K8s Network policy Support

g1rana commented 6 years ago

Description of the changes

This is feature commit to support K8s Network Policy at contiv. Using feature, Contiv will support K8s Ingress Network Policy however egress policy support comes in future code commit

Type of fix: New feature

Fixes #1089

Please describe:

changes made in the Pull request
type of testing done (both manual and automated)
Manual Testing : = Create k8s Network Policy without configuring Pods cat network-policy.yaml kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: access-nginx spec: podSelector: matchLabels: app: nginx ingress:
- from:
- podSelector: matchLabels: app: myapp

kubectl get netpol

NAME POD-SELECTOR AGE access-nginx app=nginx 6m

Contiv system after k8s policy: netctl group ls Tenant Group Network IP Pool CfgdTag Policies Network profile

default default default-net default default-group default-net ingress-policy,access-nginx
Bringup Ingress policy Pod and Src Pods :kubectl create -f nginx-deployment.yaml : kubectl create -f apod.yaml

kubectl get pods -o wide NAME READY STATUS RESTARTS AGE IP NODE apod 1/1 Running 0 2m 10.233.64.8 k8s1 nginx-deployment-431080787-6b6zh 1/1 Running 0 2m 10.233.64.7 k8s1 nginx-deployment-431080787-9d949 1/1 Running 0 2m 10.233.64.6 k8s1

netctl policy rule-ls access-nginx Incoming Rules: Rule Priority From EndpointGroup From Network From IpAddress TO IpAddress Protocol Port Action

access-nginx-10.233.64.6-10.233.64.8 2 10.233.64.8 10.233.64.6 0 allow access-nginx-10.233.64.7-10.233.64.8 2 10.233.64.8 10.233.64.7 0 allow Outgoing Rules: Rule Priority To EndpointGroup To Network To IpAddress Protocol Port Action

====

[x] Tests = Only for Ingress K8s Network policy
1. Create Network Policy resource before configuring any policy pods configuration ;
  - Result : make sure K8s policy object created in K8s and contiv system
2. Create Network policy after configuring Policy Pods without policy Label .
  - Result : make sure only K8s policy object create but no policy configured in contiv system
3. Create Network Policy after configuring Policy Pods with policy Label .
  - Result : Make sure K8s Policy object and its policy get programmed in Contiv system verify it by "nlicyetctl policy rule-ls
4. Add more Pods In existing policy on Ingress policy Src side .
  - Result : More Policy rules should be added in contiv system
5. Add more Pods in existing policy on Policy . destination side.
Result : more policy rules should show up in contiv system
1. Repeat test-4 and 5 by with Pod deletio operation
2. delete network-policy
  - Result: Policy object should be deleted from both K8s and contiv system
3. Update Policy Pod information in existing Policy . -Result : Make sure update policy rules programmed in contiv system
[ ] Documentation

g1rana commented 6 years ago

@eng-contiv

lihezhong93 commented 6 years ago

After creating EPG, are the spec pods updated to belong to this EPG? If not,will the flow table of ovs install this policy?

contiv / netplugin