-
Notifications
You must be signed in to change notification settings - Fork 372
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Egress Policy #667
Comments
Have you considered multiple interfaces/networks Nodes can be connected to ? Will I be able to pick which interface/network I can SNAT from ? |
Yes, mentioned multiple interfaces in the "NodePool CRD" section. But as other ideas described in the proposal, I have no detailed design yet, and we might need to look into the details. |
This issue is stale because it has been open 180 days with no activity. Remove stale label or comment, or this will be closed in 180 days |
@jianjuns I'm working on this and have some questions want to discuss with you:
|
|
|
|
In the first version, we require users to manually configure SNAT IPs on the Nodes. In a SNATPolicy, a particular SNAT IP can be specified for the selected Pods, and antrea-controller will publish the SNATPolicy to the Nodes on which the selected Pods run. The OVS flow changes include:
iptables rules: |
@tnqn : let me know what you think ^^ |
@jianjuns the proposal LGTM, one question about configuring SNAT IP and publishing SNATPolicy: |
@tnqn : I think each Node can discover all local IPs, and based on that decide whether or not to perform SNAT locally or tunnel to the SNAT IP. Do you have extra thoughts on the 1st version scope, like should we do IPv4 only or not? |
I assume agent will need to treat all local IPs as potential SNAT IPs and configure openflows, allocate mark IDs, and configure iptables rules for them. Could it lead to many unnecessary configurations? For example, when kube-proxy ipvs mode is used, all service IPs will be configured on a network interface, there might be other cases that we are not aware of in production? |
Do we have some way to filter IPs and assume we have a reasonable set of IPs to care about? Another way is to watch all SNAT policies and know the IPs can be used. |
I think filtering IPs approach might be not clean and become complex to adapt all scenarios. Using SNATPolicy as source of truth sounds good to me. Is this the first version scope in your mind:
|
Yes, that is what I am thinking. Do you think it can save some work if we start from IPv4 and Linux (not much to support Windows too)? |
I feel the main work to support IPv6 is more about testing as the design doesn't sound address family specific, while I'm not sure the extra work to support windows given that it doesn't use iptables to do SNAT. I would lean to support dual-stack and only for Linux in the first version. |
Windows is even easier? As we do SNAT with OVS only. But the same as IPv6, there will be work for testing. If our target is 0.14, I think we can just do IPv4 on Linux. |
Sure, IPv4 on Linux sounds good to me. |
This issue is stale because it has been open 180 days with no activity. Remove stale label or comment, or this will be closed in 180 days |
I am going to close this. Other more specialized issues can be created to address gaps in the implementation: Windows, noEncap, etc. |
Describe what you are trying to solve
Egress and SNAT policies implementation of Antrea - being able to control egress Nodes and SNAT IPs of Pod egress traffic (from Pods to external network).
Describe the solution you have in mind
Just put some high level ideas here.
Egress policy definition
EgressPolicy CRD
We might introduce an EgressPolicy CRD that:
We might prioritize selecting a single Namespace or Service.
IPPool CRD
We could add a CRD to define an IP pool. Besides SNAT, it could be used for Pod IPAM too.
NodePool CRD
We could add a CRD to define the set of Nodes that can act as egress Nodes. For simplicity, we might start from a single egress Node pool.
There could be multiple interfaces on a Node. We might need to support configuring which interface to use for egress.
Egress IP management
Discovery of Node IPs
Antrea Agent auto-discovers all interfaces and their IPs, and probably saves the information to a CRD like NodeInfo.
Then user can use any of the discovered IP to define EgressPolicy.
Auto IP assignment by Controller
Antrea Controller can automatically assign a SNAT IP to a Node from a configured NodePool.
HA and failover
When the SNAT IP is assigned to Nodes by Controller, we might further support failover of the SNAT IP - moving the SNAT IP to a new Node when the current Node fails. There could be two possible approaches:
Decision by Controller
When the Node fails, Controller should move the IP to another available Node.
To avoid conflicts of the old and new egress Nodes (e.g. the old Node loses connection to K8s API or Controller, but is still active and can serve egress traffic in datapath), we might introduce some conflict detection mechanism. For example, the new Node tries to ping the old Node (SNAT IP) to see if it is still active and reachable.
Limitations:
Active/standby Nodes
Controller selects a pair of active/standby Nodes for each SNAT IP. Active/standby Nodes use a distributed protocol to decide the active Node and even replicate connection state.
One possible solution in Linux is to leverage conntrackd and keepalived.
If we can assume all SNAT IPs can be reachable from every Node, the implementation could be simpler, as the source Nodes need not to know the SNAT IP is available on which Node, but just tunnels/routes the packets to the SNAT IP. If this is not the case (for example, SNAT IPs are in a separate network from the Node network, and are assigned to extra NICs of a specific set of Nodes act as egress Nodes), we need some way to notify all Nodes about the current active egress Node for a SNAT IP, either through Controller or K8s API which then again require Controller or K8s API must be available in the failover case, another distributed protocol.
Data path design
The source Node forwards (through tunnel or routing in noEncap or hybrid mode) the egress packets to the egress Node, and egress Node SNAT the packets with the assigned SNAT IP.
The text was updated successfully, but these errors were encountered: