Support deny action for Azure cloud (#312)

With this PR, Nephe will support Deny action for Azure cloud. If an ANP is configured with Drop action, it will be translated to Deny action for Azure. Nephe will also support ANP tier and priority and re-arrange the rules based on priority. Lower the priority, higher the precedence. Changes - Introduce priroity and action in CloudRule - Translate ANP tier, priority, and rule priority to CloudRule priority - Cloud Rule will store rule priority in the rule description field which will be used to insert new rule at its correct location/priority - Update sync logic to ignore action/priority for aws cloud - Update logic to detect ANP modify, in case of tier or priority changes - Update unit tests - Add integration test for validating priority re-ordering Signed-off-by: Rahul Jain <[email protected]>
antrea-io · Sep 27, 2023 · 2aee30e · 2aee30e
1 parent b3d4a6b
commit 2aee30e
Show file tree

Hide file tree

Showing 16 changed files with 626 additions and 145 deletions.
diff --git a/pkg/cloudprovider/cloudresource/cloudresource.go b/pkg/cloudprovider/cloudresource/cloudresource.go
@@ -21,8 +21,10 @@ import (
 	"fmt"
 	"net"
 	"reflect"
+	"strconv"
 	"strings"
 
+	antreacrdv1beta1 "antrea.io/antrea/pkg/apis/crd/v1beta1"
 	runtimev1alpha1 "antrea.io/nephe/apis/runtime/v1alpha1"
 )
 
@@ -97,16 +99,21 @@ func (c *CloudResourceID) String() string {
 const (
 	Name      = "Name"
 	Namespace = "Ns"
+	Priority  = "Priority"
 )
 
 type CloudRuleDescription struct {
 	Name      string
 	Namespace string
+	Priority  *float64
 }
 
 func (r *CloudRuleDescription) String() string {
-	return Name + ":" + r.Name + ", " +
-		Namespace + ":" + r.Namespace
+	retVal := Name + ":" + r.Name + ", " + Namespace + ":" + r.Namespace
+	if r.Priority != nil {
+		retVal = retVal + ", " + Priority + ":" + strconv.FormatFloat(*r.Priority, 'f', 4, 64)
+	}
+	return retVal
 }
 
 type Rule interface {
@@ -120,6 +127,8 @@ type IngressRule struct {
 	FromSecurityGroups []*CloudResourceID
 	Protocol           *int
 	AppliedToGroup     map[string]struct{}
+	Priority           *float64
+	Action             *antreacrdv1beta1.RuleAction
 }
 
 func (i *IngressRule) isRule() {}
@@ -131,6 +140,8 @@ type EgressRule struct {
 	ToSecurityGroups []*CloudResourceID
 	Protocol         *int
 	AppliedToGroup   map[string]struct{}
+	Priority         *float64
+	Action           *antreacrdv1beta1.RuleAction
 }
 
 func (e *EgressRule) isRule() {}
@@ -142,6 +153,27 @@ type CloudRule struct {
 	AppliedToGrp     string
 }
 
+const (
+	tierStepCount = 50
+	maxPriority   = 10000
+)
+
+// GetRulePriority calculates and returns rule priority.
+func GetRulePriority(tier *int32, policyPriority *float64, rulePriority int32) *float64 {
+	// Antrea tier priorities are increment of 50 and max priority for an ANP policy/rule is 10k.
+	// Hence, we add tier priority with policy priority allowing a gap of 10K priorities(basically ANP).
+	// Further, rule priority is added as decimal for uniqueness of rules within an ANP policy.
+	var tierVal int32
+	if tier != nil {
+		tierVal = *tier
+	}
+	if policyPriority == nil {
+		return nil
+	}
+	priority := float64((tierVal/tierStepCount)*maxPriority) + *policyPriority + float64(rulePriority)/maxPriority
+	return &priority
+}
+
 func (c *CloudRule) GetHash() string {
 	hash := sha1.New()
 	bytes, _ := json.Marshal(c)

diff --git a/pkg/cloudprovider/plugins/aws/aws_converters.go b/pkg/cloudprovider/plugins/aws/aws_converters.go
@@ -147,7 +147,7 @@ func convertIngressToIpPermission(rules []*cloudresource.CloudRule, cloudSGNameT
 		if rule == nil {
 			continue
 		}
-		description, err := utils.GenerateCloudDescription(obj.NpNamespacedName)
+		description, err := utils.GenerateCloudDescription(obj.NpNamespacedName, rule.Priority)
 		if err != nil {
 			return nil, fmt.Errorf("unable to generate rule description, err: %v", err)
 		}
@@ -176,7 +176,7 @@ func convertEgressToIpPermission(rules []*cloudresource.CloudRule, cloudSGNameTo
 		if rule == nil {
 			continue
 		}
-		description, err := utils.GenerateCloudDescription(obj.NpNamespacedName)
+		description, err := utils.GenerateCloudDescription(obj.NpNamespacedName, rule.Priority)
 		if err != nil {
 			return nil, fmt.Errorf("unable to generate rule description, err: %v", err)
 		}

diff --git a/pkg/cloudprovider/plugins/aws/aws_security_test.go b/pkg/cloudprovider/plugins/aws/aws_security_test.go
@@ -474,7 +474,7 @@ var _ = Describe("AWS Cloud Security", func() {
 			output1 := constructEc2DescribeSecurityGroupsOutput(&webSgIdentifier1.CloudResourceID, true, false)
 			output2 := constructEc2DescribeSecurityGroupsOutput(&webSgIdentifier2.CloudResourceID, true, false)
 			outputAt := constructEc2DescribeSecurityGroupsOutput(&webSgIdentifier1.CloudResourceID, false, false)
-			desc, _ := utils.GenerateCloudDescription(testAnpNamespacedName.String())
+			desc, _ := utils.GenerateCloudDescription(testAnpNamespacedName.String(), nil)
 			outputAt.SecurityGroups[0].IpPermissions = []*ec2.IpPermission{
 				{
 					FromPort:   aws.Int64(22),
@@ -576,7 +576,7 @@ var _ = Describe("AWS Cloud Security", func() {
 			output1 := constructEc2DescribeSecurityGroupsOutput(&webSgIdentifier1.CloudResourceID, true, false)
 			output2 := constructEc2DescribeSecurityGroupsOutput(&webSgIdentifier2.CloudResourceID, true, false)
 			outputAt := constructEc2DescribeSecurityGroupsOutput(&webSgIdentifier1.CloudResourceID, false, false)
-			desc, _ := utils.GenerateCloudDescription(testAnpNamespacedName.String())
+			desc, _ := utils.GenerateCloudDescription(testAnpNamespacedName.String(), nil)
 			outputAt.SecurityGroups[0].IpPermissionsEgress = []*ec2.IpPermission{
 				{
 					FromPort:   aws.Int64(22),