compute rule update delta against the cloud in plugins #276
Conversation
|
|
||
| func convertIngressToIpPermission(rules []*cloudresource.CloudRule, cloudSGNameToObj map[string]*ec2.SecurityGroup) ( |
There was a problem hiding this comment.
nit: add a function description.
| } | ||
| description, err := utils.GenerateCloudDescription(obj.NpNamespacedName) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("unable to generate rule description, err: %v", err) |
There was a problem hiding this comment.
If any of the rules do not contain description, you fail the entire conversion?
There was a problem hiding this comment.
This is generating description for Nephe rules, which shouldn't fail at all. In an error case, we do want to fail the entire conversion or operation so the cloud won't be in partial state.
reachjainrahul
force-pushed
the
aws-delta
branch
from
236f7e1 to
9c6d262
Compare
| FromPort: ipPermission.FromPort, | ||
| IpProtocol: ipPermission.IpProtocol, | ||
| ToPort: ipPermission.ToPort, | ||
| UserIdGroupPairs: []*ec2.UserIdGroupPair{{GroupId: group.GroupId, Description: group.Description}}, |
There was a problem hiding this comment.
Why Description is stored only for user-groups? Isnt not needed for ipblocks
There was a problem hiding this comment.
For groups we are constructing new UserIdGroupPair with only groupId and Description to ignore other fields. For IpRange we are directly copying the object from previous slice into the new slice, which contains both cidr and description.
|
|
||
| addIngressRules = dedupIpPermissions(addIngressRules, cloudSGObjToAddRules.IpPermissions) | ||
| addEgressRules = dedupIpPermissions(addEgressRules, cloudSGObjToAddRules.IpPermissionsEgress) | ||
| removeIngressRules = findDupIpPermissions(removeIngressRules, cloudSGObjToAddRules.IpPermissions) |
There was a problem hiding this comment.
Remove this for now..
| normalizedRule := normalizeAzureSecurityRule(rule) | ||
| idx, found := findSecurityRule(normalizedRule, removeRules) | ||
| // skip the rule if found in remove list. | ||
| idx, found := findSecurityRule(normalizedRule, removeAzureRules) |
Signed-off-by: Alexander Liu <[email protected]>
|
/nephe-test-e2e-agentless |
Description
Currently, the plugin directly invokes cloud APIs with the update rule set passed from the network policy. However, this approach becomes problematic if the cloud rule indexer is out of sync with the actual cloud state, due to user actions or other failures. To address this issue, this PR introduces a solution that fetches and compares the current cloud rules with the update sets in the plugin before invoking cloud APIs. It computes the final sets of rules that need to be updated based on this comparison.
Changes