diff --git a/build/charts/antrea/README.md b/build/charts/antrea/README.md index a24525b391f..40d703d394b 100644 --- a/build/charts/antrea/README.md +++ b/build/charts/antrea/README.md @@ -85,6 +85,7 @@ Kubernetes: `>= 1.16.0-0` | multicast.igmpQueryInterval | string | `"125s"` | The interval at which the antrea-agent sends IGMP queries to Pods. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". | | multicast.multicastInterfaces | list | `[]` | Names of the interfaces on Nodes that are used to forward multicast traffic. | | multicluster.enable | bool | `false` | Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. This feature is supported only with encap mode. | +| multicluster.enableStretchedNetworkPolicy | bool | `false` | Enable Multicluster which allow Antrea-native policies to select peers from other clusters in a ClusterSet. This feature is supported only with encap mode when the tunnel type is Geneve. | | multicluster.namespace | string | `""` | The Namespace where Antrea Multi-cluster Controller is running. The default is antrea-agent's Namespace. | | noSNAT | bool | `false` | Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. | | nodeIPAM.clusterCIDRs | list | `[]` | CIDR ranges to use when allocating Pod IP addresses. | diff --git a/build/charts/antrea/conf/antrea-controller.conf b/build/charts/antrea/conf/antrea-controller.conf index fbb62e20429..aaf6095dd60 100644 --- a/build/charts/antrea/conf/antrea-controller.conf +++ b/build/charts/antrea/conf/antrea-controller.conf @@ -113,5 +113,5 @@ multicluster: {{- with .Values.multicluster }} # Enable Multicluster which allow Antrea-native policies to select peers # from other clusters in a ClusterSet. - enable: {{ .enable }} + enableStretchedNetworkPolicy: {{ .enableStretchedNetworkPolicy }} {{- end }} diff --git a/build/charts/antrea/values.yaml b/build/charts/antrea/values.yaml index 9dbdcb0f1e4..572ba01caa3 100644 
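Review bot: The comment kept above the renamed key in antrea-controller.conf still reads `# Enable Multicluster which allow Antrea-native policies to select peers`, which no longer describes what `enableStretchedNetworkPolicy` controls and omits the constraints the values.yaml hunk documents (encap mode with the Geneve tunnel type) and the Multicluster feature gate that cmd/antrea-controller/options.go now requires. Suggest replacing the two comment lines with `# Enable StretchedNetworkPolicy, which lets Antrea-native policies select peers from other clusters in a ClusterSet. Requires the Multicluster feature gate, encap mode and the Geneve tunnel type.` Renaming `enable` to `enableStretchedNetworkPolicy` also means an existing antrea-controller.conf that still sets `multicluster.enable: true` is no longer honoured; whether that is rejected or silently ignored depends on the controller config struct, which is not part of this diff.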
--- a/build/charts/antrea/values.yaml +++ b/build/charts/antrea/values.yaml @@ -307,6 +307,10 @@ multicluster: # -- The Namespace where Antrea Multi-cluster Controller is running. # The default is antrea-agent's Namespace. namespace: "" + # -- Enable Multicluster which allow Antrea-native policies to select peers + # from other clusters in a ClusterSet. + # This feature is supported only with encap mode when the tunnel type is Geneve. + enableStretchedNetworkPolicy: false testing: ## -- enable code coverage measurement (used when testing Antrea only). diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml index 88934521b47..43e077337cd 100644 --- a/build/yamls/antrea-aks.yml +++ b/build/yamls/antrea-aks.yml @@ -3351,7 +3351,7 @@ data: multicluster: # Enable Multicluster which allow Antrea-native policies to select peers # from other clusters in a ClusterSet. - enable: false + enableStretchedNetworkPolicy: false --- # Source: antrea/templates/crds/group.yaml apiVersion: apiextensions.k8s.io/v1 @@ -4273,7 +4273,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 5ff20899f04440bb5318887c6743bdd2cf4d784ab7d790812bdb106dde147547 + checksum/config: 0bfe61fa131f03545550f3a41480c66a3122c1a87390077d700ca01df6371f9a labels: app: antrea component: antrea-agent @@ -4514,7 +4514,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 5ff20899f04440bb5318887c6743bdd2cf4d784ab7d790812bdb106dde147547 + checksum/config: 0bfe61fa131f03545550f3a41480c66a3122c1a87390077d700ca01df6371f9a labels: app: antrea component: antrea-controller diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml index 828ad73f4e8..aa2b8990190 100644 
--- a/build/yamls/antrea-eks.yml +++ b/build/yamls/antrea-eks.yml @@ -3351,7 +3351,7 @@ data: multicluster: # Enable Multicluster which allow Antrea-native policies to select peers # from other clusters in a ClusterSet. - enable: false + enableStretchedNetworkPolicy: false --- # Source: antrea/templates/crds/group.yaml apiVersion: apiextensions.k8s.io/v1 @@ -4273,7 +4273,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 5ff20899f04440bb5318887c6743bdd2cf4d784ab7d790812bdb106dde147547 + checksum/config: 0bfe61fa131f03545550f3a41480c66a3122c1a87390077d700ca01df6371f9a labels: app: antrea component: antrea-agent @@ -4516,7 +4516,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 5ff20899f04440bb5318887c6743bdd2cf4d784ab7d790812bdb106dde147547 + checksum/config: 0bfe61fa131f03545550f3a41480c66a3122c1a87390077d700ca01df6371f9a labels: app: antrea component: antrea-controller diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml index be76a9c0abb..46d0517e21f 100644 --- a/build/yamls/antrea-gke.yml +++ b/build/yamls/antrea-gke.yml @@ -3351,7 +3351,7 @@ data: multicluster: # Enable Multicluster which allow Antrea-native policies to select peers # from other clusters in a ClusterSet. - enable: false + enableStretchedNetworkPolicy: false --- # Source: antrea/templates/crds/group.yaml apiVersion: apiextensions.k8s.io/v1 
@@ -4273,7 +4273,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 2e5482899752673a14f06dc83a064f3627322feb31db5ee8df6d8c8e5c33133b + checksum/config: db1a9feabdabaa45a5a006e8d89bd1b3b4a4e3c67573cb98d5f3630e15d4d757 labels: app: antrea component: antrea-agent @@ -4513,7 +4513,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 2e5482899752673a14f06dc83a064f3627322feb31db5ee8df6d8c8e5c33133b + checksum/config: db1a9feabdabaa45a5a006e8d89bd1b3b4a4e3c67573cb98d5f3630e15d4d757 labels: app: antrea component: antrea-controller diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml index 771270fe49c..870714525a0 100644 --- a/build/yamls/antrea-ipsec.yml +++ b/build/yamls/antrea-ipsec.yml @@ -3364,7 +3364,7 @@ data: multicluster: # Enable Multicluster which allow Antrea-native policies to select peers # from other clusters in a ClusterSet. - enable: false + enableStretchedNetworkPolicy: false --- # Source: antrea/templates/crds/group.yaml apiVersion: apiextensions.k8s.io/v1 @@ -4286,7 +4286,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 4d8f8043d14832434e7a30c7c2f27952f1008fab11a01310f677b33b4be5d2c3 + checksum/config: 1cc89e2ac8e3f6c3c1297fb1d3d8ba1f8eb1f69a7ff915fc23322d9e45237d3f checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4 labels: app: antrea 
@@ -4572,7 +4572,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 4d8f8043d14832434e7a30c7c2f27952f1008fab11a01310f677b33b4be5d2c3 + checksum/config: 1cc89e2ac8e3f6c3c1297fb1d3d8ba1f8eb1f69a7ff915fc23322d9e45237d3f labels: app: antrea component: antrea-controller diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml index 1af047d1649..ca5bb97453a 100644 --- a/build/yamls/antrea.yml +++ b/build/yamls/antrea.yml @@ -3351,7 +3351,7 @@ data: multicluster: # Enable Multicluster which allow Antrea-native policies to select peers # from other clusters in a ClusterSet. - enable: false + enableStretchedNetworkPolicy: false --- # Source: antrea/templates/crds/group.yaml apiVersion: apiextensions.k8s.io/v1 @@ -4273,7 +4273,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: a59d7053f2f5d85cc6f24c5c6fd662295e710658caa8708399f19189ae559c03 + checksum/config: bb8e267e96249bf4d28379cb852eaada9d0e8d20467d58c8e8ab54e33a29fd93 labels: app: antrea component: antrea-agent @@ -4513,7 +4513,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: a59d7053f2f5d85cc6f24c5c6fd662295e710658caa8708399f19189ae559c03 + checksum/config: bb8e267e96249bf4d28379cb852eaada9d0e8d20467d58c8e8ab54e33a29fd93 labels: app: antrea component: antrea-controller diff --git a/cmd/antrea-controller/controller.go b/cmd/antrea-controller/controller.go index d844024a6a1..aac56387c5b 100644 --- a/cmd/antrea-controller/controller.go +++ b/cmd/antrea-controller/controller.go 
@@ -155,8 +155,6 @@ func run(o *Options) error { groupEntityIndex := grouping.NewGroupEntityIndex() groupEntityController := grouping.NewGroupEntityController(groupEntityIndex, podInformer, namespaceInformer, eeInformer) labelIdentityIndex := labelidentity.NewLabelIdentityIndex() - - multiclusterEnabled := features.DefaultFeatureGate.Enabled(features.Multicluster) && o.config.Multicluster.Enable networkPolicyController := networkpolicy.NewNetworkPolicyController(client, crdClient, groupEntityIndex, @@ -174,7 +172,7 @@ func run(o *Options) error { appliedToGroupStore, networkPolicyStore, groupStore, - multiclusterEnabled) + o.config.Multicluster.EnableStretchedNetworkPolicy) var externalNodeController *externalnode.ExternalNodeController if features.DefaultFeatureGate.Enabled(features.ExternalNode) { @@ -317,7 +315,7 @@ func run(o *Options) error { go groupEntityController.Run(stopCh) - if multiclusterEnabled { + if o.config.Multicluster.EnableStretchedNetworkPolicy { mcInformerFactoty := mcinformers.NewSharedInformerFactory(mcClient, informerDefaultResync) labelIdentityInformer := mcInformerFactoty.Multicluster().V1alpha1().LabelIdentities() labelIdentityController := labelidentity.NewLabelIdentityController(labelIdentityIndex, labelIdentityInformer) diff --git a/cmd/antrea-controller/options.go b/cmd/antrea-controller/options.go index c3e776acc14..8594f858113 100644 --- a/cmd/antrea-controller/options.go +++ b/cmd/antrea-controller/options.go @@ -85,6 +85,10 @@ func (o *Options) validate(args []string) error { klog.InfoS("The legacyCRDMirroring config option is deprecated and will be ignored (no CRD mirroring)") } + if o.config.Multicluster.EnableStretchedNetworkPolicy && !features.DefaultFeatureGate.Enabled(features.Multicluster) { + return fmt.Errorf("EnableStretchedNetworkPolicy requires Multicluster feature gate is enabled") + } + return nil } 
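Review bot: The new check in options.go validate() reports the Go field name instead of the config key and the message is ungrammatical: `return fmt.Errorf("EnableStretchedNetworkPolicy requires Multicluster feature gate is enabled")`; suggest `return fmt.Errorf("multicluster.enableStretchedNetworkPolicy requires the Multicluster feature gate to be enabled")` so operators can find the offending key. In controller.go the removed `multiclusterEnabled` combined the feature gate with the config flag at both use sites, so both now rely on validate() having run before run(); if any startup path skips validate, the LabelIdentity informer would start with the gate off. The old `multicluster.enable` key is not handled here; following the `legacyCRDMirroring` deprecation log visible in the same hunk, a similar klog.InfoS line for a still-set `enable` would avoid a silent ignore, assuming the field is kept in the config struct (not in this diff). The enclosing run() and validate() bodies extend outside the hunks.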
diff --git a/multicluster/apis/multicluster/v1alpha1/multiclusterconfig_types.go b/multicluster/apis/multicluster/v1alpha1/multiclusterconfig_types.go index 7d0d38204b8..af0ed8c8c3c 100644 --- a/multicluster/apis/multicluster/v1alpha1/multiclusterconfig_types.go +++ b/multicluster/apis/multicluster/v1alpha1/multiclusterconfig_types.go @@ -53,6 +53,10 @@ type MultiClusterConfig struct { // PodIP type requires Multi-cluster Gateway too when there is no direct Pod-to-Pod // connectivity across member clusters. EndpointIPType string `json:"endpointIPType,omitempty"` + // Enable StretchedNetworkPolicy which will export and import labelIdentities in the + // ClusterSet and allow Antrea-native policies to select peers from other clusters + // in a ClusterSet. + EnableStretchedNetworkPolicy bool `json:"enableStretchedNetworkPolicy,omitempty"` } func init() { diff --git a/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml b/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml index 718a872fe76..86c94666d98 100644 --- a/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml +++ b/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml @@ -326,6 +326,7 @@ data: - "" gatewayIPPrecedence: "private" endpointIPType: "ClusterIP" + enableStretchedNetworkPolicy: false kind: ConfigMap metadata: labels: @@ -365,7 +366,7 @@ spec: template: metadata: annotations: - checksum/config: 5da3da29da98cffcad8b7b40bbfcbff1273c65ce5205f4bcc9290f6bd532e9bb + checksum/config: 7eb0f1e65f7eb3e35b0739d6064b92b7621af0f4e41813c35bfdee71ceaefbe2 labels: app: antrea component: antrea-mc-controller diff --git a/multicluster/build/yamls/antrea-multicluster-member.yml b/multicluster/build/yamls/antrea-multicluster-member.yml index 7d91ca386d3..715205ea511 100644 --- a/multicluster/build/yamls/antrea-multicluster-member.yml +++ b/multicluster/build/yamls/antrea-multicluster-member.yml 
@@ -1050,6 +1050,7 @@ data: - "" gatewayIPPrecedence: "private" endpointIPType: "ClusterIP" + enableStretchedNetworkPolicy: false kind: ConfigMap metadata: labels: @@ -1089,7 +1090,7 @@ spec: template: metadata: annotations: - checksum/config: 5da3da29da98cffcad8b7b40bbfcbff1273c65ce5205f4bcc9290f6bd532e9bb + checksum/config: 7eb0f1e65f7eb3e35b0739d6064b92b7621af0f4e41813c35bfdee71ceaefbe2 labels: app: antrea component: antrea-mc-controller diff --git a/multicluster/cmd/multicluster-controller/leader.go b/multicluster/cmd/multicluster-controller/leader.go index df29b1a7b96..353920c5185 100644 --- a/multicluster/cmd/multicluster-controller/leader.go +++ b/multicluster/cmd/multicluster-controller/leader.go @@ -90,14 +90,16 @@ func runLeader(o *Options) error { if err = resExportReconciler.SetupWithManager(mgr); err != nil { return fmt.Errorf("error creating ResourceExport controller: %v", err) } - labelExportReconciler := multiclustercontrollers.NewLabelIdentityExportReconciler( - mgr.GetClient(), - mgr.GetScheme(), - env.GetPodNamespace()) - if err = labelExportReconciler.SetupWithManager(mgr); err != nil { - return fmt.Errorf("error creating LabelIdentityExport controller: %v", err) + if o.EnableStretchedNetworkPolicy { + labelExportReconciler := multiclustercontrollers.NewLabelIdentityExportReconciler( + mgr.GetClient(), + mgr.GetScheme(), + env.GetPodNamespace()) + if err = labelExportReconciler.SetupWithManager(mgr); err != nil { + return fmt.Errorf("error creating LabelIdentityExport controller: %v", err) + } + go labelExportReconciler.Run(stopCh) } - go labelExportReconciler.Run(stopCh) if err = (&multiclusterv1alpha1.ResourceExport{}).SetupWebhookWithManager(mgr); err != nil { return fmt.Errorf("error creating ResourceExport webhook: %v", err) diff --git a/multicluster/cmd/multicluster-controller/leader_test.go b/multicluster/cmd/multicluster-controller/leader_test.go index 4fefc560eac..c731498a0df 100644 
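Review bot: Gating the LabelIdentityExport reconciler on `o.EnableStretchedNetworkPolicy` in runLeader means a leader configured with the flag off silently ignores LabelIdentity ResourceExports that members with the flag on keep sending, and nothing in the diff checks that the leader and the members of a ClusterSet agree on the setting. A startup log line would make the mismatch diagnosable, e.g. `klog.InfoS("StretchedNetworkPolicy is disabled, LabelIdentityExport controller will not run")` in an else branch (klog is already used by this package's options.go). The rest of runLeader is outside the hunk.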
--- a/multicluster/cmd/multicluster-controller/leader_test.go +++ b/multicluster/cmd/multicluster-controller/leader_test.go @@ -60,26 +60,31 @@ func initMockManager(mockManager *mocks.MockManager) { } func TestRunLeader(t *testing.T) { - mockCtrl := gomock.NewController(t) - mockLeaderManager := mocks.NewMockManager(mockCtrl) - initMockManager(mockLeaderManager) - - testCase := struct { - name string - setupFunc func(o *Options) (ctrl.Manager, error) + testCases := []struct { + name string + options *Options }{ - name: "Start leader controller successfully", - setupFunc: func(o *Options) (ctrl.Manager, error) { - return mockLeaderManager, nil + { + name: "Start leader controller successfully with default options", + options: &Options{}, + }, + { + name: "Start leader controller successfully with stretchedNetworkPolicy enabled", + options: &Options{EnableStretchedNetworkPolicy: true}, }, } - t.Run(testCase.name, func(t *testing.T) { - if testCase.setupFunc != nil { - setupManagerAndCertControllerFunc = testCase.setupFunc + for _, tc := range testCases { + mockCtrl := gomock.NewController(t) + mockLeaderManager := mocks.NewMockManager(mockCtrl) + initMockManager(mockLeaderManager) + setupManagerAndCertControllerFunc = func(o *Options) (ctrl.Manager, error) { + return mockLeaderManager, nil } ctrl.SetupSignalHandler = mockSetupSignalHandler - err := runLeader(&Options{}) - assert.NoError(t, err, "got error when running runLeader") - }) + t.Run(tc.name, func(t *testing.T) { + err := runLeader(tc.options) + assert.NoError(t, err, "got error when running runLeader") + }) + } } diff --git a/multicluster/cmd/multicluster-controller/member.go b/multicluster/cmd/multicluster-controller/member.go index 22179d53d29..289c098828e 100644 --- a/multicluster/cmd/multicluster-controller/member.go +++ b/multicluster/cmd/multicluster-controller/member.go 
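Review bot: Both table-driven cases only assert that `runLeader(tc.options)` returns no error, so the test cannot tell whether the LabelIdentityExport reconciler is registered with the manager only when `EnableStretchedNetworkPolicy` is true; the mock manager prepared by initMockManager (outside the hunk) would need per-case expectations on the calls made by SetupWithManager to actually cover the new branch. The loop also overwrites the package-level `setupManagerAndCertControllerFunc` and `ctrl.SetupSignalHandler` for every case without restoring them, so later tests in the package inherit the last mock; saving the originals and restoring them in `t.Cleanup` would keep the cases isolated. The same two points apply to the member_test.go hunk.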
@@ -65,6 +65,7 @@ func runMember(o *Options) error { clusterSetReconciler := multiclustercontrollers.NewMemberClusterSetReconciler(mgr.GetClient(), mgr.GetScheme(), env.GetPodNamespace(), + o.EnableStretchedNetworkPolicy, ) if err = clusterSetReconciler.SetupWithManager(mgr); err != nil { return fmt.Errorf("error creating ClusterSet controller: %v", err) @@ -79,16 +80,17 @@ func runMember(o *Options) error { if err = svcExportReconciler.SetupWithManager(mgr); err != nil { return fmt.Errorf("error creating ServiceExport controller: %v", err) } - labelIdentityReconciler := multiclustercontrollers.NewLabelIdentityReconciler( - mgr.GetClient(), - mgr.GetScheme(), - commonAreaGetter) - if err = labelIdentityReconciler.SetupWithManager(mgr); err != nil { - return fmt.Errorf("error creating LabelIdentity controller: %v", err) + if o.EnableStretchedNetworkPolicy { + labelIdentityReconciler := multiclustercontrollers.NewLabelIdentityReconciler( + mgr.GetClient(), + mgr.GetScheme(), + commonAreaGetter) + if err = labelIdentityReconciler.SetupWithManager(mgr); err != nil { + return fmt.Errorf("error creating LabelIdentity controller: %v", err) + } + go labelIdentityReconciler.Run(stopCh) } - go labelIdentityReconciler.Run(stopCh) - gwReconciler := multiclustercontrollers.NewGatewayReconciler( mgr.GetClient(), mgr.GetScheme(), diff --git a/multicluster/cmd/multicluster-controller/member_test.go b/multicluster/cmd/multicluster-controller/member_test.go index 473a6f71ec4..ea366d6e4f5 100644 --- a/multicluster/cmd/multicluster-controller/member_test.go +++ b/multicluster/cmd/multicluster-controller/member_test.go 
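Review bot: `o.EnableStretchedNetworkPolicy` is passed into NewMemberClusterSetReconciler as a bare positional bool, and the test call sites in this diff (`NewMemberClusterSetReconciler(fakeClient, scheme, "default", false)`) show how opaque that reads; an options struct, or at least a trailing comment at the call site such as `o.EnableStretchedNetworkPolicy, // enableStretchedNetworkPolicy`, would help. Once the flag is turned off on a member that previously ran with it on, the LabelIdentityReconciler that maintained this member's LabelIdentity ResourceExports no longer runs, so those exports presumably remain in the leader unless the stale-resource cleanup (whose tests appear later in this diff) covers them; that is worth confirming. The rest of runMember lies outside the hunk.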
@@ -63,24 +63,31 @@ func TestCommands(t *testing.T) { } func TestRunMember(t *testing.T) { - mockCtrl := gomock.NewController(t) - mockMemberManager := mocks.NewMockManager(mockCtrl) - initMockManager(mockMemberManager) - - testCase := struct { - name string - setupFunc func(o *Options) (ctrl.Manager, error) + testCases := []struct { + name string + options *Options }{ - name: "Start member controller successfully", - setupFunc: func(o *Options) (ctrl.Manager, error) { - return mockMemberManager, nil + { + name: "Start member controller successfully with default options", + options: &Options{}, + }, + { + name: "Start member controller successfully with stretchedNetworkPolicy enabled", + options: &Options{EnableStretchedNetworkPolicy: true}, }, } - t.Run(testCase.name, func(t *testing.T) { - setupManagerAndCertControllerFunc = testCase.setupFunc + for _, tc := range testCases { + mockCtrl := gomock.NewController(t) + mockMemberManager := mocks.NewMockManager(mockCtrl) + initMockManager(mockMemberManager) + setupManagerAndCertControllerFunc = func(o *Options) (ctrl.Manager, error) { + return mockMemberManager, nil + } ctrl.SetupSignalHandler = mockSetupSignalHandler - err := runMember(&Options{}) - assert.NoError(t, err, "got error when running runMember") - }) + t.Run(tc.name, func(t *testing.T) { + err := runMember(tc.options) + assert.NoError(t, err, "got error when running runMember") + }) + } } diff --git a/multicluster/cmd/multicluster-controller/options.go b/multicluster/cmd/multicluster-controller/options.go index 06c8f6f8f39..51ed46cca98 100644 --- a/multicluster/cmd/multicluster-controller/options.go +++ b/multicluster/cmd/multicluster-controller/options.go 
@@ -40,6 +40,9 @@ type Options struct { // The type of IP address (ClusterIP or PodIP) to be used as the Multi-cluster // Services' Endpoints. EndpointIPType string + // Enable StretchedNetworkPolicy to exchange labelIdentities info among the whole + // ClusterSet. + EnableStretchedNetworkPolicy bool } func newOptions() *Options { @@ -83,6 +86,7 @@ func (o *Options) complete(args []string) error { } else { o.EndpointIPType = ctrlConfig.EndpointIPType } + o.EnableStretchedNetworkPolicy = ctrlConfig.EnableStretchedNetworkPolicy klog.InfoS("Using config from file", "config", o.options) } else { klog.InfoS("Using default config", "config", o.options) diff --git a/multicluster/config/default/configmap/controller_manager_config.yaml b/multicluster/config/default/configmap/controller_manager_config.yaml index decbb468ccb..853e3d117a2 100644 --- a/multicluster/config/default/configmap/controller_manager_config.yaml +++ b/multicluster/config/default/configmap/controller_manager_config.yaml @@ -13,3 +13,4 @@ podCIDRs: - "" gatewayIPPrecedence: "private" endpointIPType: "ClusterIP" +enableStretchedNetworkPolicy: false diff --git a/multicluster/controllers/multicluster/commonarea/remote_common_area.go b/multicluster/controllers/multicluster/commonarea/remote_common_area.go index 82bd43942b9..b3cbe52fc90 100644 --- a/multicluster/controllers/multicluster/commonarea/remote_common_area.go +++ b/multicluster/controllers/multicluster/commonarea/remote_common_area.go 
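Review bot: The new Options field comment `// Enable StretchedNetworkPolicy to exchange labelIdentities info among the whole ClusterSet.` does not mention that the value is presumably expected to match on the leader and on every member, which is the operational pitfall introduced by making the reconcilers conditional in leader.go and member.go; suggest extending it to `// Enable StretchedNetworkPolicy to exchange labelIdentities info among the whole ClusterSet. The setting should match on the leader and all member clusters.` In complete() the value is copied from ctrlConfig only on the config-file path, leaving the default false otherwise, which is consistent with the sample ConfigMaps in this diff. The enclosing complete() continues outside the hunk.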
@@ -129,26 +129,32 @@ type remoteCommonArea struct { // managerStopFunc to stop the manager when the RemoteCommonArea is stopped. managerStopFunc context.CancelFunc + + // Enable StretchedNetworkPolicy which will export and import labelIdentities in the + // ClusterSet and allow Antrea-native policies to select peers from other clusters + // in a ClusterSet. + enableStretchedNetworkPolicy bool } // NewRemoteCommonArea returns a RemoteCommonArea instance which will use access credentials from the Secret to // connect to the leader cluster's CommonArea. func NewRemoteCommonArea(clusterID common.ClusterID, clusterSetID common.ClusterSetID, localClusterID common.ClusterSetID, mgr manager.Manager, remoteClient client.Client, - scheme *runtime.Scheme, localClusterClient client.Client, clusterSetNamespace string, localNamespace string, config *rest.Config) (RemoteCommonArea, error) { + scheme *runtime.Scheme, localClusterClient client.Client, clusterSetNamespace string, localNamespace string, config *rest.Config, enableStretchedNetworkPolicy bool) (RemoteCommonArea, error) { klog.InfoS("Create a RemoteCommonArea", "cluster", clusterID) remote := &remoteCommonArea{ - Client: remoteClient, - ClusterManager: mgr, - ClusterSetID: clusterSetID, - ClusterID: clusterID, - config: config, - scheme: scheme, - Namespace: clusterSetNamespace, - connected: false, - localClusterClient: localClusterClient, - localNamespace: localNamespace, - localClusterID: localClusterID, + Client: remoteClient, + ClusterManager: mgr, + ClusterSetID: clusterSetID, + ClusterID: clusterID, + config: config, + scheme: scheme, + Namespace: clusterSetNamespace, + connected: false, + localClusterClient: localClusterClient, + localNamespace: localNamespace, + localClusterID: localClusterID, + enableStretchedNetworkPolicy: enableStretchedNetworkPolicy, } remote.clusterStatus.Type = multiclusterv1alpha1.ClusterReady remote.clusterStatus.Status = v1.ConditionUnknown 
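Review bot: The doc comment added to the `enableStretchedNetworkPolicy` field says it will `export and import labelIdentities`, but within remoteCommonArea the field only gates the LabelIdentityResourceImport reconciler in StartWatching (next hunk); exporting is handled by the member's LabelIdentityReconciler in member.go. Suggest `// enableStretchedNetworkPolicy gates the LabelIdentityResourceImport reconciler started in StartWatching.` NewRemoteCommonArea now takes eleven positional parameters ending in a bool and its doc comment was not updated to mention the new one; an options struct would make the call in member_clusterset_controller.go readable.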
@@ -387,16 +393,18 @@ func (r *remoteCommonArea) StartWatching() error { if err := resImportReconciler.SetupWithManager(r.ClusterManager); err != nil { return fmt.Errorf("error creating ResourceImport controller for RemoteCommonArea: %v", err) } - labelIdentityImpReconciler := NewLabelIdentityResourceImportReconciler( - r.ClusterManager.GetClient(), - r.ClusterManager.GetScheme(), - r.localClusterClient, - string(r.ClusterID), - r.Namespace, - r, - ) - if err := labelIdentityImpReconciler.SetupWithManager(r.ClusterManager); err != nil { - return fmt.Errorf("error creating LabelIdentityResourceImport controller for RemoteCommonArea: %v", err) + if r.enableStretchedNetworkPolicy { + labelIdentityImpReconciler := NewLabelIdentityResourceImportReconciler( + r.ClusterManager.GetClient(), + r.ClusterManager.GetScheme(), + r.localClusterClient, + string(r.ClusterID), + r.Namespace, + r, + ) + if err := labelIdentityImpReconciler.SetupWithManager(r.ClusterManager); err != nil { + return fmt.Errorf("error creating LabelIdentityResourceImport controller for RemoteCommonArea: %v", err) + } } go func() { diff --git a/multicluster/controllers/multicluster/commonarea/remote_common_area_test.go b/multicluster/controllers/multicluster/commonarea/remote_common_area_test.go index c1cc1f01d59..34a91524b2a 100644 --- a/multicluster/controllers/multicluster/commonarea/remote_common_area_test.go +++ b/multicluster/controllers/multicluster/commonarea/remote_common_area_test.go 
@@ -193,7 +193,7 @@ func TestMemberAnnounceNewRemoteCommonArea(t *testing.T) { } actualRemoteCommonArea, err := NewRemoteCommonArea(expectedRemoteCommonArea.ClusterID, expectedRemoteCommonArea.ClusterSetID, expectedRemoteCommonArea.localClusterID, mockManager, fakeRemoteClient, scheme, nil, - "cluster-a-ns", "localnamespace", nil) + "cluster-a-ns", "localnamespace", nil, false) assert.Equal(t, nil, err) clusterStatus, leaderStatus := actualRemoteCommonArea.GetStatus()[0], actualRemoteCommonArea.GetStatus()[1] // Assign LastTransitionTime to clusterStatus and leaderStatus of expectedRemoteCommonArea to simply the following comparison. diff --git a/multicluster/controllers/multicluster/gateway_controller_test.go b/multicluster/controllers/multicluster/gateway_controller_test.go index aaab0457842..061ea484f09 100644 --- a/multicluster/controllers/multicluster/gateway_controller_test.go +++ b/multicluster/controllers/multicluster/gateway_controller_test.go @@ -153,7 +153,7 @@ func TestGatewayReconciler(t *testing.T) { fakeRemoteClient = fake.NewClientBuilder().WithScheme(scheme).WithObjects(tt.resExport).Build() } commonArea := commonarea.NewFakeRemoteCommonArea(fakeRemoteClient, "leader-cluster", localClusterID, leaderNamespace, nil) - mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default") + mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default", false) mcReconciler.SetRemoteCommonArea(commonArea) commonAreaGatter := mcReconciler r := NewGatewayReconciler(fakeClient, scheme, "default", "10.96.0.0/12", []string{"10.200.1.1/16"}, commonAreaGatter) diff --git a/multicluster/controllers/multicluster/label_identity_controller_test.go b/multicluster/controllers/multicluster/label_identity_controller_test.go index 36dfd1595af..89eb212a017 100644 --- a/multicluster/controllers/multicluster/label_identity_controller_test.go +++ b/multicluster/controllers/multicluster/label_identity_controller_test.go 
@@ -171,7 +171,7 @@ func TestLabelIdentityReconciler(t *testing.T) { fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithLists(tt.existingPods).WithObjects(ns).Build() fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).Build() commonArea := commonarea.NewFakeRemoteCommonArea(fakeRemoteClient, "leader-cluster", localClusterID, leaderNamespace, nil) - mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default") + mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default", true) mcReconciler.SetRemoteCommonArea(commonArea) r := NewLabelIdentityReconciler(fakeClient, scheme, mcReconciler) go r.Run(stopCh) @@ -238,7 +238,7 @@ func TestNamespaceMapFunc(t *testing.T) { fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(podA, podC, ns).Build() fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).Build() commonArea := commonarea.NewFakeRemoteCommonArea(fakeRemoteClient, "leader-cluster", localClusterID, leaderNamespace, nil) - mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default") + mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default", true) mcReconciler.SetRemoteCommonArea(commonArea) r := NewLabelIdentityReconciler(fakeClient, scheme, mcReconciler) diff --git a/multicluster/controllers/multicluster/member_clusterset_controller.go b/multicluster/controllers/multicluster/member_clusterset_controller.go index ee04f180f04..469d9eb8d5a 100644 --- a/multicluster/controllers/multicluster/member_clusterset_controller.go +++ b/multicluster/controllers/multicluster/member_clusterset_controller.go 
@@ -65,16 +65,20 @@ type MemberClusterSetReconciler struct { installedLeader leaderClusterInfo remoteCommonArea commonarea.RemoteCommonArea + + enableStretchedNetworkPolicy bool } func NewMemberClusterSetReconciler(client client.Client, scheme *runtime.Scheme, namespace string, + enableStretchedNetworkPolicy bool, ) *MemberClusterSetReconciler { return &MemberClusterSetReconciler{ - Client: client, - Scheme: scheme, - Namespace: namespace, + Client: client, + Scheme: scheme, + Namespace: namespace, + enableStretchedNetworkPolicy: enableStretchedNetworkPolicy, } } @@ -215,7 +219,7 @@ func (r *MemberClusterSetReconciler) createOrUpdateRemoteCommonArea(clusterSet * } r.remoteCommonArea, err = commonarea.NewRemoteCommonArea(clusterID, r.clusterSetID, common.ClusterSetID(r.clusterID), remoteCommonAreaMgr, remoteClient, r.Scheme, - r.Client, clusterSet.Spec.Namespace, r.Namespace, config) + r.Client, clusterSet.Spec.Namespace, r.Namespace, config, r.enableStretchedNetworkPolicy) if err != nil { klog.ErrorS(err, "Unable to create RemoteCommonArea", "cluster", clusterID) return err diff --git a/multicluster/controllers/multicluster/serviceexport_controller_test.go b/multicluster/controllers/multicluster/serviceexport_controller_test.go index abbe5f15e16..9df37d27ec9 100644 --- a/multicluster/controllers/multicluster/serviceexport_controller_test.go +++ b/multicluster/controllers/multicluster/serviceexport_controller_test.go 
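Review bot: NewMemberClusterSetReconciler is exported but has no doc comment, and it now takes a trailing `enableStretchedNetworkPolicy bool` whose meaning is only discoverable from createOrUpdateRemoteCommonArea further down the file; add `// NewMemberClusterSetReconciler returns a MemberClusterSetReconciler; enableStretchedNetworkPolicy is forwarded to every RemoteCommonArea it creates so LabelIdentity imports are only watched when stretched policies are on.` The value is captured at construction and read only when the RemoteCommonArea is created, so changing the config requires a restart, which the comment could state as well. The surrounding struct and createOrUpdateRemoteCommonArea extend beyond the hunks.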
@@ -68,7 +68,7 @@ func TestServiceExportReconciler_handleDeleteEvent(t *testing.T) { fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(existSvcResExport, existEpResExport).Build() commonArea := commonarea.NewFakeRemoteCommonArea(fakeRemoteClient, "leader-cluster", localClusterID, "default", nil) - mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default") + mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default", false) mcReconciler.SetRemoteCommonArea(commonArea) r := NewServiceExportReconciler(fakeClient, scheme, mcReconciler, "ClusterIP") r.installedSvcs.Add(&svcInfo{ @@ -205,7 +205,7 @@ func TestServiceExportReconciler_CheckExportStatus(t *testing.T) { fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).Build() commonArea := commonarea.NewFakeRemoteCommonArea(fakeRemoteClient, "leader-cluster", localClusterID, "default", nil) - mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default") + mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default", false) mcReconciler.SetRemoteCommonArea(commonArea) r := NewServiceExportReconciler(fakeClient, scheme, mcReconciler, "ClusterIP") for _, tt := range tests { @@ -236,7 +236,7 @@ func TestServiceExportReconciler_handleServiceExportCreateEvent(t *testing.T) { fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).Build() commonArea := commonarea.NewFakeRemoteCommonArea(fakeRemoteClient, "leader-cluster", localClusterID, "default", nil) - mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default") + mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default", false) mcReconciler.SetRemoteCommonArea(commonArea) r := NewServiceExportReconciler(fakeClient, scheme, mcReconciler, "ClusterIP") if _, err := r.Reconcile(ctx, nginxReq); err != nil { 
@@ -400,7 +400,7 @@ func TestServiceExportReconciler_handleUpdateEvent(t *testing.T) {
 	fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(existSvcRe, existEpRe).Build()
 	commonArea := commonarea.NewFakeRemoteCommonArea(fakeRemoteClient, "leader-cluster", localClusterID, "default", nil)
-	mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default")
+	mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default", false)
 	mcReconciler.SetRemoteCommonArea(commonArea)
 	r := NewServiceExportReconciler(fakeClient, scheme, mcReconciler, tt.endpointIPType)
 	r.installedSvcs.Add(sinfo)
diff --git a/multicluster/controllers/multicluster/stale_controller_test.go b/multicluster/controllers/multicluster/stale_controller_test.go
index 8fd99c1fcfd..0ece0169fcb 100644
--- a/multicluster/controllers/multicluster/stale_controller_test.go
+++ b/multicluster/controllers/multicluster/stale_controller_test.go
@@ -94,7 +94,7 @@ func TestStaleController_CleanupService(t *testing.T) {
 	fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithLists(tt.existSvcList, tt.existSvcImpList).Build()
 	fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).WithLists(tt.existingResImpList).Build()
 	commonArea := commonarea.NewFakeRemoteCommonArea(fakeRemoteClient, "leader-cluster", localClusterID, "default", nil)
-	mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default")
+	mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default", false)
 	mcReconciler.SetRemoteCommonArea(commonArea)
 	c := NewStaleResCleanupController(fakeClient, scheme, "default", mcReconciler, MemberCluster)
 	if err := c.cleanup(); err != nil {
@@ -189,7 +189,7 @@ func TestStaleController_CleanupACNP(t *testing.T) {
 	fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).WithLists(tt.existingResImpList).Build()
 	commonArea := commonarea.NewFakeRemoteCommonArea(fakeRemoteClient, "leader-cluster", localClusterID, "default", nil)
-	mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default")
+	mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default", false)
 	mcReconciler.SetRemoteCommonArea(commonArea)
 	c := NewStaleResCleanupController(fakeClient, scheme, "default", mcReconciler, MemberCluster)
 	if err := c.cleanup(); err != nil {
@@ -384,7 +384,7 @@ func TestStaleController_CleanupResourceExport(t *testing.T) {
 	fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).WithLists(tt.existResExpList).Build()
 	commonArea := commonarea.NewFakeRemoteCommonArea(fakeRemoteClient, "leader-cluster", localClusterID, "default", nil)
-	mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default")
+	mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default", false)
 	mcReconciler.SetRemoteCommonArea(commonArea)
 	c := NewStaleResCleanupController(fakeClient, scheme, "default", mcReconciler, MemberCluster)
 	if err := c.cleanup(); err != nil {
@@ -461,7 +461,7 @@ func TestStaleController_CleanupClusterInfoImport(t *testing.T) {
 	fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).WithLists(tt.existingResImpList).Build()
 	commonarea := commonarea.NewFakeRemoteCommonArea(fakeRemoteClient, "leader-cluster", localClusterID, "antrea-mcs", nil)
-	mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default")
+	mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default", false)
 	mcReconciler.SetRemoteCommonArea(commonarea)
 	c := NewStaleResCleanupController(fakeClient, scheme, "default", mcReconciler, MemberCluster)
 	if err := c.cleanup(); err != nil {
@@ -583,7 +583,7 @@ func TestStaleController_CleanupMemberClusterAnnounce(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithLists(tt.memberClusterAnnounceList).WithLists(tt.clusterSet).Build()
-			mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default")
+			mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default", false)
 			c := NewStaleResCleanupController(fakeClient, scheme, "default", mcReconciler, LeaderCluster)
 			assert.Equal(t, nil, c.cleanup())
@@ -659,7 +659,7 @@ func TestStaleController_CleanupLabelIdentites(t *testing.T) {
 	fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).WithLists(tt.existingResImpList).Build()
 	ca := commonarea.NewFakeRemoteCommonArea(fakeRemoteClient, "leader-cluster", localClusterID, "antrea-mcs", nil)
-	mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default")
+	mcReconciler := NewMemberClusterSetReconciler(fakeClient, scheme, "default", false)
 	mcReconciler.SetRemoteCommonArea(ca)
 	c := NewStaleResCleanupController(fakeClient, scheme, "default", mcReconciler, MemberCluster)
 	if err := c.cleanup(); err != nil {
diff --git a/multicluster/test/integration/suite_test.go b/multicluster/test/integration/suite_test.go
index ef1b8eef281..d94cabbaae8 100644
--- a/multicluster/test/integration/suite_test.go
+++ b/multicluster/test/integration/suite_test.go
@@ -137,6 +137,7 @@ var _ = BeforeSuite(func() {
 		k8sManager.GetClient(),
 		k8sManager.GetScheme(),
 		LeaderNamespace,
+		false,
 	)
 	err = clusterSetReconciler.SetupWithManager(k8sManager)
 	Expect(err).ToNot(HaveOccurred())
diff --git a/pkg/config/controller/config.go b/pkg/config/controller/config.go
index 5e1387fdfc5..ecec3eb4358 100644
--- a/pkg/config/controller/config.go
+++ b/pkg/config/controller/config.go
@@ -72,9 +72,9 @@ type ControllerConfig struct {
 }
 
 type MulticlusterConfig struct {
-	// Enable Multicluster which allow Antrea-native policies to select peers
+	// Enable StretchedNetworkPolicy which allow Antrea-native policies to select peers
 	// from other clusters in a ClusterSet.
-	Enable bool `yaml:"enable,omitempty"`
+	EnableStretchedNetworkPolicy bool `yaml:"enableStretchedNetworkPolicy,omitempty"`
 	// The Namespace where the Antrea Multi-cluster controller is running.
 	// The default is antrea-agent's Namespace.
 	Namespace string `yaml:"namespace,omitempty"`
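Review bot: Renaming the YAML key from `enable` to `enableStretchedNetworkPolicy` means a ConfigMap that still sets `multicluster.enable: true` no longer maps to any field of `MulticlusterConfig`; depending on whether the controller decodes its config strictly (not visible here) that is either a startup error or a silent fall-back to `false`, and a policy-scoping feature switching itself off unnoticed on upgrade is the outcome to avoid. If the old key was ever shipped in a release, either keep a deprecated alias for one version, e.g. `Enable bool `yaml:"enable,omitempty"` // Deprecated: use EnableStretchedNetworkPolicy.`, and log when it is set, or call the rename out in the release notes and upgrade docs. The new comment also keeps the grammar slip of the old one: `which allow` should read `which allows`.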