
Support Antrea NetworkPolicy in Traceflow #1361

Merged 1 commit, Nov 11, 2020

Conversation

gran-vmv (Contributor):

This PR added 3 major changes:

  1. Mirror existing Antrea NetworkPolicy drop flows with action=controller when running TF
  2. Collect drop table and rule when PacketIn
  3. Add dropFlag into ofFlow struct to identify if the flow contains drop action

This PR closes #1225
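As an added illustration (not Antrea's code and not part of this PR), a toy Go model of the three changes above: drop flows carry a dropFlag, a Traceflow run mirrors them into tag-matching flows with a controller action, and PacketIn resolves the table and the prefixed policy name into the observation fields that appear in the test output later in this thread. All type and function names here are invented for the example.

```go
package main

// Toy model (not Antrea's code) of this PR's design: policy drop flows carry a dropFlag and,
// while a Traceflow runs, are mirrored into tag-matching flows that punt to the controller.
type Flow struct {
	Table    string // pipeline table, e.g. "EgressRule" or "IngressMetric"
	Policy   string // prefixed policy name, e.g. "AntreaNetworkPolicy:default/test-anp"
	Tag      uint8  // dataplane tag the flow matches; 0 means any packet
	Action   string // "drop", "controller" or "forward"
	dropFlag bool   // true when the real rule's action is drop
}

// NewFlow derives dropFlag from the action, as this PR adds it to the ofFlow struct.
func NewFlow(table, policy, action string) Flow {
	return Flow{Table: table, Policy: policy, Action: action, dropFlag: action == "drop"}
}

// MirrorDropFlows clones each drop flow into a flow matching the Traceflow tag that sends the
// packet to the controller; dropFlag is kept so PacketIn knows the real rule would have dropped.
func MirrorDropFlows(cache []Flow, tag uint8) (out []Flow) {
	for _, f := range cache {
		if f.dropFlag {
			f.Tag, f.Action = tag, "controller" // f is a copy; the cached flow is untouched
			out = append(out, f)
		}
	}
	return out
}

// Lookup picks the flow in table that matches the packet, preferring an exact tag match over a
// Tag 0 wildcard (the mirrored flow would carry the higher OVS priority).
func Lookup(flows []Flow, table string, pktTag uint8) (best Flow, found bool) {
	for _, f := range flows {
		if f.Table == table && (f.Tag == 0 || f.Tag == pktTag) && (!found || f.Tag != 0) {
			best, found = f, true
		}
	}
	return best, found
}

// Observation holds the fields shown in the Traceflow status later in this thread.
type Observation struct{ Action, Component, ComponentInfo, NetworkPolicy string }

// OnPacketIn records which table (stage) and which prefixed policy the punted packet hit.
func OnPacketIn(f Flow) Observation {
	if f.dropFlag {
		return Observation{"Dropped", "NetworkPolicy", f.Table, f.Policy}
	}
	return Observation{"Forwarded", "NetworkPolicy", f.Table, f.Policy}
}
```

Because the mirrored flow matches only the Traceflow tag, untagged traffic still hits the original drop flow, so policy enforcement is unchanged while a trace is running.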

antrea-bot (Collaborator):

Thanks for your PR.
Unit tests and code linters are run automatically every time the PR is updated.
E2e, conformance and network policy tests can only be triggered by a member of the vmware-tanzu organization. Regular contributors to the project should join the org.

The following commands are available:

  • /test-e2e: to trigger e2e tests.
  • /skip-e2e: to skip e2e tests.
  • /test-conformance: to trigger conformance tests.
  • /skip-conformance: to skip conformance tests.
  • /test-whole-conformance: to trigger all conformance tests on linux.
  • /skip-whole-conformance: to skip all conformance tests on linux.
  • /test-networkpolicy: to trigger networkpolicy tests.
  • /skip-networkpolicy: to skip networkpolicy tests.
  • /test-windows-conformance: to trigger windows conformance tests.
  • /skip-windows-conformance: to skip windows conformance tests.
  • /test-windows-networkpolicy: to trigger windows networkpolicy tests.
  • /skip-windows-networkpolicy: to skip windows networkpolicy tests.
  • /test-hw-offload: to trigger ovs hardware offload test.
  • /skip-hw-offload: to skip ovs hardware offload test.
  • /test-all: to trigger all tests (except whole conformance).
  • /skip-all: to skip all tests (except whole conformance).

codecov-io commented Oct 12, 2020

Codecov Report

Merging #1361 (d3ec61b) into master (d1e0624) will decrease coverage by 13.01%.
The diff coverage is 71.42%.


@@             Coverage Diff             @@
##           master    #1361       +/-   ##
===========================================
- Coverage   67.58%   54.56%   -13.02%     
===========================================
  Files         169      135       -34     
  Lines       13465    12508      -957     
===========================================
- Hits         9100     6825     -2275     
- Misses       3420     5046     +1626     
+ Partials      945      637      -308     
| Flag | Coverage Δ |
|---|---|
| integration-tests | 45.64% <31.25%> (-0.09%) ⬇️ |
| kind-e2e-tests | ? |
| unit-tests | 41.38% <63.26%> (-0.37%) ⬇️ |

Flags with carried forward coverage won't be shown.

| Impacted Files | Coverage Δ |
|---|---|
| pkg/agent/controller/traceflow/packetin.go | 12.33% <57.57%> (-51.85%) ⬇️ |
| pkg/agent/openflow/client.go | 52.09% <100.00%> (-16.01%) ⬇️ |
| pkg/ovs/openflow/ofctrl_action.go | 91.30% <100.00%> (+0.08%) ⬆️ |
| pkg/ovs/openflow/ofctrl_flow.go | 75.00% <100.00%> (+5.18%) ⬆️ |
| pkg/agent/agent_linux.go | 0.00% <0.00%> (-100.00%) ⬇️ |
| pkg/apis/controlplane/helper.go | 0.00% <0.00%> (-100.00%) ⬇️ |
| pkg/apis/controlplane/v1beta2/helper.go | 0.00% <0.00%> (-100.00%) ⬇️ |
| pkg/agent/proxy/types/groupcounter.go | 0.00% <0.00%> (-95.00%) ⬇️ |
| pkg/controller/networkpolicy/tier.go | 0.00% <0.00%> (-90.00%) ⬇️ |
| pkg/apis/controlplane/register.go | 0.00% <0.00%> (-85.72%) ⬇️ |
| ... and 108 more | |

gran-vmv added the status/WIP (Work in progress) label Oct 12, 2020
gran-vmv force-pushed the tf-anp branch 5 times, most recently from 6df090b to 31f5a8a on October 14, 2020 09:54
jianjuns (Contributor) left a comment:

LGTM

Review thread on pkg/agent/openflow/client.go (resolved)
jianjuns previously approved these changes Oct 29, 2020

jianjuns (Contributor) left a comment:

The change LGTM, but I hope @wenyingd can review too.

Two outdated review threads on pkg/agent/openflow/pipeline.go (resolved)
@@ -738,6 +738,7 @@ func (c *client) InstallTraceflowFlows(dataplaneTag uint8) error {
flows := []binding.Flow{}
c.conjMatchFlowLock.Lock()
defer c.conjMatchFlowLock.Unlock()
// Copy default drop rules
for _, ctx := range c.globalConjMatchFlowCache {
if ctx.dropFlow != nil {
flows = append(
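Review bot: `defer c.conjMatchFlowLock.Unlock()` keeps conjMatchFlowLock held for the remainder of InstallTraceflowFlows, not only for the iteration over c.globalConjMatchFlowCache; if the flows appended here are installed into OVS further down in the same function, consider collecting the drop flows under the lock and releasing it before the install, so a slow or failing OVS round trip does not block other users of the same lock. The comment `// Copy default drop rules` would also read better if it said these are mirrored copies with a controller action for the Traceflow tag (as the PR description puts it), since a reader of the loop alone sees only the `ctx.dropFlow != nil` check.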
Contributor (review comment on the hunk above):

Having discussed this with @weiqiangt: after the metric flow is introduced, the actual "drop" action should happen in the XgressMetricTable, so I think we could add traceflow only in XgressMetricTable with the flow having "dropFlag". Otherwise, the flow in the default drop table is useless.

Contributor (review comment on the hunk above):

Thinking it over: as the metric flow doesn't record from which policy table the packet is resubmitted, does it affect the result of Traceflow? I mean we actually want to report that the packet is dropped by a K8s Policy Rule or an Antrea Policy Rule, but it seems the current implementation would report that the packet is dropped by the MetricTable.

gran-vmv (Author):

Will the K8s NetworkPolicy use the default drop table?
I think Traceflow needs to mock all NetworkPolicy flows with a "drop" action, including the default drop flow for K8s NetworkPolicy and XgressMetricTable for Antrea NetworkPolicy.

gran-vmv (Author):

We can identify this by the prefix in the networkPolicy property. This function was added by @tnqn.
Here is my test result:

  status:
    phase: Succeeded
    results:
    - node: gran-k8s0-2
      observations:
      - action: Forwarded
        component: SpoofGuard
      - action: Forwarded
        component: NetworkPolicy
        componentInfo: EgressRule
        networkPolicy: AntreaNetworkPolicy:default/test-anp
      - action: Dropped
        component: NetworkPolicy
        componentInfo: IngressMetric
        networkPolicy: AntreaNetworkPolicy:default/test-anp
      timestamp: 1603965404

gran-vmv force-pushed the tf-anp branch 2 times, most recently from 9ee4873 to 0bdc543 on November 3, 2020 01:44
abhiraut (Contributor) commented Nov 4, 2020

Can we target this for the 0.11 release?

@gran-vmv gran-vmv added this to the Antrea v0.11.0 release milestone Nov 5, 2020
gran-vmv (Author) commented Nov 6, 2020

> Can we target this for the 0.11 release?

Yes, this is for the 0.11 release.

antrea-bot (Collaborator):

Thanks for your PR.
Unit tests and code linters are run automatically every time the PR is updated.
E2e, conformance and network policy tests can only be triggered by a member of the vmware-tanzu organization. Regular contributors to the project should join the org.

The following commands are available:

  • /test-e2e: to trigger e2e tests.
  • /skip-e2e: to skip e2e tests.
  • /test-conformance: to trigger conformance tests.
  • /skip-conformance: to skip conformance tests.
  • /test-all-features-conformance: to trigger conformance tests with all alpha features enabled.
  • /skip-all-features-conformance: to skip conformance tests with all alpha features enabled.
  • /test-whole-conformance: to trigger all conformance tests on linux.
  • /skip-whole-conformance: to skip all conformance tests on linux.
  • /test-networkpolicy: to trigger networkpolicy tests.
  • /skip-networkpolicy: to skip networkpolicy tests.
  • /test-windows-conformance: to trigger windows conformance tests.
  • /skip-windows-conformance: to skip windows conformance tests.
  • /test-windows-networkpolicy: to trigger windows networkpolicy tests.
  • /skip-windows-networkpolicy: to skip windows networkpolicy tests.
  • /test-hw-offload: to trigger ovs hardware offload test.
  • /skip-hw-offload: to skip ovs hardware offload test.
  • /test-all: to trigger all tests (except whole conformance).
  • /skip-all: to skip all tests (except whole conformance).

gran-vmv force-pushed the tf-anp branch 3 times, most recently from d8065ef to a653390 on November 11, 2020 01:33

gran-vmv (Author):

/test-all

@gran-vmv gran-vmv merged commit 6c1a913 into antrea-io:master Nov 11, 2020
@gran-vmv gran-vmv deleted the tf-anp branch January 21, 2021 09:09
Linked issue (may be closed by merging this pull request): Support CNP in Traceflow
8 participants