Cloud Security Group and Rule Visibility (#251)

* Cloud Security Group and Rule Visibility Cloud Security Group and Rules will be fetched periodically with vpc/vm poll interval. It will contain both ingress and egress rules. SG will be added for managed VPC/VNET only and it will also include user defined SG too. Signed-off-by: Rahul Jain <[email protected]> * Security Group and rule visibility for Azure & AWS. - Add new fields in SecurityGroup runtime struct. - Enhance snapshot related code for handling cached SGs. - Add parsing logic for parsing SecurityGrup fields obtained from AWS, Azure clouds. - Implement SG Inventory add/delete code. - Implement plugin call from poller for fetching SG details from internal snapshot. - Added new unit tests for the entire feature ie in Azure plugin, AWS plugin, inventory and sg rest handling. Signed-off-by: Archana Holla <[email protected]> * Add support for enabling/disabling sg visibility Handle review comments too and fixed bugs found during UTP Signed-off-by: Rahul Jain <[email protected]> * Set cloudSecurityGroupVisibility in helm Signed-off-by: Rahul Jain <[email protected]> --------- Signed-off-by: Rahul Jain <[email protected]> Signed-off-by: Archana Holla <[email protected]> Co-authored-by: Archana Holla <[email protected]>
antrea-io · Aug 24, 2023 · 71c522a · 71c522a
1 parent d0b4c3c
commit 71c522a
Show file tree

Hide file tree

Showing 40 changed files with 2,716 additions and 49 deletions.
diff --git a/apis/runtime/v1alpha1/securitygroup_types.go b/apis/runtime/v1alpha1/securitygroup_types.go
@@ -0,0 +1,88 @@
+// Copyright 2023 Antrea Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1alpha1
+
+import (
+	"fmt"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+type Rule struct {
+	Action      string   `json:"action,omitempty"`
+	Description string   `json:"description,omitempty"`
+	Destination []string `json:"destination,omitempty"`
+	Id          string   `json:"id,omitempty"`
+	Ingress     bool     `json:"ingress"`
+	Name        string   `json:"name,omitempty"`
+	Port        string   `json:"port"`
+	Priority    int32    `json:"priority,omitempty"`
+	Protocol    string   `json:"protocol"`
+	Source      []string `json:"source,omitempty"`
+}
+
+type SecurityGroupStatus struct {
+	// CloudName is the cloud assigned name of the SG.
+	CloudName string `json:"cloudName,omitempty"`
+	// CloudId is the cloud assigned ID of the SG.
+	CloudId string `json:"cloudId,omitempty"`
+	// Provider specifies cloud provider of the SG.
+	Provider CloudProvider `json:"provider,omitempty"`
+	// Region indicates the cloud region of the SG.
+	Region string `json:"region"`
+	// Rules contains ingress and egress rules of the SG.
+	Rules []Rule `json:"rules,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+
+// SecurityGroup is the Schema for the Security Group API.
+// Security Group object is automatically created upon CloudProviderAccount CR add.
+type SecurityGroup struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Status SecurityGroupStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// SecurityGroupList is a list of Security Group objects.
+type SecurityGroupList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []SecurityGroup `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&SecurityGroup{}, &SecurityGroupList{})
+	SchemeBuilder.SchemeBuilder.Register(addSgConversionFuncs)
+}
+
+func addSgConversionFuncs(scheme *runtime.Scheme) error {
+	return scheme.AddFieldLabelConversionFunc(SchemeGroupVersion.WithKind("SecurityGroup"),
+		func(label, value string) (string, string, error) {
+			switch label {
+			case "metadata.name", "metadata.namespace", "status.cloudId":
+				return label, value, nil
+			default:
+				return "", "", fmt.Errorf("field label not supported: %s", label)
+			}
+		},
+	)
+}
diff --git a/apis/runtime/v1alpha1/virtualmachine_types.go b/apis/runtime/v1alpha1/virtualmachine_types.go
@@ -81,6 +81,10 @@ type NetworkInterface struct {
 	MAC string `json:"mac,omitempty"`
 	// IP addresses of this NetworkInterface.
 	IPs []IPAddress `json:"ips,omitempty"`
+	// Security groups attached to this NetworkInterface.
+	SecurityGroupIds []string `json:"securityGroupIds,omitempty"`
+	// Application Security groups attached to this NetworkInterface.
+	GroupIds []string `json:"groups,omitempty"`
 }
 
 // VirtualMachineStatus defines the observed state of VirtualMachine

diff --git a/apis/runtime/v1alpha1/zz_generated.deepcopy.go b/apis/runtime/v1alpha1/zz_generated.deepcopy.go
diff --git a/build/charts/nephe/README.md b/build/charts/nephe/README.md
@@ -23,6 +23,7 @@ Kubernetes: `>= 1.16.0-0`
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | cloudResourcePrefix | string | `"nephe"` | Specifies the prefix to be used while creating cloud resources. |
+| cloudSecurityGroupVisibility | bool | `true` | Enable/Disable polling of cloud security groups and rules. |
 | cloudSyncInterval | int | `300` | Specifies the interval (in seconds) to be used for syncing cloud resources with controller. |
 | crds | object | `{"enabled":true}` | Enable/Disable Nephe CRDs dependent chart. |
 | image | object | `{"pullPolicy":"IfNotPresent","repository":"antrea/nephe","tag":""}` | Container image to use for Nephe Controller. |

diff --git a/build/charts/nephe/conf/nephe-controller.conf b/build/charts/nephe/conf/nephe-controller.conf
@@ -3,3 +3,6 @@ cloudResourcePrefix: {{ .Values.cloudResourcePrefix }}
 
 # Specifies the interval (in seconds) to be used for syncing cloud resources with controller.
 cloudSyncInterval: {{ .Values.cloudSyncInterval }}
+
+# Enable/Disable polling of cloud security groups and rules.
+cloudSecurityGroupVisibility: {{ .Values.cloudSecurityGroupVisibility }}
diff --git a/build/charts/nephe/values.yaml b/build/charts/nephe/values.yaml
@@ -10,6 +10,9 @@ cloudResourcePrefix: "nephe"
 # -- Specifies the interval (in seconds) to be used for syncing cloud resources with controller.
 cloudSyncInterval: 300
 
+# -- Enable/Disable polling of cloud security groups and rules.
+cloudSecurityGroupVisibility: true
+
 # -- Enable/Disable Nephe CRDs dependent chart.
 crds:
   enabled: true
diff --git a/cmd/nephe-controller/main.go b/cmd/nephe-controller/main.go
@@ -87,6 +87,7 @@ func main() {
 
 	setupLog.Info("Nephe ConfigMap", "ControllerConfig", opts.config)
 	cloudresource.SetCloudResourcePrefix(opts.config.CloudResourcePrefix)
+	cloudresource.SetCloudSecurityGroupVisibility(opts.config.CloudSecurityGroupVisibility)
 
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme:                 scheme,

diff --git a/config/manager/nephe-controller.yaml b/config/manager/nephe-controller.yaml
@@ -28,6 +28,8 @@ data:
     # cloudResourcePrefix: nephe
     # Specifies the interval (in seconds) to be used for syncing cloud resources with controller.
     # cloudSyncInterval: 300
+    # Enable/Disable polling of cloud security groups and rules.
+    cloudSecurityGroupVisibility: true
 ---
 apiVersion: apps/v1
 kind: Deployment

diff --git a/config/nephe.yml b/config/nephe.yml
@@ -470,6 +470,8 @@ data:
     # cloudResourcePrefix: nephe
     # Specifies the interval (in seconds) to be used for syncing cloud resources with controller.
     # cloudSyncInterval: 300
+    # Enable/Disable polling of cloud security groups and rules.
+    cloudSecurityGroupVisibility: true
 kind: ConfigMap
 metadata:
   name: nephe-config

diff --git a/pkg/accountmanager/manager.go b/pkg/accountmanager/manager.go
@@ -75,6 +75,7 @@ func (a *AccountManager) AddAccount(namespacedName *types.NamespacedName, cloudP
 		accPoller.stopPoller()
 		_ = a.Inventory.DeleteVpcsFromCache(namespacedName)
 		_ = a.Inventory.DeleteAllVmsFromCache(namespacedName)
+		_ = a.Inventory.DeleteAllSgsFromCache(namespacedName)
 		return false, err
 	}
 
@@ -132,6 +133,7 @@ func (a *AccountManager) RemoveResourceFiltersFromAccount(accNamespacedName *typ
 	go func() {
 		accPoller.restartPoller(accNamespacedName)
 		_ = accPoller.inventory.DeleteVmsFromCache(accNamespacedName, selectorNamespacedName)
+		_ = accPoller.inventory.DeleteSgsFromCache(accNamespacedName, selectorNamespacedName)
 	}()
 	return nil
 }
@@ -181,6 +183,7 @@ func (a *AccountManager) removeAccountPoller(accPoller *accountPoller) {
 	accPoller.stopPoller()
 	_ = accPoller.inventory.DeleteAllVmsFromCache(accPoller.accountNamespacedName)
 	_ = accPoller.inventory.DeleteVpcsFromCache(accPoller.accountNamespacedName)
+	_ = a.Inventory.DeleteAllSgsFromCache(accPoller.accountNamespacedName)
 }
 
 // getAccountPoller returns the account poller matching the nameSpacedName

diff --git a/pkg/accountmanager/poller.go b/pkg/accountmanager/poller.go
@@ -160,6 +160,10 @@ func (p *accountPoller) doAccountPolling() {
 func (p *accountPoller) processCloudInventory(cloudInventory *nephetypes.CloudInventory) {
 	_ = p.inventory.BuildVpcCache(cloudInventory.VpcMap, p.accountNamespacedName)
 
+	for selectorNamespacedName, sgs := range cloudInventory.SgMap {
+		p.inventory.BuildSgCache(sgs, p.accountNamespacedName, &selectorNamespacedName)
+	}
+
 	// VMs are stored per selector in the VmMap.
 	for selectorNamespacedName, virtualMachines := range cloudInventory.VmMap {
 		// Maybe expose, Add, Delete, Update routine in inventory, and do the calculation here.

diff --git a/pkg/apiserver/apiserver.go b/pkg/apiserver/apiserver.go
@@ -34,6 +34,7 @@ import (
 	controllerruntime "sigs.k8s.io/controller-runtime"
 
 	runtimev1alpha1 "antrea.io/nephe/apis/runtime/v1alpha1"
+	"antrea.io/nephe/pkg/apiserver/registry/inventory/securitygroup"
 	virtualmachineinventory "antrea.io/nephe/pkg/apiserver/registry/inventory/virtualmachine"
 	vpcinventory "antrea.io/nephe/pkg/apiserver/registry/inventory/vpc"
 	"antrea.io/nephe/pkg/apiserver/registry/virtualmachinepolicy"
@@ -237,12 +238,14 @@ func (c completedConfig) New(scheme *runtime.Scheme, codecs serializer.CodecFact
 	vpcStorage := vpcinventory.NewREST(c.ExtraConfig.cloudInventory, logger.WithName("VpcInventory"))
 	vmpStorage := virtualmachinepolicy.NewREST(c.ExtraConfig.npTrackerIndexer, logger.WithName("VirtualMachinePolicy"))
 	vmStorage := virtualmachineinventory.NewREST(c.ExtraConfig.cloudInventory, logger.WithName("VirtualMachineInventory"))
+	sgStorage := securitygroup.NewREST(c.ExtraConfig.cloudInventory, logger.WithName("SecurityGroup"))
 
 	cpGroup := genericapiserver.NewDefaultAPIGroupInfo(runtimev1alpha1.GroupVersion.Group, scheme, metav1.ParameterCodec, codecs)
 	cpv1alpha1Storage := map[string]rest.Storage{}
 	cpv1alpha1Storage["vpc"] = vpcStorage
 	cpv1alpha1Storage["virtualmachinepolicy"] = vmpStorage
 	cpv1alpha1Storage["virtualmachine"] = vmStorage
+	cpv1alpha1Storage["sg"] = sgStorage
 
 	cpGroup.VersionedResourcesStorageMap["v1alpha1"] = cpv1alpha1Storage