
Add NetworkPolicy type and controller #289

Merged: 6 commits merged into main, Jun 20, 2024

Conversation

@sujeet01 (Contributor) commented Apr 19, 2024

  • Define NetworkPolicy and NetworkPolicyRule types, with code generation
  • Enhance apinet nic to inherit labels from ironcore nic
  • Add NetworkPolicy controller
  • Implement FirewallRules enforcement in metalnetNic
  • Fix duplicate make target
  • Add tests

Fixes #275

@github-actions github-actions bot added documentation Improvements or additions to documentation enhancement New feature or request size/XXL labels Apr 19, 2024
@sujeet01 sujeet01 force-pushed the feature/network-policy branch 5 times, most recently from 8fed26b to 4492775 Compare April 22, 2024 16:36
@sujeet01 sujeet01 marked this pull request as ready for review April 22, 2024 16:46
@sujeet01 sujeet01 requested a review from a team as a code owner April 22, 2024 16:46
@Rohit-0505 Rohit-0505 force-pushed the feature/network-policy branch from 4492775 to 363d219 Compare April 23, 2024 05:08
@sujeet01 sujeet01 force-pushed the feature/network-policy branch 2 times, most recently from bdbc2a6 to 796b8bb Compare April 24, 2024 09:17
@afritzler (Member) left a comment

Some initial thoughts after the first review:

  • We need to review the details of the NetworkPolicy spec and sub types
  • Validation needs to be revisited for mandatory fields

This is just the first review. I need to do some end-to-end testing on my side first in order to give conclusive feedback.

Review threads (all resolved):

  • api/core/v1alpha1/networkpolicyrule_types.go
  • api/core/v1alpha1/networkpolicyrule_types.go (outdated)
  • apinetlet/controllers/networkpolicy_controller.go (outdated, 4 threads)
@sujeet01 sujeet01 force-pushed the feature/network-policy branch from 9b96879 to 11e6108 Compare May 24, 2024 09:51
@afritzler afritzler changed the title Implement NetworkPolicy controller with firewall rules enforcement Add NetworkPolicy type and controller May 24, 2024
Review comment on:

```go
// TargetNetworkInterface is the target of the network policy.
type TargetNetworkInterface struct {
	// IP is the IP address of the target network interface.
	IP net.IP `json:"ip"`
}
```

Member commented:

Is it intended that we currently only support IPv4?

@sujeet01 (Contributor Author) replied:

Currently we're supporting both, and net.IP supports both IPv4 and IPv6, right?

Review comment on:

```go
	Direction: direction,
	Action:    metalnetv1alpha1.FirewallRuleActionAccept,
	Priority:  priority,
	IpFamily:  corev1.IPv4Protocol, // TODO: later support for IPv6
```

Member commented:

Can't we derive the IPFamily from the ironcore-net Rule object instead of pinning it to IPv4?

@sujeet01 (Contributor Author) replied:

Done, derived IPFamily from Prefix.
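The change the two threads above converge on (classifying a rule by the family of its Prefix instead of pinning corev1.IPv4Protocol) as an added Go example; this is not code from the PR or from ironcore-net. It assumes a local IPFamily type standing in for corev1.IPFamily, and the function names FamilyFromPrefix and FamilyFromIP are hypothetical; the second one also shows why a net.IP field such as TargetNetworkInterface.IP needs To4() rather than a length check, and both refuse to fall back to IPv4 on malformed input so a rule cannot be installed with the wrong family.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
)

// IPFamily stands in for corev1.IPFamily (assumption: same string values
// "IPv4"/"IPv6") so this example needs no Kubernetes dependency.
type IPFamily string

const (
	IPv4Protocol IPFamily = "IPv4"
	IPv6Protocol IPFamily = "IPv6"
)

// FamilyFromPrefix derives the family of a firewall rule from its CIDR
// prefix, e.g. "10.0.0.0/24" -> IPv4, "2001:db8::/32" -> IPv6.
// A prefix that does not parse is an error rather than a silent IPv4
// default, so a malformed rule cannot be installed with the wrong family.
func FamilyFromPrefix(prefix string) (IPFamily, error) {
	p, err := netip.ParsePrefix(prefix)
	if err != nil {
		return "", fmt.Errorf("invalid prefix %q: %w", prefix, err)
	}
	// Is4 is false for IPv4-mapped IPv6 (::ffff:a.b.c.d), which is then
	// classified as IPv6, the family the rule was actually written in.
	if p.Addr().Is4() {
		return IPv4Protocol, nil
	}
	return IPv6Protocol, nil
}

// FamilyFromIP classifies a net.IP such as TargetNetworkInterface.IP.
// net.ParseIP returns a 16-byte slice even for "10.0.0.1", so len(ip)==4
// is not a usable test; To4() is, and it treats ::ffff:a.b.c.d as IPv4.
func FamilyFromIP(ip net.IP) (IPFamily, error) {
	if ip.To16() == nil { // nil, or a slice of invalid length
		return "", fmt.Errorf("invalid IP %v", ip)
	}
	if ip.To4() != nil {
		return IPv4Protocol, nil
	}
	return IPv6Protocol, nil
}
```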

@sujeet01 sujeet01 force-pushed the feature/network-policy branch 3 times, most recently from 16778ca to ec2a5c8 Compare June 19, 2024 09:18
@sujeet01 sujeet01 force-pushed the feature/network-policy branch from ec2a5c8 to 3002635 Compare June 19, 2024 09:30
@afritzler afritzler merged commit 71427e0 into main Jun 20, 2024
11 checks passed
@afritzler afritzler deleted the feature/network-policy branch June 20, 2024 11:50
Labels: documentation (Improvements or additions to documentation), enhancement (New feature or request), ok-to-image, size/XXL

Linked issue that merging this pull request may close: Network Policy Enforcement

4 participants