bridge: Add option to enable port isolation

Enable bridge CNI plugin setting port-isolation [1] the interface. When port-isolation is enabled, containers connected to the network cannot communicate with each other over the linux-bridge. Communication will be enable depending on the gateway appliance according to its restrictions / policies. For example: in a scenario the env connected to smart switch, enabling port-isolation ensure traffic will go outbound, allowing the smart-switch routing the traffic according to policies. Add "portIsolation" flag to bridge plugin. When true, configure the node interface with port-isolation [1]. Default is false. [1] https://man7.org/linux/man-pages/man8/bridge.8.html (see "isolated" option) Signed-off-by: Or Mergi <ormergi@redhat.com>
2025-01-09 19:35:20 +02:00
parent e4ca66b414
commit 7c122fabb4
2 changed files with 62 additions and 3 deletions
--- a/plugins/main/bridge/bridge_test.go
+++ b/plugins/main/bridge/bridge_test.go
@ -82,6 +82,7 @@ type testCase struct {
 	ipMasqBackend     string
 	macspoofchk       bool
 	disableContIface  bool
+	portIsolation     bool

 	AddErr020 string
 	DelErr020 string
@ -162,6 +163,9 @@ const (
 	disableContainerInterface = `,
    "disableContainerInterface": true`

+	portIsolation = `,
+    "portIsolation": true`
+
 	ipamStartStr = `,
    "ipam": {
        "type":    "host-local"`
@ -266,6 +270,10 @@ func (tc testCase) netConfJSON(dataDir string) string {
 		conf += disableContainerInterface
 	}

+	if tc.portIsolation {
+		conf += portIsolation
+	}
+
 	if !tc.isLayer2 {
 		conf += netDefault
 		if tc.subnet != "" || tc.ranges != nil {
@ -649,6 +657,10 @@ func (tester *testerV10x) cmdAddTest(tc testCase, dataDir string) (types.Result,
 		Expect(link).To(BeAssignableToTypeOf(&netlink.Veth{}))
 		tester.vethName = result.Interfaces[1].Name

+		protInfo, err := netlink.LinkGetProtinfo(link)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(protInfo.Isolated).To(Equal(tc.portIsolation), "link isolation should be on when portIsolation is set")
+
 		// check vlan exist on the veth interface
 		if tc.vlan != 0 {
 			interfaceMap, err := netlink.BridgeVlanList()
@ -2588,6 +2600,36 @@ var _ = Describe("bridge Operations", func() {
 				return nil
 			})).To(Succeed())
 		})
+
+		It(fmt.Sprintf("[%s] when port-isolation is off, should set the veth peer on node with isolation off", ver), func() {
+			Expect(originalNS.Do(func(ns.NetNS) error {
+				defer GinkgoRecover()
+				tc := testCase{
+					cniVersion:    ver,
+					portIsolation: false,
+					isLayer2:      true,
+					AddErr020:     "cannot convert: no valid IP addresses",
+					AddErr010:     "cannot convert: no valid IP addresses",
+				}
+				cmdAddDelTest(originalNS, targetNS, tc, dataDir)
+				return nil
+			})).To(Succeed())
+		})
+
+		It(fmt.Sprintf("[%s] when port-isolation is on, should set the veth peer on node with isolation on", ver), func() {
+			Expect(originalNS.Do(func(ns.NetNS) error {
+				defer GinkgoRecover()
+				tc := testCase{
+					cniVersion:    ver,
+					portIsolation: true,
+					isLayer2:      true,
+					AddErr020:     "cannot convert: no valid IP addresses",
+					AddErr010:     "cannot convert: no valid IP addresses",
+				}
+				cmdAddDelTest(originalNS, targetNS, tc, dataDir)
+				return nil
+			})).To(Succeed())
+		})
 	}

 	It("check vlan id when loading net conf", func() {