Support service destination in traceflow

[gran-vmv]

Result example:

    results:
    - node: gran-k8s0-1
      observations:
      - action: Forwarded
        component: SpoofGuard
      - action: Forwarded
        component: LB
        pod: kube-system/antrea-octant-7cb57d66bc-vtvmz
        translatedDstIP: 192.168.0.69
      - action: Forwarded
        component: NetworkPolicy
        componentInfo: EgressRule
        networkPolicy: default/allow-all
      - action: Forwarded
        component: Forwarding
        componentInfo: Output
        tunnelDstIP: 10.176.26.135
      timestamp: 1595490479

[antrea-bot]

Thanks for your PR.
Unit tests and code linters are run automatically every time the PR is updated.
E2e, conformance and network policy tests can only be triggered by a member of the vmware-tanzu organization. Regular contributors to the project should join the org.

The following commands are available:

• /test-e2e: to trigger e2e tests.
• /skip-e2e: to skip e2e tests.
• /test-conformance: to trigger conformance tests.
• /skip-conformance: to skip conformance tests.
• /test-whole-conformance: to trigger all conformance tests on linux.
• /skip-whole-conformance: to skip all conformance tests on linux.
• /test-networkpolicy: to trigger networkpolicy tests.
• /skip-networkpolicy: to skip networkpolicy tests.
• /test-windows-conformance: to trigger windows conformance tests.
• /skip-windows-conformance: to skip windows conformance tests.
• /test-windows-networkpolicy: to trigger windows networkpolicy tests.
• /skip-windows-networkpolicy: to skip windows networkpolicy tests.
• /test-all: to trigger all tests (except whole conformance).
• /skip-all: to skip all tests (except whole conformance).

These commands can only be run by members of the vmware-tanzu organization.

[antoninbas]

As a general comment, make sure that traceflow error messages are "wrapped" appropriately to provide enough context.

[antrea-bot]

Can one of the admins verify this patch?

[antrea-bot]

Thanks for your PR.
Unit tests and code linters are run automatically every time the PR is updated.
E2e, conformance and network policy tests can only be triggered by a member of the vmware-tanzu organization. Regular contributors to the project should join the org.

The following commands are available:

• /test-e2e: to trigger e2e tests.
• /skip-e2e: to skip e2e tests.
• /test-conformance: to trigger conformance tests.
• /skip-conformance: to skip conformance tests.
• /test-whole-conformance: to trigger all conformance tests on linux.
• /skip-whole-conformance: to skip all conformance tests on linux.
• /test-networkpolicy: to trigger networkpolicy tests.
• /skip-networkpolicy: to skip networkpolicy tests.
• /test-windows-conformance: to trigger windows conformance tests.
• /skip-windows-conformance: to skip windows conformance tests.
• /test-windows-networkpolicy: to trigger windows networkpolicy tests.
• /skip-windows-networkpolicy: to skip windows networkpolicy tests.
• /test-hw-offload: to trigger ovs hardware offload test.
• /skip-hw-offload: to skip ovs hardware offload test.
• /test-all: to trigger all tests (except whole conformance).
• /skip-all: to skip all tests (except whole conformance).

These commands can only be run by members of the vmware-tanzu organization.

[jianjuns]

Humm.. Feel not certain if worthwhile to figure out the Pod from IP. Do you think good enough to use IP to indicate the destination here?

[gran-vmv]

Yes, if a translated IP is a Pod IP, it can be retrieved here.
ob.TranslatedDstIP will exist only when packet is processed by DNAT.

[jianjuns]

I meant there will be costs to watch Pods and build IP -> Pod indexes. So, I feel maybe not worthwhile to translate IP back to Pods.

[gran-vmv]

Pods will be always watched in AntreaController (by NetworkPolicyController), thus the only extra cost is the PodIP index. I feel an additional index is acceptable.

[jianjuns]

Could you share the memory overhead of the new index your saw?
BTW, I know for networkpolicy query, I remember we plan to add Pod IP index too, but still want to avoid obvious mem increase. We already saw some mem issues in scale tests.

[jakesokol1]

If you can send me details of the specific case which worries you, I can add an additional test to networkpolicy_controller_perf_test/controller_query_perf_test to directly test memory consumption.

[gran-vmv]

131.3M v.s. 137.7M sounds ok. But in our scale tests, we saw mem usage of ~10G with 150K Pods and 40K NetworkPolicies. Do you think in that case, the extra index will lead to Gs of more mem consumption?

I think the major different point is that I only added many Pods into cache and didn't touch NetworkPolicy. For NetworkPolicy, many additional elements will be cached such as rules and OVS flows.

[tnqn]

The price of the extra PodIP index is a map like below will be created and maintained when adding/updating/deleting pods. But unlike the Pod index of AddressGroup and AppliedToGroup that could have large number of Pods, each Pod has only 1 IP, the extra overhead is constant.

{
    "1.1.1.1": []string{"ns1/pod1"},
    "1.1.1.2": []string{"ns1/pod2"},
}

BenchmarkAddPortWithPodIPIndex-4          252216              4207 ns/op            1608 B/op         17 allocs/op
BenchmarkAddPortWithoutPodIPIndex-4       408417              3234 ns/op            1144 B/op         12 allocs/op

Given the difference is 3us vs 4us per pod, i.e. 300ms vs 400ms for 100k Pods, I think it should be ok.

[jianjuns]

Ok. But can we add some comments at where we create the IP-Pod index to explain why we add the index and we evaluated the overhead is acceptable?

[gran-vmv]

Added comments to:
pkg/controller/traceflow/controller.go

	// Add IP-Pod index. Each Pod has only 1 IP, the extra overhead is constant and acceptable.
	// @tnqn evaluated the performance without/with IP index is 3us vs 4us per pod, i.e. 300ms vs 400ms for 100k Pods.
	podInformer.Informer().AddIndexers(cache.Indexers{podIPIndex: podIPIndexFunc})

[tnqn]

Doesn't it need to wait for a while if the destination is service? what if the target pod is on another Node? so do IP on another Node case.

[gran-vmv]

Yes. If destination is Service or IP/Pod not on current Node, then verify the tunnel/encap status and wait.
Change
if dstNodeIP != "" || tf.Spec.Destination.Pod == "" {
To
if dstMAC == "" {
And added comments.

[antrea-bot]

Thanks for your PR.
Unit tests and code linters are run automatically every time the PR is updated.
E2e, conformance and network policy tests can only be triggered by a member of the vmware-tanzu organization. Regular contributors to the project should join the org.

The following commands are available:

• /test-e2e: to trigger e2e tests.
• /skip-e2e: to skip e2e tests.
• /test-conformance: to trigger conformance tests.
• /skip-conformance: to skip conformance tests.
• /test-whole-conformance: to trigger all conformance tests on linux.
• /skip-whole-conformance: to skip all conformance tests on linux.
• /test-networkpolicy: to trigger networkpolicy tests.
• /skip-networkpolicy: to skip networkpolicy tests.
• /test-windows-conformance: to trigger windows conformance tests.
• /skip-windows-conformance: to skip windows conformance tests.
• /test-windows-networkpolicy: to trigger windows networkpolicy tests.
• /skip-windows-networkpolicy: to skip windows networkpolicy tests.
• /test-hw-offload: to trigger ovs hardware offload test.
• /skip-hw-offload: to skip ovs hardware offload test.
• /test-all: to trigger all tests (except whole conformance).
• /skip-all: to skip all tests (except whole conformance).

[gran-vmv]

/test-all

[gran-vmv]

/test-windows-networkpolicy

[gran-vmv]

/test-windows-conformance
/test-windows-networkpolicy

[gran-vmv]

/test-windows-networkpolicy

[gran-vmv]

/test-windows-networkpolicy

[gran-vmv]

/test-windows-networkpolicy

[gran-vmv]

/test-windows-networkpolicy

[gran-vmv]

/test-windows-networkpolicy

[tnqn]

LGTM