From 07604b78c79957fb54e0276e4cb4cdf1fea3c3fb Mon Sep 17 00:00:00 2001 From: Hang Yan Date: Sat, 14 Sep 2024 10:23:08 +0800 Subject: [PATCH] Add packetcapture feature Signed-off-by: Hang Yan --- build/charts/antrea/conf/antrea-agent.conf | 5 +- build/charts/antrea/crds/packetcapture.yaml | 198 ++++ .../antrea/templates/agent/clusterrole.yaml | 22 + build/yamls/antrea-aks.yml | 213 +++- build/yamls/antrea-crds.yml | 180 ++++ build/yamls/antrea-eks.yml | 213 +++- build/yamls/antrea-gke.yml | 213 +++- build/yamls/antrea-ipsec.yml | 213 +++- build/yamls/antrea.yml | 213 +++- ci/kind/test-e2e-kind.sh | 1 + cmd/antrea-agent/agent.go | 21 + docs/api.md | 1 + docs/feature-gates.md | 6 + docs/packetcapture-guide.md | 74 ++ go.mod | 1 + go.sum | 5 + hack/.notableofcontents | 1 + .../mocks/mock_controller_runtime_manager.go | 2 +- .../controller/networkpolicy/audit_logging.go | 8 +- .../controller/networkpolicy/packetin.go | 19 +- pkg/agent/controller/networkpolicy/reject.go | 4 +- .../packetcapture/packetcapture_controller.go | 747 +++++++++++++ .../packetcapture_controller_test.go | 991 ++++++++++++++++++ .../controller/packetcapture/packetin.go | 106 ++ .../controller/packetcapture/packetin_test.go | 266 +++++ pkg/agent/openflow/client.go | 34 + pkg/agent/openflow/client_test.go | 154 ++- pkg/agent/openflow/cookie/allocator.go | 3 + pkg/agent/openflow/fields.go | 3 + pkg/agent/openflow/framework.go | 15 + pkg/agent/openflow/packetcapture.go | 55 + pkg/agent/openflow/packetin.go | 2 + pkg/agent/openflow/pipeline.go | 253 ++++- pkg/agent/openflow/pipeline_test.go | 92 ++ pkg/agent/openflow/testing/mock_openflow.go | 28 + .../support_bundle_controller.go | 108 +- .../support_bundle_controller_test.go | 11 +- pkg/apis/crd/v1alpha1/register.go | 3 +- pkg/apis/crd/v1alpha1/types.go | 121 +++ .../crd/v1alpha1/zz_generated.deepcopy.go | 271 +++++ .../handlers/featuregates/handler_test.go | 1 + .../typed/crd/v1alpha1/crd_client.go | 5 + .../crd/v1alpha1/fake/fake_crd_client.go | 4 + .../crd/v1alpha1/fake/fake_packetcapture.go | 130 +++ .../typed/crd/v1alpha1/generated_expansion.go | 2 + .../typed/crd/v1alpha1/packetcapture.go | 182 ++++ .../crd/v1alpha1/interface.go | 7 + .../crd/v1alpha1/packetcapture.go | 87 ++ .../informers/externalversions/generic.go | 2 + .../crd/v1alpha1/expansion_generated.go | 4 + .../listers/crd/v1alpha1/packetcapture.go | 66 ++ .../supportbundlecollection/controller.go | 58 +- .../controller_test.go | 105 -- pkg/features/antrea_features.go | 7 + pkg/util/ftp/auth.go | 102 ++ pkg/util/ftp/auth_test.go | 183 ++++ pkg/util/ftp/ftp.go | 106 ++ pkg/util/ftp/ftp_test.go | 58 + test/e2e/framework.go | 4 +- test/e2e/packetcapture_test.go | 642 ++++++++++++ test/integration/agent/openflow_test.go | 20 +- 61 files changed, 6326 insertions(+), 325 deletions(-) create mode 100644 build/charts/antrea/crds/packetcapture.yaml create mode 100644 docs/packetcapture-guide.md create mode 100644 pkg/agent/controller/packetcapture/packetcapture_controller.go create mode 100644 pkg/agent/controller/packetcapture/packetcapture_controller_test.go create mode 100644 pkg/agent/controller/packetcapture/packetin.go create mode 100644 pkg/agent/controller/packetcapture/packetin_test.go create mode 100644 pkg/agent/openflow/packetcapture.go create mode 100644 pkg/client/clientset/versioned/typed/crd/v1alpha1/fake/fake_packetcapture.go create mode 100644 pkg/client/clientset/versioned/typed/crd/v1alpha1/packetcapture.go create mode 100644 pkg/client/informers/externalversions/crd/v1alpha1/packetcapture.go create mode 100644 pkg/client/listers/crd/v1alpha1/packetcapture.go create mode 100644 pkg/util/ftp/auth.go create mode 100644 pkg/util/ftp/auth_test.go create mode 100644 pkg/util/ftp/ftp.go create mode 100644 pkg/util/ftp/ftp_test.go create mode 100644 test/e2e/packetcapture_test.go diff --git a/build/charts/antrea/conf/antrea-agent.conf b/build/charts/antrea/conf/antrea-agent.conf index 3d6dee19dbe..6bbe0824a23 100644 --- a/build/charts/antrea/conf/antrea-agent.conf +++ b/build/charts/antrea/conf/antrea-agent.conf @@ -24,9 +24,12 @@ featureGates: # be enabled, otherwise this flag will not take effect. {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "CleanupStaleUDPSvcConntrack" "default" true) }} -# Enable traceflow which provides packet tracing feature to diagnose network issue. +# Enable Traceflow which provides packet tracing feature to diagnose network issue. {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Traceflow" "default" true) }} +# Enable PacketCapture feature which supports capturing packets to diagnose network issues. +{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "PacketCapture" "default" false) }} + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "NodePortLocal" "default" true) }} diff --git a/build/charts/antrea/crds/packetcapture.yaml b/build/charts/antrea/crds/packetcapture.yaml new file mode 100644 index 00000000000..827e142a83e --- /dev/null +++ b/build/charts/antrea/crds/packetcapture.yaml @@ -0,0 +1,198 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: packetcaptures.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .status.phase + description: The phase of the PacketCapture. + name: Phase + type: string + - jsonPath: .spec.source.pod + description: The name of the source Pod. + name: Source-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.pod + description: The name of the destination Pod. + name: Destination-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.ip + description: The IP address of the destination. + name: Destination-IP + type: string + priority: 10 + - jsonPath: .spec.timeout + description: Timeout in seconds. + name: Timeout + type: integer + priority: 10 + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - fileServer + - source + - captureConfig + - destination + anyOf: + - properties: + source: + required: [pod] + - properties: + destination: + required: [pod] + properties: + source: + type: object + nullable: true + oneOf: + - required: + - pod + - required: + - ip + properties: + pod: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + destination: + type: object + nullable: true + oneOf: + - required: + - pod + - required: + - ip + - required: + - service + properties: + pod: + type: string + service: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + packet: + type: object + x-kubernetes-validations: + - rule: "(self.ipFamily == 'IPv4' && self.protocol != 'IPv6-ICMP' && self.protocol != 58) || (self.ipFamily == 'IPv6' && self.protocol != 'ICMP' && self.protocol != 1) " + message: "packet.ipFamily is incompatiable with packet.protocol" + properties: + ipFamily: + type: string + enum: [IPv4, IPv6] + default: IPv4 + protocol: + x-kubernetes-int-or-string: true + enum: [ICMP, TCP, UDP, IPv6-ICMP, 1, 6, 17, 58] + default: ICMP + transportHeader: + type: object + nullable: true + oneOf: + - required: + - tcp + - required: + - udp + properties: + udp: + type: object + properties: + srcPort: + type: integer + minimum: 1 + maximum: 65535 + dstPort: + type: integer + minimum: 1 + maximum: 65535 + tcp: + type: object + properties: + srcPort: + type: integer + minimum: 1 + maximum: 65535 + dstPort: + type: integer + minimum: 1 + maximum: 65535 + flags: + type: integer + minimum: 0 + maximum: 255 + timeout: + type: integer + minimum: 1 + maximum: 300 + default: 60 + captureConfig: + type: object + anyOf: + - properties: + firstN: + required: [number] + properties: + firstN: + type: object + properties: + number: + type: integer + format: int32 + fileServer: + type: object + properties: + url: + type: string + pattern: 's{0,1}ftps{0,1}:\/\/[\w-_./]+:\d+' + status: + type: object + properties: + reason: + type: string + phase: + type: string + startTime: + type: string + numCapturedPackets: + type: integer + packetsFileName: + type: string + + subresources: + status: {} + scope: Cluster + names: + plural: packetcaptures + singular: packetcapture + kind: PacketCapture + shortNames: + - pcap + diff --git a/build/charts/antrea/templates/agent/clusterrole.yaml b/build/charts/antrea/templates/agent/clusterrole.yaml index a2a74e45beb..f0810484241 100644 --- a/build/charts/antrea/templates/agent/clusterrole.yaml +++ b/build/charts/antrea/templates/agent/clusterrole.yaml @@ -39,6 +39,14 @@ rules: - pods/status verbs: - patch + - apiGroups: + - "" + resources: + - secrets + resourceNames: + - antrea-packetcapture-fileserver-auth + verbs: + - get - apiGroups: - "" resources: @@ -160,6 +168,20 @@ rules: - patch - create - delete + - apiGroups: + - crd.antrea.io + resources: + - packetcaptures + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - packetcaptures/status + verbs: + - patch - apiGroups: - crd.antrea.io resources: diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml index dc3588bd87f..181a827550e 100644 --- a/build/yamls/antrea-aks.yml +++ b/build/yamls/antrea-aks.yml @@ -2866,6 +2866,188 @@ spec: shortNames: - nlm +--- +# Source: antrea/crds/packetcapture.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: packetcaptures.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .status.phase + description: The phase of the PacketCapture. + name: Phase + type: string + - jsonPath: .spec.source.pod + description: The name of the source Pod. + name: Source-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.pod + description: The name of the destination Pod. + name: Destination-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.ip + description: The IP address of the destination. + name: Destination-IP + type: string + priority: 10 + - jsonPath: .spec.timeout + description: Timeout in seconds. + name: Timeout + type: integer + priority: 10 + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - fileServer + - source + - captureConfig + - destination + anyOf: + - properties: + source: + required: [pod] + - properties: + destination: + required: [pod] + properties: + source: + type: object + properties: + pod: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + destination: + type: object + properties: + pod: + type: string + service: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + packet: + type: object + properties: + ipHeader: + type: object + properties: + protocol: + type: integer + minimum: 0 + maximum: 255 + ipv6Header: + type: object + properties: + nextHeader: + type: integer + minimum: 0 + maximum: 65535 + transportHeader: + type: object + properties: + udp: + type: object + properties: + srcPort: + type: integer + minimum: 1 + maximum: 65535 + dstPort: + type: integer + minimum: 1 + maximum: 65535 + tcp: + type: object + properties: + srcPort: + type: integer + minimum: 1 + maximum: 65535 + dstPort: + type: integer + minimum: 1 + maximum: 65535 + flags: + type: integer + minimum: 0 + maximum: 255 + timeout: + type: integer + minimum: 1 + maximum: 300 + captureConfig: + type: object + anyOf: + - properties: + firstN: + required: [number] + properties: + firstN: + type: object + properties: + number: + type: integer + format: int32 + fileServer: + type: object + properties: + url: + type: string + pattern: 's{0,1}ftps{0,1}:\/\/[\w-_./]+:\d+' + status: + type: object + properties: + reason: + type: string + phase: + type: string + startTime: + type: string + numCapturedPackets: + type: integer + packetsFileName: + type: string + + subresources: + status: {} + scope: Cluster + names: + plural: packetcaptures + singular: packetcapture + kind: PacketCapture + shortNames: + - pcp + --- # Source: antrea/crds/supportbundlecollection.yaml apiVersion: apiextensions.k8s.io/v1 @@ -3740,9 +3922,12 @@ data: # be enabled, otherwise this flag will not take effect. # CleanupStaleUDPSvcConntrack: true - # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Enable Traceflow which provides packet tracing feature to diagnose network issue. # Traceflow: true + # Enable PacketCapture feature which supports capturing packets to diagnose network issues. + # PacketCapture: false + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort # NodePortLocal: true @@ -4324,6 +4509,14 @@ rules: - pods/status verbs: - patch + - apiGroups: + - "" + resources: + - secrets + resourceNames: + - antrea-packetcapture-fileserver-auth + verbs: + - get - apiGroups: - "" resources: @@ -4445,6 +4638,20 @@ rules: - patch - create - delete + - apiGroups: + - crd.antrea.io + resources: + - packetcaptures + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - packetcaptures/status + verbs: + - patch - apiGroups: - crd.antrea.io resources: @@ -5138,7 +5345,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 4325a243ab510df539883b6384a30cf8b04ff862796444a6c5c10999159479c5 + checksum/config: e2d1d8af083c88667ac4c22c87dea63e595b2f4f770190c32afb00c480440fe3 labels: app: antrea component: antrea-agent @@ -5376,7 +5583,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 4325a243ab510df539883b6384a30cf8b04ff862796444a6c5c10999159479c5 + checksum/config: e2d1d8af083c88667ac4c22c87dea63e595b2f4f770190c32afb00c480440fe3 labels: app: antrea component: antrea-controller diff --git a/build/yamls/antrea-crds.yml b/build/yamls/antrea-crds.yml index 7036bd85bbe..0bb11322eae 100644 --- a/build/yamls/antrea-crds.yml +++ b/build/yamls/antrea-crds.yml @@ -2843,6 +2843,186 @@ spec: --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + name: packetcaptures.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .status.phase + description: The phase of the PacketCapture. + name: Phase + type: string + - jsonPath: .spec.source.pod + description: The name of the source Pod. + name: Source-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.pod + description: The name of the destination Pod. + name: Destination-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.ip + description: The IP address of the destination. + name: Destination-IP + type: string + priority: 10 + - jsonPath: .spec.timeout + description: Timeout in seconds. + name: Timeout + type: integer + priority: 10 + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - fileServer + - source + - captureConfig + - destination + anyOf: + - properties: + source: + required: [pod] + - properties: + destination: + required: [pod] + properties: + source: + type: object + properties: + pod: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + destination: + type: object + properties: + pod: + type: string + service: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + packet: + type: object + properties: + ipHeader: + type: object + properties: + protocol: + type: integer + minimum: 0 + maximum: 255 + ipv6Header: + type: object + properties: + nextHeader: + type: integer + minimum: 0 + maximum: 65535 + transportHeader: + type: object + properties: + udp: + type: object + properties: + srcPort: + type: integer + minimum: 1 + maximum: 65535 + dstPort: + type: integer + minimum: 1 + maximum: 65535 + tcp: + type: object + properties: + srcPort: + type: integer + minimum: 1 + maximum: 65535 + dstPort: + type: integer + minimum: 1 + maximum: 65535 + flags: + type: integer + minimum: 0 + maximum: 255 + timeout: + type: integer + minimum: 1 + maximum: 300 + captureConfig: + type: object + anyOf: + - properties: + firstN: + required: [number] + properties: + firstN: + type: object + properties: + number: + type: integer + format: int32 + fileServer: + type: object + properties: + url: + type: string + pattern: 's{0,1}ftps{0,1}:\/\/[\w-_./]+:\d+' + status: + type: object + properties: + reason: + type: string + phase: + type: string + startTime: + type: string + numCapturedPackets: + type: integer + packetsFileName: + type: string + + subresources: + status: {} + scope: Cluster + names: + plural: packetcaptures + singular: packetcapture + kind: PacketCapture + shortNames: + - pcp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: name: supportbundlecollections.crd.antrea.io spec: diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml index ad84136fde0..914bee6ee9f 100644 --- a/build/yamls/antrea-eks.yml +++ b/build/yamls/antrea-eks.yml @@ -2866,6 +2866,188 @@ spec: shortNames: - nlm +--- +# Source: antrea/crds/packetcapture.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: packetcaptures.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .status.phase + description: The phase of the PacketCapture. + name: Phase + type: string + - jsonPath: .spec.source.pod + description: The name of the source Pod. + name: Source-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.pod + description: The name of the destination Pod. + name: Destination-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.ip + description: The IP address of the destination. + name: Destination-IP + type: string + priority: 10 + - jsonPath: .spec.timeout + description: Timeout in seconds. + name: Timeout + type: integer + priority: 10 + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - fileServer + - source + - captureConfig + - destination + anyOf: + - properties: + source: + required: [pod] + - properties: + destination: + required: [pod] + properties: + source: + type: object + properties: + pod: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + destination: + type: object + properties: + pod: + type: string + service: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + packet: + type: object + properties: + ipHeader: + type: object + properties: + protocol: + type: integer + minimum: 0 + maximum: 255 + ipv6Header: + type: object + properties: + nextHeader: + type: integer + minimum: 0 + maximum: 65535 + transportHeader: + type: object + properties: + udp: + type: object + properties: + srcPort: + type: integer + minimum: 1 + maximum: 65535 + dstPort: + type: integer + minimum: 1 + maximum: 65535 + tcp: + type: object + properties: + srcPort: + type: integer + minimum: 1 + maximum: 65535 + dstPort: + type: integer + minimum: 1 + maximum: 65535 + flags: + type: integer + minimum: 0 + maximum: 255 + timeout: + type: integer + minimum: 1 + maximum: 300 + captureConfig: + type: object + anyOf: + - properties: + firstN: + required: [number] + properties: + firstN: + type: object + properties: + number: + type: integer + format: int32 + fileServer: + type: object + properties: + url: + type: string + pattern: 's{0,1}ftps{0,1}:\/\/[\w-_./]+:\d+' + status: + type: object + properties: + reason: + type: string + phase: + type: string + startTime: + type: string + numCapturedPackets: + type: integer + packetsFileName: + type: string + + subresources: + status: {} + scope: Cluster + names: + plural: packetcaptures + singular: packetcapture + kind: PacketCapture + shortNames: + - pcp + --- # Source: antrea/crds/supportbundlecollection.yaml apiVersion: apiextensions.k8s.io/v1 @@ -3740,9 +3922,12 @@ data: # be enabled, otherwise this flag will not take effect. # CleanupStaleUDPSvcConntrack: true - # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Enable Traceflow which provides packet tracing feature to diagnose network issue. # Traceflow: true + # Enable PacketCapture feature which supports capturing packets to diagnose network issues. + # PacketCapture: false + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort # NodePortLocal: true @@ -4324,6 +4509,14 @@ rules: - pods/status verbs: - patch + - apiGroups: + - "" + resources: + - secrets + resourceNames: + - antrea-packetcapture-fileserver-auth + verbs: + - get - apiGroups: - "" resources: @@ -4445,6 +4638,20 @@ rules: - patch - create - delete + - apiGroups: + - crd.antrea.io + resources: + - packetcaptures + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - packetcaptures/status + verbs: + - patch - apiGroups: - crd.antrea.io resources: @@ -5138,7 +5345,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 4325a243ab510df539883b6384a30cf8b04ff862796444a6c5c10999159479c5 + checksum/config: e2d1d8af083c88667ac4c22c87dea63e595b2f4f770190c32afb00c480440fe3 labels: app: antrea component: antrea-agent @@ -5377,7 +5584,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 4325a243ab510df539883b6384a30cf8b04ff862796444a6c5c10999159479c5 + checksum/config: e2d1d8af083c88667ac4c22c87dea63e595b2f4f770190c32afb00c480440fe3 labels: app: antrea component: antrea-controller diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml index 12b550e747b..037181f4a7d 100644 --- a/build/yamls/antrea-gke.yml +++ b/build/yamls/antrea-gke.yml @@ -2866,6 +2866,188 @@ spec: shortNames: - nlm +--- +# Source: antrea/crds/packetcapture.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: packetcaptures.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .status.phase + description: The phase of the PacketCapture. + name: Phase + type: string + - jsonPath: .spec.source.pod + description: The name of the source Pod. + name: Source-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.pod + description: The name of the destination Pod. + name: Destination-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.ip + description: The IP address of the destination. + name: Destination-IP + type: string + priority: 10 + - jsonPath: .spec.timeout + description: Timeout in seconds. + name: Timeout + type: integer + priority: 10 + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - fileServer + - source + - captureConfig + - destination + anyOf: + - properties: + source: + required: [pod] + - properties: + destination: + required: [pod] + properties: + source: + type: object + properties: + pod: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + destination: + type: object + properties: + pod: + type: string + service: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + packet: + type: object + properties: + ipHeader: + type: object + properties: + protocol: + type: integer + minimum: 0 + maximum: 255 + ipv6Header: + type: object + properties: + nextHeader: + type: integer + minimum: 0 + maximum: 65535 + transportHeader: + type: object + properties: + udp: + type: object + properties: + srcPort: + type: integer + minimum: 1 + maximum: 65535 + dstPort: + type: integer + minimum: 1 + maximum: 65535 + tcp: + type: object + properties: + srcPort: + type: integer + minimum: 1 + maximum: 65535 + dstPort: + type: integer + minimum: 1 + maximum: 65535 + flags: + type: integer + minimum: 0 + maximum: 255 + timeout: + type: integer + minimum: 1 + maximum: 300 + captureConfig: + type: object + anyOf: + - properties: + firstN: + required: [number] + properties: + firstN: + type: object + properties: + number: + type: integer + format: int32 + fileServer: + type: object + properties: + url: + type: string + pattern: 's{0,1}ftps{0,1}:\/\/[\w-_./]+:\d+' + status: + type: object + properties: + reason: + type: string + phase: + type: string + startTime: + type: string + numCapturedPackets: + type: integer + packetsFileName: + type: string + + subresources: + status: {} + scope: Cluster + names: + plural: packetcaptures + singular: packetcapture + kind: PacketCapture + shortNames: + - pcp + --- # Source: antrea/crds/supportbundlecollection.yaml apiVersion: apiextensions.k8s.io/v1 @@ -3740,9 +3922,12 @@ data: # be enabled, otherwise this flag will not take effect. # CleanupStaleUDPSvcConntrack: true - # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Enable Traceflow which provides packet tracing feature to diagnose network issue. # Traceflow: true + # Enable PacketCapture feature which supports capturing packets to diagnose network issues. + # PacketCapture: false + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort # NodePortLocal: true @@ -4324,6 +4509,14 @@ rules: - pods/status verbs: - patch + - apiGroups: + - "" + resources: + - secrets + resourceNames: + - antrea-packetcapture-fileserver-auth + verbs: + - get - apiGroups: - "" resources: @@ -4445,6 +4638,20 @@ rules: - patch - create - delete + - apiGroups: + - crd.antrea.io + resources: + - packetcaptures + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - packetcaptures/status + verbs: + - patch - apiGroups: - crd.antrea.io resources: @@ -5138,7 +5345,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: f5cf00de39a27790a7e158a3eca79123de415b3b09d389ac984b74027bbfaade + checksum/config: 7e42a403d388e2ed556d9b41f4af83917eadd0863d4e2bef67353f5adb2ef6c3 labels: app: antrea component: antrea-agent @@ -5374,7 +5581,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: f5cf00de39a27790a7e158a3eca79123de415b3b09d389ac984b74027bbfaade + checksum/config: 7e42a403d388e2ed556d9b41f4af83917eadd0863d4e2bef67353f5adb2ef6c3 labels: app: antrea component: antrea-controller diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml index b9fb72487d8..2188aa60cf1 100644 --- a/build/yamls/antrea-ipsec.yml +++ b/build/yamls/antrea-ipsec.yml @@ -2866,6 +2866,188 @@ spec: shortNames: - nlm +--- +# Source: antrea/crds/packetcapture.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: packetcaptures.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .status.phase + description: The phase of the PacketCapture. + name: Phase + type: string + - jsonPath: .spec.source.pod + description: The name of the source Pod. + name: Source-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.pod + description: The name of the destination Pod. + name: Destination-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.ip + description: The IP address of the destination. + name: Destination-IP + type: string + priority: 10 + - jsonPath: .spec.timeout + description: Timeout in seconds. + name: Timeout + type: integer + priority: 10 + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - fileServer + - source + - captureConfig + - destination + anyOf: + - properties: + source: + required: [pod] + - properties: + destination: + required: [pod] + properties: + source: + type: object + properties: + pod: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + destination: + type: object + properties: + pod: + type: string + service: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + packet: + type: object + properties: + ipHeader: + type: object + properties: + protocol: + type: integer + minimum: 0 + maximum: 255 + ipv6Header: + type: object + properties: + nextHeader: + type: integer + minimum: 0 + maximum: 65535 + transportHeader: + type: object + properties: + udp: + type: object + properties: + srcPort: + type: integer + minimum: 1 + maximum: 65535 + dstPort: + type: integer + minimum: 1 + maximum: 65535 + tcp: + type: object + properties: + srcPort: + type: integer + minimum: 1 + maximum: 65535 + dstPort: + type: integer + minimum: 1 + maximum: 65535 + flags: + type: integer + minimum: 0 + maximum: 255 + timeout: + type: integer + minimum: 1 + maximum: 300 + captureConfig: + type: object + anyOf: + - properties: + firstN: + required: [number] + properties: + firstN: + type: object + properties: + number: + type: integer + format: int32 + fileServer: + type: object + properties: + url: + type: string + pattern: 's{0,1}ftps{0,1}:\/\/[\w-_./]+:\d+' + status: + type: object + properties: + reason: + type: string + phase: + type: string + startTime: + type: string + numCapturedPackets: + type: integer + packetsFileName: + type: string + + subresources: + status: {} + scope: Cluster + names: + plural: packetcaptures + singular: packetcapture + kind: PacketCapture + shortNames: + - pcp + --- # Source: antrea/crds/supportbundlecollection.yaml apiVersion: apiextensions.k8s.io/v1 @@ -3753,9 +3935,12 @@ data: # be enabled, otherwise this flag will not take effect. # CleanupStaleUDPSvcConntrack: true - # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Enable Traceflow which provides packet tracing feature to diagnose network issue. # Traceflow: true + # Enable PacketCapture feature which supports capturing packets to diagnose network issues. + # PacketCapture: false + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort # NodePortLocal: true @@ -4337,6 +4522,14 @@ rules: - pods/status verbs: - patch + - apiGroups: + - "" + resources: + - secrets + resourceNames: + - antrea-packetcapture-fileserver-auth + verbs: + - get - apiGroups: - "" resources: @@ -4458,6 +4651,20 @@ rules: - patch - create - delete + - apiGroups: + - crd.antrea.io + resources: + - packetcaptures + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - packetcaptures/status + verbs: + - patch - apiGroups: - crd.antrea.io resources: @@ -5151,7 +5358,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 9e94f199d125877d889ba73e053c95b342e89323d0423cde074ae074df379494 + checksum/config: 7d8b0a065c3db85e34e127fdf38b820b32712657900e3f8fe2703d4310c40632 checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4 labels: app: antrea @@ -5433,7 +5640,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 9e94f199d125877d889ba73e053c95b342e89323d0423cde074ae074df379494 + checksum/config: 7d8b0a065c3db85e34e127fdf38b820b32712657900e3f8fe2703d4310c40632 labels: app: antrea component: antrea-controller diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml index 13f314dd022..d3c0eaf76eb 100644 --- a/build/yamls/antrea.yml +++ b/build/yamls/antrea.yml @@ -2866,6 +2866,188 @@ spec: shortNames: - nlm +--- +# Source: antrea/crds/packetcapture.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: packetcaptures.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .status.phase + description: The phase of the PacketCapture. + name: Phase + type: string + - jsonPath: .spec.source.pod + description: The name of the source Pod. + name: Source-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.pod + description: The name of the destination Pod. + name: Destination-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.ip + description: The IP address of the destination. + name: Destination-IP + type: string + priority: 10 + - jsonPath: .spec.timeout + description: Timeout in seconds. + name: Timeout + type: integer + priority: 10 + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - fileServer + - source + - captureConfig + - destination + anyOf: + - properties: + source: + required: [pod] + - properties: + destination: + required: [pod] + properties: + source: + type: object + properties: + pod: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + destination: + type: object + properties: + pod: + type: string + service: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + packet: + type: object + properties: + ipHeader: + type: object + properties: + protocol: + type: integer + minimum: 0 + maximum: 255 + ipv6Header: + type: object + properties: + nextHeader: + type: integer + minimum: 0 + maximum: 65535 + transportHeader: + type: object + properties: + udp: + type: object + properties: + srcPort: + type: integer + minimum: 1 + maximum: 65535 + dstPort: + type: integer + minimum: 1 + maximum: 65535 + tcp: + type: object + properties: + srcPort: + type: integer + minimum: 1 + maximum: 65535 + dstPort: + type: integer + minimum: 1 + maximum: 65535 + flags: + type: integer + minimum: 0 + maximum: 255 + timeout: + type: integer + minimum: 1 + maximum: 300 + captureConfig: + type: object + anyOf: + - properties: + firstN: + required: [number] + properties: + firstN: + type: object + properties: + number: + type: integer + format: int32 + fileServer: + type: object + properties: + url: + type: string + pattern: 's{0,1}ftps{0,1}:\/\/[\w-_./]+:\d+' + status: + type: object + properties: + reason: + type: string + phase: + type: string + startTime: + type: string + numCapturedPackets: + type: integer + packetsFileName: + type: string + + subresources: + status: {} + scope: Cluster + names: + plural: packetcaptures + singular: packetcapture + kind: PacketCapture + shortNames: + - pcp + --- # Source: antrea/crds/supportbundlecollection.yaml apiVersion: apiextensions.k8s.io/v1 @@ -3740,9 +3922,12 @@ data: # be enabled, otherwise this flag will not take effect. # CleanupStaleUDPSvcConntrack: true - # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Enable Traceflow which provides packet tracing feature to diagnose network issue. # Traceflow: true + # Enable PacketCapture feature which supports capturing packets to diagnose network issues. + # PacketCapture: false + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort # NodePortLocal: true @@ -4324,6 +4509,14 @@ rules: - pods/status verbs: - patch + - apiGroups: + - "" + resources: + - secrets + resourceNames: + - antrea-packetcapture-fileserver-auth + verbs: + - get - apiGroups: - "" resources: @@ -4445,6 +4638,20 @@ rules: - patch - create - delete + - apiGroups: + - crd.antrea.io + resources: + - packetcaptures + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - packetcaptures/status + verbs: + - patch - apiGroups: - crd.antrea.io resources: @@ -5138,7 +5345,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 8256bc0d365d60f16d0bdef14cf674be49d525ee1cd921e531f8bf7e521e1421 + checksum/config: 2b4d82bcb825d50926115bad2125097f85aed424bfc49147444314cad8b7826a labels: app: antrea component: antrea-agent @@ -5374,7 +5581,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 8256bc0d365d60f16d0bdef14cf674be49d525ee1cd921e531f8bf7e521e1421 + checksum/config: 2b4d82bcb825d50926115bad2125097f85aed424bfc49147444314cad8b7826a labels: app: antrea component: antrea-controller diff --git a/ci/kind/test-e2e-kind.sh b/ci/kind/test-e2e-kind.sh index 1e91c95c874..1b15a335eec 100755 --- a/ci/kind/test-e2e-kind.sh +++ b/ci/kind/test-e2e-kind.sh @@ -343,6 +343,7 @@ function run_test { export AGENT_IMG_NAME=${antrea_agent_image} export CONTROLLER_IMG_NAME=${antrea_controller_image} fi + if $coverage; then $YML_CMD --encap-mode $current_mode $manifest_args | docker exec -i kind-control-plane dd of=/root/antrea-coverage.yml $YML_CMD --ipsec $manifest_args | docker exec -i kind-control-plane dd of=/root/antrea-ipsec-coverage.yml diff --git a/cmd/antrea-agent/agent.go b/cmd/antrea-agent/agent.go index 24740ec0f67..cce46553b3d 100644 --- a/cmd/antrea-agent/agent.go +++ b/cmd/antrea-agent/agent.go @@ -45,6 +45,7 @@ import ( "antrea.io/antrea/pkg/agent/controller/networkpolicy" "antrea.io/antrea/pkg/agent/controller/networkpolicy/l7engine" "antrea.io/antrea/pkg/agent/controller/noderoute" + "antrea.io/antrea/pkg/agent/controller/packetcapture" "antrea.io/antrea/pkg/agent/controller/serviceexternalip" "antrea.io/antrea/pkg/agent/controller/traceflow" "antrea.io/antrea/pkg/agent/controller/trafficcontrol" @@ -117,6 +118,7 @@ func run(o *Options) error { informerFactory := informers.NewSharedInformerFactoryWithOptions(k8sClient, informerDefaultResync, informers.WithTransform(k8s.NewTrimmer(k8s.TrimNode))) crdInformerFactory := crdinformers.NewSharedInformerFactoryWithOptions(crdClient, informerDefaultResync, crdinformers.WithTransform(k8s.NewTrimmer())) traceflowInformer := crdInformerFactory.Crd().V1beta1().Traceflows() + packetCaptureInformer := crdInformerFactory.Crd().V1alpha1().PacketCaptures() egressInformer := crdInformerFactory.Crd().V1beta1().Egresses() externalIPPoolInformer := crdInformerFactory.Crd().V1beta1().ExternalIPPools() trafficControlInformer := crdInformerFactory.Crd().V1alpha2().TrafficControls() @@ -189,6 +191,7 @@ func run(o *Options) error { enableMulticlusterGW, groupIDAllocator, *o.config.EnablePrometheusMetrics, + features.DefaultFeatureGate.Enabled(features.PacketCapture), o.config.PacketInRate, ) @@ -650,6 +653,20 @@ func run(o *Options) error { o.enableAntreaProxy) } + var packetCaptureController *packetcapture.Controller + if features.DefaultFeatureGate.Enabled(features.PacketCapture) { + packetCaptureController = packetcapture.NewPacketCaptureController( + k8sClient, + crdClient, + serviceInformer, + endpointsInformer, + packetCaptureInformer, + ofClient, + ifaceStore, + nodeConfig, + ) + } + if err := antreaClientProvider.RunOnce(); err != nil { return err } @@ -807,6 +824,10 @@ func run(o *Options) error { go traceflowController.Run(stopCh) } + if features.DefaultFeatureGate.Enabled(features.PacketCapture) { + go packetCaptureController.Run(stopCh) + } + if o.enableAntreaProxy { go proxier.GetProxyProvider().Run(stopCh) diff --git a/docs/api.md b/docs/api.md index 4547cb66738..5000c95aad9 100644 --- a/docs/api.md +++ b/docs/api.md @@ -40,6 +40,7 @@ These are the CRDs currently available in `crd.antrea.io`. | `Group` | v1beta1 | v1.13.0 | N/A | N/A | | `NetworkPolicy` | v1beta1 | v1.13.0 | N/A | N/A | | `NodeLatencyMonitor` | v1alpha1 | v2.1.0 | N/A | N/A | +| `PacketCapture` | v1alpha1 | v2.2 | N/A | N/A | | `SupportBundleCollection` | v1alpha1 | v1.10.0 | N/A | N/A | | `Tier` | v1beta1 | v1.13.0 | N/A | N/A | | `Traceflow` | v1beta1 | v1.13.0 | N/A | N/A | diff --git a/docs/feature-gates.md b/docs/feature-gates.md index 41da9eaac1a..e854254c810 100644 --- a/docs/feature-gates.md +++ b/docs/feature-gates.md @@ -62,6 +62,7 @@ edit the Agent configuration in the | `L7FlowExporter` | Agent | `false` | Alpha | v1.15 | N/A | N/A | Yes | | | `BGPPolicy` | Agent | `false` | Alpha | v2.1 | N/A | N/A | No | | | `NodeLatencyMonitor` | Agent | `false` | Alpha | v2.1 | N/A | N/A | No | | +| `PacketCapture` | Agent | `false` | Alpha | v2.0 | N/A | N/A | No | | ## Description and Requirements of Features @@ -531,3 +532,8 @@ experienced by Pod traffic. #### Requirements for this Feature - Linux Nodes only - the feature has not been tested on Windows Nodes yet. + +### PacketCapture + +`PacketCapture` allows user to capture live traffic packets from specified flow for further analyze. +Refer to this [document](packetcapture-guide.md) for more information. diff --git a/docs/packetcapture-guide.md b/docs/packetcapture-guide.md new file mode 100644 index 00000000000..008bd2b1a9b --- /dev/null +++ b/docs/packetcapture-guide.md @@ -0,0 +1,74 @@ +# Packet Capture User Guide + +Starting with Antrea v2.0, Antrea supports the packet capture feature for network diagnosis. +It can capture specified number of packets from real traffic and upload them to a +supported storage location. Users can create a PacketCapture CRD to trigger +packet capture on the target traffic flow. + +## Prerequisites + +The PacketCapture feature is disabled by default. If you +want to enable this feature, you need to set PacketCapture feature gate to true in +the `antrea-config` ConfigMap for `antrea-agent`. + +```yaml + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable PacketCapture feature which provides packets capture feature to diagnose network issue. + PacketCapture: false +``` + +## Start a new PacketCapture + +When starting a new packet capture, you can provide the following information to identify +the target flow: + +* Source Pod +* Destination Pod, Service or IP address +* Transport protocol (TCP/UDP/ICMP) +* Transport ports + +You can start a new packet capture by creating a PacketCapture CR using +`kubectl`. Before that, a `Secret` named `antrea-packetcapture-fileserver-auth` located in `kube-system` namespace +must exist and carry the auth information for the target file server. You can also create the secret using +`kubectl`: + +```bash +kubectl create secret generic antrea-packetcapture-fileserver-auth -n kube-system --from-literal=username='' --from-literal=password='' +``` + +And here is an example of `PacketCapture` CR: + +```yaml +apiVersion: crd.antrea.io/v1alpha1 +kind: PacketCapture +metadata: + name: pc-test +spec: + fileServer: + url: sftp://127.0.0.1:22/upload # define your own ftp url here. + timeout: 60 + captureConfig: + firstN: + number: 5 + source: + namespace: default + pod: frontend + destination: + namespace: default + pod: backend + # Destination can also be an IP address ('ip' field) or a Service name ('service' field); the 3 choices are mutually exclusive. + packet: + ipHeader: # If ipHeader/ipv6Header is not set, the default value is IPv4 + ICMP. + protocol: 6 # Protocol here can be 6 (TCP), 17 (UDP) or 1 (ICMP); default value is 1 (ICMP). + transportHeader: + tcp: + dstPort: 8080 # Destination port needs to be set when the protocol is TCP/UDP. +``` + +The CRD above starts a new packet capture from a Pod named `frontend` +to the port 8080 of a Pod named `backend` using TCP protocol. It will capture the first 5 packets +that meet this criterion and upload them to the specified file server. Users can download the +packet file from the ftp server and analyze its contents with network diagnose tools +like Wireshark or `tcpdump`. diff --git a/go.mod b/go.mod index 749f70da367..03bf24767e7 100644 --- a/go.mod +++ b/go.mod @@ -27,6 +27,7 @@ require ( github.com/go-logr/logr v1.4.2 github.com/gogo/protobuf v1.3.2 github.com/google/btree v1.1.3 + github.com/google/gopacket v1.1.19 github.com/google/uuid v1.6.0 github.com/hashicorp/memberlist v0.5.1 github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.3.0 diff --git a/go.sum b/go.sum index 5f205a9fa28..6c64ff09d92 100644 --- a/go.sum +++ b/go.sum @@ -377,6 +377,8 @@ github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/ github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8= +github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 h1:FKHo8hFI3A+7w0aUQuYXQ+6EN5stWmeY/AZqtM8xk9k= @@ -861,6 +863,8 @@ golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTk golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= @@ -1018,6 +1022,7 @@ golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgw golang.org/x/tools v0.0.0-20190617190820-da514acc4774/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= diff --git a/hack/.notableofcontents b/hack/.notableofcontents index 476abf7da99..5b29b5dea1b 100644 --- a/hack/.notableofcontents +++ b/hack/.notableofcontents @@ -38,6 +38,7 @@ docs/noencap-hybrid-modes.md docs/octant-plugin-installation.md docs/os-issues.md docs/ovs-offload.md +docs/packetcapture-guide.md docs/prometheus-integration.md docs/secondary-network.md docs/security.md diff --git a/multicluster/test/mocks/mock_controller_runtime_manager.go b/multicluster/test/mocks/mock_controller_runtime_manager.go index b1af80f9eec..9c310a1ee1f 100644 --- a/multicluster/test/mocks/mock_controller_runtime_manager.go +++ b/multicluster/test/mocks/mock_controller_runtime_manager.go @@ -371,4 +371,4 @@ func (m *MockLeaderElectionRunnable) NeedLeaderElection() bool { func (mr *MockLeaderElectionRunnableMockRecorder) NeedLeaderElection() *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NeedLeaderElection", reflect.TypeOf((*MockLeaderElectionRunnable)(nil).NeedLeaderElection)) -} \ No newline at end of file +} diff --git a/pkg/agent/controller/networkpolicy/audit_logging.go b/pkg/agent/controller/networkpolicy/audit_logging.go index 26dce3b746a..114e866fa9d 100644 --- a/pkg/agent/controller/networkpolicy/audit_logging.go +++ b/pkg/agent/controller/networkpolicy/audit_logging.go @@ -233,7 +233,7 @@ func getNetworkPolicyInfo(pktIn *ofctrl.PacketIn, packet *binding.Packet, c *Con // Get disposition Allow or Drop. match = getMatchRegField(matchers, openflow.APDispositionField) - disposition, err := getInfoInReg(match, openflow.APDispositionField.GetRange().ToNXRange()) + disposition, err := openflow.GetInfoInReg(match, openflow.APDispositionField.GetRange().ToNXRange()) if err != nil { return fmt.Errorf("received error while unloading disposition from reg: %v", err) } @@ -241,7 +241,7 @@ func getNetworkPolicyInfo(pktIn *ofctrl.PacketIn, packet *binding.Packet, c *Con // Get layer 7 NetworkPolicy redirect action, if traffic is redirected, disposition log should be overwritten. if match = getMatchRegField(matchers, openflow.L7NPRegField); match != nil { - l7NPRegVal, err := getInfoInReg(match, openflow.L7NPRegField.GetRange().ToNXRange()) + l7NPRegVal, err := openflow.GetInfoInReg(match, openflow.L7NPRegField.GetRange().ToNXRange()) if err != nil { return fmt.Errorf("received error while unloading l7 NP redirect value from reg: %v", err) } @@ -252,7 +252,7 @@ func getNetworkPolicyInfo(pktIn *ofctrl.PacketIn, packet *binding.Packet, c *Con // Get K8s default deny action, if traffic is default deny, no conjunction could be matched. if match = getMatchRegField(matchers, openflow.APDenyRegMark.GetField()); match != nil { - apDenyRegVal, err := getInfoInReg(match, openflow.APDenyRegMark.GetField().GetRange().ToNXRange()) + apDenyRegVal, err := openflow.GetInfoInReg(match, openflow.APDenyRegMark.GetField().GetRange().ToNXRange()) if err != nil { return fmt.Errorf("received error while unloading deny mark from reg: %v", err) } @@ -269,7 +269,7 @@ func getNetworkPolicyInfo(pktIn *ofctrl.PacketIn, packet *binding.Packet, c *Con match = getMatch(matchers, tableID, disposition) // Get NetworkPolicy full name and OF priority of the conjunction. - conjID, err := getInfoInReg(match, nil) + conjID, err := openflow.GetInfoInReg(match, nil) if err != nil { return fmt.Errorf("received error while unloading conjunction id from reg: %v", err) } diff --git a/pkg/agent/controller/networkpolicy/packetin.go b/pkg/agent/controller/networkpolicy/packetin.go index ac7de7f95ea..1c1fd2e7403 100644 --- a/pkg/agent/controller/networkpolicy/packetin.go +++ b/pkg/agent/controller/networkpolicy/packetin.go @@ -21,7 +21,6 @@ import ( "net/netip" "time" - "antrea.io/libOpenflow/openflow15" "antrea.io/ofnet/ofctrl" "github.com/vmware/go-ipfix/pkg/registry" "k8s.io/klog/v2" @@ -91,18 +90,6 @@ func getMatch(matchers *ofctrl.Matchers, tableID uint8, disposition uint32) *ofc return nil } -// getInfoInReg unloads and returns data stored in the match field. -func getInfoInReg(regMatch *ofctrl.MatchField, rng *openflow15.NXRange) (uint32, error) { - regValue, ok := regMatch.GetValue().(*ofctrl.NXRegister) - if !ok { - return 0, errors.New("register value cannot be retrieved") - } - if rng != nil { - return ofctrl.GetUint32ValueWithRange(regValue.Data, rng), nil - } - return regValue.Data, nil -} - func (c *Controller) storeDenyConnection(pktIn *ofctrl.PacketIn) error { packet, err := binding.ParsePacketIn(pktIn) if err != nil { @@ -147,7 +134,7 @@ func (c *Controller) storeDenyConnection(pktIn *ofctrl.PacketIn) error { tableID := getPacketInTableID(pktIn) // Get disposition Allow, Drop or Reject match = getMatchRegField(matchers, openflow.APDispositionField) - id, err := getInfoInReg(match, openflow.APDispositionField.GetRange().ToNXRange()) + id, err := openflow.GetInfoInReg(match, openflow.APDispositionField.GetRange().ToNXRange()) if err != nil { return fmt.Errorf("error when getting disposition from reg: %v", err) } @@ -156,7 +143,7 @@ func (c *Controller) storeDenyConnection(pktIn *ofctrl.PacketIn) error { // Set match to corresponding ingress/egress reg according to disposition match = getMatch(matchers, tableID, id) if match != nil { - ruleID, err := getInfoInReg(match, nil) + ruleID, err := openflow.GetInfoInReg(match, nil) if err != nil { return fmt.Errorf("error when obtaining rule id from reg: %v", err) } @@ -223,7 +210,7 @@ func getPacketInTableID(pktIn *ofctrl.PacketIn) uint8 { tableID := pktIn.TableId matchers := pktIn.GetMatches() if match := getMatchRegField(matchers, openflow.PacketInTableField); match != nil { - tableVal, err := getInfoInReg(match, openflow.PacketInTableField.GetRange().ToNXRange()) + tableVal, err := openflow.GetInfoInReg(match, openflow.PacketInTableField.GetRange().ToNXRange()) if err == nil { return uint8(tableVal) } else { diff --git a/pkg/agent/controller/networkpolicy/reject.go b/pkg/agent/controller/networkpolicy/reject.go index 75de5abd6b5..4c2fcc95635 100644 --- a/pkg/agent/controller/networkpolicy/reject.go +++ b/pkg/agent/controller/networkpolicy/reject.go @@ -142,7 +142,7 @@ func (c *Controller) rejectRequest(pktIn *ofctrl.PacketIn) error { if c.antreaProxyEnabled { matches := pktIn.GetMatches() if match := getMatchRegField(matches, openflow.ServiceEPStateField); match != nil { - svcEpstate, err := getInfoInReg(match, openflow.ServiceEPStateField.GetRange().ToNXRange()) + svcEpstate, err := openflow.GetInfoInReg(match, openflow.ServiceEPStateField.GetRange().ToNXRange()) if err != nil { return false } @@ -343,7 +343,7 @@ func parseFlexibleIPAMStatus(pktIn *ofctrl.PacketIn, nodeConfig *config.NodeConf // The generated reject packet should have same ctZone with the incoming packet, otherwise the conntrack cannot work properly. matches := pktIn.GetMatches() if match := getMatchRegField(matches, openflow.CtZoneField); match != nil { - ctZone, err = getInfoInReg(match, openflow.CtZoneField.GetRange().ToNXRange()) + ctZone, err = openflow.GetInfoInReg(match, openflow.CtZoneField.GetRange().ToNXRange()) if err != nil { return false, false, 0, err } diff --git a/pkg/agent/controller/packetcapture/packetcapture_controller.go b/pkg/agent/controller/packetcapture/packetcapture_controller.go new file mode 100644 index 00000000000..9257a70e9ea --- /dev/null +++ b/pkg/agent/controller/packetcapture/packetcapture_controller.go @@ -0,0 +1,747 @@ +// Copyright 2024 Antrea Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package packetcapture + +import ( + "context" + "encoding/json" + "errors" + "fmt" + "net" + "os" + "path/filepath" + "sync" + "time" + + "antrea.io/libOpenflow/protocol" + "github.com/google/gopacket/layers" + "github.com/google/gopacket/pcapgo" + "github.com/spf13/afero" + "golang.org/x/time/rate" + v1 "k8s.io/api/core/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/apimachinery/pkg/util/wait" + coreinformers "k8s.io/client-go/informers/core/v1" + clientset "k8s.io/client-go/kubernetes" + corelisters "k8s.io/client-go/listers/core/v1" + "k8s.io/client-go/tools/cache" + "k8s.io/client-go/util/workqueue" + "k8s.io/klog/v2" + + "antrea.io/antrea/pkg/agent/config" + "antrea.io/antrea/pkg/agent/interfacestore" + "antrea.io/antrea/pkg/agent/openflow" + "antrea.io/antrea/pkg/agent/util" + crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + clientsetversioned "antrea.io/antrea/pkg/client/clientset/versioned" + crdinformers "antrea.io/antrea/pkg/client/informers/externalversions/crd/v1alpha1" + crdlisters "antrea.io/antrea/pkg/client/listers/crd/v1alpha1" + binding "antrea.io/antrea/pkg/ovs/openflow" + "antrea.io/antrea/pkg/util/ftp" +) + +type StorageProtocolType string + +const ( + sftpProtocol StorageProtocolType = "sftp" +) + +const ( + controllerName = "AntreaAgentPacketCaptureController" + resyncPeriod time.Duration = 0 + + minRetryDelay = 5 * time.Second + maxRetryDelay = 300 * time.Second + + defaultWorkers = 4 + + // 4bits in ovs reg4 + minTagNum uint8 = 1 + maxTagNum uint8 = 15 + + // reason for timeout + captureTimeoutReason = "PacketCapture timeout" + defaultTimeoutDuration = time.Second * time.Duration(crdv1alpha1.DefaultPacketCaptureTimeout) + timeoutCheckInterval = 10 * time.Second + + captureStatusUpdatePeriod = 10 * time.Second + + // PacketCapture uses a dedicated secret object to store auth info for file server. + // #nosec G101 + fileServerAuthSecretName = "antrea-packetcapture-fileserver-auth" + fileServerAuthSecretNamespace = "kube-system" +) + +var ( + packetDirectory = getPacketDirectory() + defaultFS = afero.NewOsFs() +) + +func getPacketDirectory() string { + return filepath.Join(os.TempDir(), "antrea", "packetcapture", "packets") +} + +type packetCaptureState struct { + // name is the PacketCapture name + name string + // tag is a node scope unique id for the PacketCapture. It will be written into ovs reg and parsed in packetIn handler + // to match with existing PacketCapture. + tag uint8 + // shouldSyncPackets means this node will be responsible for doing the actual packet capture job. + shouldSyncPackets bool + // numCapturedPackets record how many packets has been captured. Due to the RateLimiter, + // this maybe not be realtime data. + numCapturedPackets int32 + // maxNumCapturedPackets is target number limit for our capture. If numCapturedPackets=maxNumCapturedPackets, means + // the PacketCapture is succeeded. + maxNumCapturedPackets int32 + // updateRateLimiter controls the frequency of the updates to PacketCapture status. + updateRateLimiter *rate.Limiter + // pcapngFile is the file object for the packet file. + pcapngFile afero.File + // pcapngWriter is the writer for the packet file. + pcapngWriter *pcapgo.NgWriter +} + +type Controller struct { + kubeClient clientset.Interface + crdClient clientsetversioned.Interface + serviceLister corelisters.ServiceLister + serviceListerSynced cache.InformerSynced + endpointLister corelisters.EndpointsLister + endpointSynced cache.InformerSynced + packetCaptureInformer crdinformers.PacketCaptureInformer + packetCaptureLister crdlisters.PacketCaptureLister + packetCaptureSynced cache.InformerSynced + ofClient openflow.Client + interfaceStore interfacestore.InterfaceStore + nodeConfig *config.NodeConfig + queue workqueue.RateLimitingInterface + runningPacketCapturesMutex sync.RWMutex + runningPacketCaptures map[uint8]*packetCaptureState + sftpUploader ftp.Uploader +} + +func NewPacketCaptureController( + kubeClient clientset.Interface, + crdClient clientsetversioned.Interface, + serviceInformer coreinformers.ServiceInformer, + endpointInformer coreinformers.EndpointsInformer, + packetCaptureInformer crdinformers.PacketCaptureInformer, + client openflow.Client, + interfaceStore interfacestore.InterfaceStore, + nodeConfig *config.NodeConfig, +) *Controller { + c := &Controller{ + kubeClient: kubeClient, + crdClient: crdClient, + packetCaptureInformer: packetCaptureInformer, + packetCaptureLister: packetCaptureInformer.Lister(), + packetCaptureSynced: packetCaptureInformer.Informer().HasSynced, + ofClient: client, + interfaceStore: interfaceStore, + nodeConfig: nodeConfig, + queue: workqueue.NewRateLimitingQueueWithConfig(workqueue.NewItemExponentialFailureRateLimiter(minRetryDelay, maxRetryDelay), + workqueue.RateLimitingQueueConfig{Name: "packetcapture"}), + runningPacketCaptures: make(map[uint8]*packetCaptureState), + sftpUploader: &ftp.SftpUploader{}, + } + + packetCaptureInformer.Informer().AddEventHandlerWithResyncPeriod(cache.ResourceEventHandlerFuncs{ + AddFunc: c.addPacketCapture, + UpdateFunc: c.updatePacketCapture, + DeleteFunc: c.deletePacketCapture, + }, resyncPeriod) + + c.ofClient.RegisterPacketInHandler(uint8(openflow.PacketInCategoryPacketCapture), c) + + c.serviceLister = serviceInformer.Lister() + c.serviceListerSynced = serviceInformer.Informer().HasSynced + c.endpointLister = endpointInformer.Lister() + c.endpointSynced = endpointInformer.Informer().HasSynced + return c +} + +func (c *Controller) enqueuePacketCapture(pc *crdv1alpha1.PacketCapture) { + c.queue.Add(pc.Name) +} + +// Run will create defaultWorkers workers (go routines) which will process the PacketCapture events from the +// workqueue. +func (c *Controller) Run(stopCh <-chan struct{}) { + defer c.queue.ShutDown() + + klog.InfoS("Starting packetcapture controller", "name", controllerName) + defer klog.InfoS("Shutting down packetcapture controller", "name", controllerName) + + cacheSynced := []cache.InformerSynced{c.packetCaptureSynced, c.serviceListerSynced, c.endpointSynced} + if !cache.WaitForNamedCacheSync(controllerName, stopCh, cacheSynced...) { + return + } + + // cleanup existing packets file first. successful PacketCapture will upload them to the target file server. + // others are useless once we restart the controller. + if err := defaultFS.RemoveAll(packetDirectory); err != nil { + klog.ErrorS(err, "Remove packets dir error", "directory", packetDirectory) + } + err := defaultFS.MkdirAll(packetDirectory, 0755) + if err != nil { + klog.ErrorS(err, "Couldn't create directory for storing captured packets", "directory", packetDirectory) + return + } + + go wait.Until(c.checkPacketCaptureTimeout, timeoutCheckInterval, stopCh) + + for i := 0; i < defaultWorkers; i++ { + go wait.Until(c.worker, time.Second, stopCh) + } + <-stopCh +} + +func (c *Controller) checkPacketCaptureTimeout() { + c.runningPacketCapturesMutex.RLock() + pcs := make([]string, 0, len(c.runningPacketCaptures)) + for _, pcState := range c.runningPacketCaptures { + pcs = append(pcs, pcState.name) + } + c.runningPacketCapturesMutex.RUnlock() + for _, pcName := range pcs { + // Re-post all running PacketCapture requests to the work queue to + // be processed and checked for timeout. + c.queue.Add(pcName) + } +} + +func (c *Controller) addPacketCapture(obj interface{}) { + pc := obj.(*crdv1alpha1.PacketCapture) + klog.InfoS("Processing PacketCapture ADD event", "name", pc.Name) + c.enqueuePacketCapture(pc) +} + +func (c *Controller) updatePacketCapture(_, obj interface{}) { + pc := obj.(*crdv1alpha1.PacketCapture) + klog.InfoS("Processing PacketCapture UPDATE event", "name", pc.Name) + c.enqueuePacketCapture(pc) +} + +func (c *Controller) deletePacketCapture(obj interface{}) { + pc := obj.(*crdv1alpha1.PacketCapture) + klog.InfoS("Processing PacketCapture DELETE event", "name", pc.Name) + err := deletePcapngFile(string(pc.UID)) + if err != nil { + klog.ErrorS(err, "Couldn't delete pcapng file") + } + c.enqueuePacketCapture(pc) +} + +func deletePcapngFile(uid string) error { + return defaultFS.Remove(uidToPath(uid)) +} + +func uidToPath(uid string) string { + return filepath.Join(packetDirectory, uid+".pcapng") +} + +func (c *Controller) worker() { + for c.processPacketCaptureItem() { + } +} + +func (c *Controller) processPacketCaptureItem() bool { + obj, quit := c.queue.Get() + if quit { + return false + } + + defer c.queue.Done(obj) + if key, ok := obj.(string); !ok { + c.queue.Forget(obj) + klog.ErrorS(nil, "Expected string in work queue but got non-string object", "obj", obj) + return true + } else if err := c.syncPacketCapture(key); err == nil { + c.queue.Forget(key) + } else { + klog.ErrorS(err, "Error syncing PacketCapture, exiting", "key", key) + } + return true +} + +func (c *Controller) cleanupPacketCapture(pcName string) { + pcState := c.deletePacketCaptureState(pcName) + if pcState != nil { + err := c.ofClient.UninstallPacketCaptureFlows(pcState.tag) + if err != nil { + klog.ErrorS(err, "Error cleaning up flows for PacketCapture", "name", pcName) + } + if pcState.pcapngFile != nil { + if err := pcState.pcapngFile.Close(); err != nil { + klog.ErrorS(err, "Error closing pcap file", "name", pcName) + } + } + } +} + +func (c *Controller) deletePacketCaptureState(pcName string) *packetCaptureState { + c.runningPacketCapturesMutex.Lock() + defer c.runningPacketCapturesMutex.Unlock() + + for tag, state := range c.runningPacketCaptures { + if state.name == pcName { + delete(c.runningPacketCaptures, tag) + return state + } + } + return nil +} + +func (c *Controller) startPacketCapture(pc *crdv1alpha1.PacketCapture, pcState *packetCaptureState) error { + var err error + defer func() { + if err != nil { + c.cleanupPacketCapture(pc.Name) + c.updatePacketCaptureStatus(pc, crdv1alpha1.PacketCaptureFailed, fmt.Sprintf("Node: %s, Error: %+v", c.nodeConfig.Name, err), 0) + + } + }() + receiverOnly := false + senderOnly := false + var pod, ns string + + if pc.Spec.Source.Pod != "" { + pod = pc.Spec.Source.Pod + ns = pc.Spec.Source.Namespace + if pc.Spec.Destination.Pod == "" { + senderOnly = true + } + } else { + pod = pc.Spec.Destination.Pod + ns = pc.Spec.Destination.Namespace + receiverOnly = true + } + + podInterfaces := c.interfaceStore.GetContainerInterfacesByPod(pod, ns) + pcState.shouldSyncPackets = len(podInterfaces) > 0 + if !pcState.shouldSyncPackets { + return nil + } + var packet, senderPacket *binding.Packet + var endpointPackets []binding.Packet + var ofPort uint32 + packet, err = c.preparePacket(pc, podInterfaces[0], receiverOnly) + if err != nil { + return err + } + ofPort = uint32(podInterfaces[0].OFPort) + senderPacket = packet + klog.V(2).InfoS("PacketCapture sender packet", "packet", *packet) + if senderOnly && pc.Spec.Destination.Service != "" { + endpointPackets, err = c.genEndpointMatchPackets(pc) + if err != nil { + return fmt.Errorf("couldn't generate endpoint match packets: %w", err) + } + } + + c.runningPacketCapturesMutex.Lock() + pcState.maxNumCapturedPackets = pc.Spec.CaptureConfig.FirstN.Number + var file afero.File + filePath := uidToPath(string(pc.UID)) + if _, err := os.Stat(filePath); err == nil { + return fmt.Errorf("packet file already exists. this may be due to an unexpected termination") + } else if os.IsNotExist(err) { + file, err = defaultFS.Create(filePath) + if err != nil { + return fmt.Errorf("failed to create pcapng file: %w", err) + } + } else { + return fmt.Errorf("couldn't check if the file exists: %w", err) + } + writer, err := pcapgo.NewNgWriter(file, layers.LinkTypeEthernet) + if err != nil { + return fmt.Errorf("couldn't init pcap writer: %w", err) + } + pcState.shouldSyncPackets = len(podInterfaces) > 0 + pcState.pcapngFile = file + pcState.pcapngWriter = writer + pcState.updateRateLimiter = rate.NewLimiter(rate.Every(captureStatusUpdatePeriod), 1) + c.runningPacketCaptures[pcState.tag] = pcState + c.runningPacketCapturesMutex.Unlock() + + timeout := crdv1alpha1.DefaultPacketCaptureTimeout + if pc.Spec.Timeout != nil { + timeout = *pc.Spec.Timeout + } + klog.V(2).InfoS("Installing flow entries for PacketCapture", "name", pc.Name) + err = c.ofClient.InstallPacketCaptureFlows(pcState.tag, senderOnly, receiverOnly, senderPacket, endpointPackets, ofPort, timeout) + if err != nil { + klog.ErrorS(err, "Install flow entries failed", "name", pc.Name) + } + return err +} + +// genEndpointMatchPackets generates match packets (with destination Endpoint's IP/port info) besides the normal match packet. +// these match packets will help the pipeline to capture the pod -> svc traffic. +// TODO: 1. support name based port name 2. dual-stack support +func (c *Controller) genEndpointMatchPackets(pc *crdv1alpha1.PacketCapture) ([]binding.Packet, error) { + var port int32 + if pc.Spec.Packet.TransportHeader.TCP != nil { + port = pc.Spec.Packet.TransportHeader.TCP.DstPort + } else if pc.Spec.Packet.TransportHeader.UDP != nil { + port = pc.Spec.Packet.TransportHeader.UDP.DstPort + } + var packets []binding.Packet + dstSvc, err := c.serviceLister.Services(pc.Spec.Destination.Namespace).Get(pc.Spec.Destination.Service) + if err != nil { + return nil, err + } + for _, item := range dstSvc.Spec.Ports { + if item.Port == port { + if item.TargetPort.Type == intstr.Int { + port = item.TargetPort.IntVal + } + } + } + dstEndpoint, err := c.endpointLister.Endpoints(pc.Spec.Destination.Namespace).Get(pc.Spec.Destination.Service) + if err != nil { + return nil, err + } + for _, item := range dstEndpoint.Subsets[0].Addresses { + packet := binding.Packet{} + packet.DestinationIP = net.ParseIP(item.IP) + if port != 0 { + packet.DestinationPort = uint16(port) + } + packet.IPProto, _ = parseTargetProto(pc.Spec.Packet) + packets = append(packets, packet) + } + return packets, nil +} + +func (c *Controller) preparePacket(pc *crdv1alpha1.PacketCapture, intf *interfacestore.InterfaceConfig, receiverOnly bool) (*binding.Packet, error) { + packet := new(binding.Packet) + if pc.Spec.Packet == nil { + pc.Spec.Packet = &crdv1alpha1.Packet{} + } + packet.IsIPv6 = pc.Spec.Packet.IPFamily == v1.IPv6Protocol + + if receiverOnly { + if pc.Spec.Source.IP != "" { + packet.SourceIP = net.ParseIP(pc.Spec.Source.IP) + } + packet.DestinationMAC = intf.MAC + } else if pc.Spec.Destination.IP != "" { + packet.DestinationIP = net.ParseIP(pc.Spec.Destination.IP) + } else if pc.Spec.Destination.Pod != "" { + dstPodInterfaces := c.interfaceStore.GetContainerInterfacesByPod(pc.Spec.Destination.Pod, pc.Spec.Destination.Namespace) + if len(dstPodInterfaces) > 0 { + if packet.IsIPv6 { + packet.DestinationIP = dstPodInterfaces[0].GetIPv6Addr() + } else { + packet.DestinationIP = dstPodInterfaces[0].GetIPv4Addr() + } + } else { + dstPod, err := c.kubeClient.CoreV1().Pods(pc.Spec.Destination.Namespace).Get(context.TODO(), pc.Spec.Destination.Pod, metav1.GetOptions{}) + if err != nil { + return nil, fmt.Errorf("failed to get the destination pod %s/%s: %v", pc.Spec.Destination.Namespace, pc.Spec.Destination.Pod, err) + } + podIPs := make([]net.IP, len(dstPod.Status.PodIPs)) + for i, ip := range dstPod.Status.PodIPs { + podIPs[i] = net.ParseIP(ip.IP) + } + if packet.IsIPv6 { + packet.DestinationIP, _ = util.GetIPWithFamily(podIPs, util.FamilyIPv6) + } else { + packet.DestinationIP = util.GetIPv4Addr(podIPs) + } + } + if packet.DestinationIP == nil { + if packet.IsIPv6 { + return nil, errors.New("destination Pod does not have an IPv6 address") + } + return nil, errors.New("destination Pod does not have an IPv4 address") + } + } else if pc.Spec.Destination.Service != "" { + dstSvc, err := c.serviceLister.Services(pc.Spec.Destination.Namespace).Get(pc.Spec.Destination.Service) + if err != nil { + return nil, fmt.Errorf("failed to get the destination service %s/%s: %v", pc.Spec.Destination.Namespace, pc.Spec.Destination.Service, err) + } + if dstSvc.Spec.ClusterIP == "" { + return nil, errors.New("destination Service does not have a ClusterIP") + } + + packet.DestinationIP = net.ParseIP(dstSvc.Spec.ClusterIP) + if !packet.IsIPv6 { + packet.DestinationIP = packet.DestinationIP.To4() + if packet.DestinationIP == nil { + return nil, errors.New("destination Service does not have an IPv4 address") + } + } else if packet.DestinationIP.To4() != nil { + return nil, errors.New("destination Service does not have an IPv6 address") + } + } else { + return nil, errors.New("destination is not specified") + } + + if pc.Spec.Packet.TransportHeader.TCP != nil { + packet.SourcePort = uint16(pc.Spec.Packet.TransportHeader.TCP.SrcPort) + packet.DestinationPort = uint16(pc.Spec.Packet.TransportHeader.TCP.DstPort) + if pc.Spec.Packet.TransportHeader.TCP.Flags != nil { + packet.TCPFlags = uint8(*pc.Spec.Packet.TransportHeader.TCP.Flags) + } + } else if pc.Spec.Packet.TransportHeader.UDP != nil { + packet.SourcePort = uint16(pc.Spec.Packet.TransportHeader.UDP.SrcPort) + packet.DestinationPort = uint16(pc.Spec.Packet.TransportHeader.UDP.DstPort) + } + + proto, err := parseTargetProto(pc.Spec.Packet) + if err != nil { + return nil, err + } + packet.IPProto = proto + return packet, nil +} + +func parseTargetProto(packet *crdv1alpha1.Packet) (uint8, error) { + var ipProto uint8 + isIPv6 := packet.IPFamily == v1.IPv6Protocol + + if packet.TransportHeader.TCP != nil { + ipProto = protocol.Type_TCP + } else if packet.TransportHeader.UDP != nil { + ipProto = protocol.Type_UDP + } else { + ipProto = protocol.Type_ICMP + if isIPv6 { + ipProto = protocol.Type_IPv6ICMP + } + } + + inputProto := packet.Protocol + if inputProto.StrVal == "TCP" { + inputProto = &intstr.IntOrString{Type: intstr.Int, IntVal: protocol.Type_TCP} + } else if inputProto.StrVal == "ICMP" { + inputProto = &intstr.IntOrString{Type: intstr.Int, IntVal: protocol.Type_ICMP} + } else if inputProto.StrVal == "UDP" { + inputProto = &intstr.IntOrString{Type: intstr.Int, IntVal: protocol.Type_UDP} + } else { + inputProto = &intstr.IntOrString{Type: intstr.Int, IntVal: protocol.Type_IPv6ICMP} + } + + if inputProto.IntVal != int32(ipProto) { + return 0, errors.New("Unmatch protocol settings in Packet between transportHeader and protocol") + } + + return ipProto, nil +} + +func (c *Controller) syncPacketCapture(pcName string) error { + startTime := time.Now() + defer func() { + klog.V(4).InfoS("Finished syncing PacketCapture", "name", pcName, "startTime", time.Since(startTime)) + }() + + pc, err := c.packetCaptureLister.Get(pcName) + if err != nil { + if apierrors.IsNotFound(err) { + c.cleanupPacketCapture(pcName) + return nil + } + return err + } + + switch pc.Status.Phase { + case "": + err = c.initPacketCapture(pc) + case crdv1alpha1.PacketCaptureRunning: + err = c.checkPacketCaptureStatus(pc) + default: + c.cleanupPacketCapture(pcName) + } + return err + +} + +// Allocates a tag. If the PacketCapture request has been allocated with a tag +// already, 0 is returned. If number of existing PacketCapture requests reaches +// the upper limit, an error is returned. +func (c *Controller) allocateTag(name string) (uint8, error) { + c.runningPacketCapturesMutex.Lock() + defer c.runningPacketCapturesMutex.Unlock() + + for _, state := range c.runningPacketCaptures { + if state != nil && state.name == name { + // The packetcapture request has been processed already. + return 0, nil + } + } + for i := minTagNum; i <= maxTagNum; i += 1 { + if _, ok := c.runningPacketCaptures[i]; !ok { + c.runningPacketCaptures[i] = &packetCaptureState{ + name: name, + tag: i, + } + return i, nil + } + } + return 0, fmt.Errorf("number of on-going PacketCapture operations already reached the upper limit: %d", maxTagNum) +} + +func (c *Controller) getUploaderByProtocol(protocol StorageProtocolType) (ftp.Uploader, error) { + if protocol == sftpProtocol { + return c.sftpUploader, nil + } + return nil, fmt.Errorf("unsupported protocol %s", protocol) +} + +func (c *Controller) generatePacketsPathForServer(name string) string { + return name + ".pcapng" +} + +func getDefaultFileServerAuth() *crdv1alpha1.BundleServerAuthConfiguration { + return &crdv1alpha1.BundleServerAuthConfiguration{ + AuthType: crdv1alpha1.BasicAuthentication, + AuthSecret: &v1.SecretReference{ + Name: fileServerAuthSecretName, + Namespace: fileServerAuthSecretNamespace, + }, + } +} + +func (c *Controller) uploadPackets(pc *crdv1alpha1.PacketCapture, outputFile afero.File) error { + klog.V(2).InfoS("Uploading captured packets for PacketCapture", "name", pc.Name) + uploader, err := c.getUploaderByProtocol(sftpProtocol) + if err != nil { + return fmt.Errorf("failed to upload support bundle while getting uploader: %v", err) + } + authConfig := getDefaultFileServerAuth() + serverAuth, err := ftp.ParseBundleAuth(*authConfig, c.kubeClient) + if err != nil { + klog.ErrorS(err, "Failed to get authentication defined in the PacketCapture CR", "name", pc.Name, "authentication", authConfig) + return err + } + cfg := ftp.GenSSHClientConfig(serverAuth.BasicAuthentication.Username, serverAuth.BasicAuthentication.Password) + return uploader.Upload(pc.Spec.FileServer.URL, c.generatePacketsPathForServer(string(pc.UID)), cfg, outputFile) + +} + +// initPacketCapture mark the PacketCapture as running and allocate tag for it, then start the capture. the tag will +// serve as a unique id for concurrent processing. +func (c *Controller) initPacketCapture(pc *crdv1alpha1.PacketCapture) error { + tag, err := c.allocateTag(pc.Name) + if err != nil { + return err + } + if tag == 0 { + return nil + } + err = c.updatePacketCaptureStatus(pc, crdv1alpha1.PacketCaptureRunning, "", 0) + if err != nil { + c.deallocateTag(pc.Name, tag) + return err + } + return c.startPacketCapture(pc, c.runningPacketCaptures[tag]) +} + +func (c *Controller) updatePacketCaptureStatus(pc *crdv1alpha1.PacketCapture, phase crdv1alpha1.PacketCapturePhase, reason string, numCapturedPackets int32) error { + type PacketCapture struct { + Status crdv1alpha1.PacketCaptureStatus `json:"status,omitempty"` + } + patchData := PacketCapture{Status: crdv1alpha1.PacketCaptureStatus{Phase: phase}} + if phase == crdv1alpha1.PacketCaptureRunning && pc.Status.StartTime == nil { + t := metav1.Now() + patchData.Status.StartTime = &t + } + if reason != "" { + patchData.Status.Reason = reason + } + if numCapturedPackets != 0 { + patchData.Status.NumCapturedPackets = &numCapturedPackets + } + if phase == crdv1alpha1.PacketCaptureSucceeded { + patchData.Status.PacketsFileName = c.generatePacketsPathForServer(string(pc.UID)) + } + payloads, _ := json.Marshal(patchData) + _, err := c.crdClient.CrdV1alpha1().PacketCaptures().Patch(context.TODO(), pc.Name, types.MergePatchType, payloads, metav1.PatchOptions{}, "status") + return err +} + +func (c *Controller) deallocateTag(name string, tag uint8) { + c.runningPacketCapturesMutex.Lock() + defer c.runningPacketCapturesMutex.Unlock() + if state, ok := c.runningPacketCaptures[tag]; ok { + if state != nil && name == state.name { + delete(c.runningPacketCaptures, tag) + } + } +} + +func (c *Controller) getTagForPacketCapture(name string) uint8 { + c.runningPacketCapturesMutex.RLock() + defer c.runningPacketCapturesMutex.RUnlock() + for tag, state := range c.runningPacketCaptures { + if state != nil && state.name == name { + // The packetcapture request has been processed already. + return tag + } + } + return 0 +} + +// checkPacketCaptureStatus is only called for PacketCaptures in the Running phase +func (c *Controller) checkPacketCaptureStatus(pc *crdv1alpha1.PacketCapture) error { + tag := c.getTagForPacketCapture(pc.Name) + if tag == 0 { + return nil + } + if checkPacketCaptureSucceeded(pc) { + c.deallocateTag(pc.Name, tag) + return c.updatePacketCaptureStatus(pc, crdv1alpha1.PacketCaptureSucceeded, "", 0) + } + + if isPacketCaptureTimeout(pc) { + c.deallocateTag(pc.Name, tag) + return c.updatePacketCaptureStatus(pc, crdv1alpha1.PacketCaptureFailed, captureTimeoutReason, 0) + } + return nil +} + +func checkPacketCaptureSucceeded(pc *crdv1alpha1.PacketCapture) bool { + succeeded := false + cfg := pc.Spec.CaptureConfig.FirstN + captured := pc.Status.NumCapturedPackets + if cfg != nil && captured != nil && *captured == cfg.Number { + succeeded = true + } + return succeeded +} + +func isPacketCaptureTimeout(pc *crdv1alpha1.PacketCapture) bool { + var timeout time.Duration + if pc.Spec.Timeout != nil { + timeout = time.Duration(*pc.Spec.Timeout) * time.Second + } else { + timeout = defaultTimeoutDuration + } + var startTime time.Time + if pc.Status.StartTime != nil { + startTime = pc.Status.StartTime.Time + } else { + klog.V(2).InfoS("StartTime field in PacketCapture Status should not be empty", "PacketCapture", klog.KObj(pc)) + startTime = pc.CreationTimestamp.Time + } + return startTime.Add(timeout).Before(time.Now()) +} diff --git a/pkg/agent/controller/packetcapture/packetcapture_controller_test.go b/pkg/agent/controller/packetcapture/packetcapture_controller_test.go new file mode 100644 index 00000000000..c16e12786ef --- /dev/null +++ b/pkg/agent/controller/packetcapture/packetcapture_controller_test.go @@ -0,0 +1,991 @@ +// Copyright 2024 Antrea Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package packetcapture + +import ( + "bytes" + "net" + "os" + "reflect" + "testing" + "time" + + "antrea.io/libOpenflow/protocol" + "github.com/google/gopacket/layers" + "github.com/google/gopacket/pcapgo" + "github.com/spf13/afero" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "go.uber.org/mock/gomock" + v1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/client-go/informers" + "k8s.io/client-go/kubernetes" + "k8s.io/client-go/kubernetes/fake" + "k8s.io/klog/v2" + + "antrea.io/antrea/pkg/agent/config" + "antrea.io/antrea/pkg/agent/interfacestore" + openflowtest "antrea.io/antrea/pkg/agent/openflow/testing" + "antrea.io/antrea/pkg/agent/util" + crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + fakeversioned "antrea.io/antrea/pkg/client/clientset/versioned/fake" + crdinformers "antrea.io/antrea/pkg/client/informers/externalversions" + binding "antrea.io/antrea/pkg/ovs/openflow" + "antrea.io/antrea/pkg/util/k8s" +) + +var ( + pod1IPv4 = "192.168.10.10" + pod2IPv4 = "192.168.11.10" + service1IPv4 = "10.96.0.10" + dstIPv4 = "192.168.99.99" + pod1MAC, _ = net.ParseMAC("aa:bb:cc:dd:ee:0f") + pod2MAC, _ = net.ParseMAC("aa:bb:cc:dd:ee:00") + ofPortPod1 = uint32(1) + ofPortPod2 = uint32(2) + testTCPFlags = int32(11) + icmp6Proto = intstr.FromInt(58) + + pod1 = v1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "pod-1", + Namespace: "default", + }, + Status: v1.PodStatus{ + PodIP: pod1IPv4, + }, + } + pod2 = v1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "pod-2", + Namespace: "default", + }, + Status: v1.PodStatus{ + PodIP: pod2IPv4, + }, + } + pod3 = v1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "pod-3", + Namespace: "default", + }, + } + + secret1 = v1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: fileServerAuthSecretName, + Namespace: fileServerAuthSecretNamespace, + }, + Data: map[string][]byte{ + "username": []byte("username"), + "password": []byte("password"), + }, + } + + service1 = v1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: "service-1", + Namespace: "default", + }, + Spec: v1.ServiceSpec{ + ClusterIP: service1IPv4, + }, + } +) + +type fakePacketCaptureController struct { + *Controller + kubeClient kubernetes.Interface + mockController *gomock.Controller + mockOFClient *openflowtest.MockClient + crdClient *fakeversioned.Clientset + crdInformerFactory crdinformers.SharedInformerFactory + informerFactory informers.SharedInformerFactory +} + +func newFakePacketCaptureController(t *testing.T, runtimeObjects []runtime.Object, initObjects []runtime.Object, nodeConfig *config.NodeConfig) *fakePacketCaptureController { + controller := gomock.NewController(t) + objs := []runtime.Object{ + &pod1, + &pod2, + &pod3, + &service1, + &secret1, + } + objs = append(objs, generateTestSecret()) + if runtimeObjects != nil { + objs = append(objs, runtimeObjects...) + } + kubeClient := fake.NewSimpleClientset(objs...) + mockOFClient := openflowtest.NewMockClient(controller) + crdClient := fakeversioned.NewSimpleClientset(initObjects...) + crdInformerFactory := crdinformers.NewSharedInformerFactory(crdClient, 0) + packetCaptureInformer := crdInformerFactory.Crd().V1alpha1().PacketCaptures() + informerFactory := informers.NewSharedInformerFactory(kubeClient, 0) + serviceInformer := informerFactory.Core().V1().Services() + endpointInformer := informerFactory.Core().V1().Endpoints() + + ifaceStore := interfacestore.NewInterfaceStore() + addPodInterface(ifaceStore, pod1.Namespace, pod1.Name, pod1IPv4, pod1MAC.String(), int32(ofPortPod1)) + addPodInterface(ifaceStore, pod2.Namespace, pod2.Name, pod2IPv4, pod2MAC.String(), int32(ofPortPod2)) + + mockOFClient.EXPECT().RegisterPacketInHandler(gomock.Any(), gomock.Any()).Times(1) + pcController := NewPacketCaptureController( + kubeClient, + crdClient, + serviceInformer, + endpointInformer, + packetCaptureInformer, + mockOFClient, + ifaceStore, + nodeConfig, + ) + pcController.sftpUploader = &testUploader{} + + return &fakePacketCaptureController{ + Controller: pcController, + kubeClient: kubeClient, + mockController: controller, + mockOFClient: mockOFClient, + crdClient: crdClient, + crdInformerFactory: crdInformerFactory, + informerFactory: informerFactory, + } +} + +func addPodInterface(ifaceStore interfacestore.InterfaceStore, podNamespace, podName, podIP, podMac string, ofPort int32) { + containerName := k8s.NamespacedName(podNamespace, podName) + ifIPs := []net.IP{net.ParseIP(podIP)} + mac, _ := net.ParseMAC(podMac) + ifaceStore.AddInterface(&interfacestore.InterfaceConfig{ + IPs: ifIPs, + MAC: mac, + InterfaceName: util.GenerateContainerInterfaceName(podName, podNamespace, containerName), + ContainerInterfaceConfig: &interfacestore.ContainerInterfaceConfig{PodName: podName, PodNamespace: podNamespace, ContainerID: containerName}, + OVSPortConfig: &interfacestore.OVSPortConfig{OFPort: ofPort}, + }) +} + +func TestErrPacketCaptureCRD(t *testing.T) { + pc := &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{ + Name: "pc", + UID: "uid", + }, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: pod1.Namespace, + Pod: pod1.Name, + }, + Destination: crdv1alpha1.Destination{ + Namespace: pod2.Namespace, + Pod: pod2.Name, + }, + }, + Status: crdv1alpha1.PacketCaptureStatus{ + Phase: crdv1alpha1.PacketCaptureRunning, + }, + } + expectedPC := pc + reason := "failed" + expectedPC.Status.Phase = crdv1alpha1.PacketCaptureFailed + expectedPC.Status.Reason = reason + + pcc := newFakePacketCaptureController(t, nil, []runtime.Object{pc}, nil) + + err := pcc.updatePacketCaptureStatus(pc, crdv1alpha1.PacketCaptureFailed, reason, 0) + require.NoError(t, err) +} + +func TestPreparePacket(t *testing.T) { + pcs := []struct { + name string + pc *crdv1alpha1.PacketCapture + intf *interfacestore.InterfaceConfig + receiverOnly bool + expectedPacket *binding.Packet + expectedErr string + }{ + { + name: "empty destination", + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{Name: "pc2", UID: "uid2"}, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: pod1.Namespace, + Pod: pod1.Name, + }, + }, + }, + expectedErr: "destination is not specified", + }, + { + name: "ipv4 tcp packet", + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{Name: "pc3", UID: "uid3"}, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: pod1.Namespace, + Pod: pod1.Name, + }, + Destination: crdv1alpha1.Destination{ + Namespace: pod2.Namespace, + Pod: pod2.Name, + }, + Packet: &crdv1alpha1.Packet{ + TransportHeader: crdv1alpha1.TransportHeader{ + TCP: &crdv1alpha1.TCPHeader{ + SrcPort: 80, + DstPort: 81, + Flags: &testTCPFlags, + }, + }, + }, + }, + }, + expectedPacket: &binding.Packet{ + DestinationIP: net.ParseIP(pod2IPv4), + IPProto: protocol.Type_TCP, + SourcePort: 80, + DestinationPort: 81, + TCPFlags: 11, + }, + }, + { + name: "receiver only with source ip", + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{Name: "pc4", UID: "uid4"}, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + IP: "192.168.12.4", + }, + Destination: crdv1alpha1.Destination{ + Namespace: pod1.Namespace, + Pod: pod1.Name, + }, + }, + }, + receiverOnly: true, + expectedPacket: &binding.Packet{ + SourceIP: net.ParseIP("192.168.12.4"), + DestinationMAC: pod1MAC, + IPProto: 1, + }, + }, + { + name: "destination Pod without IPv6 address", + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{Name: "pc4", UID: "uid4"}, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: pod1.Namespace, + Pod: pod1.Name, + }, + Destination: crdv1alpha1.Destination{ + Namespace: pod2.Namespace, + Pod: pod2.Name, + }, + Packet: &crdv1alpha1.Packet{ + IPFamily: v1.IPv6Protocol, + }, + }, + }, + expectedErr: "destination Pod does not have an IPv6 address", + }, + { + name: "pod to ipv6 packet capture", + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{Name: "pc5", UID: "uid5"}, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: pod1.Namespace, + Pod: pod1.Name, + }, + Destination: crdv1alpha1.Destination{ + IP: "2001:db8::68", + }, + Packet: &crdv1alpha1.Packet{ + IPFamily: v1.IPv6Protocol, + Protocol: &icmp6Proto, + }, + }, + }, + expectedPacket: &binding.Packet{ + IsIPv6: true, + DestinationIP: net.ParseIP("2001:db8::68"), + IPProto: protocol.Type_IPv6ICMP, + }, + }, + { + name: "tcp packet without flags", + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{Name: "pc6", UID: "uid6"}, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: pod1.Namespace, + Pod: pod1.Name, + }, + Destination: crdv1alpha1.Destination{ + Namespace: pod2.Namespace, + Pod: pod2.Name, + }, + Packet: &crdv1alpha1.Packet{ + TransportHeader: crdv1alpha1.TransportHeader{ + TCP: &crdv1alpha1.TCPHeader{ + SrcPort: 80, + DstPort: 81, + }, + }, + }, + }, + }, + expectedPacket: &binding.Packet{ + DestinationIP: net.ParseIP(pod2IPv4), + IPProto: protocol.Type_TCP, + SourcePort: 80, + DestinationPort: 81, + }, + }, + { + name: "udp packet", + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{Name: "pc7", UID: "uid7"}, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: pod1.Namespace, + Pod: pod1.Name, + }, + Destination: crdv1alpha1.Destination{ + Namespace: pod2.Namespace, + Pod: pod2.Name, + }, + Packet: &crdv1alpha1.Packet{ + TransportHeader: crdv1alpha1.TransportHeader{ + UDP: &crdv1alpha1.UDPHeader{ + SrcPort: 80, + DstPort: 100, + }, + }, + }, + }, + }, + expectedPacket: &binding.Packet{ + DestinationIP: net.ParseIP(pod2IPv4), + IPProto: protocol.Type_UDP, + SourcePort: 80, + DestinationPort: 100, + }, + }, + { + name: "icmp packet", + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{Name: "pc8", UID: "uid8"}, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: pod1.Namespace, + Pod: pod1.Name, + }, + Destination: crdv1alpha1.Destination{ + Namespace: pod2.Namespace, + Pod: pod2.Name, + }, + Packet: &crdv1alpha1.Packet{}, + }, + }, + expectedPacket: &binding.Packet{ + DestinationIP: net.ParseIP(pod2IPv4), + IPProto: protocol.Type_ICMP, + }, + }, + { + name: "destination Pod unavailable", + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{Name: "pc11", UID: "uid11"}, + Spec: crdv1alpha1.PacketCaptureSpec{ + Destination: crdv1alpha1.Destination{ + Pod: "unknown pod", + Namespace: "default", + }, + }, + }, + expectedErr: "failed to get the destination pod default/unknown pod: pods \"unknown pod\"", + }, + { + name: "to service packet", + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{Name: "pc12", UID: "uid12"}, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: pod1.Namespace, + Pod: pod1.Name, + }, + Destination: crdv1alpha1.Destination{ + Service: service1.Name, + Namespace: service1.Namespace, + }, + Packet: &crdv1alpha1.Packet{ + TransportHeader: crdv1alpha1.TransportHeader{ + TCP: &crdv1alpha1.TCPHeader{ + SrcPort: 80, + DstPort: 81, + Flags: &testTCPFlags, + }, + }, + }, + }, + }, + expectedPacket: &binding.Packet{ + DestinationIP: net.ParseIP(service1IPv4).To4(), + IPProto: protocol.Type_TCP, + SourcePort: 80, + DestinationPort: 81, + TCPFlags: 11, + }, + }, + } + for _, pc := range pcs { + t.Run(pc.name, func(t *testing.T) { + pcc := newFakePacketCaptureController(t, nil, []runtime.Object{pc.pc}, nil) + podInterfaces := pcc.interfaceStore.GetContainerInterfacesByPod(pod1.Name, pod1.Namespace) + if pc.intf != nil { + podInterfaces[0] = pc.intf + } + stopCh := make(chan struct{}) + defer close(stopCh) + pcc.crdInformerFactory.Start(stopCh) + pcc.crdInformerFactory.WaitForCacheSync(stopCh) + pcc.informerFactory.Start(stopCh) + pcc.informerFactory.WaitForCacheSync(stopCh) + + pkt, err := pcc.preparePacket(pc.pc, podInterfaces[0], pc.receiverOnly) + if pc.expectedErr == "" { + require.NoError(t, err) + assert.Equal(t, pc.expectedPacket, pkt) + } else { + assert.ErrorContains(t, err, pc.expectedErr) + assert.Nil(t, pkt) + } + }) + } +} + +func TestSyncPacketCapture(t *testing.T) { + // create test os + defaultFS = afero.NewMemMapFs() + defaultFS.MkdirAll("/tmp/antrea/packetcapture/packets", 0755) + file, err := defaultFS.Create(uidToPath(testUID)) + if err != nil { + t.Fatal("create pcapng file error: ", err) + } + + testWriter, err := pcapgo.NewNgWriter(file, layers.LinkTypeEthernet) + if err != nil { + t.Fatal("create test pcapng writer failed: ", err) + } + + pcs := []struct { + name string + pc *crdv1alpha1.PacketCapture + existingState *packetCaptureState + newState *packetCaptureState + expectedCalls func(mockOFClient *openflowtest.MockClient) + }{ + { + name: "start packetcapture", + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{Name: "pc1", UID: "uid1"}, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: pod1.Namespace, + Pod: pod1.Name, + }, + Destination: crdv1alpha1.Destination{ + Namespace: pod2.Namespace, + Pod: pod2.Name, + }, + }, + }, + existingState: &packetCaptureState{ + name: "pc1", + tag: 1, + }, + newState: &packetCaptureState{ + name: "pc1", + tag: 1, + }, + }, + + { + name: "packetcapture in failed phase", + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{Name: "pc1", UID: types.UID(testUID)}, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: pod1.Namespace, + Pod: pod1.Name, + }, + Destination: crdv1alpha1.Destination{ + Namespace: pod2.Namespace, + Pod: pod2.Name, + }, + CaptureConfig: crdv1alpha1.CaptureConfig{ + FirstN: &crdv1alpha1.PacketCaptureFirstNConfig{ + Number: 5, + }, + }, + }, + Status: crdv1alpha1.PacketCaptureStatus{ + Phase: crdv1alpha1.PacketCaptureFailed, + }, + }, + existingState: &packetCaptureState{ + name: "pc1", + pcapngFile: file, + pcapngWriter: testWriter, + tag: 1, + }, + expectedCalls: func(mockOFClient *openflowtest.MockClient) { + mockOFClient.EXPECT().UninstallPacketCaptureFlows(uint8(1)) + }, + }, + } + + for _, pc := range pcs { + t.Run(pc.name, func(t *testing.T) { + pcc := newFakePacketCaptureController(t, nil, []runtime.Object{pc.pc}, nil) + stopCh := make(chan struct{}) + defer close(stopCh) + pcc.crdInformerFactory.Start(stopCh) + pcc.crdInformerFactory.WaitForCacheSync(stopCh) + + if pc.existingState != nil { + pcc.runningPacketCaptures[pc.existingState.tag] = pc.existingState + } + + if pc.expectedCalls != nil { + pc.expectedCalls(pcc.mockOFClient) + } + + err := pcc.syncPacketCapture(pc.pc.Name) + require.NoError(t, err) + assert.Equal(t, pc.newState, pcc.runningPacketCaptures[pc.existingState.tag]) + }) + } +} + +// TestPacketCaptureControllerRun was used to validate the whole run process is working. It doesn't wait for +// the testing pc to finish. +func TestPacketCaptureControllerRun(t *testing.T) { + // create test os + defaultFS = afero.NewMemMapFs() + defaultFS.MkdirAll("/tmp/antrea/packetcapture/packets", 0755) + pc := struct { + name string + pc *crdv1alpha1.PacketCapture + newState *packetCaptureState + }{ + name: "start packetcapture", + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{Name: "pc1", UID: "uid1"}, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: pod1.Namespace, + Pod: pod1.Name, + }, + Destination: crdv1alpha1.Destination{ + Namespace: pod2.Namespace, + Pod: pod2.Name, + }, + CaptureConfig: crdv1alpha1.CaptureConfig{ + FirstN: &crdv1alpha1.PacketCaptureFirstNConfig{ + Number: 5, + }, + }, + }, + }, + newState: &packetCaptureState{tag: 1}, + } + + pcc := newFakePacketCaptureController(t, nil, []runtime.Object{pc.pc}, nil) + stopCh := make(chan struct{}) + defer close(stopCh) + pcc.crdInformerFactory.Start(stopCh) + pcc.crdInformerFactory.WaitForCacheSync(stopCh) + pcc.informerFactory.Start(stopCh) + pcc.informerFactory.WaitForCacheSync(stopCh) + pcc.mockOFClient.EXPECT().InstallPacketCaptureFlows(pc.newState.tag, false, false, + &binding.Packet{DestinationIP: net.ParseIP(pod2.Status.PodIP), IPProto: protocol.Type_ICMP}, + nil, ofPortPod1, crdv1alpha1.DefaultPacketCaptureTimeout) + go pcc.Run(stopCh) + time.Sleep(300 * time.Millisecond) +} + +func TestProcessPacketCaptureItem(t *testing.T) { + // create test os + defaultFS = afero.NewMemMapFs() + defaultFS.MkdirAll("/tmp/antrea/packetcapture/packets", 0755) + pc := struct { + pc *crdv1alpha1.PacketCapture + ofPort uint32 + receiverOnly bool + packet *binding.Packet + expected bool + }{ + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{Name: "pc1", UID: "uid1"}, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: pod1.Namespace, + Pod: pod1.Name, + }, + Destination: crdv1alpha1.Destination{ + Namespace: pod2.Namespace, + Pod: pod2.Name, + }, + CaptureConfig: crdv1alpha1.CaptureConfig{ + FirstN: &crdv1alpha1.PacketCaptureFirstNConfig{ + Number: 5, + }, + }, + }, + }, + ofPort: ofPortPod1, + packet: &binding.Packet{ + DestinationIP: net.ParseIP(pod2IPv4), + IPProto: 1, + }, + expected: true, + } + + pcc := newFakePacketCaptureController(t, nil, []runtime.Object{pc.pc}, nil) + stopCh := make(chan struct{}) + defer close(stopCh) + pcc.crdInformerFactory.Start(stopCh) + pcc.crdInformerFactory.WaitForCacheSync(stopCh) + + pcc.mockOFClient.EXPECT().InstallPacketCaptureFlows(uint8(1), false, pc.receiverOnly, pc.packet, nil, pc.ofPort, crdv1alpha1.DefaultPacketCaptureTimeout) + pcc.enqueuePacketCapture(pc.pc) + got := pcc.processPacketCaptureItem() + assert.Equal(t, pc.expected, got) +} + +func TestStartPacketCapture(t *testing.T) { + defaultFS = afero.NewMemMapFs() + defaultFS.MkdirAll(packetDirectory, 0755) + tcs := []struct { + name string + pc *crdv1alpha1.PacketCapture + state *packetCaptureState + ofPort uint32 + receiverOnly bool + packet *binding.Packet + expectedCalls func(mockOFClient *openflowtest.MockClient) + nodeConfig *config.NodeConfig + expectedErr string + expectedErrLog string + }{ + { + name: "Pod-to-Pod PacketCapture", + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{Name: "pc1", UID: "uid1"}, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: pod1.Namespace, + Pod: pod1.Name, + }, + Destination: crdv1alpha1.Destination{ + Namespace: pod2.Namespace, + Pod: pod2.Name, + }, + CaptureConfig: crdv1alpha1.CaptureConfig{ + FirstN: &crdv1alpha1.PacketCaptureFirstNConfig{ + Number: 5, + }, + }, + }, + + Status: crdv1alpha1.PacketCaptureStatus{ + Phase: crdv1alpha1.PacketCaptureRunning, + }, + }, + state: &packetCaptureState{tag: 1}, + ofPort: ofPortPod1, + packet: &binding.Packet{ + SourceIP: net.ParseIP(pod1IPv4), + SourceMAC: pod1MAC, + DestinationIP: net.ParseIP(pod2IPv4), + DestinationMAC: pod2MAC, + IPProto: 1, + TTL: 64, + ICMPType: 8, + }, + expectedCalls: func(mockOFClient *openflowtest.MockClient) { + mockOFClient.EXPECT().InstallPacketCaptureFlows(uint8(1), false, false, + &binding.Packet{ + DestinationIP: net.ParseIP(pod2IPv4), + IPProto: 1, + }, + nil, ofPortPod1, crdv1alpha1.DefaultPacketCaptureTimeout) + }, + }, + { + name: "Pod-to-IPv4 packetcapture", + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{Name: "pc1", UID: "uid2"}, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: pod1.Namespace, + Pod: pod1.Name, + }, + Destination: crdv1alpha1.Destination{ + IP: dstIPv4, + }, + CaptureConfig: crdv1alpha1.CaptureConfig{ + FirstN: &crdv1alpha1.PacketCaptureFirstNConfig{ + Number: 5, + }, + }, + }, + Status: crdv1alpha1.PacketCaptureStatus{ + Phase: crdv1alpha1.PacketCaptureRunning, + }, + }, + state: &packetCaptureState{tag: 2}, + ofPort: ofPortPod1, + packet: &binding.Packet{ + SourceIP: net.ParseIP(pod1IPv4), + SourceMAC: pod1MAC, + DestinationIP: net.ParseIP(dstIPv4), + IPProto: 1, + TTL: 64, + ICMPType: 8, + }, + expectedCalls: func(mockOFClient *openflowtest.MockClient) { + mockOFClient.EXPECT().InstallPacketCaptureFlows(uint8(2), true, false, &binding.Packet{ + DestinationIP: net.ParseIP(dstIPv4), + IPProto: 1, + }, nil, ofPortPod1, crdv1alpha1.DefaultPacketCaptureTimeout) + }, + }, + } + + for _, tt := range tcs { + t.Run(tt.name, func(t *testing.T) { + tfc := newFakePacketCaptureController(t, nil, []runtime.Object{tt.pc}, tt.nodeConfig) + if tt.expectedCalls != nil { + tt.expectedCalls(tfc.mockOFClient) + } + + bufWriter := bytes.NewBuffer(nil) + klog.SetOutput(bufWriter) + klog.LogToStderr(false) + defer func() { + klog.SetOutput(os.Stderr) + klog.LogToStderr(true) + }() + + err := tfc.startPacketCapture(tt.pc, tt.state) + if tt.expectedErr != "" { + assert.ErrorContains(t, err, tt.expectedErr) + } else { + require.NoError(t, err) + } + if tt.expectedErrLog != "" { + assert.Contains(t, bufWriter.String(), tt.expectedErrLog) + } + }) + } +} + +func TestPrepareEndpointsPackets(t *testing.T) { + pcs := []struct { + name string + pc *crdv1alpha1.PacketCapture + expectedPackets []binding.Packet + objs []runtime.Object + expectedErr string + }{ + { + name: "svc-not-exist", + expectedErr: "service \"svc1\" not found", + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{Name: "pc1", UID: "uid2"}, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: pod1.Namespace, + Pod: pod1.Name, + }, + Destination: crdv1alpha1.Destination{ + Namespace: pod1.Namespace, + Service: "svc1", + }, + Packet: &crdv1alpha1.Packet{ + TransportHeader: crdv1alpha1.TransportHeader{ + TCP: &crdv1alpha1.TCPHeader{ + DstPort: 80, + }, + }, + }, + }, + }, + }, + { + name: "ep-not-exist", + expectedErr: "endpoints \"svc1\" not found", + objs: []runtime.Object{&v1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: pod1.Namespace, + Name: "svc1", + }, + Spec: v1.ServiceSpec{ + Ports: []v1.ServicePort{ + { + Name: "http", + Port: 80, + TargetPort: intstr.IntOrString{ + Type: intstr.Int, + IntVal: 8080, + }, + }, + }, + }, + }}, + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{Name: "pc2", UID: "uid2"}, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: pod1.Namespace, + Pod: pod1.Name, + }, + Destination: crdv1alpha1.Destination{ + Namespace: pod1.Namespace, + Service: "svc1", + }, + Packet: &crdv1alpha1.Packet{ + TransportHeader: crdv1alpha1.TransportHeader{ + TCP: &crdv1alpha1.TCPHeader{ + DstPort: 80, + }, + }, + }, + }, + }, + }, + { + name: "tcp-2-backends-svc", + expectedPackets: []binding.Packet{ + { + DestinationIP: net.ParseIP(pod1.Status.PodIP), + DestinationPort: 8080, + IPProto: protocol.Type_TCP, + }, + { + DestinationIP: net.ParseIP(pod2.Status.PodIP), + DestinationPort: 8080, + IPProto: protocol.Type_TCP, + }, + }, + objs: []runtime.Object{&v1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: pod1.Namespace, + Name: "svc1", + }, + Spec: v1.ServiceSpec{ + Ports: []v1.ServicePort{ + { + Name: "http", + Port: 80, + TargetPort: intstr.IntOrString{ + Type: intstr.Int, + IntVal: 8080, + }, + }, + }, + }, + }, &v1.Endpoints{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: pod1.Namespace, + Name: "svc1", + }, + Subsets: []v1.EndpointSubset{ + { + Addresses: []v1.EndpointAddress{ + { + IP: pod1.Status.PodIP, + }, + { + IP: pod2.Status.PodIP, + }, + }, + Ports: []v1.EndpointPort{ + { + Name: "http", + Port: 8080, + }, + }, + }, + }, + }}, + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{Name: "pc1", UID: "uid1"}, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: pod1.Namespace, + Pod: pod1.Name, + }, + Destination: crdv1alpha1.Destination{ + Namespace: pod1.Namespace, + Service: "svc1", + }, + Packet: &crdv1alpha1.Packet{ + TransportHeader: crdv1alpha1.TransportHeader{ + TCP: &crdv1alpha1.TCPHeader{ + DstPort: 80, + }, + }, + }, + }, + }, + }, + } + + for _, pc := range pcs { + t.Run(pc.name, func(t *testing.T) { + pcc := newFakePacketCaptureController(t, pc.objs, []runtime.Object{pc.pc}, nil) + stopCh := make(chan struct{}) + defer close(stopCh) + pcc.crdInformerFactory.Start(stopCh) + pcc.crdInformerFactory.WaitForCacheSync(stopCh) + pcc.informerFactory.Start(stopCh) + pcc.informerFactory.WaitForCacheSync(stopCh) + + pkts, err := pcc.genEndpointMatchPackets(pc.pc) + if pc.expectedErr == "" { + require.NoError(t, err) + if !reflect.DeepEqual(pc.expectedPackets, pkts) { + t.Errorf("expected packets: %+v, got: %+v", pc.expectedPackets, pkts) + } + + } else { + assert.ErrorContains(t, err, pc.expectedErr) + assert.Nil(t, pkts) + } + }) + } +} diff --git a/pkg/agent/controller/packetcapture/packetin.go b/pkg/agent/controller/packetcapture/packetin.go new file mode 100644 index 00000000000..a10a14439e5 --- /dev/null +++ b/pkg/agent/controller/packetcapture/packetin.go @@ -0,0 +1,106 @@ +// Copyright 2024 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package packetcapture + +import ( + "fmt" + "time" + + "antrea.io/libOpenflow/util" + "antrea.io/ofnet/ofctrl" + "github.com/google/gopacket" + "k8s.io/klog/v2" + + "antrea.io/antrea/pkg/agent/openflow" + crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" +) + +// HandlePacketIn processes PacketIn messages from the OFSwitch. If the register value match, it will be counted and captured. +// Once the total number reaches the target, the PacketCapture will be marked as Succeed. +func (c *Controller) HandlePacketIn(pktIn *ofctrl.PacketIn) error { + klog.V(4).InfoS("PacketIn for PacketCapture", "PacketIn", pktIn.PacketIn) + captureState, captureFinished, err := c.parsePacketIn(pktIn) + if err != nil { + return fmt.Errorf("parsePacketIn error: %w", err) + } + if captureFinished { + return nil + } + rawData := pktIn.Data.(*util.Buffer).Bytes() + ci := gopacket.CaptureInfo{ + Timestamp: time.Now(), + CaptureLength: len(rawData), + Length: len(rawData), + } + err = captureState.pcapngWriter.WritePacket(ci, rawData) + if err != nil { + return fmt.Errorf("couldn't write packet: %w", err) + } + reachTarget := captureState.numCapturedPackets == captureState.maxNumCapturedPackets + // use rate limiter to reduce the times we need to update status. + if reachTarget || captureState.updateRateLimiter.Allow() { + pc, err := c.packetCaptureLister.Get(captureState.name) + if err != nil { + return fmt.Errorf("get PacketCapture failed: %w", err) + } + // if reach the target. flush the file and upload it. + if reachTarget { + if err := captureState.pcapngWriter.Flush(); err != nil { + return err + } + if err := c.uploadPackets(pc, captureState.pcapngFile); err != nil { + return err + } + } + err = c.updatePacketCaptureStatus(pc, crdv1alpha1.PacketCaptureRunning, "", captureState.numCapturedPackets) + if err != nil { + return fmt.Errorf("failed to update the PacketCapture: %w", err) + } + klog.InfoS("Updated PacketCapture", "PacketCapture", klog.KObj(pc), "numCapturedPackets", captureState.numCapturedPackets) + } + return nil +} + +// parsePacketIn parses the packet-in message. If the value in register match with existing PacketCapture's state(tag), +// it will be counted. If the total count reach the target, the ovs flow will be uninstalled. +func (c *Controller) parsePacketIn(pktIn *ofctrl.PacketIn) (_ *packetCaptureState, captureFinished bool, _ error) { + var tag uint8 + matchers := pktIn.GetMatches() + match := openflow.GetMatchFieldByRegID(matchers, openflow.PacketCaptureMark.GetRegID()) + if match != nil { + value, err := openflow.GetInfoInReg(match, openflow.PacketCaptureMark.GetRange().ToNXRange()) + if err != nil { + return nil, false, fmt.Errorf("failed to get PacketCapture tag from packet-in message: %w", err) + } + tag = uint8(value) + } + c.runningPacketCapturesMutex.Lock() + defer c.runningPacketCapturesMutex.Unlock() + pcState, exists := c.runningPacketCaptures[tag] + if !exists { + return nil, false, fmt.Errorf("PacketCapture for dataplane tag %d not found in cache", tag) + } + if pcState.numCapturedPackets == pcState.maxNumCapturedPackets { + return nil, true, nil + } + pcState.numCapturedPackets++ + if pcState.numCapturedPackets == pcState.maxNumCapturedPackets { + err := c.ofClient.UninstallPacketCaptureFlows(tag) + if err != nil { + return nil, false, fmt.Errorf("uninstall PacketCapture ovs flow failed: %v", err) + } + } + return pcState, false, nil +} diff --git a/pkg/agent/controller/packetcapture/packetin_test.go b/pkg/agent/controller/packetcapture/packetin_test.go new file mode 100644 index 00000000000..e5d21138246 --- /dev/null +++ b/pkg/agent/controller/packetcapture/packetin_test.go @@ -0,0 +1,266 @@ +// Copyright 2024 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package packetcapture + +import ( + "context" + "encoding/binary" + "fmt" + "net" + "testing" + + "antrea.io/libOpenflow/openflow15" + "antrea.io/libOpenflow/protocol" + "antrea.io/libOpenflow/util" + "antrea.io/ofnet/ofctrl" + "github.com/google/gopacket/layers" + "github.com/google/gopacket/pcapgo" + "github.com/spf13/afero" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "golang.org/x/crypto/ssh" + "golang.org/x/time/rate" + v1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + + "antrea.io/antrea/pkg/agent/config" + openflowtest "antrea.io/antrea/pkg/agent/openflow/testing" + crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" +) + +const ( + maxNum = 5 +) + +const ( + testTag = uint8(3) + testUID = "1-2-3-4" + testSFTPUrl = "sftp://127.0.0.1:22/root/packetcaptures" +) + +// generatePacketInMatchFromTag reverse the packetIn message/matcher -> REG4/tag value path +// to generate test matchers. It follows the following process: +// 1. shift bits to generate uint32, which represents data in REG4 and another REG (unrelated) +// 2. convert uint32 to bytes(bigEndian), which will be the Match value/mask. +// 3. generate MatchField from the bytes. +func generatePacketInMatchFromTag(tag uint8) *openflow15.MatchField { + value := uint32(tag) << 28 + regID := 4 + data := make([]byte, 8) + binary.BigEndian.PutUint32(data, value) + + m := openflow15.MatchField{ + Class: openflow15.OXM_CLASS_PACKET_REGS, + Field: uint8(regID / 2), + HasMask: false, + Value: &openflow15.ByteArrayField{Data: data}, + } + return &m +} + +func genMatchers() []openflow15.MatchField { + // m := generateMatch(openflow.PacketCaptureMark.GetRegID(), testTagData) + matchers := []openflow15.MatchField{*generatePacketInMatchFromTag(testTag)} + return matchers +} + +func getTestPacketBytes(dstIP string) []byte { + ipPacket := &protocol.IPv4{ + Version: 0x4, + IHL: 5, + Protocol: uint8(8), + Length: 20, + NWSrc: net.IP(pod1IPv4), + NWDst: net.IP(dstIP), + } + ethernetPkt := protocol.NewEthernet() + ethernetPkt.HWSrc = pod1MAC + ethernetPkt.Ethertype = protocol.IPv4_MSG + ethernetPkt.Data = ipPacket + pktBytes, _ := ethernetPkt.MarshalBinary() + return pktBytes +} + +func generateTestPCState(name string, pcapngFile afero.File, writer *pcapgo.NgWriter, num int32) *packetCaptureState { + return &packetCaptureState{ + name: name, + maxNumCapturedPackets: maxNum, + numCapturedPackets: num, + tag: testTag, + pcapngWriter: writer, + pcapngFile: pcapngFile, + shouldSyncPackets: true, + updateRateLimiter: rate.NewLimiter(rate.Every(captureStatusUpdatePeriod), 1), + } +} + +func generatePacketCapture(name string) *crdv1alpha1.PacketCapture { + return &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + UID: testUID, + }, + Status: crdv1alpha1.PacketCaptureStatus{}, + Spec: crdv1alpha1.PacketCaptureSpec{ + CaptureConfig: crdv1alpha1.CaptureConfig{ + FirstN: &crdv1alpha1.PacketCaptureFirstNConfig{ + Number: 5, + }, + }, + FileServer: crdv1alpha1.BundleFileServer{ + URL: testSFTPUrl, + }, + }, + } +} + +func generateTestSecret() *v1.Secret { + return &v1.Secret{ + TypeMeta: metav1.TypeMeta{ + Kind: "Secret", + APIVersion: "v1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "AAA", + Namespace: "default", + }, + Data: map[string][]byte{ + "username": []byte("AAA"), + "password": []byte("BBBCCC"), + }, + } +} + +type testUploader struct { + url string + fileName string +} + +func (uploader *testUploader) Upload(url string, fileName string, config *ssh.ClientConfig, outputFile afero.File) error { + if url != uploader.url { + return fmt.Errorf("expected url: %s for uploader, got: %s", uploader.url, url) + } + if fileName != uploader.fileName { + return fmt.Errorf("expected filename: %s for uploader, got: %s", uploader.fileName, fileName) + } + return nil +} + +func TestHandlePacketCapturePacketIn(t *testing.T) { + + invalidPktBytes := getTestPacketBytes("89.207.132.170") + pktBytesPodToPod := getTestPacketBytes(pod2IPv4) + + // create test os + defaultFS = afero.NewMemMapFs() + defaultFS.MkdirAll("/tmp/packetcapture/packets", 0755) + file, err := defaultFS.Create(uidToPath(testUID)) + if err != nil { + t.Fatal("create pcapng file error: ", err) + } + + testWriter, err := pcapgo.NewNgWriter(file, layers.LinkTypeEthernet) + if err != nil { + t.Fatal("create test pcapng writer failed: ", err) + } + + tests := []struct { + name string + networkConfig *config.NetworkConfig + nodeConfig *config.NodeConfig + pcState *packetCaptureState + pktIn *ofctrl.PacketIn + expectedPC *crdv1alpha1.PacketCapture + expectedErrStr string + expectedCalls func(mockOFClient *openflowtest.MockClient) + expectedNum int32 + expectedUploader *testUploader + }{ + { + name: "invalid packets", + pcState: generateTestPCState("pc-with-invalid-packet", nil, testWriter, 0), + expectedPC: generatePacketCapture("pc-with-invalid-packet"), + pktIn: &ofctrl.PacketIn{ + PacketIn: &openflow15.PacketIn{ + Data: util.NewBuffer(invalidPktBytes), + }, + }, + expectedErrStr: "parsePacketIn error: PacketCapture for dataplane tag 0 not found in cache", + }, + { + name: "not hitting target number", + pcState: generateTestPCState("pc-with-less-num", nil, testWriter, 1), + expectedPC: generatePacketCapture("pc-with-less-num"), + expectedNum: 2, + pktIn: &ofctrl.PacketIn{ + PacketIn: &openflow15.PacketIn{ + Data: util.NewBuffer(pktBytesPodToPod), + Match: openflow15.Match{ + Fields: genMatchers(), + }, + }, + }, + }, + { + name: "hit target number", + pcState: generateTestPCState("pc-with-max-num", file, testWriter, maxNum-1), + expectedPC: generatePacketCapture("pc-with-max-num"), + expectedNum: maxNum, + pktIn: &ofctrl.PacketIn{ + PacketIn: &openflow15.PacketIn{ + Data: util.NewBuffer(pktBytesPodToPod), + Match: openflow15.Match{ + Fields: genMatchers(), + }, + }, + }, + expectedCalls: func(mockOFClient *openflowtest.MockClient) { + mockOFClient.EXPECT().UninstallPacketCaptureFlows(testTag) + }, + expectedUploader: &testUploader{ + fileName: testUID + ".pcapng", + url: testSFTPUrl, + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + pcc := newFakePacketCaptureController(t, nil, []runtime.Object{tt.expectedPC}, &config.NodeConfig{Name: "node1"}) + if tt.expectedCalls != nil { + tt.expectedCalls(pcc.mockOFClient) + } + stopCh := make(chan struct{}) + defer close(stopCh) + pcc.crdInformerFactory.Start(stopCh) + pcc.crdInformerFactory.WaitForCacheSync(stopCh) + pcc.runningPacketCaptures[tt.pcState.tag] = tt.pcState + pcc.sftpUploader = tt.expectedUploader + + err := pcc.HandlePacketIn(tt.pktIn) + if err == nil { + assert.Equal(t, tt.expectedErrStr, "") + // check target num in status + pc, err := pcc.crdClient.CrdV1alpha1().PacketCaptures().Get(context.TODO(), tt.expectedPC.Name, metav1.GetOptions{}) + require.Nil(t, err) + assert.Equal(t, tt.expectedNum, pc.Status.NumCapturedPackets) + } else { + assert.Equal(t, tt.expectedErrStr, err.Error()) + } + + }) + } +} diff --git a/pkg/agent/openflow/client.go b/pkg/agent/openflow/client.go index e6d3ec5ef87..c8fae2b42b3 100644 --- a/pkg/agent/openflow/client.go +++ b/pkg/agent/openflow/client.go @@ -234,9 +234,15 @@ type Client interface { // InstallTraceflowFlows installs flows for a Traceflow request. InstallTraceflowFlows(dataplaneTag uint8, liveTraffic, droppedOnly, receiverOnly bool, packet *binding.Packet, ofPort uint32, timeoutSeconds uint16) error + // InstallPacketCaptureFlows installs flows for a PacketCapture request. + InstallPacketCaptureFlows(dataplaneTag uint8, senderOnly bool, receiverOnly bool, packet *binding.Packet, endpointPackets []binding.Packet, ofPort uint32, timeoutSeconds uint16) error + // UninstallTraceflowFlows uninstalls flows for a Traceflow request. UninstallTraceflowFlows(dataplaneTag uint8) error + // UninstallPacketCaptureFlows uninstalls flows for a PacketCapture request. + UninstallPacketCaptureFlows(dataplaneTag uint8) error + // GetPolicyInfoFromConjunction returns the following policy information for the provided conjunction ID: // NetworkPolicy reference, OF priority, rule name, label // The boolean return value indicates whether the policy information was found. @@ -928,6 +934,7 @@ func (c *client) generatePipelines() { c.enableL7FlowExporter) c.activatedFeatures = append(c.activatedFeatures, c.featurePodConnectivity) c.traceableFeatures = append(c.traceableFeatures, c.featurePodConnectivity) + c.packetCaptureFeatures = append(c.packetCaptureFeatures, c.featurePodConnectivity) c.featureService = newFeatureService(c.cookieAllocator, c.nodeIPChecker, @@ -943,6 +950,7 @@ func (c *client) generatePipelines() { c.connectUplinkToBridge) c.activatedFeatures = append(c.activatedFeatures, c.featureService) c.traceableFeatures = append(c.traceableFeatures, c.featureService) + c.packetCaptureFeatures = append(c.packetCaptureFeatures, c.featureService) } if c.nodeType == config.ExternalNode { @@ -990,6 +998,11 @@ func (c *client) generatePipelines() { c.featureTraceflow = newFeatureTraceflow() c.activatedFeatures = append(c.activatedFeatures, c.featureTraceflow) + if c.enablePacketCapture { + c.featurePacketCapture = newFeaturePacketCapture() + c.activatedFeatures = append(c.activatedFeatures, c.featurePacketCapture) + } + // Pipelines to generate. pipelineIDs := []binding.PipelineID{pipelineRoot, pipelineIP} if c.networkConfig.IPv4Enabled { @@ -1234,6 +1247,22 @@ func (c *client) SendTraceflowPacket(dataplaneTag uint8, packet *binding.Packet, return c.bridge.SendPacketOut(packetOutObj) } +func (c *client) InstallPacketCaptureFlows(dataplaneTag uint8, senderOnly, receiverOnly bool, packet *binding.Packet, endpointPackets []binding.Packet, ofPort uint32, timeoutSeconds uint16) error { + cacheKey := fmt.Sprintf("%x", dataplaneTag) + var flows []binding.Flow + for _, f := range c.packetCaptureFeatures { + flows = append(flows, f.flowsToCapture(dataplaneTag, + c.ovsMetersAreSupported, + senderOnly, + receiverOnly, + packet, + endpointPackets, + ofPort, + timeoutSeconds)...) + } + return c.addFlows(c.featurePacketCapture.cachedFlows, cacheKey, flows) +} + func (c *client) InstallTraceflowFlows(dataplaneTag uint8, liveTraffic, droppedOnly, receiverOnly bool, packet *binding.Packet, ofPort uint32, timeoutSeconds uint16) error { cacheKey := fmt.Sprintf("%x", dataplaneTag) var flows []binding.Flow @@ -1255,6 +1284,11 @@ func (c *client) UninstallTraceflowFlows(dataplaneTag uint8) error { return c.deleteFlows(c.featureTraceflow.cachedFlows, cacheKey) } +func (c *client) UninstallPacketCaptureFlows(dataplaneTag uint8) error { + cacheKey := fmt.Sprintf("%x", dataplaneTag) + return c.deleteFlows(c.featurePacketCapture.cachedFlows, cacheKey) +} + // setBasePacketOutBuilder sets base IP properties of a packetOutBuilder which can have more packet data added. func setBasePacketOutBuilder(packetOutBuilder binding.PacketOutBuilder, srcMAC string, dstMAC string, srcIP string, dstIP string, inPort uint32, outPort uint32) (binding.PacketOutBuilder, error) { // Set ethernet header. diff --git a/pkg/agent/openflow/client_test.go b/pkg/agent/openflow/client_test.go index 658193b1220..7c05b0e8e62 100644 --- a/pkg/agent/openflow/client_test.go +++ b/pkg/agent/openflow/client_test.go @@ -94,6 +94,7 @@ type clientOptions struct { enableMulticluster bool enableL7NetworkPolicy bool enableL7FlowExporter bool + enablePacketCapture bool trafficEncryptionMode config.TrafficEncryptionModeType } @@ -168,6 +169,10 @@ func enableMulticluster(o *clientOptions) { o.enableMulticluster = true } +func enablePacketCapture(o *clientOptions) { + o.enablePacketCapture = true +} + func setTrafficEncryptionMode(trafficEncryptionMode config.TrafficEncryptionModeType) clientOptionsFn { return func(o *clientOptions) { o.trafficEncryptionMode = trafficEncryptionMode @@ -419,6 +424,7 @@ func newFakeClientWithBridge( o.enableMulticluster, NewGroupAllocator(), false, + o.enablePacketCapture, defaultPacketInRate) // Meters must be supported to enable Egress traffic shaping. @@ -1778,6 +1784,126 @@ func Test_client_InstallEgressQoS(t *testing.T) { require.False(t, ok) } +func Test_client_InstallPacketCaptureFlows(t *testing.T) { + type fields struct { + } + type args struct { + dataplaneTag uint8 + senderOnly bool + receiverOnly bool + packet *binding.Packet + endpointsPacket []binding.Packet + } + srcMAC, _ := net.ParseMAC("11:22:33:44:55:66") + dstMAC, _ := net.ParseMAC("11:22:33:44:55:77") + tests := []struct { + name string + fields fields + args args + wantErr bool + prepareFunc func(*gomock.Controller) *client + }{ + { + name: "packetcapture flow", + fields: fields{}, + args: args{ + dataplaneTag: 1, + packet: &binding.Packet{ + SourceMAC: srcMAC, + DestinationMAC: dstMAC, + SourceIP: net.ParseIP("1.2.3.4"), + DestinationIP: net.ParseIP("1.2.3.5"), + IPProto: 1, + TTL: 64, + }, + }, + wantErr: false, + prepareFunc: preparePacketCaptureFlow, + }, + { + name: "packetcapture flow with receiver only", + fields: fields{}, + args: args{ + dataplaneTag: 1, + receiverOnly: true, + packet: &binding.Packet{ + SourceMAC: srcMAC, + DestinationMAC: dstMAC, + SourceIP: net.ParseIP("1.2.3.4"), + DestinationIP: net.ParseIP("1.2.3.5"), + IPProto: 1, + TTL: 64, + }, + }, + wantErr: false, + prepareFunc: preparePacketCaptureFlow, + }, + { + name: "packetcapture flow with sender only", + fields: fields{}, + args: args{ + dataplaneTag: 1, + senderOnly: true, + packet: &binding.Packet{ + SourceMAC: srcMAC, + DestinationMAC: dstMAC, + SourceIP: net.ParseIP("1.2.3.4"), + DestinationIP: net.ParseIP("1.2.3.5"), + IPProto: 1, + TTL: 64, + }, + }, + wantErr: false, + prepareFunc: preparePacketCaptureFlow, + }, + { + name: "packetcapture flow with endpoints packets", + fields: fields{}, + args: args{ + dataplaneTag: 1, + senderOnly: true, + packet: &binding.Packet{ + SourceMAC: srcMAC, + DestinationMAC: dstMAC, + SourceIP: net.ParseIP("1.2.3.4"), + DestinationIP: net.ParseIP("1.2.3.5"), + IPProto: 1, + TTL: 64, + }, + endpointsPacket: []binding.Packet{ + { + SourceMAC: srcMAC, + DestinationMAC: dstMAC, + SourceIP: net.ParseIP("1.2.3.4"), + DestinationIP: net.ParseIP("1.2.3.6"), + IPProto: 1, + TTL: 64, + }, + { + SourceMAC: srcMAC, + DestinationMAC: dstMAC, + SourceIP: net.ParseIP("1.2.3.4"), + DestinationIP: net.ParseIP("1.2.3.7"), + IPProto: 1, + TTL: 64, + }, + }, + }, + wantErr: false, + prepareFunc: preparePacketCaptureFlow, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + ctrl := gomock.NewController(t) + c := tt.prepareFunc(ctrl) + if err := c.InstallPacketCaptureFlows(tt.args.dataplaneTag, tt.args.senderOnly, tt.args.receiverOnly, tt.args.packet, nil, 0, 300); (err != nil) != tt.wantErr { + t.Errorf("InstallPacketCaptureFlows() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} + func Test_client_InstallTraceflowFlows(t *testing.T) { type fields struct { } @@ -1918,6 +2044,32 @@ func Test_client_SendTraceflowPacket(t *testing.T) { } } +func preparePacketCaptureFlow(ctrl *gomock.Controller) *client { + m := opstest.NewMockOFEntryOperations(ctrl) + fc := newFakeClientWithBridge(m, true, false, config.K8sNode, config.TrafficEncapModeEncap, ovsoftest.NewMockBridge(ctrl), enablePacketCapture) + defer resetPipelines() + + m.EXPECT().AddAll(gomock.Any()).Return(nil).Times(1) + _, ipCIDR, _ := net.ParseCIDR("192.168.2.30/32") + flows, _ := EgressDefaultTable.ofTable.BuildFlow(priority100).Action().Drop().Done().GetBundleMessages(binding.AddMessage) + flowMsg := flows[0].GetMessage().(*openflow15.FlowMod) + ctx := &conjMatchFlowContext{ + dropFlow: flowMsg, + dropFlowEnableLogging: false, + conjunctiveMatch: &conjunctiveMatch{ + tableID: 1, + matchPairs: []matchPair{ + { + matchKey: MatchCTSrcIPNet, + matchValue: *ipCIDR, + }, + }, + }} + fc.featureNetworkPolicy.globalConjMatchFlowCache["mockContext"] = ctx + fc.featureNetworkPolicy.policyCache.Add(&policyRuleConjunction{metricFlows: []*openflow15.FlowMod{flowMsg}}) + return fc +} + func prepareTraceflowFlow(ctrl *gomock.Controller) *client { m := opstest.NewMockOFEntryOperations(ctrl) fc := newFakeClientWithBridge(m, true, false, config.K8sNode, config.TrafficEncapModeEncap, ovsoftest.NewMockBridge(ctrl)) @@ -2031,7 +2183,7 @@ func Test_client_setBasePacketOutBuilder(t *testing.T) { } func prepareSetBasePacketOutBuilder(ctrl *gomock.Controller, success bool) *client { - ofClient := NewClient(bridgeName, bridgeMgmtAddr, nodeiptest.NewFakeNodeIPChecker(), true, true, false, false, false, false, false, false, false, false, false, false, false, nil, false, defaultPacketInRate) + ofClient := NewClient(bridgeName, bridgeMgmtAddr, nodeiptest.NewFakeNodeIPChecker(), true, true, false, false, false, false, false, false, false, false, false, false, false, nil, false, false, defaultPacketInRate) m := ovsoftest.NewMockBridge(ctrl) ofClient.bridge = m bridge := binding.OFBridge{} diff --git a/pkg/agent/openflow/cookie/allocator.go b/pkg/agent/openflow/cookie/allocator.go index 3aef3db4c84..9d6dbdeaae2 100644 --- a/pkg/agent/openflow/cookie/allocator.go +++ b/pkg/agent/openflow/cookie/allocator.go @@ -39,6 +39,7 @@ const ( Multicluster Traceflow ExternalNodeConnectivity + PacketCapture ) func (c Category) String() string { @@ -61,6 +62,8 @@ func (c Category) String() string { return "Traceflow" case ExternalNodeConnectivity: return "ExternalNodeConnectivity" + case PacketCapture: + return "PacketCapture" default: return "Invalid" } diff --git a/pkg/agent/openflow/fields.go b/pkg/agent/openflow/fields.go index 78f0845a143..6d522e97eb8 100644 --- a/pkg/agent/openflow/fields.go +++ b/pkg/agent/openflow/fields.go @@ -150,6 +150,9 @@ var ( // reg4[28]: Mark to indicate that whether the traffic's source is a local Pod or the Node. FromLocalRegMark = binding.NewOneBitRegMark(4, 28) + // reg4[28..31]: Field mark the flow for packet capture case. + PacketCaptureMark = binding.NewRegField(4, 28, 31) + // reg5(NXM_NX_REG5) // Field to cache the Egress conjunction ID hit by TraceFlow packet. TFEgressConjIDField = binding.NewRegField(5, 0, 31) diff --git a/pkg/agent/openflow/framework.go b/pkg/agent/openflow/framework.go index d8c353ee2a2..8c32be13d50 100644 --- a/pkg/agent/openflow/framework.go +++ b/pkg/agent/openflow/framework.go @@ -309,6 +309,10 @@ func (f *featureTraceflow) getRequiredTables() []*Table { return nil } +func (f *featurePacketCapture) getRequiredTables() []*Table { + return nil +} + func (f *featureExternalNodeConnectivity) getRequiredTables() []*Table { return []*Table{ ConntrackTable, @@ -336,3 +340,14 @@ type traceableFeature interface { ofPort uint32, timeoutSeconds uint16) []binding.Flow } + +type packetCaptureFeature interface { + flowsToCapture(dataplaneTag uint8, + ovsMetersAreSupported, + senderOnly bool, + receiverOnly bool, + packet *binding.Packet, + endpointPackets []binding.Packet, + ofPort uint32, + timeoutSeconds uint16) []binding.Flow +} diff --git a/pkg/agent/openflow/packetcapture.go b/pkg/agent/openflow/packetcapture.go new file mode 100644 index 00000000000..01905e765ad --- /dev/null +++ b/pkg/agent/openflow/packetcapture.go @@ -0,0 +1,55 @@ +// Copyright 2024 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package openflow + +import ( + "antrea.io/libOpenflow/openflow15" + + binding "antrea.io/antrea/pkg/ovs/openflow" +) + +type featurePacketCapture struct { + cachedFlows *flowCategoryCache +} + +func (f *featurePacketCapture) getFeatureName() string { + return "PacketCapture" +} + +func newFeaturePacketCapture() *featurePacketCapture { + return &featurePacketCapture{ + cachedFlows: newFlowCategoryCache(), + } +} + +func (f *featurePacketCapture) initFlows() []*openflow15.FlowMod { + return []*openflow15.FlowMod{} +} + +func (f *featurePacketCapture) replayFlows() []*openflow15.FlowMod { + return []*openflow15.FlowMod{} +} + +func (f *featurePacketCapture) initGroups() []binding.OFEntry { + return nil +} + +func (f *featurePacketCapture) replayGroups() []binding.OFEntry { + return nil +} + +func (f *featurePacketCapture) replayMeters() []binding.OFEntry { + return nil +} diff --git a/pkg/agent/openflow/packetin.go b/pkg/agent/openflow/packetin.go index 608f1759e34..6103d06d586 100644 --- a/pkg/agent/openflow/packetin.go +++ b/pkg/agent/openflow/packetin.go @@ -53,6 +53,8 @@ const ( // PacketInCategorySvcReject is used to process the Service packets not matching any // Endpoints within packetIn message. PacketInCategorySvcReject + // PacketInCategoryPacketCapture is used for packetIn messages related to capture. + PacketInCategoryPacketCapture // PacketIn operations below are used to decide which operation(s) should be // executed by a handler. It(they) should be loaded in the second byte of the diff --git a/pkg/agent/openflow/pipeline.go b/pkg/agent/openflow/pipeline.go index 601e910f186..3869f73f3a8 100644 --- a/pkg/agent/openflow/pipeline.go +++ b/pkg/agent/openflow/pipeline.go @@ -402,6 +402,7 @@ type client struct { enableL7FlowExporter bool enableMulticluster bool enablePrometheusMetrics bool + enablePacketCapture bool connectUplinkToBridge bool nodeType config.NodeType roundInfo types.RoundInfo @@ -421,6 +422,9 @@ type client struct { featureTraceflow *featureTraceflow traceableFeatures []traceableFeature + featurePacketCapture *featurePacketCapture + packetCaptureFeatures []packetCaptureFeature + pipelines map[binding.PipelineID]binding.Pipeline // ofEntryOperations is a wrapper interface for operating multiple OpenFlow entries with action AddAll / ModifyAll / DeleteAll. @@ -847,6 +851,206 @@ func (f *featureService) snatConntrackFlows() []binding.Flow { return flows } +func matchTransportHeader(packet *binding.Packet, flowBuilder binding.FlowBuilder, endpointPackets []binding.Packet) binding.FlowBuilder { + // Match transport header + switch packet.IPProto { + case protocol.Type_ICMP: + flowBuilder = flowBuilder.MatchProtocol(binding.ProtocolICMP) + case protocol.Type_IPv6ICMP: + flowBuilder = flowBuilder.MatchProtocol(binding.ProtocolICMPv6) + case protocol.Type_TCP: + if packet.IsIPv6 { + flowBuilder = flowBuilder.MatchProtocol(binding.ProtocolTCPv6) + } else { + flowBuilder = flowBuilder.MatchProtocol(binding.ProtocolTCP) + } + case protocol.Type_UDP: + if packet.IsIPv6 { + flowBuilder = flowBuilder.MatchProtocol(binding.ProtocolUDPv6) + } else { + flowBuilder = flowBuilder.MatchProtocol(binding.ProtocolUDP) + } + default: + flowBuilder = flowBuilder.MatchIPProtocolValue(packet.IsIPv6, packet.IPProto) + } + if packet.IPProto == protocol.Type_TCP || packet.IPProto == protocol.Type_UDP { + if endpointPackets != nil && endpointPackets[0].DestinationPort != 0 { + flowBuilder = flowBuilder.MatchDstPort(endpointPackets[0].DestinationPort, nil) + } else if packet.DestinationPort != 0 { + flowBuilder = flowBuilder.MatchDstPort(packet.DestinationPort, nil) + } + if packet.SourcePort != 0 { + flowBuilder = flowBuilder.MatchSrcPort(packet.SourcePort, nil) + } + } + + return flowBuilder +} + +// flowsToCapture generates flows for packet capture. dataplaneTag is used as a mark for the target flow. +func (f *featurePodConnectivity) flowsToCapture(dataplaneTag uint8, + ovsMetersAreSupported, + senderOnly bool, + receiverOnly bool, + packet *binding.Packet, + endpointPackets []binding.Packet, + ofPort uint32, + timeout uint16) []binding.Flow { + cookieID := f.cookieAllocator.Request(cookie.PacketCapture).Raw() + var flows []binding.Flow + tag := uint32(dataplaneTag) + var flowBuilder binding.FlowBuilder + if !receiverOnly { + // if not receiverOnly, ofPort is inPort + if endpointPackets == nil { + flowBuilder = ConntrackStateTable.ofTable.BuildFlow(priorityHigh). + Cookie(cookieID). + MatchInPort(ofPort). + MatchCTStateTrk(true). + Action().LoadToRegField(PacketCaptureMark, tag). + SetHardTimeout(timeout). + Action().GotoStage(stagePreRouting) + if packet.DestinationIP != nil { + flowBuilder = flowBuilder.MatchDstIP(packet.DestinationIP) + } + } else { + // generate flows to endpoints. + for _, epPacket := range endpointPackets { + tmpFlowBuilder := ConntrackStateTable.ofTable.BuildFlow(priorityHigh). + Cookie(cookieID). + MatchInPort(ofPort). + MatchCTStateTrk(true). + Action().LoadToRegField(PacketCaptureMark, tag). + SetHardTimeout(timeout). + Action().GotoStage(stagePreRouting) + tmpFlowBuilder.MatchDstIP(epPacket.DestinationIP) + flow := matchTransportHeader(packet, tmpFlowBuilder, endpointPackets).Done() + flows = append(flows, flow) + } + } + } else { + flowBuilder = L2ForwardingCalcTable.ofTable.BuildFlow(priorityHigh). + Cookie(cookieID). + MatchCTStateTrk(true). + MatchDstMAC(packet.DestinationMAC). + Action().LoadToRegField(TargetOFPortField, ofPort). + Action().LoadRegMark(OutputToOFPortRegMark). + Action().LoadToRegField(PacketCaptureMark, tag). + SetHardTimeout(timeout). + Action().GotoStage(stageIngressSecurity) + if packet.SourceIP != nil { + flowBuilder = flowBuilder.MatchSrcIP(packet.SourceIP) + } + } + + // for sender only case, capture the first tracked packet for svc. + if senderOnly { + for _, ipProtocol := range f.ipProtocols { + tmpFlowBuilder := ConntrackStateTable.ofTable.BuildFlow(priorityHigh). + Cookie(cookieID). + MatchInPort(ofPort). + MatchProtocol(ipProtocol). + MatchCTStateNew(true). + MatchCTStateTrk(true). + Action().LoadRegMark(RewriteMACRegMark). + Action().LoadToRegField(PacketCaptureMark, tag). + SetHardTimeout(timeout). + Action().GotoStage(stagePreRouting) + tmpFlowBuilder.MatchDstIP(packet.DestinationIP) + tmpFlowBuilder = matchTransportHeader(packet, tmpFlowBuilder, nil) + flows = append(flows, tmpFlowBuilder.Done()) + } + } + + if flowBuilder != nil { + flow := matchTransportHeader(packet, flowBuilder, nil).Done() + flows = append(flows, flow) + } + + output := func(fb binding.FlowBuilder) binding.FlowBuilder { + return fb.Action().OutputToRegField(TargetOFPortField) + } + + sendToController := func(fb binding.FlowBuilder) binding.FlowBuilder { + if ovsMetersAreSupported { + fb = fb.Action().Meter(PacketInMeterIDTF) + } + fb = fb.Action().SendToController([]byte{uint8(PacketInCategoryPacketCapture)}, false) + return fb + } + + // This generates PacketCapture specific flows that outputs capture + // non-hairpin packets to OVS port and Antrea Agent after + // L2 forwarding calculation. + for _, ipProtocol := range f.ipProtocols { + if f.networkConfig.TrafficEncapMode.SupportsEncap() { + // SendToController and Output if output port is tunnel port. + fb := OutputTable.ofTable.BuildFlow(priorityNormal+3). + Cookie(cookieID). + MatchRegFieldWithValue(TargetOFPortField, f.tunnelPort). + MatchProtocol(ipProtocol). + MatchRegMark(OutputToOFPortRegMark). + MatchRegFieldWithValue(PacketCaptureMark, tag). + SetHardTimeout(timeout). + Action().OutputToRegField(TargetOFPortField) + fb = sendToController(fb) + flows = append(flows, fb.Done()) + // For injected packets, only SendToController if output port is local gateway. In encapMode, a PacketCapture + // packet going out of the gateway port (i.e. exiting the overlay) essentially means that the PacketCapture + // request is complete. + fb = OutputTable.ofTable.BuildFlow(priorityNormal+2). + Cookie(cookieID). + MatchRegFieldWithValue(TargetOFPortField, f.gatewayPort). + MatchProtocol(ipProtocol). + MatchRegMark(OutputToOFPortRegMark). + MatchRegFieldWithValue(PacketCaptureMark, tag). + SetHardTimeout(timeout) + fb = sendToController(fb) + fb = output(fb) + flows = append(flows, fb.Done()) + } else { + // SendToController and Output if output port is local gateway. Unlike in encapMode, inter-Node Pod-to-Pod + // traffic is expected to go out of the gateway port on the way to its destination. + fb := OutputTable.ofTable.BuildFlow(priorityNormal+2). + Cookie(cookieID). + MatchRegFieldWithValue(TargetOFPortField, f.gatewayPort). + MatchProtocol(ipProtocol). + MatchRegMark(OutputToOFPortRegMark). + MatchRegFieldWithValue(PacketCaptureMark, tag). + SetHardTimeout(timeout). + Action().OutputToRegField(TargetOFPortField) + fb = sendToController(fb) + flows = append(flows, fb.Done()) + } + + gatewayIP := f.gatewayIPs[ipProtocol] + if gatewayIP != nil { + fb := OutputTable.ofTable.BuildFlow(priorityNormal+3). + Cookie(cookieID). + MatchRegFieldWithValue(TargetOFPortField, f.gatewayPort). + MatchProtocol(ipProtocol). + MatchDstIP(gatewayIP). + MatchRegMark(OutputToOFPortRegMark). + MatchRegFieldWithValue(PacketCaptureMark, tag). + SetHardTimeout(timeout) + fb = sendToController(fb) + fb = output(fb) + flows = append(flows, fb.Done()) + } + + fb := OutputTable.ofTable.BuildFlow(priorityNormal+2). + Cookie(cookieID). + MatchProtocol(ipProtocol). + MatchRegMark(OutputToOFPortRegMark). + MatchRegFieldWithValue(PacketCaptureMark, tag). + SetHardTimeout(timeout) + fb = sendToController(fb) + fb = output(fb) + flows = append(flows, fb.Done()) + } + return flows +} + // TODO: Use DuplicateToBuilder or integrate this function into original one to avoid unexpected difference. // flowsToTrace generates Traceflow specific flows in the connectionTrackStateTable or L2ForwardingCalcTable for featurePodConnectivity. // When packet is not provided, the flows bypass the drop flow in conntrackStateFlow to avoid unexpected drop of the @@ -936,14 +1140,7 @@ func (f *featurePodConnectivity) flowsToTrace(dataplaneTag uint8, default: flowBuilder = flowBuilder.MatchIPProtocolValue(packet.IsIPv6, packet.IPProto) } - if packet.IPProto == protocol.Type_TCP || packet.IPProto == protocol.Type_UDP { - if packet.DestinationPort != 0 { - flowBuilder = flowBuilder.MatchDstPort(packet.DestinationPort, nil) - } - if packet.SourcePort != 0 { - flowBuilder = flowBuilder.MatchSrcPort(packet.SourcePort, nil) - } - } + flows = append(flows, flowBuilder.Done()) } @@ -1040,6 +1237,44 @@ func (f *featurePodConnectivity) flowsToTrace(dataplaneTag uint8, return flows } +// flowsToCapture is used to generate flows for PacketCapture in featureService. +func (f *featureService) flowsToCapture(dataplaneTag uint8, + ovsMetersAreSupported, + senderOnly bool, + receiverOnly bool, + packet *binding.Packet, + endpointPackets []binding.Packet, + ofPort uint32, + timeout uint16) []binding.Flow { + cookieID := f.cookieAllocator.Request(cookie.PacketCapture).Raw() + var flows []binding.Flow + + sendToController := func(fb binding.FlowBuilder) binding.FlowBuilder { + if ovsMetersAreSupported { + fb = fb.Action().Meter(PacketInMeterIDTF) + } + fb = fb.Action().SendToController([]byte{uint8(PacketInCategoryPacketCapture)}, false) + return fb + } + + // This generates PacketCapture specific flows that outputs hairpin PacketCapture packets to OVS port and Antrea Agent after + // L2forwarding calculation. + for _, ipProtocol := range f.ipProtocols { + if f.enableProxy { + fb := OutputTable.ofTable.BuildFlow(priorityHigh+2). + Cookie(cookieID). + MatchProtocol(ipProtocol). + MatchCTMark(HairpinCTMark). + MatchRegFieldWithValue(PacketCaptureMark, uint32(dataplaneTag)). + SetHardTimeout(timeout) + fb = sendToController(fb) + fb = fb.Action().OutputToRegField(TargetOFPortField) + flows = append(flows, fb.Done()) + } + } + return flows +} + // flowsToTrace is used to generate flows for Traceflow in featureService. func (f *featureService) flowsToTrace(dataplaneTag uint8, ovsMetersAreSupported, @@ -2834,6 +3069,7 @@ func NewClient(bridgeName string, enableMulticluster bool, groupIDAllocator GroupAllocator, enablePrometheusMetrics bool, + enablePacketCapture bool, packetInRate int, ) *client { bridge := binding.NewOFBridge(bridgeName, mgmtAddr) @@ -2853,6 +3089,7 @@ func NewClient(bridgeName string, enableL7FlowExporter: enableL7FlowExporter, enableMulticluster: enableMulticluster, enablePrometheusMetrics: enablePrometheusMetrics, + enablePacketCapture: enablePacketCapture, connectUplinkToBridge: connectUplinkToBridge, pipelines: make(map[binding.PipelineID]binding.Pipeline), packetInHandlers: map[uint8]PacketInHandler{}, diff --git a/pkg/agent/openflow/pipeline_test.go b/pkg/agent/openflow/pipeline_test.go index 451abe7ccc1..3d094d15ca8 100644 --- a/pkg/agent/openflow/pipeline_test.go +++ b/pkg/agent/openflow/pipeline_test.go @@ -19,6 +19,7 @@ import ( "testing" "antrea.io/libOpenflow/openflow15" + "antrea.io/libOpenflow/protocol" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "go.uber.org/mock/gomock" @@ -301,3 +302,94 @@ func getGroupModLen(g *openflow15.GroupMod) uint32 { } return n } + +func TestMatchTransportHeader(t *testing.T) { + + testCases := []struct { + name string + packet *binding.Packet + endpointPackets []binding.Packet + expectCalls func(ctrl *gomock.Controller, builder *openflowtest.MockFlowBuilder) *openflowtest.MockFlowBuilder + }{ + { + name: "tcp proto", + packet: &binding.Packet{ + IPProto: protocol.Type_TCP, + }, + expectCalls: func(ctrl *gomock.Controller, builder *openflowtest.MockFlowBuilder) *openflowtest.MockFlowBuilder { + builder.EXPECT().MatchProtocol(binding.ProtocolTCP) + return builder + + }, + }, + { + name: "udp proto", + packet: &binding.Packet{ + IPProto: protocol.Type_UDP, + }, + expectCalls: func(ctrl *gomock.Controller, builder *openflowtest.MockFlowBuilder) *openflowtest.MockFlowBuilder { + builder.EXPECT().MatchProtocol(binding.ProtocolUDP) + return builder + }, + }, + { + name: "ipv6-tcp", + packet: &binding.Packet{ + IPProto: protocol.Type_TCP, + IsIPv6: true, + }, + expectCalls: func(ctrl *gomock.Controller, builder *openflowtest.MockFlowBuilder) *openflowtest.MockFlowBuilder { + builder.EXPECT().MatchProtocol(binding.ProtocolTCPv6) + return builder + }, + }, + { + name: "udp-with-src-and-dst-port", + packet: &binding.Packet{ + IPProto: protocol.Type_UDP, + SourcePort: 1000, + DestinationPort: 53, + }, + expectCalls: func(ctrl *gomock.Controller, builder *openflowtest.MockFlowBuilder) *openflowtest.MockFlowBuilder { + builder.EXPECT().MatchProtocol(binding.ProtocolUDP).Return(builder).AnyTimes() + builder.EXPECT().MatchDstPort(uint16(53), nil).Return(builder).AnyTimes() + builder.EXPECT().MatchSrcPort(uint16(1000), nil).Return(builder).AnyTimes() + return builder + }, + }, + { + name: "with endpoints packets", + packet: &binding.Packet{ + IPProto: protocol.Type_TCP, + SourcePort: 1000, + DestinationPort: 53, + }, + endpointPackets: []binding.Packet{ + { + IPProto: protocol.Type_TCP, + SourcePort: 1000, + DestinationPort: 54, + }, + }, + expectCalls: func(ctrl *gomock.Controller, builder *openflowtest.MockFlowBuilder) *openflowtest.MockFlowBuilder { + builder.EXPECT().MatchProtocol(binding.ProtocolTCP).Return(builder).AnyTimes() + builder.EXPECT().MatchDstPort(uint16(54), nil).Return(builder).AnyTimes() + builder.EXPECT().MatchSrcPort(uint16(1000), nil).Return(builder).AnyTimes() + return builder + }, + }, + } + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + ctrl := gomock.NewController(t) + fakeOfTable := openflowtest.NewMockTable(ctrl) + ConntrackStateTable.ofTable = fakeOfTable + defer func() { + ConntrackStateTable.ofTable = nil + }() + testBuilder := openflowtest.NewMockFlowBuilder(ctrl) + tc.expectCalls(ctrl, testBuilder) + matchTransportHeader(tc.packet, testBuilder, tc.endpointPackets) + }) + } +} diff --git a/pkg/agent/openflow/testing/mock_openflow.go b/pkg/agent/openflow/testing/mock_openflow.go index 99c21e47119..088b0dcfc0e 100644 --- a/pkg/agent/openflow/testing/mock_openflow.go +++ b/pkg/agent/openflow/testing/mock_openflow.go @@ -420,6 +420,20 @@ func (mr *MockClientMockRecorder) InstallNodeFlows(arg0, arg1, arg2, arg3, arg4 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "InstallNodeFlows", reflect.TypeOf((*MockClient)(nil).InstallNodeFlows), arg0, arg1, arg2, arg3, arg4) } +// InstallPacketCaptureFlows mocks base method. +func (m *MockClient) InstallPacketCaptureFlows(arg0 byte, arg1, arg2 bool, arg3 *openflow0.Packet, arg4 []openflow0.Packet, arg5 uint32, arg6 uint16) error { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "InstallPacketCaptureFlows", arg0, arg1, arg2, arg3, arg4, arg5, arg6) + ret0, _ := ret[0].(error) + return ret0 +} + +// InstallPacketCaptureFlows indicates an expected call of InstallPacketCaptureFlows. +func (mr *MockClientMockRecorder) InstallPacketCaptureFlows(arg0, arg1, arg2, arg3, arg4, arg5, arg6 any) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "InstallPacketCaptureFlows", reflect.TypeOf((*MockClient)(nil).InstallPacketCaptureFlows), arg0, arg1, arg2, arg3, arg4, arg5, arg6) +} + // InstallPodFlows mocks base method. func (m *MockClient) InstallPodFlows(arg0 string, arg1 []net.IP, arg2 net.HardwareAddr, arg3 uint32, arg4 uint16, arg5 *uint32) error { m.ctrl.T.Helper() @@ -960,6 +974,20 @@ func (mr *MockClientMockRecorder) UninstallNodeFlows(arg0 any) *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UninstallNodeFlows", reflect.TypeOf((*MockClient)(nil).UninstallNodeFlows), arg0) } +// UninstallPacketCaptureFlows mocks base method. +func (m *MockClient) UninstallPacketCaptureFlows(arg0 byte) error { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "UninstallPacketCaptureFlows", arg0) + ret0, _ := ret[0].(error) + return ret0 +} + +// UninstallPacketCaptureFlows indicates an expected call of UninstallPacketCaptureFlows. +func (mr *MockClientMockRecorder) UninstallPacketCaptureFlows(arg0 any) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UninstallPacketCaptureFlows", reflect.TypeOf((*MockClient)(nil).UninstallPacketCaptureFlows), arg0) +} + // UninstallPodFlows mocks base method. func (m *MockClient) UninstallPodFlows(arg0 string) error { m.ctrl.T.Helper() diff --git a/pkg/agent/supportbundlecollection/support_bundle_controller.go b/pkg/agent/supportbundlecollection/support_bundle_controller.go index 1202448019e..98099d8b4a2 100644 --- a/pkg/agent/supportbundlecollection/support_bundle_controller.go +++ b/pkg/agent/supportbundlecollection/support_bundle_controller.go @@ -17,16 +17,11 @@ package supportbundlecollection import ( "context" "fmt" - "io" - "net/url" - "path" "reflect" "sync" "time" - "github.com/pkg/sftp" "github.com/spf13/afero" - "golang.org/x/crypto/ssh" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/fields" "k8s.io/apimachinery/pkg/util/wait" @@ -43,18 +38,15 @@ import ( "antrea.io/antrea/pkg/querier" "antrea.io/antrea/pkg/support" "antrea.io/antrea/pkg/util/compress" + "antrea.io/antrea/pkg/util/ftp" "antrea.io/antrea/pkg/util/k8s" ) type ProtocolType string const ( - sftpProtocol ProtocolType = "sftp" - - controllerName = "SupportBundleCollectionController" - - uploadToFileServerTries = 5 - uploadToFileServerRetryDelay = 5 * time.Second + sftpProtocol ProtocolType = "sftp" + controllerName string = "SupportBundleCollectionController" ) var ( @@ -78,7 +70,7 @@ type SupportBundleController struct { npq querier.AgentNetworkPolicyInfoQuerier v4Enabled bool v6Enabled bool - sftpUploader uploader + sftpUploader ftp.Uploader } func NewSupportBundleController(nodeName string, @@ -101,7 +93,7 @@ func NewSupportBundleController(nodeName string, npq: npq, v4Enabled: v4Enabled, v6Enabled: v6Enabled, - sftpUploader: &sftpUploader{}, + sftpUploader: &ftp.SftpUploader{}, } return c } @@ -302,100 +294,20 @@ func (c *SupportBundleController) uploadSupportBundle(supportBundle *cpv1b2.Supp if err != nil { return fmt.Errorf("failed to upload support bundle while getting uploader: %v", err) } - if _, err := outputFile.Seek(0, 0); err != nil { - return fmt.Errorf("failed to upload support bundle to file server while setting offset: %v", err) - } - // fileServer.URL should be like: 10.92.23.154:22/path or sftp://10.92.23.154:22/path - parsedURL, err := parseUploadUrl(supportBundle.FileServer.URL) - if err != nil { - return fmt.Errorf("failed to upload support bundle while parsing upload URL: %v", err) - } - triesLeft := uploadToFileServerTries - var uploadErr error - for triesLeft > 0 { - if uploadErr = c.uploadToFileServer(uploader, supportBundle.Name, parsedURL, &supportBundle.Authentication, outputFile); uploadErr == nil { - return nil - } - triesLeft-- - if triesLeft == 0 { - return fmt.Errorf("failed to upload support bundle after %d attempts", uploadToFileServerTries) - } - klog.InfoS("Failed to upload support bundle", "UploadError", uploadErr, "TriesLeft", triesLeft) - time.Sleep(uploadToFileServerRetryDelay) - } - return nil -} -func parseUploadUrl(uploadUrl string) (*url.URL, error) { - parsedURL, err := url.Parse(uploadUrl) - if err != nil { - parsedURL, err = url.Parse("sftp://" + uploadUrl) - if err != nil { - return nil, err - } - } - if parsedURL.Scheme != "sftp" { - return nil, fmt.Errorf("not sftp protocol") - } - return parsedURL, nil + fileName := c.nodeName + "_" + supportBundle.Name + ".tar.gz" + serverAuth := supportBundle.Authentication.BasicAuthentication + cfg := ftp.GenSSHClientConfig(serverAuth.Username, serverAuth.Password) + return uploader.Upload(supportBundle.FileServer.URL, fileName, cfg, outputFile) } -func (c *SupportBundleController) uploadToFileServer(up uploader, bundleName string, parsedURL *url.URL, serverAuth *cpv1b2.BundleServerAuthConfiguration, tarGzFile io.Reader) error { - joinedPath := path.Join(parsedURL.Path, c.nodeName+"_"+bundleName+".tar.gz") - cfg := &ssh.ClientConfig{ - User: serverAuth.BasicAuthentication.Username, - Auth: []ssh.AuthMethod{ssh.Password(serverAuth.BasicAuthentication.Password)}, - // #nosec G106: skip host key check here and users can specify their own checks if needed - HostKeyCallback: ssh.InsecureIgnoreHostKey(), - Timeout: time.Second, - } - return up.upload(parsedURL.Host, joinedPath, cfg, tarGzFile) -} - -func (c *SupportBundleController) getUploaderByProtocol(protocol ProtocolType) (uploader, error) { +func (c *SupportBundleController) getUploaderByProtocol(protocol ProtocolType) (ftp.Uploader, error) { if protocol == sftpProtocol { return c.sftpUploader, nil } return nil, fmt.Errorf("unsupported protocol %s", protocol) } -type uploader interface { - upload(addr string, path string, config *ssh.ClientConfig, tarGzFile io.Reader) error -} - -type sftpUploader struct { -} - -func (uploader *sftpUploader) upload(address string, path string, config *ssh.ClientConfig, tarGzFile io.Reader) error { - conn, err := ssh.Dial("tcp", address, config) - if err != nil { - return fmt.Errorf("error when connecting to fs server: %w", err) - } - sftpClient, err := sftp.NewClient(conn) - if err != nil { - return fmt.Errorf("error when setting up sftp client: %w", err) - } - defer func() { - if err := sftpClient.Close(); err != nil { - klog.ErrorS(err, "Error when closing sftp client") - } - }() - targetFile, err := sftpClient.Create(path) - if err != nil { - return fmt.Errorf("error when creating target file on remote: %v", err) - } - defer func() { - if err := targetFile.Close(); err != nil { - klog.ErrorS(err, "Error when closing target file on remote") - } - }() - if written, err := io.Copy(targetFile, tarGzFile); err != nil { - return fmt.Errorf("error when copying target file: %v, written: %d", err, written) - } - klog.InfoS("Successfully upload file to path", "filePath", path) - return nil -} - func (c *SupportBundleController) updateSupportBundleCollectionStatus(key string, complete bool, genErr error) error { antreaClient, err := c.antreaClientGetter.GetAntreaClient() if err != nil { diff --git a/pkg/agent/supportbundlecollection/support_bundle_controller_test.go b/pkg/agent/supportbundlecollection/support_bundle_controller_test.go index 72b24d317bd..3016bc8eaef 100644 --- a/pkg/agent/supportbundlecollection/support_bundle_controller_test.go +++ b/pkg/agent/supportbundlecollection/support_bundle_controller_test.go @@ -16,7 +16,6 @@ package supportbundlecollection import ( "fmt" - "io" "testing" "github.com/spf13/afero" @@ -29,6 +28,8 @@ import ( "k8s.io/klog/v2" "k8s.io/utils/exec" + "antrea.io/antrea/pkg/util/ftp" + agentquerier "antrea.io/antrea/pkg/agent/querier" "antrea.io/antrea/pkg/apis/controlplane" cpv1b2 "antrea.io/antrea/pkg/apis/controlplane/v1beta2" @@ -69,7 +70,7 @@ func TestSupportBundleCollectionAdd(t *testing.T) { supportBundleCollection *cpv1b2.SupportBundleCollection expectedCompleted bool agentDumper *mockAgentDumper - uploader uploader + uploader ftp.Uploader }{ { name: "Add SupportBundleCollection", @@ -90,7 +91,7 @@ func TestSupportBundleCollectionAdd(t *testing.T) { supportBundleCollection: generateSupportbundleCollection("supportBundle3", "https://10.220.175.92:22/root/supportbundle"), expectedCompleted: false, agentDumper: &mockAgentDumper{}, - uploader: &testUploader{}, + uploader: &testFailedUploader{}, }, { name: "Add SupportBundleCollection with retry logics", @@ -198,7 +199,7 @@ func TestSupportBundleCollectionDelete(t *testing.T) { type testUploader struct { } -func (uploader *testUploader) upload(address string, path string, config *ssh.ClientConfig, tarGzFile io.Reader) error { +func (uploader *testUploader) Upload(url string, fileName string, config *ssh.ClientConfig, outputFile afero.File) error { klog.Info("Called test uploader") return nil } @@ -206,7 +207,7 @@ func (uploader *testUploader) upload(address string, path string, config *ssh.Cl type testFailedUploader struct { } -func (uploader *testFailedUploader) upload(address string, path string, config *ssh.ClientConfig, tarGzFile io.Reader) error { +func (uploader *testFailedUploader) Upload(url string, fileName string, config *ssh.ClientConfig, outputFile afero.File) error { klog.Info("Called test uploader for failed case") return fmt.Errorf("uploader failed") } diff --git a/pkg/apis/crd/v1alpha1/register.go b/pkg/apis/crd/v1alpha1/register.go index ecefd26a924..fc46da806a3 100644 --- a/pkg/apis/crd/v1alpha1/register.go +++ b/pkg/apis/crd/v1alpha1/register.go @@ -57,8 +57,9 @@ func addKnownTypes(scheme *runtime.Scheme) error { &NodeLatencyMonitorList{}, &BGPPolicy{}, &BGPPolicyList{}, + &PacketCapture{}, + &PacketCaptureList{}, ) - metav1.AddToGroupVersion( scheme, SchemeGroupVersion, diff --git a/pkg/apis/crd/v1alpha1/types.go b/pkg/apis/crd/v1alpha1/types.go index 378d3a5c58c..956fc1542fb 100644 --- a/pkg/apis/crd/v1alpha1/types.go +++ b/pkg/apis/crd/v1alpha1/types.go @@ -17,6 +17,7 @@ package v1alpha1 import ( v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" ) // IPBlock describes a particular CIDR (Ex. "192.168.1.1/24") that is allowed @@ -354,3 +355,123 @@ type BGPPeer struct { // a restart before deleting stale routes. The range of the value is from 1 to 3600, and the default value is 120. GracefulRestartTimeSeconds *int32 `json:"gracefulRestartTimeSeconds,omitempty"` } + +// Source describes the source spec of the packetcapture. +type Source struct { + // Namespace is the source Namespace. + Namespace string `json:"namespace"` + // Pod is the source Pod. + Pod string `json:"pod"` + // IP is the source IPv4 or IPv6 address. + IP string `json:"ip"` +} + +// Destination describes the destination spec of the PacketCapture. +type Destination struct { + // Namespace is the destination Namespace. + Namespace string `json:"namespace"` + // Pod is the destination Pod, exclusive with destination Service. + Pod string `json:"pod"` + // Service is the destination Service, exclusive with destination Pod. + Service string `json:"service"` + // IP is the destination IPv4 or IPv6 address. + IP string `json:"ip"` +} + +// TransportHeader describes spec of a TransportHeader. +type TransportHeader struct { + UDP *UDPHeader `json:"udp,omitempty" yaml:"udp,omitempty"` + TCP *TCPHeader `json:"tcp,omitempty" yaml:"tcp,omitempty"` +} + +// UDPHeader describes spec of a UDP header. +type UDPHeader struct { + // SrcPort is the source port. + SrcPort int32 `json:"srcPort,omitempty"` + // DstPort is the destination port. + DstPort int32 `json:"dstPort,omitempty"` +} + +// TCPHeader describes spec of a TCP header. +type TCPHeader struct { + // SrcPort is the source port. + SrcPort int32 `json:"srcPort,omitempty"` + // DstPort is the destination port. + DstPort int32 `json:"dstPort,omitempty"` + // Flags are flags in the header. + Flags *int32 `json:"flags,omitempty"` +} + +// Packet includes header info. +type Packet struct { + // IPFamily is the filter's IP family . default to `IPv4`. + IPFamily v1.IPFamily `json:"ipFamily"` + // Protocol represents the transport protocol. default to ICMP(1). Other + // possible choices are: TCP(6), UDP(17). + Protocol *intstr.IntOrString `json:"protocol,omitempty"` + TransportHeader TransportHeader `json:"transportHeader"` +} + +// PacketCaptureFirstNConfig contains the config for the FirstN type capture. The only supported parameter is +// `Number` at the moment, meaning capturing the first specified number of packets in a flow. +type PacketCaptureFirstNConfig struct { + Number int32 `json:"number"` +} + +const DefaultPacketCaptureTimeout uint16 = 60 + +type PacketCapturePhase string + +const ( + PacketCaptureRunning PacketCapturePhase = "Running" + PacketCaptureSucceeded PacketCapturePhase = "Succeeded" + PacketCaptureFailed PacketCapturePhase = "Failed" +) + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +type PacketCaptureList struct { + metav1.TypeMeta `json:",inline"` + // +optional + metav1.ListMeta `json:"metadata,omitempty"` + + Items []PacketCapture `json:"items"` +} + +// +genclient +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +type PacketCapture struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + Spec PacketCaptureSpec `json:"spec"` + Status PacketCaptureStatus `json:"status"` +} + +type CaptureConfig struct { + FirstN *PacketCaptureFirstNConfig `json:"firstN,omitempty"` +} + +type PacketCaptureSpec struct { + Timeout *uint16 `json:"timeout,omitempty"` + CaptureConfig CaptureConfig `json:"captureConfig"` + Source Source `json:"source"` + Destination Destination `json:"destination"` + Packet *Packet `json:"packet,omitempty"` + // FileServer specifies the sftp url config for the fileServer. Captured packets will be uploaded to this server. + FileServer BundleFileServer `json:"fileServer"` +} + +type PacketCaptureStatus struct { + Phase PacketCapturePhase `json:"phase"` + // Reason records the failure reason when the capture fails. + Reason string `json:"reason"` + // NumCapturedPackets records how many packets have been captured. If it reaches the target number, the capture + // can be considered as finished. + NumCapturedPackets *int32 `json:"numCapturedPackets,omitempty"` + // PacketsFileName is the file name where the captured packets are temporarily cached. The file will be + // removed after the PacketCapture is deleted. + PacketsFileName string `json:"packetsFileName"` + StartTime *metav1.Time `json:"startTime,omitempty"` +} diff --git a/pkg/apis/crd/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/crd/v1alpha1/zz_generated.deepcopy.go index a45bdeca9c0..448c35b18fa 100644 --- a/pkg/apis/crd/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/crd/v1alpha1/zz_generated.deepcopy.go @@ -23,6 +23,7 @@ import ( corev1 "k8s.io/api/core/v1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" + intstr "k8s.io/apimachinery/pkg/util/intstr" ) // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. @@ -266,6 +267,43 @@ func (in *BundleServerAuthConfiguration) DeepCopy() *BundleServerAuthConfigurati return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CaptureConfig) DeepCopyInto(out *CaptureConfig) { + *out = *in + if in.FirstN != nil { + in, out := &in.FirstN, &out.FirstN + *out = new(PacketCaptureFirstNConfig) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CaptureConfig. +func (in *CaptureConfig) DeepCopy() *CaptureConfig { + if in == nil { + return nil + } + out := new(CaptureConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Destination) DeepCopyInto(out *Destination) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Destination. +func (in *Destination) DeepCopy() *Destination { + if in == nil { + return nil + } + out := new(Destination) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *EgressAdvertisement) DeepCopyInto(out *EgressAdvertisement) { *out = *in @@ -536,6 +574,160 @@ func (in *NodeLatencyMonitorSpec) DeepCopy() *NodeLatencyMonitorSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Packet) DeepCopyInto(out *Packet) { + *out = *in + if in.Protocol != nil { + in, out := &in.Protocol, &out.Protocol + *out = new(intstr.IntOrString) + **out = **in + } + in.TransportHeader.DeepCopyInto(&out.TransportHeader) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Packet. +func (in *Packet) DeepCopy() *Packet { + if in == nil { + return nil + } + out := new(Packet) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PacketCapture) DeepCopyInto(out *PacketCapture) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacketCapture. +func (in *PacketCapture) DeepCopy() *PacketCapture { + if in == nil { + return nil + } + out := new(PacketCapture) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *PacketCapture) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PacketCaptureFirstNConfig) DeepCopyInto(out *PacketCaptureFirstNConfig) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacketCaptureFirstNConfig. +func (in *PacketCaptureFirstNConfig) DeepCopy() *PacketCaptureFirstNConfig { + if in == nil { + return nil + } + out := new(PacketCaptureFirstNConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PacketCaptureList) DeepCopyInto(out *PacketCaptureList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]PacketCapture, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacketCaptureList. +func (in *PacketCaptureList) DeepCopy() *PacketCaptureList { + if in == nil { + return nil + } + out := new(PacketCaptureList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *PacketCaptureList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PacketCaptureSpec) DeepCopyInto(out *PacketCaptureSpec) { + *out = *in + if in.Timeout != nil { + in, out := &in.Timeout, &out.Timeout + *out = new(uint16) + **out = **in + } + in.CaptureConfig.DeepCopyInto(&out.CaptureConfig) + out.Source = in.Source + out.Destination = in.Destination + if in.Packet != nil { + in, out := &in.Packet, &out.Packet + *out = new(Packet) + (*in).DeepCopyInto(*out) + } + out.FileServer = in.FileServer + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacketCaptureSpec. +func (in *PacketCaptureSpec) DeepCopy() *PacketCaptureSpec { + if in == nil { + return nil + } + out := new(PacketCaptureSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PacketCaptureStatus) DeepCopyInto(out *PacketCaptureStatus) { + *out = *in + if in.NumCapturedPackets != nil { + in, out := &in.NumCapturedPackets, &out.NumCapturedPackets + *out = new(int32) + **out = **in + } + if in.StartTime != nil { + in, out := &in.StartTime, &out.StartTime + *out = (*in).DeepCopy() + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacketCaptureStatus. +func (in *PacketCaptureStatus) DeepCopy() *PacketCaptureStatus { + if in == nil { + return nil + } + out := new(PacketCaptureStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PodAdvertisement) DeepCopyInto(out *PodAdvertisement) { *out = *in @@ -573,6 +765,22 @@ func (in *ServiceAdvertisement) DeepCopy() *ServiceAdvertisement { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Source) DeepCopyInto(out *Source) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Source. +func (in *Source) DeepCopy() *Source { + if in == nil { + return nil + } + out := new(Source) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SupportBundleCollection) DeepCopyInto(out *SupportBundleCollection) { *out = *in @@ -702,6 +910,27 @@ func (in *SupportBundleCollectionStatus) DeepCopy() *SupportBundleCollectionStat return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TCPHeader) DeepCopyInto(out *TCPHeader) { + *out = *in + if in.Flags != nil { + in, out := &in.Flags, &out.Flags + *out = new(int32) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPHeader. +func (in *TCPHeader) DeepCopy() *TCPHeader { + if in == nil { + return nil + } + out := new(TCPHeader) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSProtocol) DeepCopyInto(out *TLSProtocol) { *out = *in @@ -717,3 +946,45 @@ func (in *TLSProtocol) DeepCopy() *TLSProtocol { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TransportHeader) DeepCopyInto(out *TransportHeader) { + *out = *in + if in.UDP != nil { + in, out := &in.UDP, &out.UDP + *out = new(UDPHeader) + **out = **in + } + if in.TCP != nil { + in, out := &in.TCP, &out.TCP + *out = new(TCPHeader) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransportHeader. +func (in *TransportHeader) DeepCopy() *TransportHeader { + if in == nil { + return nil + } + out := new(TransportHeader) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UDPHeader) DeepCopyInto(out *UDPHeader) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UDPHeader. +func (in *UDPHeader) DeepCopy() *UDPHeader { + if in == nil { + return nil + } + out := new(UDPHeader) + in.DeepCopyInto(out) + return out +} diff --git a/pkg/apiserver/handlers/featuregates/handler_test.go b/pkg/apiserver/handlers/featuregates/handler_test.go index 401a14d9562..54ec43c13a4 100644 --- a/pkg/apiserver/handlers/featuregates/handler_test.go +++ b/pkg/apiserver/handlers/featuregates/handler_test.go @@ -73,6 +73,7 @@ func Test_getGatesResponse(t *testing.T) { {Component: "agent", Name: "NodeLatencyMonitor", Status: "Disabled", Version: "ALPHA"}, {Component: "agent", Name: "NodeNetworkPolicy", Status: "Disabled", Version: "ALPHA"}, {Component: "agent", Name: "NodePortLocal", Status: "Enabled", Version: "GA"}, + {Component: "agent", Name: "PacketCapture", Status: "Disabled", Version: "ALPHA"}, {Component: "agent", Name: "SecondaryNetwork", Status: "Disabled", Version: "ALPHA"}, {Component: "agent", Name: "ServiceExternalIP", Status: "Disabled", Version: "ALPHA"}, {Component: "agent", Name: "ServiceTrafficDistribution", Status: "Enabled", Version: "BETA"}, diff --git a/pkg/client/clientset/versioned/typed/crd/v1alpha1/crd_client.go b/pkg/client/clientset/versioned/typed/crd/v1alpha1/crd_client.go index bcff19f9bd7..c0780d228ec 100644 --- a/pkg/client/clientset/versioned/typed/crd/v1alpha1/crd_client.go +++ b/pkg/client/clientset/versioned/typed/crd/v1alpha1/crd_client.go @@ -29,6 +29,7 @@ type CrdV1alpha1Interface interface { BGPPoliciesGetter ExternalNodesGetter NodeLatencyMonitorsGetter + PacketCapturesGetter SupportBundleCollectionsGetter } @@ -49,6 +50,10 @@ func (c *CrdV1alpha1Client) NodeLatencyMonitors() NodeLatencyMonitorInterface { return newNodeLatencyMonitors(c) } +func (c *CrdV1alpha1Client) PacketCaptures() PacketCaptureInterface { + return newPacketCaptures(c) +} + func (c *CrdV1alpha1Client) SupportBundleCollections() SupportBundleCollectionInterface { return newSupportBundleCollections(c) } diff --git a/pkg/client/clientset/versioned/typed/crd/v1alpha1/fake/fake_crd_client.go b/pkg/client/clientset/versioned/typed/crd/v1alpha1/fake/fake_crd_client.go index 4d6c869b949..34b1c00ff7e 100644 --- a/pkg/client/clientset/versioned/typed/crd/v1alpha1/fake/fake_crd_client.go +++ b/pkg/client/clientset/versioned/typed/crd/v1alpha1/fake/fake_crd_client.go @@ -38,6 +38,10 @@ func (c *FakeCrdV1alpha1) NodeLatencyMonitors() v1alpha1.NodeLatencyMonitorInter return &FakeNodeLatencyMonitors{c} } +func (c *FakeCrdV1alpha1) PacketCaptures() v1alpha1.PacketCaptureInterface { + return &FakePacketCaptures{c} +} + func (c *FakeCrdV1alpha1) SupportBundleCollections() v1alpha1.SupportBundleCollectionInterface { return &FakeSupportBundleCollections{c} } diff --git a/pkg/client/clientset/versioned/typed/crd/v1alpha1/fake/fake_packetcapture.go b/pkg/client/clientset/versioned/typed/crd/v1alpha1/fake/fake_packetcapture.go new file mode 100644 index 00000000000..36b7b7682ce --- /dev/null +++ b/pkg/client/clientset/versioned/typed/crd/v1alpha1/fake/fake_packetcapture.go @@ -0,0 +1,130 @@ +// Copyright 2024 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakePacketCaptures implements PacketCaptureInterface +type FakePacketCaptures struct { + Fake *FakeCrdV1alpha1 +} + +var packetcapturesResource = v1alpha1.SchemeGroupVersion.WithResource("packetcaptures") + +var packetcapturesKind = v1alpha1.SchemeGroupVersion.WithKind("PacketCapture") + +// Get takes name of the packetCapture, and returns the corresponding packetCapture object, and an error if there is any. +func (c *FakePacketCaptures) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.PacketCapture, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootGetAction(packetcapturesResource, name), &v1alpha1.PacketCapture{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.PacketCapture), err +} + +// List takes label and field selectors, and returns the list of PacketCaptures that match those selectors. +func (c *FakePacketCaptures) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.PacketCaptureList, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootListAction(packetcapturesResource, packetcapturesKind, opts), &v1alpha1.PacketCaptureList{}) + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.PacketCaptureList{ListMeta: obj.(*v1alpha1.PacketCaptureList).ListMeta} + for _, item := range obj.(*v1alpha1.PacketCaptureList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested packetCaptures. +func (c *FakePacketCaptures) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewRootWatchAction(packetcapturesResource, opts)) +} + +// Create takes the representation of a packetCapture and creates it. Returns the server's representation of the packetCapture, and an error, if there is any. +func (c *FakePacketCaptures) Create(ctx context.Context, packetCapture *v1alpha1.PacketCapture, opts v1.CreateOptions) (result *v1alpha1.PacketCapture, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootCreateAction(packetcapturesResource, packetCapture), &v1alpha1.PacketCapture{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.PacketCapture), err +} + +// Update takes the representation of a packetCapture and updates it. Returns the server's representation of the packetCapture, and an error, if there is any. +func (c *FakePacketCaptures) Update(ctx context.Context, packetCapture *v1alpha1.PacketCapture, opts v1.UpdateOptions) (result *v1alpha1.PacketCapture, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootUpdateAction(packetcapturesResource, packetCapture), &v1alpha1.PacketCapture{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.PacketCapture), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakePacketCaptures) UpdateStatus(ctx context.Context, packetCapture *v1alpha1.PacketCapture, opts v1.UpdateOptions) (*v1alpha1.PacketCapture, error) { + obj, err := c.Fake. + Invokes(testing.NewRootUpdateSubresourceAction(packetcapturesResource, "status", packetCapture), &v1alpha1.PacketCapture{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.PacketCapture), err +} + +// Delete takes name of the packetCapture and deletes it. Returns an error if one occurs. +func (c *FakePacketCaptures) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewRootDeleteActionWithOptions(packetcapturesResource, name, opts), &v1alpha1.PacketCapture{}) + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakePacketCaptures) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewRootDeleteCollectionAction(packetcapturesResource, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.PacketCaptureList{}) + return err +} + +// Patch applies the patch and returns the patched packetCapture. +func (c *FakePacketCaptures) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.PacketCapture, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootPatchSubresourceAction(packetcapturesResource, name, pt, data, subresources...), &v1alpha1.PacketCapture{}) + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.PacketCapture), err +} diff --git a/pkg/client/clientset/versioned/typed/crd/v1alpha1/generated_expansion.go b/pkg/client/clientset/versioned/typed/crd/v1alpha1/generated_expansion.go index 0631615e701..fdcf058ec7e 100644 --- a/pkg/client/clientset/versioned/typed/crd/v1alpha1/generated_expansion.go +++ b/pkg/client/clientset/versioned/typed/crd/v1alpha1/generated_expansion.go @@ -22,4 +22,6 @@ type ExternalNodeExpansion interface{} type NodeLatencyMonitorExpansion interface{} +type PacketCaptureExpansion interface{} + type SupportBundleCollectionExpansion interface{} diff --git a/pkg/client/clientset/versioned/typed/crd/v1alpha1/packetcapture.go b/pkg/client/clientset/versioned/typed/crd/v1alpha1/packetcapture.go new file mode 100644 index 00000000000..3cbff9e855d --- /dev/null +++ b/pkg/client/clientset/versioned/typed/crd/v1alpha1/packetcapture.go @@ -0,0 +1,182 @@ +// Copyright 2024 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + scheme "antrea.io/antrea/pkg/client/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// PacketCapturesGetter has a method to return a PacketCaptureInterface. +// A group's client should implement this interface. +type PacketCapturesGetter interface { + PacketCaptures() PacketCaptureInterface +} + +// PacketCaptureInterface has methods to work with PacketCapture resources. +type PacketCaptureInterface interface { + Create(ctx context.Context, packetCapture *v1alpha1.PacketCapture, opts v1.CreateOptions) (*v1alpha1.PacketCapture, error) + Update(ctx context.Context, packetCapture *v1alpha1.PacketCapture, opts v1.UpdateOptions) (*v1alpha1.PacketCapture, error) + UpdateStatus(ctx context.Context, packetCapture *v1alpha1.PacketCapture, opts v1.UpdateOptions) (*v1alpha1.PacketCapture, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.PacketCapture, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.PacketCaptureList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.PacketCapture, err error) + PacketCaptureExpansion +} + +// packetCaptures implements PacketCaptureInterface +type packetCaptures struct { + client rest.Interface +} + +// newPacketCaptures returns a PacketCaptures +func newPacketCaptures(c *CrdV1alpha1Client) *packetCaptures { + return &packetCaptures{ + client: c.RESTClient(), + } +} + +// Get takes name of the packetCapture, and returns the corresponding packetCapture object, and an error if there is any. +func (c *packetCaptures) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.PacketCapture, err error) { + result = &v1alpha1.PacketCapture{} + err = c.client.Get(). + Resource("packetcaptures"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of PacketCaptures that match those selectors. +func (c *packetCaptures) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.PacketCaptureList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.PacketCaptureList{} + err = c.client.Get(). + Resource("packetcaptures"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested packetCaptures. +func (c *packetCaptures) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Resource("packetcaptures"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a packetCapture and creates it. Returns the server's representation of the packetCapture, and an error, if there is any. +func (c *packetCaptures) Create(ctx context.Context, packetCapture *v1alpha1.PacketCapture, opts v1.CreateOptions) (result *v1alpha1.PacketCapture, err error) { + result = &v1alpha1.PacketCapture{} + err = c.client.Post(). + Resource("packetcaptures"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(packetCapture). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a packetCapture and updates it. Returns the server's representation of the packetCapture, and an error, if there is any. +func (c *packetCaptures) Update(ctx context.Context, packetCapture *v1alpha1.PacketCapture, opts v1.UpdateOptions) (result *v1alpha1.PacketCapture, err error) { + result = &v1alpha1.PacketCapture{} + err = c.client.Put(). + Resource("packetcaptures"). + Name(packetCapture.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(packetCapture). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *packetCaptures) UpdateStatus(ctx context.Context, packetCapture *v1alpha1.PacketCapture, opts v1.UpdateOptions) (result *v1alpha1.PacketCapture, err error) { + result = &v1alpha1.PacketCapture{} + err = c.client.Put(). + Resource("packetcaptures"). + Name(packetCapture.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(packetCapture). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the packetCapture and deletes it. Returns an error if one occurs. +func (c *packetCaptures) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Resource("packetcaptures"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *packetCaptures) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Resource("packetcaptures"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched packetCapture. +func (c *packetCaptures) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.PacketCapture, err error) { + result = &v1alpha1.PacketCapture{} + err = c.client.Patch(pt). + Resource("packetcaptures"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/pkg/client/informers/externalversions/crd/v1alpha1/interface.go b/pkg/client/informers/externalversions/crd/v1alpha1/interface.go index e69100682ba..244bbe860f2 100644 --- a/pkg/client/informers/externalversions/crd/v1alpha1/interface.go +++ b/pkg/client/informers/externalversions/crd/v1alpha1/interface.go @@ -28,6 +28,8 @@ type Interface interface { ExternalNodes() ExternalNodeInformer // NodeLatencyMonitors returns a NodeLatencyMonitorInformer. NodeLatencyMonitors() NodeLatencyMonitorInformer + // PacketCaptures returns a PacketCaptureInformer. + PacketCaptures() PacketCaptureInformer // SupportBundleCollections returns a SupportBundleCollectionInformer. SupportBundleCollections() SupportBundleCollectionInformer } @@ -58,6 +60,11 @@ func (v *version) NodeLatencyMonitors() NodeLatencyMonitorInformer { return &nodeLatencyMonitorInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} } +// PacketCaptures returns a PacketCaptureInformer. +func (v *version) PacketCaptures() PacketCaptureInformer { + return &packetCaptureInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} +} + // SupportBundleCollections returns a SupportBundleCollectionInformer. func (v *version) SupportBundleCollections() SupportBundleCollectionInformer { return &supportBundleCollectionInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} diff --git a/pkg/client/informers/externalversions/crd/v1alpha1/packetcapture.go b/pkg/client/informers/externalversions/crd/v1alpha1/packetcapture.go new file mode 100644 index 00000000000..1995048a4c9 --- /dev/null +++ b/pkg/client/informers/externalversions/crd/v1alpha1/packetcapture.go @@ -0,0 +1,87 @@ +// Copyright 2024 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + versioned "antrea.io/antrea/pkg/client/clientset/versioned" + internalinterfaces "antrea.io/antrea/pkg/client/informers/externalversions/internalinterfaces" + v1alpha1 "antrea.io/antrea/pkg/client/listers/crd/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// PacketCaptureInformer provides access to a shared informer and lister for +// PacketCaptures. +type PacketCaptureInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.PacketCaptureLister +} + +type packetCaptureInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// NewPacketCaptureInformer constructs a new informer for PacketCapture type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewPacketCaptureInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredPacketCaptureInformer(client, resyncPeriod, indexers, nil) +} + +// NewFilteredPacketCaptureInformer constructs a new informer for PacketCapture type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredPacketCaptureInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.CrdV1alpha1().PacketCaptures().List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.CrdV1alpha1().PacketCaptures().Watch(context.TODO(), options) + }, + }, + &crdv1alpha1.PacketCapture{}, + resyncPeriod, + indexers, + ) +} + +func (f *packetCaptureInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredPacketCaptureInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *packetCaptureInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&crdv1alpha1.PacketCapture{}, f.defaultInformer) +} + +func (f *packetCaptureInformer) Lister() v1alpha1.PacketCaptureLister { + return v1alpha1.NewPacketCaptureLister(f.Informer().GetIndexer()) +} diff --git a/pkg/client/informers/externalversions/generic.go b/pkg/client/informers/externalversions/generic.go index 07c1d724cbc..d8325bbf33f 100644 --- a/pkg/client/informers/externalversions/generic.go +++ b/pkg/client/informers/externalversions/generic.go @@ -59,6 +59,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1alpha1().ExternalNodes().Informer()}, nil case v1alpha1.SchemeGroupVersion.WithResource("nodelatencymonitors"): return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1alpha1().NodeLatencyMonitors().Informer()}, nil + case v1alpha1.SchemeGroupVersion.WithResource("packetcaptures"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1alpha1().PacketCaptures().Informer()}, nil case v1alpha1.SchemeGroupVersion.WithResource("supportbundlecollections"): return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1alpha1().SupportBundleCollections().Informer()}, nil diff --git a/pkg/client/listers/crd/v1alpha1/expansion_generated.go b/pkg/client/listers/crd/v1alpha1/expansion_generated.go index 6d1c92155c1..ebe5ff42e87 100644 --- a/pkg/client/listers/crd/v1alpha1/expansion_generated.go +++ b/pkg/client/listers/crd/v1alpha1/expansion_generated.go @@ -32,6 +32,10 @@ type ExternalNodeNamespaceListerExpansion interface{} // NodeLatencyMonitorLister. type NodeLatencyMonitorListerExpansion interface{} +// PacketCaptureListerExpansion allows custom methods to be added to +// PacketCaptureLister. +type PacketCaptureListerExpansion interface{} + // SupportBundleCollectionListerExpansion allows custom methods to be added to // SupportBundleCollectionLister. type SupportBundleCollectionListerExpansion interface{} diff --git a/pkg/client/listers/crd/v1alpha1/packetcapture.go b/pkg/client/listers/crd/v1alpha1/packetcapture.go new file mode 100644 index 00000000000..b7c9cc4ad53 --- /dev/null +++ b/pkg/client/listers/crd/v1alpha1/packetcapture.go @@ -0,0 +1,66 @@ +// Copyright 2024 Antrea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// PacketCaptureLister helps list PacketCaptures. +// All objects returned here must be treated as read-only. +type PacketCaptureLister interface { + // List lists all PacketCaptures in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.PacketCapture, err error) + // Get retrieves the PacketCapture from the index for a given name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.PacketCapture, error) + PacketCaptureListerExpansion +} + +// packetCaptureLister implements the PacketCaptureLister interface. +type packetCaptureLister struct { + indexer cache.Indexer +} + +// NewPacketCaptureLister returns a new PacketCaptureLister. +func NewPacketCaptureLister(indexer cache.Indexer) PacketCaptureLister { + return &packetCaptureLister{indexer: indexer} +} + +// List lists all PacketCaptures in the indexer. +func (s *packetCaptureLister) List(selector labels.Selector) (ret []*v1alpha1.PacketCapture, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.PacketCapture)) + }) + return ret, err +} + +// Get retrieves the PacketCapture from the index for a given name. +func (s *packetCaptureLister) Get(name string) (*v1alpha1.PacketCapture, error) { + obj, exists, err := s.indexer.GetByKey(name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("packetcapture"), name) + } + return obj.(*v1alpha1.PacketCapture), nil +} diff --git a/pkg/controller/supportbundlecollection/controller.go b/pkg/controller/supportbundlecollection/controller.go index aabf9101f0b..98d52a66aab 100644 --- a/pkg/controller/supportbundlecollection/controller.go +++ b/pkg/controller/supportbundlecollection/controller.go @@ -15,7 +15,6 @@ package supportbundlecollection import ( - "bytes" "context" "fmt" "reflect" @@ -45,6 +44,7 @@ import ( crdinformers "antrea.io/antrea/pkg/client/informers/externalversions/crd/v1alpha1" crdlisters "antrea.io/antrea/pkg/client/listers/crd/v1alpha1" "antrea.io/antrea/pkg/controller/types" + "antrea.io/antrea/pkg/util/ftp" "antrea.io/antrea/pkg/util/k8s" ) @@ -390,7 +390,7 @@ func (c *Controller) createInternalSupportBundleCollection(bundle *v1alpha1.Supp } nodeSpan := nodeNames.Union(externalNodeNames) // Get authentication from the Secret provided in authentication field in the CRD - authentication, err := c.parseBundleAuth(bundle.Spec.Authentication) + authentication, err := ftp.ParseBundleAuth(bundle.Spec.Authentication, c.kubeClient) if err != nil { klog.ErrorS(err, "Failed to get authentication defined in the SupportBundleCollection CR", "name", bundle.Name, "authentication", bundle.Spec.Authentication) return nil, err @@ -511,60 +511,6 @@ func (c *Controller) deleteInternalSupportBundleCollection(key string) error { return nil } -// parseBundleAuth returns the authentication from the Secret provided in BundleServerAuthConfiguration. -// The authentication is stored in the Secret Data with a key decided by the AuthType, and encoded using base64. -func (c *Controller) parseBundleAuth(authentication v1alpha1.BundleServerAuthConfiguration) (*controlplane.BundleServerAuthConfiguration, error) { - secretReference := authentication.AuthSecret - if secretReference == nil { - return nil, fmt.Errorf("authentication is not specified") - } - secret, err := c.kubeClient.CoreV1().Secrets(secretReference.Namespace).Get(context.TODO(), secretReference.Name, metav1.GetOptions{}) - if err != nil { - return nil, fmt.Errorf("unable to get Secret with name %s in Namespace %s: %v", secretReference.Name, secretReference.Namespace, err) - } - parseAuthValue := func(secretData map[string][]byte, key string) (string, error) { - authValue, found := secret.Data[key] - if !found { - return "", fmt.Errorf("not found authentication in Secret %s/%s with key %s", secretReference.Namespace, secretReference.Name, key) - } - return bytes.NewBuffer(authValue).String(), nil - } - switch authentication.AuthType { - case v1alpha1.APIKey: - value, err := parseAuthValue(secret.Data, secretKeyWithAPIKey) - if err != nil { - return nil, err - } - return &controlplane.BundleServerAuthConfiguration{ - APIKey: value, - }, nil - case v1alpha1.BearerToken: - value, err := parseAuthValue(secret.Data, secretKeyWithBearerToken) - if err != nil { - return nil, err - } - return &controlplane.BundleServerAuthConfiguration{ - BearerToken: value, - }, nil - case v1alpha1.BasicAuthentication: - username, err := parseAuthValue(secret.Data, secretKeyWithUsername) - if err != nil { - return nil, err - } - password, err := parseAuthValue(secret.Data, secretKeyWithPassword) - if err != nil { - return nil, err - } - return &controlplane.BundleServerAuthConfiguration{ - BasicAuthentication: &controlplane.BasicAuthentication{ - Username: username, - Password: password, - }, - }, nil - } - return nil, fmt.Errorf("unsupported authentication type %s", authentication.AuthType) -} - // addInternalSupportBundleCollection adds internalBundle into supportBundleCollectionStore, and creates a // supportBundleCollectionAppliedTo resource to maintain the SupportBundleCollection's required Nodes or ExternalNodes. func (c *Controller) addInternalSupportBundleCollection( diff --git a/pkg/controller/supportbundlecollection/controller_test.go b/pkg/controller/supportbundlecollection/controller_test.go index 678215dadd5..1b3d2eb490c 100644 --- a/pkg/controller/supportbundlecollection/controller_test.go +++ b/pkg/controller/supportbundlecollection/controller_test.go @@ -660,111 +660,6 @@ type secretConfig struct { data map[string][]byte } -func TestParseBundleAuth(t *testing.T) { - ns := "ns-auth" - apiKey := testKeyString - token := testTokenString - usr := "user" - pwd := "pwd123456" - var secretObjects []runtime.Object - for _, s := range prepareSecrets(ns, []secretConfig{ - {name: "s1", data: map[string][]byte{secretKeyWithAPIKey: []byte(apiKey)}}, - {name: "s2", data: map[string][]byte{secretKeyWithBearerToken: []byte(token)}}, - {name: "s3", data: map[string][]byte{secretKeyWithUsername: []byte(usr), secretKeyWithPassword: []byte(pwd)}}, - {name: "invalid-base64", data: map[string][]byte{secretKeyWithAPIKey: []byte("invalid string to decode with base64")}}, - {name: "invalid-secret", data: map[string][]byte{"unknown": []byte(apiKey)}}, - }) { - secretObjects = append(secretObjects, s) - } - - testClient := newTestClient(secretObjects, nil) - controller := newController(testClient) - stopCh := make(chan struct{}) - testClient.start(stopCh) - - testClient.waitForSync(stopCh) - - for _, tc := range []struct { - authentication v1alpha1.BundleServerAuthConfiguration - expectedError string - expectedAuth *controlplane.BundleServerAuthConfiguration - }{ - { - authentication: v1alpha1.BundleServerAuthConfiguration{ - AuthType: v1alpha1.APIKey, - AuthSecret: &corev1.SecretReference{ - Namespace: ns, - Name: "s1", - }, - }, - expectedAuth: &controlplane.BundleServerAuthConfiguration{ - APIKey: testKeyString, - }, - }, - { - authentication: v1alpha1.BundleServerAuthConfiguration{ - AuthType: v1alpha1.BearerToken, - AuthSecret: &corev1.SecretReference{ - Namespace: ns, - Name: "s2", - }, - }, - expectedAuth: &controlplane.BundleServerAuthConfiguration{ - BearerToken: testTokenString, - }, - }, - { - authentication: v1alpha1.BundleServerAuthConfiguration{ - AuthType: v1alpha1.BasicAuthentication, - AuthSecret: &corev1.SecretReference{ - Namespace: ns, - Name: "s3", - }, - }, - expectedAuth: &controlplane.BundleServerAuthConfiguration{ - BasicAuthentication: &controlplane.BasicAuthentication{ - Username: usr, - Password: pwd, - }, - }, - }, - { - authentication: v1alpha1.BundleServerAuthConfiguration{ - AuthType: v1alpha1.BearerToken, - AuthSecret: &corev1.SecretReference{ - Namespace: ns, - Name: "invalid-secret", - }, - }, - expectedError: fmt.Sprintf("not found authentication in Secret %s/invalid-secret with key %s", ns, secretKeyWithBearerToken), - }, - { - authentication: v1alpha1.BundleServerAuthConfiguration{ - AuthType: v1alpha1.BearerToken, - AuthSecret: &corev1.SecretReference{ - Namespace: ns, - Name: "not-exist", - }, - }, - expectedError: fmt.Sprintf("unable to get Secret with name not-exist in Namespace %s", ns), - }, - { - authentication: v1alpha1.BundleServerAuthConfiguration{ - AuthType: v1alpha1.APIKey, - AuthSecret: nil, - }, - expectedError: "authentication is not specified", - }, - } { - auth, err := controller.parseBundleAuth(tc.authentication) - if tc.expectedError != "" { - assert.Contains(t, err.Error(), tc.expectedError) - } else { - assert.Equal(t, tc.expectedAuth, auth) - } - } -} - func TestCreateAndDeleteInternalSupportBundleCollection(t *testing.T) { coreObjects, crdObjects := prepareTopology() testClient := newTestClient(coreObjects, crdObjects) diff --git a/pkg/features/antrea_features.go b/pkg/features/antrea_features.go index 8dc612a9340..54546d6b97c 100644 --- a/pkg/features/antrea_features.go +++ b/pkg/features/antrea_features.go @@ -73,6 +73,10 @@ const ( // Allows to trace path from a generated packet. Traceflow featuregate.Feature = "Traceflow" + // alpha: v2.0 + // Allows to capture packets for a flow. + PacketCapture featuregate.Feature = "PacketCapture" + // alpha: v0.9 // Flow exporter exports IPFIX flow records of Antrea flows seen in conntrack module. FlowExporter featuregate.Feature = "FlowExporter" @@ -196,6 +200,7 @@ var ( ServiceTrafficDistribution: {Default: true, PreRelease: featuregate.Beta}, CleanupStaleUDPSvcConntrack: {Default: true, PreRelease: featuregate.Beta}, Traceflow: {Default: true, PreRelease: featuregate.Beta}, + PacketCapture: {Default: false, PreRelease: featuregate.Alpha}, AntreaIPAM: {Default: false, PreRelease: featuregate.Alpha}, FlowExporter: {Default: false, PreRelease: featuregate.Alpha}, NetworkPolicyStats: {Default: true, PreRelease: featuregate.Beta}, @@ -244,6 +249,7 @@ var ( SupportBundleCollection, TopologyAwareHints, Traceflow, + PacketCapture, TrafficControl, EgressTrafficShaping, EgressSeparateSubnet, @@ -301,6 +307,7 @@ var ( NodeNetworkPolicy: {}, L7FlowExporter: {}, NodeLatencyMonitor: {}, + PacketCapture: {}, } // supportedFeaturesOnExternalNode records the features supported on an external // Node. Antrea Agent checks the enabled features if it is running on an diff --git a/pkg/util/ftp/auth.go b/pkg/util/ftp/auth.go new file mode 100644 index 00000000000..2900c0e4812 --- /dev/null +++ b/pkg/util/ftp/auth.go @@ -0,0 +1,102 @@ +// Copyright 2024 Antrea Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package ftp + +import ( + "bytes" + "context" + "fmt" + "time" + + "golang.org/x/crypto/ssh" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + clientset "k8s.io/client-go/kubernetes" + + "antrea.io/antrea/pkg/apis/controlplane" + crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" +) + +const ( + secretKeyWithAPIKey = "apikey" + secretKeyWithBearerToken = "token" + secretKeyWithUsername = "username" + secretKeyWithPassword = "password" +) + +// GenSSHClientConfig generates ssh.ClientConfig from username and password +func GenSSHClientConfig(username, password string) *ssh.ClientConfig { + cfg := &ssh.ClientConfig{ + User: username, + Auth: []ssh.AuthMethod{ssh.Password(password)}, + // #nosec G106: skip host key check here and users can specify their own checks if needed + HostKeyCallback: ssh.InsecureIgnoreHostKey(), + Timeout: time.Second, + } + return cfg +} + +// ParseBundleAuth returns the authentication from the Secret provided in BundleServerAuthConfiguration. +// The authentication is stored in the Secret Data with a key decided by the AuthType, and encoded using base64. +func ParseBundleAuth(authentication crdv1alpha1.BundleServerAuthConfiguration, kubeClient clientset.Interface) (*controlplane.BundleServerAuthConfiguration, error) { + secretReference := authentication.AuthSecret + if secretReference == nil { + return nil, fmt.Errorf("authentication is not specified") + } + secret, err := kubeClient.CoreV1().Secrets(secretReference.Namespace).Get(context.TODO(), secretReference.Name, metav1.GetOptions{}) + if err != nil { + return nil, fmt.Errorf("unable to get Secret with name %s in Namespace %s: %v", secretReference.Name, secretReference.Namespace, err) + } + parseAuthValue := func(secretData map[string][]byte, key string) (string, error) { + authValue, found := secret.Data[key] + if !found { + return "", fmt.Errorf("not found authentication in Secret %s/%s with key %s", secretReference.Namespace, secretReference.Name, key) + } + return bytes.NewBuffer(authValue).String(), nil + } + switch authentication.AuthType { + case crdv1alpha1.APIKey: + value, err := parseAuthValue(secret.Data, secretKeyWithAPIKey) + if err != nil { + return nil, err + } + return &controlplane.BundleServerAuthConfiguration{ + APIKey: value, + }, nil + case crdv1alpha1.BearerToken: + value, err := parseAuthValue(secret.Data, secretKeyWithBearerToken) + if err != nil { + return nil, err + } + return &controlplane.BundleServerAuthConfiguration{ + BearerToken: value, + }, nil + case crdv1alpha1.BasicAuthentication: + username, err := parseAuthValue(secret.Data, secretKeyWithUsername) + if err != nil { + return nil, err + } + password, err := parseAuthValue(secret.Data, secretKeyWithPassword) + if err != nil { + return nil, err + } + return &controlplane.BundleServerAuthConfiguration{ + BasicAuthentication: &controlplane.BasicAuthentication{ + Username: username, + Password: password, + }, + }, nil + } + return nil, fmt.Errorf("unsupported authentication type %s", authentication.AuthType) +} diff --git a/pkg/util/ftp/auth_test.go b/pkg/util/ftp/auth_test.go new file mode 100644 index 00000000000..f2d4a3dc0bf --- /dev/null +++ b/pkg/util/ftp/auth_test.go @@ -0,0 +1,183 @@ +// Copyright 2024 Antrea Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package ftp + +import ( + "fmt" + "testing" + "time" + + "github.com/stretchr/testify/assert" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/client-go/informers" + "k8s.io/client-go/kubernetes" + "k8s.io/client-go/kubernetes/fake" + + "antrea.io/antrea/pkg/apis/controlplane" + "antrea.io/antrea/pkg/apis/crd/v1alpha1" +) + +const ( + informerDefaultResync = 30 * time.Second + + testKeyString = "it is a valid API key" + testTokenString = "it is a valid token" +) + +type secretConfig struct { + name string + data map[string][]byte +} + +func prepareSecrets(ns string, secretConfigs []secretConfig) []*corev1.Secret { + secrets := make([]*corev1.Secret, 0) + for _, s := range secretConfigs { + secret := &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: s.name, + Namespace: ns, + }, + Data: s.data, + } + secrets = append(secrets, secret) + } + return secrets +} + +type testClient struct { + client kubernetes.Interface + informerFactory informers.SharedInformerFactory +} + +func (c *testClient) start(stopCh <-chan struct{}) { + c.informerFactory.Start(stopCh) +} + +func (c *testClient) waitForSync(stopCh <-chan struct{}) { + c.informerFactory.WaitForCacheSync(stopCh) +} + +func newTestClient(coreObjects []runtime.Object, crdObjects []runtime.Object) *testClient { + client := fake.NewSimpleClientset(coreObjects...) + return &testClient{ + client: client, + informerFactory: informers.NewSharedInformerFactory(client, informerDefaultResync), + } +} + +func TestParseBundleAuth(t *testing.T) { + ns := "ns-auth" + apiKey := testKeyString + token := testTokenString + usr := "user" + pwd := "pwd123456" + var secretObjects []runtime.Object + for _, s := range prepareSecrets(ns, []secretConfig{ + {name: "s1", data: map[string][]byte{secretKeyWithAPIKey: []byte(apiKey)}}, + {name: "s2", data: map[string][]byte{secretKeyWithBearerToken: []byte(token)}}, + {name: "s3", data: map[string][]byte{secretKeyWithUsername: []byte(usr), secretKeyWithPassword: []byte(pwd)}}, + {name: "invalid-base64", data: map[string][]byte{secretKeyWithAPIKey: []byte("invalid string to decode with base64")}}, + {name: "invalid-secret", data: map[string][]byte{"unknown": []byte(apiKey)}}, + }) { + secretObjects = append(secretObjects, s) + } + + testClient := newTestClient(secretObjects, nil) + stopCh := make(chan struct{}) + testClient.start(stopCh) + testClient.waitForSync(stopCh) + + for _, tc := range []struct { + authentication v1alpha1.BundleServerAuthConfiguration + expectedError string + expectedAuth *controlplane.BundleServerAuthConfiguration + }{ + { + authentication: v1alpha1.BundleServerAuthConfiguration{ + AuthType: v1alpha1.APIKey, + AuthSecret: &corev1.SecretReference{ + Namespace: ns, + Name: "s1", + }, + }, + expectedAuth: &controlplane.BundleServerAuthConfiguration{ + APIKey: testKeyString, + }, + }, + { + authentication: v1alpha1.BundleServerAuthConfiguration{ + AuthType: v1alpha1.BearerToken, + AuthSecret: &corev1.SecretReference{ + Namespace: ns, + Name: "s2", + }, + }, + expectedAuth: &controlplane.BundleServerAuthConfiguration{ + BearerToken: testTokenString, + }, + }, + { + authentication: v1alpha1.BundleServerAuthConfiguration{ + AuthType: v1alpha1.BasicAuthentication, + AuthSecret: &corev1.SecretReference{ + Namespace: ns, + Name: "s3", + }, + }, + expectedAuth: &controlplane.BundleServerAuthConfiguration{ + BasicAuthentication: &controlplane.BasicAuthentication{ + Username: usr, + Password: pwd, + }, + }, + }, + { + authentication: v1alpha1.BundleServerAuthConfiguration{ + AuthType: v1alpha1.BearerToken, + AuthSecret: &corev1.SecretReference{ + Namespace: ns, + Name: "invalid-secret", + }, + }, + expectedError: fmt.Sprintf("not found authentication in Secret %s/invalid-secret with key %s", ns, secretKeyWithBearerToken), + }, + { + authentication: v1alpha1.BundleServerAuthConfiguration{ + AuthType: v1alpha1.BearerToken, + AuthSecret: &corev1.SecretReference{ + Namespace: ns, + Name: "not-exist", + }, + }, + expectedError: fmt.Sprintf("unable to get Secret with name not-exist in Namespace %s", ns), + }, + { + authentication: v1alpha1.BundleServerAuthConfiguration{ + AuthType: v1alpha1.APIKey, + AuthSecret: nil, + }, + expectedError: "authentication is not specified", + }, + } { + auth, err := ParseBundleAuth(tc.authentication, testClient.client) + if tc.expectedError != "" { + assert.Contains(t, err.Error(), tc.expectedError) + } else { + assert.Equal(t, tc.expectedAuth, auth) + } + } +} diff --git a/pkg/util/ftp/ftp.go b/pkg/util/ftp/ftp.go new file mode 100644 index 00000000000..f1e8fb2ea1d --- /dev/null +++ b/pkg/util/ftp/ftp.go @@ -0,0 +1,106 @@ +// Copyright 2024 Antrea Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package ftp + +import ( + "fmt" + "io" + "net/url" + "path" + "time" + + "github.com/pkg/sftp" + "github.com/spf13/afero" + "golang.org/x/crypto/ssh" + "k8s.io/klog/v2" +) + +const ( + uploadToFileServerTries = 5 + uploadToFileServerRetryDelay = 5 * time.Second +) + +func ParseFTPUploadUrl(uploadUrl string) (*url.URL, error) { + parsedURL, err := url.Parse(uploadUrl) + if err != nil { + return nil, err + } + if parsedURL.Scheme != "sftp" { + return nil, fmt.Errorf("not sftp protocol") + } + return parsedURL, nil +} + +type Uploader interface { + // Upload uploads a file to the target sftp address using ssh config. + Upload(url string, fileName string, config *ssh.ClientConfig, outputFile afero.File) error +} + +type SftpUploader struct { +} + +func (uploader *SftpUploader) Upload(url string, fileName string, config *ssh.ClientConfig, outputFile afero.File) error { + if _, err := outputFile.Seek(0, 0); err != nil { + return fmt.Errorf("failed to upload to file server while setting offset: %v", err) + } + // url should be like: 10.92.23.154:22/path or sftp://10.92.23.154:22/path + parsedURL, _ := ParseFTPUploadUrl(url) + joinedPath := path.Join(parsedURL.Path, fileName) + + triesLeft := uploadToFileServerTries + var uploadErr error + for triesLeft > 0 { + if uploadErr = upload(parsedURL.Host, joinedPath, config, outputFile); uploadErr == nil { + return nil + } + triesLeft-- + if triesLeft == 0 { + return fmt.Errorf("failed to upload file after %d attempts", uploadToFileServerTries) + } + klog.InfoS("Failed to upload file", "UploadError", uploadErr, "TriesLeft", triesLeft) + time.Sleep(uploadToFileServerRetryDelay) + } + return nil +} + +func upload(address string, path string, config *ssh.ClientConfig, file io.Reader) error { + conn, err := ssh.Dial("tcp", address, config) + if err != nil { + return fmt.Errorf("error when connecting to fs server: %w", err) + } + sftpClient, err := sftp.NewClient(conn) + if err != nil { + return fmt.Errorf("error when setting up sftp client: %w", err) + } + defer func() { + if err := sftpClient.Close(); err != nil { + klog.ErrorS(err, "Error when closing sftp client") + } + }() + targetFile, err := sftpClient.Create(path) + if err != nil { + return fmt.Errorf("error when creating target file on remote: %v", err) + } + defer func() { + if err := targetFile.Close(); err != nil { + klog.ErrorS(err, "Error when closing target file on remote") + } + }() + if written, err := io.Copy(targetFile, file); err != nil { + return fmt.Errorf("error when copying target file: %v, written: %d", err, written) + } + klog.InfoS("Successfully upload file to path", "filePath", path) + return nil +} diff --git a/pkg/util/ftp/ftp_test.go b/pkg/util/ftp/ftp_test.go new file mode 100644 index 00000000000..df70dc7a4d8 --- /dev/null +++ b/pkg/util/ftp/ftp_test.go @@ -0,0 +1,58 @@ +// Copyright 2024 Antrea Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package ftp + +import ( + "net/url" + "reflect" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestParseFTPUploadUrl(t *testing.T) { + cases := []struct { + url string + expectedError string + expectedURL url.URL + }{ + { + url: "sftp://127.0.0.1:22/path", + expectedURL: url.URL{ + Scheme: "sftp", + Host: "127.0.0.1:22", + Path: "/path", + }, + }, + { + url: "https://127.0.0.1:22/root/supportbundle", + expectedError: "not sftp protocol", + }, + } + + for _, tc := range cases { + uploadUrl, err := ParseFTPUploadUrl(tc.url) + if tc.expectedError == "" { + assert.NoError(t, err) + if !reflect.DeepEqual(tc.expectedURL, *uploadUrl) { + t.Errorf("expected %v, got %v", tc.expectedURL, *uploadUrl) + + } + } else { + assert.Equal(t, tc.expectedError, err.Error()) + } + } + +} diff --git a/test/e2e/framework.go b/test/e2e/framework.go index 27d82df258f..297eddaa983 100644 --- a/test/e2e/framework.go +++ b/test/e2e/framework.go @@ -675,7 +675,7 @@ func (data *TestData) collectClusterInfo() error { podCIDRs, err := retrieveCIDRs("kubectl cluster-info dump | grep cluster-cidr", `cluster-cidr=([^"]+)`) if err != nil { // Retrieve cluster CIDRs for Rancher clusters. - podCIDRs, err = retrieveCIDRs("ps aux | grep kube-controller | grep cluster-cidr", `cluster-cidr=([^\s]+)`) + podCIDRs, err = retrieveCIDRs("pc aux | grep kube-controller | grep cluster-cidr", `cluster-cidr=([^\s]+)`) if err != nil { return err } @@ -687,7 +687,7 @@ func (data *TestData) collectClusterInfo() error { svcCIDRs, err := retrieveCIDRs("kubectl cluster-info dump | grep service-cluster-ip-range", `service-cluster-ip-range=([^"]+)`) if err != nil { // Retrieve service CIDRs for Rancher clusters. - svcCIDRs, err = retrieveCIDRs("ps aux | grep kube-controller | grep service-cluster-ip-range", `service-cluster-ip-range=([^\s]+)`) + svcCIDRs, err = retrieveCIDRs("pc aux | grep kube-controller | grep service-cluster-ip-range", `service-cluster-ip-range=([^\s]+)`) if err != nil { return err } diff --git a/test/e2e/packetcapture_test.go b/test/e2e/packetcapture_test.go new file mode 100644 index 00000000000..923ebaa7e8e --- /dev/null +++ b/test/e2e/packetcapture_test.go @@ -0,0 +1,642 @@ +// Copyright 2024 Antrea Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package e2e + +import ( + "context" + "fmt" + "net" + "testing" + "time" + + "github.com/stretchr/testify/require" + appsv1 "k8s.io/api/apps/v1" + v1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/apimachinery/pkg/util/wait" + + crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1" + agentconfig "antrea.io/antrea/pkg/config/agent" + controllerconfig "antrea.io/antrea/pkg/config/controller" + "antrea.io/antrea/pkg/features" +) + +var ( + pcSecretNamespace = "kube-system" + // #nosec G101 + pcSecretName = "antrea-packetcapture-fileserver-auth" + tcpServerPodName = "tcp-server" + pcToolboxPodName = "toolbox" + udpServerPodName = "udp-server" + nonExistPodName = "non-existing-pod" + dstServiceName = "svc" + dstServiceIP = "" + + tcpProto = intstr.FromInt(6) + icmpProto = intstr.FromInt(1) + udpProto = intstr.FromInt(17) + icmp6Proto = intstr.FromInt(58) +) + +type pcTestCase struct { + name string + pc *crdv1alpha1.PacketCapture + expectedPhase crdv1alpha1.PacketCapturePhase + expectedReason string + expectedNum int32 + // required IP version, skip if not match. + ipVersion int + // Source Pod to run ping for live-traffic PacketCapture. + srcPod string +} + +func genSFTPService() *v1.Service { + selector := map[string]string{"app": "sftp"} + return &v1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: "sftp", + Labels: selector, + }, + Spec: v1.ServiceSpec{ + Type: v1.ServiceTypeNodePort, + Selector: selector, + Ports: []v1.ServicePort{ + { + Port: 22, + TargetPort: intstr.FromInt32(22), + NodePort: 30010, + }, + }, + }, + } +} + +func genSFTPDeployment() *appsv1.Deployment { + replicas := int32(1) + selector := map[string]string{"app": "sftp"} + return &appsv1.Deployment{ + ObjectMeta: metav1.ObjectMeta{ + Name: "sftp", + Labels: selector, + }, + Spec: appsv1.DeploymentSpec{ + Replicas: &replicas, + Selector: &metav1.LabelSelector{ + MatchLabels: selector, + }, + Template: v1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Name: "sftp", + Labels: selector, + }, + Spec: v1.PodSpec{ + Containers: []v1.Container{ + { + Name: "sftp", + Image: "antrea/sftp", + ImagePullPolicy: v1.PullIfNotPresent, + Args: []string{"foo:pass:::upload"}, + }, + }, + }, + }, + }, + } +} + +func createUDPServerPod(name string, ns string, portNum int32, serverNode string) error { + port := v1.ContainerPort{Name: fmt.Sprintf("port-%d", portNum), ContainerPort: portNum} + return NewPodBuilder(name, ns, agnhostImage). + OnNode(serverNode). + WithContainerName("agnhost"). + WithArgs([]string{"serve-hostname", "--udp", "--http=false", "--port", fmt.Sprint(portNum)}). + WithPorts([]v1.ContainerPort{port}). + Create(testData) +} + +// TestPacketCapture is the top-level test which contains all subtests for +// PacketCapture related test cases, so they can share setup, teardown. +func TestPacketCapture(t *testing.T) { + data, err := setupTest(t) + if err != nil { + t.Fatalf("Error when setting up test: %v", err) + } + defer teardownTest(t, data) + + var previousAgentPacketCaptureEnableState bool + var previousControllerPacketCaptureEnableState bool + + ac := func(config *agentconfig.AgentConfig) { + previousAgentPacketCaptureEnableState = config.FeatureGates[string(features.PacketCapture)] + config.FeatureGates[string(features.PacketCapture)] = true + } + cc := func(config *controllerconfig.ControllerConfig) { + previousControllerPacketCaptureEnableState = config.FeatureGates[string(features.PacketCapture)] + config.FeatureGates[string(features.PacketCapture)] = true + } + if err := data.mutateAntreaConfigMap(cc, ac, true, true); err != nil { + t.Fatalf("Failed to enable PacketCapture flag: %v", err) + } + defer func() { + ac := func(config *agentconfig.AgentConfig) { + config.FeatureGates[string(features.PacketCapture)] = previousAgentPacketCaptureEnableState + } + cc := func(config *controllerconfig.ControllerConfig) { + config.FeatureGates[string(features.PacketCapture)] = previousControllerPacketCaptureEnableState + } + if err := data.mutateAntreaConfigMap(cc, ac, true, true); err != nil { + t.Errorf("Failed to disable PacketCapture flag: %v", err) + } + }() + + // setup sftp server for test. + secretUserName := "foo" + secretPassword := "pass" + _, err = data.clientset.AppsV1().Deployments(data.testNamespace).Create(context.TODO(), genSFTPDeployment(), metav1.CreateOptions{}) + require.NoError(t, err) + _, err = data.clientset.CoreV1().Services(data.testNamespace).Create(context.TODO(), genSFTPService(), metav1.CreateOptions{}) + require.NoError(t, err) + failOnError(data.waitForDeploymentReady(t, data.testNamespace, "sftp", defaultTimeout), t) + + sec := &v1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: pcSecretName, + Namespace: pcSecretNamespace, + }, + Data: map[string][]byte{ + "username": []byte(secretUserName), + "password": []byte(secretPassword), + }, + } + _, err = data.clientset.CoreV1().Secrets(pcSecretNamespace).Create(context.TODO(), sec, metav1.CreateOptions{}) + require.NoError(t, err) + defer data.clientset.CoreV1().Secrets(pcSecretNamespace).Delete(context.TODO(), pcSecretName, metav1.DeleteOptions{}) + + t.Run("testPacketCaptureBasic", func(t *testing.T) { + testPacketCaptureBasic(t, data) + }) + t.Run("testPacketCapture", func(t *testing.T) { + testPacketCapture(t, data) + }) +} + +func testPacketCapture(t *testing.T, data *TestData) { + nodeIdx := 0 + if len(clusterInfo.windowsNodes) != 0 { + nodeIdx = clusterInfo.windowsNodes[0] + } + node1 := nodeName(nodeIdx) + + err := data.createServerPodWithLabels(tcpServerPodName, data.testNamespace, serverPodPort, nil) + require.NoError(t, err) + err = data.createToolboxPodOnNode(pcToolboxPodName, data.testNamespace, node1, false) + require.NoError(t, err) + + svc, cleanup := data.createAgnhostServiceAndBackendPods(t, dstServiceName, data.testNamespace, node1, v1.ServiceTypeClusterIP) + defer cleanup() + t.Logf("%s Service is ready", dstServiceName) + dstServiceIP = svc.Spec.ClusterIP + + podIPs := waitForPodIPs(t, data, []PodInfo{ + {tcpServerPodName, getOSString(), "", data.testNamespace}, + {pcToolboxPodName, getOSString(), "", data.testNamespace}, + }) + + // Give a little time for Windows containerd Nodes to set up OVS. + // Containerd configures port asynchronously, which could cause execution time of installing flow longer than docker. + time.Sleep(time.Second * 1) + + testcases := []pcTestCase{ + { + name: "to-ipv4-ip", + ipVersion: 4, + srcPod: pcToolboxPodName, + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{ + Name: randName(fmt.Sprintf("%s-%s-to-%s-%s-", data.testNamespace, pcToolboxPodName, data.testNamespace, tcpServerPodName)), + }, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: data.testNamespace, + Pod: pcToolboxPodName, + }, + Destination: crdv1alpha1.Destination{ + IP: podIPs[tcpServerPodName].IPv4.String(), + }, + CaptureConfig: crdv1alpha1.CaptureConfig{ + FirstN: &crdv1alpha1.PacketCaptureFirstNConfig{ + Number: 5, + }, + }, + FileServer: crdv1alpha1.BundleFileServer{ + URL: fmt.Sprintf("sftp://%s:30010/upload", controlPlaneNodeIPv4()), + }, + Packet: &crdv1alpha1.Packet{ + Protocol: &tcpProto, + TransportHeader: crdv1alpha1.TransportHeader{ + TCP: &crdv1alpha1.TCPHeader{ + DstPort: serverPodPort, + }, + }, + }, + }, + }, + + expectedPhase: crdv1alpha1.PacketCaptureSucceeded, + expectedNum: 5, + }, + { + name: "to-svc", + ipVersion: 4, + srcPod: pcToolboxPodName, + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{ + Name: randName(fmt.Sprintf("%s-%s-to-%s-%s-", data.testNamespace, pcToolboxPodName, data.testNamespace, tcpServerPodName)), + }, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: data.testNamespace, + Pod: pcToolboxPodName, + }, + Destination: crdv1alpha1.Destination{ + Service: dstServiceName, + Namespace: data.testNamespace, + }, + CaptureConfig: crdv1alpha1.CaptureConfig{ + FirstN: &crdv1alpha1.PacketCaptureFirstNConfig{ + Number: 5, + }, + }, + FileServer: crdv1alpha1.BundleFileServer{ + URL: fmt.Sprintf("sftp://%s:30010/upload", controlPlaneNodeIPv4()), + }, + Packet: &crdv1alpha1.Packet{ + Protocol: &tcpProto, + TransportHeader: crdv1alpha1.TransportHeader{ + TCP: &crdv1alpha1.TCPHeader{ + DstPort: serverPodPort, + }, + }, + }, + }, + }, + + expectedPhase: crdv1alpha1.PacketCaptureSucceeded, + expectedNum: 5, + }, + } + t.Run("testPacketCapture", func(t *testing.T) { + for _, tc := range testcases { + tc := tc + t.Run(tc.name, func(t *testing.T) { + t.Parallel() + runPacketCaptureTest(t, data, tc) + }) + } + }) + +} + +// testPacketCaptureTCP verifies if PacketCapture can capture tcp packets. this function only contains basic +// cases with pod-to-pod. +func testPacketCaptureBasic(t *testing.T, data *TestData) { + nodeIdx := 0 + if len(clusterInfo.windowsNodes) != 0 { + nodeIdx = clusterInfo.windowsNodes[0] + } + node1 := nodeName(nodeIdx) + + node1Pods, _, _ := createTestAgnhostPods(t, data, 3, data.testNamespace, node1) + err := createUDPServerPod(udpServerPodName, data.testNamespace, serverPodPort, node1) + defer data.DeletePodAndWait(defaultTimeout, udpServerPodName, data.testNamespace) + require.NoError(t, err) + // test tcp server pod + err = data.createServerPodWithLabels(tcpServerPodName, data.testNamespace, serverPodPort, nil) + defer data.DeletePodAndWait(defaultTimeout, tcpServerPodName, data.testNamespace) + require.NoError(t, err) + err = data.createToolboxPodOnNode(pcToolboxPodName, data.testNamespace, node1, false) + defer data.DeletePodAndWait(defaultTimeout, pcToolboxPodName, data.testNamespace) + require.NoError(t, err) + + // Give a little time for Windows containerd Nodes to set up OVS. + // Containerd configures port asynchronously, which could cause execution time of installing flow longer than docker. + time.Sleep(time.Second * 1) + + testcases := []pcTestCase{ + { + name: "ipv4-tcp", + ipVersion: 4, + srcPod: pcToolboxPodName, + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{ + Name: randName(fmt.Sprintf("%s-%s-to-%s-%s-", data.testNamespace, pcToolboxPodName, data.testNamespace, tcpServerPodName)), + }, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: data.testNamespace, + Pod: pcToolboxPodName, + }, + Destination: crdv1alpha1.Destination{ + Namespace: data.testNamespace, + Pod: tcpServerPodName, + }, + CaptureConfig: crdv1alpha1.CaptureConfig{ + FirstN: &crdv1alpha1.PacketCaptureFirstNConfig{ + Number: 5, + }, + }, + FileServer: crdv1alpha1.BundleFileServer{ + URL: fmt.Sprintf("sftp://%s:30010/upload", controlPlaneNodeIPv4()), + }, + Packet: &crdv1alpha1.Packet{ + Protocol: &tcpProto, + TransportHeader: crdv1alpha1.TransportHeader{ + TCP: &crdv1alpha1.TCPHeader{ + DstPort: serverPodPort, + }, + }, + }, + }, + }, + expectedPhase: crdv1alpha1.PacketCaptureSucceeded, + expectedNum: 5, + }, + { + name: "ipv4-udp", + ipVersion: 4, + srcPod: pcToolboxPodName, + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{ + Name: randName(fmt.Sprintf("%s-%s-to-%s-%s-", data.testNamespace, pcToolboxPodName, data.testNamespace, udpServerPodName)), + }, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: data.testNamespace, + Pod: pcToolboxPodName, + }, + Destination: crdv1alpha1.Destination{ + Namespace: data.testNamespace, + Pod: udpServerPodName, + }, + CaptureConfig: crdv1alpha1.CaptureConfig{ + FirstN: &crdv1alpha1.PacketCaptureFirstNConfig{ + Number: 5, + }, + }, + FileServer: crdv1alpha1.BundleFileServer{ + URL: fmt.Sprintf("sftp://%s:30010/upload", controlPlaneNodeIPv4()), + }, + Packet: &crdv1alpha1.Packet{ + Protocol: &udpProto, + TransportHeader: crdv1alpha1.TransportHeader{ + UDP: &crdv1alpha1.UDPHeader{ + DstPort: serverPodPort, + }, + }, + }, + }, + }, + expectedPhase: crdv1alpha1.PacketCaptureSucceeded, + expectedNum: 5, + }, + { + name: "ipv4-icmp", + ipVersion: 4, + srcPod: node1Pods[0], + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{ + Name: randName(fmt.Sprintf("%s-%s-to-%s-%s-", data.testNamespace, node1Pods[0], data.testNamespace, node1Pods[1])), + }, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: data.testNamespace, + Pod: node1Pods[0], + }, + Destination: crdv1alpha1.Destination{ + Namespace: data.testNamespace, + Pod: node1Pods[1], + }, + CaptureConfig: crdv1alpha1.CaptureConfig{ + FirstN: &crdv1alpha1.PacketCaptureFirstNConfig{ + Number: 5, + }, + }, + FileServer: crdv1alpha1.BundleFileServer{ + URL: fmt.Sprintf("sftp://%s:30010/upload", controlPlaneNodeIPv4()), + }, + Packet: &crdv1alpha1.Packet{ + Protocol: &icmpProto, + }, + }, + }, + expectedPhase: crdv1alpha1.PacketCaptureSucceeded, + expectedNum: 5, + }, + { + name: "ipv6-icmp", + ipVersion: 6, + srcPod: node1Pods[0], + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{ + Name: randName(fmt.Sprintf("%s-%s-to-%s-%s-ipv6", data.testNamespace, node1Pods[0], data.testNamespace, node1Pods[1])), + }, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: data.testNamespace, + Pod: node1Pods[0], + }, + Destination: crdv1alpha1.Destination{ + Namespace: data.testNamespace, + Pod: node1Pods[1], + }, + CaptureConfig: crdv1alpha1.CaptureConfig{ + FirstN: &crdv1alpha1.PacketCaptureFirstNConfig{ + Number: 5, + }, + }, + FileServer: crdv1alpha1.BundleFileServer{ + URL: fmt.Sprintf("sftp://%s:30010/upload", controlPlaneNodeIPv4()), + }, + Packet: &crdv1alpha1.Packet{ + IPFamily: v1.IPv6Protocol, + Protocol: &icmp6Proto, + }, + }, + }, + expectedPhase: crdv1alpha1.PacketCaptureSucceeded, + expectedNum: 5, + }, + { + + name: "non-exist-pod", + ipVersion: 4, + srcPod: node1Pods[0], + pc: &crdv1alpha1.PacketCapture{ + ObjectMeta: metav1.ObjectMeta{ + Name: randName(fmt.Sprintf("%s-%s-to-%s-%s-", data.testNamespace, node1Pods[0], data.testNamespace, nonExistPodName)), + }, + Spec: crdv1alpha1.PacketCaptureSpec{ + Source: crdv1alpha1.Source{ + Namespace: data.testNamespace, + Pod: node1Pods[0], + }, + Destination: crdv1alpha1.Destination{ + Namespace: data.testNamespace, + Pod: nonExistPodName, + }, + CaptureConfig: crdv1alpha1.CaptureConfig{ + FirstN: &crdv1alpha1.PacketCaptureFirstNConfig{ + Number: 5, + }, + }, + FileServer: crdv1alpha1.BundleFileServer{ + URL: fmt.Sprintf("sftp://%s:30010/upload", controlPlaneNodeIPv4()), + }, + }, + }, + expectedPhase: crdv1alpha1.PacketCaptureFailed, + expectedReason: fmt.Sprintf("Node: %s, Error: failed to get the destination pod %s/%s: pods \"%s\" not found", node1, data.testNamespace, nonExistPodName, nonExistPodName), + }, + } + t.Run("testPacketCaptureBasic", func(t *testing.T) { + for _, tc := range testcases { + tc := tc + t.Run(tc.name, func(t *testing.T) { + t.Parallel() + runPacketCaptureTest(t, data, tc) + }) + } + }) +} + +func getOSString() string { + if len(clusterInfo.windowsNodes) != 0 { + return "windows" + } else { + return "linux" + } +} + +func runPacketCaptureTest(t *testing.T, data *TestData, tc pcTestCase) { + switch tc.ipVersion { + case 4: + skipIfNotIPv4Cluster(t) + case 6: + skipIfNotIPv6Cluster(t) + } + // wait for toolbox + waitForPodIPs(t, data, []PodInfo{{pcToolboxPodName, getOSString(), "", data.testNamespace}}) + + dstPodName := tc.pc.Spec.Destination.Pod + var dstPodIPs *PodIPs + if dstPodName != nonExistPodName && dstPodName != "" { + // wait for pods to be ready first , or the pc will skip install flow + podIPs := waitForPodIPs(t, data, []PodInfo{{dstPodName, getOSString(), "", data.testNamespace}}) + dstPodIPs = podIPs[dstPodName] + } + + if _, err := data.crdClient.CrdV1alpha1().PacketCaptures().Create(context.TODO(), tc.pc, metav1.CreateOptions{}); err != nil { + t.Fatalf("Error when creating PacketCapture: %v", err) + } + defer func() { + if err := data.crdClient.CrdV1alpha1().PacketCaptures().Delete(context.TODO(), tc.pc.Name, metav1.DeleteOptions{}); err != nil { + t.Errorf("Error when deleting PacketCapture: %v", err) + } + }() + + if tc.pc.Spec.Destination.Pod != nonExistPodName { + srcPod := tc.srcPod + if dstIP := tc.pc.Spec.Destination.IP; dstIP != "" { + ip := net.ParseIP(dstIP) + if ip.To4() != nil { + dstPodIPs = &PodIPs{IPv4: &ip} + } else { + dstPodIPs = &PodIPs{IPv6: &ip} + } + } else if tc.pc.Spec.Destination.Service != "" { + ip := net.ParseIP(dstServiceIP) + if ip.To4() != nil { + dstPodIPs = &PodIPs{IPv4: &ip} + } else { + dstPodIPs = &PodIPs{IPv6: &ip} + } + } + // Give a little time for Nodes to install OVS flows. + time.Sleep(time.Second * 2) + protocol := tc.pc.Spec.Packet.Protocol.IntVal + server := dstPodIPs.IPv4.String() + if tc.ipVersion == 6 { + server = dstPodIPs.IPv6.String() + } + // Send an ICMP echo packet from the source Pod to the destination. + if protocol == protocolICMP || protocol == protocolICMPv6 { + if err := data.RunPingCommandFromTestPod(PodInfo{srcPod, getOSString(), "", data.testNamespace}, + data.testNamespace, dstPodIPs, agnhostContainerName, 10, 0, false); err != nil { + t.Logf("Ping(%d) '%s' -> '%v' failed: ERROR (%v)", protocol, srcPod, *dstPodIPs, err) + } + } else if protocol == protocolTCP { + for i := 1; i <= 5; i++ { + if err := data.runNetcatCommandFromTestPodWithProtocol(tc.srcPod, data.testNamespace, toolboxContainerName, server, serverPodPort, "tcp"); err != nil { + t.Logf("Netcat(TCP) '%s' -> '%v' failed: ERROR (%v)", srcPod, server, err) + } + } + } else if protocol == protocolUDP { + for i := 1; i <= 5; i++ { + if err := data.runNetcatCommandFromTestPodWithProtocol(tc.srcPod, data.testNamespace, toolboxContainerName, server, serverPodPort, "udp"); err != nil { + t.Logf("Netcat(UDP) '%s' -> '%v' failed: ERROR (%v)", srcPod, server, err) + } + } + } + } + + pc, err := data.waitForPacketCapture(t, tc.pc.Name, tc.expectedPhase) + if err != nil { + t.Fatalf("Error: Get PacketCapture failed: %v", err) + } + if tc.expectedPhase == crdv1alpha1.PacketCaptureFailed { + if pc.Status.Reason != tc.expectedReason { + t.Fatalf("Error: PacketCapture Error Reason should be %v, but got %s", tc.expectedReason, pc.Status.Reason) + } + } + captured := pc.Status.NumCapturedPackets + if captured == nil || *captured != tc.expectedNum { + got := "nil" + if captured != nil { + got = string(*captured) + } + t.Fatalf("Error: PacketCapture captured packets count should be %v, but got %v", tc.expectedNum, got) + } + +} + +func (data *TestData) waitForPacketCapture(t *testing.T, name string, phase crdv1alpha1.PacketCapturePhase) (*crdv1alpha1.PacketCapture, error) { + var pc *crdv1alpha1.PacketCapture + var err error + timeout := 15 * time.Second + if err = wait.PollUntilContextTimeout(context.Background(), defaultInterval, timeout, true, func(ctx context.Context) (bool, error) { + pc, err = data.crdClient.CrdV1alpha1().PacketCaptures().Get(ctx, name, metav1.GetOptions{}) + if err != nil || pc.Status.Phase != phase { + return false, nil + } + return true, nil + }); err != nil { + if pc != nil { + t.Errorf("Latest PacketCapture status: %s %v", pc.Name, pc.Status) + } + return nil, err + } + return pc, nil +} diff --git a/test/integration/agent/openflow_test.go b/test/integration/agent/openflow_test.go index a6d7fe72582..4732972c9aa 100644 --- a/test/integration/agent/openflow_test.go +++ b/test/integration/agent/openflow_test.go @@ -120,7 +120,7 @@ func TestConnectivityFlows(t *testing.T) { antrearuntime.WindowsOS = runtime.GOOS } - c = ofClient.NewClient(br, bridgeMgmtAddr, nodeiptest.NewFakeNodeIPChecker(), true, false, false, true, true, false, false, false, false, false, false, false, false, groupIDAllocator, false, defaultPacketInRate) + c = ofClient.NewClient(br, bridgeMgmtAddr, nodeiptest.NewFakeNodeIPChecker(), true, false, false, true, true, false, false, false, false, false, false, false, false, groupIDAllocator, false, false, defaultPacketInRate) err := ofTestUtils.PrepareOVSBridge(br) require.Nil(t, err, fmt.Sprintf("Failed to prepare OVS bridge: %v", err)) defer func() { @@ -176,7 +176,7 @@ func TestAntreaFlexibleIPAMConnectivityFlows(t *testing.T) { legacyregistry.Reset() metrics.InitializeOVSMetrics() - c = ofClient.NewClient(br, bridgeMgmtAddr, nodeiptest.NewFakeNodeIPChecker(), true, false, false, true, true, false, false, false, true, false, false, false, false, groupIDAllocator, false, defaultPacketInRate) + c = ofClient.NewClient(br, bridgeMgmtAddr, nodeiptest.NewFakeNodeIPChecker(), true, false, false, true, true, false, false, false, true, false, false, false, false, groupIDAllocator, false, false, defaultPacketInRate) err := ofTestUtils.PrepareOVSBridge(br) require.Nil(t, err, fmt.Sprintf("Failed to prepare OVS bridge: %v", err)) defer func() { @@ -239,7 +239,7 @@ func TestReplayFlowsConnectivityFlows(t *testing.T) { legacyregistry.Reset() metrics.InitializeOVSMetrics() - c = ofClient.NewClient(br, bridgeMgmtAddr, nodeiptest.NewFakeNodeIPChecker(), true, false, false, true, true, false, false, false, false, false, false, false, false, groupIDAllocator, false, defaultPacketInRate) + c = ofClient.NewClient(br, bridgeMgmtAddr, nodeiptest.NewFakeNodeIPChecker(), true, false, false, true, true, false, false, false, false, false, false, false, false, groupIDAllocator, false, false, defaultPacketInRate) err := ofTestUtils.PrepareOVSBridge(br) require.Nil(t, err, fmt.Sprintf("Failed to prepare OVS bridge: %v", err)) @@ -281,7 +281,7 @@ func TestReplayFlowsNetworkPolicyFlows(t *testing.T) { legacyregistry.Reset() metrics.InitializeOVSMetrics() - c = ofClient.NewClient(br, bridgeMgmtAddr, nodeiptest.NewFakeNodeIPChecker(), true, false, false, false, false, false, false, false, false, false, false, false, false, groupIDAllocator, false, defaultPacketInRate) + c = ofClient.NewClient(br, bridgeMgmtAddr, nodeiptest.NewFakeNodeIPChecker(), true, false, false, false, false, false, false, false, false, false, false, false, false, groupIDAllocator, false, false, defaultPacketInRate) err := ofTestUtils.PrepareOVSBridge(br) require.Nil(t, err, fmt.Sprintf("Failed to prepare OVS bridge: %v", err)) @@ -466,7 +466,7 @@ func TestNetworkPolicyFlows(t *testing.T) { legacyregistry.Reset() metrics.InitializeOVSMetrics() - c = ofClient.NewClient(br, bridgeMgmtAddr, nodeiptest.NewFakeNodeIPChecker(), true, false, false, false, false, false, false, false, false, false, false, false, false, groupIDAllocator, false, defaultPacketInRate) + c = ofClient.NewClient(br, bridgeMgmtAddr, nodeiptest.NewFakeNodeIPChecker(), true, false, false, false, false, false, false, false, false, false, false, false, false, groupIDAllocator, false, false, defaultPacketInRate) err := ofTestUtils.PrepareOVSBridge(br) require.Nil(t, err, fmt.Sprintf("Failed to prepare OVS bridge %s", br)) @@ -580,7 +580,7 @@ func TestIPv6ConnectivityFlows(t *testing.T) { legacyregistry.Reset() metrics.InitializeOVSMetrics() - c = ofClient.NewClient(br, bridgeMgmtAddr, nodeiptest.NewFakeNodeIPChecker(), true, false, false, true, true, false, false, false, false, false, false, false, false, groupIDAllocator, false, defaultPacketInRate) + c = ofClient.NewClient(br, bridgeMgmtAddr, nodeiptest.NewFakeNodeIPChecker(), true, false, false, true, true, false, false, false, false, false, false, false, false, groupIDAllocator, false, false, defaultPacketInRate) err := ofTestUtils.PrepareOVSBridge(br) require.Nil(t, err, fmt.Sprintf("Failed to prepare OVS bridge: %v", err)) @@ -621,7 +621,7 @@ func TestProxyServiceFlowsAntreaPolicyDisabled(t *testing.T) { legacyregistry.Reset() metrics.InitializeOVSMetrics() - c = ofClient.NewClient(br, bridgeMgmtAddr, nodeiptest.NewFakeNodeIPChecker(), true, false, false, false, false, false, false, false, false, false, false, false, false, groupIDAllocator, false, defaultPacketInRate) + c = ofClient.NewClient(br, bridgeMgmtAddr, nodeiptest.NewFakeNodeIPChecker(), true, false, false, false, false, false, false, false, false, false, false, false, false, groupIDAllocator, false, false, defaultPacketInRate) err := ofTestUtils.PrepareOVSBridge(br) require.Nil(t, err, fmt.Sprintf("Failed to prepare OVS bridge %s", br)) @@ -711,7 +711,7 @@ func TestProxyServiceFlowsAntreaPoilcyEnabled(t *testing.T) { legacyregistry.Reset() metrics.InitializeOVSMetrics() - c = ofClient.NewClient(br, bridgeMgmtAddr, nodeiptest.NewFakeNodeIPChecker(), true, true, false, false, false, false, false, false, false, false, false, false, false, groupIDAllocator, false, defaultPacketInRate) + c = ofClient.NewClient(br, bridgeMgmtAddr, nodeiptest.NewFakeNodeIPChecker(), true, true, false, false, false, false, false, false, false, false, false, false, false, groupIDAllocator, false, false, defaultPacketInRate) err := ofTestUtils.PrepareOVSBridge(br) require.Nil(t, err, fmt.Sprintf("Failed to prepare OVS bridge %s", br)) @@ -1793,7 +1793,7 @@ func testEgressMarkFlows(t *testing.T, trafficShaping bool) { legacyregistry.Reset() metrics.InitializeOVSMetrics() - c = ofClient.NewClient(br, bridgeMgmtAddr, nodeiptest.NewFakeNodeIPChecker(), false, false, false, true, trafficShaping, false, false, false, false, false, false, false, false, groupIDAllocator, false, defaultPacketInRate) + c = ofClient.NewClient(br, bridgeMgmtAddr, nodeiptest.NewFakeNodeIPChecker(), false, false, false, true, trafficShaping, false, false, false, false, false, false, false, false, groupIDAllocator, false, false, defaultPacketInRate) err := ofTestUtils.PrepareOVSBridge(br) require.Nil(t, err, fmt.Sprintf("Failed to prepare OVS bridge %s", br)) @@ -1850,7 +1850,7 @@ func TestTrafficControlFlows(t *testing.T) { legacyregistry.Reset() metrics.InitializeOVSMetrics() - c = ofClient.NewClient(br, bridgeMgmtAddr, nodeiptest.NewFakeNodeIPChecker(), false, false, false, false, false, false, false, false, false, false, true, false, false, groupIDAllocator, false, defaultPacketInRate) + c = ofClient.NewClient(br, bridgeMgmtAddr, nodeiptest.NewFakeNodeIPChecker(), false, false, false, false, false, false, false, false, false, false, true, false, false, groupIDAllocator, false, false, defaultPacketInRate) err := ofTestUtils.PrepareOVSBridge(br) require.Nil(t, err, fmt.Sprintf("Failed to prepare OVS bridge %s", br))