, 0xde, 0x88, 0x55, 0x1b, 0x67, - 0x8f, 0x3c, 0x13, 0x47, 0xd5, 0xcb, 0x7e, 0xb9, 0xc8, 0x07, 0x83, 0xff, 0x04, 0xb3, 0x6a, 0xe2, - 0xd4, 0xf1, 0xfb, 0x2b, 0xcf, 0x33, 0x3c, 0x9b, 0x3c, 0x90, 0x5c, 0xd4, 0xaf, 0x0b, 0x97, 0x58, - 0x88, 0x0d, 0x9b, 0xb0, 0xf9, 0x90, 0x59, 0x94, 0x96, 0xa4, 0x5a, 0xc1, 0x0f, 0xaf, 0x2f, 0x43, - 0xe1, 0x2a, 0xbc, 0x01, 0x0a, 0xd4, 0xc0, 0x24, 0x58, 0x29, 0x65, 0x79, 
0x62, 0xe7, 0x58, 0x51, - 0x6c, 0xc7, 0xe4, 0x28, 0xa1, 0x05, 0xdf, 0x94, 0x40, 0xde, 0xb5, 0x3d, 0xa2, 0x61, 0x84, 0x5b, - 0xa5, 0x49, 0x1e, 0xf8, 0xed, 0x71, 0x46, 0x26, 0x1c, 0x40, 0x45, 0x36, 0x81, 0xb7, 0x02, 0x28, - 0x14, 0xa1, 0xca, 0x2f, 0x24, 0x30, 0x9f, 0xd8, 0x74, 0x0e, 0x17, 0x10, 0x27, 0x79, 0x01, 0xf9, - 0xf7, 0x18, 0x5d, 0x1e, 0x72, 0xff, 0x78, 0x0d, 0x5c, 0x4a, 0xa8, 0x35, 0x6c, 0x1d, 0x6f, 0x51, - 0x95, 0x7a, 0x2e, 0xfc, 0x33, 0xc8, 0x59, 0xb6, 0x8e, 0x1b, 0xd1, 0xc9, 0x16, 0x52, 0x6f, 0x08, - 0x39, 0x0a, 0x35, 0xe0, 0x0a, 0x00, 0xe2, 0x0d, 0x69, 0xd8, 0x16, 0xef, 0xce, 0x74, 0x54, 0xf9, - 0x1b, 0xe1, 0x0a, 0x8a, 0x69, 0xc9, 0x5f, 0xf4, 0x87, 0xb8, 0x89, 0x31, 0x81, 0x7f, 0x07, 0x45, - 0x35, 0xf6, 0x38, 0x71, 0x4b, 0x12, 0xaf, 0xcc, 0xf9, 0x5e, 0xb7, 0x52, 0x8c, 0xbf, 0x5a, 0x5c, - 0x94, 0xd4, 0x83, 0x2e, 0xc8, 0x19, 0x0e, 0x9f, 0xc8, 0x41, 0x00, 0xd7, 0x47, 0x9d, 0x90, 0xdc, - 0x5a, 0xe4, 0xb7, 0x10, 0xb8, 0x28, 0x04, 0x92, 0xbf, 0x91, 0xc0, 0x6f, 0x4e, 0xae, 0x2d, 0xf8, - 0x57, 0x90, 0xa1, 0x87, 0x4e, 0x10, 0xbc, 0xab, 0xc1, 0xa8, 0xda, 0x3e, 0x74, 0xf0, 0x71, 0xb7, - 0x92, 0xf4, 0x9c, 0x09, 0x11, 0x57, 0xff, 0xc9, 0x77, 0x85, 0x70, 0x24, 0xa6, 0x87, 0x8e, 0xc4, - 0x1a, 0x48, 0x7b, 0x86, 0xce, 0x5b, 0x35, 0x5f, 0xbb, 0x2e, 0x14, 0xd2, 0x3b, 0xf5, 0xb5, 0xe3, - 0x6e, 0xe5, 0xea, 0xb0, 0xcf, 0x03, 0x8c, 0x8c, 0xab, 0xec, 0xd4, 0xd7, 0x10, 0xdb, 0x2c, 0x7f, - 0x9e, 0xed, 0x4b, 0x16, 0x1b, 0x28, 0xf0, 0x16, 0xc8, 0xeb, 0x06, 0xc1, 0x1a, 0xcf, 0xba, 0xef, - 0x68, 0x39, 0x20, 0xbb, 0x16, 0x2c, 0x1c, 0xc7, 0x7f, 0xa0, 0x68, 0x03, 0x7c, 0x00, 0x32, 0x2d, - 0x62, 0x77, 0xc4, 0x1d, 0x63, 0x9c, 0xb3, 0x8f, 0x55, 0x52, 0x14, 0x8a, 0x3b, 0xc4, 0xee, 0x20, - 0x0e, 0x05, 0xf7, 0x41, 0x8a, 0xda, 0x3c, 0x54, 0x67, 0x00, 0x08, 0x04, 0x60, 0x6a, 0xdb, 0x46, - 0x29, 0x6a, 0xb3, 0x8a, 0x74, 0x31, 0x39, 0x30, 0x34, 0x1c, 0xdc, 0x4a, 0x46, 0xac, 0xc8, 0x2d, - 0xdf, 0x5a, 0x54, 0x91, 0x42, 0xe0, 0xa2, 0x10, 0x88, 0xf5, 0xad, 0xd3, 0x37, 0x6e, 0xa3, 0xf3, - 0x6f, 0x60, 
0x40, 0xdf, 0x07, 0x93, 0xaa, 0x9f, 0xbd, 0x49, 0x9e, 0x3d, 0xc4, 0xee, 0x02, 0xab, - 0x41, 0xda, 0xd6, 0x4e, 0xfd, 0x89, 0x0c, 0x6b, 0x1e, 0xb3, 0x17, 0x7e, 0x25, 0x53, 0x58, 0x79, - 0xf8, 0x76, 0x90, 0x40, 0x80, 0xff, 0x00, 0x45, 0x6c, 0xa9, 0xbb, 0x26, 0xde, 0xb4, 0xdb, 0x6d, - 0xc3, 0x6a, 0x97, 0xa6, 0x16, 0xa5, 0xa5, 0x5c, 0xed, 0xa2, 0xa0, 0x57, 0x5c, 0x8f, 0x2f, 0xa2, - 0xa4, 0xee, 0x49, 0x47, 0x56, 0xee, 0xf4, 0x47, 0x96, 0xfc, 0x69, 0x0a, 0xc0, 0x44, 0xc2, 0xd8, - 0x94, 0x73, 0xd9, 0x85, 0xb7, 0x68, 0xc5, 0xc5, 0x62, 0xaa, 0x9f, 0xcd, 0x69, 0x13, 0x7a, 0x9a, - 0x5c, 0x4f, 0x32, 0x80, 0xaf, 0x83, 0x02, 0x25, 0x6a, 0xab, 0x65, 0x68, 0x9c, 0xa3, 0xe8, 0x8e, - 0xb5, 0x53, 0x33, 0xe2, 0x9f, 0x2b, 0x95, 0x30, 0x11, 0xdb, 0x31, 0x5b, 0xd1, 0x95, 0x2c, 0x2e, - 0x45, 0x09, 0x3c, 0xf9, 0x3b, 0x09, 0x2c, 0x0c, 0x84, 0xca, 0x73, 0xcf, 0xe1, 0x32, 0xf4, 0x18, - 0x64, 0xd9, 0x81, 0x12, 0x8c, 0xef, 0x9d, 0x31, 0x26, 0x21, 0x3a, 0xd8, 0xa2, 0x93, 0x90, 0xc9, - 0x5c, 0xe4, 0x43, 0xca, 0xdf, 0x66, 0xc0, 0x5c, 0xa0, 0xe4, 0x6e, 0x79, 0x9d, 0x8e, 0x4a, 0xce, - 0xe3, 0xfe, 0xf7, 0xa1, 0x04, 0x66, 0xe3, 0xe9, 0x37, 0x42, 0xef, 0x9b, 0x63, 0xf4, 0xde, 0x4f, - 0xfe, 0x25, 0xc1, 0x64, 0xb6, 0x91, 0x04, 0x44, 0xfd, 0x0c, 0xe0, 0x67, 0x12, 0xb8, 0xe2, 0xa3, - 0xdc, 0x36, 0x3d, 0x97, 0x62, 0xd2, 0xb7, 0x43, 0x3c, 0xc8, 0xc7, 0x4f, 0xf1, 0x8f, 0x82, 0xe2, - 0x95, 0xd5, 0x97, 0xa0, 0xa3, 0x97, 0x72, 0x83, 0x4f, 0x24, 0x70, 0xd1, 0x57, 0xe8, 0x67, 0x9d, - 0x39, 0x23, 0xd6, 0xbf, 0x17, 0xac, 0x2f, 0xae, 0x9e, 0x04, 0x8b, 0x4e, 0x66, 0x23, 0xab, 0xa0, - 0x10, 0x7f, 0x8a, 0x9f, 0xc5, 0x67, 0x84, 0x77, 0x25, 0x30, 0x25, 0x8e, 0x08, 0x78, 0x23, 0xf6, - 0x2e, 0xf2, 0x21, 0x4a, 0xaf, 0x7e, 0x13, 0xc1, 0x86, 0x78, 0x91, 0xa5, 0x5e, 0x51, 0xfd, 0x1e, - 0x35, 0x4c, 0xc5, 0xff, 0xcf, 0x04, 0xa5, 0x6e, 0xd1, 0x7b, 0x64, 0x8b, 0x12, 0xc3, 0x6a, 0xd7, - 0x72, 0xc9, 0xf7, 0x5b, 0xed, 0xda, 0xd3, 0xa3, 0xf2, 0xc4, 0xb3, 0xa3, 0xf2, 0xc4, 0xf3, 0xa3, - 0xf2, 0xc4, 0x1b, 0xbd, 0xb2, 0xf4, 0xb4, 0x57, 
0x96, 0x9e, 0xf5, 0xca, 0xd2, 0xf3, 0x5e, 0x59, - 0xfa, 0xaa, 0x57, 0x96, 0xde, 0x7b, 0x51, 0x9e, 0xf8, 0xcf, 0x94, 0x08, 0xf6, 0x8f, 0x01, 0x00, - 0x00, 0xff, 0xff, 0xc0, 0x9c, 0x2d, 0xe3, 0x5f, 0x1a, 0x00, 0x00, + // 1664 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x59, 0xbb, 0x6f, 0x1b, 0xc9, + 0x19, 0xd7, 0xf2, 0x21, 0x91, 0x23, 0x52, 0x8f, 0x91, 0x1d, 0x33, 0x8e, 0x43, 0xca, 0x9b, 0x07, + 0x54, 0xc4, 0x4b, 0x4b, 0x71, 0x12, 0x03, 0x71, 0x0a, 0xad, 0x25, 0x0b, 0x4c, 0x64, 0x9a, 0x18, + 0x49, 0x4d, 0x10, 0x20, 0x59, 0xed, 0x0e, 0xa9, 0xb5, 0x96, 0xbb, 0xeb, 0xd9, 0x59, 0xd9, 0x72, + 0x80, 0x20, 0x41, 0xaa, 0xa4, 0xca, 0xa3, 0x49, 0x95, 0xce, 0x48, 0xfe, 0x82, 0x14, 0xc1, 0x35, + 0xd7, 0xb9, 0x74, 0xe9, 0xe6, 0x88, 0x13, 0x8d, 0xbb, 0xf6, 0x8a, 0x03, 0x0e, 0x07, 0x55, 0x87, + 0x99, 0x9d, 0x7d, 0x91, 0xa2, 0xad, 0x03, 0x29, 0xe1, 0x80, 0xbb, 0xca, 0xe2, 0x37, 0xdf, 0x7c, + 0xbf, 0xdf, 0xf7, 0x9c, 0x99, 0x35, 0xd8, 0xee, 0x98, 0xf4, 0xc0, 0xdf, 0x57, 0x74, 0xa7, 0x5b, + 0x3f, 0xea, 0x3e, 0xd5, 0x08, 0xbe, 0x45, 0x35, 0xfb, 0xb9, 0x5f, 0xd7, 0x6c, 0x4a, 0xb0, 0x56, + 0x77, 0x0f, 0x3b, 0x75, 0xcd, 0x35, 0xbd, 0xba, 0xee, 0xd8, 0x94, 0x38, 0x96, 0x6b, 0x69, 0x36, + 0xae, 0x1f, 0xad, 0xee, 0x63, 0xaa, 0xad, 0xd5, 0x3b, 0xd8, 0xc6, 0x44, 0xa3, 0xd8, 0x50, 0x5c, + 0xe2, 0x50, 0x07, 0xde, 0x8b, 0xad, 0x29, 0x81, 0xb5, 0xdf, 0x72, 0x6b, 0x4a, 0x60, 0x4d, 0x71, + 0x0f, 0x3b, 0x0a, 0xb3, 0xa6, 0x24, 0xad, 0x29, 0xc2, 0xda, 0xf5, 0x5b, 0x09, 0x2e, 0x1d, 0xa7, + 0xe3, 0xd4, 0xb9, 0xd1, 0x7d, 0xbf, 0xcd, 0x7f, 0xf1, 0x1f, 0xfc, 0xaf, 0x00, 0xec, 0xfa, 0x83, + 0xf3, 0x52, 0xf7, 0xa8, 0x46, 0xbd, 0xfa, 0xd1, 0xaa, 0x66, 0xb9, 0x07, 0xda, 0xea, 0x20, 0xe9, + 0xeb, 0x77, 0x0e, 0xef, 0x7a, 0x8a, 0xe9, 0x30, 0xdd, 0xae, 0xa6, 0x1f, 0x98, 0x36, 0x26, 0xc7, + 0xf1, 0xe6, 0x2e, 0xa6, 0x5a, 0xfd, 0x68, 0x78, 0x57, 0x7d, 0xd4, 0x2e, 0xe2, 0xdb, 0xd4, 0xec, + 0xe2, 0xa1, 0x0d, 0x3f, 0x7d, 0xd7, 0x06, 0x4f, 0x3f, 0xc0, 0x5d, 
0x6d, 0x68, 0xdf, 0x8f, 0x47, + 0xed, 0xf3, 0xa9, 0x69, 0xd5, 0x4d, 0x9b, 0x7a, 0x94, 0x0c, 0x6e, 0x92, 0x3f, 0x93, 0x40, 0x69, + 0xdd, 0x30, 0x08, 0xf6, 0xbc, 0x2d, 0xe2, 0xf8, 0x2e, 0xfc, 0x1d, 0x28, 0x30, 0x4f, 0x0c, 0x8d, + 0x6a, 0x15, 0x69, 0x59, 0x5a, 0x99, 0x5d, 0xbb, 0xad, 0x04, 0x86, 0x95, 0xa4, 0xe1, 0x38, 0x43, + 0x4c, 0x5b, 0x39, 0x5a, 0x55, 0x1e, 0xed, 0x3f, 0xc6, 0x3a, 0x7d, 0x88, 0xa9, 0xa6, 0xc2, 0x97, + 0xbd, 0xda, 0x54, 0xbf, 0x57, 0x03, 0xb1, 0x0c, 0x45, 0x56, 0xe1, 0x9f, 0x25, 0x50, 0xea, 0x30, + 0xac, 0x87, 0xb8, 0xbb, 0x8f, 0x89, 0x57, 0xc9, 0x2c, 0x67, 0x57, 0x66, 0xd7, 0x1a, 0xca, 0x38, + 0x35, 0xa1, 0x6c, 0xc5, 0x16, 0xd5, 0x2b, 0x02, 0xbf, 0x94, 0x10, 0x7a, 0x28, 0x05, 0x2a, 0x9f, + 0x48, 0x60, 0x21, 0xe9, 0xf8, 0xb6, 0xe9, 0x51, 0xf8, 0x9b, 0x21, 0xe7, 0x95, 0xf3, 0x39, 0xcf, + 0x76, 0x73, 0xd7, 0x17, 0x04, 0x74, 0x21, 0x94, 0x24, 0x1c, 0x77, 0x40, 0xde, 0xa4, 0xb8, 0x1b, + 0x3a, 0xfc, 0xcb, 0xf1, 0x1c, 0x4e, 0x92, 0x57, 0xcb, 0x02, 0x36, 0xdf, 0x60, 0x00, 0x28, 0xc0, + 0x91, 0x5f, 0x64, 0xc1, 0x62, 0x52, 0xad, 0xa5, 0x51, 0xfd, 0xe0, 0x12, 0x32, 0xfc, 0x0f, 0x09, + 0x2c, 0x6a, 0x86, 0x81, 0x8d, 0xad, 0x0b, 0x4d, 0xf3, 0xb7, 0x05, 0x09, 0xe6, 0x63, 0x1a, 0x0b, + 0x0d, 0xc3, 0xc3, 0x7f, 0x49, 0x60, 0x89, 0xe0, 0xae, 0x73, 0x34, 0x40, 0x2b, 0x3b, 0x69, 0x5a, + 0xdf, 0x11, 0xb4, 0x96, 0xd0, 0x30, 0x1a, 0x3a, 0x8b, 0x82, 0xfc, 0xb9, 0x04, 0xe6, 0xd6, 0x5d, + 0xd7, 0x32, 0xb1, 0xb1, 0xeb, 0x7c, 0xbd, 0xda, 0xf0, 0x23, 0x09, 0xc0, 0xb4, 0xeb, 0x97, 0xd0, + 0x88, 0x4f, 0xd2, 0x8d, 0xb8, 0x3d, 0x66, 0x23, 0xa6, 0xe8, 0x8f, 0x68, 0xc5, 0xff, 0x64, 0xc1, + 0x52, 0x5a, 0xf1, 0x9b, 0x66, 0xfc, 0x6a, 0x36, 0xa3, 0x05, 0xae, 0x6d, 0x3e, 0xa3, 0x98, 0xd8, + 0x9a, 0xb5, 0x69, 0x53, 0x93, 0x1e, 0x23, 0xdc, 0xc6, 0x04, 0xdb, 0x3a, 0x86, 0xcb, 0x20, 0x67, + 0x6b, 0x5d, 0xcc, 0x13, 0x55, 0x54, 0x4b, 0xc2, 0x74, 0xae, 0xa9, 0x75, 0x31, 0xe2, 0x2b, 0xb0, + 0x0e, 0x8a, 0xec, 0x5f, 0xcf, 0xd5, 0x74, 0x5c, 0xc9, 0x70, 0xb5, 0x45, 0xa1, 0x56, 0x6c, 0x86, + 0x0b, 
0x28, 0xd6, 0x91, 0xff, 0x9d, 0x05, 0xb3, 0x09, 0x78, 0x88, 0x41, 0xd6, 0x75, 0x0c, 0x51, + 0x0a, 0x63, 0x9e, 0x10, 0x2d, 0xc7, 0x88, 0xb8, 0xab, 0x33, 0xfd, 0x5e, 0x2d, 0xcb, 0x24, 0xcc, + 0x3e, 0xfc, 0xbb, 0x04, 0xe6, 0x70, 0xca, 0x4b, 0xce, 0x76, 0x76, 0x6d, 0x6f, 0x3c, 0xc8, 0x11, + 0x91, 0x53, 0x61, 0xbf, 0x57, 0x9b, 0x1b, 0x58, 0x1c, 0x20, 0x00, 0x7f, 0x08, 0xb2, 0xa6, 0x1b, + 0x94, 0x40, 0x49, 0xbd, 0xc2, 0xe8, 0x36, 0x5a, 0xde, 0x69, 0xaf, 0x56, 0x6c, 0xb4, 0xc4, 0x21, + 0x86, 0x98, 0x02, 0xb4, 0x40, 0xde, 0x75, 0x08, 0xf5, 0x2a, 0x39, 0x5e, 0x2c, 0x5b, 0xe3, 0x31, + 0x66, 0x59, 0x31, 0x5a, 0x0e, 0xa1, 0x71, 0xe3, 0xb2, 0x5f, 0x1e, 0x0a, 0x40, 0xe4, 0x0f, 0x24, + 0x30, 0xd3, 0x68, 0xa9, 0x96, 0xa3, 0x1f, 0x42, 0x0c, 0x72, 0xba, 0x69, 0x10, 0x91, 0x9d, 0xfb, + 0xe3, 0x01, 0x37, 0x5a, 0x4d, 0x4c, 0xe3, 0x22, 0xba, 0xdf, 0xd8, 0x40, 0x88, 0x9b, 0x87, 0x87, + 0x60, 0x1a, 0x3f, 0xd3, 0xb1, 0x4b, 0x45, 0x97, 0x4e, 0x04, 0x68, 0x4e, 0x00, 0x4d, 0x6f, 0x72, + 0xd3, 0x48, 0x40, 0xc8, 0x6d, 0x90, 0xe7, 0x0a, 0xf0, 0x7b, 0x20, 0x63, 0xba, 0xdc, 0xb5, 0x92, + 0xba, 0xd4, 0xef, 0xd5, 0x32, 0x8d, 0x56, 0x3a, 0xf8, 0x19, 0xd3, 0x85, 0x77, 0x41, 0xc9, 0x25, + 0xb8, 0x6d, 0x3e, 0xdb, 0xc6, 0x76, 0x87, 0x1e, 0xf0, 0xa2, 0xc9, 0xc7, 0x83, 0xbe, 0x95, 0x58, + 0x43, 0x29, 0x4d, 0xf9, 0x2f, 0x12, 0x28, 0x46, 0xb1, 0x66, 0x9d, 0xc4, 0xc2, 0xcb, 0xe1, 0xf2, + 0x71, 0x10, 0xd8, 0x1a, 0xe2, 0x2b, 0x51, 0xaf, 0x65, 0x46, 0xf6, 0xda, 0x5d, 0x50, 0xe0, 0x77, + 0x58, 0xdd, 0xb1, 0x2a, 0x59, 0xae, 0x75, 0x23, 0x9c, 0xf9, 0x2d, 0x21, 0x3f, 0x4d, 0xfc, 0x8d, + 0x22, 0x6d, 0xf9, 0xaf, 0x39, 0x50, 0x6e, 0x62, 0xfa, 0xd4, 0x21, 0x87, 0x2d, 0xc7, 0x32, 0xf5, + 0xe3, 0x4b, 0x18, 0xc3, 0x14, 0xe4, 0x89, 0x6f, 0xe1, 0x70, 0xf2, 0x3e, 0x1a, 0xb3, 0x6a, 0x93, + 0xec, 0x91, 0x6f, 0xe1, 0xb8, 0x7a, 0xd9, 0x2f, 0x0f, 0x05, 0x60, 0xf0, 0x17, 0x60, 0x5e, 0x4b, + 0x9d, 0x3a, 0x41, 0x7f, 0x15, 0x79, 0x86, 0xe7, 0xd3, 0x07, 0x92, 0x87, 0x06, 0x75, 0xe1, 0x0a, + 0x0b, 0xb1, 0xe9, 0x10, 0x36, 0x1f, 0x72, 
0xcb, 0xd2, 0x8a, 0xa4, 0x96, 0x82, 0xf0, 0x06, 0x32, + 0x14, 0xad, 0xc2, 0x3b, 0xa0, 0x44, 0x4d, 0x4c, 0xc2, 0x95, 0x4a, 0x9e, 0x27, 0x76, 0x81, 0x15, + 0xc5, 0x6e, 0x42, 0x8e, 0x52, 0x5a, 0xf0, 0x4f, 0x12, 0x28, 0x7a, 0x8e, 0x4f, 0x74, 0x8c, 0x70, + 0xbb, 0x32, 0xcd, 0x03, 0xbf, 0x3b, 0xc9, 0xc8, 0x44, 0x03, 0xa8, 0xcc, 0x26, 0xf0, 0x4e, 0x08, + 0x85, 0x62, 0x54, 0xf9, 0x8d, 0x04, 0x16, 0x53, 0x9b, 0x2e, 0xe1, 0x02, 0xe2, 0xa6, 0x2f, 0x20, + 0xbf, 0x9a, 0xa0, 0xcb, 0x23, 0xee, 0x1f, 0xbf, 0x07, 0xd7, 0x52, 0x6a, 0x4d, 0xc7, 0xc0, 0x3b, + 0x54, 0xa3, 0xbe, 0x07, 0x7f, 0x04, 0x0a, 0xb6, 0x63, 0xe0, 0x66, 0x7c, 0xb2, 0x45, 0xd4, 0x9b, + 0x42, 0x8e, 0x22, 0x0d, 0xb8, 0x06, 0x80, 0x78, 0x43, 0x9a, 0x8e, 0xcd, 0xbb, 0x33, 0x1b, 0x57, + 0xfe, 0x56, 0xb4, 0x82, 0x12, 0x5a, 0xf2, 0xfb, 0x83, 0x21, 0x6e, 0x61, 0x4c, 0xe0, 0xcf, 0x40, + 0x59, 0x4b, 0x3c, 0x4e, 0xbc, 0x8a, 0xc4, 0x2b, 0x73, 0xb1, 0xdf, 0xab, 0x95, 0x93, 0xaf, 0x16, + 0x0f, 0xa5, 0xf5, 0xa0, 0x07, 0x0a, 0xa6, 0xcb, 0x27, 0x72, 0x18, 0xc0, 0xcd, 0x71, 0x27, 0x24, + 0xb7, 0x16, 0xfb, 0x2d, 0x04, 0x1e, 0x8a, 0x80, 0xe4, 0x8f, 0x25, 0xf0, 0xad, 0xb3, 0x6b, 0x0b, + 0xfe, 0x04, 0xe4, 0xe8, 0xb1, 0x1b, 0x06, 0xef, 0x66, 0x38, 0xaa, 0x76, 0x8f, 0x5d, 0x7c, 0xda, + 0xab, 0xa5, 0x3d, 0x67, 0x42, 0xc4, 0xd5, 0xbf, 0xf4, 0x5d, 0x21, 0x1a, 0x89, 0xd9, 0x91, 0x23, + 0x51, 0x05, 0x59, 0xdf, 0x34, 0x78, 0xab, 0x16, 0xd5, 0xdb, 0x42, 0x21, 0xbb, 0xd7, 0xd8, 0x38, + 0xed, 0xd5, 0x6e, 0x8e, 0xfa, 0x3c, 0xc0, 0xc8, 0x78, 0xca, 0x5e, 0x63, 0x03, 0xb1, 0xcd, 0xf2, + 0x7b, 0xf9, 0x81, 0x64, 0xb1, 0x81, 0x02, 0xef, 0x81, 0xa2, 0x61, 0x12, 0xac, 0xf3, 0xac, 0x07, + 0x8e, 0x56, 0x43, 0xb2, 0x1b, 0xe1, 0xc2, 0x69, 0xf2, 0x07, 0x8a, 0x37, 0xc0, 0x27, 0x20, 0xd7, + 0x26, 0x4e, 0x57, 0xdc, 0x31, 0x26, 0x39, 0xfb, 0x58, 0x25, 0xc5, 0xa1, 0x78, 0x40, 0x9c, 0x2e, + 0xe2, 0x50, 0xf0, 0x10, 0x64, 0xa8, 0xc3, 0x43, 0x75, 0x01, 0x80, 0x40, 0x00, 0x66, 0x76, 0x1d, + 0x94, 0xa1, 0x0e, 0xab, 0x48, 0x0f, 0x93, 0x23, 0x53, 0xc7, 0xe1, 0xad, 0x64, 
0xcc, 0x8a, 0xdc, + 0x09, 0xac, 0xc5, 0x15, 0x29, 0x04, 0x1e, 0x8a, 0x80, 0x58, 0xdf, 0xba, 0x03, 0xe3, 0x36, 0x3e, + 0xff, 0x86, 0x06, 0xf4, 0x63, 0x30, 0xad, 0x05, 0xd9, 0x9b, 0xe6, 0xd9, 0x43, 0xec, 0x2e, 0xb0, + 0x1e, 0xa6, 0x6d, 0xe3, 0xdc, 0x9f, 0xc8, 0xb0, 0xee, 0x33, 0x7b, 0xd1, 0x57, 0x32, 0x85, 0x95, + 0x47, 0x60, 0x07, 0x09, 0x04, 0xf8, 0x73, 0x50, 0xc6, 0xb6, 0xb6, 0x6f, 0xe1, 0x6d, 0xa7, 0xd3, + 0x31, 0xed, 0x4e, 0x65, 0x66, 0x59, 0x5a, 0x29, 0xa8, 0x57, 0x05, 0xbd, 0xf2, 0x66, 0x72, 0x11, + 0xa5, 0x75, 0xcf, 0x3a, 0xb2, 0x0a, 0xe7, 0x3f, 0xb2, 0xe4, 0xff, 0x66, 0x00, 0x4c, 0x25, 0x8c, + 0x4d, 0x39, 0x8f, 0x5d, 0x78, 0xcb, 0x76, 0x52, 0x2c, 0xa6, 0xfa, 0xc5, 0x9c, 0x36, 0x91, 0xa7, + 0xe9, 0xf5, 0x34, 0x03, 0xf8, 0x07, 0x50, 0xa2, 0x44, 0x6b, 0xb7, 0x4d, 0x9d, 0x73, 0x14, 0xdd, + 0xb1, 0x71, 0x6e, 0x46, 0xfc, 0x73, 0xa5, 0x12, 0x25, 0x62, 0x37, 0x61, 0x2b, 0xbe, 0x92, 0x25, + 0xa5, 0x28, 0x85, 0x27, 0x7f, 0x2a, 0x81, 0xa5, 0xa1, 0x50, 0xf9, 0xde, 0x25, 0x5c, 0x86, 0x9e, + 0x83, 0x3c, 0x3b, 0x50, 0xc2, 0xf1, 0xbd, 0x37, 0xc1, 0x24, 0xc4, 0x07, 0x5b, 0x7c, 0x12, 0x32, + 0x99, 0x87, 0x02, 0x48, 0xf9, 0x93, 0x1c, 0x58, 0x08, 0x95, 0xbc, 0x1d, 0xbf, 0xdb, 0xd5, 0xc8, + 0x65, 0xdc, 0xff, 0xfe, 0x29, 0x81, 0xf9, 0x64, 0xfa, 0xcd, 0xc8, 0xfb, 0xd6, 0x04, 0xbd, 0x0f, + 0x92, 0x7f, 0x4d, 0x30, 0x99, 0x6f, 0xa6, 0x01, 0xd1, 0x20, 0x03, 0xf8, 0x7f, 0x09, 0xdc, 0x08, + 0x50, 0xee, 0x5b, 0xbe, 0x47, 0x31, 0x19, 0xd8, 0x21, 0x1e, 0xe4, 0x93, 0xa7, 0xf8, 0x7d, 0x41, + 0xf1, 0xc6, 0xfa, 0x5b, 0xd0, 0xd1, 0x5b, 0xb9, 0xc1, 0x17, 0x12, 0xb8, 0x1a, 0x28, 0x0c, 0xb2, + 0xce, 0x5d, 0x10, 0xeb, 0xef, 0x0a, 0xd6, 0x57, 0xd7, 0xcf, 0x82, 0x45, 0x67, 0xb3, 0x91, 0x35, + 0x50, 0x4a, 0x3e, 0xc5, 0x2f, 0xe2, 0x33, 0xc2, 0xff, 0x24, 0x30, 0x23, 0x8e, 0x08, 0x78, 0x27, + 0xf1, 0x2e, 0x0a, 0x20, 0x2a, 0xef, 0x7e, 0x13, 0xc1, 0xa6, 0x78, 0x91, 0x65, 0xde, 0x51, 0xfd, + 0x3e, 0x35, 0x2d, 0x25, 0xf8, 0xcf, 0x04, 0xa5, 0x61, 0xd3, 0x47, 0x64, 0x87, 0x12, 0xd3, 0xee, + 0xa8, 0x85, 0x81, 
0xf7, 0xdb, 0x0f, 0xc0, 0x0c, 0xb6, 0xf9, 0x63, 0x8f, 0x1f, 0xc2, 0x79, 0x75, + 0xb6, 0xdf, 0xab, 0xcd, 0x6c, 0x06, 0x22, 0x14, 0xae, 0xa9, 0xb7, 0x5e, 0x9e, 0x54, 0xa7, 0x5e, + 0x9d, 0x54, 0xa7, 0x5e, 0x9f, 0x54, 0xa7, 0xfe, 0xd8, 0xaf, 0x4a, 0x2f, 0xfb, 0x55, 0xe9, 0x55, + 0xbf, 0x2a, 0xbd, 0xee, 0x57, 0xa5, 0x0f, 0xfb, 0x55, 0xe9, 0x6f, 0x6f, 0xaa, 0x53, 0xbf, 0x9e, + 0x11, 0x39, 0xf9, 0x22, 0x00, 0x00, 0xff, 0xff, 0x8f, 0x67, 0x61, 0xff, 0x86, 0x1a, 0x00, 0x00, } func (m *AddressGroup) Marshal() (dAtA []byte, err error) { @@ -1879,6 +1880,11 @@ func (m *Service) MarshalToSizedBuffer(dAtA []byte) (int, error) { _ = i var l int _ = l + if m.EndPort != nil { + i = encodeVarintGenerated(dAtA, i, uint64(*m.EndPort)) + i-- + dAtA[i] = 0x18 + } if m.Port != nil { { size, err := m.Port.MarshalToSizedBuffer(dAtA[:i]) @@ -2332,6 +2338,9 @@ func (m *Service) Size() (n int) { l = m.Port.Size() n += 1 + l + sovGenerated(uint64(l)) } + if m.EndPort != nil { + n += 1 + sovGenerated(uint64(*m.EndPort)) + } return n } @@ -2688,6 +2697,7 @@ func (this *Service) String() string { s := strings.Join([]string{`&Service{`, `Protocol:` + valueToStringGenerated(this.Protocol) + `,`, `Port:` + strings.Replace(fmt.Sprintf("%v", this.Port), "IntOrString", "intstr.IntOrString", 1) + `,`, + `EndPort:` + valueToStringGenerated(this.EndPort) + `,`, `}`, }, "") return s @@ -5833,6 +5843,26 @@ func (m *Service) Unmarshal(dAtA []byte) error { return err } iNdEx = postIndex + case 3: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field EndPort", wireType) + } + var v int32 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int32(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.EndPort = &v default: iNdEx = preIndex skippy, err := skipGenerated(dAtA[iNdEx:]) 
diff --git a/pkg/apis/controlplane/v1beta2/generated.proto b/pkg/apis/controlplane/v1beta2/generated.proto index 99461235293..9da4fdc1f5b 100644 --- a/pkg/apis/controlplane/v1beta2/generated.proto +++ b/pkg/apis/controlplane/v1beta2/generated.proto @@ -295,5 +295,10 @@ message Service { // The port name or number on the given protocol. If not specified, this matches all port numbers. // +optional optional k8s.io.apimachinery.pkg.util.intstr.IntOrString port = 2; + + // EndPort defines the end of the port range, being the end included within the range. + // It can only be specified when a numerical `port` is specified. + // +optional + optional int32 endPort = 3; } diff --git a/pkg/apis/controlplane/v1beta2/types.go b/pkg/apis/controlplane/v1beta2/types.go index 2b094da6700..98ef009f361 100644 --- a/pkg/apis/controlplane/v1beta2/types.go +++ b/pkg/apis/controlplane/v1beta2/types.go @@ -226,6 +226,10 @@ type Service struct { // The port name or number on the given protocol. If not specified, this matches all port numbers. // +optional Port *intstr.IntOrString `json:"port,omitempty" protobuf:"bytes,2,opt,name=port"` + // EndPort defines the end of the port range, being the end included within the range. + // It can only be specified when a numerical `port` is specified. + // +optional + EndPort *int32 `json:"endPort,omitempty" protobuf:"bytes,3,opt,name=endPort"` } // NetworkPolicyPeer describes a peer of NetworkPolicyRules. diff --git a/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go b/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go index e0ebe961e62..434252c752a 100644 --- a/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go +++ b/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go 
@@ -778,6 +778,7 @@ func Convert_controlplane_PodReference_To_v1beta2_PodReference(in *controlplane. func autoConvert_v1beta2_Service_To_controlplane_Service(in *Service, out *controlplane.Service, s conversion.Scope) error { out.Protocol = (*controlplane.Protocol)(unsafe.Pointer(in.Protocol)) out.Port = (*intstr.IntOrString)(unsafe.Pointer(in.Port)) + out.EndPort = (*int32)(unsafe.Pointer(in.EndPort)) return nil } @@ -789,6 +790,7 @@ func Convert_v1beta2_Service_To_controlplane_Service(in *Service, out *controlpl func autoConvert_controlplane_Service_To_v1beta2_Service(in *controlplane.Service, out *Service, s conversion.Scope) error { out.Protocol = (*Protocol)(unsafe.Pointer(in.Protocol)) out.Port = (*intstr.IntOrString)(unsafe.Pointer(in.Port)) + out.EndPort = (*int32)(unsafe.Pointer(in.EndPort)) return nil } diff --git a/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go b/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go index f6385fa9673..82331975cfe 100644 --- a/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go +++ b/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go @@ -675,6 +675,11 @@ func (in *Service) DeepCopyInto(out *Service) { *out = new(intstr.IntOrString) **out = **in } + if in.EndPort != nil { + in, out := &in.EndPort, &out.EndPort + *out = new(int32) + **out = **in + } return } diff --git a/pkg/apis/controlplane/zz_generated.deepcopy.go b/pkg/apis/controlplane/zz_generated.deepcopy.go index afd47420b11..8743ac7696e 100644 --- a/pkg/apis/controlplane/zz_generated.deepcopy.go +++ b/pkg/apis/controlplane/zz_generated.deepcopy.go @@ -675,6 +675,11 @@ func (in *Service) DeepCopyInto(out *Service) { *out = new(intstr.IntOrString) **out = **in } + if in.EndPort != nil { + in, out := &in.EndPort, &out.EndPort + *out = new(int32) + **out = **in + } return } diff --git a/pkg/apis/security/v1alpha1/types.go b/pkg/apis/security/v1alpha1/types.go index 0e68d72af93..485db3cf2e6 100644 --- a/pkg/apis/security/v1alpha1/types.go 
+++ b/pkg/apis/security/v1alpha1/types.go @@ -95,7 +95,7 @@ type Rule struct { // Set of port and protocol allowed/denied by the rule. If this field is unset // or empty, this rule matches all ports. // +optional - Ports []NetworkPolicyPort `json:"ports"` + Ports []NetworkPolicyPort `json:"ports,omitempty"` // Rule is matched if traffic originates from workloads selected by // this field. If this field is empty, this rule matches all sources. // +optional @@ -160,13 +160,16 @@ type NetworkPolicyPort struct { // The protocol (TCP, UDP, or SCTP) which traffic must match. // If not specified, this field defaults to TCP. // +optional - Protocol *v1.Protocol `json:"protocol"` - // The port on the given protocol. This can either be a numerical + Protocol *v1.Protocol `json:"protocol,omitempty"` + // The port on the given protocol. This can be either a numerical // or named port on a Pod. If this field is not provided, this // matches all port names and numbers. - // TODO: extend it to include Port Range. // +optional - Port *intstr.IntOrString `json:"port"` + Port *intstr.IntOrString `json:"port,omitempty"` + // EndPort defines the end of the port range, being the end included within the range. + // It can only be specified when a numerical `port` is specified. + // +optional + EndPort *int32 `json:"endPort,omitempty"` } // RuleAction describes the action to be applied on traffic matching a rule. diff --git a/pkg/apis/security/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/security/v1alpha1/zz_generated.deepcopy.go index 127141542f4..848e899d851 100644 --- a/pkg/apis/security/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/security/v1alpha1/zz_generated.deepcopy.go @@ -249,6 +249,11 @@ func (in *NetworkPolicyPort) DeepCopyInto(out *NetworkPolicyPort) { *out = new(intstr.IntOrString) **out = **in } + if in.EndPort != nil { + in, out := &in.EndPort, &out.EndPort + *out = new(int32) + **out = **in + } return } 
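Review bot: The new `EndPort` doc on `NetworkPolicyPort` states only that it requires a numerical `port`; it does not state the other constraints a client needs — that `endPort` must be greater than or equal to `port` and no larger than 65535 — and the hunk carries no `+kubebuilder:validation` markers, so any bound on the range is enforced only by code not visible here. Since this type is the user-facing CRD contract and the agent turns the `port:endPort` range into OVS port/mask matches, an inverted or out-of-range value has no type-level guard on its way to that transformation. I'd extend the comment to `// It can only be specified when a numerical port is specified; it must be >= port and <= 65535.` so the constraint is documented where API consumers read it, and if the validating webhook already rejects such values the comment should say so explicitly.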
diff --git a/pkg/apiserver/openapi/zz_generated.openapi.go b/pkg/apiserver/openapi/zz_generated.openapi.go index b1dffb56568..a1f1ca59f3c 100644 --- a/pkg/apiserver/openapi/zz_generated.openapi.go +++ b/pkg/apiserver/openapi/zz_generated.openapi.go @@ -2835,6 +2835,13 @@ func schema_pkg_apis_controlplane_v1beta2_Service(ref common.ReferenceCallback) Ref: ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"), }, }, + "endPort": { + SchemaProps: spec.SchemaProps{ + Description: "EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified.", + Type: []string{"integer"}, + Format: "int32", + }, + }, }, }, }, diff --git a/pkg/controller/networkpolicy/antreanetworkpolicy_test.go b/pkg/controller/networkpolicy/antreanetworkpolicy_test.go index 2c7b21b8d6b..86c873a1e03 100644 --- a/pkg/controller/networkpolicy/antreanetworkpolicy_test.go +++ b/pkg/controller/networkpolicy/antreanetworkpolicy_test.go @@ -37,7 +37,6 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { p10 := float64(10) allowAction := secv1alpha1.RuleActionAllow protocolTCP := controlplane.ProtocolTCP - intstr80, intstr81 := intstr.FromInt(80), intstr.FromInt(81) tests := []struct { name string inputPolicy *secv1alpha1.NetworkPolicy @@ -58,7 +57,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { { Ports: []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr80, + Port: &int80, }, }, From: []secv1alpha1.NetworkPolicyPeer{ @@ -74,7 +73,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { { Ports: []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr81, + Port: &int81, }, }, To: []secv1alpha1.NetworkPolicyPeer{ @@ -108,7 +107,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { Services: []controlplane.Service{ { Protocol: &protocolTCP, - Port: &intstr80, + Port: &int80, }, }, Priority: 0, 
@@ -122,7 +121,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { Services: []controlplane.Service{ { Protocol: &protocolTCP, - Port: &intstr81, + Port: &int81, }, }, Priority: 0, @@ -147,7 +146,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { { Ports: []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr80, + Port: &int80, }, }, From: []secv1alpha1.NetworkPolicyPeer{ @@ -160,7 +159,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { { Ports: []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr81, + Port: &int81, }, }, From: []secv1alpha1.NetworkPolicyPeer{ @@ -193,7 +192,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { Services: []controlplane.Service{ { Protocol: &protocolTCP, - Port: &intstr80, + Port: &int80, }, }, Priority: 0, @@ -207,7 +206,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { Services: []controlplane.Service{ { Protocol: &protocolTCP, - Port: &intstr81, + Port: &int81, }, }, Priority: 1, @@ -235,7 +234,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { }, Ports: []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr80, + Port: &int80, }, }, From: []secv1alpha1.NetworkPolicyPeer{ @@ -253,7 +252,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { }, Ports: []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr81, + Port: &int81, }, }, From: []secv1alpha1.NetworkPolicyPeer{ @@ -287,7 +286,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { Services: []controlplane.Service{ { Protocol: &protocolTCP, - Port: &intstr80, + Port: &int80, }, }, Priority: 0, @@ -302,7 +301,7 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { Services: []controlplane.Service{ { Protocol: &protocolTCP, - Port: &intstr81, + Port: &int81, }, }, Priority: 1, 
@@ -318,6 +317,68 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) { expectedAppliedToGroups: 2, expectedAddressGroups: 2, }, + { + name: "with-port-range", + inputPolicy: &secv1alpha1.NetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{Namespace: "ns4", Name: "npD", UID: "uidD"}, + Spec: secv1alpha1.NetworkPolicySpec{ + AppliedTo: []secv1alpha1.NetworkPolicyPeer{ + {PodSelector: &selectorA}, + }, + Priority: p10, + Ingress: []secv1alpha1.Rule{ + { + Ports: []secv1alpha1.NetworkPolicyPort{ + { + Protocol: &k8sProtocolTCP, + Port: &int1000, + EndPort: &int32For1999, + }, + }, + From: []secv1alpha1.NetworkPolicyPeer{ + { + PodSelector: &selectorB, + NamespaceSelector: &selectorC, + }, + }, + Action: &allowAction, + }, + }, + }, + }, + expectedPolicy: &antreatypes.NetworkPolicy{ + UID: "uidD", + Name: "uidD", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.AntreaNetworkPolicy, + Namespace: "ns4", + Name: "npD", + UID: "uidD", + }, + Priority: &p10, + TierPriority: &DefaultTierPriority, + Rules: []controlplane.NetworkPolicyRule{ + { + Direction: controlplane.DirectionIn, + From: controlplane.NetworkPolicyPeer{ + AddressGroups: []string{getNormalizedUID(toGroupSelector("", &selectorB, &selectorC, nil).NormalizedName)}, + }, + Services: []controlplane.Service{ + { + Protocol: toAntreaProtocol(&k8sProtocolTCP), + Port: &int1000, + EndPort: &int32For1999, + }, + }, + Priority: 0, + Action: &allowAction, + }, + }, + AppliedToGroups: []string{getNormalizedUID(toGroupSelector("ns4", &selectorA, nil, nil).NormalizedName)}, + }, + expectedAppliedToGroups: 1, + expectedAddressGroups: 1, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { @@ -333,7 +394,6 @@ func TestAddANP(t *testing.T) { p10 := float64(10) allowAction := secv1alpha1.RuleActionAllow protocolTCP := controlplane.ProtocolTCP - intstr80 := intstr.FromInt(80) int80 := intstr.FromInt(80) selectorAll := metav1.LabelSelector{} matchAllPeerEgress := matchAllPeer 
@@ -359,7 +419,7 @@ func TestAddANP(t *testing.T) { { Ports: []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr80, + Port: &int80, }, }, From: []secv1alpha1.NetworkPolicyPeer{ @@ -406,6 +466,68 @@ func TestAddANP(t *testing.T) { expAppliedToGroups: 1, expAddressGroups: 1, }, + { + name: "with-port-range", + inputPolicy: &secv1alpha1.NetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{Namespace: "nsB", Name: "npB", UID: "uidB"}, + Spec: secv1alpha1.NetworkPolicySpec{ + AppliedTo: []secv1alpha1.NetworkPolicyPeer{ + {PodSelector: &selectorA}, + }, + Priority: p10, + Ingress: []secv1alpha1.Rule{ + { + Ports: []secv1alpha1.NetworkPolicyPort{ + { + Protocol: &k8sProtocolTCP, + Port: &int1000, + EndPort: &int32For1999, + }, + }, + From: []secv1alpha1.NetworkPolicyPeer{ + { + PodSelector: &selectorB, + NamespaceSelector: &selectorC, + }, + }, + Action: &allowAction, + }, + }, + }, + }, + expPolicy: &antreatypes.NetworkPolicy{ + UID: "uidB", + Name: "uidB", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.AntreaNetworkPolicy, + Namespace: "nsB", + Name: "npB", + UID: "uidB", + }, + Priority: &p10, + TierPriority: &DefaultTierPriority, + Rules: []controlplane.NetworkPolicyRule{ + { + Direction: controlplane.DirectionIn, + From: controlplane.NetworkPolicyPeer{ + AddressGroups: []string{getNormalizedUID(toGroupSelector("", &selectorB, &selectorC, nil).NormalizedName)}, + }, + Services: []controlplane.Service{ + { + Protocol: toAntreaProtocol(&k8sProtocolTCP), + Port: &int1000, + EndPort: &int32For1999, + }, + }, + Priority: 0, + Action: &allowAction, + }, + }, + AppliedToGroups: []string{getNormalizedUID(toGroupSelector("nsB", &selectorA, nil, nil).NormalizedName)}, + }, + expAppliedToGroups: 1, + expAddressGroups: 1, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go index 76a94c30009..5baa72cadff 100644 
--- a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go +++ b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go @@ -19,7 +19,6 @@ import ( "github.com/stretchr/testify/assert" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/util/intstr" "github.com/vmware-tanzu/antrea/pkg/apis/controlplane" secv1alpha1 "github.com/vmware-tanzu/antrea/pkg/apis/security/v1alpha1" @@ -38,7 +37,6 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { } allowAction := secv1alpha1.RuleActionAllow protocolTCP := controlplane.ProtocolTCP - intstr80, intstr81 := intstr.FromInt(80), intstr.FromInt(81) selectorA := metav1.LabelSelector{MatchLabels: map[string]string{"foo1": "bar1"}} selectorB := metav1.LabelSelector{MatchLabels: map[string]string{"foo2": "bar2"}} selectorC := metav1.LabelSelector{MatchLabels: map[string]string{"foo3": "bar3"}} @@ -62,7 +60,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { { Ports: []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr80, + Port: &int80, }, }, From: []secv1alpha1.NetworkPolicyPeer{ @@ -78,7 +76,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { { Ports: []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr81, + Port: &int81, }, }, To: []secv1alpha1.NetworkPolicyPeer{ @@ -111,7 +109,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { Services: []controlplane.Service{ { Protocol: &protocolTCP, - Port: &intstr80, + Port: &int80, }, }, Priority: 0, @@ -125,7 +123,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { Services: []controlplane.Service{ { Protocol: &protocolTCP, - Port: &intstr81, + Port: &int81, }, }, Priority: 0, @@ -150,7 +148,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { { Ports: []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr80, + Port: &int80, }, }, From: []secv1alpha1.NetworkPolicyPeer{ @@ -163,7 +161,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { { Ports: []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr81, + Port: &int81, }, }, 
From: []secv1alpha1.NetworkPolicyPeer{ @@ -195,7 +193,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { Services: []controlplane.Service{ { Protocol: &protocolTCP, - Port: &intstr80, + Port: &int80, }, }, Priority: 0, @@ -209,7 +207,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { Services: []controlplane.Service{ { Protocol: &protocolTCP, - Port: &intstr81, + Port: &int81, }, }, Priority: 1, @@ -235,7 +233,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { { Ports: []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr80, + Port: &int80, }, }, From: []secv1alpha1.NetworkPolicyPeer{ @@ -248,7 +246,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { { Ports: []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr81, + Port: &int81, }, }, From: []secv1alpha1.NetworkPolicyPeer{ @@ -280,7 +278,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { Services: []controlplane.Service{ { Protocol: &protocolTCP, - Port: &intstr80, + Port: &int80, }, }, Priority: 0, @@ -294,7 +292,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { Services: []controlplane.Service{ { Protocol: &protocolTCP, - Port: &intstr81, + Port: &int81, }, }, Priority: 1, @@ -306,6 +304,66 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { expectedAppliedToGroups: 1, expectedAddressGroups: 2, }, + { + name: "with-port-range", + inputPolicy: &secv1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{Namespace: "", Name: "cnpD", UID: "uidD"}, + Spec: secv1alpha1.ClusterNetworkPolicySpec{ + AppliedTo: []secv1alpha1.NetworkPolicyPeer{ + {PodSelector: &selectorA}, + }, + Priority: p10, + Ingress: []secv1alpha1.Rule{ + { + Ports: []secv1alpha1.NetworkPolicyPort{ + { + Protocol: &k8sProtocolTCP, + Port: &int1000, + EndPort: &int32For1999, + }, + }, + 
From: []secv1alpha1.NetworkPolicyPeer{ + { + PodSelector: &selectorB, + }, + }, + Action: &allowAction, + }, + }, + }, + }, + expectedPolicy: &antreatypes.NetworkPolicy{ + UID: "uidD", + Name: "uidD", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.AntreaClusterNetworkPolicy, + Name: "cnpD", + UID: "uidD", + }, + Priority: &p10, + TierPriority: &DefaultTierPriority, + Rules: []controlplane.NetworkPolicyRule{ + { + Direction: controlplane.DirectionIn, + From: controlplane.NetworkPolicyPeer{ + AddressGroups: []string{getNormalizedUID(toGroupSelector("", &selectorB, nil, nil).NormalizedName)}, + }, + Services: []controlplane.Service{ + { + Protocol: toAntreaProtocol(&k8sProtocolTCP), + Port: &int1000, + EndPort: &int32For1999, + }, + }, + Priority: 0, + Action: &allowAction, + }, + }, + AppliedToGroups: []string{getNormalizedUID(toGroupSelector("", &selectorA, nil, nil).NormalizedName)}, + }, + expectedAppliedToGroups: 1, + expectedAddressGroups: 1, + }, { name: "appliedTo-per-rule", inputPolicy: &secv1alpha1.ClusterNetworkPolicy{ @@ -322,7 +380,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, Ports: []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr80, + Port: &int80, }, }, From: []secv1alpha1.NetworkPolicyPeer{ @@ -341,7 +399,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) { }, Ports: []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr81, + Port: &int81, }, }, From: []secv1alpha1.NetworkPolicyPeer{ @@ -437,8 +495,6 @@ func TestAddCNP(t *testing.T) { } allowAction := secv1alpha1.RuleActionAllow protocolTCP := controlplane.ProtocolTCP - intstr80, intstr81 := intstr.FromInt(80), intstr.FromInt(81) - int80, int81 := intstr.FromInt(80), intstr.FromInt(81) selectorA := metav1.LabelSelector{MatchLabels: map[string]string{"foo1": "bar1"}} selectorB := metav1.LabelSelector{MatchLabels: map[string]string{"foo2": "bar2"}} selectorC := metav1.LabelSelector{MatchLabels: map[string]string{"foo3": "bar3"}} 
@@ -466,7 +522,7 @@ func TestAddCNP(t *testing.T) { { Ports: []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr80, + Port: &int80, }, }, From: []secv1alpha1.NetworkPolicyPeer{ @@ -524,7 +580,7 @@ func TestAddCNP(t *testing.T) { { Ports: []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr80, + Port: &int80, }, }, From: []secv1alpha1.NetworkPolicyPeer{ @@ -583,7 +639,7 @@ func TestAddCNP(t *testing.T) { { Ports: []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr80, + Port: &int80, }, }, From: []secv1alpha1.NetworkPolicyPeer{ @@ -642,7 +698,7 @@ func TestAddCNP(t *testing.T) { { Ports: []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr80, + Port: &int80, }, }, From: []secv1alpha1.NetworkPolicyPeer{ @@ -700,7 +756,7 @@ func TestAddCNP(t *testing.T) { { Ports: []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr80, + Port: &int80, }, }, From: []secv1alpha1.NetworkPolicyPeer{ @@ -716,7 +772,7 @@ func TestAddCNP(t *testing.T) { { Ports: []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr81, + Port: &int81, }, }, To: []secv1alpha1.NetworkPolicyPeer{ @@ -788,7 +844,7 @@ func TestAddCNP(t *testing.T) { { Ports: []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr80, + Port: &int80, }, }, From: []secv1alpha1.NetworkPolicyPeer{ @@ -801,7 +857,7 @@ func TestAddCNP(t *testing.T) { { Ports: []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr81, + Port: &int81, }, }, From: []secv1alpha1.NetworkPolicyPeer{ @@ -859,6 +915,66 @@ func TestAddCNP(t *testing.T) { expAppliedToGroups: 1, expAddressGroups: 2, }, + { + name: "with-port-range", + inputPolicy: &secv1alpha1.ClusterNetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{Namespace: "", Name: "cnpH", UID: "uidH"}, + Spec: secv1alpha1.ClusterNetworkPolicySpec{ + AppliedTo: []secv1alpha1.NetworkPolicyPeer{ + {PodSelector: &selectorA}, + }, + Priority: p10, + Ingress: []secv1alpha1.Rule{ + { + Ports: []secv1alpha1.NetworkPolicyPort{ + { + Protocol: &k8sProtocolTCP, + Port: &int1000, + EndPort: &int32For1999, + }, + }, + 
From: []secv1alpha1.NetworkPolicyPeer{ + { + PodSelector: &selectorB, + }, + }, + Action: &allowAction, + }, + }, + }, + }, + expPolicy: &antreatypes.NetworkPolicy{ + UID: "uidH", + Name: "uidH", + SourceRef: &controlplane.NetworkPolicyReference{ + Type: controlplane.AntreaClusterNetworkPolicy, + Name: "cnpH", + UID: "uidH", + }, + Priority: &p10, + TierPriority: &DefaultTierPriority, + Rules: []controlplane.NetworkPolicyRule{ + { + Direction: controlplane.DirectionIn, + From: controlplane.NetworkPolicyPeer{ + AddressGroups: []string{getNormalizedUID(toGroupSelector("", &selectorB, nil, nil).NormalizedName)}, + }, + Services: []controlplane.Service{ + { + Protocol: toAntreaProtocol(&k8sProtocolTCP), + Port: &int1000, + EndPort: &int32For1999, + }, + }, + Priority: 0, + Action: &allowAction, + }, + }, + AppliedToGroups: []string{getNormalizedUID(toGroupSelector("", &selectorA, nil, nil).NormalizedName)}, + }, + expAppliedToGroups: 1, + expAddressGroups: 1, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { @@ -878,7 +994,7 @@ func TestAddCNP(t *testing.T) { for _, tt := range tests { npc.addCNP(tt.inputPolicy) } - assert.Equal(t, 6, npc.GetNetworkPolicyNum(), "number of NetworkPolicies do not match") + assert.Equal(t, 7, npc.GetNetworkPolicyNum(), "number of NetworkPolicies do not match") assert.Equal(t, 3, npc.GetAddressGroupNum(), "number of AddressGroups do not match") assert.Equal(t, 1, npc.GetAppliedToGroupNum(), "number of AppliedToGroups do not match") } diff --git a/pkg/controller/networkpolicy/crd_utils.go b/pkg/controller/networkpolicy/crd_utils.go index 56b8bfc82af..5457986b3e6 100644 --- a/pkg/controller/networkpolicy/crd_utils.go +++ b/pkg/controller/networkpolicy/crd_utils.go 
@@ -45,11 +45,11 @@ func toAntreaServicesForCRD(npPorts []secv1alpha1.NetworkPolicyPort) ([]controlp
 if npPort.Port != nil && npPort.Port.Type == intstr.String {
 namedPortExists = true
 }
- antreaService := controlplane.Service{
+ antreaServices = append(antreaServices, controlplane.Service{
 Protocol: toAntreaProtocol(npPort.Protocol),
 Port: npPort.Port,
- }
- antreaServices = append(antreaServices, antreaService)
+ EndPort: npPort.EndPort,
+ })
 }
 return antreaServices, namedPortExists
 }
diff --git a/pkg/controller/networkpolicy/crd_utils_test.go b/pkg/controller/networkpolicy/crd_utils_test.go
index 6364168ece6..f44db53811a 100644
--- a/pkg/controller/networkpolicy/crd_utils_test.go
+++ b/pkg/controller/networkpolicy/crd_utils_test.go
@@ -63,6 +63,23 @@ func TestToAntreaServicesForCRD(t *testing.T) {
 },
 expNamedPortExists: true,
 },
+ {
+ ports: []secv1alpha1.NetworkPolicyPort{
+ {
+ Protocol: &k8sProtocolTCP,
+ Port: &int1000,
+ EndPort: &int32For1999,
+ },
+ },
+ expServices: []controlplane.Service{
+ {
+ Protocol: toAntreaProtocol(&k8sProtocolTCP),
+ Port: &int1000,
+ EndPort: &int32For1999,
+ },
+ },
+ expNamedPortExists: false,
+ },
 }
 for _, table := range tables {
 services, namedPortExist := toAntreaServicesForCRD(table.ports)
diff --git a/pkg/controller/networkpolicy/networkpolicy_controller_test.go b/pkg/controller/networkpolicy/networkpolicy_controller_test.go
index 311f1986bfc..8251390592d 100644
--- a/pkg/controller/networkpolicy/networkpolicy_controller_test.go
+++ b/pkg/controller/networkpolicy/networkpolicy_controller_test.go
@@ -56,8 +56,11 @@ var (
 protocolTCP = controlplane.ProtocolTCP
- int80 = intstr.FromInt(80)
- int81 = intstr.FromInt(81)
+ int80 = intstr.FromInt(80)
+ int81 = intstr.FromInt(81)
+ int1000 = intstr.FromInt(1000)
+
+ int32For1999 = int32(1999)
 strHTTP = intstr.FromString("http")
 )
diff --git a/pkg/controller/networkpolicy/validate.go b/pkg/controller/networkpolicy/validate.go
index bcc7df5f2a3..e5ab14e8b34 100644
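Review bot: toAntreaServicesForCRD now copies `npPort.EndPort` straight into the internal `Service` without relating it to `Port`, so the only thing keeping an `endPort` paired with a named port, or an `endPort` below `port`, out of the agent's range-to-mask translation is the `validatePort` webhook check added in validate.go. That layering is reasonable for an admission-validated CRD, but the function should say so; I'd add above the `append`: `// EndPort is copied through unvalidated: the validating webhook (validatePort) rejects endPort with a named port or endPort < port.` If the controller can ever process objects that did not pass the webhook (for example ones admitted before it was registered), the same invariants should be re-checked here or in the agent before the range is expanded. The function signature and the enclosing loop header are outside the hunk.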
--- a/pkg/controller/networkpolicy/validate.go
+++ b/pkg/controller/networkpolicy/validate.go
@@ -22,6 +22,7 @@ import (
 admv1 "k8s.io/api/admission/v1"
 authenticationv1 "k8s.io/api/authentication/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/util/intstr"
 "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/klog"
@@ -213,6 +214,36 @@ func (v *NetworkPolicyValidator) validateAntreaPolicy(curObj, oldObj interface{}
 return reason, allowed
 }
+// validatePort validates if ports is valid
+func (a *antreaPolicyValidator) validatePort(ingress, egress []secv1alpha1.Rule) error {
+ isValid := func(rules []secv1alpha1.Rule) error {
+ for _, rule := range rules {
+ for _, port := range rule.Ports {
+ if port.EndPort == nil {
+ continue
+ }
+ if port.Port == nil {
+ return fmt.Errorf("if `endPort` is specified `port` must be specified")
+ }
+ if port.Port.Type == intstr.String {
+ return fmt.Errorf("if `port` is a string `endPort` cannot be specified")
+ }
+ if *port.EndPort < port.Port.IntVal {
+ return fmt.Errorf("`endPort` should be greater than or equal to `port`")
+ }
+ }
+ }
+ return nil
+ }
+ if err := isValid(ingress); err != nil {
+ return err
+ }
+ if err := isValid(egress); err != nil {
+ return err
+ }
+ return nil
+}
+
 // validateTier validates the admission of a Tier resource
 func (v *NetworkPolicyValidator) validateTier(curTier, oldTier *secv1alpha1.Tier, op admv1.Operation, userInfo authenticationv1.UserInfo) (string, bool) {
 allowed := true
@@ -298,6 +329,9 @@ func (a *antreaPolicyValidator) createValidate(curObj interface{}, userInfo auth
 if !allowed {
 return reason, allowed
 }
+ if err := a.validatePort(ingress, egress); err != nil {
+ return err.Error(), false
+ }
 return "", true
 }
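Review bot: validatePort never bounds the range from above: `*port.EndPort` is an int32 compared only against `port.Port.IntVal`, so an `endPort` of 70000 (or a negative numeric `port`) passes the webhook and reaches the agent, which per the commit message expands `[port, endPort]` into port/mask pairs. Unless the CRD schema in build/yamls/base/crds.yml (changed by this commit but not in view) already constrains both fields to 0-65535, add after the ordering check `if port.Port.IntVal < 0 || *port.EndPort > 65535 { return fmt.Errorf("port and endPort must be within 0-65535") }`. None of the three `fmt.Errorf` calls uses a format verb, so `errors.New` is the idiomatic form (staticcheck flags constant-format `Errorf`), which would need an `errors` import. The doc comment restates the name rather than the contract; `// validatePort checks every port range in the ingress and egress rules: endPort requires a numeric port and must not be smaller than it.` tells a caller what is actually enforced.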
@@ -377,6 +411,12 @@ func (a *antreaPolicyValidator) updateValidate(curObj, oldObj interface{}, userI if !allowed { return reason, allowed } + if ruleNameUnique := a.validateRuleName(ingress, egress); !ruleNameUnique { + return fmt.Sprint("rules names must be unique within the policy"), false + } + if err := a.validatePort(ingress, egress); err != nil { + return err.Error(), false + } return a.validateTierForPolicy(tier) } diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go index 3ab0cb0f6a6..e7a4f2454dd 100644 --- a/test/e2e/antreapolicy_test.go +++ b/test/e2e/antreapolicy_test.go @@ -42,7 +42,8 @@ var ( allTestList []*TestCase pods, namespaces []string podIPs map[string]string - p80, p81 int + p80, p81, p8080 int + p8085 int32 ) const ( @@ -68,19 +69,21 @@ type TestCase struct { Steps []*TestStep } -// TestStep is a single unit of testing spec. It includes the CNP specs that need to be +// TestStep is a single unit of testing spec. It includes the ACNP specs that need to be // applied for this test, the port to test traffic on and the expected Reachability matrix. type TestStep struct { Name string Reachability *Reachability Policies []metav1.Object - Port int + Port []int Duration time.Duration } func initialize(t *testing.T, data *TestData) { p80 = 80 p81 = 81 + p8080 = 8080 + p8085 = 8085 pods = []string{"a", "b", "c"} namespaces = []string{"x", "y", "z"} @@ -101,9 +104,9 @@ func initialize(t *testing.T, data *TestData) { func skipIfAntreaPolicyDisabled(tb testing.TB, data *TestData) { if featureGate, err := data.GetControllerFeatures(antreaNamespace); err != nil { - tb.Fatalf("Cannot determine if CNP enabled: %v", err) + tb.Fatalf("Cannot determine if ACNP enabled: %v", err) } else if !featureGate.Enabled(features.AntreaPolicy) { - tb.Skipf("Skipping test as it required CNP to be enabled") + tb.Skipf("Skipping test as it required ACNP to be enabled") } } 
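Review bot: `fmt.Sprint("rules names must be unique within the policy")` is a constant-string round trip; return the literal directly, and the message reads better as `return "rule names must be unique within the policy", false`. This hunk also extends the rule-name uniqueness check to updates, which the commit message does not mention; if createValidate emits the same message (its check is not in view), keep the wording identical so clients see one rejection reason rather than two variants. updateValidate's signature and the preceding checks are outside the hunk.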
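Review bot: `Port []int` on TestStep turns the field into a list, but the comment above the type still says "the port to test traffic on"; update it to `// applied for this test, the ports to test traffic on and the expected Reachability matrix.`. Also `p8085 int32` is the only port declared as int32 in the var block, which reads as an oversight unless explained; a trailing comment such as `// int32 because it is used as NetworkPolicyPort.EndPort (*int32)` would make the mismatch deliberate.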
@@ -151,14 +154,14 @@ func testMutateACNPNoTier(t *testing.T) { SetPriority(10.0) acnp := builder.Get() log.Debugf("creating ACNP %v", acnp.Name) - acnp, err := k8sUtils.CreateOrUpdateCNP(acnp) + acnp, err := k8sUtils.CreateOrUpdateACNP(acnp) if err != nil { failOnError(fmt.Errorf("ACNP create failed %v", err), t) } if acnp.Spec.Tier != defaultTierName { failOnError(invalidNpErr, t) } - failOnError(k8sUtils.CleanCNPs(), t) + failOnError(k8sUtils.CleanACNPs(), t) } func testMutateANPNoTier(t *testing.T) { @@ -185,11 +188,11 @@ func testMutateACNPNoRuleName(t *testing.T) { builder = builder.SetName("acnp-no-rule-name"). SetAppliedToGroup(map[string]string{"pod": "a"}, nil, nil, nil). SetPriority(10.0). - AddIngress(v1.ProtocolTCP, &p80, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, + AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, nil, nil, nil, secv1alpha1.RuleActionAllow, "") acnp := builder.Get() log.Debugf("creating ACNP %v", acnp.Name) - acnp, err := k8sUtils.CreateOrUpdateCNP(acnp) + acnp, err := k8sUtils.CreateOrUpdateACNP(acnp) if err != nil { failOnError(fmt.Errorf("ACNP create failed %v", err), t) } @@ -201,7 +204,7 @@ func testMutateACNPNoRuleName(t *testing.T) { if ir[0].Name == "" { failOnError(mutateErr, t) } - failOnError(k8sUtils.CleanCNPs(), t) + failOnError(k8sUtils.CleanACNPs(), t) } func testMutateANPNoRuleName(t *testing.T) { @@ -210,7 +213,7 @@ func testMutateANPNoRuleName(t *testing.T) { builder = builder.SetName("x", "anp-no-rule-name"). SetAppliedToGroup(map[string]string{"pod": "a"}, nil). SetPriority(10.0). - AddIngress(v1.ProtocolTCP, &p80, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, + AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, nil, nil, nil, secv1alpha1.RuleActionAllow, "") anp := builder.Get() log.Debugf("creating ANP %v", anp.Name) 
@@ -235,7 +238,7 @@ func testInvalidACNPNoPriority(t *testing.T) { builder = builder.SetName("acnp-no-priority").SetAppliedToGroup(map[string]string{"pod": "a"}, nil, nil, nil) acnp := builder.Get() log.Debugf("creating ACNP %v", acnp.Name) - if _, err := k8sUtils.CreateOrUpdateCNP(acnp); err == nil { + if _, err := k8sUtils.CreateOrUpdateACNP(acnp); err == nil { // Above creation of ACNP must fail as it is an invalid spec. failOnError(invalidNpErr, t) } @@ -245,13 +248,13 @@ func testInvalidACNPRuleNameNotUnique(t *testing.T) { invalidNpErr := fmt.Errorf("invalid Antrea ClusterNetworkPolicy without unique rule names accepted") builder := &ClusterNetworkPolicySpecBuilder{} builder = builder.SetName("acnp-rule-name-not-unique").SetAppliedToGroup(map[string]string{"pod": "a"}, nil, nil, nil). - AddIngress(v1.ProtocolTCP, &p80, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, + AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, nil, nil, nil, secv1alpha1.RuleActionAllow, "not-unique"). - AddIngress(v1.ProtocolTCP, &p81, nil, nil, map[string]string{"pod": "c"}, map[string]string{"ns": "x"}, + AddIngress(v1.ProtocolTCP, &p81, nil, nil, nil, map[string]string{"pod": "c"}, map[string]string{"ns": "x"}, nil, nil, nil, secv1alpha1.RuleActionAllow, "not-unique") acnp := builder.Get() log.Debugf("creating ACNP %v", acnp.Name) - if _, err := k8sUtils.CreateOrUpdateCNP(acnp); err == nil { + if _, err := k8sUtils.CreateOrUpdateACNP(acnp); err == nil { // Above creation of ACNP must fail as it is an invalid spec. failOnError(invalidNpErr, t) } 
@@ -264,7 +267,7 @@ func testInvalidACNPTierDoesNotExist(t *testing.T) { SetTier("i-dont-exist") acnp := builder.Get() log.Debugf("creating ACNP %v", acnp.Name) - if _, err := k8sUtils.CreateOrUpdateCNP(acnp); err == nil { + if _, err := k8sUtils.CreateOrUpdateACNP(acnp); err == nil { // Above creation of ACNP must fail as it is an invalid spec. failOnError(invalidNpErr, t) } @@ -286,9 +289,9 @@ func testInvalidANPRuleNameNotUnique(t *testing.T) { invalidNpErr := fmt.Errorf("invalid Antrea NetworkPolicy without unique rule names accepted") builder := &AntreaNetworkPolicySpecBuilder{} builder = builder.SetName("x", "anp-rule-name-not-unique").SetAppliedToGroup(map[string]string{"pod": "a"}, nil). - AddIngress(v1.ProtocolTCP, &p80, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, + AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, nil, nil, nil, secv1alpha1.RuleActionAllow, "not-unique"). - AddIngress(v1.ProtocolTCP, &p81, nil, nil, map[string]string{"pod": "c"}, map[string]string{"ns": "x"}, + AddIngress(v1.ProtocolTCP, &p81, nil, nil, nil, map[string]string{"pod": "c"}, map[string]string{"ns": "x"}, nil, nil, nil, secv1alpha1.RuleActionAllow, "not-unique") anp := builder.Get() log.Debugf("creating ANP %v", anp.Name) @@ -374,14 +377,14 @@ func testInvalidTierACNPRefDelete(t *testing.T) { SetPriority(13.0) acnp := builder.Get() log.Debugf("creating ACNP %v", acnp.Name) - if _, err = k8sUtils.CreateOrUpdateCNP(acnp); err != nil { + if _, err = k8sUtils.CreateOrUpdateACNP(acnp); err != nil { failOnError(fmt.Errorf("create ACNP failed for ACNP %s: %v", acnp.Name, err), t) } // Deleting this Tier must fail as it has referenced ACNP if err = k8sUtils.DeleteTier(tr.Name); err == nil { failOnError(invalidErr, t) } - failOnError(k8sUtils.CleanCNPs(), t) + failOnError(k8sUtils.CleanACNPs(), t) failOnError(k8sUtils.DeleteTier(tr.Name), t) } 
@@ -409,14 +412,14 @@ func testInvalidTierANPRefDelete(t *testing.T) { failOnError(k8sUtils.DeleteTier(tr.Name), t) } -// testCNPAllowXBtoA tests traffic from X/B to pods with label A, after applying the default deny -// k8s NetworkPolicies in all namespaces and CNP to allow X/B to A. -func testCNPAllowXBtoA(t *testing.T) { +// testACNPAllowXBtoA tests traffic from X/B to pods with label A, after applying the default deny +// k8s NetworkPolicies in all namespaces and ACNP to allow X/B to A. +func testACNPAllowXBtoA(t *testing.T) { builder := &ClusterNetworkPolicySpecBuilder{} - builder = builder.SetName("cnp-allow-xb-to-a"). + builder = builder.SetName("acnp-allow-xb-to-a"). SetPriority(1.0). SetAppliedToGroup(map[string]string{"pod": "a"}, nil, nil, nil) - builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, + builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, nil, nil, nil, secv1alpha1.RuleActionAllow, "") reachability := NewReachability(allPods, false) 
@@ -430,25 +433,25 @@ func testCNPAllowXBtoA(t *testing.T) { "Port 80", reachability, []metav1.Object{builder.Get()}, - 80, + []int{80}, 0, }, } testCase := []*TestCase{ - {"CNP Allow X/B to A", testStep}, + {"ACNP Allow X/B to A", testStep}, } executeTests(t, testCase) } -// testCNPAllowXBtoYA tests traffic from X/B to Y/A on named port 81, after applying the default deny -// k8s NetworkPolicies in all namespaces and CNP to allow X/B to Y/A. -func testCNPAllowXBtoYA(t *testing.T) { +// testACNPAllowXBtoYA tests traffic from X/B to Y/A on named port 81, after applying the default deny +// k8s NetworkPolicies in all namespaces and ACNP to allow X/B to Y/A. +func testACNPAllowXBtoYA(t *testing.T) { port81Name := "serve-81" builder := &ClusterNetworkPolicySpecBuilder{} - builder = builder.SetName("cnp-allow-xb-to-ya"). + builder = builder.SetName("acnp-allow-xb-to-ya"). SetPriority(2.0). SetAppliedToGroup(map[string]string{"pod": "a"}, map[string]string{"ns": "y"}, nil, nil) - builder.AddIngress(v1.ProtocolTCP, nil, &port81Name, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, + builder.AddIngress(v1.ProtocolTCP, nil, &port81Name, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, nil, nil, nil, secv1alpha1.RuleActionAllow, "") reachability := NewReachability(allPods, false) 
@@ -460,68 +463,68 @@ func testCNPAllowXBtoYA(t *testing.T) { "NamedPort 81", reachability, []metav1.Object{builder.Get()}, - 81, + []int{81}, 0, }, } testCase := []*TestCase{ - {"CNP Allow X/B to Y/A", testStep}, + {"ACNP Allow X/B to Y/A", testStep}, } executeTests(t, testCase) } -// testCNPPriorityOverrideDefaultDeny tests priority override in CNP. It applies a higher priority CNP to drop -// traffic from namespace Z to X/A, and in the meantime applies a lower priority CNP to allow traffic from Z to X. +// testACNPPriorityOverrideDefaultDeny tests priority override in ACNP. It applies a higher priority ACNP to drop +// traffic from namespace Z to X/A, and in the meantime applies a lower priority ACNP to allow traffic from Z to X. // It is tested with default deny k8s NetworkPolicies in all namespaces. -func testCNPPriorityOverrideDefaultDeny(t *testing.T) { +func testACNPPriorityOverrideDefaultDeny(t *testing.T) { builder1 := &ClusterNetworkPolicySpecBuilder{} - builder1 = builder1.SetName("cnp-priority2"). + builder1 = builder1.SetName("acnp-priority2"). SetPriority(2). SetAppliedToGroup(nil, map[string]string{"ns": "x"}, nil, nil) - builder1.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, + builder1.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"}, nil, nil, nil, secv1alpha1.RuleActionAllow, "") builder2 := &ClusterNetworkPolicySpecBuilder{} - builder2 = builder2.SetName("cnp-priority1"). + builder2 = builder2.SetName("acnp-priority1"). SetPriority(1). SetAppliedToGroup(map[string]string{"pod": "a"}, map[string]string{"ns": "x"}, nil, nil) - builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, + builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"}, nil, nil, nil, secv1alpha1.RuleActionDrop, "") - // Ingress from ns:z to x/a will be dropped since cnp-priority1 has higher precedence. 
- reachabilityBothCNP := NewReachability(allPods, false) - reachabilityBothCNP.Expect(Pod("z/a"), Pod("x/b"), true) - reachabilityBothCNP.Expect(Pod("z/a"), Pod("x/c"), true) - reachabilityBothCNP.Expect(Pod("z/b"), Pod("x/b"), true) - reachabilityBothCNP.Expect(Pod("z/b"), Pod("x/c"), true) - reachabilityBothCNP.Expect(Pod("z/c"), Pod("x/b"), true) - reachabilityBothCNP.Expect(Pod("z/c"), Pod("x/c"), true) - reachabilityBothCNP.ExpectSelf(allPods, true) + // Ingress from ns:z to x/a will be dropped since acnp-priority1 has higher precedence. + reachabilityBothACNP := NewReachability(allPods, false) + reachabilityBothACNP.Expect(Pod("z/a"), Pod("x/b"), true) + reachabilityBothACNP.Expect(Pod("z/a"), Pod("x/c"), true) + reachabilityBothACNP.Expect(Pod("z/b"), Pod("x/b"), true) + reachabilityBothACNP.Expect(Pod("z/b"), Pod("x/c"), true) + reachabilityBothACNP.Expect(Pod("z/c"), Pod("x/b"), true) + reachabilityBothACNP.Expect(Pod("z/c"), Pod("x/c"), true) + reachabilityBothACNP.ExpectSelf(allPods, true) testStep := []*TestStep{ { - "Both CNP", - reachabilityBothCNP, + "Both ACNP", + reachabilityBothACNP, []metav1.Object{builder1.Get(), builder2.Get()}, - 80, + []int{80}, 0, }, } testCase := []*TestCase{ - {"CNP PriorityOverride Default Deny", testStep}, + {"ACNP PriorityOverride Default Deny", testStep}, } executeTests(t, testCase) } -// testCNPAllowNoDefaultIsolation tests that no default isolation rules are created for Policies. -func testCNPAllowNoDefaultIsolation(t *testing.T) { +// testACNPAllowNoDefaultIsolation tests that no default isolation rules are created for Policies. +func testACNPAllowNoDefaultIsolation(t *testing.T) { builder := &ClusterNetworkPolicySpecBuilder{} - builder = builder.SetName("cnp-allow-x-ingress-y-egress-z"). + builder = builder.SetName("acnp-allow-x-ingress-y-egress-z"). SetPriority(1.1). 
SetAppliedToGroup(nil, map[string]string{"ns": "x"}, nil, nil) - builder.AddIngress(v1.ProtocolTCP, &p81, nil, nil, nil, map[string]string{"ns": "y"}, + builder.AddIngress(v1.ProtocolTCP, &p81, nil, nil, nil, nil, map[string]string{"ns": "y"}, nil, nil, nil, secv1alpha1.RuleActionAllow, "") - builder.AddEgress(v1.ProtocolTCP, &p81, nil, nil, nil, map[string]string{"ns": "z"}, + builder.AddEgress(v1.ProtocolTCP, &p81, nil, nil, nil, nil, map[string]string{"ns": "z"}, nil, nil, nil, secv1alpha1.RuleActionAllow, "") reachability := NewReachability(allPods, true) @@ -530,23 +533,23 @@ func testCNPAllowNoDefaultIsolation(t *testing.T) { "Port 81", reachability, []metav1.Object{builder.Get()}, - 81, + []int{81}, 0, }, } testCase := []*TestCase{ - {"CNP Allow No Default Isolation", testStep}, + {"ACNP Allow No Default Isolation", testStep}, } executeTests(t, testCase) } -// testCNPDropEgress tests that a CNP is able to drop egress traffic from pods labelled A to namespace Z. -func testCNPDropEgress(t *testing.T) { +// testACNPDropEgress tests that a ACNP is able to drop egress traffic from pods labelled A to namespace Z. +func testACNPDropEgress(t *testing.T) { builder := &ClusterNetworkPolicySpecBuilder{} - builder = builder.SetName("cnp-deny-a-to-z-egress"). + builder = builder.SetName("acnp-deny-a-to-z-egress"). SetPriority(1.0). SetAppliedToGroup(map[string]string{"pod": "a"}, nil, nil, nil) - builder.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, + builder.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"}, nil, nil, nil, secv1alpha1.RuleActionDrop, "") reachability := NewReachability(allPods, true) 
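Review bot: Two renamed doc comments now read "a ACNP": `// testACNPDropEgress tests that a ACNP is able to drop egress traffic from pods labelled A to namespace Z.` in this hunk and `// testBaselineNamespaceIsolation tests that a ACNP in the baseline Tier is able to enforce default namespace isolation,` in the next one; both should say "an ACNP".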
@@ -564,17 +567,17 @@ func testCNPDropEgress(t *testing.T) { "Port 80", reachability, []metav1.Object{builder.Get()}, - 80, + []int{80}, 0, }, } testCase := []*TestCase{ - {"CNP Drop Egress From All Pod:a to NS:z", testStep}, + {"ACNP Drop Egress From All Pod:a to NS:z", testStep}, } executeTests(t, testCase) } -// testBaselineNamespaceIsolation tests that a CNP in the baseline Tier is able to enforce default namespace isolation, +// testBaselineNamespaceIsolation tests that a ACNP in the baseline Tier is able to enforce default namespace isolation, // which can be later overridden by developer K8s NetworkPolicies. func testBaselineNamespaceIsolation(t *testing.T) { builder := &ClusterNetworkPolicySpecBuilder{} @@ -583,11 +586,11 @@ func testBaselineNamespaceIsolation(t *testing.T) { Operator: metav1.LabelSelectorOpNotIn, Values: []string{"x"}, } - builder = builder.SetName("cnp-baseline-isolate-ns-x"). + builder = builder.SetName("acnp-baseline-isolate-ns-x"). SetTier("baseline"). SetPriority(1.0). SetAppliedToGroup(nil, map[string]string{"ns": "x"}, nil, nil) - builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, + builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, &[]metav1.LabelSelectorRequirement{nsExpOtherThanX}, nil, secv1alpha1.RuleActionDrop, "") @@ -623,12 +626,12 @@ func testBaselineNamespaceIsolation(t *testing.T) { "Port 80", reachability, []metav1.Object{builder.Get(), k8sNPBuilder.Get()}, - 80, + []int{80}, 0, }, } testCase := []*TestCase{ - {"CNP baseline tier namespace isolation", testStep}, + {"ACNP baseline tier namespace isolation", testStep}, } executeTests(t, testCase) // Cleanup the K8s NetworkPolicy created for this test. 
@@ -636,58 +639,58 @@ func testBaselineNamespaceIsolation(t *testing.T) { time.Sleep(networkPolicyDelay) } -// testCNPPriorityOverride tests priority overriding in three Policies. Those three Policies are applied in a specific order to +// testACNPPriorityOverride tests priority overriding in three Policies. Those three Policies are applied in a specific order to // test priority reassignment, and each controls a smaller set of traffic patterns as priority increases. -func testCNPPriorityOverride(t *testing.T) { +func testACNPPriorityOverride(t *testing.T) { builder1 := &ClusterNetworkPolicySpecBuilder{} - builder1 = builder1.SetName("cnp-priority1"). + builder1 = builder1.SetName("acnp-priority1"). SetPriority(1.001). SetAppliedToGroup(map[string]string{"pod": "a"}, map[string]string{"ns": "x"}, nil, nil) podZBIP, _ := podIPs["z/b"] cidr := podZBIP + "/32" // Highest priority. Drops traffic from z/b to x/a. - builder1.AddIngress(v1.ProtocolTCP, &p80, nil, &cidr, nil, nil, + builder1.AddIngress(v1.ProtocolTCP, &p80, nil, nil, &cidr, nil, nil, nil, nil, nil, secv1alpha1.RuleActionDrop, "") builder2 := &ClusterNetworkPolicySpecBuilder{} - builder2 = builder2.SetName("cnp-priority2"). + builder2 = builder2.SetName("acnp-priority2"). SetPriority(1.002). SetAppliedToGroup(map[string]string{"pod": "a"}, map[string]string{"ns": "x"}, nil, nil) // Medium priority. Allows traffic from z to x/a. - builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, + builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"}, nil, nil, nil, secv1alpha1.RuleActionAllow, "") builder3 := &ClusterNetworkPolicySpecBuilder{} - builder3 = builder3.SetName("cnp-priority3"). + builder3 = builder3.SetName("acnp-priority3"). SetPriority(1.003). SetAppliedToGroup(nil, map[string]string{"ns": "x"}, nil, nil) // Lowest priority. Drops traffic from z to x. 
- builder3.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, + builder3.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"}, nil, nil, nil, secv1alpha1.RuleActionDrop, "") - reachabilityTwoCNPs := NewReachability(allPods, true) - reachabilityTwoCNPs.Expect(Pod("z/a"), Pod("x/b"), false) - reachabilityTwoCNPs.Expect(Pod("z/a"), Pod("x/c"), false) - reachabilityTwoCNPs.Expect(Pod("z/b"), Pod("x/b"), false) - reachabilityTwoCNPs.Expect(Pod("z/b"), Pod("x/c"), false) - reachabilityTwoCNPs.Expect(Pod("z/c"), Pod("x/b"), false) - reachabilityTwoCNPs.Expect(Pod("z/c"), Pod("x/c"), false) - - reachabilityAllCNPs := NewReachability(allPods, true) - reachabilityAllCNPs.Expect(Pod("z/a"), Pod("x/b"), false) - reachabilityAllCNPs.Expect(Pod("z/a"), Pod("x/c"), false) - reachabilityAllCNPs.Expect(Pod("z/b"), Pod("x/a"), false) - reachabilityAllCNPs.Expect(Pod("z/b"), Pod("x/b"), false) - reachabilityAllCNPs.Expect(Pod("z/b"), Pod("x/c"), false) - reachabilityAllCNPs.Expect(Pod("z/c"), Pod("x/b"), false) - reachabilityAllCNPs.Expect(Pod("z/c"), Pod("x/c"), false) - - testStepTwoCNP := []*TestStep{ + reachabilityTwoACNPs := NewReachability(allPods, true) + reachabilityTwoACNPs.Expect(Pod("z/a"), Pod("x/b"), false) + reachabilityTwoACNPs.Expect(Pod("z/a"), Pod("x/c"), false) + reachabilityTwoACNPs.Expect(Pod("z/b"), Pod("x/b"), false) + reachabilityTwoACNPs.Expect(Pod("z/b"), Pod("x/c"), false) + reachabilityTwoACNPs.Expect(Pod("z/c"), Pod("x/b"), false) + reachabilityTwoACNPs.Expect(Pod("z/c"), Pod("x/c"), false) + + reachabilityAllACNPs := NewReachability(allPods, true) + reachabilityAllACNPs.Expect(Pod("z/a"), Pod("x/b"), false) + reachabilityAllACNPs.Expect(Pod("z/a"), Pod("x/c"), false) + reachabilityAllACNPs.Expect(Pod("z/b"), Pod("x/a"), false) + reachabilityAllACNPs.Expect(Pod("z/b"), Pod("x/b"), false) + reachabilityAllACNPs.Expect(Pod("z/b"), Pod("x/c"), false) + reachabilityAllACNPs.Expect(Pod("z/c"), Pod("x/b"), 
false) + reachabilityAllACNPs.Expect(Pod("z/c"), Pod("x/c"), false) + + testStepTwoACNP := []*TestStep{ { "Two Policies with different priorities", - reachabilityTwoCNPs, + reachabilityTwoACNPs, []metav1.Object{builder3.Get(), builder2.Get()}, - 80, + []int{80}, 0, }, } 
@@ -695,96 +698,96 @@ func testCNPPriorityOverride(t *testing.T) { testStepAll := []*TestStep{ { "All three Policies", - reachabilityAllCNPs, + reachabilityAllACNPs, []metav1.Object{builder3.Get(), builder1.Get(), builder2.Get()}, - 80, + []int{80}, 0, }, } testCase := []*TestCase{ - {"CNP PriorityOverride Intermediate", testStepTwoCNP}, - {"CNP PriorityOverride All", testStepAll}, + {"ACNP PriorityOverride Intermediate", testStepTwoACNP}, + {"ACNP PriorityOverride All", testStepAll}, } executeTests(t, testCase) } -// testCNPTierOverride tests tier priority overriding in three Policies. -// Each CNP controls a smaller set of traffic patterns as tier priority increases. -func testCNPTierOverride(t *testing.T) { +// testACNPTierOverride tests tier priority overriding in three Policies. +// Each ACNP controls a smaller set of traffic patterns as tier priority increases. +func testACNPTierOverride(t *testing.T) { builder1 := &ClusterNetworkPolicySpecBuilder{} - builder1 = builder1.SetName("cnp-tier-emergency"). + builder1 = builder1.SetName("acnp-tier-emergency"). SetTier("emergency"). SetPriority(100). SetAppliedToGroup(map[string]string{"pod": "a"}, map[string]string{"ns": "x"}, nil, nil) podZBIP, _ := podIPs["z/b"] cidr := podZBIP + "/32" // Highest priority tier. Drops traffic from z/b to x/a. - builder1.AddIngress(v1.ProtocolTCP, &p80, nil, &cidr, nil, nil, + builder1.AddIngress(v1.ProtocolTCP, &p80, nil, nil, &cidr, nil, nil, nil, nil, nil, secv1alpha1.RuleActionDrop, "") builder2 := &ClusterNetworkPolicySpecBuilder{} - builder2 = builder2.SetName("cnp-tier-securityops"). + builder2 = builder2.SetName("acnp-tier-securityops"). SetTier("securityops"). SetPriority(10). SetAppliedToGroup(map[string]string{"pod": "a"}, map[string]string{"ns": "x"}, nil, nil) // Medium priority tier. Allows traffic from z to x/a. 
- builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, + builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"}, nil, nil, nil, secv1alpha1.RuleActionAllow, "") builder3 := &ClusterNetworkPolicySpecBuilder{} - builder3 = builder3.SetName("cnp-tier-application"). + builder3 = builder3.SetName("acnp-tier-application"). SetTier("application"). SetPriority(1). SetAppliedToGroup(nil, map[string]string{"ns": "x"}, nil, nil) // Lowest priority tier. Drops traffic from z to x. - builder3.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, + builder3.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"}, nil, nil, nil, secv1alpha1.RuleActionDrop, "") - reachabilityTwoCNPs := NewReachability(allPods, true) - reachabilityTwoCNPs.Expect(Pod("z/a"), Pod("x/b"), false) - reachabilityTwoCNPs.Expect(Pod("z/a"), Pod("x/c"), false) - reachabilityTwoCNPs.Expect(Pod("z/b"), Pod("x/b"), false) - reachabilityTwoCNPs.Expect(Pod("z/b"), Pod("x/c"), false) - reachabilityTwoCNPs.Expect(Pod("z/c"), Pod("x/b"), false) - reachabilityTwoCNPs.Expect(Pod("z/c"), Pod("x/c"), false) - - reachabilityAllCNPs := NewReachability(allPods, true) - reachabilityAllCNPs.Expect(Pod("z/a"), Pod("x/b"), false) - reachabilityAllCNPs.Expect(Pod("z/a"), Pod("x/c"), false) - reachabilityAllCNPs.Expect(Pod("z/b"), Pod("x/a"), false) - reachabilityAllCNPs.Expect(Pod("z/b"), Pod("x/b"), false) - reachabilityAllCNPs.Expect(Pod("z/b"), Pod("x/c"), false) - reachabilityAllCNPs.Expect(Pod("z/c"), Pod("x/b"), false) - reachabilityAllCNPs.Expect(Pod("z/c"), Pod("x/c"), false) - - testStepTwoCNP := []*TestStep{ + reachabilityTwoACNPs := NewReachability(allPods, true) + reachabilityTwoACNPs.Expect(Pod("z/a"), Pod("x/b"), false) + reachabilityTwoACNPs.Expect(Pod("z/a"), Pod("x/c"), false) + reachabilityTwoACNPs.Expect(Pod("z/b"), Pod("x/b"), false) + reachabilityTwoACNPs.Expect(Pod("z/b"), Pod("x/c"), 
false) + reachabilityTwoACNPs.Expect(Pod("z/c"), Pod("x/b"), false) + reachabilityTwoACNPs.Expect(Pod("z/c"), Pod("x/c"), false) + + reachabilityAllACNPs := NewReachability(allPods, true) + reachabilityAllACNPs.Expect(Pod("z/a"), Pod("x/b"), false) + reachabilityAllACNPs.Expect(Pod("z/a"), Pod("x/c"), false) + reachabilityAllACNPs.Expect(Pod("z/b"), Pod("x/a"), false) + reachabilityAllACNPs.Expect(Pod("z/b"), Pod("x/b"), false) + reachabilityAllACNPs.Expect(Pod("z/b"), Pod("x/c"), false) + reachabilityAllACNPs.Expect(Pod("z/c"), Pod("x/b"), false) + reachabilityAllACNPs.Expect(Pod("z/c"), Pod("x/c"), false) + + testStepTwoACNP := []*TestStep{ { "Two Policies in different tiers", - reachabilityTwoCNPs, + reachabilityTwoACNPs, []metav1.Object{builder3.Get(), builder2.Get()}, - 80, + []int{80}, 0, }, } testStepAll := []*TestStep{ { "All three Policies in different tiers", - reachabilityAllCNPs, + reachabilityAllACNPs, []metav1.Object{builder3.Get(), builder1.Get(), builder2.Get()}, - 80, + []int{80}, 0, }, } testCase := []*TestCase{ - {"CNP TierOverride Intermediate", testStepTwoCNP}, - {"CNP TierOverride All", testStepAll}, + {"ACNP TierOverride Intermediate", testStepTwoACNP}, + {"ACNP TierOverride All", testStepAll}, } executeTests(t, testCase) } -// testCNPTierOverride tests tier priority overriding in three Policies with custom created tiers. -// Each CNP controls a smaller set of traffic patterns as tier priority increases. -func testCNPCustomTiers(t *testing.T) { +// testACNPTierOverride tests tier priority overriding in three Policies with custom created tiers. +// Each ACNP controls a smaller set of traffic patterns as tier priority increases. +func testACNPCustomTiers(t *testing.T) { // Create two custom tiers with tier priority immediately next to each other. _, err := k8sUtils.CreateNewTier("high-priority", 245) failOnError(err, t) 
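Review bot: The comment renamed to `// testACNPTierOverride tests tier priority overriding in three Policies with custom created tiers.` sits above `func testACNPCustomTiers`, so the rename preserved a stale name; Go doc comments should start with the function's own name, i.e. `// testACNPCustomTiers tests tier priority overriding in three Policies with custom created tiers.`. The body of testACNPCustomTiers continues past the end of this hunk.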
@@ -792,143 +795,204 @@ func testCNPCustomTiers(t *testing.T) { failOnError(err, t) builder1 := &ClusterNetworkPolicySpecBuilder{} - builder1 = builder1.SetName("cnp-tier-high"). + builder1 = builder1.SetName("acnp-tier-high"). SetTier("high-priority"). SetPriority(100). SetAppliedToGroup(map[string]string{"pod": "a"}, map[string]string{"ns": "x"}, nil, nil) // Medium priority tier. Allows traffic from z to x/a. - builder1.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, + builder1.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"}, nil, nil, nil, secv1alpha1.RuleActionAllow, "") builder2 := &ClusterNetworkPolicySpecBuilder{} - builder2 = builder2.SetName("cnp-tier-low"). + builder2 = builder2.SetName("acnp-tier-low"). SetTier("low-priority"). SetPriority(1). SetAppliedToGroup(nil, map[string]string{"ns": "x"}, nil, nil) // Lowest priority tier. Drops traffic from z to x. - builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, + builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"}, nil, nil, nil, secv1alpha1.RuleActionDrop, "") - reachabilityTwoCNPs := NewReachability(allPods, true) - reachabilityTwoCNPs.Expect(Pod("z/a"), Pod("x/b"), false) - reachabilityTwoCNPs.Expect(Pod("z/a"), Pod("x/c"), false) - reachabilityTwoCNPs.Expect(Pod("z/b"), Pod("x/b"), false) - reachabilityTwoCNPs.Expect(Pod("z/b"), Pod("x/c"), false) - reachabilityTwoCNPs.Expect(Pod("z/c"), Pod("x/b"), false) - reachabilityTwoCNPs.Expect(Pod("z/c"), Pod("x/c"), false) - testStepTwoCNP := []*TestStep{ + reachabilityTwoACNPs := NewReachability(allPods, true) + reachabilityTwoACNPs.Expect(Pod("z/a"), Pod("x/b"), false) + reachabilityTwoACNPs.Expect(Pod("z/a"), Pod("x/c"), false) + reachabilityTwoACNPs.Expect(Pod("z/b"), Pod("x/b"), false) + reachabilityTwoACNPs.Expect(Pod("z/b"), Pod("x/c"), false) + reachabilityTwoACNPs.Expect(Pod("z/c"), Pod("x/b"), false) + 
reachabilityTwoACNPs.Expect(Pod("z/c"), Pod("x/c"), false) + testStepTwoACNP := []*TestStep{ { "Two Policies in different tiers", - reachabilityTwoCNPs, + reachabilityTwoACNPs, []metav1.Object{builder2.Get(), builder1.Get()}, - 80, + []int{80}, 0, }, } testCase := []*TestCase{ - {"CNP Custom Tier priority", testStepTwoCNP}, + {"ACNP Custom Tier priority", testStepTwoACNP}, } executeTests(t, testCase) - // Cleanup customed tiers. CNPs created in those tiers need to be deleted first. - failOnError(k8sUtils.CleanCNPs(), t) + // Cleanup customed tiers. ACNPs created in those tiers need to be deleted first. + failOnError(k8sUtils.CleanACNPs(), t) time.Sleep(networkPolicyDelay) failOnError(k8sUtils.DeleteTier("high-priority"), t) failOnError(k8sUtils.DeleteTier("low-priority"), t) } -// testCNPPriorityConflictingRule tests that if there are two Policies in the cluster with rules that conflicts with -// each other, the CNP with higher priority will prevail. -func testCNPPriorityConflictingRule(t *testing.T) { +// testACNPPriorityConflictingRule tests that if there are two Policies in the cluster with rules that conflicts with +// each other, the ACNP with higher priority will prevail. +func testACNPPriorityConflictingRule(t *testing.T) { builder1 := &ClusterNetworkPolicySpecBuilder{} - builder1 = builder1.SetName("cnp-drop"). + builder1 = builder1.SetName("acnp-drop"). SetPriority(1). SetAppliedToGroup(nil, map[string]string{"ns": "x"}, nil, nil) - builder1.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, + builder1.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"}, nil, nil, nil, secv1alpha1.RuleActionDrop, "") builder2 := &ClusterNetworkPolicySpecBuilder{} - builder2 = builder2.SetName("cnp-allow"). + builder2 = builder2.SetName("acnp-allow"). SetPriority(2). 
SetAppliedToGroup(nil, map[string]string{"ns": "x"}, nil, nil) // The following ingress rule will take no effect as it is exactly the same as ingress rule of cnp-drop, // but cnp-allow has lower priority. - builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, + builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"}, nil, nil, nil, secv1alpha1.RuleActionAllow, "") - reachabilityBothCNP := NewReachability(allPods, true) - reachabilityBothCNP.Expect(Pod("z/a"), Pod("x/a"), false) - reachabilityBothCNP.Expect(Pod("z/a"), Pod("x/b"), false) - reachabilityBothCNP.Expect(Pod("z/a"), Pod("x/c"), false) - reachabilityBothCNP.Expect(Pod("z/b"), Pod("x/a"), false) - reachabilityBothCNP.Expect(Pod("z/b"), Pod("x/b"), false) - reachabilityBothCNP.Expect(Pod("z/b"), Pod("x/c"), false) - reachabilityBothCNP.Expect(Pod("z/c"), Pod("x/a"), false) - reachabilityBothCNP.Expect(Pod("z/c"), Pod("x/b"), false) - reachabilityBothCNP.Expect(Pod("z/c"), Pod("x/c"), false) + reachabilityBothACNP := NewReachability(allPods, true) + reachabilityBothACNP.Expect(Pod("z/a"), Pod("x/a"), false) + reachabilityBothACNP.Expect(Pod("z/a"), Pod("x/b"), false) + reachabilityBothACNP.Expect(Pod("z/a"), Pod("x/c"), false) + reachabilityBothACNP.Expect(Pod("z/b"), Pod("x/a"), false) + reachabilityBothACNP.Expect(Pod("z/b"), Pod("x/b"), false) + reachabilityBothACNP.Expect(Pod("z/b"), Pod("x/c"), false) + reachabilityBothACNP.Expect(Pod("z/c"), Pod("x/a"), false) + reachabilityBothACNP.Expect(Pod("z/c"), Pod("x/b"), false) + reachabilityBothACNP.Expect(Pod("z/c"), Pod("x/c"), false) testStep := []*TestStep{ { - "Both CNP", - reachabilityBothCNP, + "Both ACNP", + reachabilityBothACNP, []metav1.Object{builder1.Get(), builder2.Get()}, - 80, + []int{80}, 0, }, } testCase := []*TestCase{ - {"CNP Priority Conflicting Rule", testStep}, + {"ACNP Priority Conflicting Rule", testStep}, } executeTests(t, testCase) } -// 
testCNPPriorityConflictingRule tests that if there are two rules in the cluster that conflicts with +// testACNPPriorityConflictingRule tests that if there are two rules in the cluster that conflicts with // each other, the rule with higher precedence will prevail. -func testCNPRulePrioirty(t *testing.T) { +func testACNPRulePrioirty(t *testing.T) { builder1 := &ClusterNetworkPolicySpecBuilder{} - // cnp-deny will apply to all pods in namespace x - builder1 = builder1.SetName("cnp-deny"). + // acnp-deny will apply to all pods in namespace x + builder1 = builder1.SetName("acnp-deny"). SetPriority(5). SetAppliedToGroup(nil, map[string]string{"ns": "x"}, nil, nil) - builder1.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "y"}, + builder1.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "y"}, nil, nil, nil, secv1alpha1.RuleActionDrop, "") // This rule should take no effect as it will be overridden by the first rule of cnp-allow - builder1.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, + builder1.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"}, nil, nil, nil, secv1alpha1.RuleActionDrop, "") builder2 := &ClusterNetworkPolicySpecBuilder{} - // cnp-allow will also apply to all pods in namespace x - builder2 = builder2.SetName("cnp-allow"). + // acnp-allow will also apply to all pods in namespace x + builder2 = builder2.SetName("acnp-allow"). SetPriority(5). 
SetAppliedToGroup(nil, map[string]string{"ns": "x"}, nil, nil) - builder2.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, + builder2.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"}, nil, nil, nil, secv1alpha1.RuleActionAllow, "") // This rule should take no effect as it will be overridden by the first rule of cnp-drop - builder2.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "y"}, + builder2.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "y"}, nil, nil, nil, secv1alpha1.RuleActionAllow, "") // Only egress from pods in namespace x to namespace y should be denied - reachabilityBothCNP := NewReachability(allPods, true) - reachabilityBothCNP.Expect(Pod("x/a"), Pod("y/a"), false) - reachabilityBothCNP.Expect(Pod("x/b"), Pod("y/a"), false) - reachabilityBothCNP.Expect(Pod("x/c"), Pod("y/a"), false) - reachabilityBothCNP.Expect(Pod("x/a"), Pod("y/b"), false) - reachabilityBothCNP.Expect(Pod("x/b"), Pod("y/b"), false) - reachabilityBothCNP.Expect(Pod("x/c"), Pod("y/b"), false) - reachabilityBothCNP.Expect(Pod("x/a"), Pod("y/c"), false) - reachabilityBothCNP.Expect(Pod("x/b"), Pod("y/c"), false) - reachabilityBothCNP.Expect(Pod("x/c"), Pod("y/c"), false) + reachabilityBothACNP := NewReachability(allPods, true) + reachabilityBothACNP.Expect(Pod("x/a"), Pod("y/a"), false) + reachabilityBothACNP.Expect(Pod("x/b"), Pod("y/a"), false) + reachabilityBothACNP.Expect(Pod("x/c"), Pod("y/a"), false) + reachabilityBothACNP.Expect(Pod("x/a"), Pod("y/b"), false) + reachabilityBothACNP.Expect(Pod("x/b"), Pod("y/b"), false) + reachabilityBothACNP.Expect(Pod("x/c"), Pod("y/b"), false) + reachabilityBothACNP.Expect(Pod("x/a"), Pod("y/c"), false) + reachabilityBothACNP.Expect(Pod("x/b"), Pod("y/c"), false) + reachabilityBothACNP.Expect(Pod("x/c"), Pod("y/c"), false) testStep := []*TestStep{ { - "Both CNP", - reachabilityBothCNP, + "Both ACNP", + reachabilityBothACNP, 
[]metav1.Object{builder2.Get(), builder1.Get()}, - 80, + []int{80}, 0, }, } testCase := []*TestCase{ - {"CNP Rule Priority", testStep}, + {"ACNP Rule Priority", testStep}, + } + executeTests(t, testCase) +} + +// testACNPPortRange tests the port range in a ACNP can work. +func testACNPPortRange(t *testing.T) { + builder := &ClusterNetworkPolicySpecBuilder{} + builder = builder.SetName("acnp-deny-a-to-z-egress-port-range"). + SetPriority(1.0). + SetAppliedToGroup(map[string]string{"pod": "a"}, nil, nil, nil) + builder.AddEgress(v1.ProtocolTCP, &p8080, nil, &p8085, nil, nil, map[string]string{"ns": "z"}, + nil, nil, nil, secv1alpha1.RuleActionDrop, "acnp-port-range") + + reachability := NewReachability(allPods, true) + reachability.Expect(Pod("x/a"), Pod("z/a"), false) + reachability.Expect(Pod("x/a"), Pod("z/b"), false) + reachability.Expect(Pod("x/a"), Pod("z/c"), false) + reachability.Expect(Pod("y/a"), Pod("z/a"), false) + reachability.Expect(Pod("y/a"), Pod("z/b"), false) + reachability.Expect(Pod("y/a"), Pod("z/c"), false) + reachability.Expect(Pod("z/a"), Pod("z/b"), false) + reachability.Expect(Pod("z/a"), Pod("z/c"), false) + + var testSteps []*TestStep + testSteps = append(testSteps, &TestStep{ + fmt.Sprintf("ACNP Drop Port 8080:8085"), + reachability, + []metav1.Object{builder.Get()}, + []int{8080, 8081, 8082, 8083, 8084, 8085}, + 0, + }) + + testCase := []*TestCase{ + {"ACNP Drop Egress From All Pod:a to NS:z with a portRange", testSteps}, + } + executeTests(t, testCase) +} + +// testANPPortRange tests the port range in a ANP can work. +func testANPPortRange(t *testing.T) { + builder := &AntreaNetworkPolicySpecBuilder{} + builder = builder.SetName("y", "anp-deny-yb-to-xc-egress-port-range"). + SetPriority(1.0). 
+ SetAppliedToGroup(map[string]string{"pod": "b"}, nil) + builder.AddEgress(v1.ProtocolTCP, &p8080, nil, &p8085, nil, map[string]string{"pod": "c"}, map[string]string{"ns": "x"}, + nil, nil, nil, secv1alpha1.RuleActionDrop, "anp-port-range") + + reachability := NewReachability(allPods, true) + reachability.Expect(Pod("y/b"), Pod("x/c"), false) + + var testSteps []*TestStep + testSteps = append(testSteps, &TestStep{ + fmt.Sprintf("ANP Drop Port 8080:8085"), + reachability, + []metav1.Object{builder.Get()}, + []int{8080, 8081, 8082, 8083, 8084, 8085}, + 0, + }) + + testCase := []*TestCase{ + {"ANP Drop Egreee y/b to x/c with a portRange", testSteps}, } executeTests(t, testCase) } @@ -941,7 +1005,7 @@ func testANPBasic(t *testing.T) { builder = builder.SetName("y", "np1"). SetPriority(1.0). SetAppliedToGroup(map[string]string{"pod": "a"}, nil) - builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, + builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, nil, nil, nil, secv1alpha1.RuleActionDrop, "") reachability := NewReachability(allPods, true) @@ -951,7 +1015,7 @@ func testANPBasic(t *testing.T) { "Port 80", reachability, []metav1.Object{builder.Get()}, - 80, + []int{80}, 0, }, } @@ -966,7 +1030,7 @@ func testANPBasic(t *testing.T) { "Port 80", reachability, []metav1.Object{builder.Get(), k8sNPBuilder.Get()}, - 80, + []int{80}, 0, }, } 
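Review bot: testACNPPortRange and testANPPortRange only assert that ports 8080–8085 are dropped; neither adds a step probing a port outside the range, so an over-broad port/mask expansion of 8080:8085 on the agent side (the transformation this commit introduces) would pass unnoticed. A second TestStep with the same policy, `[]int{80, 81}` (both already served by every test pod) and an all-true reachability would pin the range boundary. The step label `fmt.Sprintf("ACNP Drop Port 8080:8085")` contains no format directives and can be the plain literal `"ACNP Drop Port 8080:8085"` (same in testANPPortRange), and the case name `"ANP Drop Egreee y/b to x/c with a portRange"` misspells Egress. Since `&p8080` fills `port *int` while `&p8085` fills `endPort *int32`, the two package-level variables presumably have different types; a comment where they are declared (outside this hunk) would spare the next reader that surprise.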
@@ -980,18 +1044,18 @@ func testANPBasic(t *testing.T) { // testAuditLoggingBasic tests that a audit log is generated when egress drop applied func testAuditLoggingBasic(t *testing.T, data *TestData) { builder := &ClusterNetworkPolicySpecBuilder{} - builder = builder.SetName("test-log-cnp-deny"). + builder = builder.SetName("test-log-acnp-deny"). SetPriority(1.0). SetAppliedToGroup(map[string]string{"pod": "a"}, map[string]string{"ns": "x"}, nil, nil) - builder.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"ns": "z"}, + builder.AddEgress(v1.ProtocolTCP, &p80, nil, nil, nil, nil, map[string]string{"ns": "z"}, nil, nil, nil, secv1alpha1.RuleActionDrop, "") builder.AddEgressLogging() - _, err := k8sUtils.CreateOrUpdateCNP(builder.Get()) + _, err := k8sUtils.CreateOrUpdateACNP(builder.Get()) failOnError(err, t) time.Sleep(networkPolicyDelay) - // generate some traffic that will be dropped by test-log-cnp-deny + // generate some traffic that will be dropped by test-log-acnp-deny k8sUtils.Probe("x", "a", "z", "a", p80) k8sUtils.Probe("x", "a", "z", "b", p80) k8sUtils.Probe("x", "a", "z", "c", p80) @@ -1009,7 +1073,7 @@ func testAuditLoggingBasic(t *testing.T, data *TestData) { if err != nil || stderr != "" { t.Errorf("error occurred when inspecting the audit log file. err: %v, stderr: %v", err, stderr) } - assert.Equalf(t, true, strings.Contains(stdout, "test-log-cnp-deny"), "audit log does not contain entries for test-log-cnp-deny") + assert.Equalf(t, true, strings.Contains(stdout, "test-log-acnp-deny"), "audit log does not contain entries for test-log-acnp-deny") destinations := []string{"z/a", "z/b", "z/c"} srcIP, _ := podIPs["x/a"] 
@@ -1019,7 +1083,7 @@ func testAuditLoggingBasic(t *testing.T, data *TestData) { pattern := `Drop [0-9]+ SRC: ` + srcIP + ` DEST: ` + dstIP assert.Regexp(t, pattern, stdout, "audit log does not contain expected entry for x/a to %s", d) } - failOnError(k8sUtils.CleanCNPs(), t) + failOnError(k8sUtils.CleanACNPs(), t) } func testAppliedToPerRule(t *testing.T) { @@ -1027,9 +1091,9 @@ func testAppliedToPerRule(t *testing.T) { builder = builder.SetName("y", "np1").SetPriority(1.0) anpATGrp1 := ANPRuleAppliedToSpec{PodSelector: map[string]string{"pod": "a"}, PodSelectorMatchExp: nil} anpATGrp2 := ANPRuleAppliedToSpec{PodSelector: map[string]string{"pod": "b"}, PodSelectorMatchExp: nil} - builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, + builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, nil, nil, []ANPRuleAppliedToSpec{anpATGrp1}, secv1alpha1.RuleActionDrop, "") - builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "z"}, + builder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "z"}, nil, nil, []ANPRuleAppliedToSpec{anpATGrp2}, secv1alpha1.RuleActionDrop, "") reachability := NewReachability(allPods, true) @@ -1040,7 +1104,7 @@ func testAppliedToPerRule(t *testing.T) { "Port 80", reachability, []metav1.Object{builder.Get()}, - 80, + []int{80}, 0, }, } 
@@ -1051,9 +1115,9 @@ func testAppliedToPerRule(t *testing.T) { cnpATGrp2 := ACNPRuleAppliedToSpec{ PodSelector: map[string]string{"pod": "b"}, NSSelector: map[string]string{"ns": "y"}, PodSelectorMatchExp: nil, NSSelectorMatchExp: nil} - builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, + builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, nil, nil, []ACNPRuleAppliedToSpec{cnpATGrp1}, secv1alpha1.RuleActionDrop, "") - builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "z"}, + builder2.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "z"}, nil, nil, []ACNPRuleAppliedToSpec{cnpATGrp2}, secv1alpha1.RuleActionDrop, "") reachability2 := NewReachability(allPods, true) @@ -1066,7 +1130,7 @@ func testAppliedToPerRule(t *testing.T) { "Port 80", reachability2, []metav1.Object{builder2.Get()}, - 80, + []int{80}, 0, }, } @@ -1083,7 +1147,7 @@ func executeTests(t *testing.T, testList []*TestCase) { for _, testCase := range testList { log.Infof("running test case %s", testCase.Name) log.Debugf("cleaning-up previous policies and sleeping for %v", networkPolicyDelay) - failOnError(k8sUtils.CleanCNPs(), t) + failOnError(k8sUtils.CleanACNPs(), t) failOnError(k8sUtils.CleanANPs(namespaces), t) time.Sleep(networkPolicyDelay) for _, step := range testCase.Steps { @@ -1091,7 +1155,9 @@ func executeTests(t *testing.T, testList []*TestCase) { applyPolicies(t, step) reachability := step.Reachability start := time.Now() - k8sUtils.Validate(allPods, reachability, step.Port) + for _, port := range step.Port { + k8sUtils.Validate(allPods, reachability, port) + } step.Duration = time.Now().Sub(start) reachability.PrintSummary(true, true, true) 
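Review bot: The new per-port loop in executeTests runs Validate for every port in step.Port against the same reachability object, so if Validate records observed results into it — which the `reachability.Summary()` pattern in waitForHTTPServers suggests — each port's run overwrites the previous one and the PrintSummary and verdict after the loop reflect only the last port. For the port-range steps that would mean a rule dropping only 8085 still passes while 8080–8084 go unchecked. Reading `Summary()` inside the loop and failing on the first port with a non-zero wrong count, or building a fresh reachability per port, would make every port in the range count. executeTests begins and ends outside the hunk.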
@@ -1106,9 +1172,9 @@ func executeTests(t *testing.T, testList []*TestCase) { func applyPolicies(t *testing.T, step *TestStep) { for _, np := range step.Policies { - if cnp, ok := np.(*secv1alpha1.ClusterNetworkPolicy); ok { - log.Debugf("creating CNP %v", cnp.Name) - _, err := k8sUtils.CreateOrUpdateCNP(cnp) + if acnp, ok := np.(*secv1alpha1.ClusterNetworkPolicy); ok { + log.Debugf("creating ACNP %v", acnp.Name) + _, err := k8sUtils.CreateOrUpdateACNP(acnp) failOnError(err, t) } else if anp, ok := np.(*secv1alpha1.NetworkPolicy); ok { log.Debugf("creating ANP %v in namespace %v", anp.Name, anp.Namespace) 
@@ -1192,24 +1258,27 @@ func TestAntreaPolicy(t *testing.T) { t.Run("TestGroupDefaultDENY", func(t *testing.T) { // testcases below require default deny k8s NetworkPolicies to work applyDefaultDenyToAllNamespaces(k8sUtils, namespaces) - t.Run("Case=CNPAllowXBtoA", func(t *testing.T) { testCNPAllowXBtoA(t) }) - t.Run("Case=CNPAllowXBtoYA", func(t *testing.T) { testCNPAllowXBtoYA(t) }) - t.Run("Case=CNPPriorityOverrideDefaultDeny", func(t *testing.T) { testCNPPriorityOverrideDefaultDeny(t) }) + t.Run("Case=ACNPAllowXBtoA", func(t *testing.T) { testACNPAllowXBtoA(t) }) + t.Run("Case=ACNPAllowXBtoYA", func(t *testing.T) { testACNPAllowXBtoYA(t) }) + t.Run("Case=ACNPPriorityOverrideDefaultDeny", func(t *testing.T) { testACNPPriorityOverrideDefaultDeny(t) }) cleanupDefaultDenyNPs(k8sUtils, namespaces) }) t.Run("TestGroupNoK8sNP", func(t *testing.T) { // testcases below do not depend on underlying k8s NetworkPolicies - t.Run("Case=CNPAllowNoDefaultIsolation", func(t *testing.T) { testCNPAllowNoDefaultIsolation(t) }) - t.Run("Case=CNPDropEgress", func(t *testing.T) { testCNPDropEgress(t) }) - t.Run("Case=CNPBaselinePolicy", func(t *testing.T) { testBaselineNamespaceIsolation(t) }) - t.Run("Case=CNPPrioirtyOverride", func(t *testing.T) { testCNPPriorityOverride(t) }) - t.Run("Case=CNPTierOverride", func(t *testing.T) { testCNPTierOverride(t) }) - t.Run("Case=CNPCustomTiers", func(t *testing.T) { testCNPCustomTiers(t) }) - t.Run("Case=CNPPriorityConflictingRule", func(t *testing.T) { testCNPPriorityConflictingRule(t) }) - t.Run("Case=CNPRulePriority", func(t *testing.T) { testCNPRulePrioirty(t) }) + t.Run("Case=ACNPAllowNoDefaultIsolation", func(t *testing.T) { testACNPAllowNoDefaultIsolation(t) }) + t.Run("Case=ACNPDropEgress", func(t *testing.T) { testACNPDropEgress(t) }) + t.Run("Case=ACNPPortRange", func(t *testing.T) { testACNPPortRange(t) }) + t.Run("Case=ACNPBaselinePolicy", func(t *testing.T) { testBaselineNamespaceIsolation(t) }) + t.Run("Case=ACNPPrioirtyOverride", 
func(t *testing.T) { testACNPPriorityOverride(t) }) + t.Run("Case=ACNPTierOverride", func(t *testing.T) { testACNPTierOverride(t) }) + t.Run("Case=ACNPCustomTiers", func(t *testing.T) { testACNPCustomTiers(t) }) + t.Run("Case=ACNPPriorityConflictingRule", func(t *testing.T) { testACNPPriorityConflictingRule(t) }) + t.Run("Case=ACNPRulePriority", func(t *testing.T) { testACNPRulePrioirty(t) }) + t.Run("Case=ANPPortRange", func(t *testing.T) { testANPPortRange(t) }) t.Run("Case=ANPBasic", func(t *testing.T) { testANPBasic(t) }) t.Run("Case=AppliedToPerRule", func(t *testing.T) { testAppliedToPerRule(t) }) + }) // print results for reachability tests printResults() @@ -1237,7 +1306,7 @@ func TestAntreaPolicyStatus(t *testing.T) { anpBuilder = anpBuilder.SetName(testNamespace, "anp-applied-to-two-nodes"). SetPriority(1.0). SetAppliedToGroup(map[string]string{"app": "nginx"}, nil) - anpBuilder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, + anpBuilder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, nil, nil, nil, secv1alpha1.RuleActionAllow, "") anp := anpBuilder.Get() log.Debugf("creating ANP %v", anp.Name) 
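Review bot: The renamed subtest label `"Case=ACNPPrioirtyOverride"` and the renamed function `testACNPRulePrioirty` (defined in the hunk above) carry the old "Prioirty" misspelling into the new names. Since every identifier in this block is being renamed anyway, this is the cheapest moment to change them to `"Case=ACNPPriorityOverride"` and `testACNPRulePriority`. Subtest names are what `go test -run` matches on, so the typo is also what anyone selecting this case has to type.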
@@ -1245,17 +1314,17 @@ func TestAntreaPolicyStatus(t *testing.T) { assert.NoError(t, err) defer data.securityClient.NetworkPolicies(anp.Namespace).Delete(context.TODO(), anp.Name, metav1.DeleteOptions{}) - cnpBuilder := &ClusterNetworkPolicySpecBuilder{} - cnpBuilder = cnpBuilder.SetName("cnp-applied-to-two-nodes"). + acnpBuilder := &ClusterNetworkPolicySpecBuilder{} + acnpBuilder = acnpBuilder.SetName("acnp-applied-to-two-nodes"). SetPriority(1.0). SetAppliedToGroup(map[string]string{"app": "nginx"}, nil, nil, nil) - cnpBuilder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, + acnpBuilder.AddIngress(v1.ProtocolTCP, &p80, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": "x"}, nil, nil, nil, secv1alpha1.RuleActionAllow, "") - cnp := cnpBuilder.Get() - log.Debugf("creating CNP %v", cnp.Name) - _, err = data.securityClient.ClusterNetworkPolicies().Create(context.TODO(), cnp, metav1.CreateOptions{}) + acnp := acnpBuilder.Get() + log.Debugf("creating ACNP %v", acnp.Name) + _, err = data.securityClient.ClusterNetworkPolicies().Create(context.TODO(), acnp, metav1.CreateOptions{}) assert.NoError(t, err) - defer data.securityClient.ClusterNetworkPolicies().Delete(context.TODO(), cnp.Name, metav1.DeleteOptions{}) + defer data.securityClient.ClusterNetworkPolicies().Delete(context.TODO(), acnp.Name, metav1.DeleteOptions{}) expectedStatus := secv1alpha1.NetworkPolicyStatus{ Phase: secv1alpha1.NetworkPolicyRealized, @@ -1272,7 +1341,7 @@ func TestAntreaPolicyStatus(t *testing.T) { }) assert.NoError(t, err, "Antrea NetworkPolicy failed to reach expected status") err = wait.Poll(100*time.Millisecond, 3*time.Second, func() (bool, error) { - anp, err := data.securityClient.ClusterNetworkPolicies().Get(context.TODO(), cnp.Name, metav1.GetOptions{}) + anp, err := data.securityClient.ClusterNetworkPolicies().Get(context.TODO(), acnp.Name, metav1.GetOptions{}) if err != nil { return false, err } 
diff --git a/test/e2e/k8s_util.go b/test/e2e/k8s_util.go index 62554380a1b..6fcffbfc87e 100644 --- a/test/e2e/k8s_util.go +++ b/test/e2e/k8s_util.go @@ -185,7 +185,14 @@ func (k *KubernetesUtils) CreateOrUpdateDeployment(ns, deploymentName string, re Spec: v1.PodSpec{ TerminationGracePeriodSeconds: &zero, Containers: []v1.Container{ - makeContainerSpec(80), makeContainerSpec(81), + makeContainerSpec(80), + makeContainerSpec(81), + makeContainerSpec(8080), + makeContainerSpec(8081), + makeContainerSpec(8082), + makeContainerSpec(8083), + makeContainerSpec(8084), + makeContainerSpec(8085), }, }, }, @@ -280,8 +287,8 @@ func (k *KubernetesUtils) UpdateTier(tier *secv1alpha1.Tier) (*secv1alpha1.Tier, return updatedTier, err } -// CleanCNPs is a convenience function for deleting AntreaClusterNetworkPolicies before startup of any new test. -func (k *KubernetesUtils) CleanCNPs() error { +// CleanACNPs is a convenience function for deleting AntreaClusterNetworkPolicies before startup of any new test. +func (k *KubernetesUtils) CleanACNPs() error { l, err := k.securityClient.ClusterNetworkPolicies().List(context.TODO(), metav1.ListOptions{}) if err != nil { return errors.Wrapf(err, "unable to list AntreaClusterNetworkPolicies") @@ -296,8 +303,8 @@ func (k *KubernetesUtils) CleanCNPs() error { return nil } -// CreateOrUpdateCNP is a convenience function for updating/creating AntreaClusterNetworkPolicies. -func (k *KubernetesUtils) CreateOrUpdateCNP(cnp *secv1alpha1.ClusterNetworkPolicy) (*secv1alpha1.ClusterNetworkPolicy, error) { +// CreateOrUpdateACNP is a convenience function for updating/creating AntreaClusterNetworkPolicies. +func (k *KubernetesUtils) CreateOrUpdateACNP(cnp *secv1alpha1.ClusterNetworkPolicy) (*secv1alpha1.ClusterNetworkPolicy, error) { log.Infof("creating/updating ClusterNetworkPolicy %s", cnp.Name) cnpReturned, err := k.securityClient.ClusterNetworkPolicies().Get(context.TODO(), cnp.Name, metav1.GetOptions{}) if err != nil { 
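Review bot: The probe ports 8080–8085 are now hard-coded in three unrelated places: the container list here, the `for j := 8080; j < 8086; j++` loop plus the log text in the waitForHTTPServers hunk below, and the `[]int{8080, 8081, 8082, 8083, 8084, 8085}` steps in the port-range tests. A single package-level slice (for example `var httpServerPorts = []int{80, 81, 8080, 8081, 8082, 8083, 8084, 8085}`, constructed name) driving both the container spec and the readiness loop would keep them from drifting. Every test pod now starts eight server containers, which deserves a one-line comment on the container list noting that 8080–8085 exist only for the portRange cases. CreateOrUpdateDeployment begins and ends outside the hunk.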
@@ -333,7 +340,7 @@ func (k *KubernetesUtils) CleanANPs(namespaces []string) error { return nil } -// CreateOrUpdateCNP is a convenience function for updating/creating Antrea NetworkPolicies. +// CreateOrUpdateANP is a convenience function for updating/creating Antrea NetworkPolicies. func (k *KubernetesUtils) CreateOrUpdateANP(anp *secv1alpha1.NetworkPolicy) (*secv1alpha1.NetworkPolicy, error) { log.Infof("creating/updating Antrea NetworkPolicy %s", anp.Name) cnpReturned, err := k.securityClient.NetworkPolicies(anp.Namespace).Get(context.TODO(), anp.Name, metav1.GetOptions{}) @@ -379,12 +386,15 @@ func (k *KubernetesUtils) waitForPodInNamespace(ns string, pod string) (*string, func (k *KubernetesUtils) waitForHTTPServers(allPods []Pod) error { const maxTries = 10 const sleepInterval = 1 * time.Second - log.Infof("waiting for HTTP servers (ports 80 and 81) to become ready") + log.Infof("waiting for HTTP servers (ports 80, 81 and 8080:8085) to become ready") var wrong int for i := 0; i < maxTries; i++ { reachability := NewReachability(allPods, true) k.Validate(allPods, reachability, 80) k.Validate(allPods, reachability, 81) + for j := 8080; j < 8086; j++ { + k.Validate(allPods, reachability, j) + } _, wrong, _ = reachability.Summary() if wrong == 0 { log.Infof("all HTTP servers are ready") @@ -467,7 +477,7 @@ func (k *KubernetesUtils) Bootstrap(namespaces, pods []string) (*map[string]stri } func (k *KubernetesUtils) Cleanup(namespaces []string) error { - if err := k.CleanCNPs(); err != nil { + if err := k.CleanACNPs(); err != nil { return err } for _, ns := range namespaces { diff --git a/test/e2e/utils/anpspecbuilder.go b/test/e2e/utils/anpspecbuilder.go index 24f96ebaafb..a092dd264ad 100644 --- a/test/e2e/utils/anpspecbuilder.go +++ b/test/e2e/utils/anpspecbuilder.go 
@@ -94,7 +94,7 @@ func (b *AntreaNetworkPolicySpecBuilder) SetAppliedToGroup(podSelector map[strin } func (b *AntreaNetworkPolicySpecBuilder) AddIngress(protoc v1.Protocol, - port *int, portName *string, cidr *string, + port *int, portName *string, endPort *int32, cidr *string, podSelector map[string]string, nsSelector map[string]string, podSelectorMatchExp *[]metav1.LabelSelectorRequirement, nsSelectorMatchExp *[]metav1.LabelSelectorRequirement, ruleAppliedToSpecs []ANPRuleAppliedToSpec, action secv1alpha1.RuleAction, name string) *AntreaNetworkPolicySpecBuilder { @@ -154,22 +154,24 @@ func (b *AntreaNetworkPolicySpecBuilder) AddIngress(protoc v1.Protocol, if port != nil && portName != nil { panic("specify portname or port, not both") } - if port != nil { + if portName != nil { ports = []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr.IntOrString{IntVal: int32(*port)}, + Port: &intstr.IntOrString{Type: intstr.String, StrVal: *portName}, Protocol: &protoc, }, } } - if portName != nil { + if port != nil { ports = []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr.IntOrString{Type: intstr.String, StrVal: *portName}, + Port: &intstr.IntOrString{IntVal: int32(*port)}, + EndPort: endPort, Protocol: &protoc, }, } } + newRule := secv1alpha1.Rule{ From: policyPeer, Ports: ports, @@ -182,7 +184,7 @@ func (b *AntreaNetworkPolicySpecBuilder) AddIngress(protoc v1.Protocol, } func (b *AntreaNetworkPolicySpecBuilder) AddEgress(protoc v1.Protocol, - port *int, portName *string, cidr *string, + port *int, portName *string, endPort *int32, cidr *string, podSelector map[string]string, nsSelector map[string]string, podSelectorMatchExp *[]metav1.LabelSelectorRequirement, nsSelectorMatchExp *[]metav1.LabelSelectorRequirement, ruleAppliedToSpecs []ANPRuleAppliedToSpec, action secv1alpha1.RuleAction, name string) *AntreaNetworkPolicySpecBuilder { 
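Review bot: `EndPort: endPort` is attached only in the `port != nil` branch, so a caller that passes a port name together with an endPort silently gets a rule without the range; the existing guard could be extended with `if endPort != nil && port == nil { panic("endPort requires a numeric port") }` next to the portname/port check. The new parameter is `*int32` while `port` stays `*int` (narrowed with `int32(*port)`), which forces callers to keep two differently typed variables for one range; aligning both on `*int32` would be cleaner. No `*endPort >= int32(*port)` check is added, presumably so the builder can still produce invalid specs for validation tests, but a comment stating that would help. The same applies to the ClusterNetworkPolicySpecBuilder.AddIngress hunk in cnpspecbuilder.go below. AddIngress begins outside the hunk.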
@@ -190,7 +192,7 @@ func (b *AntreaNetworkPolicySpecBuilder) AddEgress(protoc v1.Protocol, // For simplicity, we just reuse the Ingress code here. The underlying data model for ingress/egress is identical // With the exception of calling the rule `To` vs. `From`. c := &AntreaNetworkPolicySpecBuilder{} - c.AddIngress(protoc, port, portName, cidr, podSelector, nsSelector, + c.AddIngress(protoc, port, portName, endPort, cidr, podSelector, nsSelector, podSelectorMatchExp, nsSelectorMatchExp, ruleAppliedToSpecs, action, name) theRule := c.Get().Spec.Ingress[0] diff --git a/test/e2e/utils/cnpspecbuilder.go b/test/e2e/utils/cnpspecbuilder.go index badbf9e8178..5d41d8d6acd 100644 --- a/test/e2e/utils/cnpspecbuilder.go +++ b/test/e2e/utils/cnpspecbuilder.go @@ -115,7 +115,7 @@ func (b *ClusterNetworkPolicySpecBuilder) SetAppliedToGroup(podSelector map[stri } func (b *ClusterNetworkPolicySpecBuilder) AddIngress(protoc v1.Protocol, - port *int, portName *string, cidr *string, + port *int, portName *string, endPort *int32, cidr *string, podSelector map[string]string, nsSelector map[string]string, podSelectorMatchExp *[]metav1.LabelSelectorRequirement, nsSelectorMatchExp *[]metav1.LabelSelectorRequirement, ruleAppliedToSpecs []ACNPRuleAppliedToSpec, action secv1alpha1.RuleAction, name string) *ClusterNetworkPolicySpecBuilder { 
@@ -175,22 +175,24 @@ func (b *ClusterNetworkPolicySpecBuilder) AddIngress(protoc v1.Protocol, if port != nil && portName != nil { panic("specify portname or port, not both") } - if port != nil { + if portName != nil { ports = []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr.IntOrString{IntVal: int32(*port)}, + Port: &intstr.IntOrString{Type: intstr.String, StrVal: *portName}, Protocol: &protoc, }, } } - if portName != nil { + if port != nil { ports = []secv1alpha1.NetworkPolicyPort{ { - Port: &intstr.IntOrString{Type: intstr.String, StrVal: *portName}, + Port: &intstr.IntOrString{IntVal: int32(*port)}, + EndPort: endPort, Protocol: &protoc, }, } } + newRule := secv1alpha1.Rule{ From: policyPeer, Ports: ports, @@ -203,7 +205,7 @@ func (b *ClusterNetworkPolicySpecBuilder) AddIngress(protoc v1.Protocol, } func (b *ClusterNetworkPolicySpecBuilder) AddEgress(protoc v1.Protocol, - port *int, portName *string, cidr *string, + port *int, portName *string, endPort *int32, cidr *string, podSelector map[string]string, nsSelector map[string]string, podSelectorMatchExp *[]metav1.LabelSelectorRequirement, nsSelectorMatchExp *[]metav1.LabelSelectorRequirement, ruleAppliedToSpecs []ACNPRuleAppliedToSpec, action secv1alpha1.RuleAction, name string) *ClusterNetworkPolicySpecBuilder { @@ -211,7 +213,7 @@ func (b *ClusterNetworkPolicySpecBuilder) AddEgress(protoc v1.Protocol, // For simplicity, we just reuse the Ingress code here. The underlying data model for ingress/egress is identical // With the exception of calling the rule `To` vs. `From`. c := &ClusterNetworkPolicySpecBuilder{} - c.AddIngress(protoc, port, portName, cidr, podSelector, nsSelector, + c.AddIngress(protoc, port, portName, endPort, cidr, podSelector, nsSelector, podSelectorMatchExp, nsSelectorMatchExp, ruleAppliedToSpecs, action, name) theRule := c.Get().Spec.Ingress[0] 
diff --git a/third_party/networkpolicy/port_range.go b/third_party/networkpolicy/port_range.go
new file mode 100644
index 00000000000..37c6d2b14f3
--- /dev/null
+++ b/third_party/networkpolicy/port_range.go
@@ -0,0 +1,132 @@
+// Copyright 2017 DigitalOcean.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This whole file is from
+// https://github.com/digitalocean/go-openvswitch/blob/master/ovs/portrange.go
+package networkpolicy
+
+import (
+ "errors"
+ "math"
+)
+
+var (
+ // ErrInvalidPortRange is returned when there's a port range that invalid.
+ ErrInvalidPortRange = errors.New("invalid port range")
+)
+
+// An PortRange represents a range of ports expressed in 16 bit integers. The start and
+// end values of this range are inclusive.
+type PortRange struct {
+ Start uint16
+ End uint16
+}
+
+// A BitRange is a representation of a range of values from base value with a bitmask
+// applied.
+type BitRange struct {
+ Value uint16
+ Mask uint16
+}
+
+// BitwiseMatch returns an array of BitRanges that represent the range of integers
+// in the PortRange.
+func (r *PortRange) BitwiseMatch() ([]BitRange, error) {
+ if r.Start <= 0 || r.End <= 0 {
+ return nil, ErrInvalidPortRange
+ }
+ if r.Start > r.End {
+ return nil, ErrInvalidPortRange
+ }
+
+ if r.Start == r.End {
+ return []BitRange{
+ {Value: r.Start, Mask: 0xffff},
+ }, nil
+ }
+
+ bitRanges := []BitRange{}
+
+ // Find the largest window we can get on a binary boundary
+ window := (r.End - r.Start) + 1
+ bitLength := uint(math.Floor(math.Log2(float64(window))))
+
+ rangeStart, rangeEnd := getRange(r.End, bitLength)
+
+ // Decrement our mask until we fit inside the range we want from a binary boundary.
+ for rangeEnd > r.End {
+ bitLength--
+ rangeStart, rangeEnd = getRange(r.End, bitLength)
+ }
+
+ current := BitRange{
+ Value: rangeStart,
+ Mask: getMask(bitLength),
+ }
+
+ // The range we picked out was from the middle of our set, so we'll need to recurse on
+ // the remaining values for anything less than or greater than the current
+ // range.
+
+ if r.Start != rangeStart {
+ leftRemainder := PortRange{
+ Start: r.Start,
+ End: rangeStart - 1,
+ }
+
+ leftRemainingBitRanges, err := leftRemainder.BitwiseMatch()
+ if err != nil {
+ return nil, err
+ }
+
+ bitRanges = append(bitRanges, leftRemainingBitRanges...)
+ }
+
+ // We append our current range here, so we're ordered properly.
+ bitRanges = append(bitRanges, current)
+
+ if r.End != rangeEnd {
+ rightRemainder := PortRange{
+ Start: rangeEnd + 1,
+ End: r.End,
+ }
+
+ rightRemainingBitRanges, err := rightRemainder.BitwiseMatch()
+ if err != nil {
+ return nil, err
+ }
+
+ bitRanges = append(bitRanges, rightRemainingBitRanges...)
+ }
+
+ return bitRanges, nil
+}
+
+func getMask(bitLength uint) uint16 {
+ // All 1s for everything that doesn't change in the range
+ return math.MaxUint16 ^ uint16((1<