policy: Add NetworkPolicyResourcesDiscoveryService

Add new cilium/versioned.h generic container for transactional selector
updates.

Add a new NetworkPolicyResourceDiscoveryService that implements delta
updates for policies and selectors, and where policies refer to selectors
by their resource name.

NPRDS adds a top-level oneof wrapper that wraps either a Selector or a
NetworkPolicy. NetworkPolicy definition is shared with NPDS, but
PortNetworkPolicyRule adds a new selectors field that is only used with
NPRDS.

Store the latest desired ConfigSource in the policy map and use it for:
- initial policy map subscription
- re-subscription when connection under current subscription is terminated
- a healthy network policy stream is not disrupted

This should work for Cilium Agent upgrades and downgrades, as the agent
expresses the desired mode, and listens for both.

Clear the resource map on a first update on a new stream. This fixes NACK
cases where further updates on the stream would have IP collisions with
resources that were kept from the previous stream.

Stream generation accounting has to be shared between NPDS and NPRDS
streams, so that the handoff works as designed, but no other xDS
protocols (e.g., NPHDS) should interfere with the stream generation
accounting. Solve this by defining the stream generation number as a
static member of NetworkPolicyMapImpl and updating it from the already
established transport connected/closed callbacks.

Switch to delta mode eagerly when we have evidence that the agent is
capable, but switch to SotW mode only when xDS stream transport had
failed to connect or closes.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>

Author: jrajahalme

cilium/BUILD

@@ -28,6 +28,17 @@ envoy_cc_library(
     ],
 )
 
+envoy_cc_library(
+    name = "versioned_lib",
+    hdrs = ["versioned.h"],
+    repository = "@envoy",
+    deps = [
+        "@com_google_absl//absl/container:flat_hash_map",
+        "@com_google_absl//absl/container:flat_hash_set",
+        "@envoy//source/common/common:assert_lib",
+    ],
+)
+
 envoy_cc_library(
     name = "network_policy_lib",
     srcs = [
@@ -45,6 +56,7 @@ envoy_cc_library(
         "//cilium:conntrack_lib",
         "//cilium:grpc_subscription_lib",
         "//cilium:ipcache_lib",
+        "//cilium:versioned_lib",
         "//cilium/api:npds_cc_proto",
         "@envoy//envoy/singleton:manager_interface",
         "@envoy//source/common/common:logger_lib",

cilium/api/npds.proto

@@ -17,6 +17,7 @@ import "validate/validate.proto";
 // [#protodoc-title: Network policy management and NPDS]
 
 // Each resource name is a network policy identifier.
+// Deprecated: This service will be removed when Cilium 1.20 is the oldest supported release.
 service NetworkPolicyDiscoveryService {
   option (envoy.annotations.resource).type = "cilium.NetworkPolicy";
 
@@ -33,6 +34,32 @@ service NetworkPolicyDiscoveryService {
   }
 }
 
+// Policy and selector resource names are exact-match identifiers in delta NPDS.
+service NetworkPolicyResourceDiscoveryService {
+  option (envoy.annotations.resource).type = "cilium.NetworkPolicyResource";
+
+  rpc DeltaNetworkPolicyResources(stream envoy.service.discovery.v3.DeltaDiscoveryRequest)
+      returns (stream envoy.service.discovery.v3.DeltaDiscoveryResponse) {
+  }
+}
+
+// A delta NPDS resource that carries either an endpoint policy or a shared selector.
+message NetworkPolicyResource {
+  oneof resource {
+    NetworkPolicy policy = 1;
+    Selector selector = 2;
+  }
+}
+
+// A shared set of remote identities referenced by selector resource name.
+// Unlike the old state-of-the-world remote identity lists, an empty selector
+// matches nothing.
+message Selector {
+  // The set of numeric remote security IDs selected by this selector.
+  // If empty, this selector selects no remote identities.
+  repeated uint32 remote_identities = 1;
+}
+
 // A network policy that is enforced by a filter on the network flows to/from
 // associated hosts.
 message NetworkPolicy {
@@ -153,6 +180,12 @@ message PortNetworkPolicyRule {
   // Optional. If not specified, any remote host is matched by this predicate.
   repeated uint32 remote_policies = 7;
 
+  // Optional selector resource names that can be resolved to shared remote
+  // policy sets in delta NPDS.
+  // Selector references are matched by exact selector resource name.
+  // Optional. If not specified, any remote host is matched by this predicate.
+  repeated string selectors = 11;
+
   // Optional downstream TLS context. If present, the incoming connection must
   // be a TLS connection.
   TLSContext downstream_tls_context = 3;

cilium/bpf_metadata.cc

@@ -285,6 +285,8 @@ Config::Config(const ::cilium::BpfMetadata& config,
             [&context, config_source = config_source_] {
               return std::make_shared<Cilium::NetworkPolicyMap>(context, config_source, true);
             });
+    // update desired config source on the map
+    npmap_->setConfigSource(config_source_);
   }
 }
 

cilium/grpc_subscription.cc

@@ -87,7 +87,7 @@ TypeUrlToServiceMap* buildTypeUrlToServiceMap() {
   // https://www.mail-archive.com/protobuf@googlegroups.com/msg04540.html.
   for (absl::string_view name : {
            "cilium.NetworkPolicyDiscoveryService",
-           //"cilium.NetworkPolicyResourceDiscoveryService",
+           "cilium.NetworkPolicyResourceDiscoveryService",
            "cilium.NetworkPolicyHostsDiscoveryService",
        }) {
     const auto* service_desc =