Bump network-policy-api dependency to v0.1.5 #6353
base: main
Conversation
The previously released version still contains a go.mod dependency on k8s.io/kubernetes, which should be removed. In addition, the following changes were made in network-policy-api:

- sameLabels and notSameLabels are deprecated to make way for the future tenancy-based API
- Because of the removal of these fields, admission control of the ANP and BANP resources is no longer required
- Peers are split into AdminNetworkPolicyIngress/EgressPeer since there will be a fqdn field added specifically for the egress peer
- Minor changes in terms of nesting of pod/ns selectors

The Antrea implementation has been updated to reflect those changes.

Signed-off-by: Dyanngg <dingyang@vmware.com>
Just to clarify: you are intentionally keeping the /validate/anp and /validate/banp validation endpoints in the Antrea APIServer?
antrea/pkg/apiserver/apiserver.go, lines 314 to 315 in 8a4682c:

```go
s.Handler.NonGoRestfulMux.HandleFunc("/validate/anp", webhook.HandlerForValidateFunc(v.Validate))
s.Handler.NonGoRestfulMux.HandleFunc("/validate/banp", webhook.HandlerForValidateFunc(v.Validate))
```
I think this is the right thing to do, as some users may be using an old Antrea YAML manifest with a newer Antrea container image. But maybe we should add a comment to apiserver.go to indicate why we have these paths registered, but we are not actually performing any validation?
BTW, the upstream API changes break backwards-compatibility, but I assume it was intentional (Alpha API)? Even then, it would have been nice to have an API version bump upstream (v1alpha2). I wonder if we should add a note in our own release notes for v2.1 about this breaking change. Not bumping up the API version upstream makes it difficult to track which "version" is implemented by a given version of a network plugin such as Antrea.
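The comment above points at a practitioner caveat: a cluster that still carries an older Antrea manifest has a ValidatingWebhookConfiguration pointing at /validate/anp and /validate/banp, so if those paths stopped answering, every ANP/BANP create or update would be refused (or silently waved through, depending on the webhook's failurePolicy). The block below is an added, stand-alone example and not Antrea's code: it shows what a deliberately no-op responder for those legacy paths looks like, always admitting but attaching an AdmissionReview warning so operators learn the webhook config is stale. The AdmissionReview structs are a stdlib-only mirror of the admission.k8s.io/v1 wire format limited to the fields this needs; the function and handler names, and the sample request in main, are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// Minimal stdlib-only mirror of the admission.k8s.io/v1 AdmissionReview
// wire format (assumption: only the fields a no-op responder needs).
type groupVersionKind struct {
	Group   string `json:"group"`
	Version string `json:"version"`
	Kind    string `json:"kind"`
}

type admissionRequest struct {
	UID  string           `json:"uid"`
	Kind groupVersionKind `json:"kind"`
}

type admissionResponse struct {
	UID      string   `json:"uid"`
	Allowed  bool     `json:"allowed"`
	Warnings []string `json:"warnings,omitempty"`
}

type admissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *admissionRequest  `json:"request,omitempty"`
	Response   *admissionResponse `json:"response,omitempty"`
}

// respondLegacy builds the AdmissionReview response for a legacy validation
// path. It always admits (there is nothing left to validate), echoes the
// request UID as the API server requires, and attaches a warning so that a
// cluster still carrying the old ValidatingWebhookConfiguration surfaces the
// fact on every kubectl apply.
func respondLegacy(body []byte, path string) (*admissionReview, error) {
	var in admissionReview
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, fmt.Errorf("decoding AdmissionReview: %w", err)
	}
	if in.Request == nil || in.Request.UID == "" {
		return nil, errors.New("AdmissionReview carries no request")
	}
	return &admissionReview{
		APIVersion: in.APIVersion,
		Kind:       in.Kind,
		Response: &admissionResponse{
			UID:     in.Request.UID,
			Allowed: true,
			Warnings: []string{fmt.Sprintf(
				"%s is no longer validated by the Antrea webhook at %s; remove the stale ValidatingWebhookConfiguration",
				in.Request.Kind.Kind, path)},
		},
	}, nil
}

// legacyValidateHandler adapts respondLegacy to net/http; the body is capped
// at 1 MiB so a stale webhook path cannot be used to exhaust memory.
func legacyValidateHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	out, err := respondLegacy(body, r.URL.Path)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(out)
}

// registerLegacyValidationPaths keeps the two paths an older Antrea manifest
// may still point its webhook at (the real server registers them on
// NonGoRestfulMux; a plain ServeMux stands in here).
func registerLegacyValidationPaths(mux *http.ServeMux) {
	mux.HandleFunc("/validate/anp", legacyValidateHandler)
	mux.HandleFunc("/validate/banp", legacyValidateHandler)
}

func main() {
	// Constructed sample request, not captured from a real cluster.
	sample := []byte(`{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"2f1a","kind":{"group":"policy.networking.k8s.io","version":"v1alpha1","kind":"AdminNetworkPolicy"}}}`)
	out, err := respondLegacy(sample, "/validate/anp")
	if err != nil {
		panic(err)
	}
	enc, _ := json.MarshalIndent(out, "", "  ")
	fmt.Println(string(enc))
}
```

The warning is the important part: "allowed: true" with no signal means the stale webhook config is never noticed, whereas kubectl prints AdmissionReview warnings to the user on every apply.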
```shell
--organization=antrea-io -project=antrea -url=https://github.com/antrea-io/antrea -version=v2.0 \
--additional-info=https://github.com/antrea-io/antrea/actions/workflows/kind.yml \
```
I'm curious to know what these 4 flags are for?
So that we can generate a conformance report and put it upstream like https://github.com/kubernetes-sigs/network-policy-api/blob/main/conformance/reports/v0.1.2/ovn-kubernetes.yaml
How do you want to handle the version though? Because technically, the version being tested here is unreleased when this is run as part of CI.

What you could do if you want is use an environment variable, that can be set when calling this script, and would otherwise default to the contents of the VERSION file (which is at the root of the repository). Then you would add a new Github workflow that can be run on demand (workflow_dispatch trigger) and would run the tests for a specific released Antrea version (version string to be provided as a workflow input). The workflow would upload the generated compliance report as an artifact for convenient download, and could even be run automatically for new Antrea releases.

I think that's the right approach, but it could be done in a later PR. For now I would just recommend implementing part of this proposal:

- add a VERSION environment variable or command-line flag
- if provided, install the specified Antrea version and use the provided version value as -version
- if not provided, keep the current behavior, but use the contents of the VERSION file ($(head -n1 $ROOT_DIR/VERSION)) for -version
Will do. I'll update this PR once the network-policy-api cuts a v2.0 release, which is going to happen very soon
@@ -265,7 +225,8 @@ func banpActionToCRDAction(action v1alpha1.BaselineAdminNetworkPolicyRuleAction) | |||
} | |||
|
|||
func (n *NetworkPolicyController) processAdminNetworkPolicy(anp *v1alpha1.AdminNetworkPolicy) (*antreatypes.NetworkPolicy, map[string]*antreatypes.AppliedToGroup, map[string]*antreatypes.AddressGroup) { | |||
appliedToPerRule := anpHasNamespaceLabelRule(anp) |
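Review bot: the call to anpHasNamespaceLabelRule(anp) at the top of processAdminNetworkPolicy now looks like dead logic, since the commit message says sameLabels/notSameLabels are deprecated upstream and admission control for ANP/BANP is no longer required, so the helper can never see a policy that uses those fields. Either drop the helper and the appliedToPerRule branch in this change, or leave a short comment (or TODO) next to the call saying why it is kept, so the next reader does not have to rediscover this from the PR thread.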
why did we have this function call before, given that this case was not supported?
Yeah they shouldn't really be there, admission webhook would reject any policies that have these fields
Yes I'll also add a TODO to have these removed at some point.
Agreed

This PR is stale because it has been open 90 days with no activity. Remove stale label or comment, or this will be closed in 90 days.