Skip to content

Add Except for Antrea-native ipBlock#6658

Merged
antoninbas merged 2 commits into
antrea-io:mainfrom
Dyanngg:add-ipblock-except-antrea
Oct 9, 2024
Merged

Add Except for Antrea-native ipBlock#6658
antoninbas merged 2 commits into
antrea-io:mainfrom
Dyanngg:add-ipblock-except-antrea

Conversation

@Dyanngg
Copy link
Copy Markdown
Contributor

@Dyanngg Dyanngg commented Sep 9, 2024
edited
Loading

Fixes #6428

This PR adds an "except" field for all ipBlocks in Antrea-native policies and groups. Users can exclude certain CIDRs from the ipBlock.cidr in all resources that support ipBlocks, including AntreaClusterNetworkPolicy, AntreaNetworkPolicy, ClusterGroup and Group. Group membership and IP association query logic are also updated to accommodate this change. Documentation will follow in a separate PR.

@Dyanngg Dyanngg force-pushed the add-ipblock-except-antrea branch 4 times, most recently from c840536 to cd59fed Compare September 10, 2024 02:28
@Dyanngg Dyanngg changed the title [WIP] Add Except for Antrea-native policy ipBlock Add Except for Antrea-native ipBlock Sep 11, 2024
@Dyanngg Dyanngg force-pushed the add-ipblock-except-antrea branch 2 times, most recently from cc5df40 to 1153d8c Compare September 11, 2024 18:18
@Dyanngg Dyanngg added this to the Antrea v2.2 release milestone Sep 11, 2024
@Dyanngg Dyanngg added the area/network-policy Issues or PRs related to network policies. label Sep 11, 2024
antoninbas
antoninbas reviewed Sep 11, 2024
View reviewed changes
Comment thread pkg/controller/networkpolicy/clustergroup.go
Comment thread pkg/controller/networkpolicy/clustergroup.go
@Dyanngg Dyanngg force-pushed the add-ipblock-except-antrea branch from 1153d8c to 413edae Compare September 12, 2024 17:51
@Dyanngg Dyanngg mentioned this pull request Sep 17, 2024
Merged
@antoninbas antoninbas added action/release-note Indicates a PR that should be included in release notes. kind/feature Categorizes issue or PR as related to a new feature. labels Sep 23, 2024
antoninbas
antoninbas reviewed Sep 23, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@antoninbas antoninbas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a few minor comments, functionality wise it seems fine to me

hopefully @tnqn and @qiyueyao have time to take a quick look as well

Comment thread pkg/controller/networkpolicy/clustergroup.go
Comment thread pkg/controller/networkpolicy/crd_utils.go
Comment thread pkg/controller/networkpolicy/clustergroup_test.go
Comment thread pkg/controller/networkpolicy/validate.go
Comment on lines +759 to +761
if ipb.CIDR == "" {
return "field 'cidr' is required in an ipBlock", false
}
Copy link
Copy Markdown
Contributor

@antoninbas antoninbas Sep 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can keep this, but I assume this is guaranteed by the OpenAPI spec?

Copy link
Copy Markdown
Contributor Author

@Dyanngg Dyanngg Sep 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes it should already be guaranteed by openAPI, just trying to keep it on par with https://github.com/kubernetes/kubernetes/blob/master/pkg/apis/networking/validation/validation.go#L219

Comment thread pkg/controller/networkpolicy/validate_test.go
Comment thread test/e2e/antreapolicy_test.go Outdated
Comment thread test/e2e/antreapolicy_test.go Outdated
Comment thread test/e2e/antreapolicy_test.go Outdated
Comment thread test/e2e/antreapolicy_test.go Outdated
Comment thread test/e2e/antreapolicy_test.go Outdated
@Dyanngg
Add Except for Antrea-native policy ipBlock
4ee3365 
Signed-off-by: Dyanngg <dingyang@vmware.com>
@Dyanngg
Address comments
1a0c157 
Signed-off-by: Dyanngg <dingyang@vmware.com>
@Dyanngg Dyanngg force-pushed the add-ipblock-except-antrea branch from 413edae to 1a0c157 Compare September 26, 2024 17:15
@Dyanngg Dyanngg requested a review from antoninbas September 26, 2024 17:20
antoninbas
antoninbas approved these changes Sep 26, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@antoninbas antoninbas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

tnqn
tnqn reviewed Sep 27, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@tnqn tnqn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just one question

Comment thread pkg/controller/networkpolicy/validate.go
Comment on lines +1078 to +1080
if multicast && unicast {
return "can not set multicast groupAddress together with unicast ip address", false
}
Copy link
Copy Markdown
Member

@tnqn tnqn Sep 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will multicast NetworkPolicy support the except field?

Copy link
Copy Markdown
Contributor Author

@Dyanngg Dyanngg Sep 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is obviously not supported for IGMP rules since the addresses you would specify in the protocol is not a CIDR to begin with. In terms of "dropping udp egress to a multicast CIDR", I would say yes, since the CIDR subtraction logic will be the same for regular and multicast IP addresses

@Dyanngg
Copy link
Copy Markdown
Contributor Author

Dyanngg commented Sep 27, 2024

/test-all

@antoninbas
Copy link
Copy Markdown
Contributor

antoninbas commented Oct 7, 2024

/test-conformance

@Dyanngg
Copy link
Copy Markdown
Contributor Author

Dyanngg commented Oct 8, 2024

/test-networkpolicy /test-e2e /test-all-features-conformance

@Dyanngg
Copy link
Copy Markdown
Contributor Author

Dyanngg commented Oct 9, 2024

/test-conformance

@antoninbas
Copy link
Copy Markdown
Contributor

antoninbas commented Oct 9, 2024

/test-kind-e2e

@antoninbas
Copy link
Copy Markdown
Contributor

antoninbas commented Oct 9, 2024

antrea-kind-e2e-for-pull-request is broken at the moment (nothing to do with this PR)

@antoninbas antoninbas merged commit d9e37f7 into antrea-io:main Oct 9, 2024
hangyan pushed a commit to hangyan/antrea that referenced this pull request Oct 29, 2024
@Dyanngg @hangyan
Add Except for Antrea-native ipBlock (antrea-io#6658)
0d094a5 
Fixes antrea-io#6428

This PR adds an "except" field for all ipBlocks in Antrea-native
policies and groups. Users can exclude certain CIDRs from the
ipBlock.cidr in all resources that support ipBlocks, including
AntreaClusterNetworkPolicy, AntreaNetworkPolicy, ClusterGroup and
Group. Group membership and IP association query logic are also updated
to accommodate this change. Documentation will follow in a separate PR.

Signed-off-by: Dyanngg <dingyang@vmware.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@antoninbas antoninbas antoninbas approved these changes

@tnqn tnqn tnqn approved these changes

@qiyueyao qiyueyao Awaiting requested review from qiyueyao

Assignees

No one assigned

Labels

action/release-note Indicates a PR that should be included in release notes. area/network-policy Issues or PRs related to network policies. kind/feature Categorizes issue or PR as related to a new feature.

Projects

None yet

Milestone

Antrea v2.2 release

Development

Successfully merging this pull request may close these issues.

add except to ipBlock

3 participants

@Dyanngg @antoninbas @tnqn