Add TrafficControl API

TrafficControl is a feature which allows mirroring or redirecting the
traffic Pods send or receive. It enables users to monitor and analyze
Pod traffic, and to enforce custom network protections for Pods with
fine-grained control over network traffic.

This patch adds types and CRD for TrafficControl API.

Examples:

1. Mirror Pods (web=app) ingress traffic to a VXLAN tunnel
```
apiVersion: crd.antrea.io/v1alpha2
kind: TrafficControl
metadata:
  name: mirror-web-app
spec:
  appliedTo:
    podSelector:
      matchLabels:
        app: web
  direction: Ingress
  action: Mirror
  targetPort:
    vxlan:
      remoteIP: 1.1.1.1
```

2. Redirect Pods (web=app) traffic in both direction to OVS internal
port firewall0 and expect the traffic to re-enter OVS via another OVS
internal port firewall1 if they are not dropped.
```
apiVersion: crd.antrea.io/v1alpha2
kind: TrafficControl
metadata:
  name: redirect
spec:
  appliedTo:
    podSelector:
      matchLabels:
        role: web
  direction: Ingress
  action: Redirect
  targetPort:
    ovsInternal:
      name: firewall0
  returnPort:
    ovsInternal:
      name: firewall1
```

For antrea-io#3324

Signed-off-by: Quan Tian <[email protected]>

Author: tnqn

build/charts/antrea/conf/antrea-agent.conf

@@ -47,6 +47,9 @@ featureGates:
 # Enable managing external IPs of Services of LoadBalancer type.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "ServiceExternalIP" "default" false) }}
 
+# Enable mirroring or redirecting the traffic Pods send or receive.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "TrafficControl" "default" false) }}
+
 # Name of the OpenVSwitch bridge antrea-agent will create and use.
 # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
 ovsBridge: {{ .Values.ovs.bridgeName | quote }}

build/charts/antrea/templates/agent/clusterrole.yaml

@@ -167,6 +167,7 @@ rules:
     resources:
       - externalippools
       - ippools
+      - trafficcontrols
     verbs:
       - get
       - watch

build/yamls/antrea-aks.yml

@@ -85,6 +85,9 @@ data:
     # Enable managing external IPs of Services of LoadBalancer type.
     #  ServiceExternalIP: false
 
+    # Enable mirroring or redirecting the traffic Pods send or receive.
+    #  TrafficControl: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -2493,6 +2496,291 @@ spec:
     shortNames:
       - tf
 ---
+# Source: antrea/templates/crds/trafficcontrol.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: trafficcontrols.crd.antrea.io
+spec:
+  group: crd.antrea.io
+  versions:
+    - name: v1alpha2
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          required:
+            - spec
+          properties:
+            spec:
+              type: object
+              required:
+                - appliedTo
+                - direction
+                - action
+                - targetPort
+              properties:
+                appliedTo:
+                  type: object
+                  properties:
+                    podSelector:
+                      type: object
+                      properties:
+                        matchExpressions:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              key:
+                                type: string
+                              operator:
+                                enum:
+                                  - In
+                                  - NotIn
+                                  - Exists
+                                  - DoesNotExist
+                                type: string
+                              values:
+                                type: array
+                                items:
+                                  type: string
+                                  pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+                        matchLabels:
+                          x-kubernetes-preserve-unknown-fields: true
+                    namespaceSelector:
+                      type: object
+                      properties:
+                        matchExpressions:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              key:
+                                type: string
+                              operator:
+                                enum:
+                                  - In
+                                  - NotIn
+                                  - Exists
+                                  - DoesNotExist
+                                type: string
+                              values:
+                                type: array
+                                items:
+                                  type: string
+                                  pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
+                        matchLabels:
+                          x-kubernetes-preserve-unknown-fields: true
+                direction:
+                  type: string
+                  enum:
+                    - Ingress
+                    - Egress
+                    - Both
+                action:
+                  type: string
+                  enum:
+                    - Mirror
+                    - Redirect
+                targetPort:
+                  type: object
+                  oneOf:
+                    - required: [ovsInternal]
+                    - required: [device]
+                    - required: [geneve]
+                    - required: [vxlan]
+                    - required: [gre]
+                    - required: [erspan]
+                  properties:
+                    ovsInternal:
+                      type: object
+                      required:
+                        - name
+                      properties:
+                        name:
+                          type: string
+                    device:
+                      type: object
+                      required:
+                        - name
+                      properties:
+                        name:
+                          type: string
+                    geneve:
+                      type: object
+                      required:
+                        - remoteIP
+                      properties:
+                        remoteIP:
+                          type: string
+                          oneOf:
+                            - format: ipv4
+                            - format: ipv6
+                        vni:
+                          type: integer
+                          minimum: 0
+                          maximum: 16777215
+                        destinationPort:
+                          type: integer
+                          minimum: 1
+                          maximum: 65535
+                    vxlan:
+                      type: object
+                      required:
+                        - remoteIP
+                      properties:
+                        remoteIP:
+                          type: string
+                          oneOf:
+                            - format: ipv4
+                            - format: ipv6
+                        vni:
+                          type: integer
+                          minimum: 0
+                          maximum: 16777215
+                        destinationPort:
+                          type: integer
+                          minimum: 1
+                          maximum: 65535
+                    gre:
+                      type: object
+                      required:
+                        - remoteIP
+                      properties:
+                        remoteIP:
+                          type: string
+                          oneOf:
+                            - format: ipv4
+                            - format: ipv6
+                        key:
+                          type: integer
+                          minimum: 0
+                          maximum: 4294967295
+                    erspan:
+                      type: object
+                      required:
+                        - remoteIP
+                        - version
+                      properties:
+                        remoteIP:
+                          type: string
+                          oneOf:
+                            - format: ipv4
+                            - format: ipv6
+                        sessionID:
+                          type: integer
+                          minimum: 0
+                          maximum: 1023
+                        version:
+                          type: integer
+                          enum:
+                            - 1
+                            - 2
+                        index:
+                          type: integer
+                        dir:
+                          type: integer
+                          enum:
+                            - 0
+                            - 1
+                        hardwareID:
+                          type: integer
+                returnPort:
+                  type: object
+                  oneOf:
+                    - required: [ovsInternal]
+                    - required: [device]
+                    - required: [geneve]
+                    - required: [vxlan]
+                    - required: [gre]
+                  properties:
+                    ovsInternal:
+                      type: object
+                      required:
+                        - name
+                      properties:
+                        name:
+                          type: string
+                    device:
+                      type: object
+                      required:
+                        - name
+                      properties:
+                        name:
+                          type: string
+                    geneve:
+                      type: object
+                      required:
+                        - remoteIP
+                      properties:
+                        remoteIP:
+                          type: string
+                          oneOf:
+                            - format: ipv4
+                            - format: ipv6
+                        vni:
+                          type: integer
+                          minimum: 0
+                          maximum: 16777215
+                        destinationPort:
+                          type: integer
+                          minimum: 1
+                          maximum: 65535
+                    vxlan:
+                      type: object
+                      required:
+                        - remoteIP
+                      properties:
+                        remoteIP:
+                          type: string
+                          oneOf:
+                            - format: ipv4
+                            - format: ipv6
+                        vni:
+                          type: integer
+                          minimum: 0
+                          maximum: 16777215
+                        destinationPort:
+                          type: integer
+                          minimum: 1
+                          maximum: 65535
+                    gre:
+                      type: object
+                      required:
+                        - remoteIP
+                      properties:
+                        remoteIP:
+                          type: string
+                          oneOf:
+                            - format: ipv4
+                            - format: ipv6
+                        key:
+                          type: integer
+                          minimum: 0
+                          maximum: 4294967295
+      additionalPrinterColumns:
+        - description: Specifies the direction of traffic that should be matched.
+          jsonPath: .spec.direction
+          name: Direction
+          type: string
+        - description: Specifies the action that should be taken for the traffic.
+          jsonPath: .spec.action
+          name: Action
+          type: string
+        - jsonPath: .metadata.creationTimestamp
+          name: Age
+          type: date
+      subresources:
+        status: {}
+  scope: Cluster
+  names:
+    plural: trafficcontrols
+    singular: trafficcontrol
+    kind: TrafficControl
+    shortNames:
+      - tc
+---
 # Source: antrea/templates/agent/clusterrole.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -2663,6 +2951,7 @@ rules:
     resources:
       - externalippools
       - ippools
+      - trafficcontrols
     verbs:
       - get
       - watch
@@ -3180,7 +3469,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: cb46b22ec258614e4df2cc06aaaba03d2a3ecd008de23288dbdce9cd3cc68647
+        checksum/config: 4554a36b927c6e64fdbc53b4d4c64673d48c9c829ec444e3be6e699ade8481b6
       labels:
         app: antrea
         component: antrea-agent
@@ -3420,7 +3709,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: cb46b22ec258614e4df2cc06aaaba03d2a3ecd008de23288dbdce9cd3cc68647
+        checksum/config: 4554a36b927c6e64fdbc53b4d4c64673d48c9c829ec444e3be6e699ade8481b6
       labels:
         app: antrea
         component: antrea-controller