Skip to content

policy: Add Port Range Support for Policies Part 2/3 #32675

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
May 29, 2024
Merged

policy: Add Port Range Support for Policies Part 2/3 #32675

merged 3 commits into from
May 29, 2024

Conversation

nathanjsweet
Copy link
Member

@nathanjsweet nathanjsweet commented May 22, 2024
edited
Loading

This PR prepares the policy engine for adding port ranges
by enabling the underlying userspace cache to calculate
insertion, deletion, and lookups with port ranges, as well
as adding unit tests to ensure that the logic works. It does
not add support for adding policy port ranges at the API
level that will be addressed in the final PR.

The Policy CRD is modified by this PR without
supporting port ranges at the policy repository level
(this will be added in the final PR). This has to be done
because the "PortProtocol" struct is shared by both
the CRD (aka the API level) and the L4Filter struct
(aka the cache level).

See commits for details.

@nathanjsweet nathanjsweet requested review from a team as code owners May 22, 2024 19:03
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 22, 2024
@nathanjsweet nathanjsweet requested a review from tommyp1ckles May 22, 2024 19:03
@github-actions github-actions bot added the sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. label May 22, 2024
@nathanjsweet nathanjsweet added release-note/misc This PR makes changes that have no direct user impact. and removed sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels May 22, 2024
@nathanjsweet nathanjsweet force-pushed the pr/nathanjsweet/add-policy-port-range-mapping-part-2 branch from d65985c to bf32472 Compare May 22, 2024 19:20
@nathanjsweet nathanjsweet requested a review from a team as a code owner May 22, 2024 19:20
@nathanjsweet nathanjsweet force-pushed the pr/nathanjsweet/add-policy-port-range-mapping-part-2 branch from bf32472 to d16e24a Compare May 22, 2024 19:46
@nathanjsweet
Copy link
Member Author

/test

tommyp1ckles
tommyp1ckles approved these changes May 23, 2024
View reviewed changes
Copy link
Contributor

@tommyp1ckles tommyp1ckles left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

endpoint changes lgtm

kaworu
kaworu approved these changes May 24, 2024
View reviewed changes
Copy link
Member

@kaworu kaworu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hubble changes LGTM

learnitall
learnitall approved these changes May 24, 2024
View reviewed changes
Copy link
Contributor

@learnitall learnitall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

API changes LGTM!

doniacld
doniacld approved these changes May 28, 2024
View reviewed changes
Copy link
Contributor

@doniacld doniacld left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One nit question, otherwise LGTM! 🫰

@nathanjsweet nathanjsweet force-pushed the pr/nathanjsweet/add-policy-port-range-mapping-part-2 branch 2 times, most recently from 8e8ff17 to 2ea1f3a Compare May 28, 2024 21:56
@nathanjsweet
policy: Add InvertedPortMask to MapState Key
e028f01 
- Add PortMask to MapKey structure, to make "0" the default value.
- Use PortRangeToMaskedPorts when creating keys for toMapState in L4 policies.
- Update maps/policy to account for mask.
- Introduce range logic into mapstate.
- Fix minor IsSupersetOf test issues.
- Add range unit tests to distillery tests.

Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
@nathanjsweet
policy: Fix Deny Insertion Logic
4a727b1 
Deny insertion has, heretofore, handled duplicate
deny entries by only checking for wildcard port
protocol entries as a way to prevent duplicate
deny entries or by ignoring them completely as
duplicate deny entries did not cause any problems.
This does not work with the more
precise de-duplication logic required by port
ranges, because overlapping ranges is a new
dimension of de-duplication that has to be
enforced.

Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
@nathanjsweet
policy: Add Unit Tests for Port Ranges
665f290 
Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
@nathanjsweet nathanjsweet force-pushed the pr/nathanjsweet/add-policy-port-range-mapping-part-2 branch from 2ea1f3a to 665f290 Compare May 28, 2024 22:13
@nathanjsweet
Copy link
Member Author

/test

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label May 29, 2024
@nathanjsweet nathanjsweet added this pull request to the merge queue May 29, 2024
Merged via the queue into main with commit 885b998 May 29, 2024
@nathanjsweet nathanjsweet deleted the pr/nathanjsweet/add-policy-port-range-mapping-part-2 branch May 29, 2024 14:15
@nathanjsweet nathanjsweet mentioned this pull request Jun 14, 2024
Merged
@jrajahalme jrajahalme mentioned this pull request Jul 10, 2024
Merged
@jrajahalme jrajahalme mentioned this pull request Jul 22, 2024
Merged
@christarazi christarazi added the sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. label Jul 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kaworu kaworu kaworu approved these changes

@tommyp1ckles tommyp1ckles tommyp1ckles approved these changes

+2 more reviewers

@learnitall learnitall learnitall approved these changes

@doniacld doniacld doniacld approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@nathanjsweet @kaworu @tommyp1ckles @learnitall @doniacld @christarazi