Support Egress using IPs from a separate subnet (#5799)
By default, it's assumed that the IPs allocated from the pool are in the
same subnet as the Node IPs. In some cases, users want to use IPs in
different subnets as Egress IPs. Additionally, users may want to use
VLAN tagging to segment the Egress traffic and the Node traffic.

The commit implements the requirements by introducing an optional field,
`subnetInfo`, to the ExternalIPPool resource. The `subnetInfo` field
contains the subnet attributes of the IPs in this pool. When using a
different subnet:

* `gateway` and `prefixLength` must be set. Antrea will route Egress
  traffic to the specified gateway when the destination is not in the
  same subnet as the Egress IP, otherwise route it to the destination
  directly.

* Optionally, you can specify `vlan` if the underlying network is
  expecting it. Once set, Antrea will tag Egress traffic leaving the
  Egress Node with the specified VLAN ID. Correspondingly, it's
  expected that reply traffic towards these Egress IPs is also tagged
  with the specified VLAN ID when arriving at the Egress Node.

The implementation involves VLAN sub-interfaces and policy routing.

* For a given subnet with a VLAN ID, a separate VLAN sub-interface will
  be created to hold the Egress IPs allocated from it. Egress traffic
  and its reply traffic will be sent over and received from the VLAN
  sub-interface for proper tagging and untagging.

* For a given subnet, a separate route table will be created, routing
  the selected Egress traffic to the specified gateway, or to its
  neighbor.

* For multiple Egress IPs allocated from the same subnet, a
  separate IP rule will be created for each Egress IP, matching its pkt
  mark and looking up the shared route table.

The feature is gated by the alpha "EgressSeparateSubnet" feature gate.

Signed-off-by: Quan Tian <[email protected]>
tnqn authored Jan 5, 2024
1 parent fd3bb75 commit 43427a1
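The mechanism the commit message describes, rendered as an added example in Go (Antrea's own language). This is not code from this commit or from Antrea: it models the `subnetInfo` fields, performs the per-address-family and in-subnet checks that the CRD schema alone cannot express, and emits the iproute2 commands equivalent to "VLAN sub-interface + per-subnet route table + per-Egress-IP fwmark rule". The parent interface name `eth0`, route table number, packet marks and the sample addresses are constructed assumptions; the treatment of `vlan: 0` as "untagged" is this example's convention.

```go
package main

import (
	"fmt"
	"net/netip"
)

// SubnetInfo mirrors the ExternalIPPool `subnetInfo` field described in the
// commit message. vlan 0 is treated as "do not tag" (this example's assumption).
type SubnetInfo struct {
	Gateway      string
	PrefixLength int
	VLAN         int
}

// EgressIP pairs an allocated Egress IP with the packet mark that selects its traffic.
type EgressIP struct {
	IP   string
	Mark uint32
}

// ValidateSubnetInfo does what the CRD schema cannot: bound prefixLength by the
// gateway's address family and keep pool IPs inside the gateway subnet. This is
// example logic, not Antrea's webhook code.
func ValidateSubnetInfo(info SubnetInfo, poolIPs []string) error {
	gw, err := netip.ParseAddr(info.Gateway)
	if err != nil {
		return fmt.Errorf("gateway %q: %w", info.Gateway, err)
	}
	maxPrefix := 32
	if gw.Is6() {
		maxPrefix = 128
	}
	// A host-only prefix (/32, /128) cannot hold both a gateway and an Egress IP.
	if info.PrefixLength < 1 || info.PrefixLength >= maxPrefix {
		return fmt.Errorf("prefixLength %d out of range [1,%d) for gateway %s", info.PrefixLength, maxPrefix, gw)
	}
	subnet := netip.PrefixFrom(gw, info.PrefixLength).Masked()
	for _, s := range poolIPs {
		ip, err := netip.ParseAddr(s)
		if err != nil {
			return fmt.Errorf("pool IP %q: %w", s, err)
		}
		// Contains is false across address families, so a v6 IP in a v4 pool fails here too.
		if !subnet.Contains(ip) {
			return fmt.Errorf("pool IP %s is outside gateway subnet %s", ip, subnet)
		}
	}
	// 802.1Q reserves VID 0 (priority tag) and 4095; 4094 is the last usable ID.
	if info.VLAN < 0 || info.VLAN > 4094 {
		return fmt.Errorf("vlan %d out of range [0,4094]", info.VLAN)
	}
	return nil
}

// PlanLinuxConfig renders the iproute2 commands equivalent to the mechanism the
// commit describes: a VLAN sub-interface per tagged subnet, a route table per
// subnet (connected route plus default via the gateway), and one fwmark rule per
// Egress IP. Parent interface, table number and marks are this example's assumptions.
func PlanLinuxConfig(parent string, info SubnetInfo, table int, ips []EgressIP) ([]string, error) {
	poolIPs := make([]string, 0, len(ips))
	for _, e := range ips {
		poolIPs = append(poolIPs, e.IP)
	}
	if err := ValidateSubnetInfo(info, poolIPs); err != nil {
		return nil, err
	}
	gw := netip.MustParseAddr(info.Gateway) // safe: validated above
	dev, cmds := parent, []string{}
	if info.VLAN != 0 {
		dev = fmt.Sprintf("%s.%d", parent, info.VLAN)
		cmds = append(cmds,
			fmt.Sprintf("ip link add link %s name %s type vlan id %d", parent, dev, info.VLAN),
			fmt.Sprintf("ip link set %s up", dev))
	}
	for _, e := range ips {
		cmds = append(cmds,
			fmt.Sprintf("ip addr add %s/%d dev %s", e.IP, info.PrefixLength, dev),
			fmt.Sprintf("ip rule add fwmark 0x%x lookup %d", e.Mark, table))
	}
	subnet := netip.PrefixFrom(gw, info.PrefixLength).Masked()
	cmds = append(cmds,
		fmt.Sprintf("ip route add %s dev %s table %d", subnet, dev, table),
		fmt.Sprintf("ip route add default via %s dev %s table %d", gw, dev, table))
	return cmds, nil
}

func main() {
	info := SubnetInfo{Gateway: "10.10.0.1", PrefixLength: 24, VLAN: 100} // constructed sample
	cmds, err := PlanLinuxConfig("eth0", info, 101, []EgressIP{{IP: "10.10.0.50", Mark: 0x20}})
	if err != nil {
		panic(err)
	}
	for _, c := range cmds {
		fmt.Println(c)
	}
}
```

The connected route in the per-subnet table is what makes "route it to the destination directly" work: a lookup for a peer inside the Egress subnet matches that route before the default route via the gateway, while everything else falls through to the gateway. The validation runs before any command is emitted so that a pool with a gateway of one address family and ranges of another, or a prefix length that is meaningless for the gateway's family, never reaches the data plane.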
Showing 47 changed files with 2,344 additions and 322 deletions.
1 change: 1 addition & 0 deletions .github/workflows/kind.yml
Expand Up @@ -237,6 +237,7 @@ jobs:
--feature-gates AllAlpha=true,AllBeta=true \
--proxy-all \
--node-ipam \
--extra-vlan \
--multicast
- name: Tar coverage files
run: tar -czf test-e2e-encap-all-features-enabled-coverage.tar.gz test-e2e-encap-all-features-enabled-coverage
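Review bot: `--extra-vlan` is added to the all-features e2e invocation without a comment saying what it provisions, and nothing in this hunk defines the flag. Since the feature being tested needs a VLAN-tagged subnet reachable from the kind Nodes, add a one-line comment next to the flag (or in the invoked script's usage text) naming the VLAN ID and subnet it creates, so a failing Egress test can be matched against the test-network layout. It is also only enabled in this job; if the separate-subnet tests are skipped when the flag is absent, say so in the test, otherwise the other jobs will fail on it.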
3 changes: 3 additions & 0 deletions build/charts/antrea/conf/antrea-agent.conf
Expand Up @@ -79,6 +79,9 @@ featureGates:
# Enable Egress traffic shaping.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "EgressTrafficShaping" "default" false) }}

# Allow users to allocate Egress IPs from a different subnet from the default Node subnet.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "EgressSeparateSubnet" "default" false) }}

# Name of the OpenVSwitch bridge antrea-agent will create and use.
# Make sure it doesn't conflict with your existing OpenVSwitch bridges.
ovsBridge: {{ .Values.ovs.bridgeName | quote }}
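Review bot: the new gate comment reads "from a different subnet from the default Node subnet"; reword to "from a subnet other than the Node subnet" and name the field that has to be set for it to do anything (`subnetInfo` on ExternalIPPool, per the commit message), so the gate is discoverable from the config file alone. `"default" false` is consistent with the alpha status the commit message states.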
19 changes: 19 additions & 0 deletions build/charts/antrea/crds/externalippool.yaml
Expand Up @@ -133,6 +133,25 @@ spec:
oneOf:
- format: ipv4
- format: ipv6
subnetInfo:
type: object
required:
- gateway
- prefixLength
properties:
gateway:
type: string
oneOf:
- format: ipv4
- format: ipv6
prefixLength:
type: integer
minimum: 1
maximum: 127
vlan:
type: integer
minimum: 0
maximum: 4094
nodeSelector:
type: object
properties:
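Review bot: `prefixLength` with `minimum: 1` / `maximum: 127` cannot express per-family bounds: for an IPv4 `gateway` it still admits /33 through /127, and for IPv6 it only excludes /128, so the validating webhook must bound the prefix by the gateway's address family and check that every range in the pool lies inside `gateway`/`prefixLength` and shares its family. None of the three new properties carries a `description`; add one per field, and for `vlan` state whether `0` means "untagged", because `minimum: 0` otherwise admits VID 0, which 802.1Q reserves for priority-tagged frames. Finally, `required: [gateway, prefixLength]` only applies when `subnetInfo` is present, which matches the commit message, but that optionality is worth spelling out in the description too.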
Original file line number Diff line number Diff line change
Expand Up @@ -116,9 +116,9 @@ webhooks:
namespace: {{ .Release.Namespace }}
path: "/validate/externalippool"
rules:
- operations: ["UPDATE"]
- operations: ["CREATE", "UPDATE"]
apiGroups: ["crd.antrea.io"]
apiVersions: ["v1alpha2"]
apiVersions: ["v1alpha2", "v1beta1"]
resources: ["externalippools"]
scope: "Cluster"
admissionReviewVersions: ["v1", "v1beta1"]
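Review bot: adding `CREATE` closes the gap where a pool with an invalid `subnetInfo` could be created unvalidated and only rejected on its first UPDATE, but pools that already exist when this webhook configuration is rolled out are still not re-checked until their next update; that deserves a release note. With `v1beta1` added to `apiVersions`, also confirm that the handler behind `/validate/externalippool` decodes both `v1alpha2` and `v1beta1` request bodies; if it only knows one, the outcome for the other depends on the `failurePolicy`, which this hunk does not show.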
30 changes: 26 additions & 4 deletions build/yamls/antrea-aks.yml
Expand Up @@ -2654,6 +2654,25 @@ spec:
oneOf:
- format: ipv4
- format: ipv6
subnetInfo:
type: object
required:
- gateway
- prefixLength
properties:
gateway:
type: string
oneOf:
- format: ipv4
- format: ipv6
prefixLength:
type: integer
minimum: 1
maximum: 127
vlan:
type: integer
minimum: 0
maximum: 4094
nodeSelector:
type: object
properties:
Expand Down Expand Up @@ -5603,6 +5622,9 @@ data:
# Enable Egress traffic shaping.
# EgressTrafficShaping: false
# Allow users to allocate Egress IPs from a different subnet from the default Node subnet.
# EgressSeparateSubnet: false
# Name of the OpenVSwitch bridge antrea-agent will create and use.
# Make sure it doesn't conflict with your existing OpenVSwitch bridges.
ovsBridge: "br-int"
Expand Down Expand Up @@ -6903,7 +6925,7 @@ spec:
kubectl.kubernetes.io/default-container: antrea-agent
# Automatically restart Pods with a RollingUpdate if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: e59e0431902646d46cba490279184fea2bdd3c8b486b5a7b1d3ece9a91614634
checksum/config: fe9081d7718e258905728726bb8f3a8d42a332d7f4e0d8faaa9731b3c4b51aa4
labels:
app: antrea
component: antrea-agent
Expand Down Expand Up @@ -7141,7 +7163,7 @@ spec:
annotations:
# Automatically restart Pod if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: e59e0431902646d46cba490279184fea2bdd3c8b486b5a7b1d3ece9a91614634
checksum/config: fe9081d7718e258905728726bb8f3a8d42a332d7f4e0d8faaa9731b3c4b51aa4
labels:
app: antrea
component: antrea-controller
Expand Down Expand Up @@ -7456,9 +7478,9 @@ webhooks:
namespace: kube-system
path: "/validate/externalippool"
rules:
- operations: ["UPDATE"]
- operations: ["CREATE", "UPDATE"]
apiGroups: ["crd.antrea.io"]
apiVersions: ["v1alpha2"]
apiVersions: ["v1alpha2", "v1beta1"]
resources: ["externalippools"]
scope: "Cluster"
admissionReviewVersions: ["v1", "v1beta1"]
19 changes: 19 additions & 0 deletions build/yamls/antrea-crds.yml
Expand Up @@ -2641,6 +2641,25 @@ spec:
oneOf:
- format: ipv4
- format: ipv6
subnetInfo:
type: object
required:
- gateway
- prefixLength
properties:
gateway:
type: string
oneOf:
- format: ipv4
- format: ipv6
prefixLength:
type: integer
minimum: 1
maximum: 127
vlan:
type: integer
minimum: 0
maximum: 4094
nodeSelector:
type: object
properties:
30 changes: 26 additions & 4 deletions build/yamls/antrea-eks.yml
Expand Up @@ -2654,6 +2654,25 @@ spec:
oneOf:
- format: ipv4
- format: ipv6
subnetInfo:
type: object
required:
- gateway
- prefixLength
properties:
gateway:
type: string
oneOf:
- format: ipv4
- format: ipv6
prefixLength:
type: integer
minimum: 1
maximum: 127
vlan:
type: integer
minimum: 0
maximum: 4094
nodeSelector:
type: object
properties:
Expand Down Expand Up @@ -5603,6 +5622,9 @@ data:
# Enable Egress traffic shaping.
# EgressTrafficShaping: false
# Allow users to allocate Egress IPs from a different subnet from the default Node subnet.
# EgressSeparateSubnet: false
# Name of the OpenVSwitch bridge antrea-agent will create and use.
# Make sure it doesn't conflict with your existing OpenVSwitch bridges.
ovsBridge: "br-int"
Expand Down Expand Up @@ -6903,7 +6925,7 @@ spec:
kubectl.kubernetes.io/default-container: antrea-agent
# Automatically restart Pods with a RollingUpdate if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: e59e0431902646d46cba490279184fea2bdd3c8b486b5a7b1d3ece9a91614634
checksum/config: fe9081d7718e258905728726bb8f3a8d42a332d7f4e0d8faaa9731b3c4b51aa4
labels:
app: antrea
component: antrea-agent
Expand Down Expand Up @@ -7142,7 +7164,7 @@ spec:
annotations:
# Automatically restart Pod if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: e59e0431902646d46cba490279184fea2bdd3c8b486b5a7b1d3ece9a91614634
checksum/config: fe9081d7718e258905728726bb8f3a8d42a332d7f4e0d8faaa9731b3c4b51aa4
labels:
app: antrea
component: antrea-controller
Expand Down Expand Up @@ -7457,9 +7479,9 @@ webhooks:
namespace: kube-system
path: "/validate/externalippool"
rules:
- operations: ["UPDATE"]
- operations: ["CREATE", "UPDATE"]
apiGroups: ["crd.antrea.io"]
apiVersions: ["v1alpha2"]
apiVersions: ["v1alpha2", "v1beta1"]
resources: ["externalippools"]
scope: "Cluster"
admissionReviewVersions: ["v1", "v1beta1"]
30 changes: 26 additions & 4 deletions build/yamls/antrea-gke.yml
Expand Up @@ -2654,6 +2654,25 @@ spec:
oneOf:
- format: ipv4
- format: ipv6
subnetInfo:
type: object
required:
- gateway
- prefixLength
properties:
gateway:
type: string
oneOf:
- format: ipv4
- format: ipv6
prefixLength:
type: integer
minimum: 1
maximum: 127
vlan:
type: integer
minimum: 0
maximum: 4094
nodeSelector:
type: object
properties:
Expand Down Expand Up @@ -5603,6 +5622,9 @@ data:
# Enable Egress traffic shaping.
# EgressTrafficShaping: false
# Allow users to allocate Egress IPs from a different subnet from the default Node subnet.
# EgressSeparateSubnet: false
# Name of the OpenVSwitch bridge antrea-agent will create and use.
# Make sure it doesn't conflict with your existing OpenVSwitch bridges.
ovsBridge: "br-int"
Expand Down Expand Up @@ -6903,7 +6925,7 @@ spec:
kubectl.kubernetes.io/default-container: antrea-agent
# Automatically restart Pods with a RollingUpdate if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: 3b1758664de8044af1aa7454c64bd1a4911750e562e1ae9375c9c16a335a469d
checksum/config: 997259cac105a193d671880b165e203a9954f33009766df5eceed753509c46b9
labels:
app: antrea
component: antrea-agent
Expand Down Expand Up @@ -7139,7 +7161,7 @@ spec:
annotations:
# Automatically restart Pod if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: 3b1758664de8044af1aa7454c64bd1a4911750e562e1ae9375c9c16a335a469d
checksum/config: 997259cac105a193d671880b165e203a9954f33009766df5eceed753509c46b9
labels:
app: antrea
component: antrea-controller
Expand Down Expand Up @@ -7454,9 +7476,9 @@ webhooks:
namespace: kube-system
path: "/validate/externalippool"
rules:
- operations: ["UPDATE"]
- operations: ["CREATE", "UPDATE"]
apiGroups: ["crd.antrea.io"]
apiVersions: ["v1alpha2"]
apiVersions: ["v1alpha2", "v1beta1"]
resources: ["externalippools"]
scope: "Cluster"
admissionReviewVersions: ["v1", "v1beta1"]
30 changes: 26 additions & 4 deletions build/yamls/antrea-ipsec.yml
Expand Up @@ -2654,6 +2654,25 @@ spec:
oneOf:
- format: ipv4
- format: ipv6
subnetInfo:
type: object
required:
- gateway
- prefixLength
properties:
gateway:
type: string
oneOf:
- format: ipv4
- format: ipv6
prefixLength:
type: integer
minimum: 1
maximum: 127
vlan:
type: integer
minimum: 0
maximum: 4094
nodeSelector:
type: object
properties:
Expand Down Expand Up @@ -5616,6 +5635,9 @@ data:
# Enable Egress traffic shaping.
# EgressTrafficShaping: false
# Allow users to allocate Egress IPs from a different subnet from the default Node subnet.
# EgressSeparateSubnet: false
# Name of the OpenVSwitch bridge antrea-agent will create and use.
# Make sure it doesn't conflict with your existing OpenVSwitch bridges.
ovsBridge: "br-int"
Expand Down Expand Up @@ -6916,7 +6938,7 @@ spec:
kubectl.kubernetes.io/default-container: antrea-agent
# Automatically restart Pods with a RollingUpdate if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: a34de3efa658ac40c9bde28e08832dd897259fdcf639beab9d4e47531d7da948
checksum/config: 4364ee1520a24d9a465a405536736498119269c0fc81d4dc01e83d7fdd462913
checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
labels:
app: antrea
Expand Down Expand Up @@ -7198,7 +7220,7 @@ spec:
annotations:
# Automatically restart Pod if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: a34de3efa658ac40c9bde28e08832dd897259fdcf639beab9d4e47531d7da948
checksum/config: 4364ee1520a24d9a465a405536736498119269c0fc81d4dc01e83d7fdd462913
labels:
app: antrea
component: antrea-controller
Expand Down Expand Up @@ -7513,9 +7535,9 @@ webhooks:
namespace: kube-system
path: "/validate/externalippool"
rules:
- operations: ["UPDATE"]
- operations: ["CREATE", "UPDATE"]
apiGroups: ["crd.antrea.io"]
apiVersions: ["v1alpha2"]
apiVersions: ["v1alpha2", "v1beta1"]
resources: ["externalippools"]
scope: "Cluster"
admissionReviewVersions: ["v1", "v1beta1"]

0 comments on commit 43427a1