network: support network isolate

Add new crd to convert kubesphere network policy to k8s network policy, and then other network plugin will do the rest work. Use cache.go from calico project's kube-controller, it aim to sync nsnp with k8s np, delete unused np, and relieve the pressure on k8s restful client. If you want higher performance, you can implement interface NsNetworkPolicyProvider in pkg/controller/provider/namespace_np.go. Signed-off-by: Duan Jiong <djduanjiong@gmail.com>
2020-04-15 21:42:29 +08:00
parent fc373b18e3
commit d3bdcd0465
85 changed files with 4130 additions and 6254 deletions
--- a/cmd/controller-manager/app/controllers.go
+++ b/cmd/controller-manager/app/controllers.go
@@ -25,6 +25,8 @@ import (
 	"kubesphere.io/kubesphere/pkg/controller/devopscredential"
 	"kubesphere.io/kubesphere/pkg/controller/devopsproject"
 	"kubesphere.io/kubesphere/pkg/controller/job"
+	"kubesphere.io/kubesphere/pkg/controller/network/nsnetworkpolicy"
+	"kubesphere.io/kubesphere/pkg/controller/network/provider"
 	"kubesphere.io/kubesphere/pkg/controller/pipeline"
 	"kubesphere.io/kubesphere/pkg/controller/s2ibinary"
 	"kubesphere.io/kubesphere/pkg/controller/s2irun"
@@ -126,6 +128,16 @@ func AddControllers(
 		kubesphereInformer.Cluster().V1alpha1().Clusters(),
 		client.KubeSphere().ClusterV1alpha1().Clusters())

+	nsnpProvider, err := provider.NewNsNetworkPolicyProvider(client.Kubernetes(),
+		kubernetesInformer.Networking().V1().NetworkPolicies())
+	if err != nil {
+		return err
+	}
+	nsnpController := nsnetworkpolicy.NewNSNetworkPolicyController(client.Kubernetes(),
+		client.KubeSphere().NetworkV1alpha1(), kubesphereInformer.Network().V1alpha1().NamespaceNetworkPolicies(),
+		kubernetesInformer.Core().V1().Services(), kubesphereInformer.Tenant().V1alpha1().Workspaces(),
+		kubernetesInformer.Core().V1().Namespaces(), nsnpProvider)
+
 	controllers := map[string]manager.Runnable{
 		"virtualservice-controller":   vsController,
 		"destinationrule-controller":  drController,
@@ -137,8 +149,9 @@ func AddControllers(
 		"devopsprojects-controller":   devopsProjectController,
 		"pipeline-controller":         devopsPipelineController,
 		"devopscredential-controller": devopsCredentialController,
-		"cluster-controller":          clusterController,
 		"user-controller":             userController,
+		"cluster-controller":          clusterController,
+		"nsnp-controller":             nsnpController,
 	}

 	for name, ctrl := range controllers {
--- a/cmd/controller-manager/app/server.go
+++ b/cmd/controller-manager/app/server.go
@@ -35,6 +35,7 @@ import (
 	controllerconfig "kubesphere.io/kubesphere/pkg/apiserver/config"
 	"kubesphere.io/kubesphere/pkg/client/clientset/versioned/scheme"
 	"kubesphere.io/kubesphere/pkg/controller/namespace"
+	"kubesphere.io/kubesphere/pkg/controller/network/nsnetworkpolicy"
 	"kubesphere.io/kubesphere/pkg/controller/user"
 	"kubesphere.io/kubesphere/pkg/controller/workspace"
 	"kubesphere.io/kubesphere/pkg/simple/client/openpitrix"
@@ -160,6 +161,7 @@ func Run(s *options.KubeSphereControllerManagerOptions, stopCh <-chan struct{})
 		klog.Info("registering webhooks to the webhook server")
 		hookServer.Register("/mutating-encrypt-password-iam-kubesphere-io-v1alpha2-user", &webhook.Admission{Handler: &user.PasswordCipher{Client: mgr.GetClient()}})
 		hookServer.Register("/validate-email-iam-kubesphere-io-v1alpha2-user", &webhook.Admission{Handler: &user.EmailValidator{Client: mgr.GetClient()}})
+		hookServer.Register("/validate-service-nsnp-kubesphere-io-v1alpha1-network", &webhook.Admission{Handler: &nsnetworkpolicy.ServiceValidator{}})

 		klog.V(0).Info("Starting the controllers.")
 		if err = mgr.Start(stopCh); err != nil {
--- a/cmd/ks-network/main.go
+++ b/cmd/ks-network/main.go
@@ -1,25 +0,0 @@
-package main
-
-import (
-	"flag"
-
-	"k8s.io/klog"
-	"kubesphere.io/kubesphere/pkg/controller/network/runoption"
-)
-
-var opt runoption.RunOption
-
-func init() {
-	flag.StringVar(&opt.ProviderName, "np-provider", "calico", "specify the network policy provider, k8s or calico")
-	flag.BoolVar(&opt.AllowInsecureEtcd, "allow-insecure-etcd", false, "specify allow connect to etcd using insecure http")
-	flag.StringVar(&opt.DataStoreType, "datastore-type", "k8s", "specify the datastore type of calico")
-	//TODO add more flags
-}
-
-func main() {
-	klog.InitFlags(nil)
-	flag.Set("logtostderr", "true")
-	flag.Parse()
-	klog.V(1).Info("Preparing kubernetes client")
-	klog.Fatal(opt.Run())
-}