diff --git a/mocks/pkg/ovs/interface.go b/mocks/pkg/ovs/interface.go index 98cbc0553c9..1741de4224b 100644 --- a/mocks/pkg/ovs/interface.go +++ b/mocks/pkg/ovs/interface.go @@ -1871,32 +1871,32 @@ func (mr *MockACLMockRecorder) CreateSgDenyAllACL(sgName any) *gomock.Call { } // DeleteAcls mocks base method. -func (m *MockACL) DeleteAcls(parentName, parentType, direction string, externalIDs map[string]string) error { +func (m *MockACL) DeleteAcls(parentName, parentType, direction string, externalIDs map[string]string, tier int) error { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "DeleteAcls", parentName, parentType, direction, externalIDs) + ret := m.ctrl.Call(m, "DeleteAcls", parentName, parentType, direction, externalIDs, tier) ret0, _ := ret[0].(error) return ret0 } // DeleteAcls indicates an expected call of DeleteAcls. -func (mr *MockACLMockRecorder) DeleteAcls(parentName, parentType, direction, externalIDs any) *gomock.Call { +func (mr *MockACLMockRecorder) DeleteAcls(parentName, parentType, direction, externalIDs, tier any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAcls", reflect.TypeOf((*MockACL)(nil).DeleteAcls), parentName, parentType, direction, externalIDs) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAcls", reflect.TypeOf((*MockACL)(nil).DeleteAcls), parentName, parentType, direction, externalIDs, tier) } // DeleteAclsOps mocks base method. -func (m *MockACL) DeleteAclsOps(parentName, parentType, direction string, externalIDs map[string]string) ([]ovsdb.Operation, error) { +func (m *MockACL) DeleteAclsOps(parentName, parentType, direction string, externalIDs map[string]string, tier int) ([]ovsdb.Operation, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "DeleteAclsOps", parentName, parentType, direction, externalIDs) + ret := m.ctrl.Call(m, "DeleteAclsOps", parentName, parentType, direction, externalIDs, tier) ret0, _ := ret[0].([]ovsdb.Operation) ret1, _ := ret[1].(error) return ret0, ret1 } // DeleteAclsOps indicates an expected call of DeleteAclsOps. -func (mr *MockACLMockRecorder) DeleteAclsOps(parentName, parentType, direction, externalIDs any) *gomock.Call { +func (mr *MockACLMockRecorder) DeleteAclsOps(parentName, parentType, direction, externalIDs, tier any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAclsOps", reflect.TypeOf((*MockACL)(nil).DeleteAclsOps), parentName, parentType, direction, externalIDs) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAclsOps", reflect.TypeOf((*MockACL)(nil).DeleteAclsOps), parentName, parentType, direction, externalIDs, tier) } // SGLostACL mocks base method. @@ -3150,32 +3150,32 @@ func (mr *MockNbClientMockRecorder) CreateVirtualLogicalSwitchPorts(lsName any, } // DeleteAcls mocks base method. -func (m *MockNbClient) DeleteAcls(parentName, parentType, direction string, externalIDs map[string]string) error { +func (m *MockNbClient) DeleteAcls(parentName, parentType, direction string, externalIDs map[string]string, tier int) error { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "DeleteAcls", parentName, parentType, direction, externalIDs) + ret := m.ctrl.Call(m, "DeleteAcls", parentName, parentType, direction, externalIDs, tier) ret0, _ := ret[0].(error) return ret0 } // DeleteAcls indicates an expected call of DeleteAcls. -func (mr *MockNbClientMockRecorder) DeleteAcls(parentName, parentType, direction, externalIDs any) *gomock.Call { +func (mr *MockNbClientMockRecorder) DeleteAcls(parentName, parentType, direction, externalIDs, tier any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAcls", reflect.TypeOf((*MockNbClient)(nil).DeleteAcls), parentName, parentType, direction, externalIDs) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAcls", reflect.TypeOf((*MockNbClient)(nil).DeleteAcls), parentName, parentType, direction, externalIDs, tier) } // DeleteAclsOps mocks base method. -func (m *MockNbClient) DeleteAclsOps(parentName, parentType, direction string, externalIDs map[string]string) ([]ovsdb.Operation, error) { +func (m *MockNbClient) DeleteAclsOps(parentName, parentType, direction string, externalIDs map[string]string, tier int) ([]ovsdb.Operation, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "DeleteAclsOps", parentName, parentType, direction, externalIDs) + ret := m.ctrl.Call(m, "DeleteAclsOps", parentName, parentType, direction, externalIDs, tier) ret0, _ := ret[0].([]ovsdb.Operation) ret1, _ := ret[1].(error) return ret0, ret1 } // DeleteAclsOps indicates an expected call of DeleteAclsOps. -func (mr *MockNbClientMockRecorder) DeleteAclsOps(parentName, parentType, direction, externalIDs any) *gomock.Call { +func (mr *MockNbClientMockRecorder) DeleteAclsOps(parentName, parentType, direction, externalIDs, tier any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAclsOps", reflect.TypeOf((*MockNbClient)(nil).DeleteAclsOps), parentName, parentType, direction, externalIDs) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAclsOps", reflect.TypeOf((*MockNbClient)(nil).DeleteAclsOps), parentName, parentType, direction, externalIDs, tier) } // DeleteAddressSet mocks base method. diff --git a/pkg/controller/admin_network_policy.go b/pkg/controller/admin_network_policy.go index aaa9814f068..604095b936f 100644 --- a/pkg/controller/admin_network_policy.go +++ b/pkg/controller/admin_network_policy.go @@ -190,7 +190,7 @@ func (c *Controller) handleAddAnp(key string) (err error) { return err } - ingressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "to-lport", nil) + ingressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "to-lport", nil, util.NilACLTier) if err != nil { klog.Errorf("failed to generate clear operations for anp %s ingress acls: %v", key, err) return err @@ -266,7 +266,7 @@ func (c *Controller) handleAddAnp(key string) (err error) { return fmt.Errorf("failed to delete unused ingress address set for anp %s: %w", key, err) } - egressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "from-lport", nil) + egressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "from-lport", nil, util.NilACLTier) if err != nil { klog.Errorf("failed to generate clear operations for anp %s egress acls: %v", key, err) return err diff --git a/pkg/controller/baseline_admin_network_policy.go b/pkg/controller/baseline_admin_network_policy.go index 819d7a18872..5b64bceb057 100644 --- a/pkg/controller/baseline_admin_network_policy.go +++ b/pkg/controller/baseline_admin_network_policy.go @@ -148,7 +148,7 @@ func (c *Controller) handleAddBanp(key string) (err error) { return err } - ingressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "to-lport", nil) + ingressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "to-lport", nil, util.NilACLTier) if err != nil { klog.Errorf("failed to generate clear operations for banp %s ingress acls: %v", key, err) return err @@ -225,7 +225,7 @@ func (c *Controller) handleAddBanp(key string) (err error) { return fmt.Errorf("failed to delete unused ingress address set for banp %s: %w", key, err) } - egressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "from-lport", nil) + egressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "from-lport", nil, util.NilACLTier) if err != nil { klog.Errorf("failed to generate clear operations for banp %s egress acls: %v", key, err) return err diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go index 7f7c0529592..a4508f85335 100644 --- a/pkg/controller/controller.go +++ b/pkg/controller/controller.go @@ -995,6 +995,8 @@ func (c *Controller) Run(ctx context.Context) { } } + c.handleUpgrading() + // start workers to do all the network operations c.startWorkers(ctx) @@ -1131,6 +1133,25 @@ func (c *Controller) shutdown() { } } +func (c *Controller) handleUpgrading() { + klog.Info("Start upgrading") + + if err := c.upgradeSecurityGroups(); err != nil { + util.LogFatalAndExit(err, "failed to upgrade security groups") + } + if err := c.upgradeSubnets(); err != nil { + util.LogFatalAndExit(err, "failed to upgrade subnets") + } + if c.config.EnableNP { + if err := c.upgradeNetworkPolicies(); err != nil { + util.LogFatalAndExit(err, "failed to upgrade network policies") + } + } + if err := c.upgradeNodes(); err != nil { + util.LogFatalAndExit(err, "failed to upgrade nodes") + } +} + func (c *Controller) startWorkers(ctx context.Context) { klog.Info("Starting workers") diff --git a/pkg/controller/controller_test.go b/pkg/controller/controller_test.go index 5fb9005929c..b755dd76dd7 100644 --- a/pkg/controller/controller_test.go +++ b/pkg/controller/controller_test.go @@ -7,6 +7,7 @@ import ( "go.uber.org/mock/gomock" "k8s.io/client-go/informers" coreinformers "k8s.io/client-go/informers/core/v1" + networkinformers "k8s.io/client-go/informers/networking/v1" "k8s.io/client-go/kubernetes/fake" mockovs "github.com/kubeovn/kube-ovn/mocks/pkg/ovs" @@ -18,7 +19,10 @@ import ( type fakeControllerInformers struct { vpcInformer kubeovninformer.VpcInformer subnetInformer kubeovninformer.SubnetInformer + sgInformer kubeovninformer.SecurityGroupInformer serviceInformer coreinformers.ServiceInformer + npInformer networkinformers.NetworkPolicyInformer + nodeInformer coreinformers.NodeInformer } type fakeController struct { @@ -34,17 +38,23 @@ func newFakeController(t *testing.T) *fakeController { kubeClient := fake.NewSimpleClientset() kubeInformerFactory := informers.NewSharedInformerFactory(kubeClient, 0) serviceInformer := kubeInformerFactory.Core().V1().Services() + npInformer := kubeInformerFactory.Networking().V1().NetworkPolicies() + nodeInformer := kubeInformerFactory.Core().V1().Nodes() /* fake kube ovn client */ kubeovnClient := kubeovnfake.NewSimpleClientset() kubeovnInformerFactory := kubeovninformerfactory.NewSharedInformerFactory(kubeovnClient, 0) vpcInformer := kubeovnInformerFactory.Kubeovn().V1().Vpcs() subnetInformer := kubeovnInformerFactory.Kubeovn().V1().Subnets() + sgInformer := kubeovnInformerFactory.Kubeovn().V1().SecurityGroups() fakeInformers := &fakeControllerInformers{ vpcInformer: vpcInformer, subnetInformer: subnetInformer, + sgInformer: sgInformer, serviceInformer: serviceInformer, + npInformer: npInformer, + nodeInformer: nodeInformer, } /* ovn fake client */ @@ -52,7 +62,10 @@ func newFakeController(t *testing.T) *fakeController { ctrl := &Controller{ servicesLister: serviceInformer.Lister(), + npsLister: npInformer.Lister(), + nodesLister: nodeInformer.Lister(), vpcsLister: vpcInformer.Lister(), + sgsLister: sgInformer.Lister(), vpcSynced: alwaysReady, subnetsLister: subnetInformer.Lister(), subnetSynced: alwaysReady, diff --git a/pkg/controller/network_policy.go b/pkg/controller/network_policy.go index 55835a8feb6..2daf062025e 100644 --- a/pkg/controller/network_policy.go +++ b/pkg/controller/network_policy.go @@ -62,6 +62,40 @@ func (c *Controller) enqueueUpdateNp(oldObj, newObj interface{}) { } } +// for upgrading from v1.12.x to v1.13.x +func (c *Controller) upgradeNetworkPoliciesToV1_13() error { + // clear legacy acls in tier 0 for all network policies + // including ingress, egress and subnet gateway acls + nps, err := c.npsLister.NetworkPolicies(corev1.NamespaceAll).List(labels.Everything()) + if err != nil { + klog.Errorf("failed to list network policies %v", err) + return err + } + + for _, np := range nps { + npName := np.Name + nameArray := []rune(np.Name) + if !unicode.IsLetter(nameArray[0]) { + npName = "np" + np.Name + } + pgName := strings.ReplaceAll(fmt.Sprintf("%s.%s", npName, np.Namespace), "-", ".") + if err = c.OVNNbClient.DeleteAcls(pgName, portGroupKey, "", nil, util.DefaultACLTier); err != nil { + klog.Errorf("clear legacy network policy %s acls: %v", pgName, err) + return err + } + } + + return nil +} + +func (c *Controller) upgradeNetworkPolicies() error { + if err := c.upgradeNetworkPoliciesToV1_13(); err != nil { + klog.Errorf("failed to upgrade network policies to v1.13.x, err: %v", err) + return err + } + return nil +} + func (c *Controller) createAsForNetpol(ns, name, direction, asName string, addresses []string) error { if err := c.OVNNbClient.CreateAddressSet(asName, map[string]string{ networkPolicyKey: fmt.Sprintf("%s/%s/%s", ns, name, direction), @@ -165,7 +199,7 @@ func (c *Controller) handleUpdateNp(key string) error { return err } - ingressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "to-lport", nil) + ingressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "to-lport", nil, util.NilACLTier) if err != nil { klog.Errorf("generate operations that clear np %s ingress acls: %v", key, err) return err @@ -281,7 +315,7 @@ func (c *Controller) handleUpdateNp(key string) error { } } } else { - if err = c.OVNNbClient.DeleteAcls(pgName, portGroupKey, "to-lport", nil); err != nil { + if err = c.OVNNbClient.DeleteAcls(pgName, portGroupKey, "to-lport", nil, util.NilACLTier); err != nil { klog.Errorf("delete np %s ingress acls: %v", key, err) return err } @@ -294,7 +328,7 @@ func (c *Controller) handleUpdateNp(key string) error { } } - egressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "from-lport", nil) + egressACLOps, err := c.OVNNbClient.DeleteAclsOps(pgName, portGroupKey, "from-lport", nil, util.NilACLTier) if err != nil { klog.Errorf("generate operations that clear np %s egress acls: %v", key, err) return err @@ -408,7 +442,7 @@ func (c *Controller) handleUpdateNp(key string) error { } } } else { - if err = c.OVNNbClient.DeleteAcls(pgName, portGroupKey, "from-lport", nil); err != nil { + if err = c.OVNNbClient.DeleteAcls(pgName, portGroupKey, "from-lport", nil, util.NilACLTier); err != nil { klog.Errorf("delete np %s egress acls: %v", key, err) return err } diff --git a/pkg/controller/network_policy_test.go b/pkg/controller/network_policy_test.go new file mode 100644 index 00000000000..edce3bd1570 --- /dev/null +++ b/pkg/controller/network_policy_test.go @@ -0,0 +1,36 @@ +package controller + +import ( + "testing" + + "github.com/stretchr/testify/require" + "go.uber.org/mock/gomock" + netv1 "k8s.io/api/networking/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "github.com/kubeovn/kube-ovn/pkg/util" +) + +func Test_upgradeNetworkPolicies(t *testing.T) { + t.Parallel() + + fakeController := newFakeController(t) + ctrl := fakeController.fakeController + fakeinformers := fakeController.fakeInformers + mockOvnClient := fakeController.mockOvnClient + + np := &netv1.NetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "np1", + Namespace: "default", + }, + } + + err := fakeinformers.npInformer.Informer().GetStore().Add(np) + require.NoError(t, err) + + mockOvnClient.EXPECT().DeleteAcls(gomock.Any(), portGroupKey, "", nil, util.DefaultACLTier).Return(nil) + + err = ctrl.upgradeNetworkPolicies() + require.NoError(t, err) +} diff --git a/pkg/controller/node.go b/pkg/controller/node.go index 343d6731685..359ff7cb213 100644 --- a/pkg/controller/node.go +++ b/pkg/controller/node.go @@ -94,6 +94,37 @@ func nodeUnderlayAddressSetName(node string, af int) string { return fmt.Sprintf("node_%s_underlay_v%d", strings.ReplaceAll(node, "-", "_"), af) } +// for upgrading from v1.12.x to v1.13.x +func (c *Controller) upgradeNodesToV1_13() error { + // clear legacy acls in tier 0 for node port group + nodes, err := c.nodesLister.List(labels.Everything()) + if err != nil { + klog.Errorf("failed to list nodes: %v", err) + return err + } + + for _, node := range nodes { + pgName := strings.ReplaceAll(node.Annotations[util.PortNameAnnotation], "-", ".") + if pgName == "" { + continue + } + if err = c.OVNNbClient.DeleteAcls(pgName, portGroupKey, "", nil, util.DefaultACLTier); err != nil { + klog.Errorf("delete legacy node acl for node pg %s: %v", pgName, err) + return err + } + } + + return nil +} + +func (c *Controller) upgradeNodes() error { + if err := c.upgradeNodesToV1_13(); err != nil { + klog.Errorf("failed to upgrade nodes to v1.13.x, err: %v", err) + return err + } + return nil +} + func (c *Controller) handleAddNode(key string) error { c.nodeKeyMutex.LockKey(key) defer func() { _ = c.nodeKeyMutex.UnlockKey(key) }() @@ -786,7 +817,7 @@ func (c *Controller) checkAndUpdateNodePortGroup() error { } } else { // clear all acl - if err = c.OVNNbClient.DeleteAcls(pgName, portGroupKey, "", nil); err != nil { + if err = c.OVNNbClient.DeleteAcls(pgName, portGroupKey, "", nil, util.NilACLTier); err != nil { klog.Errorf("delete node acl for node pg %s: %v", pgName, err) } } diff --git a/pkg/controller/node_test.go b/pkg/controller/node_test.go new file mode 100644 index 00000000000..97b3c1f1bdf --- /dev/null +++ b/pkg/controller/node_test.go @@ -0,0 +1,38 @@ +package controller + +import ( + "testing" + + "github.com/stretchr/testify/require" + "go.uber.org/mock/gomock" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "github.com/kubeovn/kube-ovn/pkg/util" +) + +func Test_upgradeNodes(t *testing.T) { + t.Parallel() + + fakeController := newFakeController(t) + ctrl := fakeController.fakeController + fakeinformers := fakeController.fakeInformers + mockOvnClient := fakeController.mockOvnClient + + node := &corev1.Node{ + ObjectMeta: metav1.ObjectMeta{ + Name: "node-1", + Annotations: map[string]string{ + util.PortNameAnnotation: "node-1", + }, + }, + } + + err := fakeinformers.nodeInformer.Informer().GetStore().Add(node) + require.NoError(t, err) + + mockOvnClient.EXPECT().DeleteAcls(gomock.Any(), portGroupKey, "", nil, util.DefaultACLTier).Return(nil).Times(1) + + err = ctrl.upgradeNodes() + require.NoError(t, err) +} diff --git a/pkg/controller/security_group.go b/pkg/controller/security_group.go index 8e9890f5a3b..729ecae8fa6 100644 --- a/pkg/controller/security_group.go +++ b/pkg/controller/security_group.go @@ -62,6 +62,40 @@ func (c *Controller) enqueueDeleteSg(obj interface{}) { c.delSgQueue.Add(key) } +// for upgrading from v1.12.x to v1.13.x +func (c *Controller) upgradeSecurityGroupsToV1_13() error { + // clear legacy acls in tier 0 for deny all sg + pgName := ovs.GetSgPortGroupName(util.DenyAllSecurityGroup) + if err := c.OVNNbClient.DeleteAcls(pgName, portGroupKey, "", nil, util.DefaultACLTier); err != nil { + klog.Error(err) + return fmt.Errorf("delete legacy acls from port group %s: %w", pgName, err) + } + + // clear legacy acls in tier 0 for all sg port groups + sgs, err := c.sgsLister.List(labels.Everything()) + if err != nil { + klog.Errorf("failed to list security groups: %v", err) + return err + } + for _, sg := range sgs { + pgName := ovs.GetSgPortGroupName(sg.Name) + if err := c.OVNNbClient.DeleteAcls(pgName, portGroupKey, "", nil, util.DefaultACLTier); err != nil { + klog.Error(err) + return fmt.Errorf("delete legacy acls from port group %s: %w", pgName, err) + } + } + + return nil +} + +func (c *Controller) upgradeSecurityGroups() error { + if err := c.upgradeSecurityGroupsToV1_13(); err != nil { + klog.Errorf("failed to upgrade security groups to v1.13.x, err: %v", err) + return err + } + return nil +} + func (c *Controller) initDefaultDenyAllSecurityGroup() error { pgName := ovs.GetSgPortGroupName(util.DenyAllSecurityGroup) if err := c.OVNNbClient.CreatePortGroup(pgName, map[string]string{ diff --git a/pkg/controller/security_group_test.go b/pkg/controller/security_group_test.go index dbd6fecb5c7..fe75d2bb1f0 100644 --- a/pkg/controller/security_group_test.go +++ b/pkg/controller/security_group_test.go @@ -5,9 +5,12 @@ import ( "github.com/stretchr/testify/require" "go.uber.org/mock/gomock" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + kubeovnv1 "github.com/kubeovn/kube-ovn/pkg/apis/kubeovn/v1" "github.com/kubeovn/kube-ovn/pkg/ovs" "github.com/kubeovn/kube-ovn/pkg/ovsdb/ovnnb" + "github.com/kubeovn/kube-ovn/pkg/util" ) func mockLsp() *ovnnb.LogicalSwitchPort { @@ -39,6 +42,29 @@ func Test_getPortSg(t *testing.T) { }) } +func Test_upgradeSecurityGroups(t *testing.T) { + t.Parallel() + + fakeController := newFakeController(t) + ctrl := fakeController.fakeController + fakeinformers := fakeController.fakeInformers + mockOvnClient := fakeController.mockOvnClient + + sg := &kubeovnv1.SecurityGroup{ + ObjectMeta: metav1.ObjectMeta{ + Name: "sg", + }, + } + + err := fakeinformers.sgInformer.Informer().GetStore().Add(sg) + require.NoError(t, err) + + mockOvnClient.EXPECT().DeleteAcls(gomock.Any(), portGroupKey, "", nil, util.DefaultACLTier).Return(nil).Times(2) + + err = ctrl.upgradeSecurityGroups() + require.NoError(t, err) +} + func Test_securityGroupALLNotExist(t *testing.T) { t.Parallel() diff --git a/pkg/controller/subnet.go b/pkg/controller/subnet.go index 7c506f252ff..1024703f865 100644 --- a/pkg/controller/subnet.go +++ b/pkg/controller/subnet.go @@ -152,6 +152,32 @@ func (c *Controller) enqueueUpdateSubnet(oldObj, newObj interface{}) { } } +// for upgrading from v1.12.x to v1.13.x +func (c *Controller) upgradeSubnetsToV1_13() error { + // clear legacy acls in tier 0 for all subnets + subnets, err := c.subnetsLister.List(labels.Everything()) + if err != nil { + klog.Errorf("failed to list subnets %v", err) + return err + } + + for _, subnet := range subnets { + if err = c.OVNNbClient.DeleteAcls(subnet.Name, logicalSwitchKey, "", nil, util.DefaultACLTier); err != nil { + klog.Errorf("clear legacy logical switch %s acls: %v", subnet.Name, err) + return err + } + } + return nil +} + +func (c *Controller) upgradeSubnets() error { + if err := c.upgradeSubnetsToV1_13(); err != nil { + klog.Errorf("failed to upgrade subnets to v1.13.x, err: %v", err) + return err + } + return nil +} + func (c *Controller) formatSubnet(subnet *kubeovnv1.Subnet) (*kubeovnv1.Subnet, error) { var ( changed bool @@ -790,7 +816,7 @@ func (c *Controller) handleAddOrUpdateSubnet(key string) error { } } else { // clear acl when direction is "" - if err = c.OVNNbClient.DeleteAcls(subnet.Name, logicalSwitchKey, "", nil); err != nil { + if err = c.OVNNbClient.DeleteAcls(subnet.Name, logicalSwitchKey, "", nil, util.NilACLTier); err != nil { if err = c.patchSubnetStatus(subnet, "ResetLogicalSwitchAclFailed", err.Error()); err != nil { klog.Error(err) return err @@ -890,7 +916,7 @@ func (c *Controller) handleDeleteLogicalSwitch(key string) (err error) { } // clear acl when direction is "" - if err = c.OVNNbClient.DeleteAcls(key, logicalSwitchKey, "", nil); err != nil { + if err = c.OVNNbClient.DeleteAcls(key, logicalSwitchKey, "", nil, util.NilACLTier); err != nil { klog.Errorf("clear logical switch %s acls: %v", key, err) return err } diff --git a/pkg/controller/subnet_test.go b/pkg/controller/subnet_test.go index 6b63aedcd33..f3612cf14cb 100644 --- a/pkg/controller/subnet_test.go +++ b/pkg/controller/subnet_test.go @@ -12,8 +12,33 @@ import ( kubeovnv1 "github.com/kubeovn/kube-ovn/pkg/apis/kubeovn/v1" "github.com/kubeovn/kube-ovn/pkg/ovsdb/ovnnb" + "github.com/kubeovn/kube-ovn/pkg/util" ) +func Test_upgradeSubnets(t *testing.T) { + t.Parallel() + + fakeController := newFakeController(t) + ctrl := fakeController.fakeController + fakeinformers := fakeController.fakeInformers + mockOvnClient := fakeController.mockOvnClient + + subnet := &kubeovnv1.Subnet{ + ObjectMeta: metav1.ObjectMeta{ + Name: "ovn-test", + }, + Spec: kubeovnv1.SubnetSpec{}, + } + + err := fakeinformers.subnetInformer.Informer().GetStore().Add(subnet) + require.NoError(t, err) + + mockOvnClient.EXPECT().DeleteAcls(gomock.Any(), logicalSwitchKey, "", nil, util.DefaultACLTier).Return(nil) + + err = ctrl.upgradeSubnets() + require.NoError(t, err) +} + func Test_reconcileVips(t *testing.T) { t.Parallel() diff --git a/pkg/ovs/interface.go b/pkg/ovs/interface.go index 67a230b9a16..612fa39f32c 100644 --- a/pkg/ovs/interface.go +++ b/pkg/ovs/interface.go @@ -162,8 +162,8 @@ type ACL interface { SetACLLog(pgName string, logEnable, isIngress bool) error SetLogicalSwitchPrivate(lsName, cidrBlock, nodeSwitchCIDR string, allowSubnets []string) error SGLostACL(sg *kubeovnv1.SecurityGroup) (bool, error) - DeleteAcls(parentName, parentType, direction string, externalIDs map[string]string) error - DeleteAclsOps(parentName, parentType, direction string, externalIDs map[string]string) ([]ovsdb.Operation, error) + DeleteAcls(parentName, parentType, direction string, externalIDs map[string]string, tier int) error + DeleteAclsOps(parentName, parentType, direction string, externalIDs map[string]string, tier int) ([]ovsdb.Operation, error) UpdateAnpRuleACLOps(pgName, asName, protocol, aclName string, priority int, aclAction ovnnb.ACLAction, logACLActions []ovnnb.ACLAction, rulePorts []v1alpha1.AdminNetworkPolicyPort, isIngress, isBanp bool) ([]ovsdb.Operation, error) } diff --git a/pkg/ovs/ovn-nb-acl.go b/pkg/ovs/ovn-nb-acl.go index 07143253ec6..224b11f2613 100644 --- a/pkg/ovs/ovn-nb-acl.go +++ b/pkg/ovs/ovn-nb-acl.go @@ -384,7 +384,7 @@ func (c *OVNNbClient) UpdateSgACL(sg *kubeovnv1.SecurityGroup, direction string) pgName := GetSgPortGroupName(sg.Name) // clear acl - if err := c.DeleteAcls(pgName, portGroupKey, direction, nil); err != nil { + if err := c.DeleteAcls(pgName, portGroupKey, direction, nil, util.NilACLTier); err != nil { klog.Error(err) return fmt.Errorf("delete direction '%s' acls from port group %s: %w", direction, pgName, err) } @@ -441,7 +441,7 @@ func (c *OVNNbClient) UpdateSgACL(sg *kubeovnv1.SecurityGroup, direction string) } func (c *OVNNbClient) UpdateLogicalSwitchACL(lsName, cidrBlock string, subnetAcls []kubeovnv1.ACL, allowEWTraffic bool) error { - if err := c.DeleteAcls(lsName, logicalSwitchKey, "", map[string]string{"subnet": lsName}); err != nil { + if err := c.DeleteAcls(lsName, logicalSwitchKey, "", map[string]string{"subnet": lsName}, util.NilACLTier); err != nil { klog.Error(err) return fmt.Errorf("delete subnet acls from %s: %w", lsName, err) } @@ -530,7 +530,7 @@ func (c *OVNNbClient) UpdateACL(acl *ovnnb.ACL, fields ...interface{}) error { // SetLogicalSwitchPrivate will drop all ingress traffic except allow subnets, same subnet and node subnet func (c *OVNNbClient) SetLogicalSwitchPrivate(lsName, cidrBlock, nodeSwitchCIDR string, allowSubnets []string) error { // clear acls - if err := c.DeleteAcls(lsName, logicalSwitchKey, "", nil); err != nil { + if err := c.DeleteAcls(lsName, logicalSwitchKey, "", nil, util.NilACLTier); err != nil { klog.Error(err) return fmt.Errorf("clear logical switch %s acls: %w", lsName, err) } @@ -731,8 +731,8 @@ func (c *OVNNbClient) CreateBareACL(parentName, direction, priority, match, acti // DeleteAcls delete several acl once, // delete to-lport and from-lport direction acl when direction is empty, otherwise one-way // parentType is 'ls' or 'pg' -func (c *OVNNbClient) DeleteAcls(parentName, parentType, direction string, externalIDs map[string]string) error { - ops, err := c.DeleteAclsOps(parentName, parentType, direction, externalIDs) +func (c *OVNNbClient) DeleteAcls(parentName, parentType, direction string, externalIDs map[string]string, tier int) error { + ops, err := c.DeleteAclsOps(parentName, parentType, direction, externalIDs, tier) if err != nil { klog.Error(err) return err @@ -822,14 +822,16 @@ func (c *OVNNbClient) GetACL(parent, direction, priority, match string, ignoreNo // result should include all to-lport and from-lport acls when direction is empty, // result should include all acls when externalIDs is empty, // result should include all acls which externalIDs[key] is not empty when externalIDs[key] is "" +// result should include all acls when tier is -1 +// result should include all acls in specific tier when tier is not -1 // TODO: maybe add other filter conditions(priority or match) -func (c *OVNNbClient) ListAcls(direction string, externalIDs map[string]string) ([]ovnnb.ACL, error) { +func (c *OVNNbClient) ListAcls(direction string, externalIDs map[string]string, tier int) ([]ovnnb.ACL, error) { ctx, cancel := context.WithTimeout(context.Background(), c.Timeout) defer cancel() aclList := make([]ovnnb.ACL, 0) - if err := c.WhereCache(aclFilter(direction, externalIDs)).List(ctx, &aclList); err != nil { + if err := c.WhereCache(aclFilter(direction, externalIDs, tier)).List(ctx, &aclList); err != nil { klog.Error(err) return nil, fmt.Errorf("list acls: %w", err) } @@ -1091,8 +1093,10 @@ func newNetworkPolicyACLMatch(pgName, asAllowName, asExceptName, protocol, direc // result should include all to-lport and from-lport acls when direction is empty, // result should include all acls when externalIDs is empty, // result should include all acls which externalIDs[key] is not empty when externalIDs[key] is "" +// result should include all acls when tier is -1 +// result should include all acls in specific tier when tier is not -1 // TODO: maybe add other filter conditions(priority or match) -func aclFilter(direction string, externalIDs map[string]string) func(acl *ovnnb.ACL) bool { +func aclFilter(direction string, externalIDs map[string]string, tier int) func(acl *ovnnb.ACL) bool { return func(acl *ovnnb.ACL) bool { if len(acl.ExternalIDs) < len(externalIDs) { return false @@ -1118,6 +1122,10 @@ func aclFilter(direction string, externalIDs map[string]string) func(acl *ovnnb. return false } + if tier != util.NilACLTier && acl.Tier != tier { + return false + } + return true } } @@ -1173,7 +1181,7 @@ func (c *OVNNbClient) CreateAclsOps(parentName, parentType string, acls ...*ovnn // DeleteAcls return operation which delete several acl once, // delete to-lport and from-lport direction acl when direction is empty, otherwise one-way // parentType is 'ls' or 'pg' -func (c *OVNNbClient) DeleteAclsOps(parentName, parentType, direction string, externalIDs map[string]string) ([]ovsdb.Operation, error) { +func (c *OVNNbClient) DeleteAclsOps(parentName, parentType, direction string, externalIDs map[string]string, tier int) ([]ovsdb.Operation, error) { if parentName == "" { return nil, errors.New("the port group name or logical switch name is required") } @@ -1185,7 +1193,7 @@ func (c *OVNNbClient) DeleteAclsOps(parentName, parentType, direction string, ex externalIDs[aclParentKey] = parentName /* delete acls from port group or logical switch */ - acls, err := c.ListAcls(direction, externalIDs) + acls, err := c.ListAcls(direction, externalIDs, tier) if err != nil { klog.Error(err) return nil, fmt.Errorf("list type %s %s acls: %w", parentType, parentName, err) diff --git a/pkg/ovs/ovn-nb-acl_test.go b/pkg/ovs/ovn-nb-acl_test.go index 5ac5a6f3445..5930f6a29f6 100644 --- a/pkg/ovs/ovn-nb-acl_test.go +++ b/pkg/ovs/ovn-nb-acl_test.go @@ -1393,6 +1393,93 @@ func (suite *OvnClientTestSuite) testDeleteAcls() { err = nbClient.CreateBareLogicalSwitch(lsName) require.NoError(t, err) + t.Run("delete legacy acls from port group", func(t *testing.T) { + priority := "5601" + basePort := 5601 + acls := make([]*ovnnb.ACL, 0, 5) + + // create legacy acls + // to-lport + for i := 0; i < 2; i++ { + match := fmt.Sprintf("%s && tcp.dst == %d", matchPrefix, basePort+i) + acl, err := nbClient.newACL(pgName, ovnnb.ACLDirectionToLport, priority, match, ovnnb.ACLActionAllowRelated, util.DefaultACLTier) + require.NoError(t, err) + acls = append(acls, acl) + } + + // from-lport + for i := 0; i < 3; i++ { + match := fmt.Sprintf("%s && tcp.dst == %d", matchPrefix, basePort+i) + acl, err := nbClient.newACL(pgName, ovnnb.ACLDirectionFromLport, priority, match, ovnnb.ACLActionAllowRelated, util.DefaultACLTier) + require.NoError(t, err) + acls = append(acls, acl) + } + + err = nbClient.CreateAcls(pgName, portGroupKey, acls...) + require.NoError(t, err) + + pg, err := nbClient.GetPortGroup(pgName, false) + require.NoError(t, err) + require.Len(t, pg.ACLs, 5) + + err = nbClient.DeleteAcls(pgName, portGroupKey, "", nil, util.DefaultACLTier) + require.NoError(t, err) + + pg, err = nbClient.GetPortGroup(pgName, false) + require.NoError(t, err) + require.Empty(t, pg.ACLs) + }) + + t.Run("delete acls in specific tier from port group", func(t *testing.T) { + priority := "5601" + basePort := 5601 + acls := make([]*ovnnb.ACL, 0, 5) + + // to-lport + for i := 0; i < 2; i++ { + match := fmt.Sprintf("%s && tcp.dst == %d", matchPrefix, basePort+i) + + // tier 0 + acl0, err := nbClient.newACL(pgName, ovnnb.ACLDirectionToLport, priority, match, ovnnb.ACLActionAllowRelated, util.DefaultACLTier) + require.NoError(t, err) + acls = append(acls, acl0) + + // tier 2 + acl2, err := nbClient.newACL(pgName, ovnnb.ACLDirectionToLport, priority, match, ovnnb.ACLActionAllowRelated, util.NetpolACLTier) + require.NoError(t, err) + acls = append(acls, acl2) + } + + // from-lport + for i := 0; i < 3; i++ { + match := fmt.Sprintf("%s && tcp.dst == %d", matchPrefix, basePort+i) + + // tier 0 + acl0, err := nbClient.newACL(pgName, ovnnb.ACLDirectionFromLport, priority, match, ovnnb.ACLActionAllowRelated, util.DefaultACLTier) + require.NoError(t, err) + acls = append(acls, acl0) + + // tier 2 + acl2, err := nbClient.newACL(pgName, ovnnb.ACLDirectionFromLport, priority, match, ovnnb.ACLActionAllowRelated, util.NetpolACLTier) + require.NoError(t, err) + acls = append(acls, acl2) + } + + err = nbClient.CreateAcls(pgName, portGroupKey, acls...) + require.NoError(t, err) + + pg, err := nbClient.GetPortGroup(pgName, false) + require.NoError(t, err) + require.Len(t, pg.ACLs, 10) + + err = nbClient.DeleteAcls(pgName, portGroupKey, "", nil, util.DefaultACLTier) + require.NoError(t, err) + + pg, err = nbClient.GetPortGroup(pgName, false) + require.NoError(t, err) + require.Len(t, pg.ACLs, 5) + }) + t.Run("delete all direction acls from port group", func(t *testing.T) { priority := "5601" basePort := 5601 @@ -1421,7 +1508,7 @@ func (suite *OvnClientTestSuite) testDeleteAcls() { require.NoError(t, err) require.Len(t, pg.ACLs, 5) - err = nbClient.DeleteAcls(pgName, portGroupKey, "", nil) + err = nbClient.DeleteAcls(pgName, portGroupKey, "", nil, util.NilACLTier) require.NoError(t, err) pg, err = nbClient.GetPortGroup(pgName, false) @@ -1458,7 +1545,7 @@ func (suite *OvnClientTestSuite) testDeleteAcls() { require.Len(t, pg.ACLs, 5) /* delete to-lport direction acl */ - err = nbClient.DeleteAcls(pgName, portGroupKey, ovnnb.ACLDirectionToLport, nil) + err = nbClient.DeleteAcls(pgName, portGroupKey, ovnnb.ACLDirectionToLport, nil, util.NilACLTier) require.NoError(t, err) pg, err = nbClient.GetPortGroup(pgName, false) @@ -1466,7 +1553,7 @@ func (suite *OvnClientTestSuite) testDeleteAcls() { require.Len(t, pg.ACLs, 3) /* delete from-lport direction acl */ - err = nbClient.DeleteAcls(pgName, portGroupKey, ovnnb.ACLDirectionFromLport, nil) + err = nbClient.DeleteAcls(pgName, portGroupKey, ovnnb.ACLDirectionFromLport, nil, util.NilACLTier) require.NoError(t, err) pg, err = nbClient.GetPortGroup(pgName, false) @@ -1502,7 +1589,7 @@ func (suite *OvnClientTestSuite) testDeleteAcls() { require.NoError(t, err) require.Len(t, ls.ACLs, 5) - err = nbClient.DeleteAcls(lsName, logicalSwitchKey, "", nil) + err = nbClient.DeleteAcls(lsName, logicalSwitchKey, "", nil, util.NilACLTier) require.NoError(t, err) ls, err = nbClient.GetLogicalSwitch(lsName, false) @@ -1539,7 +1626,7 @@ func (suite *OvnClientTestSuite) testDeleteAcls() { require.Len(t, ls.ACLs, 5) /* delete to-lport direction acl */ - err = nbClient.DeleteAcls(lsName, logicalSwitchKey, ovnnb.ACLDirectionToLport, nil) + err = nbClient.DeleteAcls(lsName, logicalSwitchKey, ovnnb.ACLDirectionToLport, nil, util.NilACLTier) require.NoError(t, err) ls, err = nbClient.GetLogicalSwitch(lsName, false) @@ -1547,7 +1634,7 @@ func (suite *OvnClientTestSuite) testDeleteAcls() { require.Len(t, ls.ACLs, 3) /* delete from-lport direction acl */ - err = nbClient.DeleteAcls(lsName, logicalSwitchKey, ovnnb.ACLDirectionFromLport, nil) + err = nbClient.DeleteAcls(lsName, logicalSwitchKey, ovnnb.ACLDirectionFromLport, nil, util.NilACLTier) require.NoError(t, err) ls, err = nbClient.GetLogicalSwitch(lsName, false) @@ -1584,7 +1671,7 @@ func (suite *OvnClientTestSuite) testDeleteAcls() { require.NoError(t, err) /* delete to-lport direction acl */ - err = nbClient.DeleteAcls(lsName, logicalSwitchKey, ovnnb.ACLDirectionToLport, map[string]string{"subnet": lsName}) + err = nbClient.DeleteAcls(lsName, logicalSwitchKey, ovnnb.ACLDirectionToLport, map[string]string{"subnet": lsName}, util.NilACLTier) require.NoError(t, err) ls, err = nbClient.GetLogicalSwitch(lsName, false) @@ -1593,7 +1680,7 @@ func (suite *OvnClientTestSuite) testDeleteAcls() { }) t.Run("should no err when acls does not exist", func(t *testing.T) { - err = nbClient.DeleteAcls("test-nonexist-ls", logicalSwitchKey, ovnnb.ACLDirectionToLport, map[string]string{"subnet": "test-nonexist-ls"}) + err = nbClient.DeleteAcls("test-nonexist-ls", logicalSwitchKey, ovnnb.ACLDirectionToLport, map[string]string{"subnet": "test-nonexist-ls"}, util.NilACLTier) require.NoError(t, err) }) @@ -1615,7 +1702,7 @@ func (suite *OvnClientTestSuite) testDeleteAcls() { err = failedNbClient.CreateAcls(lsName, logicalSwitchKey, acls...) require.Error(t, err) // TODO:// should err but not for now - err = failedNbClient.DeleteAcls(lsName, logicalSwitchKey, ovnnb.ACLDirectionToLport, map[string]string{"subnet": lsName}) + err = failedNbClient.DeleteAcls(lsName, logicalSwitchKey, ovnnb.ACLDirectionToLport, map[string]string{"subnet": lsName}, util.NilACLTier) require.NoError(t, err) }) } @@ -1799,7 +1886,7 @@ func (suite *OvnClientTestSuite) testListAcls() { } /* list all direction acl */ - out, err := nbClient.ListAcls("", nil) + out, err := nbClient.ListAcls("", nil, util.NilACLTier) require.NoError(t, err) count := 0 for _, v := range out { @@ -2025,7 +2112,7 @@ func (suite *OvnClientTestSuite) testACLFilter() { } /* include all direction acl */ - filterFunc := aclFilter("", nil) + filterFunc := aclFilter("", nil, util.NilACLTier) count := 0 for _, acl := range acls { if filterFunc(acl) { @@ -2035,7 +2122,7 @@ func (suite *OvnClientTestSuite) testACLFilter() { require.Equal(t, count, 11) /* include all direction acl with external ids */ - filterFunc = aclFilter("", map[string]string{aclParentKey: pgName}) + filterFunc = aclFilter("", map[string]string{aclParentKey: pgName}, util.NilACLTier) count = 0 for _, acl := range acls { if filterFunc(acl) { @@ -2045,7 +2132,7 @@ func (suite *OvnClientTestSuite) testACLFilter() { require.Equal(t, count, 5) /* include to-lport acl */ - filterFunc = aclFilter(ovnnb.ACLDirectionToLport, nil) + filterFunc = aclFilter(ovnnb.ACLDirectionToLport, nil, util.NilACLTier) count = 0 for _, acl := range acls { if filterFunc(acl) { @@ -2055,7 +2142,7 @@ func (suite *OvnClientTestSuite) testACLFilter() { require.Equal(t, count, 4) /* include to-lport acl with external ids */ - filterFunc = aclFilter(ovnnb.ACLDirectionToLport, map[string]string{aclParentKey: pgName}) + filterFunc = aclFilter(ovnnb.ACLDirectionToLport, map[string]string{aclParentKey: pgName}, util.NilACLTier) count = 0 for _, acl := range acls { if filterFunc(acl) { @@ -2065,7 +2152,7 @@ func (suite *OvnClientTestSuite) testACLFilter() { require.Equal(t, count, 2) /* include from-lport acl */ - filterFunc = aclFilter(ovnnb.ACLDirectionFromLport, nil) + filterFunc = aclFilter(ovnnb.ACLDirectionFromLport, nil, util.NilACLTier) count = 0 for _, acl := range acls { if filterFunc(acl) { @@ -2075,7 +2162,7 @@ func (suite *OvnClientTestSuite) testACLFilter() { require.Equal(t, count, 7) /* include all from-lport acl with acl parent key*/ - filterFunc = aclFilter(ovnnb.ACLDirectionFromLport, map[string]string{aclParentKey: ""}) + filterFunc = aclFilter(ovnnb.ACLDirectionFromLport, map[string]string{aclParentKey: ""}, util.NilACLTier) count = 0 for _, acl := range acls { if filterFunc(acl) { @@ -2094,7 +2181,7 @@ func (suite *OvnClientTestSuite) testACLFilter() { filterFunc := aclFilter("", map[string]string{ aclParentKey: pgName, "key": "value", - }) + }, util.NilACLTier) require.False(t, filterFunc(acl)) }) diff --git a/pkg/ovs/ovn-nb-suite_test.go b/pkg/ovs/ovn-nb-suite_test.go index 054d39f8607..6c5bd42e305 100644 --- a/pkg/ovs/ovn-nb-suite_test.go +++ b/pkg/ovs/ovn-nb-suite_test.go @@ -23,6 +23,7 @@ import ( "github.com/kubeovn/kube-ovn/pkg/ovsdb/ovnnb" "github.com/kubeovn/kube-ovn/pkg/ovsdb/ovnsb" + "github.com/kubeovn/kube-ovn/pkg/util" ) type OvnClientTestSuite struct { @@ -1248,7 +1249,7 @@ func Test_scratch(t *testing.T) { ovnClient, err := newOvnNbClient(t, endpoint, 10) require.NoError(t, err) - err = ovnClient.DeleteAcls("test_pg", portGroupKey, ovnnb.ACLDirectionToLport, nil) + err = ovnClient.DeleteAcls("test_pg", portGroupKey, ovnnb.ACLDirectionToLport, nil, util.NilACLTier) require.NoError(t, err) } diff --git a/pkg/ovs/ovn-nb.go b/pkg/ovs/ovn-nb.go index 7d66342db4a..d9ff86b130e 100644 --- a/pkg/ovs/ovn-nb.go +++ b/pkg/ovs/ovn-nb.go @@ -118,7 +118,7 @@ func (c *OVNNbClient) DeleteSecurityGroup(sgName string) error { pgName := GetSgPortGroupName(sgName) // clear acl - if err := c.DeleteAcls(pgName, portGroupKey, "", nil); err != nil { + if err := c.DeleteAcls(pgName, portGroupKey, "", nil, util.NilACLTier); err != nil { klog.Error(err) return fmt.Errorf("delete acls from port group %s: %w", pgName, err) } diff --git a/pkg/util/const.go b/pkg/util/const.go index a54e73260e9..708275b89c3 100644 --- a/pkg/util/const.go +++ b/pkg/util/const.go @@ -160,6 +160,8 @@ const ( AnpMaxPriority = 99 AnpACLMaxPriority = 30000 BanpACLMaxPriority = 1800 + NilACLTier = -1 + DefaultACLTier = 0 AnpACLTier = 1 NetpolACLTier = 2 BanpACLTier = 3