Commit

Add support for attaching TCX, TC and XDP programs inside containers. (#345)

* Add ContainerSelector to tc, tcx, and xdp programs
* Add netns support for TCX, TC and XDP programs.

GetPrimaryNodeInterface() only finds the primary "node" interface, which
may or may not be the name of the primary interface inside of a container.

Signed-off-by: Andre Fredette <afredette@redhat.com>
anfredette authored Dec 6, 2024
1 parent 07f9ef1 commit 1165a8c
Showing 28 changed files with 1,561 additions and 285 deletions.
6 changes: 6 additions & 0 deletions apis/v1alpha1/tcProgram_types.go
Expand Up @@ -61,6 +61,12 @@ type TcProgramInfo struct {
// Selector to determine the network interface (or interfaces)
InterfaceSelector InterfaceSelector `json:"interfaceselector"`

// Containers identifes the set of containers in which to attach the eBPF
// program. If Containers is not specified, the BPF program will be attached
// in the root network namespace.
// +optional
Containers *ContainerSelector `json:"containers"`

// Priority specifies the priority of the tc program in relation to
// other programs of the same type with the same attach point. It is a value
// from 0 to 1000 where lower values have higher precedence.
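Review bot: the new `Containers` field is `+optional` and a pointer, but its tag is `json:"containers"` without `omitempty`, so an unset selector serializes as `"containers": null` instead of being dropped; suggest `Containers *ContainerSelector `json:"containers,omitempty"`` to match the optional semantics. The doc comment also has "identifes" for "identifies" and switches from "eBPF program" to "BPF program" between consecutive sentences.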
6 changes: 6 additions & 0 deletions apis/v1alpha1/tcxProgram_types.go
Expand Up @@ -58,6 +58,12 @@ type TcxProgramInfo struct {
// Selector to determine the network interface (or interfaces)
InterfaceSelector InterfaceSelector `json:"interfaceselector"`

// Containers identifes the set of containers in which to attach the eBPF
// program. If Containers is not specified, the BPF program will be attached
// in the root network namespace.
// +optional
Containers *ContainerSelector `json:"containers"`

// Direction specifies the direction of traffic the tcx program should
// attach to for a given network device.
// +kubebuilder:validation:Enum=ingress;egress
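Review bot: this doc comment is a verbatim copy of the one in tcProgram_types.go, typo ("identifes") and missing `omitempty` included, so any fix should be applied to all three program types together. Since `Direction` (the next field) is documented per "network device", the `Containers` comment should also say whether ingress/egress are interpreted relative to the interface inside the selected container's network namespace when a container is targeted.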
6 changes: 6 additions & 0 deletions apis/v1alpha1/xdpProgram_types.go
Expand Up @@ -59,6 +59,12 @@ type XdpProgramInfo struct {
// Selector to determine the network interface (or interfaces)
InterfaceSelector InterfaceSelector `json:"interfaceselector"`

// Containers identifes the set of containers in which to attach the eBPF
// program. If Containers is not specified, the BPF program will be attached
// in the root network namespace.
// +optional
Containers *ContainerSelector `json:"containers"`

// Priority specifies the priority of the bpf program in relation to
// other programs of the same type with the same attach point. It is a value
// from 0 to 1000 where lower values have higher precedence.
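Review bot: the commit message states that GetPrimaryNodeInterface() only finds the node's primary interface, which may not be the primary interface inside a container, yet the `Containers` comment does not say how `InterfaceSelector` is resolved when `Containers` is set; suggest stating that interface names are looked up inside each selected container's network namespace so users do not expect the primary-node-interface selector to apply there. Same `json:"containers,omitempty"` and "identifes" points as in the tc and tcx types.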
15 changes: 15 additions & 0 deletions apis/v1alpha1/zz_generated.deepcopy.go
Expand Up @@ -307,7 +307,7 @@ metadata:
capabilities: Basic Install
categories: OpenShift Optional
containerImage: quay.io/bpfman/bpfman-operator:latest
createdAt: "2024-11-01T20:38:03Z"
createdAt: "2024-12-06T14:27:05Z"
features.operators.openshift.io/cnf: "false"
features.operators.openshift.io/cni: "false"
features.operators.openshift.io/csi: "true"
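Review bot: this hunk only bumps the generated `createdAt` timestamp in the bundle CSV from 2024-11-01 to 2024-12-06; if the bundle was regenerated as part of this change that is expected, otherwise it is unrelated churn that will conflict with other bundle updates and can be dropped. Note the preceding file header names apis/v1alpha1/zz_generated.deepcopy.go, whose 15 added lines are collapsed in this view, so the deepcopy for the new pointer field cannot be checked here.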
204 changes: 204 additions & 0 deletions bundle/manifests/bpfman.io_bpfapplications.yaml
Expand Up @@ -459,6 +459,74 @@ spec:
BpfFunctionName is the name of the function that is the entry point for the BPF
program
type: string
containers:
description: |-
Containers identifes the set of containers in which to attach the eBPF
program. If Containers is not specified, the BPF program will be attached
in the root network namespace.
properties:
containernames:
description: |-
Name(s) of container(s). If none are specified, all containers in the
pod are selected.
items:
type: string
type: array
namespace:
default: ""
description: Target namespaces.
type: string
pods:
description: |-
Target pods. This field must be specified, to select all pods use
standard metav1.LabelSelector semantics and make it empty.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- pods
type: object
direction:
description: |-
Direction specifies the direction of traffic the tc program should
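Review bot: `namespace` is a single string whose description reads "Target namespaces." (plural) with `default: ""`; the schema should state what the empty default means (the BpfApplication's own namespace, or every namespace in the cluster). Because container selection decides which pods' network namespaces a program is attached into, an ambiguous match-all default is a privilege-scope concern and deserves an explicit, conservative definition. Also, `containernames` lacks the `x-kubernetes-list-type` annotation that the other arrays in this block carry.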
Expand Down Expand Up @@ -582,6 +650,74 @@ spec:
BpfFunctionName is the name of the function that is the entry point for the BPF
program
type: string
containers:
description: |-
Containers identifes the set of containers in which to attach the eBPF
program. If Containers is not specified, the BPF program will be attached
in the root network namespace.
properties:
containernames:
description: |-
Name(s) of container(s). If none are specified, all containers in the
pod are selected.
items:
type: string
type: array
namespace:
default: ""
description: Target namespaces.
type: string
pods:
description: |-
Target pods. This field must be specified, to select all pods use
standard metav1.LabelSelector semantics and make it empty.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- pods
type: object
direction:
description: |-
Direction specifies the direction of traffic the tcx program should
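Review bot: `pods` is listed under `required` while its description says "to select all pods use standard metav1.LabelSelector semantics and make it empty"; an empty selector `{}` matches every pod in the namespace, so confirm the Go field is a non-pointer without `omitempty` (otherwise the required check rejects the documented all-pods form) and consider spelling out that match-all consequence in the description. The `containers` block is otherwise identical to the TC schema above, as expected from the shared ContainerSelector type.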
Expand Down Expand Up @@ -1082,6 +1218,74 @@ spec:
BpfFunctionName is the name of the function that is the entry point for the BPF
program
type: string
containers:
description: |-
Containers identifes the set of containers in which to attach the eBPF
program. If Containers is not specified, the BPF program will be attached
in the root network namespace.
properties:
containernames:
description: |-
Name(s) of container(s). If none are specified, all containers in the
pod are selected.
items:
type: string
type: array
namespace:
default: ""
description: Target namespaces.
type: string
pods:
description: |-
Target pods. This field must be specified, to select all pods use
standard metav1.LabelSelector semantics and make it empty.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- pods
type: object
interfaceselector:
description: Selector to determine the network interface
(or interfaces)
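Review bot: third verbatim copy of the generated `containers` schema, so the "identifes" typo and the ambiguous "Target namespaces." description appear in all three program types; they originate in the ContainerSelector type's Go comments and should be fixed there once and regenerated, not edited in the YAML. For XDP, where `interfaceselector` immediately follows, the description should note that the selector is resolved inside the selected container's network namespace, consistent with the commit message's caveat about GetPrimaryNodeInterface().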

0 comments on commit 1165a8c