Add Azure-npm to provide native k8s network policy support

[saiyan86]

What this PR does / why we need it:

This PR provides native k8s policy support.
Azure-npm is a Microsoft Azure's fault-tolerant and scalable implementation of Kubernetes Network Policy plugin.
Azure-npm supports all network policies specified by current version of Kubernetes, and will continue to support future versions.

Azure-npm only supports Kubernetes v1.8 or later, as it requires NetworkPolicy API v1beta1.

[saiyan86]

/assign @jackfrancis

[CecileRobertMichon]

copy paste typo in the comment, should say Azure CNI, not cilium

[CecileRobertMichon]

This should probably be network plugin instead of network policy since you are adding one for network policy. Or maybe we could reuse the same constant for both? Your call.

[saiyan86]

@jackfrancis separated NetworkPolicy & NetworkPlugin. So basically NetworkPlugin means CNI and NetworkPolicy means network policy plugin. These are two different things.

[CecileRobertMichon]

Yes I meant the comment should reflect that, right it's // NetworkPluginAzure is the string expression for Azure CNI network policy which is confusing

[CecileRobertMichon]

What is the reason for changing the default here? This might break backwards compatibility so we'll have to do some extensive testing if this is something we want. cc: @jackfrancis

[saiyan86]

Previously we don't have network policy support in Azure CNI, now we just released it. Therefore we want to set default NetworkPolicy to azure.

[CecileRobertMichon]

Could you explain why this is needed?

[saiyan86]

For setting default NetworkPolicy to azure

[CecileRobertMichon]

I don't understand how this is setting the default NetworkPolicy to azure? What I'm reading is "if NetworkPolicy is none. set NetworkPolicy to "" and NetworkPlugin to kubenet". What am I missing?

[saiyan86]

Previously it overwrites NetworkPolicy to "" if NetworkPolicy == NetworkPolicyAzure. It's not needed anymore.

[jackfrancis]

These changes need to be removed from this PR. The entire reason for this code (as described in the comments) is to maintain backwards-compatibility with prior usage patterns. This code is not meant to accommodate ongoing usage pattern changes/additions.

[CecileRobertMichon]

Azure-npm only supports Kubernetes v1.8 or later, as it requires NetworkPolicy API v1beta1. does this mean we should add some validation on the k8s version? Right now it looks like it is being enabled by default, even if I specify k8s 1.7.x

[saiyan86]

@CecileRobertMichon You're right. We could overwrite the NetworkPolicy to DefaultNetworkPolicy for k8s < 1.8.

[CecileRobertMichon]

I think this should happen in defaults.go since it is modifying the default behavior

[codecov]

Codecov Report

Merging #3205 into master will increase coverage by 0.04%.
The diff coverage is 84%.

@@            Coverage Diff             @@
##           master    #3205      +/-   ##
==========================================
+ Coverage   54.55%   54.59%   +0.04%     
==========================================
  Files         104      104              
  Lines       15739    15759      +20     
==========================================
+ Hits         8586     8604      +18     
- Misses       6404     6405       +1     
- Partials      749      750       +1

[CecileRobertMichon]

How does this PR relate to #3198 ?

[saiyan86]

@CecileRobertMichon PR #3198 is Azure Container Network Monitering Service, which is used for container networking telemetry purposes. This PR adds native k8s network policy support.

[jackfrancis]

Let's move this < 1.8.0 logic up into the above switch/case statement, as it is executing against an identical condition (NetworkPolicy == "azure")

[CecileRobertMichon]

What is the expected default behavior for network policy after this PR if a user does not pass in any netork plugin/policy value? ie. with the default kubernetes example apimodel

We need to update the relevant docs (especially since the default behavior isn't straightforward by looking at the code because of all the back compat cruft), specifically https://github.com/Azure/acs-engine/blob/master/examples/networkpolicy/README.md and clusterdefinition.md

[jackfrancis]

This change should have no impact on the current expected default configuration outcome. From a high level, this PR:

• introduces a new allowd networkPlugin/networkPolicy combination of "azure"/"azure"
• The above, new, configuration installs the Azure NetworkPolicy daemonset via the addons vector onto their cluster

That should be it. I believe our unit tests should ensure no regressions in our default configuration cases.

[CecileRobertMichon]

/lgtm

[jackfrancis]

/lgtm

[acs-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CecileRobertMichon, jackfrancis, saiyan86

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [CecileRobertMichon,jackfrancis]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[marrobi]

@saiyan86 Great to see this progressing. Where do we report issues with azure-npm? Is there a repo available? Certain policies do not seem to function correctly, for example try https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/04-deny-traffic-from-other-namespaces.md . This does not seem to work with azure-npm, but does with kube-router. Policies using pod selectors do seem to work.

@jackfrancis @CecileRobertMichon are you aware of a project that tests various network policies?

Thanks.

[sharmasushant]

@marrobi Thank you for trying it out. Please file the issue @ https://github.com/Azure/azure-container-networking/issues

[marrobi]

@sharmasushant see Azure/azure-container-networking#185

[jackfrancis]

@marrobi I'm not! We have a very basic NetworkPolicy validation in our E2E tests, would love to introduce something more thorough if you discover a comprehensive lib/project.

[saiyan86]

@jackfrancis I will add some tests soon that should work for both Calico and us.