From 9bc6652585f30f3de0d1b3e668bb59deeb41c7ad Mon Sep 17 00:00:00 2001
From: Hao Zhou
Date: Fri, 2 Feb 2024 21:00:59 +0000
Subject: [PATCH 1/2] combine endpoints based on cidr

---
 pkg/policyendpoints/manager.go | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/pkg/policyendpoints/manager.go b/pkg/policyendpoints/manager.go
index 15ba92a..c1a1b1a 100644
--- a/pkg/policyendpoints/manager.go
+++ b/pkg/policyendpoints/manager.go
@@ -167,7 +167,37 @@ func (m *policyEndpointsManager) computePolicyEndpoints(policy *networking.Netwo
 		}
 	}
 
-	return createPolicyEndpoints, updatePolicyEndpoints, deletePolicyEndpoints, nil
+	return m.processPolicyEndpoints(createPolicyEndpoints), m.processPolicyEndpoints(updatePolicyEndpoints), deletePolicyEndpoints, nil
+}
+
+func (m *policyEndpointsManager) processPolicyEndpoints(pes []policyinfo.PolicyEndpoint) []policyinfo.PolicyEndpoint {
+	var newPEs []policyinfo.PolicyEndpoint
+	for _, pe := range pes {
+		pe.Spec.Ingress = combineRulesEndpoints(pe.Spec.Ingress)
+		pe.Spec.Egress = combineRulesEndpoints(pe.Spec.Egress)
+		newPEs = append(newPEs, pe)
+	}
+	m.logger.Info("manager processed policy endpoints to consolidate rules", "preLen", len(pes), "postLen", len(newPEs), "newPEs", newPEs)
+	return newPEs
+}
+
+// the controller should consolidate the ingress endpoints and put entries to one CIDR if they belong to a same cidr
+func combineRulesEndpoints(ingressEndpoints []policyinfo.EndpointInfo) []policyinfo.EndpointInfo {
+	combinedMap := make(map[string]policyinfo.EndpointInfo)
+	for _, iep := range ingressEndpoints {
+		if _, ok := combinedMap[string(iep.CIDR)]; ok {
+			tempIEP := combinedMap[string(iep.CIDR)]
+			tempIEP.Ports = append(combinedMap[string(iep.CIDR)].Ports, iep.Ports...)
+			tempIEP.Except = append(combinedMap[string(iep.CIDR)].Except, iep.Except...)
+			combinedMap[string(iep.CIDR)] = tempIEP
+		} else {
+			combinedMap[string(iep.CIDR)] = iep
+		}
+	}
+	if len(combinedMap) > 0 {
+		return maps.Values(combinedMap)
+	}
+	return nil
 }
 
 func (m *policyEndpointsManager) newPolicyEndpoint(policy *networking.NetworkPolicy,

From 338d6fee80c44a6498044cfb38cbf778b95a2f0b Mon Sep 17 00:00:00 2001
From: Hao Zhou
Date: Sat, 3 Feb 2024 00:40:22 +0000
Subject: [PATCH 2/2] add unit test for combining rules

---
 pkg/policyendpoints/manager.go | 2 +-
 pkg/policyendpoints/manager_test.go | 59 +++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+), 1 deletion(-)

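Review bot: Merging `Except` lists in combineRulesEndpoints changes policy semantics: when two rules share a CIDR, the `tempIEP.Except = append(...)` line applies one rule's exceptions to the other rule's ports, and if an empty `Ports` list denotes all ports (not confirmable from this hunk), an all-ports rule merged with a port-restricted one shrinks to the restricted ports. The merged entry is then narrower than the union of the original rules, so traffic the NetworkPolicy allowed is denied after consolidation; entries that carry Except or have no Ports should be kept separate rather than merged, as sketched below. `maps.Values(combinedMap)` also returns values in map-iteration order (assuming this is golang.org/x/exp/maps, since the stdlib maps.Values returns an iterator), so the Ingress/Egress slice order differs run to run and can make otherwise-equal PolicyEndpoint specs compare unequal in later create/update decisions. Finally, `append(combinedMap[...].Ports, iep.Ports...)` appends onto the slice header stored from the caller's `ingressEndpoints[i]`, so with spare capacity it can write into the caller's backing array; copying on first insert avoids that. The changed return line belongs to computePolicyEndpoints, whose body starts outside the hunk.
```go
func combineRulesEndpoints(ingressEndpoints []policyinfo.EndpointInfo) []policyinfo.EndpointInfo {
	combinedMap := make(map[string]policyinfo.EndpointInfo)
	var order []string // first-seen CIDR order keeps the output deterministic
	var unmerged []policyinfo.EndpointInfo
	for _, iep := range ingressEndpoints {
		// Entries with Except, or with no Ports (presumably "all ports" — confirm), are
		// not equivalent to a union of port lists; keep them as separate entries.
		if len(iep.Except) > 0 || len(iep.Ports) == 0 {
			unmerged = append(unmerged, iep)
			continue
		}
		key := string(iep.CIDR)
		existing, ok := combinedMap[key]
		if !ok {
			// copy so later appends cannot write into the caller's backing array
			iep.Ports = append([]policyinfo.Port(nil), iep.Ports...)
			combinedMap[key] = iep
			order = append(order, key)
			continue
		}
		existing.Ports = append(existing.Ports, iep.Ports...)
		combinedMap[key] = existing
	}
	if len(order)+len(unmerged) == 0 {
		return nil
	}
	out := make([]policyinfo.EndpointInfo, 0, len(order)+len(unmerged))
	for _, key := range order {
		out = append(out, combinedMap[key])
	}
	return append(out, unmerged...)
}
```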
diff --git a/pkg/policyendpoints/manager.go b/pkg/policyendpoints/manager.go
index c1a1b1a..26634f5 100644
--- a/pkg/policyendpoints/manager.go
+++ b/pkg/policyendpoints/manager.go
@@ -181,7 +181,7 @@ func (m *policyEndpointsManager) processPolicyEndpoints(pes []policyinfo.PolicyE
 	return newPEs
 }
 
-// the controller should consolidate the ingress endpoints and put entries to one CIDR if they belong to a same cidr
+// the controller should consolidate the ingress and egress endpoints and put entries to one CIDR if they belong to a same CIDR
 func combineRulesEndpoints(ingressEndpoints []policyinfo.EndpointInfo) []policyinfo.EndpointInfo {
 	combinedMap := make(map[string]policyinfo.EndpointInfo)
 	for _, iep := range ingressEndpoints {
diff --git a/pkg/policyendpoints/manager_test.go b/pkg/policyendpoints/manager_test.go
index 2f7a15d..16049e7 100644
--- a/pkg/policyendpoints/manager_test.go
+++ b/pkg/policyendpoints/manager_test.go
@@ -9,6 +9,7 @@ import (
 	networking "k8s.io/api/networking/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
 	policyinfo "github.com/aws/amazon-network-policy-controller-k8s/api/v1alpha1"
 )
@@ -494,3 +495,61 @@ func Test_policyEndpointsManager_computePolicyEndpoints(t *testing.T) {
 		})
 	}
 }
+
+func Test_processPolicyEndpoints(t *testing.T) {
+	m := &policyEndpointsManager{
+		logger: zap.New(),
+	}
+
+	p80 := int32(80)
+	p8080 := int32(8080)
+	pTCP := corev1.ProtocolTCP
+	pUDP := corev1.ProtocolUDP
+
+	pes := m.processPolicyEndpoints([]policyinfo.PolicyEndpoint{
+		{
+			Spec: policyinfo.PolicyEndpointSpec{
+				Ingress: []policyinfo.EndpointInfo{
+					{
+						CIDR: "1.2.3.4",
+						Ports: []policyinfo.Port{
+							{Port: &p80, Protocol: &pTCP},
+						},
+					},
+					{
+						CIDR: "1.2.3.4",
+						Ports: []policyinfo.Port{
+							{Port: &p8080, Protocol: &pTCP},
+						},
+					},
+					{
+						CIDR: "1.2.3.4",
+						Ports: []policyinfo.Port{
+							{Protocol: &pUDP},
+						},
+					},
+				},
+				Egress: []policyinfo.EndpointInfo{
+					{
+						CIDR: "1.2.3.5",
+						Ports: []policyinfo.Port{
+							{Port: &p80, Protocol: &pTCP},
+						},
+					},
+					{
+						CIDR: "1.2.3.5",
+						Ports: []policyinfo.Port{
+							{Port: &p8080, Protocol: &pTCP},
+						},
+					},
+				},
+			},
+		},
+	})
+	assert.Equal(t, 1, len(pes[0].Spec.Ingress))
+	assert.Equal(t, 1, len(pes[0].Spec.Egress))
+	assert.Equal(t, "1.2.3.4", string(pes[0].Spec.Ingress[0].CIDR))
+	assert.Equal(t, "1.2.3.5", string(pes[0].Spec.Egress[0].CIDR))
+	assert.Equal(t, 3, len(pes[0].Spec.Ingress[0].Ports))
+	assert.Equal(t, 2, len(pes[0].Spec.Egress[0].Ports))
+}
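Review bot: The assertions in Test_processPolicyEndpoints only check slice lengths and CIDR strings, so a merge that drops, duplicates or reorders ports would still pass; assert the merged `Ports` contents (e.g. testify's `assert.ElementsMatch`) rather than `len(...)` alone. Every input in the case shares one CIDR per direction, so it never exercises two distinct CIDRs in one rule set, where combineRulesEndpoints returns `maps.Values` in map-iteration order and an index check like `pes[0].Spec.Ingress[0]` becomes order-dependent. It also covers no entry with `Except` set or with an empty `Ports` list, which is exactly where consolidation can change what the policy allows. Adding those cases would pin the intended semantics before the dataplane relies on the consolidated output.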