Add support for HostNetworkPolicy

Signed-off-by: Hongliang Liu <lhongliang@vmware.com>

build/charts/antrea/conf/antrea-agent.conf

@@ -79,6 +79,9 @@ featureGates:
 # Enable Egress traffic shaping.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "EgressTrafficShaping" "default" false) }}
 
+# Enable users to protect their Kubernetes Node.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "HostNetworkPolicy" "default" false) }}
+
 # Name of the OpenVSwitch bridge antrea-agent will create and use.
 # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
 ovsBridge: {{ .Values.ovs.bridgeName | quote }}

build/yamls/antrea-aks.yml

@@ -5574,6 +5574,9 @@ data:
     # Enable Egress traffic shaping.
     #  EgressTrafficShaping: false
 
+    # Enable users to protect their Kubernetes Node.
+    #  HostNetworkPolicy: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -6866,7 +6869,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: e59e0431902646d46cba490279184fea2bdd3c8b486b5a7b1d3ece9a91614634
+        checksum/config: f27020b859ba443bfbf88673e95e57fadc74ae9c225f2c97aa7640b342695180
       labels:
         app: antrea
         component: antrea-agent
@@ -7107,7 +7110,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: e59e0431902646d46cba490279184fea2bdd3c8b486b5a7b1d3ece9a91614634
+        checksum/config: f27020b859ba443bfbf88673e95e57fadc74ae9c225f2c97aa7640b342695180
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-eks.yml

@@ -5574,6 +5574,9 @@ data:
     # Enable Egress traffic shaping.
     #  EgressTrafficShaping: false
 
+    # Enable users to protect their Kubernetes Node.
+    #  HostNetworkPolicy: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -6866,7 +6869,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: e59e0431902646d46cba490279184fea2bdd3c8b486b5a7b1d3ece9a91614634
+        checksum/config: f27020b859ba443bfbf88673e95e57fadc74ae9c225f2c97aa7640b342695180
       labels:
         app: antrea
         component: antrea-agent
@@ -7108,7 +7111,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: e59e0431902646d46cba490279184fea2bdd3c8b486b5a7b1d3ece9a91614634
+        checksum/config: f27020b859ba443bfbf88673e95e57fadc74ae9c225f2c97aa7640b342695180
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-gke.yml

@@ -5574,6 +5574,9 @@ data:
     # Enable Egress traffic shaping.
     #  EgressTrafficShaping: false
 
+    # Enable users to protect their Kubernetes Node.
+    #  HostNetworkPolicy: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -6866,7 +6869,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 3b1758664de8044af1aa7454c64bd1a4911750e562e1ae9375c9c16a335a469d
+        checksum/config: 6e7d2494e5a3e1996e2f6ca1465455d97af508cf61f52923d9d6e7aaf54d4bf1
       labels:
         app: antrea
         component: antrea-agent
@@ -7105,7 +7108,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 3b1758664de8044af1aa7454c64bd1a4911750e562e1ae9375c9c16a335a469d
+        checksum/config: 6e7d2494e5a3e1996e2f6ca1465455d97af508cf61f52923d9d6e7aaf54d4bf1
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-ipsec.yml

@@ -5587,6 +5587,9 @@ data:
     # Enable Egress traffic shaping.
     #  EgressTrafficShaping: false
 
+    # Enable users to protect their Kubernetes Node.
+    #  HostNetworkPolicy: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -6879,7 +6882,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: a34de3efa658ac40c9bde28e08832dd897259fdcf639beab9d4e47531d7da948
+        checksum/config: 04bd3dcf4d5a4b03dadcf85a0f2c242aa8a6a9b6debdcdc65c1d7cf5a7d5220f
         checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
       labels:
         app: antrea
@@ -7164,7 +7167,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: a34de3efa658ac40c9bde28e08832dd897259fdcf639beab9d4e47531d7da948
+        checksum/config: 04bd3dcf4d5a4b03dadcf85a0f2c242aa8a6a9b6debdcdc65c1d7cf5a7d5220f
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-windows-containerd-with-ovs.yml

@@ -293,7 +293,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/agent-windows: 9580d68fcd452c53eb53272cc077b07295505b7209185d3e36619fb2f02fb935
+        checksum/agent-windows: bb43d8d5840ffd71ff946d44052fefc5bd88ca5ad58ac5048d85a5cf26a7ef13
         checksum/windows-config: 6ff4f8bd0b310ebe4d4612bdd9697ffb3d79e0e0eab3936420417dd5a8fc128d
         microsoft.com/hostprocess-inherit-user: "true"
       labels:

build/yamls/antrea-windows-containerd.yml

@@ -229,7 +229,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/agent-windows: 7749579c82f76822f449f6d6f765f07486310e8cd21cb117c8349ad1e118788b
+        checksum/agent-windows: 542068477bbe94774e38a839710706f2d0705ecc7f1ab9aa1a1cf3e46eb73afb
         checksum/windows-config: 6ff4f8bd0b310ebe4d4612bdd9697ffb3d79e0e0eab3936420417dd5a8fc128d
         microsoft.com/hostprocess-inherit-user: "true"
       labels:

build/yamls/antrea.yml

@@ -5574,6 +5574,9 @@ data:
     # Enable Egress traffic shaping.
     #  EgressTrafficShaping: false
 
+    # Enable users to protect their Kubernetes Node.
+    #  HostNetworkPolicy: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -6866,7 +6869,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: aa947bf5c403412b9c8cfcbcc335659992f19bd428886e80f43bafa052bac1e6
+        checksum/config: aee5243d7649345d098be8bd43257c2e48cefa251ed4f82a8c4b3190fdda0885
       labels:
         app: antrea
         component: antrea-agent
@@ -7105,7 +7108,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: aa947bf5c403412b9c8cfcbcc335659992f19bd428886e80f43bafa052bac1e6
+        checksum/config: aee5243d7649345d098be8bd43257c2e48cefa251ed4f82a8c4b3190fdda0885
       labels:
         app: antrea
         component: antrea-controller

cmd/antrea-agent/agent.go

@@ -138,6 +138,7 @@ func run(o *Options) error {
 	enableAntreaIPAM := features.DefaultFeatureGate.Enabled(features.AntreaIPAM)
 	enableBridgingMode := enableAntreaIPAM && o.config.EnableBridgingMode
 	l7NetworkPolicyEnabled := features.DefaultFeatureGate.Enabled(features.L7NetworkPolicy)
+	hostNetworkPolicyEnabled := features.DefaultFeatureGate.Enabled(features.HostNetworkPolicy)
 	enableMulticlusterGW := features.DefaultFeatureGate.Enabled(features.Multicluster) && o.config.Multicluster.EnableGateway
 	enableMulticlusterNP := features.DefaultFeatureGate.Enabled(features.Multicluster) && o.config.Multicluster.EnableStretchedNetworkPolicy
 	enableFlowExporter := features.DefaultFeatureGate.Enabled(features.FlowExporter) && o.config.FlowExporter.Enable
@@ -217,7 +218,7 @@ func run(o *Options) error {
 	egressConfig := &config.EgressConfig{
 		ExceptCIDRs: exceptCIDRs,
 	}
-	routeClient, err := route.NewClient(networkConfig, o.config.NoSNAT, o.config.AntreaProxy.ProxyAll, connectUplinkToBridge, multicastEnabled, serviceCIDRProvider)
+	routeClient, err := route.NewClient(networkConfig, o.config.NoSNAT, o.config.AntreaProxy.ProxyAll, connectUplinkToBridge, hostNetworkPolicyEnabled, multicastEnabled, serviceCIDRProvider)
 	if err != nil {
 		return fmt.Errorf("error creating route client: %v", err)
 	}
@@ -280,7 +281,7 @@ func run(o *Options) error {
 		o.config.ExternalNode.ExternalNodeNamespace,
 		connectUplinkToBridge,
 		o.enableAntreaProxy,
-		l7NetworkPolicyEnabled)
+		hostNetworkPolicyEnabled)
 	err = agentInitializer.Initialize()
 	if err != nil {
 		return fmt.Errorf("error initializing agent: %v", err)
@@ -469,6 +470,7 @@ func run(o *Options) error {
 		groupIDUpdates,
 		antreaPolicyEnabled,
 		l7NetworkPolicyEnabled,
+		hostNetworkPolicyEnabled,
 		o.enableAntreaProxy,
 		statusManagerEnabled,
 		multicastEnabled,

docs/feature-gates.md

@@ -56,6 +56,7 @@ edit the Agent configuration in the
 | `L7NetworkPolicy`             | Agent + Controller | `false` | Alpha | v1.10         | N/A          | N/A        | Yes                |                                               |
 | `AdminNetworkPolicy`          | Controller         | `false` | Alpha | v1.13         | N/A          | N/A        | Yes                |                                               |
 | `EgressTrafficShaping`        | Agent              | `false` | Alpha | v1.14         | N/A          | N/A        | Yes                | OVS meters should be supported                |
+| `HostNetworkPolicy`           | Agent + Controller | `false` | Alpha | v1.15         | N/A          | N/A        | Yes                |                                               |
 
 ## Description and Requirements of Features
 
@@ -404,6 +405,14 @@ this [document](antrea-l7-network-policy.md#prerequisites) for more information
 The `AdminNetworkPolicy` API (which currently includes the AdminNetworkPolicy and BaselineAdminNetworkPolicy objects)
 complements the Antrea-native policies and help cluster administrators to set security postures in a portable manner.
 
+### HostNetworkPolicy
+
+`HostNetworkPolicy` enables users to protect their Kubernetes Nodes.
+
+#### Requirements for this Feature
+
+This feature is currently only supported for Nodes running Linux.
+
 ### EgressTrafficShaping
 
 The `EgressTrafficShaping` feature gate of Antrea Agent enables traffic shaping of Egress, which could limit the

pkg/agent/config/node_config.go

@@ -50,6 +50,12 @@ const (
 	L7NetworkPolicyReturnPortName = "antrea-l7-tap1"
 )
 
+const (
+	HostNetworkPolicyIngressRulesChain        = "ANTREA-INGRESS-RULES"
+	HostNetworkPolicyDefaultIngressRulesChain = "ANTREA-DEFAULT-INGRESS-RULES"
+	HostNetworkPolicyEgressRulesChain         = "ANTREA-EGRESS-RULES"
+)
+
 var (
 	// VirtualServiceIPv4 or VirtualServiceIPv6 is used in the following scenarios:
 	// - The IP is used to perform SNAT for packets of Service sourced from Antrea gateway and destined for external

pkg/agent/controller/networkpolicy/cache.go

@@ -39,7 +39,7 @@ import (
 )
 
 const (
-	RuleIDLength                  = 16
+	ruleIDLength                  = 16
 	appliedToGroupIndex           = "appliedToGroup"
 	addressGroupIndex             = "addressGroup"
 	policyIndex                   = "policy"
@@ -48,7 +48,7 @@ const (
 )
 
 // rule is the struct stored in ruleCache, it contains necessary information
-// to construct a complete rule that can be used by reconciler to enforce.
+// to construct a complete rule that can be used by podReconciler to enforce.
 // The K8s NetworkPolicy object doesn't provide ID for its rule, here we
 // calculate an ID based on the rule's fields. That means:
 //  1. If a rule's selector/services/direction changes, it becomes "another" rule.
@@ -137,11 +137,11 @@ func hashRule(r *rule) string {
 	b, _ := json.Marshal(r)
 	hash.Write(b)
 	hashValue := hex.EncodeToString(hash.Sum(nil))
-	return hashValue[:RuleIDLength]
+	return hashValue[:ruleIDLength]
 }
 
 // CompletedRule contains IPAddresses and Pods flattened from AddressGroups and AppliedToGroups.
-// It's the struct used by reconciler.
+// It's the struct used by podReconciler.
 type CompletedRule struct {
 	*rule
 	// Source GroupMembers of this rule, can't coexist with ToAddresses.
@@ -182,8 +182,19 @@ func (r *CompletedRule) isIGMPEgressPolicyRule() bool {
 	return false
 }
 
+func (r *CompletedRule) isHostNetworkPolicyRule(nodeName string) bool {
+	var targets []*v1beta.GroupMember
+	for _, gm := range r.TargetMembers {
+		targets = append(targets, gm)
+	}
+	if len(targets) == 1 && targets[0].Node != nil && targets[0].Node.Name == nodeName {
+		return true
+	}
+	return false
+}
+
 // ruleCache caches Antrea AddressGroups, AppliedToGroups and NetworkPolicies,
-// can construct complete rules that can be used by reconciler to enforce.
+// can construct complete rules that can be used by podReconciler to enforce.
 type ruleCache struct {
 	appliedToSetLock sync.RWMutex
 	// appliedToSetByGroup stores the AppliedToGroup members.

pkg/agent/controller/networkpolicy/fqdn.go

@@ -93,7 +93,7 @@ type subscriber struct {
 }
 
 // ruleRealizationUpdate is a rule realization result reported by policy
-// rule reconciler.
+// rule podReconciler.
 type ruleRealizationUpdate struct {
 	ruleId string
 	err    error
@@ -103,7 +103,7 @@ type ruleRealizationUpdate struct {
 // applied to workloads on this Node.
 type ruleSyncTracker struct {
 	mutex sync.RWMutex
-	// updateCh is the channel used by the rule reconciler to report rule realization status.
+	// updateCh is the channel used by the rule podReconciler to report rule realization status.
 	updateCh chan ruleRealizationUpdate
 	// ruleToSubscribers keeps track of the subscribers that are currently subscribed
 	// to each dirty rule. Once an update of the rule realization status is received,
@@ -575,7 +575,7 @@ func (rst *ruleSyncTracker) Run(stopCh <-chan struct{}) {
 	}
 }
 
-// notifyRuleUpdate is an interface for the reconciler to notify the ruleSyncTracker of a
+// notifyRuleUpdate is an interface for the podReconciler to notify the ruleSyncTracker of a
 // rule realization status.
 func (f *fqdnController) notifyRuleUpdate(ruleID string, err error) {
 	f.ruleSyncTracker.updateCh <- ruleRealizationUpdate{ruleID, err}