Commit

NodePort, LoadBalancer and ClusterIP full support for AntreaProxy on Linux

For NodePort support, an ipset is used to store NodePort IP, port and
transparent protocol in an entry IP:port,protocol. Then an iptables
entry is used to match the ipset as destination and perform DNAT with
a virtual IP. For DNAT'd packets, a routing entry is used to route
them to Antrea gateway.

For LoadBalancer support, a routing entry will be created for every
ingress IP to route the packets from remote or localhost to Antrea
gateway.

For ClusterIP support, a routing entry is always used to route the
packets of all ClusterIPs to Antrea gateway. When a new ClusterIP is
created, the destination IP block of the routing entry might be
extended to include the ClusterIP address.

To support the Service traffic of above cases, the main changes of
OVS pipeline include:
- Change table serviceHairpinTable ID from 29 to 23.
- Change table hairpinSNATTable ID from 106 to 108.
- Add table serviceConntrackTable 24 to transform SNAT'd connections.
- Add table serviceClassifierTable 35 to classify Service traffic.
- Add table serviceConntrackCommitTable 106 to perform SNAT for Service
  traffic.

Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
Co-authored-by: Weiqiang Tang <tangweiqiang@hotmail.com>
hongliangl and weiqiangt committed Sep 15, 2021
1 parent dad38e9 commit c3705b8
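The host-side plumbing the commit message describes, as an added example written for this page and not Antrea's own code: it applies the `nodePortAddresses` selection from the agent config comment (an empty list selects every host address, otherwise only addresses inside the given CIDR blocks), derives the NodePort ipset entries in ipset's `hash:ip,port` form (`IP,proto:port`), and lists the destinations that need a host route to the Antrea gateway (the ClusterIP CIDR plus one entry per LoadBalancer ingress IP). The `Service` type, function names, and the sample Node with a data-plane and a management address are assumptions for illustration; the sample shows that with the default empty list the NodePort is also matched on the management address.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

// Service is a hypothetical stand-in for the Kubernetes Service fields the
// commit's host-side rules depend on.
type Service struct {
	Name       string
	Protocol   string   // "TCP" or "UDP"
	ClusterIP  string
	NodePort   int      // 0 when the Service has no NodePort
	IngressIPs []string // LoadBalancer ingress IPs, if any
}

// SelectNodePortAddresses implements the nodePortAddresses semantics from the
// agent config comment: nil/empty selects all host addresses, otherwise only
// host addresses contained in one of the given CIDR blocks.
func SelectNodePortAddresses(hostIPs, nodePortAddresses []string) ([]string, error) {
	if len(nodePortAddresses) == 0 {
		out := append([]string(nil), hostIPs...)
		sort.Strings(out)
		return out, nil
	}
	var blocks []*net.IPNet
	for _, cidr := range nodePortAddresses {
		_, block, err := net.ParseCIDR(cidr)
		if err != nil {
			return nil, fmt.Errorf("nodePortAddresses entry %q: %w", cidr, err)
		}
		blocks = append(blocks, block)
	}
	var out []string
	for _, s := range hostIPs {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, fmt.Errorf("host address %q is not an IP", s)
		}
		for _, b := range blocks {
			if b.Contains(ip) {
				out = append(out, s)
				break
			}
		}
	}
	sort.Strings(out)
	return out, nil
}

// NodePortIPSetEntries builds one hash:ip,port entry ("IP,proto:port") per
// selected host address and NodePort Service; an iptables rule matching this
// set as destination is what the commit DNATs to the virtual IP.
func NodePortIPSetEntries(svcs []Service, nodePortIPs []string) []string {
	var entries []string
	for _, svc := range svcs {
		if svc.NodePort == 0 {
			continue
		}
		for _, ip := range nodePortIPs {
			entries = append(entries, fmt.Sprintf("%s,%s:%d", ip, strings.ToLower(svc.Protocol), svc.NodePort))
		}
	}
	sort.Strings(entries)
	return entries
}

// GatewayRoutes returns the destinations that need a host route towards the
// Antrea gateway: the ClusterIP CIDR and each LoadBalancer ingress IP as a
// host route (/32 or /128), de-duplicated.
func GatewayRoutes(svcs []Service, clusterIPCIDR string) []string {
	seen := map[string]bool{clusterIPCIDR: true}
	routes := []string{clusterIPCIDR}
	for _, svc := range svcs {
		for _, ip := range svc.IngressIPs {
			dst := ip + "/32"
			if strings.Contains(ip, ":") {
				dst = ip + "/128"
			}
			if !seen[dst] {
				seen[dst] = true
				routes = append(routes, dst)
			}
		}
	}
	return routes
}

func main() {
	// Constructed sample: a Node with a data-plane and a management address.
	hostIPs := []string{"10.10.0.5", "192.168.100.5"}
	svcs := []Service{
		{Name: "web", Protocol: "TCP", ClusterIP: "10.96.0.10", NodePort: 30080, IngressIPs: []string{"203.0.113.7"}},
		{Name: "dns", Protocol: "UDP", ClusterIP: "10.96.0.53"},
	}
	all, _ := SelectNodePortAddresses(hostIPs, nil)                       // default: every host address
	restricted, _ := SelectNodePortAddresses(hostIPs, []string{"10.10.0.0/16"}) // data-plane subnet only
	fmt.Println("default   :", NodePortIPSetEntries(svcs, all))
	fmt.Println("restricted:", NodePortIPSetEntries(svcs, restricted))
	fmt.Println("routes    :", GatewayRoutes(svcs, "10.96.0.0/12"))
}
```

The restricted run is the configuration a multi-homed Node should carry: with the default empty list the management address 192.168.100.5 also gets a `,tcp:30080` entry and therefore a DNAT rule.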
Showing 56 changed files with 2,594 additions and 564 deletions.
65 changes: 64 additions & 1 deletion .github/workflows/kind.yml
Expand Up @@ -191,6 +191,69 @@ jobs:
path: log.tar.gz
retention-days: 30

test-e2e-encap-proxy-all:
name: E2e tests on a Kind cluster on Linux with AntreaProxy all Service support
needs: [ build-antrea-coverage-image, build-flow-aggregator-coverage-image ]
runs-on: [ ubuntu-latest ]
steps:
- name: Free disk space
# https://github.com/actions/virtual-environments/issues/709
run: |
sudo apt-get clean
df -h
- uses: actions/checkout@v2
- uses: actions/setup-go@v2
with:
go-version: 1.17
- name: Download Antrea image from previous job
uses: actions/download-artifact@v1
with:
name: antrea-ubuntu-cov
- name: Download Flow Aggregator image from previous job
uses: actions/download-artifact@v1
with:
name: flow-aggregator-cov
- name: Load Antrea image
run: |
docker load -i antrea-ubuntu-cov/antrea-ubuntu.tar
docker load -i flow-aggregator-cov/flow-aggregator.tar
- name: Install Kind
run: |
curl -Lo ./kind https://github.com/kubernetes-sigs/kind/releases/download/${KIND_VERSION}/kind-$(uname)-amd64
chmod +x ./kind
sudo mv kind /usr/local/bin
- name: Run e2e tests
run: |
mkdir log
mkdir test-e2e-encap-proxy-all-coverage
ANTREA_LOG_DIR=$PWD/log ANTREA_COV_DIR=$PWD/test-e2e-encap-proxy-all-coverage ./ci/kind/test-e2e-kind.sh --encap-mode encap --proxy-all --coverage --skip mode-irrelevant
- name: Tar coverage files
run: tar -czf test-e2e-encap-proxy-all-coverage.tar.gz test-e2e-encap-proxy-all-coverage
- name: Upload coverage for test-e2e-encap-proxy-all-coverage
uses: actions/upload-artifact@v2
with:
name: test-e2e-encap-proxy-all-coverage
path: test-e2e-encap-proxy-all-coverage.tar.gz
retention-days: 30
- name: Codecov
uses: codecov/codecov-action@v1
with:
token: ${{ secrets.CODECOV_TOKEN }}
file: '*.cov.out*'
flags: kind-e2e-tests
name: codecov-test-e2e-encap-proxy-all
directory: test-e2e-encap-proxy-all-coverage
- name: Tar log files
if: ${{ failure() }}
run: tar -czf log.tar.gz log
- name: Upload test log
uses: actions/upload-artifact@v2
if: ${{ failure() }}
with:
name: e2e-kind-encap-proxy-all.tar.gz
path: log.tar.gz
retention-days: 30

test-e2e-noencap:
name: E2e tests on a Kind cluster on Linux (noEncap)
needs: [build-antrea-coverage-image, build-flow-aggregator-coverage-image]
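Review bot: the Install Kind step of the new test-e2e-encap-proxy-all job (`curl -Lo ./kind .../${KIND_VERSION}/kind-$(uname)-amd64`, `chmod +x ./kind`, `sudo mv kind /usr/local/bin`) installs a binary on the runner with no integrity check: the download is selected by a mutable release tag only, there is no sha256 comparison, and the `run:` block has no `set -euo pipefail`, so a truncated or substituted download is still executed with sudo. Suggest verifying the file against a pinned checksum (or the release's published checksums) before the `mv`, and pinning the third-party actions this job uses (`actions/checkout@v2`, `actions/download-artifact@v1`, `codecov/codecov-action@v1`) to commit SHAs instead of major tags, since the job also receives `secrets.CODECOV_TOKEN`. The same pattern is copied from the sibling e2e jobs, so this can be a follow-up that fixes all of them together.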
Expand Down Expand Up @@ -456,7 +519,7 @@ jobs:
# yet.
artifact-cleanup:
name: Delete uploaded images
needs: [build-antrea-coverage-image, build-flow-aggregator-coverage-image, test-e2e-encap, test-e2e-encap-no-proxy, test-e2e-noencap, test-e2e-hybrid, test-e2e-encap-no-np, test-netpol-tmp, validate-prometheus-metrics-doc]
needs: [build-antrea-coverage-image, build-flow-aggregator-coverage-image, test-e2e-encap, test-e2e-encap-no-proxy, test-e2e-encap-proxy-all, test-e2e-noencap, test-e2e-hybrid, test-e2e-encap-no-np, test-netpol-tmp, validate-prometheus-metrics-doc]
if: ${{ always() && (needs.build-antrea-coverage-image.result == 'success' || needs.build-flow-aggregator-coverage-image.result == 'success') }}
runs-on: [ubuntu-latest]
steps:
21 changes: 17 additions & 4 deletions build/yamls/antrea-aks.yml
Expand Up @@ -3922,6 +3922,19 @@ data:
# If there are multiple IP addresses configured on the interface, the first one is used.
# The interface configured with Node IP is used if this parameter is not set.
#transportInterface:
# Option antreaProxy contains AntreaProxy related configuration options.
antreaProxy:
# ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic,
# regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy
# feature to be enabled.
# Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access
# apiserver directly.
#proxyAll: false
# A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks.
# (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses.
# Note that the option is only valid when proxyAll is true.
#nodePortAddresses: []
antrea-cni.conflist: |
{
"cniVersion":"0.3.0",
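Review bot: the `nodePortAddresses` comment should warn about the exposure implied by its default. With `proxyAll: true` and the documented default (`[]`, "select all host IPv4/IPv6 addresses"), every NodePort is matched on every address the Node holds, including management or out-of-band interfaces that operators may already have excluded from kube-proxy with its `--nodeport-addresses` flag; migrating to proxyAll silently widens that surface. Suggest stating that explicitly and recommending a block list limited to the data-plane subnet (e.g. `nodePortAddresses: [10.10.0.0/16]`) on multi-homed Nodes. This text is generated into all five manifests (aks, eks, gke, ipsec, antrea.yml), so the wording change belongs in build/yamls/base/conf/antrea-agent.conf rather than here.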
Expand Down Expand Up @@ -4028,7 +4041,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-886tmkcf7h
name: antrea-config-2cg6khh44b
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -4099,7 +4112,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-886tmkcf7h
value: antrea-config-2cg6khh44b
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
Expand Down Expand Up @@ -4150,7 +4163,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-886tmkcf7h
name: antrea-config-2cg6khh44b
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -4431,7 +4444,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-886tmkcf7h
name: antrea-config-2cg6khh44b
name: antrea-config
- hostPath:
path: /etc/cni/net.d
21 changes: 17 additions & 4 deletions build/yamls/antrea-eks.yml
Expand Up @@ -3922,6 +3922,19 @@ data:
# If there are multiple IP addresses configured on the interface, the first one is used.
# The interface configured with Node IP is used if this parameter is not set.
#transportInterface:
# Option antreaProxy contains AntreaProxy related configuration options.
antreaProxy:
# ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic,
# regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy
# feature to be enabled.
# Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access
# apiserver directly.
#proxyAll: false
# A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks.
# (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses.
# Note that the option is only valid when proxyAll is true.
#nodePortAddresses: []
antrea-cni.conflist: |
{
"cniVersion":"0.3.0",
Expand Down Expand Up @@ -4028,7 +4041,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-886tmkcf7h
name: antrea-config-2cg6khh44b
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -4099,7 +4112,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-886tmkcf7h
value: antrea-config-2cg6khh44b
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
Expand Down Expand Up @@ -4150,7 +4163,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-886tmkcf7h
name: antrea-config-2cg6khh44b
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -4433,7 +4446,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-886tmkcf7h
name: antrea-config-2cg6khh44b
name: antrea-config
- hostPath:
path: /etc/cni/net.d
21 changes: 17 additions & 4 deletions build/yamls/antrea-gke.yml
Expand Up @@ -3922,6 +3922,19 @@ data:
# If there are multiple IP addresses configured on the interface, the first one is used.
# The interface configured with Node IP is used if this parameter is not set.
#transportInterface:
# Option antreaProxy contains AntreaProxy related configuration options.
antreaProxy:
# ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic,
# regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy
# feature to be enabled.
# Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access
# apiserver directly.
#proxyAll: false
# A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks.
# (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses.
# Note that the option is only valid when proxyAll is true.
#nodePortAddresses: []
antrea-cni.conflist: |
{
"cniVersion":"0.3.0",
Expand Down Expand Up @@ -4028,7 +4041,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-7b5cffbt26
name: antrea-config-kh429k9mg7
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -4099,7 +4112,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-7b5cffbt26
value: antrea-config-kh429k9mg7
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
Expand Down Expand Up @@ -4150,7 +4163,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-7b5cffbt26
name: antrea-config-kh429k9mg7
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -4434,7 +4447,7 @@ spec:
path: /home/kubernetes/bin
name: host-cni-bin
- configMap:
name: antrea-config-7b5cffbt26
name: antrea-config-kh429k9mg7
name: antrea-config
- hostPath:
path: /etc/cni/net.d
21 changes: 17 additions & 4 deletions build/yamls/antrea-ipsec.yml
Expand Up @@ -3927,6 +3927,19 @@ data:
# If there are multiple IP addresses configured on the interface, the first one is used.
# The interface configured with Node IP is used if this parameter is not set.
#transportInterface:
# Option antreaProxy contains AntreaProxy related configuration options.
antreaProxy:
# ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic,
# regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy
# feature to be enabled.
# Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access
# apiserver directly.
#proxyAll: false
# A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks.
# (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses.
# Note that the option is only valid when proxyAll is true.
#nodePortAddresses: []
antrea-cni.conflist: |
{
"cniVersion":"0.3.0",
Expand Down Expand Up @@ -4033,7 +4046,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-ct4b8f8t4h
name: antrea-config-f8ktc7gg2c
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -4113,7 +4126,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-ct4b8f8t4h
value: antrea-config-f8ktc7gg2c
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
Expand Down Expand Up @@ -4164,7 +4177,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-ct4b8f8t4h
name: antrea-config-f8ktc7gg2c
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -4480,7 +4493,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-ct4b8f8t4h
name: antrea-config-f8ktc7gg2c
name: antrea-config
- hostPath:
path: /etc/cni/net.d
21 changes: 17 additions & 4 deletions build/yamls/antrea.yml
Expand Up @@ -3927,6 +3927,19 @@ data:
# If there are multiple IP addresses configured on the interface, the first one is used.
# The interface configured with Node IP is used if this parameter is not set.
#transportInterface:
# Option antreaProxy contains AntreaProxy related configuration options.
antreaProxy:
# ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic,
# regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy
# feature to be enabled.
# Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access
# apiserver directly.
#proxyAll: false
# A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks.
# (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses.
# Note that the option is only valid when proxyAll is true.
#nodePortAddresses: []
antrea-cni.conflist: |
{
"cniVersion":"0.3.0",
Expand Down Expand Up @@ -4033,7 +4046,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-fhh5d26dg8
name: antrea-config-48bgbgd97b
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -4104,7 +4117,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-fhh5d26dg8
value: antrea-config-48bgbgd97b
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
Expand Down Expand Up @@ -4155,7 +4168,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-fhh5d26dg8
name: antrea-config-48bgbgd97b
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -4436,7 +4449,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-fhh5d26dg8
name: antrea-config-48bgbgd97b
name: antrea-config
- hostPath:
path: /etc/cni/net.d
13 changes: 13 additions & 0 deletions build/yamls/base/conf/antrea-agent.conf
Expand Up @@ -164,3 +164,16 @@ wireGuard:
# If there are multiple IP addresses configured on the interface, the first one is used.
# The interface configured with Node IP is used if this parameter is not set.
#transportInterface:

# Option antreaProxy contains AntreaProxy related configuration options.
antreaProxy:
# ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic,
# regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy
# feature to be enabled.
# Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access
# apiserver directly.
#proxyAll: false
# A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks.
# (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses.
# Note that the option is only valid when proxyAll is true.
#nodePortAddresses: []
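Review bot: the `proxyAll` comment leaves two operational questions open that the source config should answer. First, it says `kubeAPIServerOverride` "must be used" once kube-proxy is removed but not why: when the agent is the only thing programming the Service datapath, it cannot reach the kube-apiserver through the `kubernetes` ClusterIP before its own rules exist on a fresh Node, so the comment should name that bootstrap dependency and point at the existing `kubeAPIServerOverride` option. Second, "running kube-proxy is no longer required" does not say whether proxyAll is supported while kube-proxy is still running (both would be DNATing the same NodePort/LoadBalancer/ClusterIP traffic on the host); given the "experimental" label, state whether coexistence is expected or whether kube-proxy must be removed first. Also, the comment refers to the key as `ProxyAll` while the YAML key is `proxyAll`; use the YAML spelling for consistency with `nodePortAddresses` below it.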