fix iptables rules and service e2e

kubeovn · Jan 3, 2022 · 36d6b00 · 36d6b00
1 parent 38f60c6
commit 36d6b00
Show file tree

Hide file tree

Showing 12 changed files with 339 additions and 355 deletions.
diff --git a/Makefile b/Makefile
@@ -79,14 +79,13 @@ base-tar-arm64:
 	docker save $(REGISTRY)/kube-ovn-base:$(RELEASE_TAG)-arm64 -o image-arm64.tar
 
 .PHONY: kind-init
-kind-init:
-	kind delete cluster --name=kube-ovn
+kind-init: kind-clean
 	kube_proxy_mode=ipvs ip_family=ipv4 ha=false single=false j2 yamls/kind.yaml.j2 -o yamls/kind.yaml
 	kind create cluster --config yamls/kind.yaml --name kube-ovn
 	kubectl describe no
 
 .PHONY: kind-init-cluster
-kind-init-cluster:
+kind-init-cluster: kind-clean-cluster
 	kube_proxy_mode=ipvs ip_family=ipv4 ha=false single=true j2 yamls/kind.yaml.j2 -o yamls/kind.yaml
 	kind create cluster --config yamls/kind.yaml --name kube-ovn
 	kind create cluster --config yamls/kind.yaml --name kube-ovn1
@@ -96,37 +95,32 @@ kind-init-cluster:
 	kubectl get no
 
 .PHONY: kind-init-iptables
-kind-init-iptables:
-	kind delete cluster --name=kube-ovn
+kind-init-iptables: kind-clean
 	kube_proxy_mode=iptables ip_family=ipv4 ha=false single=false j2 yamls/kind.yaml.j2 -o yamls/kind.yaml
 	kind create cluster --config yamls/kind.yaml --name kube-ovn
 	kubectl describe no
 
 .PHONY: kind-init-ha
-kind-init-ha:
-	kind delete cluster --name=kube-ovn
+kind-init-ha: kind-clean
 	kube_proxy_mode=ipvs ip_family=ipv4 ha=true single=false j2 yamls/kind.yaml.j2 -o yamls/kind.yaml
 	kind create cluster --config yamls/kind.yaml --name kube-ovn
 	kubectl describe no
 
 .PHONY: kind-init-single
-kind-init-single:
-	kind delete cluster --name=kube-ovn
+kind-init-single: kind-clean
 	kube_proxy_mode=ipvs ip_family=ipv4 ha=false single=true j2 yamls/kind.yaml.j2 -o yamls/kind.yaml
 	kind create cluster --config yamls/kind.yaml --name kube-ovn
 	kubectl describe no
 
 .PHONY: kind-init-ipv6
-kind-init-ipv6:
-	kind delete cluster --name=kube-ovn
-	kube_proxy_mode=iptables ip_family=ipv6 ha=false single=false j2 yamls/kind.yaml.j2 -o yamls/kind.yaml
+kind-init-ipv6: kind-clean
+	kube_proxy_mode=ipvs ip_family=ipv6 ha=false single=false j2 yamls/kind.yaml.j2 -o yamls/kind.yaml
 	kind create cluster --config yamls/kind.yaml --name kube-ovn
 	kubectl describe no
 
 .PHONY: kind-init-dual
-kind-init-dual:
-	kind delete cluster --name=kube-ovn
-	kube_proxy_mode=iptables ip_family=dual ha=false single=false j2 yamls/kind.yaml.j2 -o yamls/kind.yaml
+kind-init-dual: kind-clean
+	kube_proxy_mode=ipvs ip_family=dual ha=false single=false j2 yamls/kind.yaml.j2 -o yamls/kind.yaml
 	kind create cluster --config yamls/kind.yaml --name kube-ovn
 	kubectl describe no
 	docker exec kube-ovn-worker sysctl -w net.ipv6.conf.all.disable_ipv6=0
@@ -287,12 +281,13 @@ kind-reload:
 .PHONY: kind-clean
 kind-clean:
 	kind delete cluster --name=kube-ovn
+	docker ps -a -f name=kube-ovn-e2e --format "{{.ID}}" | while read c; do docker rm -f $$c; done
 
 .PHONY: kind-clean-cluster
 kind-clean-cluster:
 	kind delete cluster --name=kube-ovn
 	kind delete cluster --name=kube-ovn1
-	docker stop ovn-ic-db && docker rm ovn-ic-db
+	docker ps -a -f name=ovn-ic-db --format "{{.ID}}" | while read c; do docker rm -f $$c; done
 
 .PHONY: uninstall
 uninstall:
@@ -309,8 +304,8 @@ lint:
 
 .PHONY: scan
 scan:
-	trivy image --light --exit-code=1 --severity=HIGH --ignore-unfixed kubeovn/kube-ovn:$(RELEASE_TAG)
-	trivy image --light --exit-code=1 --severity=HIGH --ignore-unfixed kubeovn/vpc-nat-gateway:$(RELEASE_TAG)
+	trivy image --light --exit-code=1 --severity=HIGH --ignore-unfixed $(REGISTRY)/kube-ovn:$(RELEASE_TAG)
+	trivy image --light --exit-code=1 --severity=HIGH --ignore-unfixed $(REGISTRY)/vpc-nat-gateway:$(RELEASE_TAG)
 
 .PHONY: ut
 ut:
@@ -320,6 +315,7 @@ ut:
 e2e:
 	$(eval NODE_COUNT = $(shell kind get nodes --name kube-ovn | wc -l))
 	$(eval NETWORK_BRIDGE = $(shell docker inspect -f '{{json .NetworkSettings.Networks.bridge}}' kube-ovn-control-plane))
+	docker run -d --name kube-ovn-e2e --network kind --cap-add=NET_ADMIN $(REGISTRY)/kube-ovn:$(RELEASE_TAG) sleep infinity
 	@if [ '$(NETWORK_BRIDGE)' = 'null' ]; then \
 		kind get nodes --name kube-ovn | while read node; do \
 		docker network connect bridge $$node; \
@@ -369,6 +365,7 @@ e2e-ovn-ic:
 
 .PHONY: e2e-ovn-ebpf
 e2e-ovn-ebpf:
+	docker run -d --name kube-ovn-e2e --network kind --cap-add=NET_ADMIN $(REGISTRY)/kube-ovn:$(RELEASE_TAG) sleep infinity
 	ginkgo -mod=mod -progress -reportPassed --slowSpecThreshold=60 test/e2e-ebpf
 
 .PHONY: clean

diff --git a/dist/images/uninstall.sh b/dist/images/uninstall.sh
@@ -36,6 +36,7 @@ iptables -t filter -D FORWARD -m set --match-set ovn40services src -j ACCEPT
 iptables -t filter -D OUTPUT -p udp -m udp --dport 6081 -j MARK --set-xmark 0x0
 
 if [ -n "$nodeIPv4" ]; then
+    iptables -t nat -D POSTROUTING ! -s "$nodeIPv4" -m mark --mark 0x4000/0x4000 -j MASQUERADE
     iptables -t nat -D POSTROUTING ! -s "$nodeIPv4" -m set ! --match-set ovn40subnets src -m set --match-set ovn40subnets dst -j MASQUERADE
 fi
 
@@ -62,6 +63,7 @@ ip6tables -t filter -D FORWARD -m set --match-set ovn60services src -j ACCEPT
 ip6tables -t filter -D OUTPUT -p udp -m udp --dport 6081 -j MARK --set-xmark 0x0
 
 if [ -n "$nodeIPv6" ]; then
+    ip6tables -t nat -D POSTROUTING ! -s "$nodeIPv6" -m mark --mark 0x4000/0x4000 -j MASQUERADE
     ip6tables -t nat -D POSTROUTING ! -s "$nodeIPv6" -m set ! --match-set ovn60subnets src -m set --match-set ovn60subnets dst -j MASQUERADE
 fi
 

diff --git a/go.mod b/go.mod
@@ -32,6 +32,7 @@ require (
 	k8s.io/apimachinery v0.23.1
 	k8s.io/client-go v0.23.1
 	k8s.io/klog/v2 v2.30.0
+	k8s.io/kubernetes v1.23.1
 	k8s.io/sample-controller v0.23.1
 	sigs.k8s.io/controller-runtime v0.11.0
 )
@@ -104,8 +105,11 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 	k8s.io/apiextensions-apiserver v0.23.1 // indirect
+	k8s.io/cluster-bootstrap v0.0.0 // indirect
 	k8s.io/component-base v0.23.1 // indirect
+	k8s.io/component-helpers v0.23.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect
+	k8s.io/kube-proxy v0.0.0 // indirect
 	k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b // indirect
 	moul.io/http2curl v1.0.0 // indirect
 	sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect
@@ -139,5 +143,6 @@ replace (
 	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.23.1
 	k8s.io/metrics => k8s.io/metrics v0.23.1
 	k8s.io/mount-utils => k8s.io/mount-utils v0.23.1
+	k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.23.1
 	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.23.1
 )