From 494d49d02b5e8552783c08c74f51d67a3b3837da Mon Sep 17 00:00:00 2001 From: Andre Fredette Date: Mon, 18 Nov 2024 13:22:30 -0500 Subject: [PATCH] API for attaching BPF programs inside network namespaces This API addition allows XDP, TC, and TCX BPF programs to be attached to interfaces inside network namespaces. The API from the Network Observability Operator (https://github.com/netobserv/network-observability-operator) was adapted. Signed-off-by: Andre Fredette --- apis/v1alpha1/shared_types.go | 30 ++++- apis/v1alpha1/zz_generated.deepcopy.go | 53 ++++++++ ...bpfman-operator.clusterserviceversion.yaml | 2 +- .../manifests/bpfman.io_bpfapplications.yaml | 114 +++++++++++++++++- bundle/manifests/bpfman.io_tcprograms.yaml | 38 +++++- bundle/manifests/bpfman.io_tcxprograms.yaml | 38 +++++- bundle/manifests/bpfman.io_xdpprograms.yaml | 38 +++++- .../crd/bases/bpfman.io_bpfapplications.yaml | 114 +++++++++++++++++- config/crd/bases/bpfman.io_tcprograms.yaml | 38 +++++- config/crd/bases/bpfman.io_tcxprograms.yaml | 38 +++++- config/crd/bases/bpfman.io_xdpprograms.yaml | 38 +++++- 11 files changed, 527 insertions(+), 14 deletions(-) diff --git a/apis/v1alpha1/shared_types.go b/apis/v1alpha1/shared_types.go index c31bd8eb4..720a73259 100644 --- a/apis/v1alpha1/shared_types.go +++ b/apis/v1alpha1/shared_types.go 
@@ -21,15 +21,43 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+// Identifies interfaces that may be in a network namespace.
+type NetnsInterface struct {
+ // Interfaces contains the interface names to which the BPF program should
+ // be attached. If empty, all the interfaces in the system are selected,
+ // except the ones listed in ExcludeInterfaces. An entry enclosed by
+ // slashes, such as `/br-/`, is matched as a regular expression. Otherwise
+ // it is matched as a case-sensitive string.
+ // +optional
+ Interfaces *[]string `json:"interfaces,omitempty"`
+
+ // ExcludeInterfaces contains the interface names that are excluded from
+ // selection. An entry enclosed by slashes, such as `/br-/`, is matched as a
+ // regular expression. Otherwise it is matched as a case-sensitive string.
+ // +optional
+ ExcludeInterfaces *[]string `json:"excludeInterfaces,omitempty"`
+
+ // NetworkNamespaces contains a list of network namespaces in which to look
+ // for the listed interfaces. If empty, all network namespaces in the
+ // system are selected.
+ // +optional
+ NetworkNamespaces *[]string `json:"networknamespaces,omitempty"`
+}
+
 // InterfaceSelector defines interface to attach to.
 // +kubebuilder:validation:MaxProperties=1
 // +kubebuilder:validation:MinProperties=1
 type InterfaceSelector struct {
- // Interfaces refers to a list of network interfaces to attach the BPF
+ // Interfaces contains a list of network interfaces to attach the BPF
 // program to.
 // +optional
 Interfaces *[]string `json:"interfaces,omitempty"`
 
+ // NetnsInterfaces contains a list of network interfaces that may be
+ // qualified by network namespace.
+ // +optional
+ NetnsInterfaces *[]NetnsInterface `json:"netnsinterfaces,omitempty"`
+
 // Attach BPF program to the primary interface on the node. Only 'true' accepted.
 // +optional
 PrimaryNodeInterface *bool `json:"primarynodeinterface,omitempty"`
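Review bot: NetnsInterface carries no validation markers, so `netnsinterfaces: [{}]` is accepted, and by its own field docs an empty entry selects every interface in every network namespace on the node — the `MaxProperties=1`/`MinProperties=1` markers sit on InterfaceSelector and do not reach the nested type. Consider `// +kubebuilder:validation:MinProperties=1` above `type NetnsInterface struct` and a `// +kubebuilder:validation:MaxItems=<limit>` on each of the three lists, so the all-interfaces/all-namespaces attach has to be written out explicitly rather than falling out of an empty object. The NetworkNamespaces doc also leaves open what an entry is (a netns name, a path, …); state which, since whatever resolves it on the node has to agree with the user. Two smaller points: the JSON tag `excludeInterfaces` is camelCase while every other tag in this selector (`interfaces`, `netnsinterfaces`, `networknamespaces`, `primarynodeinterface`) is lowercase, and the type comment should start with the name, `// NetnsInterface identifies interfaces that may be in a network namespace.` InterfaceSelector continues past the end of the hunk.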
diff --git a/apis/v1alpha1/zz_generated.deepcopy.go b/apis/v1alpha1/zz_generated.deepcopy.go index 80f3b52cd..92d609a39 100644 --- a/apis/v1alpha1/zz_generated.deepcopy.go +++ b/apis/v1alpha1/zz_generated.deepcopy.go @@ -668,6 +668,17 @@ func (in *InterfaceSelector) DeepCopyInto(out *InterfaceSelector) { copy(*out, *in) } } + if in.NetnsInterfaces != nil { + in, out := &in.NetnsInterfaces, &out.NetnsInterfaces + *out = new([]NetnsInterface) + if **in != nil { + in, out := *in, *out + *out = make([]NetnsInterface, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + } if in.PrimaryNodeInterface != nil { in, out := &in.PrimaryNodeInterface, &out.PrimaryNodeInterface *out = new(bool) 
@@ -793,6 +804,48 @@ func (in *KprobeProgramStatus) DeepCopy() *KprobeProgramStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetnsInterface) DeepCopyInto(out *NetnsInterface) { + *out = *in + if in.Interfaces != nil { + in, out := &in.Interfaces, &out.Interfaces + *out = new([]string) + if **in != nil { + in, out := *in, *out + *out = make([]string, len(*in)) + copy(*out, *in) + } + } + if in.ExcludeInterfaces != nil { + in, out := &in.ExcludeInterfaces, &out.ExcludeInterfaces + *out = new([]string) + if **in != nil { + in, out := *in, *out + *out = make([]string, len(*in)) + copy(*out, *in) + } + } + if in.NetworkNamespaces != nil { + in, out := &in.NetworkNamespaces, &out.NetworkNamespaces + *out = new([]string) + if **in != nil { + in, out := *in, *out + *out = make([]string, len(*in)) + copy(*out, *in) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetnsInterface. +func (in *NetnsInterface) DeepCopy() *NetnsInterface { + if in == nil { + return nil + } + out := new(NetnsInterface) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TcProgram) DeepCopyInto(out *TcProgram) { *out = *in diff --git a/bundle/manifests/bpfman-operator.clusterserviceversion.yaml b/bundle/manifests/bpfman-operator.clusterserviceversion.yaml index 59339fa32..f6e836bd7 100644 --- a/bundle/manifests/bpfman-operator.clusterserviceversion.yaml +++ b/bundle/manifests/bpfman-operator.clusterserviceversion.yaml 
@@ -307,7 +307,7 @@ metadata: capabilities: Basic Install categories: OpenShift Optional containerImage: quay.io/bpfman/bpfman-operator:latest - createdAt: "2024-10-21T11:51:40Z" + createdAt: "2024-11-19T12:24:39Z" features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "false" features.operators.openshift.io/csi: "true" diff --git a/bundle/manifests/bpfman.io_bpfapplications.yaml b/bundle/manifests/bpfman.io_bpfapplications.yaml index 4f6a53fdd..e3a9d4d09 100644 --- a/bundle/manifests/bpfman.io_bpfapplications.yaml +++ b/bundle/manifests/bpfman.io_bpfapplications.yaml 
@@ -475,11 +475,47 @@ spec: properties: interfaces: description: |- - Interfaces refers to a list of network interfaces to attach the BPF + Interfaces contains a list of network interfaces to attach the BPF program to. items: type: string type: array + netnsinterfaces: + description: |- + NetnsInterfaces contains a list of network interfaces that may be + qualified by network namespace. + items: + description: Identifies interfaces that may be in + a network namespace. + properties: + excludeInterfaces: + description: |- + ExcludeInterfaces contains the interface names that are excluded from + selection. An entry enclosed by slashes, such as `/br-/`, is matched as a + regular expression. Otherwise it is matched as a case-sensitive string. + items: + type: string + type: array + interfaces: + description: |- + Interfaces contains the interface names to which the BPF program should + be attached. If empty, all the interfaces in the system are selected, + except the ones listed in ExcludeInterfaces. An entry enclosed by + slashes, such as `/br-/`, is matched as a regular expression. Otherwise + it is matched as a case-sensitive string. + items: + type: string + type: array + networknamespaces: + description: |- + NetworkNamespaces contains a list of network namespaces in which to look + for the listed interfaces. If empty, all network namespaces in the + system are selected. + items: + type: string + type: array + type: object + type: array primarynodeinterface: description: Attach BPF program to the primary interface on the node. Only 'true' accepted. 
@@ -598,11 +634,47 @@ spec: properties: interfaces: description: |- - Interfaces refers to a list of network interfaces to attach the BPF + Interfaces contains a list of network interfaces to attach the BPF program to. items: type: string type: array + netnsinterfaces: + description: |- + NetnsInterfaces contains a list of network interfaces that may be + qualified by network namespace. + items: + description: Identifies interfaces that may be in + a network namespace. + properties: + excludeInterfaces: + description: |- + ExcludeInterfaces contains the interface names that are excluded from + selection. An entry enclosed by slashes, such as `/br-/`, is matched as a + regular expression. Otherwise it is matched as a case-sensitive string. + items: + type: string + type: array + interfaces: + description: |- + Interfaces contains the interface names to which the BPF program should + be attached. If empty, all the interfaces in the system are selected, + except the ones listed in ExcludeInterfaces. An entry enclosed by + slashes, such as `/br-/`, is matched as a regular expression. Otherwise + it is matched as a case-sensitive string. + items: + type: string + type: array + networknamespaces: + description: |- + NetworkNamespaces contains a list of network namespaces in which to look + for the listed interfaces. If empty, all network namespaces in the + system are selected. + items: + type: string + type: array + type: object + type: array primarynodeinterface: description: Attach BPF program to the primary interface on the node. Only 'true' accepted. 
@@ -1090,11 +1162,47 @@ spec: properties: interfaces: description: |- - Interfaces refers to a list of network interfaces to attach the BPF + Interfaces contains a list of network interfaces to attach the BPF program to. items: type: string type: array + netnsinterfaces: + description: |- + NetnsInterfaces contains a list of network interfaces that may be + qualified by network namespace. + items: + description: Identifies interfaces that may be in + a network namespace. + properties: + excludeInterfaces: + description: |- + ExcludeInterfaces contains the interface names that are excluded from + selection. An entry enclosed by slashes, such as `/br-/`, is matched as a + regular expression. Otherwise it is matched as a case-sensitive string. + items: + type: string + type: array + interfaces: + description: |- + Interfaces contains the interface names to which the BPF program should + be attached. If empty, all the interfaces in the system are selected, + except the ones listed in ExcludeInterfaces. An entry enclosed by + slashes, such as `/br-/`, is matched as a regular expression. Otherwise + it is matched as a case-sensitive string. + items: + type: string + type: array + networknamespaces: + description: |- + NetworkNamespaces contains a list of network namespaces in which to look + for the listed interfaces. If empty, all network namespaces in the + system are selected. + items: + type: string + type: array + type: object + type: array primarynodeinterface: description: Attach BPF program to the primary interface on the node. Only 'true' accepted. diff --git a/bundle/manifests/bpfman.io_tcprograms.yaml b/bundle/manifests/bpfman.io_tcprograms.yaml index ca3dec73e..7f71b8caf 100644 --- a/bundle/manifests/bpfman.io_tcprograms.yaml +++ b/bundle/manifests/bpfman.io_tcprograms.yaml 
@@ -140,11 +140,47 @@ spec: properties: interfaces: description: |- - Interfaces refers to a list of network interfaces to attach the BPF + Interfaces contains a list of network interfaces to attach the BPF program to. items: type: string type: array + netnsinterfaces: + description: |- + NetnsInterfaces contains a list of network interfaces that may be + qualified by network namespace. + items: + description: Identifies interfaces that may be in a network + namespace. + properties: + excludeInterfaces: + description: |- + ExcludeInterfaces contains the interface names that are excluded from + selection. An entry enclosed by slashes, such as `/br-/`, is matched as a + regular expression. Otherwise it is matched as a case-sensitive string. + items: + type: string + type: array + interfaces: + description: |- + Interfaces contains the interface names to which the BPF program should + be attached. If empty, all the interfaces in the system are selected, + except the ones listed in ExcludeInterfaces. An entry enclosed by + slashes, such as `/br-/`, is matched as a regular expression. Otherwise + it is matched as a case-sensitive string. + items: + type: string + type: array + networknamespaces: + description: |- + NetworkNamespaces contains a list of network namespaces in which to look + for the listed interfaces. If empty, all network namespaces in the + system are selected. + items: + type: string + type: array + type: object + type: array primarynodeinterface: description: Attach BPF program to the primary interface on the node. Only 'true' accepted. diff --git a/bundle/manifests/bpfman.io_tcxprograms.yaml b/bundle/manifests/bpfman.io_tcxprograms.yaml index e230c0dac..874d094cc 100644 --- a/bundle/manifests/bpfman.io_tcxprograms.yaml +++ b/bundle/manifests/bpfman.io_tcxprograms.yaml 
@@ -140,11 +140,47 @@ spec: properties: interfaces: description: |- - Interfaces refers to a list of network interfaces to attach the BPF + Interfaces contains a list of network interfaces to attach the BPF program to. items: type: string type: array + netnsinterfaces: + description: |- + NetnsInterfaces contains a list of network interfaces that may be + qualified by network namespace. + items: + description: Identifies interfaces that may be in a network + namespace. + properties: + excludeInterfaces: + description: |- + ExcludeInterfaces contains the interface names that are excluded from + selection. An entry enclosed by slashes, such as `/br-/`, is matched as a + regular expression. Otherwise it is matched as a case-sensitive string. + items: + type: string + type: array + interfaces: + description: |- + Interfaces contains the interface names to which the BPF program should + be attached. If empty, all the interfaces in the system are selected, + except the ones listed in ExcludeInterfaces. An entry enclosed by + slashes, such as `/br-/`, is matched as a regular expression. Otherwise + it is matched as a case-sensitive string. + items: + type: string + type: array + networknamespaces: + description: |- + NetworkNamespaces contains a list of network namespaces in which to look + for the listed interfaces. If empty, all network namespaces in the + system are selected. + items: + type: string + type: array + type: object + type: array primarynodeinterface: description: Attach BPF program to the primary interface on the node. Only 'true' accepted. diff --git a/bundle/manifests/bpfman.io_xdpprograms.yaml b/bundle/manifests/bpfman.io_xdpprograms.yaml index 94ce6b7c4..350a7fc4c 100644 --- a/bundle/manifests/bpfman.io_xdpprograms.yaml +++ b/bundle/manifests/bpfman.io_xdpprograms.yaml 
@@ -128,11 +128,47 @@ spec: properties: interfaces: description: |- - Interfaces refers to a list of network interfaces to attach the BPF + Interfaces contains a list of network interfaces to attach the BPF program to. items: type: string type: array + netnsinterfaces: + description: |- + NetnsInterfaces contains a list of network interfaces that may be + qualified by network namespace. + items: + description: Identifies interfaces that may be in a network + namespace. + properties: + excludeInterfaces: + description: |- + ExcludeInterfaces contains the interface names that are excluded from + selection. An entry enclosed by slashes, such as `/br-/`, is matched as a + regular expression. Otherwise it is matched as a case-sensitive string. + items: + type: string + type: array + interfaces: + description: |- + Interfaces contains the interface names to which the BPF program should + be attached. If empty, all the interfaces in the system are selected, + except the ones listed in ExcludeInterfaces. An entry enclosed by + slashes, such as `/br-/`, is matched as a regular expression. Otherwise + it is matched as a case-sensitive string. + items: + type: string + type: array + networknamespaces: + description: |- + NetworkNamespaces contains a list of network namespaces in which to look + for the listed interfaces. If empty, all network namespaces in the + system are selected. + items: + type: string + type: array + type: object + type: array primarynodeinterface: description: Attach BPF program to the primary interface on the node. Only 'true' accepted. diff --git a/config/crd/bases/bpfman.io_bpfapplications.yaml b/config/crd/bases/bpfman.io_bpfapplications.yaml index 9bc282ef1..cb812fee7 100644 --- a/config/crd/bases/bpfman.io_bpfapplications.yaml +++ b/config/crd/bases/bpfman.io_bpfapplications.yaml 
@@ -475,11 +475,47 @@ spec: properties: interfaces: description: |- - Interfaces refers to a list of network interfaces to attach the BPF + Interfaces contains a list of network interfaces to attach the BPF program to. items: type: string type: array + netnsinterfaces: + description: |- + NetnsInterfaces contains a list of network interfaces that may be + qualified by network namespace. + items: + description: Identifies interfaces that may be in + a network namespace. + properties: + excludeInterfaces: + description: |- + ExcludeInterfaces contains the interface names that are excluded from + selection. An entry enclosed by slashes, such as `/br-/`, is matched as a + regular expression. Otherwise it is matched as a case-sensitive string. + items: + type: string + type: array + interfaces: + description: |- + Interfaces contains the interface names to which the BPF program should + be attached. If empty, all the interfaces in the system are selected, + except the ones listed in ExcludeInterfaces. An entry enclosed by + slashes, such as `/br-/`, is matched as a regular expression. Otherwise + it is matched as a case-sensitive string. + items: + type: string + type: array + networknamespaces: + description: |- + NetworkNamespaces contains a list of network namespaces in which to look + for the listed interfaces. If empty, all network namespaces in the + system are selected. + items: + type: string + type: array + type: object + type: array primarynodeinterface: description: Attach BPF program to the primary interface on the node. Only 'true' accepted. 
@@ -598,11 +634,47 @@ spec: properties: interfaces: description: |- - Interfaces refers to a list of network interfaces to attach the BPF + Interfaces contains a list of network interfaces to attach the BPF program to. items: type: string type: array + netnsinterfaces: + description: |- + NetnsInterfaces contains a list of network interfaces that may be + qualified by network namespace. + items: + description: Identifies interfaces that may be in + a network namespace. + properties: + excludeInterfaces: + description: |- + ExcludeInterfaces contains the interface names that are excluded from + selection. An entry enclosed by slashes, such as `/br-/`, is matched as a + regular expression. Otherwise it is matched as a case-sensitive string. + items: + type: string + type: array + interfaces: + description: |- + Interfaces contains the interface names to which the BPF program should + be attached. If empty, all the interfaces in the system are selected, + except the ones listed in ExcludeInterfaces. An entry enclosed by + slashes, such as `/br-/`, is matched as a regular expression. Otherwise + it is matched as a case-sensitive string. + items: + type: string + type: array + networknamespaces: + description: |- + NetworkNamespaces contains a list of network namespaces in which to look + for the listed interfaces. If empty, all network namespaces in the + system are selected. + items: + type: string + type: array + type: object + type: array primarynodeinterface: description: Attach BPF program to the primary interface on the node. Only 'true' accepted. 
@@ -1090,11 +1162,47 @@ spec: properties: interfaces: description: |- - Interfaces refers to a list of network interfaces to attach the BPF + Interfaces contains a list of network interfaces to attach the BPF program to. items: type: string type: array + netnsinterfaces: + description: |- + NetnsInterfaces contains a list of network interfaces that may be + qualified by network namespace. + items: + description: Identifies interfaces that may be in + a network namespace. + properties: + excludeInterfaces: + description: |- + ExcludeInterfaces contains the interface names that are excluded from + selection. An entry enclosed by slashes, such as `/br-/`, is matched as a + regular expression. Otherwise it is matched as a case-sensitive string. + items: + type: string + type: array + interfaces: + description: |- + Interfaces contains the interface names to which the BPF program should + be attached. If empty, all the interfaces in the system are selected, + except the ones listed in ExcludeInterfaces. An entry enclosed by + slashes, such as `/br-/`, is matched as a regular expression. Otherwise + it is matched as a case-sensitive string. + items: + type: string + type: array + networknamespaces: + description: |- + NetworkNamespaces contains a list of network namespaces in which to look + for the listed interfaces. If empty, all network namespaces in the + system are selected. + items: + type: string + type: array + type: object + type: array primarynodeinterface: description: Attach BPF program to the primary interface on the node. Only 'true' accepted. diff --git a/config/crd/bases/bpfman.io_tcprograms.yaml b/config/crd/bases/bpfman.io_tcprograms.yaml index 29df476c7..cda33b6f1 100644 --- a/config/crd/bases/bpfman.io_tcprograms.yaml +++ b/config/crd/bases/bpfman.io_tcprograms.yaml 
@@ -140,11 +140,47 @@ spec: properties: interfaces: description: |- - Interfaces refers to a list of network interfaces to attach the BPF + Interfaces contains a list of network interfaces to attach the BPF program to. items: type: string type: array + netnsinterfaces: + description: |- + NetnsInterfaces contains a list of network interfaces that may be + qualified by network namespace. + items: + description: Identifies interfaces that may be in a network + namespace. + properties: + excludeInterfaces: + description: |- + ExcludeInterfaces contains the interface names that are excluded from + selection. An entry enclosed by slashes, such as `/br-/`, is matched as a + regular expression. Otherwise it is matched as a case-sensitive string. + items: + type: string + type: array + interfaces: + description: |- + Interfaces contains the interface names to which the BPF program should + be attached. If empty, all the interfaces in the system are selected, + except the ones listed in ExcludeInterfaces. An entry enclosed by + slashes, such as `/br-/`, is matched as a regular expression. Otherwise + it is matched as a case-sensitive string. + items: + type: string + type: array + networknamespaces: + description: |- + NetworkNamespaces contains a list of network namespaces in which to look + for the listed interfaces. If empty, all network namespaces in the + system are selected. + items: + type: string + type: array + type: object + type: array primarynodeinterface: description: Attach BPF program to the primary interface on the node. Only 'true' accepted. diff --git a/config/crd/bases/bpfman.io_tcxprograms.yaml b/config/crd/bases/bpfman.io_tcxprograms.yaml index 5b813f761..1bb388b10 100644 --- a/config/crd/bases/bpfman.io_tcxprograms.yaml +++ b/config/crd/bases/bpfman.io_tcxprograms.yaml 
@@ -140,11 +140,47 @@ spec: properties: interfaces: description: |- - Interfaces refers to a list of network interfaces to attach the BPF + Interfaces contains a list of network interfaces to attach the BPF program to. items: type: string type: array + netnsinterfaces: + description: |- + NetnsInterfaces contains a list of network interfaces that may be + qualified by network namespace. + items: + description: Identifies interfaces that may be in a network + namespace. + properties: + excludeInterfaces: + description: |- + ExcludeInterfaces contains the interface names that are excluded from + selection. An entry enclosed by slashes, such as `/br-/`, is matched as a + regular expression. Otherwise it is matched as a case-sensitive string. + items: + type: string + type: array + interfaces: + description: |- + Interfaces contains the interface names to which the BPF program should + be attached. If empty, all the interfaces in the system are selected, + except the ones listed in ExcludeInterfaces. An entry enclosed by + slashes, such as `/br-/`, is matched as a regular expression. Otherwise + it is matched as a case-sensitive string. + items: + type: string + type: array + networknamespaces: + description: |- + NetworkNamespaces contains a list of network namespaces in which to look + for the listed interfaces. If empty, all network namespaces in the + system are selected. + items: + type: string + type: array + type: object + type: array primarynodeinterface: description: Attach BPF program to the primary interface on the node. Only 'true' accepted. diff --git a/config/crd/bases/bpfman.io_xdpprograms.yaml b/config/crd/bases/bpfman.io_xdpprograms.yaml index 131fd0435..64e4857b9 100644 --- a/config/crd/bases/bpfman.io_xdpprograms.yaml +++ b/config/crd/bases/bpfman.io_xdpprograms.yaml 
@@ -128,11 +128,47 @@ spec: properties: interfaces: description: |- - Interfaces refers to a list of network interfaces to attach the BPF + Interfaces contains a list of network interfaces to attach the BPF program to. items: type: string type: array + netnsinterfaces: + description: |- + NetnsInterfaces contains a list of network interfaces that may be + qualified by network namespace. + items: + description: Identifies interfaces that may be in a network + namespace. + properties: + excludeInterfaces: + description: |- + ExcludeInterfaces contains the interface names that are excluded from + selection. An entry enclosed by slashes, such as `/br-/`, is matched as a + regular expression. Otherwise it is matched as a case-sensitive string. + items: + type: string + type: array + interfaces: + description: |- + Interfaces contains the interface names to which the BPF program should + be attached. If empty, all the interfaces in the system are selected, + except the ones listed in ExcludeInterfaces. An entry enclosed by + slashes, such as `/br-/`, is matched as a regular expression. Otherwise + it is matched as a case-sensitive string. + items: + type: string + type: array + networknamespaces: + description: |- + NetworkNamespaces contains a list of network namespaces in which to look + for the listed interfaces. If empty, all network namespaces in the + system are selected. + items: + type: string + type: array + type: object + type: array primarynodeinterface: description: Attach BPF program to the primary interface on the node. Only 'true' accepted.