Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow additional CIDRs to be excluded from SNAT #520

Merged
merged 4 commits into from
Jul 11, 2019
Merged

Allow additional CIDRs to be excluded from SNAT #520

merged 4 commits into from
Jul 11, 2019

Conversation

totahuanocotl
Copy link
Contributor

@totahuanocotl totahuanocotl commented Jul 3, 2019
edited
Loading

Connects to #469

Introduces a mechanism to provide an exclusion list of CIDRs that should
not be SNATed.

Adds an environment variable AWS_VPC_K8S_CNI_EXCLUDE_SNAT_CIDRS to
provide a comma separated list of ipv4 CIDRs to exclude from SNAT.
The value of this environment variable will only be use when
AWS_VPC_K8S_CNI_EXTERNALSNAT is false.

The SNAT exclusion CIDRs will be used to:

  • Generate iptable rules to prevent SNATing for packets directed to
    the excluded CIDRs
  • Generate ip rule entries to route packets directed to the excluded
    CIDRs through the pod's eni. This configuration is done both at the
    cni plugin level via the rpc_handler, and the runtime network api.

Given that the list of excluded CIDRs may vary by configuration it was
necessary to include a mechanism to clean up stale SNAT rules. If a
CIDR is removed from the exclusion list, the corresponding iptable
rule will be removed as well, and the chain will be adjusted.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Co-authored-by: @rewiko
Co-authored-by: @yorg1st

@totahuanocotl totahuanocotl force-pushed the add-exclusion-snat-cidrs-to-allow-direct-communication-to-others-network branch from 21a8a6a to 65aa823 Compare July 4, 2019 09:51
@totahuanocotl
Allow additional CIDRs to be excluded from SNAT
b30f2ba 
Introduces a mechanism to provide an exclusion list of CIDRs that should
not be SNATed.

Adds an environment variable `AWS_VPC_K8S_CNI_EXCLUDE_SNAT_CIDRS` to
provide a comma separated list of ipv4 CIDRs to exclude from SNAT.
The value of this environment variable will only be use when
`AWS_VPC_K8S_CNI_EXTERNALSNAT` is false.

The SNAT exclusion CIDRs will be used to:
- Generate `iptable` rules to prevent SNATing for packets directed to
the excluded CIDRs
- Generate `ip rule` entries to route packets directed to the excluded
CIDRs through the pod's `eni`. These configuration is done both at the
`cni` plugin level via the `rpc_handler`, and the runtime `network` api.

Given that the list of excluded CIDRs may vary by configuration it was
necessary to include a mechanism to clean up stale SNAT rules. If a
CIDR is removed from the exclusion list, the corresponding `iptable`
rule will be removed as well, and the chain will be adjusted.

Connects aws#469

Co-authored-by: @rewiko
Co-authored-by: @yorg1st
@totahuanocotl totahuanocotl force-pushed the add-exclusion-snat-cidrs-to-allow-direct-communication-to-others-network branch from 65aa823 to b30f2ba Compare July 4, 2019 09:52
@totahuanocotl
Copy link
Contributor Author

totahuanocotl commented Jul 8, 2019
edited
Loading

Hi @mogren , do you think this PR could be looked at?
We are quite interested in this feature.

mogren
mogren suggested changes Jul 10, 2019
View reviewed changes
Copy link
Contributor

@mogren mogren left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work, thanks a lot for adding this.

Just a few small nitpicks to fix and I'd be happy to merge it.

pkg/networkutils/network.go Outdated Show resolved Hide resolved
pkg/networkutils/network.go Show resolved Hide resolved
pkg/networkutils/network.go Outdated Show resolved Hide resolved
pkg/networkutils/network_test.go Show resolved Hide resolved
pkg/networkutils/network_test.go Show resolved Hide resolved
README.md Show resolved Hide resolved
pkg/networkutils/network.go Show resolved Hide resolved
pkg/networkutils/network.go Outdated Show resolved Hide resolved
@mogren mogren added this to the v1.6 milestone Jul 10, 2019
@totahuanocotl
Address PR review comments
773c7cb
@totahuanocotl
Fix typo in SNAT chain rules' comment
783dfcb
@totahuanocotl
Add formatting targets to Makefile
5355b90 
`format` applies formatting to the project's go files.
`check-format` checks that no files require formatting; if they do it
will fail the command.

It adds the `check-format` target to the travis build so that CI fails
if files are not properly formatted.
mogren
mogren approved these changes Jul 11, 2019
View reviewed changes
Copy link
Contributor

@mogren mogren left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, thanks again!

@mogren mogren merged commit a4b14eb into aws:master Jul 11, 2019
@mogren mogren mentioned this pull request Jul 11, 2019
Closed
@totahuanocotl
Copy link
Contributor Author

Thanks @mogren !

@mogren mogren mentioned this pull request Aug 2, 2019
Closed
This was referenced Sep 18, 2019
Merged
Closed
This was referenced Sep 28, 2019
Closed
Closed
@tanguyfalconnet tanguyfalconnet mentioned this pull request Sep 29, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mogren mogren mogren approved these changes

Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
v1.6
Development

Successfully merging this pull request may close these issues.
2 participants
@totahuanocotl @mogren