Label Identity replication for multi-cluster NetworkPolicies (antrea-…

…io#3664) This commit is the first part of the multi-cluster stretched network policy implementation. In order to enforce policies globally based on label selections, Antrea MC Service needs to inform each member cluster of all Pod + Namespace label combinations in the ClusterSet. Each unique Pod + Namespace label combination is defined as labelidentity, which is a normalized string calculated based on Pod's own labels and its Namespace labels. A couple of new controllers and CRDs are added, namely: - A label_identity_controller in each member cluster, which watches Pod and Namespace events, and updates ResourceExport of type labelidentity for each unique label identity in the cluster. - A label_identity_export_controller in the leader cluster, which watches for ResourceExports of type labelidentity from all member clusters, dedups the label identities and assigns a unique ID for each for them. It also creates an ResourceImport of type labelidentity object for the combination of each such labelidentity and its assigned ID in the leader cluster. - A label_identity_export_controller in each member cluster, which watches for ResourceImport of type labelidentity events in the leader, and creates a LabelIdentity CRD object in each member cluster for each ResourceImport of type labelidentity. Signed-off-by: Dyanngg <[email protected]> Co-authored-by: wgrayson <[email protected]>
hongliangl · Oct 3, 2022 · 1e31a78 · 1e31a78
1 parent d92132c
commit 1e31a78
Show file tree

Hide file tree

Showing 38 changed files with 2,826 additions and 82 deletions.
diff --git a/go.mod b/go.mod
@@ -61,6 +61,7 @@ require (
 	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
 	golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8
+	golang.org/x/tools v0.1.10-0.20220218145154-897bd77cd717
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20210506160403-92e472f520a5
 	google.golang.org/grpc v1.49.0
 	google.golang.org/protobuf v1.28.1
@@ -197,7 +198,6 @@ require (
 	golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/tools v0.1.10-0.20220218145154-897bd77cd717 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 	golang.zx2c4.com/wireguard v0.0.0-20210427022245-097af6e1351b // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect

diff --git a/multicluster/apis/multicluster/v1alpha1/labelidentity_types.go b/multicluster/apis/multicluster/v1alpha1/labelidentity_types.go
@@ -0,0 +1,61 @@
+/*
+Copyright 2022 Antrea Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=labelidentities,scope=Cluster
+
+// +kubebuilder:printcolumn:name="Label",type=string,JSONPath=`.spec.label`,description="Normalized string of a label identity"
+// +kubebuilder:printcolumn:name="ID",type=string,JSONPath=`.spec.id`,description="ID allocated for the label identity by the leader cluster"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=`.metadata.creationTimestamp`
+// LabelIdentity is an imported label identity from the ClusterSet.
+// For each unique label identity, a LabelIdentity will be created in the member cluster.
+type LabelIdentity struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec LabelIdentitySpec `json:"spec,omitempty"`
+}
+
+type LabelIdentitySpec struct {
+	// Label is the normalized string of a label identity.
+	// The format of normalized label identity is `ns:(?P<nslabels>(.)*)&pod:(?P<podlabels>(.)*)`
+	// E.g., `ns:kubernetes.io/metadata.name=kube-system&pod:app=db`
+	Label string `json:"label,omitempty"`
+	// ID is the ID allocated for the label identity by the leader cluster.
+	ID uint32 `json:"id,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// LabelIdentityList contains a list of LabelIdentity.
+type LabelIdentityList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []LabelIdentity `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(
+		&LabelIdentity{},
+		&LabelIdentityList{},
+	)
+}
diff --git a/multicluster/apis/multicluster/v1alpha1/resourceexport_types.go b/multicluster/apis/multicluster/v1alpha1/resourceexport_types.go
@@ -39,6 +39,10 @@ type ExternalEntityExport struct {
 	ExternalEntitySpec v1alpha2.ExternalEntitySpec `json:"externalEntitySpec,omitempty"`
 }
 
+type LabelIdentityExport struct {
+	NormalizedLabel string `json:"normalizedLabel,omitempty"`
+}
+
 // RawResourceExport exports opaque resources.
 type RawResourceExport struct {
 	Data []byte `json:"data,omitempty"`
@@ -65,6 +69,8 @@ type ResourceExportSpec struct {
 	ExternalEntity *ExternalEntityExport `json:"externalEntity,omitempty"`
 	// If exported resource is AntreaClusterNetworkPolicy.
 	ClusterNetworkPolicy *v1alpha1.ClusterNetworkPolicySpec `json:"clusterNetworkPolicy,omitempty"`
+	// If exported resource is LabelIdentity of a cluster.
+	LabelIdentity *LabelIdentityExport `json:"labelIdentity,omitempty"`
 	// If exported resource kind is unknown.
 	Raw *RawResourceExport `json:"raw,omitempty"`
 }
@@ -102,8 +108,8 @@ type ResourceExportStatus struct {
 }
 
 // +genclient
-//+kubebuilder:object:root=true
-//+kubebuilder:subresource:status
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
 
 // +kubebuilder:printcolumn:name="Cluster ID",type=string,JSONPath=`.spec.clusterID`,description="Cluster ID of the exporting cluster"
 // +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=`.spec.kind`,description="Kind of the exported resource"
@@ -119,7 +125,7 @@ type ResourceExport struct {
 	Status ResourceExportStatus `json:"status,omitempty"`
 }
 
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
 
 // ResourceExportList contains a list of ResourceExport.
 type ResourceExportList struct {

diff --git a/multicluster/apis/multicluster/v1alpha1/resourceimport_types.go b/multicluster/apis/multicluster/v1alpha1/resourceimport_types.go
@@ -62,10 +62,8 @@ type ResourceImportSpec struct {
 	ExternalEntity *ExternalEntityImport `json:"externalentity,omitempty"`
 	// If imported resource is AntreaClusterNetworkPolicy.
 	ClusterNetworkPolicy *v1alpha1.ClusterNetworkPolicySpec `json:"clusternetworkpolicy,omitempty"`
-	// If imported resource is ANP.
-	// TODO:
-	// ANP uses float64 as priority.  Type float64 is discouraged by k8s, and is not supported by controller-gen tools.
-	// NetworkPolicy *v1alpha1.NetworkPolicySpec `json:"networkpolicy,omitempty"`
+	// If imported resource kind is LabelIdentity.
+	LabelIdentity *LabelIdentitySpec `json:"labelIdentity,omitempty"`
 	// If imported resource kind is unknown.
 	Raw *RawResourceImport `json:"raw,omitempty"`
 }
@@ -105,8 +103,8 @@ type ResourceImportStatus struct {
 }
 
 // +genclient
-//+kubebuilder:object:root=true
-//+kubebuilder:subresource:status
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
 
 // +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=`.spec.kind`,description="Kind of the imported resource"
 // +kubebuilder:printcolumn:name="Namespace",type=string,JSONPath=`.spec.namespace`,description="Namespace of the imported resource"
@@ -121,7 +119,7 @@ type ResourceImport struct {
 	Status ResourceImportStatus `json:"status,omitempty"`
 }
 
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
 
 // ResourceImportList contains a list of ResourceImport.
 type ResourceImportList struct {
@@ -131,5 +129,8 @@ type ResourceImportList struct {
 }
 
 func init() {
-	SchemeBuilder.Register(&ResourceImport{}, &ResourceImportList{})
+	SchemeBuilder.Register(
+		&ResourceImport{},
+		&ResourceImportList{},
+	)
 }
diff --git a/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go b/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go
diff --git a/multicluster/build/yamls/antrea-multicluster-leader-global.yml b/multicluster/build/yamls/antrea-multicluster-leader-global.yml
@@ -2824,6 +2824,12 @@ spec:
               kind:
                 description: Kind of exported resource.
                 type: string
+              labelIdentity:
+                description: If exported resource is LabelIdentity of a cluster.
+                properties:
+                  normalizedLabel:
+                    type: string
+                type: object
               name:
                 description: Name of exported resource.
                 type: string
@@ -5718,17 +5724,28 @@ spec:
               kind:
                 description: Kind of imported resource.
                 type: string
+              labelIdentity:
+                description: If imported resource kind is LabelIdentity.
+                properties:
+                  id:
+                    description: ID is the ID allocated for the label identity by
+                      the leader cluster.
+                    format: int32
+                    type: integer
+                  label:
+                    description: Label is the normalized string of a label identity.
+                      The format of normalized label identity is `ns:(?P<nslabels>(.)*)&pod:(?P<podlabels>(.)*)`
+                      E.g., `ns:kubernetes.io/metadata.name=kube-system&pod:app=db`
+                    type: string
+                type: object
               name:
                 description: Name of imported resource.
                 type: string
               namespace:
                 description: Namespace of imported resource.
                 type: string
               raw:
-                description: 'If imported resource is ANP. TODO: ANP uses float64
-                  as priority.  Type float64 is discouraged by k8s, and is not supported
-                  by controller-gen tools. NetworkPolicy *v1alpha1.NetworkPolicySpec
-                  `json:"networkpolicy,omitempty"` If imported resource kind is unknown.'
+                description: If imported resource kind is unknown.
                 properties:
                   data:
                     format: byte