EgressIP for OVN-Kubernetes #1484
Thanks for breaking it up into a bunch of commits. It makes it easier to follow for a big patch. Can you also please add a test case for this in the ovn-k8s control plane tests? For example, create an egress IP on a node A, and create a pod on another node B. Verify the packet leaves node A with the correct source IP when going to the internet, and that a response comes back. @nerdalert can help you with creating a test like that if you need some help.
🤔 /retest
do you have the full stack trace or the link to the log?
I see it failed again, so if you click on the red build here in github (or here: https://github.com/ovn-org/ovn-kubernetes/pull/1484/checks?check_run_id=904234163) you should be able to see it
@aojea I'm kind of inclined to disable the race detection on testing code on PRs and make it a periodic job. We don't need to test the test code for races on each PR, do we? I am all for testing for races in the real ovn-k8s code on PR, but these factory test races seem to just be more of a headache than a help right now.
I see it now, I think I know the problem 🤔
Seems this is a legit race, I'm not hitting it in master.
Signed-off-by: Alexander Constantinescu <aconstan@redhat.com>
Rebased and repushed. I couldn't build without fixing go.mod first; it seems to have been broken by the windows service merge (the vendored version of golang.com/x/sys no longer matched what was required in go.mod).
@alexanderConstantinescu see #1564 for OVN bump
Referenced from a comparison of egress/firewall implementations across CNIs:
Antrea: https://github.com/vmware-tanzu/antrea/blob/v0.8.2/docs/policy-only.md and https://github.com/vmware-tanzu/antrea/blob/v0.8.2/pkg/agent/openflow/pipeline.go
Cilium: https://github.com/cilium/cilium/blob/v1.8.2/bpf/lib/common.h
OpenStack: https://github.com/openstack/neutron/blob/16.0.0/doc/source/contributor/internals/openvswitch_firewall.rst#open-vswitch-firewall-driver
OpenShift: ovn-org/ovn-kubernetes#1484
Weave: https://github.com/weaveworks/weave/blob/v2.6.5/docs/weavenpc-design.md
- What this PR does and why is it needed
This PR implements the OpenShift specific feature: "egress IP", for ovn-kubernetes.
In short, concerning what this feature does, for those who do not know:
It allows a cluster admin to specify a fixed source IP address for all south -> north traffic originating from pods/namespaces that the user defines. More detail about the feature is described here: https://github.com/alexanderConstantinescu/enhancements/blob/ovn_egressip/enhancements/network/egressip_for_ovn_kubernetes.md
- Special notes for reviewers
Unfortunately for us, the implementation of this feature depends on the mode ovn-kubernetes is running in. In local gateway mode we will need to use iptables to filter the outgoing node traffic on the correct pods, whereas in shared gateway mode it suffices to create NAT rules in OVN for this to happen. Hence the implementation on both the master's and the node's side needs to take this into account.
This PR has been split into as many logical commits as I saw fit. In general the PR does the following:
This feature can be enabled/disabled using the egress-ip-enable flag, in which case the informer is not started and no watchers are created, so as to not impact the running performance of any ovn-kubernetes instances not wishing to use egress IP.
@dcbw @danwinship @girishmg @trozet
- How to verify it
- Description for the changelog
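The description above splits the feature into two pieces of control-plane logic: selecting which pods an EgressIP applies to (by namespace), and rendering a mode-dependent rule for each selected pod (host iptables SNAT in local gateway mode, an OVN NAT entry on the node's gateway router in shared gateway mode). The following Go program is an added illustration of that decision flow; it is not code from this PR or from ovn-kubernetes. The `EgressIP` struct shape, the namespace-label selector, the router name `GR_node1`, the constructed pod/namespace data and the exact `iptables`/`ovn-nbctl` command forms are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// GatewayMode mirrors the two ovn-kubernetes modes the PR description distinguishes.
type GatewayMode int

const (
	LocalGateway GatewayMode = iota
	SharedGateway
)

// EgressIP is a simplified stand-in for the egress IP object (assumed shape, not the real CRD).
type EgressIP struct {
	Name              string
	EgressIP          string            // fixed source IP presented to the outside world
	NamespaceSelector map[string]string // labels a namespace must carry to be selected
}

// Namespace and Pod carry only the fields the selection logic needs.
type Namespace struct {
	Name   string
	Labels map[string]string
}

type Pod struct {
	Name      string
	Namespace string
	IP        string
}

// matches reports whether labels satisfy every key/value in selector.
func matches(selector, labels map[string]string) bool {
	for k, v := range selector {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// SelectPods returns only the pods whose namespace matches the EgressIP's selector;
// pods in unselected namespaces keep their normal (unmodified) egress path.
func SelectPods(e EgressIP, namespaces []Namespace, pods []Pod) []Pod {
	selected := map[string]bool{}
	for _, ns := range namespaces {
		if matches(e.NamespaceSelector, ns.Labels) {
			selected[ns.Name] = true
		}
	}
	var out []Pod
	for _, p := range pods {
		if selected[p.Namespace] {
			out = append(out, p)
		}
	}
	return out
}

// RulesFor renders, per gateway mode, one rule per selected pod so that the pod's
// north-bound traffic leaves with the egress IP as its source. The command shapes
// are assumptions for illustration, not the rules ovn-kubernetes itself programs.
func RulesFor(mode GatewayMode, e EgressIP, router string, pods []Pod) []string {
	var rules []string
	for _, p := range pods {
		switch mode {
		case LocalGateway:
			// node side: SNAT in the host's iptables nat table, scoped to the single pod IP
			rules = append(rules, fmt.Sprintf(
				"iptables -t nat -A POSTROUTING -s %s/32 -j SNAT --to-source %s", p.IP, e.EgressIP))
		case SharedGateway:
			// master side: per-pod SNAT entry on the node's OVN gateway router
			rules = append(rules, fmt.Sprintf(
				"ovn-nbctl --may-exist lr-nat-add %s snat %s %s", router, e.EgressIP, p.IP))
		}
	}
	return rules
}

func main() {
	// Constructed sample data: two namespaces, only "prod" is labelled for egress.
	namespaces := []Namespace{
		{Name: "prod", Labels: map[string]string{"egress": "yes"}},
		{Name: "dev", Labels: map[string]string{}},
	}
	pods := []Pod{
		{Name: "web", Namespace: "prod", IP: "10.244.0.5"},
		{Name: "api", Namespace: "prod", IP: "10.244.1.7"},
		{Name: "scratch", Namespace: "dev", IP: "10.244.2.9"},
	}
	eip := EgressIP{Name: "prod-egress", EgressIP: "192.0.2.10",
		NamespaceSelector: map[string]string{"egress": "yes"}}

	selected := SelectPods(eip, namespaces, pods)
	for _, mode := range []GatewayMode{LocalGateway, SharedGateway} {
		fmt.Println(strings.Join(RulesFor(mode, eip, "GR_node1", selected), "\n"))
	}
}
```

The point the two render paths make is that the same selection result must be honoured by two different enforcement points, and a pod outside the selected namespaces produces no rule in either mode.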