type verdict

kubernetes-sigs · Nov 22, 2024 · e8118fd · e8118fd
1 parent 9677179
commit e8118fd
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 20 deletions.
diff --git a/pkg/networkpolicy/controller.go b/pkg/networkpolicy/controller.go
@@ -311,14 +311,17 @@ type Controller struct {
 	interceptor interceptor
 }
 
+//go:generate stringer -type=Verdict
+type Verdict int
+
 // Verdicts
 const (
-	Drop = iota
+	Drop Verdict = iota
 	Accept
 )
 
 type interceptor interface {
-	Run(context.Context, func(Packet) int) error
+	Run(context.Context, func(Packet) Verdict) error
 	Sync(ctx context.Context, podV4IPs, podV6IPs sets.Set[string]) error
 	Stop(ctx context.Context)
 }
@@ -357,7 +360,7 @@ func (c *Controller) Run(ctx context.Context) error {
 
 	// Parse the packet and check if it should be accepted
 	// Packets should be evaludated independently in each direction
-	fn := func(packet Packet) int {
+	fn := func(packet Packet) Verdict {
 
 		startTime := time.Now()
 
@@ -367,7 +370,7 @@ func (c *Controller) Run(ctx context.Context) error {
 			processingTime := float64(time.Since(startTime).Microseconds())
 			packetProcessingHist.WithLabelValues(string(packet.proto), string(packet.family)).Observe(processingTime)
 			packetProcessingSum.Observe(processingTime)
-			verdictStr := verdictString(verdict)
+			verdictStr := verdict.String()
 			packetCounterVec.WithLabelValues(string(packet.proto), string(packet.family), verdictStr).Inc()
 			logger.V(2).Info("Finished syncing packet", "id", packet.Id, "duration", time.Since(startTime), "verdict", verdictStr)
 		}()
@@ -391,19 +394,6 @@ func (c *Controller) Run(ctx context.Context) error {
 	return nil
 }
 
-// verifctString coverts nfqueue int vericts to strings for metrics/logging
-// it does not cover all of them because we should only use a subset.
-func verdictString(verdict int) string {
-	switch verdict {
-	case Drop:
-		return "drop"
-	case Accept:
-		return "accept"
-	default:
-		return "unknown"
-	}
-}
-
 // evaluatePacket evalute the network policies using the following order:
 // 1. AdminNetworkPolicies in Egress for the source Pod/IP
 // 2. NetworkPolicies in Egress (if needed) for the source Pod/IP

diff --git a/pkg/networkpolicy/verdict_string.go b/pkg/networkpolicy/verdict_string.go
diff --git a/pkg/nfqinterceptor/nfqinterceptor.go b/pkg/nfqinterceptor/nfqinterceptor.go
@@ -76,7 +76,7 @@ func (n *nfqInterceptor) Stop(ctx context.Context) {
 	}
 }
 
-func (n *nfqInterceptor) Run(ctx context.Context, renderVerdict func(networkpolicy.Packet) int) error {
+func (n *nfqInterceptor) Run(ctx context.Context, renderVerdict func(networkpolicy.Packet) networkpolicy.Verdict) error {
 	logger := klog.FromContext(ctx)
 	registerMetrics(ctx)
 	go wait.UntilWithContext(ctx, func(ctx context.Context) {
@@ -136,13 +136,13 @@ func (n *nfqInterceptor) Run(ctx context.Context, renderVerdict func(networkpoli
 		packet, err := networkpolicy.ParsePacket(*a.Payload)
 		if err != nil {
 			logger.Error(err, "Can not process packet, applying default policy", "id", *a.PacketID, "failOpen", n.FailOpen)
-			nf.SetVerdict(packet.Id, verdict)
+			nf.SetVerdict(packet.Id, int(verdict))
 			return 0
 		}
 		packet.Id = *a.PacketID
 		verdict = renderVerdict(packet)
 		// log error and return default if not Accept or Drop?
-		nf.SetVerdict(packet.Id, verdict)
+		nf.SetVerdict(packet.Id, int(verdict))
 		return 0
 	}
 	// Register your function to listen on nflog group 100