L7NetworkPolicy Controller

Add support for passing L7Protocols to agent when processing ACNP and ANP.
Add validation for Antrea native policy for L7Protocols (HTTP only) to be used with Ports/Protocols,
only supports Allow, and not used with toServices.
Add UT.

Signed-off-by: Qiyue Yao <yaoq@vmware.com>

pkg/controller/networkpolicy/antreanetworkpolicy.go

@@ -107,6 +107,7 @@ func (n *NetworkPolicyController) processAntreaNetworkPolicy(np *crdv1alpha1.Net
 			Priority:        int32(idx),
 			EnableLogging:   ingressRule.EnableLogging,
 			AppliedToGroups: getAppliedToGroupNames(atgs),
+			L7Protocols:     toAntreaL7ProtocolsForCRD(ingressRule.L7Protocols),
 		})
 	}
 	// Compute NetworkPolicyRule for Egress Rule.
@@ -133,6 +134,7 @@ func (n *NetworkPolicyController) processAntreaNetworkPolicy(np *crdv1alpha1.Net
 			Priority:        int32(idx),
 			EnableLogging:   egressRule.EnableLogging,
 			AppliedToGroups: getAppliedToGroupNames(atgs),
+			L7Protocols:     toAntreaL7ProtocolsForCRD(egressRule.L7Protocols),
 		})
 	}
 	tierPriority := n.getTierPriority(np.Spec.Tier)

pkg/controller/networkpolicy/antreanetworkpolicy_test.go

@@ -569,6 +569,56 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) {
 			expectedAppliedToGroups: 1,
 			expectedAddressGroups:   1,
 		},
+		{
+			name: "with-l7Protocol",
+			inputPolicy: &crdv1alpha1.NetworkPolicy{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "ns8", Name: "npH", UID: "uidH"},
+				Spec: crdv1alpha1.NetworkPolicySpec{
+					AppliedTo: []crdv1alpha1.AppliedTo{
+						{PodSelector: &selectorA},
+					},
+					Priority: p10,
+					Ingress: []crdv1alpha1.Rule{
+						{
+							L7Protocols: []crdv1alpha1.L7Protocol{{HTTP: &crdv1alpha1.HTTPProtocol{Host: "test.com", Method: "GET", Path: "/admin"}}},
+							From: []crdv1alpha1.NetworkPolicyPeer{
+								{
+									PodSelector:       &selectorB,
+									NamespaceSelector: &selectorC,
+								},
+							},
+							Action: &allowAction,
+						},
+					},
+				},
+			},
+			expectedPolicy: &antreatypes.NetworkPolicy{
+				UID:  "uidH",
+				Name: "uidH",
+				SourceRef: &controlplane.NetworkPolicyReference{
+					Type:      controlplane.AntreaNetworkPolicy,
+					Namespace: "ns8",
+					Name:      "npH",
+					UID:       "uidH",
+				},
+				Priority:     &p10,
+				TierPriority: &DefaultTierPriority,
+				Rules: []controlplane.NetworkPolicyRule{
+					{
+						Direction: controlplane.DirectionIn,
+						From: controlplane.NetworkPolicyPeer{
+							AddressGroups: []string{getNormalizedUID(antreatypes.NewGroupSelector("", &selectorB, &selectorC, nil, nil).NormalizedName)},
+						},
+						L7Protocols: []controlplane.L7Protocol{{HTTP: &controlplane.HTTPProtocol{Host: "test.com", Method: "GET", Path: "/admin"}}},
+						Priority:    0,
+						Action:      &allowAction,
+					},
+				},
+				AppliedToGroups: []string{getNormalizedUID(antreatypes.NewGroupSelector("ns8", &selectorA, nil, nil, nil).NormalizedName)},
+			},
+			expectedAppliedToGroups: 1,
+			expectedAddressGroups:   1,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/controller/networkpolicy/clusternetworkpolicy.go

@@ -371,6 +371,7 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *crdv1alpha1.C
 					Priority:        int32(idx),
 					EnableLogging:   cnpRule.EnableLogging,
 					AppliedToGroups: getAppliedToGroupNames(ruleAppliedTos),
+					L7Protocols:     toAntreaL7ProtocolsForCRD(cnpRule.L7Protocols),
 				}
 				if dir == controlplane.DirectionIn {
 					rule.From = *peer

pkg/controller/networkpolicy/clusternetworkpolicy_test.go

@@ -383,6 +383,54 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
 			expectedAppliedToGroups: 1,
 			expectedAddressGroups:   1,
 		},
+		{
+			name: "with-l7Protocol",
+			inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "", Name: "cnpE", UID: "uidE"},
+				Spec: crdv1alpha1.ClusterNetworkPolicySpec{
+					AppliedTo: []crdv1alpha1.AppliedTo{
+						{PodSelector: &selectorA},
+					},
+					Priority: p10,
+					Ingress: []crdv1alpha1.Rule{
+						{
+							L7Protocols: []crdv1alpha1.L7Protocol{{HTTP: &crdv1alpha1.HTTPProtocol{Host: "test.com", Method: "GET", Path: "/admin"}}},
+							From: []crdv1alpha1.NetworkPolicyPeer{
+								{
+									PodSelector: &selectorB,
+								},
+							},
+							Action: &allowAction,
+						},
+					},
+				},
+			},
+			expectedPolicy: &antreatypes.NetworkPolicy{
+				UID:  "uidE",
+				Name: "uidE",
+				SourceRef: &controlplane.NetworkPolicyReference{
+					Type: controlplane.AntreaClusterNetworkPolicy,
+					Name: "cnpE",
+					UID:  "uidE",
+				},
+				Priority:     &p10,
+				TierPriority: &DefaultTierPriority,
+				Rules: []controlplane.NetworkPolicyRule{
+					{
+						Direction: controlplane.DirectionIn,
+						From: controlplane.NetworkPolicyPeer{
+							AddressGroups: []string{getNormalizedUID(antreatypes.NewGroupSelector("", &selectorB, nil, nil, nil).NormalizedName)},
+						},
+						L7Protocols: []controlplane.L7Protocol{{HTTP: &controlplane.HTTPProtocol{Host: "test.com", Method: "GET", Path: "/admin"}}},
+						Priority:    0,
+						Action:      &allowAction,
+					},
+				},
+				AppliedToGroups: []string{getNormalizedUID(antreatypes.NewGroupSelector("", &selectorA, nil, nil, nil).NormalizedName)},
+			},
+			expectedAppliedToGroups: 1,
+			expectedAddressGroups:   1,
+		},
 		{
 			name: "appliedTo-per-rule",
 			inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{

pkg/controller/networkpolicy/crd_utils.go

@@ -108,6 +108,18 @@ func toAntreaServicesForCRD(npPorts []v1alpha1.NetworkPolicyPort, npProtocols []
 	return antreaServices, namedPortExists
 }
 
+// toAntreaL7ProtocolsForCRD converts a slice of v1alpha1.L7Protocol objects to
+// a slice of Antrea L7Protocol objects.
+func toAntreaL7ProtocolsForCRD(l7Protocols []v1alpha1.L7Protocol) []controlplane.L7Protocol {
+	var antreaL7Protocols []controlplane.L7Protocol
+	for _, l7p := range l7Protocols {
+		antreaL7Protocols = append(antreaL7Protocols, controlplane.L7Protocol{
+			HTTP: (*controlplane.HTTPProtocol)(l7p.HTTP),
+		})
+	}
+	return antreaL7Protocols
+}
+
 // toAntreaIPBlockForCRD converts a v1alpha1.IPBlock to an Antrea IPBlock.
 func toAntreaIPBlockForCRD(ipBlock *v1alpha1.IPBlock) (*controlplane.IPBlock, error) {
 	// Convert the allowed IPBlock to networkpolicy.IPNet.

pkg/controller/networkpolicy/crd_utils_test.go

@@ -206,6 +206,26 @@ func TestToAntreaServicesForCRD(t *testing.T) {
 	}
 }
 
+func TestToAntreaL7ProtocolsForCRD(t *testing.T) {
+	tables := []struct {
+		l7Protocol []crdv1alpha1.L7Protocol
+		expValue   []controlplane.L7Protocol
+	}{
+		{
+			[]crdv1alpha1.L7Protocol{
+				{HTTP: &crdv1alpha1.HTTPProtocol{Host: "test.com", Method: "GET", Path: "/admin"}},
+			},
+			[]controlplane.L7Protocol{
+				{HTTP: &controlplane.HTTPProtocol{Host: "test.com", Method: "GET", Path: "/admin"}},
+			},
+		},
+	}
+	for _, table := range tables {
+		gotValue := toAntreaL7ProtocolsForCRD(table.l7Protocol)
+		assert.Equal(t, table.expValue, gotValue)
+	}
+}
+
 func TestToAntreaIPBlockForCRD(t *testing.T) {
 	expIPNet := controlplane.IPNet{
 		IP:           ipStrToIPAddress("10.0.0.0"),

pkg/controller/networkpolicy/validate.go

@@ -25,6 +25,7 @@ import (
 
 	admv1 "k8s.io/api/admission/v1"
 	authenticationv1 "k8s.io/api/authentication/v1"
+	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -448,6 +449,10 @@ func (v *antreaPolicyValidator) createValidate(curObj interface{}, userInfo auth
 	if !allowed {
 		return reason, allowed
 	}
+	reason, allowed = v.validateL7Protocols(ingress, egress)
+	if !allowed {
+		return reason, allowed
+	}
 	if err := v.validatePort(ingress, egress); err != nil {
 		return err.Error(), false
 	}
@@ -760,6 +765,39 @@ func (v *antreaPolicyValidator) validateMulticastIGMP(ingressRules, egressRules
 	return "", true
 }
 
+// validateL7Protocols validates the L7Protocols field set in Antrea-native policy
+// rules are valid, and compatible with the ports or protocols fields.
+func (v *antreaPolicyValidator) validateL7Protocols(ingressRules, egressRules []crdv1alpha1.Rule) (string, bool) {
+	for _, r := range append(ingressRules, egressRules...) {
+		if len(r.L7Protocols) == 0 {
+			continue
+		}
+		if *r.Action != crdv1alpha1.RuleActionAllow {
+			return "layer 7 protocols only support Allow", false
+		}
+		if len(r.ToServices) != 0 {
+			return "layer 7 protocols can not be used with toServices", false
+		}
+		haveHTTP := false
+		for _, p := range r.L7Protocols {
+			if p.HTTP != nil {
+				haveHTTP = true
+			}
+		}
+		for _, port := range r.Ports {
+			if haveHTTP && (port.Protocol != nil && *port.Protocol != v1.ProtocolTCP) {
+				return "HTTP protocol can only be used when layer 4 protocol is TCP or unset", false
+			}
+		}
+		for _, protocol := range r.Protocols {
+			if haveHTTP && (protocol.IGMP != nil || protocol.ICMP != nil) {
+				return "HTTP protocol can not be used with protocol IGMP or ICMP", false
+			}
+		}
+	}
+	return "", true
+}
+
 // validateFQDNSelectors validates the toFQDN field set in Antrea-native policy egress rules are valid.
 func (v *antreaPolicyValidator) validateFQDNSelectors(egressRules []crdv1alpha1.Rule) (string, bool) {
 	for _, r := range egressRules {
@@ -814,6 +852,10 @@ func (v *antreaPolicyValidator) updateValidate(curObj, oldObj interface{}, userI
 	if !allowed {
 		return reason, allowed
 	}
+	reason, allowed = v.validateL7Protocols(ingress, egress)
+	if !allowed {
+		return reason, allowed
+	}
 	if err := v.validatePort(ingress, egress); err != nil {
 		return err.Error(), false
 	}