Add v1beta2 support #67
Conversation
Pull Request Test Coverage Report for Build 11165520063Details
💛 - Coveralls |
nkinkade
changed the title
|
@zeeke: Thank you for the reply. I have modified this PR such that it should only contain changes to go.mod, go.sum, vendor/, and the import renaming for v1beta2. I realized as I was putting this together that I don't know how to handle stacked PRs from a forked repository back to the upstream in Github, to the extent that Github can even natively handle them. I have the changes that should go on top of this PR for v1beta2 support queued up in my fork: If I create a PR with that against this repository, the Github UI compares it to I can submit the other PR, and the Github UI should do the right thing once/if this PR gets merged. Do you have any suggestions on how to proceed? Thanks! Nathan |
|
Oh, I also noted that one of the e2e tests that were triggered by my PR failed. I will try to take a look at that to see if it was the result of my changes. |
nkinkade
changed the title
|
/uncc |
|
hi @nkinkade, I suggest you to proceed as following: Otherwise, you can deep dive into the mechanism of |
|
@zeeke: I apologize, I'm a little confused by your suggestions. What if I back up and start from the beginning? When you requested that I split the original PR into modules/vendor/imports and policyrules.go, that left the the implementation of actually supporting v1beta2 split between two PRs, which seemed odd to me, but I tried to do it since that is what you requested. It seems to me that the v1beta1->v1beta2 module/alias import changes should go be in the same PR as the changes to policyrules.go, since neither one works without the other. To clarify, I would normally not touch Go modules at all, nor vendoring, but I only did so because the current go.mod imports a version of github.com/k8snetworkplumbingwg/multi-networkpolicy from before that module supported v1beta2 (v0.0.0-20200903074708-7b3ce95ae804). Perhaps it would have been better for me to manually update that single module import in go.mod rather than just running What do you think about me closing #69, and backuping up on this PR, removing almost all modifications to go.mod/go.sum and vendor/, except for the one specific update necessary in go.mod for github.com/k8snetworkplumbingwg/multi-networkpolicy? Then this PR could consist of nothing but the precise changes necessary to support v1beta2. I apologize if I've made this harder than it needs to have been by originally including a bunch of changes to Go modules and vendoring that didn't necessarily have anything to do with the functionality introduced the PR. When working on repos that I own, I'll generally pull in all changes to modules while I'm at it, just so that modules do get to stale, but I can see that this strategy doesn't work well when contributing to other projects. |
|
hi @nkinkade, and thanks for putting effort into this work. I really appreciate it. What I meant in my request is to split the commit, not the PR. I think having a single PR for bumping the dependency (go.mod + vendor + other changes) is good. In the first push, this PR had 3 commits:
The first commit (33d115a) is a little bit hard to review, as it contains a log of change. My request is to have 1 PR (you can use this by using
Ok to close #69 Please let me know if you need guidance on this |
|
Ah, I apologize for the confusion on my part! Now your previous suggestions make more sense. I will refactor this PR into discrete commits that are easier to review. |
This is purely the results of running `go mod tidy` and `go mod vendor`. The only reason for doing this is to update the module github.com/k8snetworkplumbingwg/multi-networkpolicy to a version in which v1beta2 is supported.
This commit updates all references to the import to use the new import alias of "v1beta2" and "multiinformerv1beta2". Additionally, there are 5 or 6 small changes suggested by the Go linter in vscode.
This commit simply adds a small conditional checking whether port.EndPort is not nil, in which case it writes the iptable rule with flag `--dport N:N`, else it write the same iptables rule as before.
Verfies that a port specification which includes endPort writes the expected iptables rule with `--dport N:N`, and that one that doesn't include endPort writes the normal iptables rule with `--dport N`.
nkinkade
changed the title
|
@zeeke: The commit history of this PR show now be much cleaner and easy to inspect. There is still, at least, one outstanding issue that will probably need to be resolved before this PR can be accepted. I noticed on my first PR that most of the Kind e2e tests were failing with my changes. I suspect that this is because the e2e tests deploy the MultiNetworkPolicy CRD using scheme.yml from the master branch of the repository github.com/k8snetworkplumbingwg/multi-networkpolicy. That CRD has v1beta2 disabled. There was already some discussion of this issue not that long ago: k8snetworkplumbingwg/multi-networkpolicy#23 Do you have any advice on how to handle this dependency, as well as the Kind e2e tests? |
pkg/server/policyrules.go
Outdated
| if port.EndPort != nil { | ||
| writeLine(ipt.ingressPorts, "-A", chainName, | ||
| "-i", podIntf.InterfaceName, | ||
| "-m", proto, "-p", proto, "--dport", fmt.Sprintf("%s:%d", port.Port.String(), *port.EndPort), | ||
| "-j", "MARK", "--set-xmark", "0x10000/0x10000") | ||
| } else { | ||
| writeLine(ipt.ingressPorts, "-A", chainName, | ||
| "-i", podIntf.InterfaceName, | ||
| "-m", proto, "-p", proto, "--dport", port.Port.String(), | ||
| "-j", "MARK", "--set-xmark", "0x10000/0x10000") | ||
| } |
There was a problem hiding this comment.
what do you think about this form?
| if port.EndPort != nil { | |
| writeLine(ipt.ingressPorts, "-A", chainName, | |
| "-i", podIntf.InterfaceName, | |
| "-m", proto, "-p", proto, "--dport", fmt.Sprintf("%s:%d", port.Port.String(), *port.EndPort), | |
| "-j", "MARK", "--set-xmark", "0x10000/0x10000") | |
| } else { | |
| writeLine(ipt.ingressPorts, "-A", chainName, | |
| "-i", podIntf.InterfaceName, | |
| "-m", proto, "-p", proto, "--dport", port.Port.String(), | |
| "-j", "MARK", "--set-xmark", "0x10000/0x10000") | |
| } | |
| dport := port.Port.String() | |
| if port.EndPort != nil { | |
| dport = fmt.Sprintf("%s:%d", port.Port.String(), *port.EndPort) | |
| } | |
| writeLine(ipt.ingressPorts, "-A", chainName, | |
| "-i", podIntf.InterfaceName, | |
| "-m", proto, "-p", proto, "--dport", dport, | |
| "-j", "MARK", "--set-xmark", "0x10000/0x10000") |
Might read a little bit simpler, WDYT?
Also, do you mind adding a similar logic to renderEgressPorts(...)?
There was a problem hiding this comment.
Your suggested change makes sense and is better and more readable... eliminating a duplication of writeLine().
I also added the same functionality to renderEgressPorts(), along with a basic unit test. This was an oversight on my part. Our use case only requires ingress rules, but clearly this functionality needs to exist for both. Thanks for catching that.
This was an oversight on my part, as our use case only requires ingress rules, but the functionality needs to be available for both ingress and egress rules. Additionally, I reformated the logic, per PR reviewer suggestions, to eliminate some redudnacy and make the code cleaner and more readable.
This PR attempts to add v1beta2 support to this repository. A container image built with these changes is currently running in our sandbox cluster and appears to be working as intended. That said, I know little to nothing about how kubernetes APIs are written or managed, nor necessarily best practices. It is entirely possible that while these changes function, that the implementation is way off. If so, any guidance would be appreciated.
Though this PR touches 49 files, I only manually touched a small handful of them. All the other changes are the result of running
go mod tidyandgo mod vendor. I essentially did these few things:multiv1beta2), and updated all references to it.multiinformerv1beta2), and updated all references to it.--dportflag of the iptables command whenport.EndPortis not nil.Are there any other changes that are necessary or that you would like to see to consider accepting this PR?