documentation

Signed-off-by: Qiyue Yao <yaoq@vmware.com>
antrea-io · Jul 27, 2022 · a45eaf7 · a45eaf7
1 parent eec0aa5
commit a45eaf7
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 7 deletions.
diff --git a/docs/antrea-network-policy.md b/docs/antrea-network-policy.md
@@ -647,6 +647,25 @@ The rules are logged in the following format:
     2021/06/24 23:56:41.346165 AntreaPolicyEgressRule AntreaNetworkPolicy:default/test-anp Drop 44900 10.10.1.65 35402 10.0.0.5 80 TCP 60 [3 packets in 1.011379442s]
 ```
 
+Kubernetes Network Policies can also be audited using Antrea logging to the same file
+(`/var/log/antrea/networkpolicy/np.log`). Set the Namespace Annotations to
+`policy.antrea.io/enable-np-logging: "true"`, then all the rules of Kubernetes
+Network Policies in this Namespace will be processed similar to setting their
+`enableLogging` field to true. Packet of any connection that matches the rules
+will be logged with Kubernetes Network Policy reference, but packets dropped by
+implicit default drop will only be logged with consistent name `K8sNetworkPolicy`
+for reference. The rules are logged in the following format:
+
+```text
+    <yyyy/mm/dd> <time> <ovs-table-name> <k8s-network-policy-reference> Allow <openflow-priority> <source-ip> <source-port> <destination-ip> <destination-port> <protocol> <packet-length>
+    Default dropped traffic:
+    <yyyy/mm/dd> <time> <ovs-table-name> K8sNetworkPolicy Drop -1 <source-ip> <source-port> <destination-ip> <destination-port> <protocol> <packet-length> [<num of packets> packets in <duplicate duration>]
+
+    Example:
+    2022/07/26 06:55:56.170456 IngressRule K8sNetworkPolicy:default/test-np-log Allow 190 10.10.1.82 49518 10.10.1.84 80 TCP 60
+    2022/07/26 06:55:57.142206 IngressDefaultRule K8sNetworkPolicy Drop -1 10.10.1.83 38608 10.10.1.84 80 TCP 60
+```
+
 Fluentd can be used to assist with collecting and analyzing the logs. Refer to the
 [Fluentd cookbook](cookbooks/fluentd) for documentation.
 

diff --git a/pkg/agent/openflow/network_policy.go b/pkg/agent/openflow/network_policy.go
@@ -1076,7 +1076,7 @@ func (f *featureNetworkPolicy) addRuleToConjunctiveMatch(conj *policyRuleConjunc
 		for _, eachService := range rule.Service {
 			matches := generateServiceConjMatches(conj.serviceClause.ruleTable.GetID(), eachService, rule.Priority, f.ipProtocols, false)
 			for _, match := range matches {
-				f.addActionToConjunctiveMatch(conj.serviceClause, match, rule.EnableLogging)
+				f.addActionToConjunctiveMatch(conj.serviceClause, match, false)
 			}
 		}
 	}

diff --git a/pkg/controller/networkpolicy/networkpolicy_controller_test.go b/pkg/controller/networkpolicy/networkpolicy_controller_test.go
@@ -231,9 +231,9 @@ func newClientset(objects ...runtime.Object) *fake.Clientset {
 	return client
 }
 
-type mockNamespaceAnnotationLog struct{}
+type mockNamespaceListerWithLogAnnotation struct{}
 
-func (s *mockNamespaceAnnotationLog) List(selector labels.Selector) (ret []*corev1.Namespace, err error) {
+func (s *mockNamespaceListerWithLogAnnotation) List(selector labels.Selector) (ret []*corev1.Namespace, err error) {
 	testNamespace := &corev1.Namespace{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace:   corev1.NamespaceDefault,
@@ -244,7 +244,7 @@ func (s *mockNamespaceAnnotationLog) List(selector labels.Selector) (ret []*core
 	return []*corev1.Namespace{testNamespace}, nil
 }
 
-func (s *mockNamespaceAnnotationLog) Get(name string) (*corev1.Namespace, error) {
+func (s *mockNamespaceListerWithLogAnnotation) Get(name string) (*corev1.Namespace, error) {
 	testNamespace := &corev1.Namespace{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace:   corev1.NamespaceDefault,
@@ -2823,7 +2823,7 @@ func TestProcessNetworkPolicyLogging(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			_, c := newController()
 			// Replace with custom lister that returns Namespace with logging Annotation.
-			c.namespaceLister = &mockNamespaceAnnotationLog{}
+			c.namespaceLister = &mockNamespaceListerWithLogAnnotation{}
 
 			if actualPolicy := c.processNetworkPolicy(tt.inputPolicy); !reflect.DeepEqual(actualPolicy, tt.expectedPolicy) {
 				t.Errorf("processNetworkPolicy() got %v, want %v", actualPolicy, tt.expectedPolicy)

diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go
@@ -15,7 +15,6 @@
 package e2e
 
 import (
-	"antrea.io/antrea/pkg/controller/networkpolicy"
 	"context"
 	"encoding/json"
 	"fmt"
@@ -41,6 +40,7 @@ import (
 	crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
 	crdv1alpha2 "antrea.io/antrea/pkg/apis/crd/v1alpha2"
 	crdv1alpha3 "antrea.io/antrea/pkg/apis/crd/v1alpha3"
+	"antrea.io/antrea/pkg/controller/networkpolicy"
 	"antrea.io/antrea/pkg/features"
 	. "antrea.io/antrea/test/e2e/utils"
 )
@@ -2123,6 +2123,7 @@ func testAuditLoggingEnableNP(t *testing.T, data *TestData) {
 		t.Errorf("Error when polling audit log files for required entries: %v", err)
 	}
 	failOnError(k8sUtils.DeleteNetworkPolicy(namespaces["x"], "allow-x-b-to-x-a"), t)
+	data.updateNamespaceWithAnnotations(namespaces["x"], map[string]string{})
 }
 
 func testAppliedToPerRule(t *testing.T) {
@@ -3568,7 +3569,6 @@ func TestAntreaPolicy(t *testing.T) {
 		t.Run("Case=AuditLoggingBasic", func(t *testing.T) { testAuditLoggingBasic(t, data) })
 		t.Run("Case=AuditLoggingEnableNP", func(t *testing.T) { testAuditLoggingEnableNP(t, data) })
 	})
-	printResults()
 
 	t.Run("TestMulticastNP", func(t *testing.T) {
 		skipIfMulticastDisabled(t)