Skip to content

Commit

Permalink
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Initial commit
Browse files Browse the repository at this point in the history
- Add basic daemon implementation that sets up signal
  handling and does nothing
- Add Makefile with basic targets to build, build image,
  run test, deploy and undeploy.
- Add Dockerfile to build daemon image including
  multi-stage build to support building updated iproute2
  package for updated TC userspace functionality as first
  implementation relies on executing tc shell commands
- Initialize go.mod/go.sum
- Add signal handling functionality to utils package
- Add CONTRIBUTING and OWNERS file

Signed-off-by: Adrian Chiris <[email protected]>
adrianchiris committed Jul 11, 2022
1 parent d8d518a commit a97c8a5
Showing 11 changed files with 1,086 additions and 0 deletions.
16 changes: 16 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
# Binary output dir
bin/
build/
e2e/bin/

# GOPATH created by the build script
gopath/

# Editor paths
.swp*
.swo*
.idea*

# Test outputs
*.out
*.test
42 changes: 42 additions & 0 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
# Multi Network Policy TC

## How to Contribute

multi-networkpolicy-tc is [Apache 2.0 licensed](LICENSE) and accepts contributions via GitHub pull requests.
This document outlines some of the conventions on development workflow, commit message formatting,
contact points and other resources to make it easier to get your contribution accepted.

## Coding Style

Please follows the standard formatting recommendations and language idioms set out in [Effective Go](https://golang.org/doc/effective_go.html) and in the [Go Code Review Comments wiki](https://github.com/golang/go/wiki/CodeReviewComments).

## Format of the patch

Each patch is expected to comply with the following format:

```
Change summary
More detailed explanation of your changes: Why and how.
Wrap it to 72 characters.
See [here] (http://chris.beams.io/posts/git-commit/)
for some more good advices.
[Fixes #NUMBER (or URL to the issue)]
```

For example:

```
Fix poorly named identifiers
One identifier, fnname, in func.go was poorly named. It has been renamed
to fnName. Another identifier retval was not needed and has been removed
entirely.
Fixes #1
```

## Contributing Code

TODO
32 changes: 32 additions & 0 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
# Build go project
FROM golang:1.18 as go-build

# Add everything
ADD . /usr/src/multi-networkpolicy-tc

RUN cd /usr/src/multi-networkpolicy-tc && \
go build ./cmd/multi-networkpolicy-tc/

# Build iproute2
FROM quay.io/centos/centos:stream8 as iproute-build

ARG IPROUTE2_TAG=v5.17.0

RUN dnf -q -y groupinstall "Development Tools"
RUN dnf -q -y install git libmnl-devel

RUN git clone --branch ${IPROUTE2_TAG} https://github.com/shemminger/iproute2.git && \
cd /iproute2 && make && make install

# collect everything into target container
# TODO(adrianc): once we switch to native netlink to drive TC we can switch back to distroless
#FROM gcr.io/distroless/base
FROM quay.io/centos/centos:stream8
LABEL io.k8s.display-name="Multus NetworkPolicy TC" \
io.k8s.description="This is a component provides NetworkPolicy objects for secondary interfaces created with Multus CNI"
RUN dnf -q -y install git libmnl
COPY --from=go-build /usr/src/multi-networkpolicy-tc/multi-networkpolicy-tc /usr/bin
COPY --from=iproute-build /sbin/tc /sbin
WORKDIR /usr/bin

ENTRYPOINT ["multi-networkpolicy-tc"]
108 changes: 108 additions & 0 deletions Makefile
Original file line number Diff line number Diff line change
@@ -0,0 +1,108 @@
# Image related parameters, used when building image
IMAGE_REPOSITORY ?= nvidia.com
IMAGE_NAME ?= multi-networkpolicy-tc
IMAGE_TAG ?= latest
IMG ?= $(IMAGE_REPOSITORY)/$(IMAGE_NAME):$(IMAGE_TAG)

# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
ifeq (,$(shell go env GOBIN))
GOBIN=$(shell go env GOPATH)/bin
else
GOBIN=$(shell go env GOBIN)
endif

# Setting SHELL to bash allows bash commands to be executed by recipes.
# This is a requirement for 'setup-envtest.sh' in the test target.
# Options are set to exit when a recipe line exits non-zero or a piped command fails.
SHELL = /usr/bin/env bash -o pipefail
.SHELLFLAGS = -ec

TARGET_OS ?= $(shell go env GOOS)
TARGET_ARCH ?= $(shell go env GOARCH)

# Options for go build command
GO_BUILD_OPTS ?= CGO_ENABLED=0 GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH)
# Suffix for binary files
GO_BIN_SUFFIX ?= $(TARGET_OS)-$(TARGET_ARCH)

all: build


##@ General

# The help target prints out all targets with their descriptions organized
# beneath their categories. The categories are represented by '##@' and the
# target descriptions by '##'. The awk commands is responsible for reading the
# entire set of makefiles included in this invocation, looking for lines of the
# file as xyz: ## something, and then pretty-format the target and help. Then,
# if there's a line with ##@ something, that gets pretty-printed as a category.
# More info on the usage of ANSI control characters for terminal formatting:
# https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_parameters
# More info on the awk command:
# http://linuxcommand.org/lc3_adv_awk.php

help: ## Display this help.
@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)


##@ Development
lint: golangci-lint ## Lint code.
$(GOLANGCILINT) run --timeout 10m

unit-test: ## Run unit tests.
go test ./... -coverprofile cover.out

test: lint unit-test ## Run all tests (lint, unit-test).


##@ Build
.PHONY: build
build: ## Build multi-networkpolicy-tc binary.
$(GO_BUILD_OPTS) go build -o build/multi-networkpolicy-tc-$(GO_BIN_SUFFIX) cmd/multi-networkpolicy-tc/main.go

build-in-docker: ## Build in docker container
docker run -ti -v $(shell pwd):/code --user $(shell id -u $$(logname)):$(shell id -g $$(logname)) golang:1.18 bash -c \
"export GOCACHE=/tmp && cd /code && make build"

run: ## Run a multi-networkpolicy-tc from your host.
go run ./cmd/multi-networkpolicy-tc/main.go

docker-build: ## Build docker image.
dockerfile=Dockerfile; \
[ -f "$$dockerfile".$(TARGET_ARCH) ] && dockerfile="$$dockerfile".$(TARGET_ARCH); \
docker build -t $(IMG) -f $$dockerfile .

docker-push: ## Push docker image.
docker push ${IMG}


##@ Deployment
deploy: ## Deploy multi-networkpolicy-tc to the K8s cluster specified in ~/.kube/config.
kubectl apply -f deploy/deploy.yaml

undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.
kubectl delete -f deploy/deploy.yaml


##@ Dependency download
KUSTOMIZE = $(shell pwd)/bin/kustomize
kustomize: ## Download kustomize locally if necessary.
$(call go-install-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/[email protected])

GOLANGCILINT = $(shell pwd)/bin/golangci-lint
golangci-lint: ## Download golangci-lint locally if necessary.
$(call go-install-tool,$(GOLANGCILINT),github.com/golangci/golangci-lint/cmd/[email protected])

MOCKERY = $(shell pwd)/bin/mockery
mockery: ## Download mockery if necessary.
$(call go-install-tool,$(MOCKERY),github.com/vektra/mockery/[email protected])

# go-get-tool will 'go get' any package $2 and install it to $1.
PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
define go-install-tool
@[ -f $(1) ] || { \
set -e ;\
echo "Downloading $(2)" ;\
GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
}
endef
4 changes: 4 additions & 0 deletions OWNERS
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
reviewers:
- adrianc
approvers:
- adrianc
55 changes: 55 additions & 0 deletions cmd/multi-networkpolicy-tc/main.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
package main

import (
"context"
"log"
"os"
"time"

"github.com/spf13/cobra"
"github.com/spf13/pflag"

"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/klog/v2"

"github.com/Mellanox/multi-networkpolicy-tc/pkg/utils"
)

const logFlushFreqFlagName = "log-flush-frequency"

var logFlushFreq = pflag.Duration(logFlushFreqFlagName, 5*time.Second, "Maximum number of seconds between log flushes")

// KlogWriter serves as a bridge between the standard log package and the glog package.
type KlogWriter struct{}

// Write implements the io.Writer interface.
func (writer KlogWriter) Write(data []byte) (n int, err error) {
klog.InfoDepth(1, string(data))
return len(data), nil
}

func initLogs(ctx context.Context) {
log.SetOutput(KlogWriter{})
log.SetFlags(0)
go wait.Until(klog.Flush, *logFlushFreq, ctx.Done())
}

func main() {
ctx := utils.SetupSignalHandler()
initLogs(ctx)
defer klog.Flush()

cmd := &cobra.Command{
Use: "multi-networkpolicy-tc",
Long: `TBD`,
Run: func(cmd *cobra.Command, args []string) {
klog.Infof("running multi-networkpolicy-tc")
klog.Infof("waiting for stop signal")
<- ctx.Done()
},
}

if err := cmd.Execute(); err != nil {
os.Exit(1)
}
}
103 changes: 103 additions & 0 deletions deploy/deploy.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,103 @@
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: multi-networkpolicy-tc
rules:
- apiGroups: ["k8s.cni.cncf.io"]
resources:
- '*'
verbs:
- '*'
- apiGroups:
- ""
resources:
- pods
- namespaces
verbs:
- list
- watch
- get
- apiGroups:
- ""
- events.k8s.io
resources:
- events
verbs:
- create
- patch
- update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: multi-networkpolicy-tc
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: multi-networkpolicy
subjects:
- kind: ServiceAccount
name: multi-networkpolicy
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: multi-networkpolicy-tc
namespace: kube-system
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: multi-networkpolicy-tc-ds-amd64
namespace: kube-system
labels:
tier: node
app: multi-networkpolicy-tc
name: multi-networkpolicy-tc
spec:
selector:
matchLabels:
name: multi-networkpolicy-tc
updateStrategy:
type: RollingUpdate
template:
metadata:
labels:
tier: node
app: multi-networkpolicy-tc
name: multi-networkpolicy-tc
spec:
hostNetwork: true
nodeSelector:
kubernetes.io/arch: amd64
tolerations:
- operator: Exists
effect: NoSchedule
serviceAccountName: multi-networkpolicy-tc
containers:
- name: multi-networkpolicy-tc
image: nvidia.com/multi-networkpolicy-tc:latest
imagePullPolicy: IfNotPresent
command: ["/usr/bin/multi-networkpolicy-tc"]
args:
- "--pod-rules-path=/var/lib/multi-networkpolicy-tc"
resources:
requests:
cpu: "100m"
memory: "150Mi"
limits:
cpu: "200m"
memory: "300Mi"
securityContext:
privileged: true
capabilities:
add: ["NET_ADMIN"]
volumeMounts:
- name: var-lib-multinetworkpolicy
mountPath: /var/lib/multi-networkpolicy
volumes:
- name: var-lib-multinetworkpolicy
hostPath:
path: /var/lib/multi-networkpolicy
Loading

0 comments on commit a97c8a5

Please sign in to comment.