diff --git a/pkg/antctl/output/output.go b/pkg/antctl/output/output.go
index 34bacbd03d6..4a41369da48 100644
--- a/pkg/antctl/output/output.go
+++ b/pkg/antctl/output/output.go
@@ -21,7 +21,6 @@ import (
  "io"
  "reflect"
  "sort"
- "strconv"
  "strings"
  "text/tabwriter"
@@ -322,7 +321,7 @@ func TableOutputForQueryEndpoint(obj interface{}, writer io.Writer) error {
  toStringRep := func(effectiveRules []endpointserver.Rule) [][]string {
  ruleStrings := make([][]string, 0)
  for _, rule := range effectiveRules {
- ruleStrings = append(ruleStrings, []string{rule.PolicyRef.Name, rule.PolicyRef.Namespace, strconv.Itoa(rule.RuleIndex), string(rule.PolicyRef.UID)})
+ ruleStrings = append(ruleStrings, []string{rule.PolicyRef.Name, rule.PolicyRef.Namespace, fmt.Sprint(rule.RuleIndex), string(rule.PolicyRef.UID)})
  }
  return ruleStrings
  }
diff --git a/pkg/antctl/transform/networkpolicy/response.go b/pkg/antctl/transform/networkpolicy/response.go
index 94b59381502..a32d6d6104d 100644
--- a/pkg/antctl/transform/networkpolicy/response.go
+++ b/pkg/antctl/transform/networkpolicy/response.go
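Review bot: `fmt.Sprint(rule.RuleIndex)` formats the int32 through reflection, while the sibling antctl code in response.go renders the same kind of value with `common.Int32ToString(r.Response.RuleIndex)`; using one helper for both index columns keeps them formatted identically (whether pkg/antctl/output can import transform/common without a cycle is not visible here), and failing that `strconv.FormatInt(int64(rule.RuleIndex), 10)` is the plain conversion without fmt. The replacement relies on `fmt` already being imported by output.go, since the import hunk above only drops `strconv`. TableOutputForQueryEndpoint starts and ends outside the hunk.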
@@ -180,20 +180,25 @@ func EvaluationTransform(reader io.Reader, _ bool, _ map[string]string) (interfa
 var _ common.TableOutput = new(EvaluationResponse)
 func (r EvaluationResponse) GetTableHeader() []string {
- return []string{"NAME", "NAMESPACE", "POLICY-TYPE", "RULE-INDEX", "DIRECTION"}
+ return []string{"NAME", "NAMESPACE", "POLICY-TYPE", "RULE-INDEX", "DIRECTION", "ACTION"}
 }
 func (r EvaluationResponse) GetTableRow(_ int) []string {
  if r.NetworkPolicyEvaluation != nil && r.Response != nil {
+ action := ""
+ if r.Response.Rule.Action != nil {
+ action = string(*r.Response.Rule.Action)
+ }
  return []string{
  r.Response.NetworkPolicy.Name,
  r.Response.NetworkPolicy.Namespace,
  string(r.Response.NetworkPolicy.Type),
  common.Int32ToString(r.Response.RuleIndex),
  string(r.Response.Rule.Direction),
+ action,
  }
  }
- return make([]string, 5)
+ return make([]string, len(r.GetTableHeader()))
 }
 func (r EvaluationResponse) SortRows() bool {
diff --git a/pkg/antctl/transform/networkpolicy/response_test.go b/pkg/antctl/transform/networkpolicy/response_test.go
index 728185000da..57bfff5e76d 100644
--- a/pkg/antctl/transform/networkpolicy/response_test.go
+++ b/pkg/antctl/transform/networkpolicy/response_test.go
@@ -15,6 +15,8 @@ package networkpolicy
 import (
+ "fmt"
+ "math"
  "testing"
  "github.com/stretchr/testify/assert"
@@ -23,6 +25,7 @@ import (
  "k8s.io/utils/pointer"
  cpv1beta "antrea.io/antrea/pkg/apis/controlplane/v1beta2"
+ crdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 )
 func TestListTransform(t *testing.T) {
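Review bot: A default-isolation result now shows `Isolation` in ACTION but still prints the `math.MaxInt32` sentinel (`2147483647`) in RULE-INDEX via `common.Int32ToString(r.Response.RuleIndex)`, which an operator will read as a real rule position. Since GetTableRow already inspects `Rule.Action`, it can blank the index for that case: `index := common.Int32ToString(r.Response.RuleIndex)` then `if action == string(crdv1beta1.RuleActionIsolation) { index = "" }` and use `index` in the row (response.go would need the crdv1beta1 import the test file now has, and the `fmt.Sprint(math.MaxInt32)` expectation in response_test.go would change accordingly). The `action := ""` default also means a rule whose Action is nil renders an empty cell; a comment such as `// a nil Action (the K8s NetworkPolicy case in the tests) is shown as an empty cell` would stop readers from mistaking it for missing data.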
@@ -176,17 +179,61 @@ func TestListTransform(t *testing.T) {
 func TestEvaluationResponseTransform(t *testing.T) {
  test := EvaluationResponse{&cpv1beta.NetworkPolicyEvaluation{}}
- assert.Equal(t, []string{"NAME", "NAMESPACE", "POLICY-TYPE", "RULE-INDEX", "DIRECTION"}, test.GetTableHeader())
+ assert.Equal(t, []string{"NAME", "NAMESPACE", "POLICY-TYPE", "RULE-INDEX", "DIRECTION", "ACTION"}, test.GetTableHeader())
  assert.False(t, test.SortRows())
- assert.Equal(t, []string{"", "", "", "", ""}, test.GetTableRow(32))
- test.Response = &cpv1beta.NetworkPolicyEvaluationResponse{
- NetworkPolicy: cpv1beta.NetworkPolicyReference{
- Type: cpv1beta.K8sNetworkPolicy,
- Namespace: "ns",
- Name: "testName",
- },
- RuleIndex: 10,
- Rule: cpv1beta.RuleRef{Direction: cpv1beta.DirectionIn},
+ assert.Equal(t, []string{"", "", "", "", "", ""}, test.GetTableRow(32))
+ testDropAction, testIsolationAction := crdv1beta1.RuleActionDrop, crdv1beta1.RuleActionIsolation
+
+ tests := []struct {
+ name string
+ testResponse *cpv1beta.NetworkPolicyEvaluationResponse
+ expectedOutput []string
+ }{
+ {
+ name: "k8s rule",
+ testResponse: &cpv1beta.NetworkPolicyEvaluationResponse{
+ NetworkPolicy: cpv1beta.NetworkPolicyReference{
+ Type: cpv1beta.K8sNetworkPolicy,
+ Namespace: "ns",
+ Name: "testK8s",
+ },
+ RuleIndex: 10,
+ Rule: cpv1beta.RuleRef{Direction: cpv1beta.DirectionIn},
+ },
+ expectedOutput: []string{"testK8s", "ns", "K8sNetworkPolicy", "10", "In", ""},
+ },
+ {
+ name: "anp rule",
+ testResponse: &cpv1beta.NetworkPolicyEvaluationResponse{
+ NetworkPolicy: cpv1beta.NetworkPolicyReference{
+ Type: cpv1beta.AntreaNetworkPolicy,
+ Namespace: "ns",
+ Name: "testANP",
+ },
+ RuleIndex: 10,
+ Rule: cpv1beta.RuleRef{Direction: cpv1beta.DirectionIn, Action: &testDropAction},
+ },
+ expectedOutput: []string{"testANP", "ns", "AntreaNetworkPolicy", "10", "In", "Drop"},
+ },
+ {
+ name: "k8s default isolation",
+ testResponse: &cpv1beta.NetworkPolicyEvaluationResponse{
+ NetworkPolicy: cpv1beta.NetworkPolicyReference{
+ Type: cpv1beta.K8sNetworkPolicy,
+ Namespace: "ns",
+ Name: "testK8s",
+ },
+ RuleIndex: math.MaxInt32,
+ Rule: cpv1beta.RuleRef{Direction: cpv1beta.DirectionIn, Action: &testIsolationAction},
+ },
+ expectedOutput: []string{"testK8s", "ns", "K8sNetworkPolicy", fmt.Sprint(math.MaxInt32), "In", "Isolation"},
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ test.Response = tt.testResponse
+ assert.Equal(t, tt.expectedOutput, test.GetTableRow(32))
+ })
  }
- assert.Equal(t, []string{"testName", "ns", "K8sNetworkPolicy", "10", "In"}, test.GetTableRow(32))
 }
diff --git a/pkg/apis/crd/v1beta1/types.go b/pkg/apis/crd/v1beta1/types.go
index 46c1280d883..748b42dd44e 100644
--- a/pkg/apis/crd/v1beta1/types.go
+++ b/pkg/apis/crd/v1beta1/types.go
@@ -692,6 +692,9 @@ const (
  // RuleActionReject indicates that the traffic matching the rule must be rejected and the
  // client will receive a response.
  RuleActionReject RuleAction = "Reject"
+ // RuleActionIsolation indicates that the traffic matching the rule should be
+ // affected by Kubernetes NetworkPolicy default isolation.
+ RuleActionIsolation RuleAction = "Isolation"
  IGMPQuery int32 = 0x11
  IGMPReportV1 int32 = 0x12
diff --git a/pkg/apiserver/handlers/endpoint/handler.go b/pkg/apiserver/handlers/endpoint/handler.go
index 41bcd949027..4389a61b228 100644
--- a/pkg/apiserver/handlers/endpoint/handler.go
+++ b/pkg/apiserver/handlers/endpoint/handler.go
@@ -31,7 +31,7 @@ type EndpointQueryResponse struct {
 type Rule struct {
  PolicyRef v1beta2.NetworkPolicyReference `json:"policyref,omitempty"`
  Direction v1beta2.Direction `json:"direction,omitempty"`
- RuleIndex int `json:"ruleindex,omitempty"`
+ RuleIndex int32 `json:"ruleindex,omitempty"`
 }
 type Endpoint struct {
diff --git a/pkg/controller/networkpolicy/endpoint_querier.go b/pkg/controller/networkpolicy/endpoint_querier.go
index 5ee46c69328..eaacd8f547f 100644
--- a/pkg/controller/networkpolicy/endpoint_querier.go
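Review bot: The subtests mutate the shared outer `test` value through `test.Response = tt.testResponse`, so each case runs against state left by the previous one and the loop would race if `t.Parallel()` were ever added. Building the value inside the subtest keeps the cases independent: `r := EvaluationResponse{&cpv1beta.NetworkPolicyEvaluation{Response: tt.testResponse}}` followed by `assert.Equal(t, tt.expectedOutput, r.GetTableRow(32))`. The "k8s default isolation" case also pins `fmt.Sprint(math.MaxInt32)` as the user-visible RULE-INDEX, which locks the internal sentinel into the antctl output format; if that column is ever rendered differently for isolation rows, this expectation is the one to revisit.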
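Review bot: RuleActionIsolation joins the user-facing `RuleAction` type of the crd/v1beta1 API next to Allow/Drop/Reject/Pass, yet the diff changes no validation code (validate_test.go only gains a fixture variable and there is no validate.go hunk) and no CRD schema, so nothing here shows that `action: Isolation` on an Antrea-native policy rule is rejected at admission. If the validating webhook or the OpenAPI enum accepts any value of this type, a user could create a rule with an action the datapath has no handling for, even though the constant is only used as a query-result marker in processEndpointAppliedRules. The doc comment should make that explicit, e.g. `// RuleActionIsolation is an internal marker returned by the endpoint/policy query APIs for a K8s NetworkPolicy's default isolation; it is not a valid action for Antrea-native policy rules and validation must reject it.`, and it is worth confirming validation actually does. The `const (` block starts outside the hunk.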
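Review bot: The retyped field keeps `omitempty`, so a `RuleIndex` of 0 — the first rule of a policy, which QueryNetworkPolicyRules starts counting from `int32(0)` in the hunk below, presumably feeding this field — is dropped from the JSON response and cannot be told apart from "no index" by the client. Unless some consumer depends on the key being absent, `RuleIndex int32 \`json:"ruleindex"\`` would always emit it. Type Rule is complete within the hunk; Endpoint's body is not.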
+++ b/pkg/controller/networkpolicy/endpoint_querier.go
@@ -146,7 +146,7 @@ func (eq *EndpointQuerierImpl) QueryNetworkPolicyRules(namespace, podName string
  return nil, err
  }
  for _, policy := range policies {
- egressIndex, ingressIndex := 0, 0
+ egressIndex, ingressIndex := int32(0), int32(0)
  for _, rule := range policy.(*antreatypes.NetworkPolicy).Rules {
  for _, addressGroupTrial := range rule.To.AddressGroups {
  if addressGroupTrial == string(addressGroup.(*antreatypes.AddressGroup).UID) {
@@ -185,17 +185,18 @@ func (eq *EndpointQuerierImpl) QueryNetworkPolicyRules(namespace, podName string
 func processEndpointAppliedRules(appliedPolicies []*antreatypes.NetworkPolicy, isSourceEndpoint bool) (sets.Set[types.UID], []*antreatypes.RuleInfo) {
  policyUIDs := sets.New[types.UID]()
  isolationRules := make([]*antreatypes.RuleInfo, 0)
+ isolationAction := crdv1beta1.RuleActionIsolation
  for _, internalPolicy := range appliedPolicies {
  policyUIDs.Insert(internalPolicy.SourceRef.UID)
  if internalPolicy.SourceRef.Type == controlplane.K8sNetworkPolicy {
  // check if the Kubernetes NetworkPolicy creates ingress or egress isolationRules
  for _, rule := range internalPolicy.Rules {
  if rule.Direction == controlplane.DirectionIn && !isSourceEndpoint {
- isolationRules = append(isolationRules, &antreatypes.RuleInfo{Policy: internalPolicy, Index: math.MaxInt,
- Rule: &controlplane.NetworkPolicyRule{Direction: rule.Direction, Name: rule.Name, Action: rule.Action}})
+ isolationRules = append(isolationRules, &antreatypes.RuleInfo{Policy: internalPolicy, Index: math.MaxInt32,
+ Rule: &controlplane.NetworkPolicyRule{Direction: rule.Direction, Name: rule.Name, Action: &isolationAction}})
  } else if rule.Direction == controlplane.DirectionOut && isSourceEndpoint {
- isolationRules = append(isolationRules, &antreatypes.RuleInfo{Policy: internalPolicy, Index: math.MaxInt,
- Rule: &controlplane.NetworkPolicyRule{Direction: rule.Direction, Name: rule.Name, Action: rule.Action}})
+ isolationRules = append(isolationRules, &antreatypes.RuleInfo{Policy: internalPolicy, Index: math.MaxInt32,
+ Rule: &controlplane.NetworkPolicyRule{Direction: rule.Direction, Name: rule.Name, Action: &isolationAction}})
  }
  }
  }
diff --git a/pkg/controller/networkpolicy/endpoint_querier_test.go b/pkg/controller/networkpolicy/endpoint_querier_test.go
index f4994cccc2b..5d3518dafb2 100644
--- a/pkg/controller/networkpolicy/endpoint_querier_test.go
+++ b/pkg/controller/networkpolicy/endpoint_querier_test.go
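Review bot: Both branches now build an identical RuleInfo and differ only in the direction test, so the sentinel and the action pointer are duplicated; a single `if (rule.Direction == controlplane.DirectionIn && !isSourceEndpoint) || (rule.Direction == controlplane.DirectionOut && isSourceEndpoint) {` guarding one append halves what has to stay in sync. `math.MaxInt32` is a magic value that the antctl output and the tests now depend on; a named constant at package level, `// isolationRuleIndex marks a K8s NetworkPolicy default-isolation pseudo-rule, not a position in Policy.Rules` over `const isolationRuleIndex = math.MaxInt32`, would document that contract where it originates. Every appended entry shares the address of the single `isolationAction` local, which is harmless only as long as no consumer writes through `Rule.Action`. Isolation entries are created solely by iterating `internalPolicy.Rules`, so a K8s NetworkPolicy that isolates a direction without any rule of its own is only reported if the internal representation gives it a Rule to iterate — worth confirming. processEndpointAppliedRules continues past the hunk.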
@@ -16,6 +16,7 @@ package networkpolicy
 import (
  "fmt"
+ "math"
  "testing"
  "time"
@@ -394,7 +395,7 @@ func TestQueryNetworkPolicyEvaluation(t *testing.T) {
  for i := 0; i < len(policy.Rules); i++ {
  ruleInfoMatches[i] = &antreatypes.RuleInfo{
  Policy: policy,
- Index: i,
+ Index: int32(i),
  Rule: &controlplane.NetworkPolicyRule{Direction: policy.Rules[i].Direction, Name: policy.Rules[i].Name, Action: policy.Rules[i].Action},
  }
  }
@@ -528,8 +529,8 @@ func TestQueryNetworkPolicyEvaluation(t *testing.T) {
  },
  expectedResult: &controlplane.NetworkPolicyEvaluationResponse{
  NetworkPolicy: controlplane.NetworkPolicyReference{Type: controlplane.K8sNetworkPolicy, Namespace: namespace, Name: "Policy111", UID: uid1},
- RuleIndex: -1,
- Rule: controlplane.RuleRef{Direction: controlplane.DirectionOut, Name: "Policy111Rule0"},
+ RuleIndex: math.MaxInt32,
+ Rule: controlplane.RuleRef{Direction: controlplane.DirectionOut, Name: "Policy111Rule0", Action: &isolationAction},
  },
  },
  {
@@ -541,8 +542,8 @@ func TestQueryNetworkPolicyEvaluation(t *testing.T) {
  },
  expectedResult: &controlplane.NetworkPolicyEvaluationResponse{
  NetworkPolicy: controlplane.NetworkPolicyReference{Type: controlplane.K8sNetworkPolicy, Namespace: namespace, Name: "Policy222", UID: uid2},
- RuleIndex: -1,
- Rule: controlplane.RuleRef{Direction: controlplane.DirectionIn, Name: "Policy222Rule0"},
+ RuleIndex: math.MaxInt32,
+ Rule: controlplane.RuleRef{Direction: controlplane.DirectionIn, Name: "Policy222Rule0", Action: &isolationAction},
  },
  },
  {
diff --git a/pkg/controller/networkpolicy/validate_test.go b/pkg/controller/networkpolicy/validate_test.go
index 43b20fe13ca..dc015b65e61 100644
--- a/pkg/controller/networkpolicy/validate_test.go
+++ b/pkg/controller/networkpolicy/validate_test.go
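Review bot: The new expectations take `&isolationAction`, which this file never declares — it comes from the package-level `var` block that validate_test.go gains in this same diff, so the evaluation test now silently depends on an unrelated test file's fixtures. Declaring it where it is used, `isolationAction := crdv1beta1.RuleActionIsolation` at the top of TestQueryNetworkPolicyEvaluation (adding the crdv1beta1 import if this file lacks it), makes the dependency explicit and survives a cleanup of validate_test.go. Both expected-result hunks sit inside a table whose enclosing function starts and ends outside the view.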
@@ -31,12 +31,13 @@ import (
 )
 var (
- query = crdv1beta1.IGMPQuery
- report = crdv1beta1.IGMPReportV1
- allowAction = crdv1beta1.RuleActionAllow
- dropAction = crdv1beta1.RuleActionDrop
- passAction = crdv1beta1.RuleActionPass
- portNum80 = int32(80)
+ query = crdv1beta1.IGMPQuery
+ report = crdv1beta1.IGMPReportV1
+ allowAction = crdv1beta1.RuleActionAllow
+ dropAction = crdv1beta1.RuleActionDrop
+ passAction = crdv1beta1.RuleActionPass
+ isolationAction = crdv1beta1.RuleActionIsolation
+ portNum80 = int32(80)
 )
 func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
diff --git a/pkg/controller/types/networkpolicy.go b/pkg/controller/types/networkpolicy.go
index 86ca232ae2a..1f99d246f8a 100644
--- a/pkg/controller/types/networkpolicy.go
+++ b/pkg/controller/types/networkpolicy.go
@@ -139,7 +139,7 @@ func (p *NetworkPolicy) GetAppliedToGroups() sets.Set[string] {
 // corresponding ingress/egress rules, and the original rule info.
 type RuleInfo struct {
  Policy *NetworkPolicy
- Index int
+ Index int32
  Rule *controlplane.NetworkPolicyRule
 }
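Review bot: `Index` now carries two meanings — a position in `Policy.Rules`, or the `math.MaxInt32` marker that processEndpointAppliedRules stores for a K8s NetworkPolicy's default isolation — and nothing on the struct says so. A field comment keeps the next reader from treating it as a plain index: `// Index is the rule's position in Policy.Rules; math.MaxInt32 marks a K8s NetworkPolicy default-isolation pseudo-rule (see processEndpointAppliedRules).` The doc comment above the struct begins outside the hunk.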