Add support for NodeNetworkPolicy dataplane

Signed-off-by: Hongliang Liu <[email protected]>
antrea-io · Dec 11, 2023 · 7506017 · 7506017
1 parent edac36c
commit 7506017
Show file tree

Hide file tree

Showing 37 changed files with 3,935 additions and 168 deletions.
diff --git a/build/charts/antrea/README.md b/build/charts/antrea/README.md
@@ -117,6 +117,33 @@ Kubernetes: `>= 1.16.0-0`
 | nodeIPAM.nodeCIDRMaskSizeIPv6 | int | `64` | Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. |
 | nodeIPAM.serviceCIDR | string | `""` | IPv4 CIDR ranges reserved for Services. |
 | nodeIPAM.serviceCIDRv6 | string | `""` | IPv6 CIDR ranges reserved for Services. |
+| nodeNetworkPolicy.privilegedRules[0].description | string | `"allow ingress traffic to SSH"` |  |
+| nodeNetworkPolicy.privilegedRules[0].direction | string | `"ingress"` |  |
+| nodeNetworkPolicy.privilegedRules[0].ports[0] | int | `22` |  |
+| nodeNetworkPolicy.privilegedRules[0].protocol | string | `"tcp"` |  |
+| nodeNetworkPolicy.privilegedRules[1].description | string | `"allow ingress traffic to Kubernetes ports"` |  |
+| nodeNetworkPolicy.privilegedRules[1].direction | string | `"ingress"` |  |
+| nodeNetworkPolicy.privilegedRules[1].ports[0] | int | `6443` |  |
+| nodeNetworkPolicy.privilegedRules[1].ports[1] | string | `"10248-10250"` |  |
+| nodeNetworkPolicy.privilegedRules[1].ports[2] | string | `"10256-10258"` |  |
+| nodeNetworkPolicy.privilegedRules[1].protocol | string | `"tcp"` |  |
+| nodeNetworkPolicy.privilegedRules[2].description | string | `"allow egress traffic to Kubernetes ports"` |  |
+| nodeNetworkPolicy.privilegedRules[2].direction | string | `"egress"` |  |
+| nodeNetworkPolicy.privilegedRules[2].ports[0] | int | `6443` |  |
+| nodeNetworkPolicy.privilegedRules[2].ports[1] | string | `"10248-10250"` |  |
+| nodeNetworkPolicy.privilegedRules[2].ports[2] | string | `"10256-10258"` |  |
+| nodeNetworkPolicy.privilegedRules[2].protocol | string | `"tcp"` |  |
+| nodeNetworkPolicy.privilegedRules[3].description | string | `"allow ingress traffic to Antrea ports"` |  |
+| nodeNetworkPolicy.privilegedRules[3].direction | string | `"ingress"` |  |
+| nodeNetworkPolicy.privilegedRules[3].ports[0] | string | `"10348-10351"` |  |
+| nodeNetworkPolicy.privilegedRules[3].protocol | string | `"tcp"` |  |
+| nodeNetworkPolicy.privilegedRules[4].description | string | `"allow egress traffic to Antrea ports"` |  |
+| nodeNetworkPolicy.privilegedRules[4].direction | string | `"egress"` |  |
+| nodeNetworkPolicy.privilegedRules[4].ports[0] | string | `"10348-10351"` |  |
+| nodeNetworkPolicy.privilegedRules[4].protocol | string | `"tcp"` |  |
+| nodeNetworkPolicy.privilegedRules[5].description | string | `"allow egress traffic to DNS port"` |  |
+| nodeNetworkPolicy.privilegedRules[5].direction | string | `"egress"` |  |
+| nodeNetworkPolicy.privilegedRules[5].ports[0] | int | `53` |  |
 | nodePortLocal.enable | bool | `false` | Enable the NodePortLocal feature. |
 | nodePortLocal.portRange | string | `"61000-62000"` | Port range used by NodePortLocal when creating Pod port mappings. |
 | ovs.bridgeName | string | `"br-int"` | Name of the OVS bridge antrea-agent will create and use. |

diff --git a/build/charts/antrea/conf/antrea-agent.conf b/build/charts/antrea/conf/antrea-agent.conf
@@ -79,6 +79,9 @@ featureGates:
 # Enable Egress traffic shaping.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "EgressTrafficShaping" "default" false) }}
 
+# Allow users to protect their Kubernetes Nodes.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "NodeNetworkPolicy" "default" false) }}
+
 # Name of the OpenVSwitch bridge antrea-agent will create and use.
 # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
 ovsBridge: {{ .Values.ovs.bridgeName | quote }}
@@ -431,3 +434,11 @@ secondaryNetwork:
 {{- end }}
 
 {{- end }}
+
+nodeNetworkPolicy:
+{{- with .Values.nodeNetworkPolicy }}
+  # privilegedRules is a list of rules applied to Nodes to guarantee the their availability of network alongside any
+  # user-defined NodeNetworkPolicy rules.
+  privilegedRules:
+  {{- toYaml .privilegedRules | trim | nindent 4 }}
+{{- end }}
diff --git a/build/charts/antrea/conf/antrea-controller.conf b/build/charts/antrea/conf/antrea-controller.conf
@@ -54,6 +54,9 @@ featureGates:
 # set security postures for their clusters.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AdminNetworkPolicy" "default" false) }}
 
+# Allow users to protect their Kubernetes Nodes.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "NodeNetworkPolicy" "default" false) }}
+
 # The port for the antrea-controller APIServer to serve on.
 # Note that if it's set to another value, the `containerPort` of the `api` port of the
 # `antrea-controller` container must be set to the same value.

diff --git a/build/charts/antrea/values.yaml b/build/charts/antrea/values.yaml
@@ -416,6 +416,43 @@ multicluster:
     # -- WireGuard tunnel port for cross-cluster traffic.
     port: 51821
 
+nodeNetworkPolicy:
+  # Configure nodeNetworkPolicy privileged rules for Antrea Agent.
+  privilegedRules:
+    - protocol: tcp
+      direction: ingress
+      ports:
+        - 22
+      description: "allow ingress traffic to SSH"
+    - protocol: tcp
+      direction: ingress
+      ports:
+        - 6443
+        - 10248-10250
+        - 10256-10258
+      description:  "allow ingress traffic to Kubernetes ports"
+    - protocol: tcp
+      direction: egress
+      ports:
+        - 6443
+        - 10248-10250
+        - 10256-10258
+      description: "allow egress traffic to Kubernetes ports"
+    - protocol: tcp
+      direction: ingress
+      ports:
+        - 10348-10351
+      description:  "allow ingress traffic to Antrea ports"
+    - protocol: tcp
+      direction: egress
+      ports:
+        - 10348-10351
+      description: "allow egress traffic to Antrea ports"
+    - direction: egress
+      ports:
+        - 53
+      description: "allow egress traffic to DNS port"
+
 testing:
   # -- Enable code coverage measurement (used when testing Antrea only).
   coverage: false

diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
@@ -5576,6 +5576,9 @@ data:
     # Enable Egress traffic shaping.
     #  EgressTrafficShaping: false
 
+    # Allow users to protect their Kubernetes Nodes.
+    #  NodeNetworkPolicy: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -5884,6 +5887,44 @@ data:
       maxAge: 28
       # Compress enables gzip compression on rotated files.
       compress: true
+
+    nodeNetworkPolicy:
+      # privilegedRules is a list of rules applied to Nodes to guarantee the their availability of network alongside any
+      # user-defined NodeNetworkPolicy rules.
+      privilegedRules:
+      - description: allow ingress traffic to SSH
+        direction: ingress
+        ports:
+        - 22
+        protocol: tcp
+      - description: allow ingress traffic to Kubernetes ports
+        direction: ingress
+        ports:
+        - 6443
+        - 10248-10250
+        - 10256-10258
+        protocol: tcp
+      - description: allow egress traffic to Kubernetes ports
+        direction: egress
+        ports:
+        - 6443
+        - 10248-10250
+        - 10256-10258
+        protocol: tcp
+      - description: allow ingress traffic to Antrea ports
+        direction: ingress
+        ports:
+        - 10348-10351
+        protocol: tcp
+      - description: allow egress traffic to Antrea ports
+        direction: egress
+        ports:
+        - 10348-10351
+        protocol: tcp
+      - description: allow egress traffic to DNS port
+        direction: egress
+        ports:
+        - 53
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -5964,6 +6005,9 @@ data:
     # set security postures for their clusters.
     #  AdminNetworkPolicy: false
 
+    # Allow users to protect their Kubernetes Nodes.
+    #  NodeNetworkPolicy: false
+
     # The port for the antrea-controller APIServer to serve on.
     # Note that if it's set to another value, the `containerPort` of the `api` port of the
     # `antrea-controller` container must be set to the same value.
@@ -6868,7 +6912,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: e59e0431902646d46cba490279184fea2bdd3c8b486b5a7b1d3ece9a91614634
+        checksum/config: abaf2d6048c053447397fee6ad607f19fb7c833e77416872024e71688fabcbda
       labels:
         app: antrea
         component: antrea-agent
@@ -7106,7 +7150,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: e59e0431902646d46cba490279184fea2bdd3c8b486b5a7b1d3ece9a91614634
+        checksum/config: abaf2d6048c053447397fee6ad607f19fb7c833e77416872024e71688fabcbda
       labels:
         app: antrea
         component: antrea-controller

diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml
@@ -5576,6 +5576,9 @@ data:
     # Enable Egress traffic shaping.
     #  EgressTrafficShaping: false
 
+    # Allow users to protect their Kubernetes Nodes.
+    #  NodeNetworkPolicy: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -5884,6 +5887,44 @@ data:
       maxAge: 28
       # Compress enables gzip compression on rotated files.
       compress: true
+
+    nodeNetworkPolicy:
+      # privilegedRules is a list of rules applied to Nodes to guarantee the their availability of network alongside any
+      # user-defined NodeNetworkPolicy rules.
+      privilegedRules:
+      - description: allow ingress traffic to SSH
+        direction: ingress
+        ports:
+        - 22
+        protocol: tcp
+      - description: allow ingress traffic to Kubernetes ports
+        direction: ingress
+        ports:
+        - 6443
+        - 10248-10250
+        - 10256-10258
+        protocol: tcp
+      - description: allow egress traffic to Kubernetes ports
+        direction: egress
+        ports:
+        - 6443
+        - 10248-10250
+        - 10256-10258
+        protocol: tcp
+      - description: allow ingress traffic to Antrea ports
+        direction: ingress
+        ports:
+        - 10348-10351
+        protocol: tcp
+      - description: allow egress traffic to Antrea ports
+        direction: egress
+        ports:
+        - 10348-10351
+        protocol: tcp
+      - description: allow egress traffic to DNS port
+        direction: egress
+        ports:
+        - 53
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -5964,6 +6005,9 @@ data:
     # set security postures for their clusters.
     #  AdminNetworkPolicy: false
 
+    # Allow users to protect their Kubernetes Nodes.
+    #  NodeNetworkPolicy: false
+
     # The port for the antrea-controller APIServer to serve on.
     # Note that if it's set to another value, the `containerPort` of the `api` port of the
     # `antrea-controller` container must be set to the same value.
@@ -6868,7 +6912,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: e59e0431902646d46cba490279184fea2bdd3c8b486b5a7b1d3ece9a91614634
+        checksum/config: abaf2d6048c053447397fee6ad607f19fb7c833e77416872024e71688fabcbda
       labels:
         app: antrea
         component: antrea-agent
@@ -7107,7 +7151,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: e59e0431902646d46cba490279184fea2bdd3c8b486b5a7b1d3ece9a91614634
+        checksum/config: abaf2d6048c053447397fee6ad607f19fb7c833e77416872024e71688fabcbda
       labels:
         app: antrea
         component: antrea-controller

diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml
@@ -5576,6 +5576,9 @@ data:
     # Enable Egress traffic shaping.
     #  EgressTrafficShaping: false
 
+    # Allow users to protect their Kubernetes Nodes.
+    #  NodeNetworkPolicy: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -5884,6 +5887,44 @@ data:
       maxAge: 28
       # Compress enables gzip compression on rotated files.
       compress: true
+
+    nodeNetworkPolicy:
+      # privilegedRules is a list of rules applied to Nodes to guarantee the their availability of network alongside any
+      # user-defined NodeNetworkPolicy rules.
+      privilegedRules:
+      - description: allow ingress traffic to SSH
+        direction: ingress
+        ports:
+        - 22
+        protocol: tcp
+      - description: allow ingress traffic to Kubernetes ports
+        direction: ingress
+        ports:
+        - 6443
+        - 10248-10250
+        - 10256-10258
+        protocol: tcp
+      - description: allow egress traffic to Kubernetes ports
+        direction: egress
+        ports:
+        - 6443
+        - 10248-10250
+        - 10256-10258
+        protocol: tcp
+      - description: allow ingress traffic to Antrea ports
+        direction: ingress
+        ports:
+        - 10348-10351
+        protocol: tcp
+      - description: allow egress traffic to Antrea ports
+        direction: egress
+        ports:
+        - 10348-10351
+        protocol: tcp
+      - description: allow egress traffic to DNS port
+        direction: egress
+        ports:
+        - 53
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -5964,6 +6005,9 @@ data:
     # set security postures for their clusters.
     #  AdminNetworkPolicy: false
 
+    # Allow users to protect their Kubernetes Nodes.
+    #  NodeNetworkPolicy: false
+
     # The port for the antrea-controller APIServer to serve on.
     # Note that if it's set to another value, the `containerPort` of the `api` port of the
     # `antrea-controller` container must be set to the same value.
@@ -6868,7 +6912,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 3b1758664de8044af1aa7454c64bd1a4911750e562e1ae9375c9c16a335a469d
+        checksum/config: 63a1ee2c95dadff00662700101f56736088e6f0c17bc47430ebda2b8a881d951
       labels:
         app: antrea
         component: antrea-agent
@@ -7104,7 +7148,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 3b1758664de8044af1aa7454c64bd1a4911750e562e1ae9375c9c16a335a469d
+        checksum/config: 63a1ee2c95dadff00662700101f56736088e6f0c17bc47430ebda2b8a881d951
       labels:
         app: antrea
         component: antrea-controller