Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add global except list for egress to avoid SNAT #2749

Merged
merged 1 commit into from
Oct 25, 2021
Merged

Add global except list for egress to avoid SNAT #2749

merged 1 commit into from
Oct 25, 2021

Conversation

leonstack
Copy link
Contributor

For some environment, some destination(not podCIDR/svcCIDR) can be
communicate with each other directly for better network performance,
we should avoid SNAT for such destination.

Signed-off-by: Yang Li yang.li@transwarp.io

@leonstack leonstack force-pushed the except_list branch 3 times, most recently from c5a5781 to 00a59f8 Compare September 13, 2021 03:09
@leonstack
Copy link
Contributor Author

/test-all

@leonstack
Copy link
Contributor Author

/test-ipv6

@leonstack
Copy link
Contributor Author

/test-e2e

1 similar comment
@leonstack
Copy link
Contributor Author

/test-e2e

@leonstack
Copy link
Contributor Author

/test-all

@leonstack
Copy link
Contributor Author

@tnqn hi, can you help review this MR...

tnqn
tnqn reviewed Sep 14, 2021
View reviewed changes
Copy link
Member

@tnqn tnqn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@leonstack Thanks for the PR, I have some comments.

build/yamls/base/conf/antrea-agent.conf Outdated Show resolved Hide resolved
cmd/antrea-agent/agent.go Outdated Show resolved Hide resolved
pkg/agent/config/node_config.go Outdated Show resolved Hide resolved
pkg/agent/openflow/client.go Outdated Show resolved Hide resolved
pkg/agent/openflow/pipeline.go Outdated Show resolved Hide resolved
@leonstack
Copy link
Contributor Author

/test-all

tnqn
tnqn reviewed Sep 16, 2021
View reviewed changes
cmd/antrea-agent/config.go Show resolved Hide resolved
pkg/agent/config/node_config.go Show resolved Hide resolved
pkg/agent/openflow/pipeline.go Show resolved Hide resolved
test/integration/agent/openflow_test.go Outdated Show resolved Hide resolved
build/yamls/base/conf/antrea-agent.conf Show resolved Hide resolved
build/yamls/base/conf/antrea-agent.conf Outdated Show resolved Hide resolved
@tnqn
Copy link
Member

tnqn commented Sep 16, 2021

For some environment, some destination(not podCIDR/svcCIDR) can be
communicate with each other directly for better network performance,

How about:

For some environment, Pod can communicate with some destination 
(not podCIDR/svcCIDR) directly for better network performance,

@leonstack leonstack force-pushed the except_list branch 2 times, most recently from 247cde8 to 9a5337f Compare September 17, 2021 08:01
@leonstack
Copy link
Contributor Author

/test-all

@leonstack
Copy link
Contributor Author

For some environment, some destination(not podCIDR/svcCIDR) can be
communicate with each other directly for better network performance,

How about:

For some environment, Pod can communicate with some destination 
(not podCIDR/svcCIDR) directly for better network performance,

Good suggestion, I have fixed it.

jianjuns
jianjuns reviewed Sep 22, 2021
View reviewed changes
Copy link
Contributor

@jianjuns jianjuns left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This implementation does not work for Windows? Could we add Windows support too? It might be required for running Antrea on GKE Windows.

@leonstack
Copy link
Contributor Author

This implementation does not work for Windows? Could we add Windows support too? It might be required for running Antrea on GKE Windows.

HI, like @tnqn said, Egress feature is not supported on Windows yet: https://github.com/antrea-io/antrea/blob/main/docs/feature-gates.md#requirements-for-this-feature-6
We can add Windows support in another issue

@jianjuns
Copy link
Contributor

This implementation does not work for Windows? Could we add Windows support too? It might be required for running Antrea on GKE Windows.

HI, like @tnqn said, Egress feature is not supported on Windows yet: https://github.com/antrea-io/antrea/blob/main/docs/feature-gates.md#requirements-for-this-feature-6
We can add Windows support in another issue

We need a way to bypass the default SNAT / masquerade on Windows. I am fine to have a separate PR for that. But we need it. @wenyingd @lzhecheng

tnqn
tnqn reviewed Oct 18, 2021
View reviewed changes
Copy link
Member

@tnqn tnqn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@leonstack Antrea 1.4 code freeze is this week, could you resolve the conflict and address the remaining comment if this is supposed to be included?

build/yamls/base/conf/antrea-agent.conf Outdated Show resolved Hide resolved
@tnqn tnqn mentioned this pull request Oct 19, 2021
Closed
@leonstack leonstack force-pushed the except_list branch 2 times, most recently from 22ab277 to 6521b29 Compare October 22, 2021 06:36
@leonstack
Copy link
Contributor Author

leonstack commented Oct 22, 2021
edited
Loading

@tnqn Hi, I have fixed the conflict and the remaining comment, please help review again~

@leonstack
Copy link
Contributor Author

/test-all

@codecov-commenter
Copy link

codecov-commenter commented Oct 22, 2021
edited
Loading

Codecov Report

Merging #2749 (5a7d220) into main (6ea909a) will increase coverage by 12.05%.
The diff coverage is 22.22%.

Impacted file tree graph

@@             Coverage Diff             @@
##             main    #2749       +/-   ##
===========================================
+ Coverage   40.63%   52.69%   +12.05%     
===========================================
  Files         158      283      +125     
  Lines       19907    23824     +3917     
===========================================
+ Hits         8089    12553     +4464     
+ Misses      11044     9875     -1169     
- Partials      774     1396      +622
Flag Coverage Δ
kind-e2e-tests 32.33% <22.22%> (?)
unit-tests 40.57% <0.00%> (-0.07%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
pkg/agent/config/node_config.go 100.00% <ø> (+63.63%) ⬆️
pkg/agent/openflow/pipeline.go 57.44% <0.00%> (+34.92%) ⬆️
pkg/agent/openflow/client.go 48.44% <37.50%> (+24.34%) ⬆️
pkg/agent/agent.go 51.86% <50.00%> (+30.40%) ⬆️
pkg/agent/controller/egress/egress_controller.go 38.32% <0.00%> (-1.47%) ⬇️
pkg/apiserver/handlers/webhook/mutation_labels.go 24.71% <0.00%> (ø)
...t/informers/externalversions/security/interface.go 100.00% <0.00%> (ø)
pkg/agent/route/route_linux.go 28.16% <0.00%> (ø)
pkg/legacyapis/core/v1alpha2/register.go 80.00% <0.00%> (ø)
pkg/legacyapis/stats/install/install.go 100.00% <0.00%> (ø)
... and 210 more

@leonstack leonstack changed the title Add global except list for egress to avoid SNAT (#2707) Add global except list for egress to avoid SNAT Oct 22, 2021
tnqn
tnqn reviewed Oct 22, 2021
View reviewed changes
build/yamls/antrea-aks.yml Outdated Show resolved Hide resolved
@leonstack leonstack force-pushed the except_list branch 2 times, most recently from de47f98 to affc90e Compare October 22, 2021 07:46
@leonstack
Copy link
Contributor Author

/test-conformance

@leonstack
Copy link
Contributor Author

/test-e2e

@leonstack
Copy link
Contributor Author

/test-networkpolicy

@leonstack
Copy link
Contributor Author 

--- FAIL: TestFlowAggregator (230.49s)
    --- FAIL: TestFlowAggregator/IPv4 (115.23s)
        --- FAIL: TestFlowAggregator/IPv4/IntraNodeFlows (18.21s)
        --- FAIL: TestFlowAggregator/IPv4/IntraNodeDenyConnIngressANP (6.45s)
        --- FAIL: TestFlowAggregator/IPv4/IntraNodeDenyConnEgressANP (2.77s)
        --- FAIL: TestFlowAggregator/IPv4/IntraNodeDenyConnNP (8.03s)

Hi @tnqn, some cases failed in Kind/E2e test, I'm not sure these cases have any relationship for this PR.

@leonstack
Copy link
Contributor Author

/test-all

leonstack added a commit to leonstack/antrea that referenced this pull request Oct 22, 2021
@leonstack
Add global except list for egress to avoid SNAT (antrea-io#2749)
fae1187 
For some environment, some destination(not podCIDR/svcCIDR) can be
communicate with each other directly for better network performance,
we should avoid SNAT for such destination.

Signed-off-by: Yang Li <yang.li@transwarp.io>
@leonstack
Copy link
Contributor Author

/test-networkpolicy
/test-e2e
/test-conformance

@leonstack
Copy link
Contributor Author

@tnqn Hi, the required check all passed, could you help to review this PR again:-)

jianjuns
jianjuns reviewed Oct 22, 2021
View reviewed changes
Copy link
Contributor

@jianjuns jianjuns left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

build/yamls/base/conf/antrea-agent.conf Outdated Show resolved Hide resolved
@leonstack
Add global except list for egress to avoid SNAT (antrea-io#2749)
5a7d220 
For some environment, some destination(not podCIDR/svcCIDR) can be
communicate with each other directly for better network performance,
we should avoid SNAT for such destination.

Signed-off-by: Yang Li <yang.li@transwarp.io>
@leonstack
Copy link
Contributor Author

/test-conformance
/test-e2e
/test-networkpolicy

@leonstack
Copy link
Contributor Author

/test-all

@tnqn
Copy link
Member

tnqn commented Oct 25, 2021

/test-integration

tnqn
tnqn approved these changes Oct 25, 2021
View reviewed changes
Copy link
Member

@tnqn tnqn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@tnqn tnqn merged commit 2718266 into antrea-io:main Oct 25, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jianjuns jianjuns jianjuns left review comments

@Jexf Jexf Jexf left review comments

@tnqn tnqn tnqn approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@leonstack @tnqn @jianjuns @codecov-commenter @Jexf