
Commit 1165a8c

Add support for attaching TCX, TC and XDP programs inside containers. (#345)

* Add ContainerSelector to tc, tcx, and xdp programs
* Add netns support for TCX, TC and XDP programs. GetPrimaryNodeInterface() only finds the primary "node" interface, which may or may not be the name of the primary interface inside of a container.

Signed-off-by: Andre Fredette <[email protected]>
1 parent 07f9ef1 commit 1165a8c

28 files changed (+1561 -285 lines)

apis/v1alpha1/tcProgram_types.go

Lines changed: 6 additions & 0 deletions
@@ -61,6 +61,12 @@ type TcProgramInfo struct {
6161
// Selector to determine the network interface (or interfaces)
6262
InterfaceSelector InterfaceSelector `json:"interfaceselector"`
6363

64+
// Containers identifes the set of containers in which to attach the eBPF
65+
// program. If Containers is not specified, the BPF program will be attached
66+
// in the root network namespace.
67+
// +optional
68+
Containers *ContainerSelector `json:"containers"`
69+
6470
// Priority specifies the priority of the tc program in relation to
6571
// other programs of the same type with the same attach point. It is a value
6672
// from 0 to 1000 where lower values have higher precedence.
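Review bot: `Containers *ContainerSelector `json:"containers"`` is a pointer marked `+optional` but the tag lacks `omitempty`, so a nil selector serializes as `"containers": null` instead of being omitted; use `json:"containers,omitempty"` to match the optional marker. The doc comment on the same field misspells "identifes" (should be "identifies"), and since the CRD descriptions in this commit are generated from this comment, fix it here and regenerate rather than in the YAML.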

apis/v1alpha1/tcxProgram_types.go

Lines changed: 6 additions & 0 deletions
@@ -58,6 +58,12 @@ type TcxProgramInfo struct {
5858
// Selector to determine the network interface (or interfaces)
5959
InterfaceSelector InterfaceSelector `json:"interfaceselector"`
6060

61+
// Containers identifes the set of containers in which to attach the eBPF
62+
// program. If Containers is not specified, the BPF program will be attached
63+
// in the root network namespace.
64+
// +optional
65+
Containers *ContainerSelector `json:"containers"`
66+
6167
// Direction specifies the direction of traffic the tcx program should
6268
// attach to for a given network device.
6369
// +kubebuilder:validation:Enum=ingress;egress
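Review bot: same two points as the tc type in this commit: the `+optional` pointer field `Containers *ContainerSelector` should be tagged `json:"containers,omitempty"` so an unset selector is omitted from serialized objects, and "identifes" in the doc comment should read "identifies".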

apis/v1alpha1/xdpProgram_types.go

Lines changed: 6 additions & 0 deletions
@@ -59,6 +59,12 @@ type XdpProgramInfo struct {
5959
// Selector to determine the network interface (or interfaces)
6060
InterfaceSelector InterfaceSelector `json:"interfaceselector"`
6161

62+
// Containers identifes the set of containers in which to attach the eBPF
63+
// program. If Containers is not specified, the BPF program will be attached
64+
// in the root network namespace.
65+
// +optional
66+
Containers *ContainerSelector `json:"containers"`
67+
6268
// Priority specifies the priority of the bpf program in relation to
6369
// other programs of the same type with the same attach point. It is a value
6470
// from 0 to 1000 where lower values have higher precedence.
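Review bot: the doc comment states only what happens when `Containers` is unset (attach in the root network namespace); given the commit message's point that `GetPrimaryNodeInterface()` resolves the node's primary interface and not necessarily the container's, the comment should also state that when `Containers` is set, `InterfaceSelector` is resolved inside each selected container's network namespace, so users know which namespace an interface name refers to. The `json:"containers"` tag should also carry `,omitempty` for this optional pointer, and "identifes" should read "identifies".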

apis/v1alpha1/zz_generated.deepcopy.go

Lines changed: 15 additions & 0 deletions
Some generated files are not rendered by default.

bundle/manifests/bpfman-operator.clusterserviceversion.yaml

Lines changed: 1 addition & 1 deletion
@@ -307,7 +307,7 @@ metadata:
307307
capabilities: Basic Install
308308
categories: OpenShift Optional
309309
containerImage: quay.io/bpfman/bpfman-operator:latest
310-
createdAt: "2024-11-01T20:38:03Z"
310+
createdAt: "2024-12-06T14:27:05Z"
311311
features.operators.openshift.io/cnf: "false"
312312
features.operators.openshift.io/cni: "false"
313313
features.operators.openshift.io/csi: "true"
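Review bot: the only change to this file is the generated `createdAt` timestamp bump from `2024-11-01T20:38:03Z` to `2024-12-06T14:27:05Z`, which is bundle-tooling churn unrelated to the container-attach feature; consider dropping it from this commit or noting in the commit message that the bundle manifests were regenerated.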

bundle/manifests/bpfman.io_bpfapplications.yaml

Lines changed: 204 additions & 0 deletions
@@ -459,6 +459,74 @@ spec:
459459
BpfFunctionName is the name of the function that is the entry point for the BPF
460460
program
461461
type: string
462+
containers:
463+
description: |-
464+
Containers identifes the set of containers in which to attach the eBPF
465+
program. If Containers is not specified, the BPF program will be attached
466+
in the root network namespace.
467+
properties:
468+
containernames:
469+
description: |-
470+
Name(s) of container(s). If none are specified, all containers in the
471+
pod are selected.
472+
items:
473+
type: string
474+
type: array
475+
namespace:
476+
default: ""
477+
description: Target namespaces.
478+
type: string
479+
pods:
480+
description: |-
481+
Target pods. This field must be specified, to select all pods use
482+
standard metav1.LabelSelector semantics and make it empty.
483+
properties:
484+
matchExpressions:
485+
description: matchExpressions is a list of label
486+
selector requirements. The requirements are ANDed.
487+
items:
488+
description: |-
489+
A label selector requirement is a selector that contains values, a key, and an operator that
490+
relates the key and values.
491+
properties:
492+
key:
493+
description: key is the label key that the
494+
selector applies to.
495+
type: string
496+
operator:
497+
description: |-
498+
operator represents a key's relationship to a set of values.
499+
Valid operators are In, NotIn, Exists and DoesNotExist.
500+
type: string
501+
values:
502+
description: |-
503+
values is an array of string values. If the operator is In or NotIn,
504+
the values array must be non-empty. If the operator is Exists or DoesNotExist,
505+
the values array must be empty. This array is replaced during a strategic
506+
merge patch.
507+
items:
508+
type: string
509+
type: array
510+
x-kubernetes-list-type: atomic
511+
required:
512+
- key
513+
- operator
514+
type: object
515+
type: array
516+
x-kubernetes-list-type: atomic
517+
matchLabels:
518+
additionalProperties:
519+
type: string
520+
description: |-
521+
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
522+
map is equivalent to an element of matchExpressions, whose key field is "key", the
523+
operator is "In", and the values array contains only "value". The requirements are ANDed.
524+
type: object
525+
type: object
526+
x-kubernetes-map-type: atomic
527+
required:
528+
- pods
529+
type: object
462530
direction:
463531
description: |-
464532
Direction specifies the direction of traffic the tc program should
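Review bot: `containers.description` carries the "identifes" typo from the Go doc comment; because this file is generated, the fix belongs in the `apis/v1alpha1` types followed by regeneration, not an edit here. Separately, `namespace` is described as "Target namespaces." (plural) but is a single `type: string` with `default: ""`; the description should say whether the empty default means the BpfApplication's own namespace or every namespace, since combined with an empty `pods` selector and no `containernames` the defaults select the widest possible set of containers, and operators need that blast radius stated in the schema.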
@@ -582,6 +650,74 @@ spec:
582650
BpfFunctionName is the name of the function that is the entry point for the BPF
583651
program
584652
type: string
653+
containers:
654+
description: |-
655+
Containers identifes the set of containers in which to attach the eBPF
656+
program. If Containers is not specified, the BPF program will be attached
657+
in the root network namespace.
658+
properties:
659+
containernames:
660+
description: |-
661+
Name(s) of container(s). If none are specified, all containers in the
662+
pod are selected.
663+
items:
664+
type: string
665+
type: array
666+
namespace:
667+
default: ""
668+
description: Target namespaces.
669+
type: string
670+
pods:
671+
description: |-
672+
Target pods. This field must be specified, to select all pods use
673+
standard metav1.LabelSelector semantics and make it empty.
674+
properties:
675+
matchExpressions:
676+
description: matchExpressions is a list of label
677+
selector requirements. The requirements are ANDed.
678+
items:
679+
description: |-
680+
A label selector requirement is a selector that contains values, a key, and an operator that
681+
relates the key and values.
682+
properties:
683+
key:
684+
description: key is the label key that the
685+
selector applies to.
686+
type: string
687+
operator:
688+
description: |-
689+
operator represents a key's relationship to a set of values.
690+
Valid operators are In, NotIn, Exists and DoesNotExist.
691+
type: string
692+
values:
693+
description: |-
694+
values is an array of string values. If the operator is In or NotIn,
695+
the values array must be non-empty. If the operator is Exists or DoesNotExist,
696+
the values array must be empty. This array is replaced during a strategic
697+
merge patch.
698+
items:
699+
type: string
700+
type: array
701+
x-kubernetes-list-type: atomic
702+
required:
703+
- key
704+
- operator
705+
type: object
706+
type: array
707+
x-kubernetes-list-type: atomic
708+
matchLabels:
709+
additionalProperties:
710+
type: string
711+
description: |-
712+
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
713+
map is equivalent to an element of matchExpressions, whose key field is "key", the
714+
operator is "In", and the values array contains only "value". The requirements are ANDed.
715+
type: object
716+
type: object
717+
x-kubernetes-map-type: atomic
718+
required:
719+
- pods
720+
type: object
585721
direction:
586722
description: |-
587723
Direction specifies the direction of traffic the tcx program should
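Review bot: the `pods.description` text "This field must be specified, to select all pods use standard metav1.LabelSelector semantics and make it empty." is a comma splice and reads ambiguously; suggest "This field must be specified; to select all pods, use an empty selector (standard metav1.LabelSelector semantics)." The `required: - pods` entry already enforces presence, so the sentence only needs to explain the empty-selector case. This description comes from the shared ContainerSelector type, so fixing it there updates all three copies in this file.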
@@ -1082,6 +1218,74 @@ spec:
10821218
BpfFunctionName is the name of the function that is the entry point for the BPF
10831219
program
10841220
type: string
1221+
containers:
1222+
description: |-
1223+
Containers identifes the set of containers in which to attach the eBPF
1224+
program. If Containers is not specified, the BPF program will be attached
1225+
in the root network namespace.
1226+
properties:
1227+
containernames:
1228+
description: |-
1229+
Name(s) of container(s). If none are specified, all containers in the
1230+
pod are selected.
1231+
items:
1232+
type: string
1233+
type: array
1234+
namespace:
1235+
default: ""
1236+
description: Target namespaces.
1237+
type: string
1238+
pods:
1239+
description: |-
1240+
Target pods. This field must be specified, to select all pods use
1241+
standard metav1.LabelSelector semantics and make it empty.
1242+
properties:
1243+
matchExpressions:
1244+
description: matchExpressions is a list of label
1245+
selector requirements. The requirements are ANDed.
1246+
items:
1247+
description: |-
1248+
A label selector requirement is a selector that contains values, a key, and an operator that
1249+
relates the key and values.
1250+
properties:
1251+
key:
1252+
description: key is the label key that the
1253+
selector applies to.
1254+
type: string
1255+
operator:
1256+
description: |-
1257+
operator represents a key's relationship to a set of values.
1258+
Valid operators are In, NotIn, Exists and DoesNotExist.
1259+
type: string
1260+
values:
1261+
description: |-
1262+
values is an array of string values. If the operator is In or NotIn,
1263+
the values array must be non-empty. If the operator is Exists or DoesNotExist,
1264+
the values array must be empty. This array is replaced during a strategic
1265+
merge patch.
1266+
items:
1267+
type: string
1268+
type: array
1269+
x-kubernetes-list-type: atomic
1270+
required:
1271+
- key
1272+
- operator
1273+
type: object
1274+
type: array
1275+
x-kubernetes-list-type: atomic
1276+
matchLabels:
1277+
additionalProperties:
1278+
type: string
1279+
description: |-
1280+
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
1281+
map is equivalent to an element of matchExpressions, whose key field is "key", the
1282+
operator is "In", and the values array contains only "value". The requirements are ANDed.
1283+
type: object
1284+
type: object
1285+
x-kubernetes-map-type: atomic
1286+
required:
1287+
- pods
1288+
type: object
10851289
interfaceselector:
10861290
description: Selector to determine the network interface
10871291
(or interfaces)
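Review bot: `namespace` and the `containernames` items are plain `type: string` with no validation, while the neighbouring `interfaceselector` and the label-selector subschema carry constraints; consider adding kubebuilder validation markers (for example a pattern or maxLength for a Kubernetes namespace or container name) on the shared ContainerSelector type so malformed selectors are rejected at admission rather than at attach time. The block is identical across the tc, tcx and xdp sections, so one change to the shared type regenerates all three.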
