interceptor builds

fix loggin regressions and slim down interface fix test put nfqueue in a seperate package have to default config first duplicate metrics don't clean up rules till the end more to shutdown keep tryig thin down interface some type verdict
kubernetes-sigs · Nov 25, 2024 · 784bf6b · 784bf6b
1 parent c26c8d5
commit 784bf6b
Show file tree

Hide file tree

Showing 11 changed files with 738 additions and 615 deletions.
diff --git a/cmd/main.go b/cmd/main.go
@@ -8,15 +8,16 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
-	"time"
 
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"sigs.k8s.io/kube-network-policies/pkg/networkpolicy"
+	"sigs.k8s.io/kube-network-policies/pkg/nfqinterceptor"
 	npaclient "sigs.k8s.io/network-policy-api/pkg/client/clientset/versioned"
 	npainformers "sigs.k8s.io/network-policy-api/pkg/client/informers/externalversions"
 	"sigs.k8s.io/network-policy-api/pkg/client/informers/externalversions/apis/v1alpha1"
 
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/informers"
 	v1 "k8s.io/client-go/informers/core/v1"
 	"k8s.io/client-go/kubernetes"
@@ -55,6 +56,12 @@ func init() {
 	}
 }
 
+type interceptor interface {
+	// Run should block until context is done and then clean up its resources.
+	Run(context.Context, func(networkpolicy.Packet) networkpolicy.Verdict) error
+	Sync(ctx context.Context, podV4IPs, podV6IPs sets.Set[string]) error
+}
+
 // This is a pattern to ensure that deferred functions executes before os.Exit
 func main() {
 	os.Exit(run())
@@ -90,7 +97,8 @@ func run() int {
 
 	nodeName, err := nodeutil.GetHostname(hostnameOverride)
 	if err != nil {
-		klog.Fatalf("can not obtain the node name, use the hostname-override flag if you want to set it to a specific value: %v", err)
+		logger.Error(err, "can not obtain the node name, use the hostname-override flag if you want to set it to a specific value")
+		return 1
 	}
 
 	cfg := networkpolicy.Config{
@@ -104,7 +112,8 @@ func run() int {
 	// creates the in-cluster config
 	config, err := rest.InClusterConfig()
 	if err != nil {
-		panic(err.Error())
+		logger.Error(err, "could not get cluster config")
+		return 1
 	}
 
 	// use protobuf for better performance at scale
@@ -116,7 +125,8 @@ func run() int {
 	// creates the clientset
 	clientset, err := kubernetes.NewForConfig(config)
 	if err != nil {
-		panic(err.Error())
+		logger.Error(err, "could not create clientset")
+		return 1
 	}
 
 	informersFactory := informers.NewSharedInformerFactory(clientset, 0)
@@ -128,7 +138,8 @@ func run() int {
 		nodeInformer = informersFactory.Core().V1().Nodes()
 		npaClient, err = npaclient.NewForConfig(npaConfig)
 		if err != nil {
-			klog.Fatalf("Failed to create Network client: %v", err)
+			logger.Error(err, "Failed to create Network client")
+			return 1
 		}
 		npaInformerFactory = npainformers.NewSharedInformerFactory(npaClient, 0)
 	}
@@ -148,13 +159,28 @@ func run() int {
 		utilruntime.HandleError(err)
 	}()
 
+	err = cfg.Defaults()
+	if err != nil {
+		logger.Error(err, "could not default config")
+		return 1
+	}
+
+	//TODO log config?
+
+	interceptor, err := nfqinterceptor.New(cfg)
+	if err != nil {
+		logger.Error(err, "could not start nfq interceptror")
+		return 1
+	}
+
 	networkPolicyController, err := networkpolicy.NewController(
 		clientset,
 		informersFactory.Networking().V1().NetworkPolicies(),
 		informersFactory.Core().V1().Namespaces(),
 		informersFactory.Core().V1().Pods(),
 		nodeInformer,
 		npaClient,
+		interceptor,
 		anpInformer,
 		banpInformer,
 		cfg,
@@ -163,19 +189,19 @@ func run() int {
 		logger.Error(err, "Can not start network policy controller")
 		return 1
 	}
-	go func() {
-		err := networkPolicyController.Run(ctx)
-		utilruntime.HandleError(err)
-	}()
+	err = networkPolicyController.Run(ctx)
+	if err != nil {
+		logger.Error(err, "Can not start network policy controller")
+		return 1
+	}
 
 	informersFactory.Start(ctx.Done())
 	if adminNetworkPolicy || baselineAdminNetworkPolicy {
 		npaInformerFactory.Start(ctx.Done())
 	}
 
-	<-ctx.Done()
+	//should block till its resources are cleane up.
+	interceptor.Run(ctx, networkPolicyController.EvaluatePacket)
 
-	// grace period to cleanup resources
-	time.Sleep(5 * time.Second)
 	return 0
 }