Document Egress feature

[tnqn]

For #1924

[antoninbas]

LGTM

I think I would just recommend clarifying what "IP configured on one Node" means by just saying that it means an IP assign to an arbitrary interface of the Node (and that it is unrelated to the Node Addresses in the K8s API).

I know this is more of an implementation detail, but since this is our only documentation for this so far, do you think we should add a sentence about how egress traffic will be forwarded on the overlay to the Node configured with the egress IP?

[antoninbas]

s/could only/can only

[tnqn]

done, thanks

[jianjuns]

Hybrid mode should work too? Even noEncap and policyOnly if we tunnel egress traffic, and reduce MTU.

[tnqn]

Sure, updated the doc to say it's just "currently" not supported.

[jianjuns]

For IPv4 cluster, it must be IPv4; for IPv6 it must be IPv6.
Do we support dual-stack?

[tnqn]

In theory it supports dual-stack but I haven't verified it.

[jianjuns]

Hybrid mode should work too? Even noEncap and policyOnly if we tunnel egress traffic, and reduce MTU.

[antoninbas]

The IP must be assigned to an arbitrary interface of one Node, and one Node only

[jianjuns]

Do we assume we need an another user doc? There can be other details to add. For example, the IP must be reachable from all Nodes (as we tunnel to that IP).

[antoninbas]

If this is a requirement we should list here. I'm unfamiliar with the implementation so I was assuming we were tunneling using the K8s Node IP, not the SNAT IP.

Another more detailed document (with a diagram for example) may be useful, but it's fine to tackle that after the release IMO.

[tnqn]

Added the requirement about reachability, agree we could have a separate doc to describe the implementation later.

[jianjuns]

So you believe it does not work for hybrid now? I thought it should work.

[tnqn]

I think it again and agree it should work. I could test it later and update the doc after verifying it.

[jianjuns]

Sounds good!

[tnqn]

@jianjuns It didn't work for two Nodes in same subnet in hybrid case. The reason is:

1. After the request packet is tunneled to the Egress Node and sent to its host network, reverse path filtering will drop the packet as the traffic comes from antrea-gw0 while it's on a route of one physical interface like eth0. rp_filter is set to strict mode in some distributions like ubuntu. Changing it to loose mode can resolve this.
2. After the reply packet is received on the Egress Node, it will output the packet to the physical interface that has route to the Pod network, e.g. eth0, instead of antrea-gw0, leading to asymmetric path.

I will file an issue to discuss how to make it work for hybrid mode, and maybe route mode together. For this release, guess we don't have time to support it for hybrid mode. Do you agree?

[jianjuns]

Got it. Let us think about any solution. I think the feature can be useful for hybrid mode and encap mode too.

[tnqn]

sure

[jianjuns]

/skip-all

[tnqn]

Appended a newline at end of file to fix "Verify docs and spelling"

[tnqn]

/skip-all