Remove incorrect AntreaProxy warning on Windows (#6242)

The code was logging an incorrect warning about AntreaProxy being disabled. This is is because checkUnsupportedFeatures was in charge of the check, but o.enableAntreaProxy is set later in the validation chain. To avoid the issue, we introduce a new function for platform-specific checks, validateConfigForPlatform, which runs after all other validations and after all fields in the Options struct have been set. We also replace the warning message with an error message (but we do not fail Agent initialization) and we add a check for proxyAll. Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
antrea-io · Apr 19, 2024 · 064922c · 064922c
1 parent b52d946
commit 064922c
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 1 deletion.
diff --git a/cmd/antrea-agent/options.go b/cmd/antrea-agent/options.go
@@ -604,6 +604,12 @@ func (o *Options) validateK8sNodeOptions() error {
 		return fmt.Errorf("failed to validate secondary network config: %v", err)
 	}
 
+	// Unlike checkUnsupportedFeatures, validateConfigForPlatform runs after all validations and
+	// after all fields in the Options struct have been initialized (e.g., enableProxy).
+	if err := o.validateConfigForPlatform(); err != nil {
+		return err
+	}
+
 	return nil
 }
 

diff --git a/cmd/antrea-agent/options_linux.go b/cmd/antrea-agent/options_linux.go
@@ -25,3 +25,8 @@ func (o *Options) checkUnsupportedFeatures() error {
 	// All features are supported on a Linux Node.
 	return nil
 }
+
+func (o *Options) validateConfigForPlatform() error {
+	// No additional validations for Linux Nodes.
+	return nil
+}
diff --git a/cmd/antrea-agent/options_windows.go b/cmd/antrea-agent/options_windows.go
@@ -64,8 +64,24 @@ func (o *Options) checkUnsupportedFeatures() error {
 		return fmt.Errorf("unsupported features on Windows: {%s}", strings.Join(unsupported, ", "))
 	}
 
+	return nil
+}
+
+func (o *Options) validateConfigForPlatform() error {
+	// AntreaProxy with proxyAll is required on Windows.
+	// The userspace kube-proxy mode (only mode compatible with the Antrea Agent on Windows) was
+	// removed in K8s v1.26, hence the requirement for proxyAll.
+	// Even prior to that, AntreaProxy was required for correct NetworkPolicy enforcement for
+	// Service traffic.
+	// While we do not fail initialization at the moment, there should be no valid use case for
+	// Antrea on Windows without AntreaProxy + proxyAll.
 	if !o.enableAntreaProxy {
-		klog.Warning("AntreaProxy is not enabled. NetworkPolicies might not be enforced correctly for Service traffic!")
+		klog.ErrorS(nil, "AntreaProxy is disabled, Service traffic is unlikely to work as expected")
+		return nil
+	}
+	if !o.config.AntreaProxy.ProxyAll {
+		klog.ErrorS(nil, "AntreaProxy proxyAll is disabled, Service traffic is unlikely to work as expected")
+		return nil
 	}
 	return nil
 }