Add IP Group association query API (#4807)

This commit adds a new ipgroupassociation API type for querying the
Antrea Group/ClusterGroups that an IP is associated with.
Possible scenarios include:

- IP is assigned to a Pod, in which case the groups that select the
  Pod as member will be returned
- IP appears in an ExternalEntity's endpoints, in which case the
  groups that select the ExternalEntity as member will be returned
- IP is part of an IPBlock that defines the Group/ClusterGroup, in
  which case the group will be returned.
  (Note that 1 and 3 can simultaneously be true, so as 2 and 3)

Below are examples of how this API can be consumed:

- Through kubectl proxy (i.e. curl 127.0.0.1:8001/apis/controlplane
  .antrea.io/v1beta2/ipgroupassociations/10.10.0.1)
- Through the IPGroupAssociations clientset provided under
  controlplane/v1beta2

Signed-off-by: Dyanngg <dingyang@vmware.com>

cmd/antrea-controller/controller.go

@@ -30,6 +30,7 @@ import (
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 	"k8s.io/client-go/informers"
 	csrinformers "k8s.io/client-go/informers/certificates/v1"
+	coreinformers "k8s.io/client-go/informers/core/v1"
 	clientset "k8s.io/client-go/kubernetes"
 	csrlisters "k8s.io/client-go/listers/certificates/v1"
 	"k8s.io/client-go/tools/cache"
@@ -44,6 +45,7 @@ import (
 	"antrea.io/antrea/pkg/apiserver/openapi"
 	"antrea.io/antrea/pkg/apiserver/storage"
 	crdinformers "antrea.io/antrea/pkg/client/informers/externalversions"
+	crdv1a2informers "antrea.io/antrea/pkg/client/informers/externalversions/crd/v1alpha2"
 	"antrea.io/antrea/pkg/clusteridentity"
 	"antrea.io/antrea/pkg/controller/certificatesigningrequest"
 	"antrea.io/antrea/pkg/controller/egress"
@@ -140,6 +142,14 @@ func run(o *Options) error {
 	externalIPPoolInformer := crdInformerFactory.Crd().V1alpha2().ExternalIPPools()
 	externalNodeInformer := crdInformerFactory.Crd().V1alpha1().ExternalNodes()
 
+	// Add IP-Pod index. Each Pod has no more than 2 IPs, the extra overhead is constant and acceptable.
+	// @tnqn evaluated the performance without/with IP index is 3us vs 4us per pod, i.e. 300ms vs 400ms for 100k Pods.
+	podInformer.Informer().AddIndexers(cache.Indexers{grouping.PodIPsIndex: grouping.PodIPsIndexFunc})
+
+	if features.DefaultFeatureGate.Enabled(features.AntreaPolicy) {
+		eeInformer.Informer().AddIndexers(cache.Indexers{grouping.ExternalEntityIPsIndex: grouping.ExternalEntityIPsIndexFunc})
+	}
+
 	clusterIdentityAllocator := clusteridentity.NewClusterIdentityAllocator(
 		env.GetAntreaNamespace(),
 		clusteridentity.DefaultClusterIdentityConfigMapName,
@@ -267,9 +277,10 @@ func run(o *Options) error {
 		addressGroupStore,
 		appliedToGroupStore,
 		networkPolicyStore,
-		groupStore,
 		egressGroupStore,
 		bundleCollectionStore,
+		podInformer,
+		eeInformer,
 		controllerQuerier,
 		endpointQuerier,
 		networkPolicyController,
@@ -451,9 +462,10 @@ func createAPIServerConfig(kubeconfig string,
 	addressGroupStore storage.Interface,
 	appliedToGroupStore storage.Interface,
 	networkPolicyStore storage.Interface,
-	groupStore storage.Interface,
 	egressGroupStore storage.Interface,
 	supportBundleCollectionStore storage.Interface,
+	podInformer coreinformers.PodInformer,
+	eeInformer crdv1a2informers.ExternalEntityInformer,
 	controllerQuerier querier.ControllerQuerier,
 	endpointQuerier networkpolicy.EndpointQuerier,
 	npController *networkpolicy.NetworkPolicyController,
@@ -516,9 +528,10 @@ func createAPIServerConfig(kubeconfig string,
 		addressGroupStore,
 		appliedToGroupStore,
 		networkPolicyStore,
-		groupStore,
 		egressGroupStore,
 		supportBundleCollectionStore,
+		podInformer,
+		eeInformer,
 		caCertController,
 		statsAggregator,
 		controllerQuerier,

pkg/apis/controlplane/register.go

@@ -58,6 +58,7 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&ClusterGroupMembers{},
 		&PaginationGetOptions{},
 		&GroupAssociation{},
+		&IPGroupAssociation{},
 		&EgressGroup{},
 		&EgressGroupPatch{},
 		&EgressGroupList{},

pkg/apis/controlplane/types.go

@@ -439,6 +439,17 @@ type GroupAssociation struct {
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
+// IPGroupAssociation is a list of GroupReferences for responses to IP association queries.
+type IPGroupAssociation struct {
+	metav1.TypeMeta
+	metav1.ObjectMeta
+	// AssociatedGroups is a list of GroupReferences that is associated with the
+	// IP address being queried.
+	AssociatedGroups []GroupReference
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
 type EgressGroup struct {
 	metav1.TypeMeta
 	metav1.ObjectMeta

pkg/apis/controlplane/v1beta2/register.go

@@ -73,6 +73,7 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&ClusterGroupMembers{},
 		&PaginationGetOptions{},
 		&GroupAssociation{},
+		&IPGroupAssociation{},
 		&EgressGroup{},
 		&EgressGroupPatch{},
 		&EgressGroupList{},

pkg/apis/controlplane/v1beta2/types.go

@@ -440,6 +440,19 @@ type GroupAssociation struct {
 	AssociatedGroups []GroupReference `json:"associatedGroups" protobuf:"bytes,2,rep,name=associatedGroups"`
 }
 
+// +genclient
+// +genclient:nonNamespaced
+// +genclient:onlyVerbs=get
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type IPGroupAssociation struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+	// AssociatedGroups is a list of GroupReferences that is associated with the
+	// IP address being queried.
+	AssociatedGroups []GroupReference `json:"associatedGroups" protobuf:"bytes,2,rep,name=associatedGroups"`
+}
+
 // +genclient
 // +genclient:nonNamespaced
 // +genclient:onlyVerbs=list,get,watch

pkg/apiserver/apiserver.go

@@ -26,6 +26,7 @@ import (
 	"k8s.io/apiserver/pkg/registry/rest"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	"k8s.io/client-go/informers"
+	coreinformers "k8s.io/client-go/informers/core/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/klog/v2"
 	"k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
@@ -48,6 +49,7 @@ import (
 	"antrea.io/antrea/pkg/apiserver/registry/networkpolicy/appliedtogroup"
 	"antrea.io/antrea/pkg/apiserver/registry/networkpolicy/clustergroupmember"
 	"antrea.io/antrea/pkg/apiserver/registry/networkpolicy/groupassociation"
+	"antrea.io/antrea/pkg/apiserver/registry/networkpolicy/ipgroupassociation"
 	"antrea.io/antrea/pkg/apiserver/registry/networkpolicy/networkpolicy"
 	"antrea.io/antrea/pkg/apiserver/registry/stats/antreaclusternetworkpolicystats"
 	"antrea.io/antrea/pkg/apiserver/registry/stats/antreanetworkpolicystats"
@@ -56,6 +58,7 @@ import (
 	"antrea.io/antrea/pkg/apiserver/registry/system/controllerinfo"
 	"antrea.io/antrea/pkg/apiserver/registry/system/supportbundle"
 	"antrea.io/antrea/pkg/apiserver/storage"
+	crdv1a2informers "antrea.io/antrea/pkg/client/informers/externalversions/crd/v1alpha2"
 	"antrea.io/antrea/pkg/controller/egress"
 	"antrea.io/antrea/pkg/controller/externalippool"
 	"antrea.io/antrea/pkg/controller/ipam"
@@ -96,6 +99,8 @@ type ExtraConfig struct {
 	networkPolicyStore            storage.Interface
 	egressGroupStore              storage.Interface
 	bundleCollectionStore         storage.Interface
+	podInformer                   coreinformers.PodInformer
+	eeInformer                    crdv1a2informers.ExternalEntityInformer
 	controllerQuerier             querier.ControllerQuerier
 	endpointQuerier               controllernetworkpolicy.EndpointQuerier
 	networkPolicyController       *controllernetworkpolicy.NetworkPolicyController
@@ -137,7 +142,9 @@ type completedConfig struct {
 func NewConfig(
 	genericConfig *genericapiserver.Config,
 	k8sClient kubernetes.Interface,
-	addressGroupStore, appliedToGroupStore, networkPolicyStore, groupStore, egressGroupStore, supportBundleCollectionStore storage.Interface,
+	addressGroupStore, appliedToGroupStore, networkPolicyStore, egressGroupStore, supportBundleCollectionStore storage.Interface,
+	podInformer coreinformers.PodInformer,
+	eeInformer crdv1a2informers.ExternalEntityInformer,
 	caCertController *certificate.CACertController,
 	statsAggregator *stats.Aggregator,
 	controllerQuerier querier.ControllerQuerier,
@@ -155,6 +162,8 @@ func NewConfig(
 			networkPolicyStore:            networkPolicyStore,
 			egressGroupStore:              egressGroupStore,
 			bundleCollectionStore:         supportBundleCollectionStore,
+			podInformer:                   podInformer,
+			eeInformer:                    eeInformer,
 			caCertController:              caCertController,
 			statsAggregator:               statsAggregator,
 			controllerQuerier:             controllerQuerier,
@@ -178,6 +187,7 @@ func installAPIGroup(s *APIServer, c completedConfig) error {
 	networkPolicyStatusStorage := networkpolicy.NewStatusREST(c.extraConfig.networkPolicyStatusController)
 	clusterGroupMembershipStorage := clustergroupmember.NewREST(c.extraConfig.networkPolicyController)
 	groupAssociationStorage := groupassociation.NewREST(c.extraConfig.networkPolicyController)
+	ipGroupAssociationStorage := ipgroupassociation.NewREST(c.extraConfig.podInformer, c.extraConfig.eeInformer, c.extraConfig.networkPolicyController, c.extraConfig.networkPolicyController)
 	nodeStatsSummaryStorage := nodestatssummary.NewREST(c.extraConfig.statsAggregator)
 	egressGroupStorage := egressgroup.NewREST(c.extraConfig.egressGroupStore)
 	bundleCollectionStorage := supportbundlecollection.NewREST(c.extraConfig.bundleCollectionStore)
@@ -190,6 +200,7 @@ func installAPIGroup(s *APIServer, c completedConfig) error {
 	cpv1beta2Storage["networkpolicies/status"] = networkPolicyStatusStorage
 	cpv1beta2Storage["nodestatssummaries"] = nodeStatsSummaryStorage
 	cpv1beta2Storage["groupassociations"] = groupAssociationStorage
+	cpv1beta2Storage["ipgroupassociations"] = ipGroupAssociationStorage
 	cpv1beta2Storage["clustergroupmembers"] = clusterGroupMembershipStorage
 	cpv1beta2Storage["egressgroups"] = egressGroupStorage
 	cpv1beta2Storage["supportbundlecollections"] = bundleCollectionStorage