Audit Logging support K8s Networkpolicy

[qiyueyao]

Previously audit logging only works for Antrea NetworkPolicy and ClusterNetworkPolicy when setting the enableLogging field in the rule. This PR is to address this issue.

Method overview of this PR is at this design doc.

To enable logging for K8s NetworkPolicy, set annotations in metadata for the Namespace as policy.antrea.io/enable-np-logging: "true". Then K8s NetworkPolicy applied to this Namespace will be logged in the directory /var/log/antrea/networkpolicy/np.log.

[codecov]

Codecov Report

Merging #4047 (dca7cee) into main (454df5d) will increase coverage by 3.89%.
The diff coverage is 70.54%.

❗ Current head dca7cee differs from pull request most recent head 6b8a815. Consider uploading reports for the commit 6b8a815 to get more accurate results

@@            Coverage Diff             @@
##             main    #4047      +/-   ##
==========================================
+ Coverage   64.25%   68.15%   +3.89%     
==========================================
  Files         294      297       +3     
  Lines       44805    45699     +894     
==========================================
+ Hits        28789    31145    +2356     
+ Misses      13687    12202    -1485     
- Partials     2329     2352      +23     

Flag	Coverage Δ		*Carryforward flag
e2e-tests	40.68% <58.75%> (?)
integration-tests	35.44% <42.46%> (?)		Carriedforward from 26ac871
kind-e2e-tests	51.08% <71.42%> (+0.79%)	⬆️	Carriedforward from 26ac871
unit-tests	44.37% <51.30%> (+0.04%)	⬆️	Carriedforward from 26ac871

*This pull request uses carry forward flags. Click here to find out more.

Impacted Files	Coverage Δ
multicluster/cmd/multicluster-controller/leader.go	0.00% <0.00%> (ø)
multicluster/cmd/multicluster-controller/member.go	0.00% <0.00%> (ø)
pkg/agent/openflow/client.go	70.30% <ø> (+4.26%)	⬆️
pkg/agent/controller/networkpolicy/reconciler.go	71.51% <16.66%> (ø)
...g/controller/networkpolicy/clusternetworkpolicy.go	61.85% <55.55%> (-6.33%)	⬇️
...uster/controllers/multicluster/stale_controller.go	69.09% <64.51%> (+17.37%)	⬆️
pkg/agent/openflow/network_policy.go	79.46% <88.57%> (+1.89%)	⬆️
...kg/agent/controller/networkpolicy/audit_logging.go	90.71% <90.00%> (+6.68%)	⬆️
...lers/multicluster/commonarea/remote_common_area.go	69.79% <100.00%> (+42.04%)	⬆️
pkg/agent/controller/networkpolicy/packetin.go	76.35% <100.00%> (+3.37%)	⬆️
... and 66 more

[qiyueyao]

Reviewers, there's a problem for the Namespace UPDATE event. When modifying the drop flow in an UPDATE event, we might need to compare the previous drop flow and the newly generated one to determine if a modification is necessary. Code here.
Currently the method is to always modify the drop flow due to lack of available information. If we want to compare the flows, we need to change the Flow struct to add useful methods, which involves much more changes to the OVS struct.
Any suggestions or thoughts? Thanks.

[tnqn]

please use structured logging for new logs, but here the error can be ignored, as this is in-memory operation, List call will never return an error.

[tnqn]

Calling the event handler directly would introduce another race condition similar to the ones I'm trying to fix via #4028:

1. updateNamespace gets NP from lister and calls updateNetworkPolicy
2. A NP update event updates NP in lister and triggers updateNetworkPolicy with new object
3. updateNetworkPolicy triggered in step 2 finished and updated internal NP
4. updateNetworkPolicy triggered in step 1 finished and overrided internal NP with a stale state

But I don't have a good solution to quickly fix it in this patch without refactoring the workflow like I did in #4028. Perhaps we could handle the annotation update case later and wait for #4028 refactoring the workflow first, or we would risky NetworkPolicies working in stale state.

[tnqn]

Reviewers, there's a problem for the Namespace UPDATE event. When modifying the drop flow in an UPDATE event, we might need to compare the previous drop flow and the newly generated one to determine if a modification is necessary. Code here. Currently the method is to always modify the drop flow due to lack of available information. If we want to compare the flows, we need to change the Flow struct to add useful methods, which involves much more changes to the OVS struct. Any suggestions or thoughts? Thanks.

If enableLogging changes, the ID of rule also changes, the original rule would be deleted and the new rule would be installed:

antrea/pkg/agent/controller/networkpolicy/cache.go

Lines 650 to 665 in 2a37aec

	rule := &rule{
	Direction: r.Direction,
	From: r.From,
	To: r.To,
	Services: r.Services,
	Action: r.Action,
	Priority: r.Priority,
	PolicyPriority: policy.Priority,
	TierPriority: policy.TierPriority,
	AppliedToGroups: appliedToGroups,
	Name: r.Name,
	PolicyUID: policy.UID,
	SourceRef: policy.SourceRef,
	EnableLogging: r.EnableLogging,
	}
	rule.ID = hashRule(rule)

So it's already handled. Otherwise current code won't work because reconciler doesn't call functions like AddPolicyRuleAddress for a previously install rule if there is no address change.

I guess Code is not needed?

[qiyueyao]

So it's already handled. Otherwise current code won't work because reconciler doesn't call functions like AddPolicyRuleAddress for a previously install rule if there is no address change.
I guess Code is not needed?

Probably I didn't express it clearly, for the flow generated by the rule directly, it indeed changes due to ruleID update, so the IngressRuleTable is updated correspondingly.
However, for K8s NetworkPolicies, the default drop flow in IngressDefaultTable would not update since address was not changed. The pathway is Reconcile->add->installOFRule->InstallPolicyRuleFlows->calculateMatchFlowChangesForRule, calculateChangesForRuleCreation->addAddrFlows->addConjunctiveMatchFlow. In this function, it searches for globalConjMatchFlowCache where the key only depends on tableID, priority and matchPairs, it does not depend on enableLogging.
I did some tests as well, Code here is the place to update default drop flow by K8s NP, but the problem remains whether to compare the flows so that we only update when it is necessary. If we need to compare but there is no easy way to modify Flow, then I believe the UPDATE event should be marked TODO, to be solved together with the race condition in a future PR. Thanks.

[tnqn]

@qiyueyao thanks for the explanation. Now I understand the problem is the dropFlow is not specific to a rule but specific to a match condition. Then does it work if we store enableLogging in conjMatchFlowContext and update the dropFlow when it changes?

[GraysonWu]

I think Quan's suggestion could work. Since we only use it for dropFlow, maybe name it as something like: dropFlowEnableLogging?

[qiyueyao]

Storing enableLogging in conjMatchFlowContext works, the latest commit updates that and is ready. Thanks!

[salv-orlando]

As a reader (a probably bad one :)) I understand that if an agent is restarted, users should not be updated the namespace logging annotation anymore.

If I am not mistaken, the concept to convey is that events where the namespace annotation is processed concurrently with the network policy, such as agent restart, might trigger a risk of having stale NetworkPolicy info realized. If my understanding is correct, we might consider a little rephrasing above.

[tnqn]

@salv-orlando The race condition was explained here: #4047 (comment). I think we should remove this restriction in this release. It would be a simple change after #4028 is merged. I was waiting for these feature PRs to be merged first, otherwise all of them need to address many conflicts caused by the refactoring by #4028

[jianjuns]

I do not get what exact issues can happen under what exact conditions either. Could you explain more? @qiyueyao

[jianjuns]

I guess we are talking about two issues here:

1. We do not handle annotation changes after a NetworkPolicies are created.
2. For agent restart (before? after? during?), users cannot change the Namespace annotation, otherwise we can run into some issues (but what issues? What does "working in a stale state means"?

[qiyueyao]

Discussed offline and opened follow up PR #4099.

[salv-orlando]

I assume this will also work if the namespace annotation is changed while the antrea agent is down, as this code will be invoked upon agent restart. Is that correct?

[qiyueyao]

Actually there is another pathway for agent restart BatchInstallPolicyRuleFlows -> addRuleToConjunctiveMatch -> addActionToConjunctiveMatch especially for batch install, which is triggered upon Antrea agent restart.

[tnqn]

It should not ignore the error since this access K8s API, which could fail because of several reasons, otherwise the following code would panic because ns is nil

[tnqn]

The returned error should checked

failOnError(data.updateNamespaceWithAnnotations(namespaces["x"], map[string]string{networkpolicy.EnableNPLoggingAnnotationKey: "true"}), t)

[qiyueyao]

Changed in follow up PR #4099.

[tnqn]

@salv-orlando The race condition was explained here: #4047 (comment). I think we should remove this restriction in this release. It would be a simple change after #4028 is merged. I was waiting for these feature PRs to be merged first, otherwise all of them need to address many conflicts caused by the refactoring by #4028

[tnqn]

/test-all

[tnqn]

Will merge the PR as is. We could improve the tests via separate PR

[tnqn]

@qiyueyao I had to rewrite the commit message and close the corresponding issue manually when merging the PR. Could you please write detailed commit message (and perhaps squash commits timely) for future PRs? If you prefer appending commits instead of force pushing, the first commit should have a proper commit message which could be used when merging.

The PR description and commit message should use the well known format to link the issue, like "Fixes #XXX", instead of a hyperlink "This PR is to address this issue", which couldn't close issue automatically. You could find more details here.