-
Notifications
You must be signed in to change notification settings - Fork 363
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support Antrea NetworkPolicy in Traceflow #1361
Conversation
Thanks for your PR. The following commands are available:
|
Codecov Report
@@ Coverage Diff @@
## master #1361 +/- ##
===========================================
- Coverage 67.58% 54.56% -13.02%
===========================================
Files 169 135 -34
Lines 13465 12508 -957
===========================================
- Hits 9100 6825 -2275
- Misses 3420 5046 +1626
+ Partials 945 637 -308
Flags with carried forward coverage won't be shown. Click here to find out more.
|
6df090b
to
31f5a8a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
f89af55
to
3598594
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The change LGTM. But hope @wenyingd can review too.
9a0806b
to
b81e642
Compare
@@ -738,6 +738,7 @@ func (c *client) InstallTraceflowFlows(dataplaneTag uint8) error { | |||
flows := []binding.Flow{} | |||
c.conjMatchFlowLock.Lock() | |||
defer c.conjMatchFlowLock.Unlock() | |||
// Copy default drop rules | |||
for _, ctx := range c.globalConjMatchFlowCache { | |||
if ctx.dropFlow != nil { | |||
flows = append( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Having discussion with @weiqiangt , after metric flow is introduced, the actual "drop" action should happen in the XgressMetricTable, so I think we could add traceflow only in XgressMetricTable with the flow having "dropFlag". Otherwise, the flow in the default drop table is useless.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Think over, as metricflow doesn't record from which policy table the packet is resubmitted in, does it affect the result of Traceflow? I mean we actually want to report that the packet is dropped by K8s Policy Rule or Antrea Policy Rule, but it seems the current implementation would report the packet is dropped by MetricTable
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will the K8s NetworkPolicy use default drop table?
I think Traceflow need to mock all NetworkPolicy flows with "drop" action, including default drop flow for K8s NetworkPolicy and XgressMetricTable for Antrea NetworkPolicy.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can identify this by the prefix in networkPolicy property. This function is added by @tnqn
Here is my test result:
status:
phase: Succeeded
results:
- node: gran-k8s0-2
observations:
- action: Forwarded
component: SpoofGuard
- action: Forwarded
component: NetworkPolicy
componentInfo: EgressRule
networkPolicy: AntreaNetworkPolicy:default/test-anp
- action: Dropped
component: NetworkPolicy
componentInfo: IngressMetric
networkPolicy: AntreaNetworkPolicy:default/test-anp
timestamp: 1603965404
9ee4873
to
0bdc543
Compare
can we target this for 0.11 release? |
Yes, this is for 0.11 release. |
Thanks for your PR. The following commands are available:
|
d8065ef
to
a653390
Compare
/test-all |
This PR added 3 major changes:
This PR closes #1225