use of org.onosproject.k8snetworking.api.Constants.SHIFTED_IP_PREFIX in project onos by opennetworkinglab.
the class K8sNetworkPolicyHandler method setAllowRulesByPolicy.
private void setAllowRulesByPolicy(NetworkPolicy policy, boolean install) {
Map<String, Map<String, List<NetworkPolicyPort>>> white = Maps.newConcurrentMap();
int nsHash = namespaceHashByNamespace(k8sNamespaceService, policy.getMetadata().getNamespace());
List<NetworkPolicyIngressRule> ingress = policy.getSpec().getIngress();
if (ingress != null && ingress.size() == 1) {
NetworkPolicyIngressRule rule = ingress.get(0);
if (rule.getFrom().size() == 0 && rule.getPorts().size() == 0) {
setAllowAllRule(nsHash, DIRECTION_INGRESS, install);
}
}
policy.getSpec().getIngress().forEach(i -> {
Map<String, List<NetworkPolicyPort>> direction = Maps.newConcurrentMap();
direction.put(DIRECTION_INGRESS, i.getPorts());
i.getFrom().forEach(peer -> {
// IP block
if (peer.getIpBlock() != null) {
if (peer.getIpBlock().getExcept() != null && peer.getIpBlock().getExcept().size() > 0) {
Map<String, List<NetworkPolicyPort>> blkDirection = Maps.newConcurrentMap();
blkDirection.put(DIRECTION_INGRESS, i.getPorts());
white.compute(peer.getIpBlock().getCidr(), (k, v) -> blkDirection);
setBlackRules(peer.getIpBlock().getCidr(), DIRECTION_INGRESS, peer.getIpBlock().getExcept(), install);
} else {
white.compute(peer.getIpBlock().getCidr(), (k, v) -> direction);
}
}
// POD selector
Set<Pod> pods = podsFromPolicyPeer(peer, policy.getMetadata().getNamespace());
pods.stream().filter(pod -> pod.getStatus().getPodIP() != null).forEach(pod -> {
white.compute(shiftIpDomain(pod.getStatus().getPodIP(), SHIFTED_IP_PREFIX) + "/" + HOST_PREFIX, (m, n) -> direction);
white.compute(pod.getStatus().getPodIP() + "/" + HOST_PREFIX, (m, n) -> direction);
});
// Namespace selector
setAllowNamespaceRules(nsHash, namespacesByPolicyPeer(peer), DIRECTION_INGRESS, install);
});
});
List<NetworkPolicyEgressRule> egress = policy.getSpec().getEgress();
if (egress != null && egress.size() == 1) {
NetworkPolicyEgressRule rule = egress.get(0);
if (rule.getTo().size() == 0 && rule.getPorts().size() == 0) {
setAllowAllRule(nsHash, DIRECTION_EGRESS, install);
}
}
policy.getSpec().getEgress().forEach(e -> {
Map<String, List<NetworkPolicyPort>> direction = Maps.newConcurrentMap();
direction.put(DIRECTION_EGRESS, e.getPorts());
e.getTo().forEach(peer -> {
// IP block
if (peer.getIpBlock() != null) {
if (peer.getIpBlock().getExcept() != null && peer.getIpBlock().getExcept().size() > 0) {
Map<String, List<NetworkPolicyPort>> blkDirection = Maps.newConcurrentMap();
blkDirection.put(DIRECTION_EGRESS, e.getPorts());
white.compute(peer.getIpBlock().getCidr(), (k, v) -> {
if (v != null) {
v.put(DIRECTION_EGRESS, e.getPorts());
return v;
} else {
return blkDirection;
}
});
setBlackRules(peer.getIpBlock().getCidr(), DIRECTION_EGRESS, peer.getIpBlock().getExcept(), install);
} else {
white.compute(peer.getIpBlock().getCidr(), (k, v) -> {
if (v != null) {
v.put(DIRECTION_EGRESS, e.getPorts());
return v;
} else {
return direction;
}
});
}
}
// POD selector
Set<Pod> pods = podsFromPolicyPeer(peer, policy.getMetadata().getNamespace());
pods.stream().filter(pod -> pod.getStatus().getPodIP() != null).forEach(pod -> {
white.compute(shiftIpDomain(pod.getStatus().getPodIP(), SHIFTED_IP_PREFIX) + "/" + HOST_PREFIX, (m, n) -> {
if (n != null) {
n.put(DIRECTION_EGRESS, e.getPorts());
return n;
} else {
return direction;
}
});
white.compute(pod.getStatus().getPodIP() + "/" + HOST_PREFIX, (m, n) -> {
if (n != null) {
n.put(DIRECTION_EGRESS, e.getPorts());
return n;
} else {
return direction;
}
});
});
// Namespace selector
setAllowNamespaceRules(nsHash, namespacesByPolicyPeer(peer), DIRECTION_EGRESS, install);
});
});
setAllowRules(namespaceHashByNamespace(k8sNamespaceService, policy.getMetadata().getNamespace()), white, install);
setBlackToRouteRules(true);
}
use of org.onosproject.k8snetworking.api.Constants.SHIFTED_IP_PREFIX in project onos by opennetworkinglab.
the class K8sSwitchingArpHandler method processArpRequest.
private void processArpRequest(PacketContext context, Ethernet ethPacket) {
ARP arpPacket = (ARP) ethPacket.getPayload();
K8sPort srcK8sPort = k8sNetworkService.ports().stream().filter(p -> p.macAddress().equals(ethPacket.getSourceMAC())).findAny().orElse(null);
PortNumber srcPortNum = context.inPacket().receivedFrom().port();
DeviceId srcDeviceId = context.inPacket().receivedFrom().deviceId();
boolean isEntryPort = false;
for (K8sNode node : k8sNodeService.completeNodes()) {
if (srcDeviceId.equals(node.intgBridge()) && srcPortNum.equals(node.intgEntryPortNum())) {
isEntryPort = true;
}
}
// integration bridge entry port, we simply ignore the ARP request...
if (srcK8sPort == null && !isEntryPort) {
log.warn("Failed to find source port(MAC:{})", ethPacket.getSourceMAC());
return;
}
IpAddress targetIp = Ip4Address.valueOf(arpPacket.getTargetProtocolAddress());
// look up the MAC address from regular k8s ports
MacAddress replyMac = k8sNetworkService.ports().stream().filter(p -> p.ipAddress().equals(targetIp)).map(K8sPort::macAddress).findAny().orElse(null);
// look up the MAC address from special integration entry port (e.g., LOCAL, k8s-int-os)
for (K8sNetwork network : k8sNetworkService.networks()) {
if (network.gatewayIp().equals(targetIp)) {
K8sNode node = k8sNodeService.node(network.name());
replyMac = node.intgEntryPortMac();
}
}
if (replyMac == null) {
String cidr = k8sNetworkService.networks().stream().map(K8sNetwork::cidr).findAny().orElse(null);
if (cidr != null) {
String unshiftedIp = unshiftIpDomain(targetIp.toString(), SHIFTED_IP_PREFIX, cidr);
replyMac = k8sNetworkService.ports().stream().filter(p -> p.ipAddress().equals(IpAddress.valueOf(unshiftedIp))).map(K8sPort::macAddress).findAny().orElse(null);
}
}
if (replyMac == null) {
Set<String> serviceIps = k8sServiceService.services().stream().map(s -> s.getSpec().getClusterIP()).collect(Collectors.toSet());
if (serviceIps.contains(targetIp.toString())) {
replyMac = MacAddress.valueOf(SERVICE_FAKE_MAC_STR);
}
}
if (replyMac == null) {
if (targetIp.toString().startsWith(NODE_IP_PREFIX)) {
String targetIpPrefix = targetIp.toString().split("\\.")[1];
String nodePrefix = NODE_IP_PREFIX + "." + targetIpPrefix;
String origNodeCidr = k8sNodeService.completeNodes().stream().map(n -> n.nodeIp().toString()).findAny().orElse(null);
if (origNodeCidr != null) {
String origNodeIp = unshiftIpDomain(targetIp.toString(), nodePrefix, origNodeCidr);
IpPrefix k8sNodeIpCidr = IpPrefix.valueOf(IpAddress.valueOf(origNodeCidr), 24);
SubnetUtils k8sNodeSubnet = new SubnetUtils(k8sNodeIpCidr.toString());
String k8sNodeGateway = getGatewayIp(k8sNodeIpCidr.toString()).toString();
String seekIp = "";
if (!k8sNodeSubnet.getInfo().isInRange(origNodeIp)) {
replyMac = extHostMacStore.asJavaMap().get(IpAddress.valueOf(k8sNodeGateway));
seekIp = k8sNodeGateway;
} else {
replyMac = extHostMacStore.asJavaMap().get(IpAddress.valueOf(origNodeIp));
seekIp = origNodeIp;
}
// we need to manually learn their MAC addresses
if (replyMac == null) {
ConnectPoint cp = context.inPacket().receivedFrom();
K8sNode k8sNode = k8sNodeService.node(cp.deviceId());
if (k8sNode != null) {
// we use fake IP and MAC address as a source to
// query destination MAC address
setArpRequest(MacAddress.valueOf(NODE_FAKE_MAC_STR).toBytes(), IpAddress.valueOf(NODE_FAKE_IP_STR).toOctets(), IpAddress.valueOf(seekIp).toOctets(), k8sNode);
context.block();
return;
}
}
}
}
}
if (replyMac == null) {
replyMac = MacAddress.valueOf(gatewayMac);
}
Ethernet ethReply = ARP.buildArpReply(targetIp.getIp4Address(), replyMac, ethPacket);
TrafficTreatment treatment = DefaultTrafficTreatment.builder().setOutput(context.inPacket().receivedFrom().port()).build();
packetService.emit(new DefaultOutboundPacket(context.inPacket().receivedFrom().deviceId(), treatment, ByteBuffer.wrap(ethReply.serialize())));
context.block();
}
Aggregations