-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Add basic daemon implementation that sets up signal handling and does nothing - Add Makefile with basic targets to build, build image, run test, deploy and undeploy. - Add Dockerfile to build daemon image including multi-stage build to support building updated iproute2 package for updated TC userspace functionality as first implementation relies on executing tc shell commands - Initialize go.mod/go.sum - Add signal handling functionality to utils package - Add CONTRIBUTING and OWNERS file Signed-off-by: Adrian Chiris <[email protected]>
1 parent
d8d518a
commit a97c8a5
Showing
11 changed files
with
1,086 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
# Binary output dir | ||
bin/ | ||
build/ | ||
e2e/bin/ | ||
|
||
# GOPATH created by the build script | ||
gopath/ | ||
|
||
# Editor paths | ||
.swp* | ||
.swo* | ||
.idea* | ||
|
||
# Test outputs | ||
*.out | ||
*.test |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
# Multi Network Policy TC | ||
|
||
## How to Contribute | ||
|
||
multi-networkpolicy-tc is [Apache 2.0 licensed](LICENSE) and accepts contributions via GitHub pull requests. | ||
This document outlines some of the conventions on development workflow, commit message formatting, | ||
contact points and other resources to make it easier to get your contribution accepted. | ||
|
||
## Coding Style | ||
|
||
Please follows the standard formatting recommendations and language idioms set out in [Effective Go](https://golang.org/doc/effective_go.html) and in the [Go Code Review Comments wiki](https://github.com/golang/go/wiki/CodeReviewComments). | ||
|
||
## Format of the patch | ||
|
||
Each patch is expected to comply with the following format: | ||
|
||
``` | ||
Change summary | ||
More detailed explanation of your changes: Why and how. | ||
Wrap it to 72 characters. | ||
See [here] (http://chris.beams.io/posts/git-commit/) | ||
for some more good advices. | ||
[Fixes #NUMBER (or URL to the issue)] | ||
``` | ||
|
||
For example: | ||
|
||
``` | ||
Fix poorly named identifiers | ||
One identifier, fnname, in func.go was poorly named. It has been renamed | ||
to fnName. Another identifier retval was not needed and has been removed | ||
entirely. | ||
Fixes #1 | ||
``` | ||
|
||
## Contributing Code | ||
|
||
TODO |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
# Build go project | ||
FROM golang:1.18 as go-build | ||
|
||
# Add everything | ||
ADD . /usr/src/multi-networkpolicy-tc | ||
|
||
RUN cd /usr/src/multi-networkpolicy-tc && \ | ||
go build ./cmd/multi-networkpolicy-tc/ | ||
|
||
# Build iproute2 | ||
FROM quay.io/centos/centos:stream8 as iproute-build | ||
|
||
ARG IPROUTE2_TAG=v5.17.0 | ||
|
||
RUN dnf -q -y groupinstall "Development Tools" | ||
RUN dnf -q -y install git libmnl-devel | ||
|
||
RUN git clone --branch ${IPROUTE2_TAG} https://github.com/shemminger/iproute2.git && \ | ||
cd /iproute2 && make && make install | ||
|
||
# collect everything into target container | ||
# TODO(adrianc): once we switch to native netlink to drive TC we can switch back to distroless | ||
#FROM gcr.io/distroless/base | ||
FROM quay.io/centos/centos:stream8 | ||
LABEL io.k8s.display-name="Multus NetworkPolicy TC" \ | ||
io.k8s.description="This is a component provides NetworkPolicy objects for secondary interfaces created with Multus CNI" | ||
RUN dnf -q -y install git libmnl | ||
COPY --from=go-build /usr/src/multi-networkpolicy-tc/multi-networkpolicy-tc /usr/bin | ||
COPY --from=iproute-build /sbin/tc /sbin | ||
WORKDIR /usr/bin | ||
|
||
ENTRYPOINT ["multi-networkpolicy-tc"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,108 @@ | ||
# Image related parameters, used when building image | ||
IMAGE_REPOSITORY ?= nvidia.com | ||
IMAGE_NAME ?= multi-networkpolicy-tc | ||
IMAGE_TAG ?= latest | ||
IMG ?= $(IMAGE_REPOSITORY)/$(IMAGE_NAME):$(IMAGE_TAG) | ||
|
||
# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) | ||
ifeq (,$(shell go env GOBIN)) | ||
GOBIN=$(shell go env GOPATH)/bin | ||
else | ||
GOBIN=$(shell go env GOBIN) | ||
endif | ||
|
||
# Setting SHELL to bash allows bash commands to be executed by recipes. | ||
# This is a requirement for 'setup-envtest.sh' in the test target. | ||
# Options are set to exit when a recipe line exits non-zero or a piped command fails. | ||
SHELL = /usr/bin/env bash -o pipefail | ||
.SHELLFLAGS = -ec | ||
|
||
TARGET_OS ?= $(shell go env GOOS) | ||
TARGET_ARCH ?= $(shell go env GOARCH) | ||
|
||
# Options for go build command | ||
GO_BUILD_OPTS ?= CGO_ENABLED=0 GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) | ||
# Suffix for binary files | ||
GO_BIN_SUFFIX ?= $(TARGET_OS)-$(TARGET_ARCH) | ||
|
||
all: build | ||
|
||
|
||
##@ General | ||
|
||
# The help target prints out all targets with their descriptions organized | ||
# beneath their categories. The categories are represented by '##@' and the | ||
# target descriptions by '##'. The awk commands is responsible for reading the | ||
# entire set of makefiles included in this invocation, looking for lines of the | ||
# file as xyz: ## something, and then pretty-format the target and help. Then, | ||
# if there's a line with ##@ something, that gets pretty-printed as a category. | ||
# More info on the usage of ANSI control characters for terminal formatting: | ||
# https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_parameters | ||
# More info on the awk command: | ||
# http://linuxcommand.org/lc3_adv_awk.php | ||
|
||
help: ## Display this help. | ||
@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) | ||
|
||
|
||
##@ Development | ||
lint: golangci-lint ## Lint code. | ||
$(GOLANGCILINT) run --timeout 10m | ||
|
||
unit-test: ## Run unit tests. | ||
go test ./... -coverprofile cover.out | ||
|
||
test: lint unit-test ## Run all tests (lint, unit-test). | ||
|
||
|
||
##@ Build | ||
.PHONY: build | ||
build: ## Build multi-networkpolicy-tc binary. | ||
$(GO_BUILD_OPTS) go build -o build/multi-networkpolicy-tc-$(GO_BIN_SUFFIX) cmd/multi-networkpolicy-tc/main.go | ||
|
||
build-in-docker: ## Build in docker container | ||
docker run -ti -v $(shell pwd):/code --user $(shell id -u $$(logname)):$(shell id -g $$(logname)) golang:1.18 bash -c \ | ||
"export GOCACHE=/tmp && cd /code && make build" | ||
|
||
run: ## Run a multi-networkpolicy-tc from your host. | ||
go run ./cmd/multi-networkpolicy-tc/main.go | ||
|
||
docker-build: ## Build docker image. | ||
dockerfile=Dockerfile; \ | ||
[ -f "$$dockerfile".$(TARGET_ARCH) ] && dockerfile="$$dockerfile".$(TARGET_ARCH); \ | ||
docker build -t $(IMG) -f $$dockerfile . | ||
|
||
docker-push: ## Push docker image. | ||
docker push ${IMG} | ||
|
||
|
||
##@ Deployment | ||
deploy: ## Deploy multi-networkpolicy-tc to the K8s cluster specified in ~/.kube/config. | ||
kubectl apply -f deploy/deploy.yaml | ||
|
||
undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. | ||
kubectl delete -f deploy/deploy.yaml | ||
|
||
|
||
##@ Dependency download | ||
KUSTOMIZE = $(shell pwd)/bin/kustomize | ||
kustomize: ## Download kustomize locally if necessary. | ||
$(call go-install-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/[email protected]) | ||
|
||
GOLANGCILINT = $(shell pwd)/bin/golangci-lint | ||
golangci-lint: ## Download golangci-lint locally if necessary. | ||
$(call go-install-tool,$(GOLANGCILINT),github.com/golangci/golangci-lint/cmd/[email protected]) | ||
|
||
MOCKERY = $(shell pwd)/bin/mockery | ||
mockery: ## Download mockery if necessary. | ||
$(call go-install-tool,$(MOCKERY),github.com/vektra/mockery/[email protected]) | ||
|
||
# go-get-tool will 'go get' any package $2 and install it to $1. | ||
PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST)))) | ||
define go-install-tool | ||
@[ -f $(1) ] || { \ | ||
set -e ;\ | ||
echo "Downloading $(2)" ;\ | ||
GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\ | ||
} | ||
endef |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
reviewers: | ||
- adrianc | ||
approvers: | ||
- adrianc |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
package main | ||
|
||
import ( | ||
"context" | ||
"log" | ||
"os" | ||
"time" | ||
|
||
"github.com/spf13/cobra" | ||
"github.com/spf13/pflag" | ||
|
||
"k8s.io/apimachinery/pkg/util/wait" | ||
"k8s.io/klog/v2" | ||
|
||
"github.com/Mellanox/multi-networkpolicy-tc/pkg/utils" | ||
) | ||
|
||
const logFlushFreqFlagName = "log-flush-frequency" | ||
|
||
var logFlushFreq = pflag.Duration(logFlushFreqFlagName, 5*time.Second, "Maximum number of seconds between log flushes") | ||
|
||
// KlogWriter serves as a bridge between the standard log package and the glog package. | ||
type KlogWriter struct{} | ||
|
||
// Write implements the io.Writer interface. | ||
func (writer KlogWriter) Write(data []byte) (n int, err error) { | ||
klog.InfoDepth(1, string(data)) | ||
return len(data), nil | ||
} | ||
|
||
func initLogs(ctx context.Context) { | ||
log.SetOutput(KlogWriter{}) | ||
log.SetFlags(0) | ||
go wait.Until(klog.Flush, *logFlushFreq, ctx.Done()) | ||
} | ||
|
||
func main() { | ||
ctx := utils.SetupSignalHandler() | ||
initLogs(ctx) | ||
defer klog.Flush() | ||
|
||
cmd := &cobra.Command{ | ||
Use: "multi-networkpolicy-tc", | ||
Long: `TBD`, | ||
Run: func(cmd *cobra.Command, args []string) { | ||
klog.Infof("running multi-networkpolicy-tc") | ||
klog.Infof("waiting for stop signal") | ||
<- ctx.Done() | ||
}, | ||
} | ||
|
||
if err := cmd.Execute(); err != nil { | ||
os.Exit(1) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,103 @@ | ||
--- | ||
kind: ClusterRole | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: multi-networkpolicy-tc | ||
rules: | ||
- apiGroups: ["k8s.cni.cncf.io"] | ||
resources: | ||
- '*' | ||
verbs: | ||
- '*' | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- pods | ||
- namespaces | ||
verbs: | ||
- list | ||
- watch | ||
- get | ||
- apiGroups: | ||
- "" | ||
- events.k8s.io | ||
resources: | ||
- events | ||
verbs: | ||
- create | ||
- patch | ||
- update | ||
--- | ||
kind: ClusterRoleBinding | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: multi-networkpolicy-tc | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: multi-networkpolicy | ||
subjects: | ||
- kind: ServiceAccount | ||
name: multi-networkpolicy | ||
namespace: kube-system | ||
--- | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: multi-networkpolicy-tc | ||
namespace: kube-system | ||
--- | ||
apiVersion: apps/v1 | ||
kind: DaemonSet | ||
metadata: | ||
name: multi-networkpolicy-tc-ds-amd64 | ||
namespace: kube-system | ||
labels: | ||
tier: node | ||
app: multi-networkpolicy-tc | ||
name: multi-networkpolicy-tc | ||
spec: | ||
selector: | ||
matchLabels: | ||
name: multi-networkpolicy-tc | ||
updateStrategy: | ||
type: RollingUpdate | ||
template: | ||
metadata: | ||
labels: | ||
tier: node | ||
app: multi-networkpolicy-tc | ||
name: multi-networkpolicy-tc | ||
spec: | ||
hostNetwork: true | ||
nodeSelector: | ||
kubernetes.io/arch: amd64 | ||
tolerations: | ||
- operator: Exists | ||
effect: NoSchedule | ||
serviceAccountName: multi-networkpolicy-tc | ||
containers: | ||
- name: multi-networkpolicy-tc | ||
image: nvidia.com/multi-networkpolicy-tc:latest | ||
imagePullPolicy: IfNotPresent | ||
command: ["/usr/bin/multi-networkpolicy-tc"] | ||
args: | ||
- "--pod-rules-path=/var/lib/multi-networkpolicy-tc" | ||
resources: | ||
requests: | ||
cpu: "100m" | ||
memory: "150Mi" | ||
limits: | ||
cpu: "200m" | ||
memory: "300Mi" | ||
securityContext: | ||
privileged: true | ||
capabilities: | ||
add: ["NET_ADMIN"] | ||
volumeMounts: | ||
- name: var-lib-multinetworkpolicy | ||
mountPath: /var/lib/multi-networkpolicy | ||
volumes: | ||
- name: var-lib-multinetworkpolicy | ||
hostPath: | ||
path: /var/lib/multi-networkpolicy |
Oops, something went wrong.