From 8a2783a33c84283498894dd867da30cf20e932fd Mon Sep 17 00:00:00 2001 From: rejain456 Date: Wed, 18 Dec 2024 17:25:42 -0800 Subject: [PATCH 01/15] updated CNS for adding default deny acl's --- cns/NetworkContainerContract.go | 3 ++ cns/middlewares/k8sSwiftV2.go | 37 +++++++++++--- cns/middlewares/k8sSwiftV2_linux.go | 4 ++ cns/middlewares/k8sSwiftV2_linux_test.go | 14 +++--- cns/middlewares/k8sSwiftV2_windows.go | 64 ++++++++++++++++++++++++ 5 files changed, 107 insertions(+), 15 deletions(-) diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go index 394f871f09..18829c3f8b 100644 --- a/cns/NetworkContainerContract.go +++ b/cns/NetworkContainerContract.go @@ -7,6 +7,7 @@ import ( "strconv" "strings" + "github.com/Azure/azure-container-networking/cni" "github.com/Azure/azure-container-networking/cns/types" "github.com/Azure/azure-container-networking/crd/nodenetworkconfig/api/v1alpha" "github.com/google/uuid" @@ -503,6 +504,8 @@ type PodIpInfo struct { Routes []Route // PnpId is set for backend interfaces, Pnp Id identifies VF. Plug and play id(pnp) is also called as PCI ID PnPID string + // Defauly Deny ACL's to configure on HNS endpoints for Swiftv2 window nodes + DefaultDenyACL []cni.KVPair } type HostIPInfo struct { diff --git a/cns/middlewares/k8sSwiftV2.go b/cns/middlewares/k8sSwiftV2.go index a11290c205..2cb9937d88 100644 --- a/cns/middlewares/k8sSwiftV2.go +++ b/cns/middlewares/k8sSwiftV2.go 
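Review bot: The new `DefaultDenyACL []cni.KVPair` field makes the `cns` contract package depend on `cni`, and code under `cni/` already depends on `cns` (see the `cni/network` test imports later in this series), so this very likely creates an import cycle; the shared `KVPair` type should live in a package below both rather than in `cni`. The field comment also has a typo and vague wording; suggest `// DefaultDenyACL holds the default-deny ACL endpoint policies to configure on HNS endpoints for SwiftV2 Windows nodes.`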
@@ -40,7 +40,9 @@ var _ cns.IPConfigsHandlerMiddleware = (*K8sSWIFTv2Middleware)(nil) // and release IP configs handlers. func (k *K8sSWIFTv2Middleware) IPConfigsRequestHandlerWrapper(defaultHandler, failureHandler cns.IPConfigsHandlerFunc) cns.IPConfigsHandlerFunc { return func(ctx context.Context, req cns.IPConfigsRequest) (*cns.IPConfigsResponse, error) { - podInfo, respCode, message := k.validateIPConfigsRequest(ctx, &req) + podInfo, respCode, message, defaultDenyACLbool := k.validateIPConfigsRequest(ctx, &req) + + logger.Printf("defaultDenyACLbool value is: %v", defaultDenyACLbool) if respCode != types.Success { return &cns.IPConfigsResponse{ @@ -55,6 +57,19 @@ func (k *K8sSWIFTv2Middleware) IPConfigsRequestHandlerWrapper(defaultHandler, fa if !req.SecondaryInterfacesExist { return ipConfigsResp, err } + + // ipConfigsResp has infra IP configs -> if defaultDenyACLbool is enabled, add the default deny acl's pn the infra IP configs + for i := range ipConfigsResp.PodIPInfo { + ipInfo := &ipConfigsResp.PodIPInfo[i] + // there will be no pod connectivity to and from those pods + if defaultDenyACLbool { + err = addDefaultDenyACL(ipInfo) + if err != nil { + logger.Errorf("failed to add default deny acl's for pod %v with err %v", podInfo.Name(), err) + } + } + } + // If the pod is v2, get the infra IP configs from the handler first and then add the SWIFTv2 IP config defer func() { // Release the default IP config if there is an error 
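Review bot: `logger.Printf("defaultDenyACLbool value is: %v", defaultDenyACLbool)` runs before `respCode` is checked, so it is emitted for every request including ones that fail validation, and it carries no pod identifier to correlate with. Either drop it or move it below the `respCode != types.Success` return and key it by pod: `logger.Printf("[SWIFTv2Middleware] pod %s defaultDenyACL: %v", podInfo.Name(), defaultDenyACLbool)`. IPConfigsRequestHandlerWrapper continues outside the hunk.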
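Review bot: A failure from `addDefaultDenyACL(ipInfo)` is only logged, so a pod whose MTPNC asked for default-deny isolation still receives its infra IP config with no deny policy attached — the isolation fails open. This should return a failure response the same way the `respCode != types.Success` branch above does, instead of continuing. Note also that the result is assigned into the outer `err` that the deferred "Release the default IP config if there is an error" closure below appears to inspect; if that closure reads `err`, a logged-but-ignored failure may release the IP config while the caller is still handed a success response — confirm. The deferred closure and the rest of the function lie outside the hunk.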
@@ -102,19 +117,21 @@ func (k *K8sSWIFTv2Middleware) IPConfigsRequestHandlerWrapper(defaultHandler, fa // validateIPConfigsRequest validates if pod is multitenant by checking the pod labels, used in SWIFT V2 AKS scenario. // nolint -func (k *K8sSWIFTv2Middleware) validateIPConfigsRequest(ctx context.Context, req *cns.IPConfigsRequest) (podInfo cns.PodInfo, respCode types.ResponseCode, message string) { +func (k *K8sSWIFTv2Middleware) validateIPConfigsRequest(ctx context.Context, req *cns.IPConfigsRequest) (podInfo cns.PodInfo, respCode types.ResponseCode, message string, defaultDenyACL bool) { + defaultDenyACLbool := false + // Retrieve the pod from the cluster podInfo, err := cns.UnmarshalPodInfo(req.OrchestratorContext) if err != nil { errBuf := errors.Wrapf(err, "failed to unmarshalling pod info from ipconfigs request %+v", req) - return nil, types.UnexpectedError, errBuf.Error() + return nil, types.UnexpectedError, errBuf.Error(), defaultDenyACLbool } logger.Printf("[SWIFTv2Middleware] validate ipconfigs request for pod %s", podInfo.Name()) podNamespacedName := k8stypes.NamespacedName{Namespace: podInfo.Namespace(), Name: podInfo.Name()} pod := v1.Pod{} if err := k.Cli.Get(ctx, podNamespacedName, &pod); err != nil { errBuf := errors.Wrapf(err, "failed to get pod %+v", podNamespacedName) - return nil, types.UnexpectedError, errBuf.Error() + return nil, types.UnexpectedError, errBuf.Error(), defaultDenyACLbool } // check the pod labels for Swift V2, set the request's SecondaryInterfaceSet flag to true and check if its MTPNC CRD is ready 
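Review bot: The signature adds a named result `defaultDenyACL bool`, but the body declares and returns a separate local `defaultDenyACLbool`, leaving the named result unused and two near-identical names in scope. Drop the local, return `false` explicitly on the error paths (`return nil, types.UnexpectedError, errBuf.Error(), false`), and assign the named result where the value is known (`defaultDenyACL = mtpnc.Status.DefaultDenyACL`). The bare `// nolint` above the function should name the linter it silences, and the doc comment should mention the new result. The function body continues past the hunk.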
@@ -126,12 +143,16 @@ func (k *K8sSWIFTv2Middleware) validateIPConfigsRequest(ctx context.Context, req mtpnc := v1alpha1.MultitenantPodNetworkConfig{} mtpncNamespacedName := k8stypes.NamespacedName{Namespace: podInfo.Namespace(), Name: podInfo.Name()} if err := k.Cli.Get(ctx, mtpncNamespacedName, &mtpnc); err != nil { - return nil, types.UnexpectedError, fmt.Errorf("failed to get pod's mtpnc from cache : %w", err).Error() + return nil, types.UnexpectedError, fmt.Errorf("failed to get pod's mtpnc from cache : %w", err).Error(), defaultDenyACLbool } // Check if the MTPNC CRD is ready. If one of the fields is empty, return error if !mtpnc.IsReady() { - return nil, types.UnexpectedError, errMTPNCNotReady.Error() + return nil, types.UnexpectedError, errMTPNCNotReady.Error(), defaultDenyACLbool } + + // copying defaultDenyACL bool from mtpnc + defaultDenyACLbool = mtpnc.Status.DefaultDenyACL + // If primary Ip is set in status field, it indicates the presence of secondary interfaces if mtpnc.Status.PrimaryIP != "" { req.SecondaryInterfacesExist = true @@ -140,7 +161,7 @@ func (k *K8sSWIFTv2Middleware) validateIPConfigsRequest(ctx context.Context, req for _, interfaceInfo := range interfaceInfos { if interfaceInfo.DeviceType == v1alpha1.DeviceTypeInfiniBandNIC { if interfaceInfo.MacAddress == "" || interfaceInfo.NCID == "" { - return nil, types.UnexpectedError, errMTPNCNotReady.Error() + return nil, types.UnexpectedError, errMTPNCNotReady.Error(), defaultDenyACLbool } req.BackendInterfaceExist = true req.BackendInterfaceMacAddresses = append(req.BackendInterfaceMacAddresses, interfaceInfo.MacAddress) 
@@ -154,7 +175,7 @@ func (k *K8sSWIFTv2Middleware) validateIPConfigsRequest(ctx context.Context, req logger.Printf("[SWIFTv2Middleware] pod %s has secondary interface : %v", podInfo.Name(), req.SecondaryInterfacesExist) logger.Printf("[SWIFTv2Middleware] pod %s has backend interface : %v", podInfo.Name(), req.BackendInterfaceExist) // retrieve podinfo from orchestrator context - return podInfo, types.Success, "" + return podInfo, types.Success, "", defaultDenyACLbool } // getIPConfig returns the pod's SWIFT V2 IP configuration. diff --git a/cns/middlewares/k8sSwiftV2_linux.go b/cns/middlewares/k8sSwiftV2_linux.go index e9a93de0e2..99b8ae7846 100644 --- a/cns/middlewares/k8sSwiftV2_linux.go +++ b/cns/middlewares/k8sSwiftV2_linux.go @@ -103,3 +103,7 @@ func (k *K8sSWIFTv2Middleware) assignSubnetPrefixLengthFields(_ *cns.PodIpInfo, } func (k *K8sSWIFTv2Middleware) addDefaultRoute(*cns.PodIpInfo, string) {} + +func addDefaultDenyACL(_ *cns.PodIpInfo) error { + return nil +} diff --git a/cns/middlewares/k8sSwiftV2_linux_test.go b/cns/middlewares/k8sSwiftV2_linux_test.go index 76be6b2149..8d42f8cfe1 100644 --- a/cns/middlewares/k8sSwiftV2_linux_test.go +++ b/cns/middlewares/k8sSwiftV2_linux_test.go @@ -144,7 +144,7 @@ func TestValidateMultitenantIPConfigsRequestSuccess(t *testing.T) { happyReq.OrchestratorContext = b happyReq.SecondaryInterfacesExist = false - _, respCode, err := middleware.validateIPConfigsRequest(context.TODO(), happyReq) + _, respCode, err, _ := middleware.validateIPConfigsRequest(context.TODO(), happyReq) assert.Equal(t, err, "") assert.Equal(t, respCode, types.Success) assert.Equal(t, happyReq.SecondaryInterfacesExist, true) 
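Review bot: The Linux `addDefaultDenyACL` returns nil unconditionally, so a pod whose MTPNC sets `DefaultDenyACL` on a Linux node is reported as successfully isolated when nothing was applied. If the feature is Windows-only, say so on the stub — `// addDefaultDenyACL is a no-op on Linux; default-deny endpoint policies are only applied to HNS endpoints on Windows nodes.` — and have the caller log that the flag was ignored so the gap is visible operationally instead of silently succeeding.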
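Review bot: Every updated call site discards the new fourth return with `_`, so no test asserts that `validateIPConfigsRequest` reports `mtpnc.Status.DefaultDenyACL`; the `@@ -158`, `@@ -172`, `@@ -188` and `@@ -198` hunks in this file have the same gap. At least one success case should fixture an MTPNC with `DefaultDenyACL: true` (assuming the mock client can serve it) and assert the value: `_, respCode, err, defaultDeny := middleware.validateIPConfigsRequest(context.TODO(), happyReq)` followed by `assert.Equal(t, defaultDeny, true)`.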
@@ -158,7 +158,7 @@ func TestValidateMultitenantIPConfigsRequestSuccess(t *testing.T) { happyReq2.OrchestratorContext = b happyReq2.SecondaryInterfacesExist = false - _, respCode, err = middleware.validateIPConfigsRequest(context.TODO(), happyReq2) + _, respCode, err, _ = middleware.validateIPConfigsRequest(context.TODO(), happyReq2) assert.Equal(t, err, "") assert.Equal(t, respCode, types.Success) assert.Equal(t, happyReq.SecondaryInterfacesExist, true) @@ -172,7 +172,7 @@ func TestValidateMultitenantIPConfigsRequestSuccess(t *testing.T) { happyReq3.OrchestratorContext = b happyReq3.SecondaryInterfacesExist = false - _, respCode, err = middleware.validateIPConfigsRequest(context.TODO(), happyReq3) + _, respCode, err, _ = middleware.validateIPConfigsRequest(context.TODO(), happyReq3) assert.Equal(t, err, "") assert.Equal(t, respCode, types.Success) assert.Equal(t, happyReq3.SecondaryInterfacesExist, false) @@ -188,7 +188,7 @@ func TestValidateMultitenantIPConfigsRequestFailure(t *testing.T) { InfraContainerID: testPod1Info.InfraContainerID(), } failReq.OrchestratorContext = []byte("invalid") - _, respCode, _ := middleware.validateIPConfigsRequest(context.TODO(), failReq) + _, respCode, _, _ := middleware.validateIPConfigsRequest(context.TODO(), failReq) assert.Equal(t, respCode, types.UnexpectedError) // Pod doesn't exist in cache test 
@@ -198,19 +198,19 @@ func TestValidateMultitenantIPConfigsRequestFailure(t *testing.T) { } b, _ := testPod2Info.OrchestratorContext() failReq.OrchestratorContext = b - _, respCode, _ = middleware.validateIPConfigsRequest(context.TODO(), failReq) + _, respCode, _, _ = middleware.validateIPConfigsRequest(context.TODO(), failReq) assert.Equal(t, respCode, types.UnexpectedError) // Failed to get MTPNC b, _ = testPod3Info.OrchestratorContext() failReq.OrchestratorContext = b - _, respCode, _ = middleware.validateIPConfigsRequest(context.TODO(), failReq) + _, respCode, _, _ = middleware.validateIPConfigsRequest(context.TODO(), failReq) assert.Equal(t, respCode, types.UnexpectedError) // MTPNC not ready b, _ = testPod4Info.OrchestratorContext() failReq.OrchestratorContext = b - _, respCode, _ = middleware.validateIPConfigsRequest(context.TODO(), failReq) + _, respCode, _, _ = middleware.validateIPConfigsRequest(context.TODO(), failReq) assert.Equal(t, respCode, types.UnexpectedError) } diff --git a/cns/middlewares/k8sSwiftV2_windows.go b/cns/middlewares/k8sSwiftV2_windows.go index 2be2fbd1df..64c9bd02c9 100644 --- a/cns/middlewares/k8sSwiftV2_windows.go +++ b/cns/middlewares/k8sSwiftV2_windows.go @@ -1,9 +1,14 @@ package middlewares import ( + "encoding/json" + + "github.com/Azure/azure-container-networking/cni" "github.com/Azure/azure-container-networking/cns" + "github.com/Azure/azure-container-networking/cns/logger" "github.com/Azure/azure-container-networking/cns/middlewares/utils" "github.com/Azure/azure-container-networking/crd/multitenancy/api/v1alpha1" + "github.com/Microsoft/hcsshim/hcn" "github.com/pkg/errors" ) 
@@ -58,3 +63,62 @@ func (k *K8sSWIFTv2Middleware) addDefaultRoute(podIPInfo *cns.PodIpInfo, gwIP st } podIPInfo.Routes = append(podIPInfo.Routes, route) } + +// append the default deny acl's to the list defaultDenyACL field in podIpInfo +func addDefaultDenyACL(podIpInfo *cns.PodIpInfo) error { + blockEgressACL, err := getDefaultDenyACLPolicy(hcn.DirectionTypeOut) + if err != nil { + return errors.Wrap(err, "Failed to create default deny ACL policy egress") + } + + blockIngressACL, err := getDefaultDenyACLPolicy(hcn.DirectionTypeIn) + if err != nil { + return errors.Wrap(err, "Failed to create default deny ACL policy ingress") + } + + additionalArgs := []cni.KVPair{ + { + Name: "EndpointPolicy", + Value: blockEgressACL, + }, + { + Name: "EndpointPolicy", + Value: blockIngressACL, + }, + } + + podIpInfo.DefaultDenyACL = append(podIpInfo.DefaultDenyACL, additionalArgs...) + + logger.Printf("The length of podIpInfo.DefaultDenyACL is: %v", len(podIpInfo.DefaultDenyACL)) + + return nil +} + +// create the default deny acl's that need to be added to the list defaultDenyACL field in podIpInfo +func getDefaultDenyACLPolicy(direction hcn.DirectionType) ([]byte, error) { + const DefaultDenyPriority = 10000 + const policyType = "ACL" + type DefaultDenyACL struct { + Type string `json:"Type"` + Action hcn.ActionType `json:"Action"` + Direction hcn.DirectionType `json:"Direction"` + Priority int `json:"Priority"` + } + + denyACL := DefaultDenyACL{ + Type: policyType, + Action: hcn.ActionTypeBlock, + Direction: direction, + Priority: DefaultDenyPriority, + } + + denyACLJSON, err := json.Marshal(denyACL) + + logger.Printf("ACL Created for direction %s is : %s", direction, denyACLJSON) + + if err != nil { + return nil, errors.Wrap(err, "error marshalling default deny policy to json") + } + + return denyACLJSON, nil +} From 0ad9230acc964040136b8e0061f2e1dc3bf9a653 Mon Sep 17 00:00:00 2001 
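Review bot: In `getDefaultDenyACLPolicy` the marshalled JSON is logged before `err` from `json.Marshal` is checked, so a failed marshal logs an empty payload; move the `if err != nil` block above the `logger.Printf`. The doc comments on both new functions should open with the identifier per Go convention, e.g. `// addDefaultDenyACL appends block-in and block-out ACL endpoint policies to podIpInfo.DefaultDenyACL.` The `DefaultDenyPriority` constant needs a comment on how 10000 orders against other ACLs on the endpoint (I believe HNS evaluates lower priority values first, so any allow rule must use a value below this — confirm against the HNS documentation). Error strings such as `"Failed to create default deny ACL policy egress"` should be lowercase per Go style.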
From: rejain456 Date: Fri, 20 Dec 2024 01:02:08 -0800 Subject: [PATCH 02/15] added infra nic change --- cns/middlewares/k8sSwiftV2.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cns/middlewares/k8sSwiftV2.go b/cns/middlewares/k8sSwiftV2.go index 2cb9937d88..881c6f8ec5 100644 --- a/cns/middlewares/k8sSwiftV2.go +++ b/cns/middlewares/k8sSwiftV2.go @@ -62,7 +62,7 @@ func (k *K8sSWIFTv2Middleware) IPConfigsRequestHandlerWrapper(defaultHandler, fa for i := range ipConfigsResp.PodIPInfo { ipInfo := &ipConfigsResp.PodIPInfo[i] // there will be no pod connectivity to and from those pods - if defaultDenyACLbool { + if defaultDenyACLbool && ipInfo.NICType == cns.InfraNIC { err = addDefaultDenyACL(ipInfo) if err != nil { logger.Errorf("failed to add default deny acl's for pod %v with err %v", podInfo.Name(), err) From b4534d4dd9e26186dd2ae1acb0f03d25235e0b90 Mon Sep 17 00:00:00 2001 From: rejain456 Date: Fri, 20 Dec 2024 16:45:08 -0800 Subject: [PATCH 03/15] added unit tests --- cns/middlewares/k8sSwiftV2_windows.go | 5 -- cns/middlewares/k8sSwiftV2_windows_test.go | 73 ++++++++++++++++++++++ 2 files changed, 73 insertions(+), 5 deletions(-) diff --git a/cns/middlewares/k8sSwiftV2_windows.go b/cns/middlewares/k8sSwiftV2_windows.go index 64c9bd02c9..545b1ffd8f 100644 --- a/cns/middlewares/k8sSwiftV2_windows.go +++ b/cns/middlewares/k8sSwiftV2_windows.go @@ -5,7 +5,6 @@ import ( "github.com/Azure/azure-container-networking/cni" "github.com/Azure/azure-container-networking/cns" - "github.com/Azure/azure-container-networking/cns/logger" "github.com/Azure/azure-container-networking/cns/middlewares/utils" "github.com/Azure/azure-container-networking/crd/multitenancy/api/v1alpha1" "github.com/Microsoft/hcsshim/hcn" 
@@ -89,8 +88,6 @@ func addDefaultDenyACL(podIpInfo *cns.PodIpInfo) error { podIpInfo.DefaultDenyACL = append(podIpInfo.DefaultDenyACL, additionalArgs...) - logger.Printf("The length of podIpInfo.DefaultDenyACL is: %v", len(podIpInfo.DefaultDenyACL)) - return nil } @@ -114,8 +111,6 @@ func getDefaultDenyACLPolicy(direction hcn.DirectionType) ([]byte, error) { denyACLJSON, err := json.Marshal(denyACL) - logger.Printf("ACL Created for direction %s is : %s", direction, denyACLJSON) - if err != nil { return nil, errors.Wrap(err, "error marshalling default deny policy to json") } diff --git a/cns/middlewares/k8sSwiftV2_windows_test.go b/cns/middlewares/k8sSwiftV2_windows_test.go index dab24685f9..2eb9ccd61f 100644 --- a/cns/middlewares/k8sSwiftV2_windows_test.go +++ b/cns/middlewares/k8sSwiftV2_windows_test.go @@ -1,12 +1,15 @@ package middlewares import ( + "encoding/json" "reflect" "testing" + "github.com/Azure/azure-container-networking/cni" "github.com/Azure/azure-container-networking/cns" "github.com/Azure/azure-container-networking/cns/middlewares/mock" "github.com/Azure/azure-container-networking/crd/multitenancy/api/v1alpha1" + "github.com/stretchr/testify/require" "gotest.tools/v3/assert" ) 
@@ -100,3 +103,73 @@ func TestAddDefaultRoute(t *testing.T) { t.Errorf("got '%+v', expected '%+v'", ipInfo.Routes, expectedRoutes) } } + +func TestAddDefaultDenyACL(t *testing.T) { + valueOut := []byte(`{ + "Type": "ACL", + "Action": "Block", + "Direction": "Out", + "Priority": 10000 + }`) + + valueIn := []byte(`{ + "Type": "ACL", + "Action": "Block", + "Direction": "In", + "Priority": 10000 + }`) + + expectedDefaultDenyACL := []cni.KVPair{ + { + Name: "EndpointPolicy", + Value: valueOut, + }, + { + Name: "EndpointPolicy", + Value: valueIn, + }, + } + + podIPInfo := cns.PodIpInfo{ + PodIPConfig: cns.IPSubnet{ + IPAddress: "20.240.1.242", + PrefixLength: 32, + }, + NICType: cns.DelegatedVMNIC, + MacAddress: "12:34:56:78:9a:bc", + } + + err := addDefaultDenyACL(&podIPInfo) + assert.Equal(t, err, nil) + + // Normalize both slices so there is no extra spacing, new lines, etc + normalizedExpected := normalizeKVPairs(t, expectedDefaultDenyACL) + normalizedActual := normalizeKVPairs(t, podIPInfo.DefaultDenyACL) + if !reflect.DeepEqual(normalizedExpected, normalizedActual) { + t.Errorf("got '%+v', expected '%+v'", podIPInfo.DefaultDenyACL, expectedDefaultDenyACL) + } +} + +// normalizeKVPairs normalizes the JSON values in the KV pairs by unmarshaling them into a map, then marshaling them back to compact JSON to remove any extra space, new lines, etc +func normalizeKVPairs(t *testing.T, kvPairs []cni.KVPair) []cni.KVPair { + normalized := make([]cni.KVPair, len(kvPairs)) + + for i, kv := range kvPairs { + var unmarshaledValue map[string]interface{} + // Unmarshal the Value into a map + err := json.Unmarshal(kv.Value, &unmarshaledValue) + require.NoError(t, err, "Failed to unmarshal JSON value") + + // Marshal it back to compact JSON + normalizedValue, err := json.Marshal(unmarshaledValue) + require.NoError(t, err, "Failed to re-marshal JSON value") + + // Replace Value with the normalized compact JSON + normalized[i] = cni.KVPair{ + Name: kv.Name, + Value: normalizedValue, 
+ } + } + + return normalized +} From ed09360fc722d8afe90e7bedc6d356e02e0e121b Mon Sep 17 00:00:00 2001 From: rejain456 Date: Mon, 23 Dec 2024 13:34:14 -0800 Subject: [PATCH 04/15] resolved pr comments --- cns/middlewares/k8sSwiftV2.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cns/middlewares/k8sSwiftV2.go b/cns/middlewares/k8sSwiftV2.go index 881c6f8ec5..e97f683c63 100644 --- a/cns/middlewares/k8sSwiftV2.go +++ b/cns/middlewares/k8sSwiftV2.go @@ -59,14 +59,14 @@ func (k *K8sSWIFTv2Middleware) IPConfigsRequestHandlerWrapper(defaultHandler, fa } // ipConfigsResp has infra IP configs -> if defaultDenyACLbool is enabled, add the default deny acl's pn the infra IP configs - for i := range ipConfigsResp.PodIPInfo { - ipInfo := &ipConfigsResp.PodIPInfo[i] + for _, ipInfo := range ipConfigsResp.PodIPInfo { // there will be no pod connectivity to and from those pods if defaultDenyACLbool && ipInfo.NICType == cns.InfraNIC { - err = addDefaultDenyACL(ipInfo) + err = addDefaultDenyACL(&ipInfo) if err != nil { logger.Errorf("failed to add default deny acl's for pod %v with err %v", podInfo.Name(), err) } + break } } From baf31a3dec6a52fde5f577fe3072962f63b772d7 Mon Sep 17 00:00:00 2001 From: rejain456 Date: Mon, 23 Dec 2024 14:29:03 -0800 Subject: [PATCH 05/15] updating to fix github checks --- cns/middlewares/k8sSwiftV2.go | 5 +++-- cns/middlewares/k8sSwiftV2_windows.go | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/cns/middlewares/k8sSwiftV2.go b/cns/middlewares/k8sSwiftV2.go index e97f683c63..e82755152e 100644 --- a/cns/middlewares/k8sSwiftV2.go +++ b/cns/middlewares/k8sSwiftV2.go 
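Review bot: `TestAddDefaultDenyACL` builds its fixture with `NICType: cns.DelegatedVMNIC`, while the middleware only calls `addDefaultDenyACL` for `cns.InfraNIC`, so the fixture exercises a combination production never produces; `addDefaultDenyACL` does not check `NICType` itself, so the test still passes but misleads a reader about the contract. Use `NICType: cns.InfraNIC` in the fixture, or add a test of the wrapper's gating. `assert.Equal(t, err, nil)` is better written `assert.NilError(t, err)` with gotest.tools.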
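Review bot: Switching to `for _, ipInfo := range ipConfigsResp.PodIPInfo` with `addDefaultDenyACL(&ipInfo)` appends the deny policies to a per-iteration copy, so `ipConfigsResp.PodIPInfo` is returned unchanged and the default-deny ACLs are silently dropped — the pod is isolated in intent only. Keep the index form: `for i := range ipConfigsResp.PodIPInfo {` / `ipInfo := &ipConfigsResp.PodIPInfo[i]` / `err = addDefaultDenyACL(ipInfo)`. The added `break` also assumes at most one infra NIC per pod; state that in a comment if it is an invariant.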
@@ -59,10 +59,11 @@ func (k *K8sSWIFTv2Middleware) IPConfigsRequestHandlerWrapper(defaultHandler, fa } // ipConfigsResp has infra IP configs -> if defaultDenyACLbool is enabled, add the default deny acl's pn the infra IP configs - for _, ipInfo := range ipConfigsResp.PodIPInfo { + for i := range ipConfigsResp.PodIPInfo { + ipInfo := &ipConfigsResp.PodIPInfo[i] // there will be no pod connectivity to and from those pods if defaultDenyACLbool && ipInfo.NICType == cns.InfraNIC { - err = addDefaultDenyACL(&ipInfo) + err = addDefaultDenyACL(ipInfo) if err != nil { logger.Errorf("failed to add default deny acl's for pod %v with err %v", podInfo.Name(), err) } diff --git a/cns/middlewares/k8sSwiftV2_windows.go b/cns/middlewares/k8sSwiftV2_windows.go index 545b1ffd8f..cf670fa3c0 100644 --- a/cns/middlewares/k8sSwiftV2_windows.go +++ b/cns/middlewares/k8sSwiftV2_windows.go @@ -64,7 +64,7 @@ func (k *K8sSWIFTv2Middleware) addDefaultRoute(podIPInfo *cns.PodIpInfo, gwIP st } // append the default deny acl's to the list defaultDenyACL field in podIpInfo -func addDefaultDenyACL(podIpInfo *cns.PodIpInfo) error { +func addDefaultDenyACL(podIPInfo *cns.PodIpInfo) error { blockEgressACL, err := getDefaultDenyACLPolicy(hcn.DirectionTypeOut) if err != nil { return errors.Wrap(err, "Failed to create default deny ACL policy egress") @@ -86,7 +86,7 @@ func addDefaultDenyACL(podIpInfo *cns.PodIpInfo) error { }, } - podIpInfo.DefaultDenyACL = append(podIpInfo.DefaultDenyACL, additionalArgs...) + podIPInfo.DefaultDenyACL = append(podIPInfo.DefaultDenyACL, additionalArgs...) return nil } From d531de8d5fe822ee0e9869301d4bba76d71f44da Mon Sep 17 00:00:00 2001 From: rejain456 Date: Mon, 23 Dec 2024 14:44:08 -0800 Subject: [PATCH 06/15] added logging lines --- cns/middlewares/k8sSwiftV2.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cns/middlewares/k8sSwiftV2.go b/cns/middlewares/k8sSwiftV2.go index e82755152e..8122fecc97 100644 --- a/cns/middlewares/k8sSwiftV2.go 
+++ b/cns/middlewares/k8sSwiftV2.go @@ -62,7 +62,9 @@ func (k *K8sSWIFTv2Middleware) IPConfigsRequestHandlerWrapper(defaultHandler, fa for i := range ipConfigsResp.PodIPInfo { ipInfo := &ipConfigsResp.PodIPInfo[i] // there will be no pod connectivity to and from those pods + logger.Printf("type of nic is %s", string(ipInfo.NICType)) if defaultDenyACLbool && ipInfo.NICType == cns.InfraNIC { + logger.Printf("adding default deny acl's") err = addDefaultDenyACL(ipInfo) if err != nil { logger.Errorf("failed to add default deny acl's for pod %v with err %v", podInfo.Name(), err) From b234290b3615517040b64f924e05d881299c9e3f Mon Sep 17 00:00:00 2001 From: rejain456 Date: Mon, 23 Dec 2024 15:15:55 -0800 Subject: [PATCH 07/15] removing unnecessary logging lines --- cns/middlewares/k8sSwiftV2.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/cns/middlewares/k8sSwiftV2.go b/cns/middlewares/k8sSwiftV2.go index 8122fecc97..e82755152e 100644 --- a/cns/middlewares/k8sSwiftV2.go +++ b/cns/middlewares/k8sSwiftV2.go @@ -62,9 +62,7 @@ func (k *K8sSWIFTv2Middleware) IPConfigsRequestHandlerWrapper(defaultHandler, fa for i := range ipConfigsResp.PodIPInfo { ipInfo := &ipConfigsResp.PodIPInfo[i] // there will be no pod connectivity to and from those pods - logger.Printf("type of nic is %s", string(ipInfo.NICType)) if defaultDenyACLbool && ipInfo.NICType == cns.InfraNIC { - logger.Printf("adding default deny acl's") err = addDefaultDenyACL(ipInfo) if err != nil { logger.Errorf("failed to add default deny acl's for pod %v with err %v", podInfo.Name(), err) From 5187545884f11dbd26237b1ea0a77f5d278353ac Mon Sep 17 00:00:00 2001 
From: rejain456 Date: Mon, 6 Jan 2025 14:40:36 -0800 Subject: [PATCH 08/15] removed cni circular dependency --- cni/netconfig.go | 11 +++-------- cni/network/network_windows_test.go | 3 ++- cns/NetworkContainerContract.go | 4 ++-- cns/middlewares/k8sSwiftV2_windows.go | 4 ++-- cns/middlewares/k8sSwiftV2_windows_test.go | 10 +++++----- common/config.go | 10 ++++++++++ 6 files changed, 24 insertions(+), 18 deletions(-) diff --git a/cni/netconfig.go b/cni/netconfig.go index c7e0c0ca7e..68d5cd775e 100644 --- a/cni/netconfig.go +++ b/cni/netconfig.go @@ -7,6 +7,7 @@ import ( "encoding/json" "strings" + acn "github.com/Azure/azure-container-networking/common" "github.com/Azure/azure-container-networking/network/policy" cniTypes "github.com/containernetworking/cni/pkg/types" ) @@ -15,12 +16,6 @@ const ( PolicyStr string = "Policy" ) -// KVPair represents a K-V pair of a json object. -type KVPair struct { - Name string `json:"name"` - Value json.RawMessage `json:"value"` -} - type PortMapping struct { HostPort int `json:"hostPort"` ContainerPort int `json:"containerPort"` @@ -78,7 +73,7 @@ type NetworkConfig struct { DNS cniTypes.DNS `json:"dns,omitempty"` RuntimeConfig RuntimeConfig `json:"runtimeConfig,omitempty"` WindowsSettings WindowsSettings `json:"windowsSettings,omitempty"` - AdditionalArgs []KVPair `json:"AdditionalArgs,omitempty"` + AdditionalArgs []acn.KVPair `json:"AdditionalArgs,omitempty"` } type WindowsSettings struct { @@ -121,7 +116,7 @@ func ParseNetworkConfig(b []byte) (*NetworkConfig, error) { } // GetPoliciesFromNwCfg returns network policies from network config. -func GetPoliciesFromNwCfg(kvp []KVPair) []policy.Policy { +func GetPoliciesFromNwCfg(kvp []acn.KVPair) []policy.Policy { var policies []policy.Policy for _, pair := range kvp { if strings.Contains(pair.Name, PolicyStr) { diff --git a/cni/network/network_windows_test.go b/cni/network/network_windows_test.go index 9da54a4ca4..39da4bd414 100644 --- a/cni/network/network_windows_test.go 
+++ b/cni/network/network_windows_test.go @@ -12,6 +12,7 @@ import ( "github.com/Azure/azure-container-networking/cni" "github.com/Azure/azure-container-networking/cns" + acn "github.com/Azure/azure-container-networking/common" "github.com/Azure/azure-container-networking/network" "github.com/Azure/azure-container-networking/network/hnswrapper" "github.com/Azure/azure-container-networking/network/policy" @@ -941,7 +942,7 @@ func TestPluginWindowsAdd(t *testing.T) { EnableExactMatchForPodName: true, Master: "eth0", // these are added to test that policies propagate to endpoint info - AdditionalArgs: []cni.KVPair{ + AdditionalArgs: []acn.KVPair{ { Name: "EndpointPolicy", Value: GetRawOutBoundNATPolicy(), diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go index 18829c3f8b..72ab3f0b2e 100644 --- a/cns/NetworkContainerContract.go +++ b/cns/NetworkContainerContract.go @@ -7,8 +7,8 @@ import ( "strconv" "strings" - "github.com/Azure/azure-container-networking/cni" "github.com/Azure/azure-container-networking/cns/types" + acn "github.com/Azure/azure-container-networking/common" "github.com/Azure/azure-container-networking/crd/nodenetworkconfig/api/v1alpha" "github.com/google/uuid" "github.com/pkg/errors" @@ -505,7 +505,7 @@ type PodIpInfo struct { // PnpId is set for backend interfaces, Pnp Id identifies VF. Plug and play id(pnp) is also called as PCI ID PnPID string // Defauly Deny ACL's to configure on HNS endpoints for Swiftv2 window nodes - DefaultDenyACL []cni.KVPair + DefaultDenyACL []acn.KVPair } type HostIPInfo struct { diff --git a/cns/middlewares/k8sSwiftV2_windows.go b/cns/middlewares/k8sSwiftV2_windows.go index cf670fa3c0..01f21250f8 100644 --- a/cns/middlewares/k8sSwiftV2_windows.go +++ b/cns/middlewares/k8sSwiftV2_windows.go 
@@ -3,9 +3,9 @@ package middlewares import ( "encoding/json" - "github.com/Azure/azure-container-networking/cni" "github.com/Azure/azure-container-networking/cns" "github.com/Azure/azure-container-networking/cns/middlewares/utils" + acn "github.com/Azure/azure-container-networking/common" "github.com/Azure/azure-container-networking/crd/multitenancy/api/v1alpha1" "github.com/Microsoft/hcsshim/hcn" "github.com/pkg/errors" @@ -75,7 +75,7 @@ func addDefaultDenyACL(podIPInfo *cns.PodIpInfo) error { return errors.Wrap(err, "Failed to create default deny ACL policy ingress") } - additionalArgs := []cni.KVPair{ + additionalArgs := []acn.KVPair{ { Name: "EndpointPolicy", Value: blockEgressACL, diff --git a/cns/middlewares/k8sSwiftV2_windows_test.go b/cns/middlewares/k8sSwiftV2_windows_test.go index 2eb9ccd61f..324b46f279 100644 --- a/cns/middlewares/k8sSwiftV2_windows_test.go +++ b/cns/middlewares/k8sSwiftV2_windows_test.go @@ -5,9 +5,9 @@ import ( "reflect" "testing" - "github.com/Azure/azure-container-networking/cni" "github.com/Azure/azure-container-networking/cns" "github.com/Azure/azure-container-networking/cns/middlewares/mock" + acn "github.com/Azure/azure-container-networking/common" "github.com/Azure/azure-container-networking/crd/multitenancy/api/v1alpha1" "github.com/stretchr/testify/require" "gotest.tools/v3/assert" @@ -119,7 +119,7 @@ func TestAddDefaultDenyACL(t *testing.T) { "Priority": 10000 }`) - expectedDefaultDenyACL := []cni.KVPair{ + expectedDefaultDenyACL := []acn.KVPair{ { Name: "EndpointPolicy", Value: valueOut, 
@@ -151,8 +151,8 @@ func TestAddDefaultDenyACL(t *testing.T) { } // normalizeKVPairs normalizes the JSON values in the KV pairs by unmarshaling them into a map, then marshaling them back to compact JSON to remove any extra space, new lines, etc -func normalizeKVPairs(t *testing.T, kvPairs []cni.KVPair) []cni.KVPair { - normalized := make([]cni.KVPair, len(kvPairs)) +func normalizeKVPairs(t *testing.T, kvPairs []acn.KVPair) []acn.KVPair { + normalized := make([]acn.KVPair, len(kvPairs)) for i, kv := range kvPairs { var unmarshaledValue map[string]interface{} @@ -165,7 +165,7 @@ func normalizeKVPairs(t *testing.T, kvPairs []cni.KVPair) []cni.KVPair { require.NoError(t, err, "Failed to re-marshal JSON value") // Replace Value with the normalized compact JSON - normalized[i] = cni.KVPair{ + normalized[i] = acn.KVPair{ Name: kv.Name, Value: normalizedValue, } diff --git a/common/config.go b/common/config.go index 3434c2e2e1..96f7eb870f 100644 --- a/common/config.go +++ b/common/config.go @@ -3,6 +3,10 @@ package common +import ( + "encoding/json" +) + // Command line options. const ( // Operating environment. @@ -146,3 +150,9 @@ const ( // OptCNIConflistScenarioAlias "shorthand" for the cni conflist scenairo, see above OptCNIConflistScenarioAlias = "cniconflistscenario" ) + +// KVPair represents a K-V pair of a json object. +type KVPair struct { + Name string `json:"name"` + Value json.RawMessage `json:"value"` +} From e89f70f052eee64968e92f6654aaa19c8a2862ab Mon Sep 17 00:00:00 2001 From: rejain456 Date: Mon, 6 Jan 2025 15:02:49 -0800 Subject: [PATCH 09/15] switch from having consts to making them inline --- cns/middlewares/k8sSwiftV2_windows.go | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/cns/middlewares/k8sSwiftV2_windows.go b/cns/middlewares/k8sSwiftV2_windows.go index 01f21250f8..6aff92ef6e 100644 --- a/cns/middlewares/k8sSwiftV2_windows.go +++ b/cns/middlewares/k8sSwiftV2_windows.go 
@@ -93,8 +93,6 @@ func addDefaultDenyACL(podIPInfo *cns.PodIpInfo) error { // create the default deny acl's that need to be added to the list defaultDenyACL field in podIpInfo func getDefaultDenyACLPolicy(direction hcn.DirectionType) ([]byte, error) { - const DefaultDenyPriority = 10000 - const policyType = "ACL" type DefaultDenyACL struct { Type string `json:"Type"` Action hcn.ActionType `json:"Action"` @@ -103,10 +101,10 @@ func getDefaultDenyACLPolicy(direction hcn.DirectionType) ([]byte, error) { } denyACL := DefaultDenyACL{ - Type: policyType, + Type: "ACL", // policy type is ACL Action: hcn.ActionTypeBlock, Direction: direction, - Priority: DefaultDenyPriority, + Priority: 10_000, // default deny priority will be 10_000 } denyACLJSON, err := json.Marshal(denyACL) From a56b665597185ca06462416b79890ca731d98874 Mon Sep 17 00:00:00 2001 From: rejain456 Date: Wed, 8 Jan 2025 18:56:42 -0800 Subject: [PATCH 10/15] cns changes based on update to network container contrac --- cni/netconfig.go | 10 +++++++--- cni/network/network_windows_test.go | 3 +-- cns/NetworkContainerContract.go | 6 +++--- cns/middlewares/k8sSwiftV2_windows.go | 14 +++++++------- cns/middlewares/k8sSwiftV2_windows_test.go | 7 ++++--- common/config.go | 10 ---------- 6 files changed, 22 insertions(+), 28 deletions(-) diff --git a/cni/netconfig.go b/cni/netconfig.go index 68d5cd775e..5e26e63f0c 100644 --- a/cni/netconfig.go +++ b/cni/netconfig.go @@ -7,7 +7,6 @@ import ( "encoding/json" "strings" - acn "github.com/Azure/azure-container-networking/common" "github.com/Azure/azure-container-networking/network/policy" cniTypes "github.com/containernetworking/cni/pkg/types" ) @@ -16,6 +15,11 @@ const ( PolicyStr string = "Policy" ) +type KVPair struct { + Name string `json:"name"` + Value json.RawMessage `json:"value"` +} + type PortMapping struct { HostPort int `json:"hostPort"` ContainerPort int `json:"containerPort"` 
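Review bot: The inline comments `// policy type is ACL` and `// default deny priority will be 10_000` only restate the literals beside them; a reader needs the why. Say what the value means relative to other endpoint ACLs, e.g. `Priority: 10_000, // low precedence so explicitly allowed flows (lower priority values) take effect first — confirm HNS ordering`, and keep the `"ACL"` literal paired with a reference to the HNS policy type it names.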
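Review bot: `KVPair` returns to `cni/netconfig.go` as an exported type but without the doc comment it carried before; restore it: `// KVPair represents a K-V pair of a json object.`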
@@ -73,7 +77,7 @@ type NetworkConfig struct {
 	DNS cniTypes.DNS `json:"dns,omitempty"`
 	RuntimeConfig RuntimeConfig `json:"runtimeConfig,omitempty"`
 	WindowsSettings WindowsSettings `json:"windowsSettings,omitempty"`
-	AdditionalArgs []acn.KVPair `json:"AdditionalArgs,omitempty"`
+	AdditionalArgs []KVPair `json:"AdditionalArgs,omitempty"`
 }
 
 type WindowsSettings struct {
@@ -116,7 +120,7 @@ func ParseNetworkConfig(b []byte) (*NetworkConfig, error) {
 }
 
 // GetPoliciesFromNwCfg returns network policies from network config.
-func GetPoliciesFromNwCfg(kvp []acn.KVPair) []policy.Policy {
+func GetPoliciesFromNwCfg(kvp []KVPair) []policy.Policy {
 	var policies []policy.Policy
 	for _, pair := range kvp {
 		if strings.Contains(pair.Name, PolicyStr) {
diff --git a/cni/network/network_windows_test.go b/cni/network/network_windows_test.go
index 39da4bd414..9da54a4ca4 100644
--- a/cni/network/network_windows_test.go
+++ b/cni/network/network_windows_test.go
@@ -12,7 +12,6 @@ import (
 
 	"github.com/Azure/azure-container-networking/cni"
 	"github.com/Azure/azure-container-networking/cns"
-	acn "github.com/Azure/azure-container-networking/common"
 	"github.com/Azure/azure-container-networking/network"
 	"github.com/Azure/azure-container-networking/network/hnswrapper"
 	"github.com/Azure/azure-container-networking/network/policy"
@@ -942,7 +941,7 @@ func TestPluginWindowsAdd(t *testing.T) {
 				EnableExactMatchForPodName: true,
 				Master: "eth0",
 				// these are added to test that policies propagate to endpoint info
-				AdditionalArgs: []acn.KVPair{
+				AdditionalArgs: []cni.KVPair{
 					{
 						Name: "EndpointPolicy",
 						Value: GetRawOutBoundNATPolicy(),
diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go
index 72ab3f0b2e..ef2d887db8 100644
--- a/cns/NetworkContainerContract.go
+++ b/cns/NetworkContainerContract.go
@@ -8,8 +8,8 @@ import (
 	"strings"
 
 	"github.com/Azure/azure-container-networking/cns/types"
-	acn "github.com/Azure/azure-container-networking/common"
 	"github.com/Azure/azure-container-networking/crd/nodenetworkconfig/api/v1alpha"
+	"github.com/Azure/azure-container-networking/network/policy"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
@@ -504,8 +504,8 @@ type PodIpInfo struct {
 	Routes []Route
 	// PnpId is set for backend interfaces, Pnp Id identifies VF. Plug and play id(pnp) is also called as PCI ID
 	PnPID string
-	// Defauly Deny ACL's to configure on HNS endpoints for Swiftv2 window nodes
-	DefaultDenyACL []acn.KVPair
+	// Default Deny ACL's to configure on HNS endpoints for Swiftv2 window nodes
+	EdpointPolicies []policy.Policy
 }
 
 type HostIPInfo struct {
diff --git a/cns/middlewares/k8sSwiftV2_windows.go b/cns/middlewares/k8sSwiftV2_windows.go
index 6aff92ef6e..d0eec71ba3 100644
--- a/cns/middlewares/k8sSwiftV2_windows.go
+++ b/cns/middlewares/k8sSwiftV2_windows.go
@@ -5,8 +5,8 @@ import (
 
 	"github.com/Azure/azure-container-networking/cns"
 	"github.com/Azure/azure-container-networking/cns/middlewares/utils"
-	acn "github.com/Azure/azure-container-networking/common"
 	"github.com/Azure/azure-container-networking/crd/multitenancy/api/v1alpha1"
+	"github.com/Azure/azure-container-networking/network/policy"
 	"github.com/Microsoft/hcsshim/hcn"
 	"github.com/pkg/errors"
 )
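Review bot: The comment kept above the renamed field in PodIpInfo still says "Default Deny ACL's to configure on HNS endpoints", but `EdpointPolicies []policy.Policy` is now a general list of endpoint policies (type plus raw JSON data) that addDefaultDenyACL merely appends to, so the contract no longer states who populates it or how a consumer should treat each entry. Suggest `// EndpointPolicies holds HNS endpoint policies (policy.Policy: Type plus raw JSON Data) for this interface; on Windows SWIFTv2 nodes the CNS middleware appends the default deny ACLs here.` Since PodIpInfo lives in the network container contract, the field is presumably read on the CNI side as well, which makes the documented meaning of `Type` and `Data` part of the interface. Patch 11 (the `@@ -505,7 +505,7 @@` hunk further down) fixes the spelling of the field name but leaves this comment unchanged.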
@@ -75,18 +75,18 @@ func addDefaultDenyACL(podIPInfo *cns.PodIpInfo) error {
 		return errors.Wrap(err, "Failed to create default deny ACL policy ingress")
 	}
 
-	additionalArgs := []acn.KVPair{
+	additionalArgs := []policy.Policy{
 		{
-			Name: "EndpointPolicy",
-			Value: blockEgressACL,
+			Type: policy.ACLPolicy,
+			Data: blockEgressACL,
 		},
 		{
-			Name: "EndpointPolicy",
-			Value: blockIngressACL,
+			Type: policy.ACLPolicy,
+			Data: blockIngressACL,
 		},
 	}
 
-	podIPInfo.DefaultDenyACL = append(podIPInfo.DefaultDenyACL, additionalArgs...)
+	podIPInfo.EdpointPolicies = append(podIPInfo.EdpointPolicies, additionalArgs...)
 
 	return nil
 }
diff --git a/cns/middlewares/k8sSwiftV2_windows_test.go b/cns/middlewares/k8sSwiftV2_windows_test.go
index 324b46f279..3d549319b6 100644
--- a/cns/middlewares/k8sSwiftV2_windows_test.go
+++ b/cns/middlewares/k8sSwiftV2_windows_test.go
@@ -5,6 +5,7 @@ import (
 	"reflect"
 	"testing"
 
+	"github.com/Azure/azure-container-networking/cni"
 	"github.com/Azure/azure-container-networking/cns"
 	"github.com/Azure/azure-container-networking/cns/middlewares/mock"
 	acn "github.com/Azure/azure-container-networking/common"
@@ -119,7 +120,7 @@ func TestAddDefaultDenyACL(t *testing.T) {
 		"Priority": 10000
 	}`)
 
-	expectedDefaultDenyACL := []acn.KVPair{
+	expectedDefaultDenyACL := []cni.KVPair{
 		{
 			Name: "EndpointPolicy",
 			Value: valueOut,
@@ -151,8 +152,8 @@ func TestAddDefaultDenyACL(t *testing.T) {
 }
 
 // normalizeKVPairs normalizes the JSON values in the KV pairs by unmarshaling them into a map, then marshaling them back to compact JSON to remove any extra space, new lines, etc
-func normalizeKVPairs(t *testing.T, kvPairs []acn.KVPair) []acn.KVPair {
-	normalized := make([]acn.KVPair, len(kvPairs))
+func normalizeKVPairs(t *testing.T, kvPairs []acn.KVPair) []cni.KVPair {
+	normalized := make([]cni.KVPair, len(kvPairs))
 
 	for i, kv := range kvPairs {
 		var unmarshaledValue map[string]interface{}
diff --git a/common/config.go b/common/config.go
index 96f7eb870f..3434c2e2e1 100644
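Review bot: Now that the slice in addDefaultDenyACL holds `policy.Policy` values rather than CNI AdditionalArgs entries, the local name `additionalArgs` is stale and reads as if plugin arguments were being built; `defaultDenyPolicies := []policy.Policy{` names what the two entries actually are. In the same commit the companion test (`@@ -119,7 +120,7 @@` and `@@ -151,8 +152,8 @@` below) still builds `[]cni.KVPair{Name: "EndpointPolicy", …}` and keeps `acn.KVPair` in normalizeKVPairs while `common.KVPair` is deleted in this very patch, so the test file does not compile against this code until patch 12; folding those test changes into this commit would keep the series bisectable. addDefaultDenyACL starts before the hunk, so the creation of blockEgressACL and blockIngressACL is not visible here.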
--- a/common/config.go
+++ b/common/config.go
@@ -3,10 +3,6 @@
 
 package common
 
-import (
-	"encoding/json"
-)
-
 // Command line options.
 const (
 	// Operating environment.
@@ -150,9 +146,3 @@ const (
 	// OptCNIConflistScenarioAlias "shorthand" for the cni conflist scenairo, see above
 	OptCNIConflistScenarioAlias = "cniconflistscenario"
 )
-
-// KVPair represents a K-V pair of a json object.
-type KVPair struct {
-	Name string `json:"name"`
-	Value json.RawMessage `json:"value"`
-}
From 725d6cabc3b935f225b3db2ecda3a638162daa1c Mon Sep 17 00:00:00 2001
From: rejain456
Date: Wed, 8 Jan 2025 19:18:20 -0800
Subject: [PATCH 11/15] fixed spelling

---
 cns/NetworkContainerContract.go | 2 +-
 cns/middlewares/k8sSwiftV2_windows.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go
index ef2d887db8..c93187a0e2 100644
--- a/cns/NetworkContainerContract.go
+++ b/cns/NetworkContainerContract.go
@@ -505,7 +505,7 @@ type PodIpInfo struct {
 	// PnpId is set for backend interfaces, Pnp Id identifies VF. Plug and play id(pnp) is also called as PCI ID
 	PnPID string
 	// Default Deny ACL's to configure on HNS endpoints for Swiftv2 window nodes
-	EdpointPolicies []policy.Policy
+	EndpointPolicies []policy.Policy
 }
 
 type HostIPInfo struct {
diff --git a/cns/middlewares/k8sSwiftV2_windows.go b/cns/middlewares/k8sSwiftV2_windows.go
index d0eec71ba3..1f200ac259 100644
--- a/cns/middlewares/k8sSwiftV2_windows.go
+++ b/cns/middlewares/k8sSwiftV2_windows.go
@@ -86,7 +86,7 @@ func addDefaultDenyACL(podIPInfo *cns.PodIpInfo) error {
 		},
 	}
 
-	podIPInfo.EdpointPolicies = append(podIPInfo.EdpointPolicies, additionalArgs...)
+	podIPInfo.EndpointPolicies = append(podIPInfo.EndpointPolicies, additionalArgs...)
 
 	return nil
 }
From 9d2ef054e485b7b43cde8da4b30e365d21b125e7 Mon Sep 17 00:00:00 2001
From: rejain456
Date: Wed, 8 Jan 2025 19:24:38 -0800
Subject: [PATCH 12/15] updated unit test

---
 cns/middlewares/k8sSwiftV2_windows_test.go | 29 +++++++++++-----------
 1 file changed, 14 insertions(+), 15 deletions(-)

diff --git a/cns/middlewares/k8sSwiftV2_windows_test.go b/cns/middlewares/k8sSwiftV2_windows_test.go
index 3d549319b6..5480815dce 100644
--- a/cns/middlewares/k8sSwiftV2_windows_test.go
+++ b/cns/middlewares/k8sSwiftV2_windows_test.go
@@ -5,11 +5,10 @@ import (
 	"reflect"
 	"testing"
 
-	"github.com/Azure/azure-container-networking/cni"
 	"github.com/Azure/azure-container-networking/cns"
 	"github.com/Azure/azure-container-networking/cns/middlewares/mock"
-	acn "github.com/Azure/azure-container-networking/common"
 	"github.com/Azure/azure-container-networking/crd/multitenancy/api/v1alpha1"
+	"github.com/Azure/azure-container-networking/network/policy"
 	"github.com/stretchr/testify/require"
 	"gotest.tools/v3/assert"
 )
@@ -120,14 +119,14 @@ func TestAddDefaultDenyACL(t *testing.T) {
 		"Priority": 10000
 	}`)
 
-	expectedDefaultDenyACL := []cni.KVPair{
+	expectedDefaultDenyACL := []policy.Policy{
 		{
-			Name: "EndpointPolicy",
-			Value: valueOut,
+			Type: policy.ACLPolicy,
+			Data: valueOut,
 		},
 		{
-			Name: "EndpointPolicy",
-			Value: valueIn,
+			Type: policy.ACLPolicy,
+			Data: valueIn,
 		},
 	}
 
@@ -145,20 +144,20 @@ func TestAddDefaultDenyACL(t *testing.T) {
 
 	// Normalize both slices so there is no extra spacing, new lines, etc
 	normalizedExpected := normalizeKVPairs(t, expectedDefaultDenyACL)
-	normalizedActual := normalizeKVPairs(t, podIPInfo.DefaultDenyACL)
+	normalizedActual := normalizeKVPairs(t, podIPInfo.EndpointPolicies)
 	if !reflect.DeepEqual(normalizedExpected, normalizedActual) {
-		t.Errorf("got '%+v', expected '%+v'", podIPInfo.DefaultDenyACL, expectedDefaultDenyACL)
+		t.Errorf("got '%+v', expected '%+v'", podIPInfo.EndpointPolicies, expectedDefaultDenyACL)
 	}
 }
 
 // normalizeKVPairs normalizes the JSON values in the KV pairs by unmarshaling them into a map, then marshaling them back to compact JSON to remove any extra space, new lines, etc
-func normalizeKVPairs(t *testing.T, kvPairs []acn.KVPair) []cni.KVPair {
-	normalized := make([]cni.KVPair, len(kvPairs))
+func normalizeKVPairs(t *testing.T, kvPairs []policy.Policy) []policy.Policy {
+	normalized := make([]policy.Policy, len(kvPairs))
 
 	for i, kv := range kvPairs {
 		var unmarshaledValue map[string]interface{}
 		// Unmarshal the Value into a map
-		err := json.Unmarshal(kv.Value, &unmarshaledValue)
+		err := json.Unmarshal(kv.Data, &unmarshaledValue)
 		require.NoError(t, err, "Failed to unmarshal JSON value")
 
 		// Marshal it back to compact JSON
@@ -166,9 +165,9 @@ func normalizeKVPairs(t *testing.T, kvPairs []acn.KVPair) []cni.KVPair {
 		require.NoError(t, err, "Failed to re-marshal JSON value")
 
 		// Replace Value with the normalized compact JSON
-		normalized[i] = acn.KVPair{
-			Name: kv.Name,
-			Value: normalizedValue,
+		normalized[i] = policy.Policy{
+			Type: policy.ACLPolicy,
+			Data: normalizedValue,
 		}
 	}
 
From 753852c83a8a36814430c4b31bdb34d87f697ef3 Mon Sep 17 00:00:00 2001
From: rejain456
Date: Wed, 8 Jan 2025 19:28:40 -0800
Subject: [PATCH 13/15] updated test

---
 cns/middlewares/k8sSwiftV2_windows_test.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

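Review bot: In the `@@ -166,9 +165,9 @@` hunk normalizeKVPairs rebuilds every element as `policy.Policy{Type: policy.ACLPolicy, Data: normalizedValue}`, which overwrites the Type of the actual entries taken from podIPInfo.EndpointPolicies before the DeepEqual, so TestAddDefaultDenyACL would still pass if addDefaultDenyACL emitted the wrong policy type; carry the original through with `Type: kv.Type,`. The helper's name and doc comment still speak of KV pairs although it now takes and returns policies; `normalizePolicies` with a comment such as `// normalizePolicies re-marshals each policy's Data to compact JSON so two policy slices can be compared independent of whitespace` would match the new type (patch 13 renames only the parameter). The helper's `return` lies past the end of the hunk.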
diff --git a/cns/middlewares/k8sSwiftV2_windows_test.go b/cns/middlewares/k8sSwiftV2_windows_test.go
index 5480815dce..fb6ed62978 100644
--- a/cns/middlewares/k8sSwiftV2_windows_test.go
+++ b/cns/middlewares/k8sSwiftV2_windows_test.go
@@ -151,10 +151,10 @@ func TestAddDefaultDenyACL(t *testing.T) {
 }
 
 // normalizeKVPairs normalizes the JSON values in the KV pairs by unmarshaling them into a map, then marshaling them back to compact JSON to remove any extra space, new lines, etc
-func normalizeKVPairs(t *testing.T, kvPairs []policy.Policy) []policy.Policy {
-	normalized := make([]policy.Policy, len(kvPairs))
+func normalizeKVPairs(t *testing.T, policies []policy.Policy) []policy.Policy {
+	normalized := make([]policy.Policy, len(policies))
 
-	for i, kv := range kvPairs {
+	for i, kv := range policies {
 		var unmarshaledValue map[string]interface{}
 		// Unmarshal the Value into a map
 		err := json.Unmarshal(kv.Data, &unmarshaledValue)
From aa59a399683f0f7bca94d3a324297fdb19a02660 Mon Sep 17 00:00:00 2001
From: rejain456
Date: Wed, 8 Jan 2025 19:38:34 -0800
Subject: [PATCH 14/15] reverted a comment

---
 cni/netconfig.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cni/netconfig.go b/cni/netconfig.go
index 5e26e63f0c..c7e0c0ca7e 100644
--- a/cni/netconfig.go
+++ b/cni/netconfig.go
@@ -15,6 +15,7 @@ const (
 	PolicyStr string = "Policy"
 )
 
+// KVPair represents a K-V pair of a json object.
 type KVPair struct {
 	Name string `json:"name"`
 	Value json.RawMessage `json:"value"`
From 82cfe55bd4e24b5923750e99ffcbf4e8693e6ea0 Mon Sep 17 00:00:00 2001
From: rejain456
Date: Wed, 8 Jan 2025 19:45:34 -0800
Subject: [PATCH 15/15] updated name of function

---
 cns/middlewares/k8sSwiftV2.go | 6 +++---
 cns/middlewares/k8sSwiftV2_linux_test.go | 14 +++++++-------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/cns/middlewares/k8sSwiftV2.go b/cns/middlewares/k8sSwiftV2.go
index e82755152e..20e514c13a 100644
--- a/cns/middlewares/k8sSwiftV2.go
+++ b/cns/middlewares/k8sSwiftV2.go
@@ -40,7 +40,7 @@ var _ cns.IPConfigsHandlerMiddleware = (*K8sSWIFTv2Middleware)(nil)
 // and release IP configs handlers.
 func (k *K8sSWIFTv2Middleware) IPConfigsRequestHandlerWrapper(defaultHandler, failureHandler cns.IPConfigsHandlerFunc) cns.IPConfigsHandlerFunc {
 	return func(ctx context.Context, req cns.IPConfigsRequest) (*cns.IPConfigsResponse, error) {
-		podInfo, respCode, message, defaultDenyACLbool := k.validateIPConfigsRequest(ctx, &req)
+		podInfo, respCode, message, defaultDenyACLbool := k.GetPodInfoForIPConfigsRequest(ctx, &req)
 
 		logger.Printf("defaultDenyACLbool value is: %v", defaultDenyACLbool)
 
@@ -116,9 +116,9 @@ func (k *K8sSWIFTv2Middleware) IPConfigsRequestHandlerWrapper(defaultHandler, fa
 	}
 }
 
-// validateIPConfigsRequest validates if pod is multitenant by checking the pod labels, used in SWIFT V2 AKS scenario.
+// GetPodInfoForIPConfigsRequest validates if pod is multitenant by checking the pod labels, used in SWIFT V2 AKS scenario.
 // nolint
-func (k *K8sSWIFTv2Middleware) validateIPConfigsRequest(ctx context.Context, req *cns.IPConfigsRequest) (podInfo cns.PodInfo, respCode types.ResponseCode, message string, defaultDenyACL bool) {
+func (k *K8sSWIFTv2Middleware) GetPodInfoForIPConfigsRequest(ctx context.Context, req *cns.IPConfigsRequest) (podInfo cns.PodInfo, respCode types.ResponseCode, message string, defaultDenyACL bool) {
 	defaultDenyACLbool := false
 
 	// Retrieve the pod from the cluster
diff --git a/cns/middlewares/k8sSwiftV2_linux_test.go b/cns/middlewares/k8sSwiftV2_linux_test.go
index 8d42f8cfe1..8bd0990728 100644
--- a/cns/middlewares/k8sSwiftV2_linux_test.go
+++ b/cns/middlewares/k8sSwiftV2_linux_test.go
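Review bot: The renamed GetPodInfoForIPConfigsRequest declares a named result `defaultDenyACL bool` and on its first line introduces a second variable `defaultDenyACLbool := false` for the same flag, so two names now track one value and a later `return` can easily hand back the zero-valued named result instead of the local; dropping the local and assigning to the named result, or removing the result name from the signature, leaves one source of truth. Exporting the method widens the middleware's public surface, and since the Linux tests in the next file section are in the same package they could keep calling an unexported name; if no other package needs it, `getPodInfoForIPConfigsRequest` (without the `Get` prefix per Go convention) is enough. The call-site hunk still logs `logger.Printf("defaultDenyACLbool value is: %v", defaultDenyACLbool)` on every IP-config request, which looks like leftover debug output and belongs behind the default-deny branch or at debug level. The body of GetPodInfoForIPConfigsRequest continues past the hunk.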
@@ -144,7 +144,7 @@ func TestValidateMultitenantIPConfigsRequestSuccess(t *testing.T) {
 
 	happyReq.OrchestratorContext = b
 	happyReq.SecondaryInterfacesExist = false
-	_, respCode, err, _ := middleware.validateIPConfigsRequest(context.TODO(), happyReq)
+	_, respCode, err, _ := middleware.GetPodInfoForIPConfigsRequest(context.TODO(), happyReq)
 	assert.Equal(t, err, "")
 	assert.Equal(t, respCode, types.Success)
 	assert.Equal(t, happyReq.SecondaryInterfacesExist, true)
@@ -158,7 +158,7 @@ func TestValidateMultitenantIPConfigsRequestSuccess(t *testing.T) {
 
 	happyReq2.OrchestratorContext = b
 	happyReq2.SecondaryInterfacesExist = false
-	_, respCode, err, _ = middleware.validateIPConfigsRequest(context.TODO(), happyReq2)
+	_, respCode, err, _ = middleware.GetPodInfoForIPConfigsRequest(context.TODO(), happyReq2)
 	assert.Equal(t, err, "")
 	assert.Equal(t, respCode, types.Success)
 	assert.Equal(t, happyReq.SecondaryInterfacesExist, true)
@@ -172,7 +172,7 @@ func TestValidateMultitenantIPConfigsRequestSuccess(t *testing.T) {
 
 	happyReq3.OrchestratorContext = b
 	happyReq3.SecondaryInterfacesExist = false
-	_, respCode, err, _ = middleware.validateIPConfigsRequest(context.TODO(), happyReq3)
+	_, respCode, err, _ = middleware.GetPodInfoForIPConfigsRequest(context.TODO(), happyReq3)
 	assert.Equal(t, err, "")
 	assert.Equal(t, respCode, types.Success)
 	assert.Equal(t, happyReq3.SecondaryInterfacesExist, false)
@@ -188,7 +188,7 @@ func TestValidateMultitenantIPConfigsRequestFailure(t *testing.T) {
 		InfraContainerID: testPod1Info.InfraContainerID(),
 	}
 	failReq.OrchestratorContext = []byte("invalid")
-	_, respCode, _, _ := middleware.validateIPConfigsRequest(context.TODO(), failReq)
+	_, respCode, _, _ := middleware.GetPodInfoForIPConfigsRequest(context.TODO(), failReq)
 	assert.Equal(t, respCode, types.UnexpectedError)
 
 	// Pod doesn't exist in cache test
@@ -198,19 +198,19 @@ func TestValidateMultitenantIPConfigsRequestFailure(t *testing.T) {
 	}
 	b, _ := testPod2Info.OrchestratorContext()
 	failReq.OrchestratorContext = b
-	_, respCode, _, _ = middleware.validateIPConfigsRequest(context.TODO(), failReq)
+	_, respCode, _, _ = middleware.GetPodInfoForIPConfigsRequest(context.TODO(), failReq)
 	assert.Equal(t, respCode, types.UnexpectedError)
 
 	// Failed to get MTPNC
 	b, _ = testPod3Info.OrchestratorContext()
 	failReq.OrchestratorContext = b
-	_, respCode, _, _ = middleware.validateIPConfigsRequest(context.TODO(), failReq)
+	_, respCode, _, _ = middleware.GetPodInfoForIPConfigsRequest(context.TODO(), failReq)
 	assert.Equal(t, respCode, types.UnexpectedError)
 
 	// MTPNC not ready
 	b, _ = testPod4Info.OrchestratorContext()
 	failReq.OrchestratorContext = b
-	_, respCode, _, _ = middleware.validateIPConfigsRequest(context.TODO(), failReq)
+	_, respCode, _, _ = middleware.GetPodInfoForIPConfigsRequest(context.TODO(), failReq)
 	assert.Equal(t, respCode, types.UnexpectedError)
 }
 