26 Commits

Author SHA1 Message Date
Murali Reddy
7777b9a825 use Spec.PolicyTypes for the type of network policy (#883) 2020-04-23 08:19:26 +05:30
Filinto Duran
3e67159579 Update selectors to allow matchExpressions as well as matchLabels (#881)
--------------------------------------------
Copyright: Sony Interactive Entertainment Inc.

Co-authored-by: Author Name <Filinto.Duran@sony.com>
2020-04-21 16:17:00 +05:30
Murali Reddy
b5e9bd3069 intercept pod egress traffic going through the OUTPUT chain of filter table and run through the (#875)
network policies.

Fixes #609
2020-04-15 16:34:25 +05:30
Murali Reddy
4c764f5486 handle DeletedFinalStateUnknown objects in DeleteFunc handlers (#856)
* in DeleteFunc handlers across the controllers, handle the case where the received object can be of
type DeletedFinalStateUnknown

fixes one of the symptoms (panic on receiving DeletedFinalStateUnknown objects) reported in #712

* address review comments
2020-04-13 15:57:14 +05:30
Aaron U'Ren
19e563701e switch --set to less ambiguous --match-set (#874)
While --set is still ambiguous, it can clash with other module options,
so it is better to be more specific and use the --match-set option. This
also more closely aligns with all other areas of the code that already
use --match-set.

From iptables-extensions man page:
The option --match-set can be replaced by --set if that does not clash
with an option of other extensions.
2020-04-13 15:34:33 +05:30
Boris Djurdjevic
8bcd166c4c Fix connection resets during firewall sync (#807)
For very busy tcp connections there is a small possibility to receive
a TCP RST during the iptables sync.

A default `REJECT` rule is chronologically added before the allow-`RELATED,ESTABLISHED` rule for ingress and
egress connections.
Between the creation of these two rules, a connection reset can happen for already established connections.

This commit swaps the order of rule insertion.
2019-12-09 21:37:27 +05:30
Jérôme Poulin
94fd7b6d74 Send heartbeats during NetworkPolicy and NetworkService sync. (#741)
In reference to issue #725, we modified kube-router to send
heartbeats before starting policy sync to prevent missing
heartbeats while running iptables commands.

Signed-off-by: Jérôme Poulin <jeromepoulin@gmail.com>
2019-06-24 17:03:03 +05:30
Jimmy Zhang
736757d942 Support named port of network policy (#679)
* support named port of network policy

* gofmt
2019-04-20 23:57:25 +05:30
Lucas Mundim
00824cd84b Fix typo (#661) 2019-02-09 10:17:09 +05:30
Murali Reddy
62d0e866ad handle network policies with named ports gracefully (#648) 2019-01-28 16:22:09 +05:30
Jimmy Zhang
f07ec53589 avoid duplicate peer pods in npc rules variables (#634) 2019-01-24 12:37:34 +05:30
Adam Finn Tulinius
11ae253f12 Validate the presence of port definitions before attempting to access (#643)
This fixes #642, which causes kube-router to crash on valid network
policies, and also implements support for ingress and egress rules
without a port specified.
2019-01-21 11:10:57 +05:30
Joakim Karlsson
e5d599b14c Roffe/metrics polish (#595)
* update metrics docs & dashboard
* renamed `namespace` label to `svc_namespace` for service metrics as it would be overwritten by most Prometheus setups
* Made histograms for all the controller sync times for better visualization
* added `controller_routes_sync_time`, `controller_bgp_advertisements_sent` & `controller_policy_chains_sync_time` metrics
2018-12-07 16:22:41 +01:00
Jimmy Zhang
a47e0f4541 Add support for 'except' feature of network policy rule (#543)
* add support for 'except' feature in NPC

* support CIDR with zero prefix size in NPC
2018-10-03 12:50:37 +05:30
Lars Ekman
05907d8def Ipv6; Support ipset with "family inet6" (#538)
* Ipv6; Support ipset with "family inet6"

* Removed unnecessary comment
2018-09-23 12:42:52 +05:30
Jimmy Zhang
cadba6c863 Use ipset to manage multiple CIDRs in a network policy rule (#529)
* using ipset to manage multiple src CIDRs

* using ipset to manage multiple dst CIDRs

* soft-code the prefix of iptables chain name and ipset name

* gofmt
2018-09-18 18:31:28 +05:30
Jimmy Zhang
1b7ae13e2c make the comments of the iptables rules more accurate and reasonable (#527) 2018-09-10 23:36:00 +05:30
Jimmy Zhang
8bed56fb49 processing k8s version for NPC (#488) 2018-07-27 11:03:40 +05:30
Johan Thomsen
57f4eea2f4 Implemented the use of both namespaceSelector and podSelector in network policy peers (#475) (#479)
* Moved code for evaluation of policy peers into separate func to avoid code duplication

* Ensured fallback to policy namespace, if namespaceSelector is not set
2018-07-09 03:05:04 +00:00
Johan Thomsen
9934119955 Fix nwplcy re-sync issue (#477) (#478)
* use strconv for converting int64 to string

* change order of pod-fw sync, chain items have to be added before jumping to the chain starts

* added logging of syncversion, decreased logging verbosity+severity for planned chain cleanups
2018-07-04 10:58:03 +00:00
Johan Thomsen
58da2d412d Fix for network policy connection refused issue (#461) (#471)
* Instead of clearing the iptables firewall chains for each resync, new chains are now generated side-by-side with the existing ones.

* Chain naming now has an additional component, version, which ensures chain name uniqueness.

* Existing cleanup procedure for stale iptables rules will handle garbage collection of unused chains.
2018-06-21 16:39:24 +05:30
Andor Uhlár
7c21815b43 Report delay metrics as seconds, not nanos (#465)
* Report delay metrics as seconds, not nanos
* "ns" -> "s" labels in example dashboard
2018-06-13 16:29:41 +02:00
Murali Reddy
327a46d5ba fix race condition issues with health checks (#460)
* fix race condition issues with health checks

* better log message when skipping heartbeat
2018-06-07 17:29:19 +05:30
Murali Reddy
5c6a24d4d6 Fix NPE when performing cleanup() (#458)
* Fix NPE when performing cleanup()

* update cleanup documentation
2018-06-05 01:05:34 +07:00
Murali Reddy
09b2f13e13 fix the wrong lister used (#422) 2018-05-04 18:04:57 +05:30
Murali Reddy
05bec8b385 break controller package to independent packages (#405) 2018-04-22 13:25:58 +00:00
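Added example, not code from kube-router or any of the commits above: a check a practitioner can run over `iptables-save` output to verify the rule ordering that commit 8bcd166c4c (#807) requires, namely that the allow-`RELATED,ESTABLISHED` rule sits before the default `REJECT` in each pod firewall chain, since a `REJECT` that is evaluated first sends a TCP RST to established connections while the chain is being rebuilt. The sample `iptables-save` text, the chain names and the `KUBE-POD-FW-` prefix are constructed for this illustration and are assumptions, not captured from a real node.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// SampleSave is constructed iptables-save output (not captured from a real
// node). The chain names and the KUBE-POD-FW- prefix are assumptions made for
// this example. GOOD has the ordering the fix requires; BAD has the old one.
const SampleSave = `*filter
:KUBE-POD-FW-GOOD - [0:0]
:KUBE-POD-FW-BAD - [0:0]
-A KUBE-POD-FW-GOOD -m comment --comment "run through network policies" -j KUBE-NWPLCY-EXAMPLE
-A KUBE-POD-FW-GOOD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A KUBE-POD-FW-GOOD -m mark --mark 0x10000/0x10000 -j ACCEPT
-A KUBE-POD-FW-GOOD -j REJECT --reject-with icmp-port-unreachable
-A KUBE-POD-FW-BAD -j REJECT --reject-with icmp-port-unreachable
-A KUBE-POD-FW-BAD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
`

// ChainCheck records where the two rules of interest sit within one chain
// (0-based position among that chain's -A rules, -1 when absent).
type ChainCheck struct {
	Chain       string
	AcceptIndex int
	RejectIndex int
}

// OK is true when established traffic is accepted before the default REJECT
// can send an RST; a chain with no REJECT cannot reset anything.
func (c ChainCheck) OK() bool {
	if c.RejectIndex < 0 {
		return true
	}
	return c.AcceptIndex >= 0 && c.AcceptIndex < c.RejectIndex
}

// CheckRuleOrder parses iptables-save text and returns a ChainCheck for every
// chain whose name starts with prefix. Only "-A <chain> ..." lines count as
// rules; the ":<chain>" declarations and table markers are skipped.
func CheckRuleOrder(save, prefix string) map[string]ChainCheck {
	results := map[string]ChainCheck{}
	nextIdx := map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(save))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		fields := strings.Fields(line)
		if len(fields) < 2 || fields[0] != "-A" {
			continue
		}
		chain := fields[1]
		if !strings.HasPrefix(chain, prefix) {
			continue
		}
		idx := nextIdx[chain]
		nextIdx[chain] = idx + 1
		c, seen := results[chain]
		if !seen {
			c = ChainCheck{Chain: chain, AcceptIndex: -1, RejectIndex: -1}
		}
		isAcceptEstablished := strings.Contains(line, "--ctstate RELATED,ESTABLISHED") &&
			strings.Contains(line, "-j ACCEPT")
		isReject := strings.Contains(line, "-j REJECT")
		if isAcceptEstablished && c.AcceptIndex < 0 {
			c.AcceptIndex = idx
		}
		if isReject && c.RejectIndex < 0 {
			c.RejectIndex = idx
		}
		results[chain] = c
	}
	return results
}

// Violations lists the chains that fail the ordering check, sorted by name.
func Violations(checks map[string]ChainCheck) []string {
	var bad []string
	for name, c := range checks {
		if !c.OK() {
			bad = append(bad, name)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	checks := CheckRuleOrder(SampleSave, "KUBE-POD-FW-")
	for _, name := range Violations(checks) {
		c := checks[name]
		fmt.Printf("%s: REJECT at rule %d precedes RELATED,ESTABLISHED ACCEPT at rule %d\n",
			name, c.RejectIndex, c.AcceptIndex)
	}
}
```

On a real node, feed `iptables-save -t filter` into `CheckRuleOrder` instead of the constant; the check only looks at `-A` lines, so it works on the full dump. It only detects the ordering within a chain, not the transient window during a sync, so run it after a sync has settled.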