add custom acls for subnet

681f698b · hzma · 7bd25c63 · 681f698b · 681f698b · 681f698b
Commit 681f698b authored 3 years ago by hzma
Hide whitespace changes
Inline Side-by-side

Showing

with 144 additions and 1 deletion
+144 -1
--- a/dist/images/install.sh
+++ b/dist/images/install.sh
@@ -643,6 +643,30 @@ spec:
                  type: boolean
                ipv6RAConfigs:
                  type: string
+                acls:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      direction:
+                        type: string
+                        enum:
+                          - from-lport
+                          - to-lport
+                      priority:
+                        type: integer
+                        minimum: 0
+                        maximum: 32767
+                      match:
+                        type: string
+                      action:
+                        type: string
+                        enum:
+                          - allow-related
+                          - allow-stateless
+                          - allow
+                          - drop
+                          - reject
  scope: Cluster
  names:
    plural: subnets

--- a/pkg/apis/kubeovn/v1/types.go
+++ b/pkg/apis/kubeovn/v1/types.go
@@ -133,6 +133,15 @@ type SubnetSpec struct {

 	EnableIPv6RA  bool   `json:"enableIPv6RA"`
 	IPv6RAConfigs string `json:"ipv6RAConfigs"`
+
+	Acls []Acl `json:"acls,omitempty"`
+}
+
+type Acl struct {
+	Direction string `json:"direction,omitempty"`
+	Priority  int    `json:"priority,omitempty"`
+	Match     string `json:"match,omitempty"`
+	Action    string `json:"action,omitempty"`
 }

 // ConditionType encodes information on the condition

--- a/pkg/apis/kubeovn/v1/zz_generated.deepcopy.go
+++ b/pkg/apis/kubeovn/v1/zz_generated.deepcopy.go
@@ -25,6 +25,22 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Acl) DeepCopyInto(out *Acl) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Acl.
+func (in *Acl) DeepCopy() *Acl {
+	if in == nil {
+		return nil
+	}
+	out := new(Acl)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomInterface) DeepCopyInto(out *CustomInterface) {
 	*out = *in
@@ -682,6 +698,11 @@ func (in *SubnetSpec) DeepCopyInto(out *SubnetSpec) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.Acls != nil {
+		in, out := &in.Acls, &out.Acls
+		*out = make([]Acl, len(*in))
+		copy(*out, *in)
+	}
 	return
 }


--- a/pkg/controller/subnet.go
+++ b/pkg/controller/subnet.go
@@ -97,7 +97,8 @@ func (c *Controller) enqueueUpdateSubnet(old, new interface{}) {
 		oldSubnet.Spec.DHCPv6Options != newSubnet.Spec.DHCPv6Options ||
 		oldSubnet.Spec.EnableIPv6RA != newSubnet.Spec.EnableIPv6RA ||
 		oldSubnet.Spec.IPv6RAConfigs != newSubnet.Spec.IPv6RAConfigs ||
-		oldSubnet.Spec.Protocol != newSubnet.Spec.Protocol {
+		oldSubnet.Spec.Protocol != newSubnet.Spec.Protocol ||
+		!reflect.DeepEqual(oldSubnet.Spec.Acls, newSubnet.Spec.Acls) {
 		klog.V(3).Infof("enqueue update subnet %s", key)
 		c.addOrUpdateSubnetQueue.Add(key)
 	}
@@ -701,6 +702,11 @@ func (c *Controller) handleAddOrUpdateSubnet(key string) error {
 		c.patchSubnetStatus(subnet, "ResetLogicalSwitchAclSuccess", "")
 	}

+	if err := c.ovnClient.UpdateSubnetACL(subnet.Name, subnet.Spec.Acls); err != nil {
+		c.patchSubnetStatus(subnet, "SetLogicalSwitchAclsFailed", err.Error())
+		return err
+	}
+
 	c.updateVpcStatusQueue.Add(subnet.Spec.Vpc)
 	return nil
 }

--- a/pkg/ovs/ovn-nbctl.go
+++ b/pkg/ovs/ovn-nbctl.go
@@ -2483,3 +2483,62 @@ func (c *Client) UpdateRouterPortIPv6RA(ls, lr, cidrBlock, gateway, ipv6RAConfig
 	}
 	return nil
 }
+
+func (c Client) DeleteSubnetACL(ls string) error {
+	results, err := c.CustomFindEntity("acl", []string{"direction", "priority", "match"}, fmt.Sprintf("external_ids:subnet=\"%s\"", ls))
+	if err != nil {
+		klog.Errorf("customFindEntity failed, %v", err)
+		return err
+	}
+	if len(results) == 0 {
+		return nil
+	}
+
+	for _, result := range results {
+		aclArgs := []string{"acl-del", ls}
+		aclArgs = append(aclArgs, result["direction"][0], result["priority"][0], result["match"][0])
+
+		_, err := c.ovnNbCommand(aclArgs...)
+		return err
+	}
+	return nil
+}
+
+func (c Client) UpdateSubnetACL(ls string, acls []kubeovnv1.Acl) error {
+	if len(acls) == 0 {
+		return nil
+	}
+
+	if err := c.DeleteSubnetACL(ls); err != nil {
+		klog.Errorf("delete subnet acl failed, %v", err)
+		return err
+	}
+
+	for _, acl := range acls {
+		aclArgs := []string{}
+		aclArgs = append(aclArgs, "--", MayExist, "acl-add", ls, acl.Direction, strconv.Itoa(acl.Priority), acl.Match, acl.Action)
+		_, err := c.ovnNbCommand(aclArgs...)
+		if err != nil {
+			klog.Errorf("create subnet acl failed, %v", err)
+			return err
+		}
+
+		results, err := c.CustomFindEntity("acl", []string{"_uuid"}, fmt.Sprintf("priority=%d", acl.Priority), fmt.Sprintf("direction=%s", acl.Direction), fmt.Sprintf("match=\"%s\"", acl.Match))
+		if err != nil {
+			klog.Errorf("customFindEntity failed, %v", err)
+			return err
+		}
+		if len(results) == 0 {
+			return nil
+		}
+
+		uuid := results[0]["_uuid"][0]
+		ovnCmd := []string{"set", "acl", uuid}
+		ovnCmd = append(ovnCmd, fmt.Sprintf("external_ids:subnet=\"%s\"", ls))
+
+		if _, err := c.ovnNbCommand(ovnCmd...); err != nil {
+			return fmt.Errorf("failed to set subnet acl externalIds, %v", err)
+		}
+	}
+	return nil
+}
--- a/yamls/crd.yaml
+++ b/yamls/crd.yaml
@@ -238,6 +238,30 @@ spec:
                  type: string
                htbqos:
                  type: string
+                acls:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      direction:
+                        type: string
+                        enum:
+                          - from-lport
+                          - to-lport
+                      priority:
+                        type: integer
+                        minimum: 0
+                        maximum: 32767
+                      match:
+                        type: string
+                      action:
+                        type: string
+                        enum:
+                          - allow-related
+                          - allow-stateless
+                          - allow
+                          - drop
+                          - reject
  scope: Cluster
  names:
    plural: subnets