Graduate NodePortLocal feature from Alpha to Beta (antrea-io#2924)

NodePortLocal will be graduated to Beta and enabled by default starting
with v1.4.

In order to avoid CPU & memory overhead in the K8s control plane and
in the Antrea Agent, a configuration parameter is provided (in addition
to the feature gate) to control enablement of the feature. All NPL
options (enable and portRange) are grouped under one top-level config
option (nodePortLocal) like we have done for other features. By default,
the feature is disabled and nodePortLocal.enable needs to be set to
true.
Note that eventually the feature gate will go GA and the config option
will be the only way to enable / disable NPL.

On the e2e test side, we follow the same logic as for other Beta
features: if the feature has been disabled, we skip all the relevant
tests that depend on that feature instead of updating the ConfigMap as
part of the test (which is the approach we take for Alpha
features). The NPL e2e tests still need to update the ConfigMap to
enable the feature and change the portRange. This commit changes the
mutateAntreaConfigMap so that the function is a no-op in case there is
no actual change.

Fixes antrea-io#2923

Signed-off-by: Antonin Bas <[email protected]>

build/yamls/antrea-aks.yml

@@ -3849,8 +3849,8 @@ data:
     # Enable traceflow which provides packet tracing feature to diagnose network issue.
     #  Traceflow: true
 
-    # Enable NodePortLocal feature to make the pods reachable externally through NodePort
-    #  NodePortLocal: false
+    # Enable NodePortLocal feature to make the Pods reachable externally through NodePort
+    #  NodePortLocal: true
 
     # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
     # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
@@ -3977,10 +3977,16 @@ data:
     # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
     #idleFlowExportTimeout: "15s"
 
-    # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned
-    # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports),
-    # and all Node traffic directed to that port will be forwarded to the Pod.
-    #nplPortRange: 61000-62000
+    nodePortLocal:
+    # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
+    # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature
+    # gate is also enabled (which is the default).
+    #  enable: false
+    # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port
+    # from that range will be assigned whenever a Pod's container defines a specific port to be exposed
+    # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic
+    # directed to that port will be forwarded to the Pod.
+    #  portRange: 61000-62000
 
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
@@ -4135,7 +4141,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-dttf6969bm
+  name: antrea-config-2t22kh7hm4
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4206,7 +4212,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-dttf6969bm
+          value: antrea-config-2t22kh7hm4
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4257,7 +4263,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-dttf6969bm
+          name: antrea-config-2t22kh7hm4
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4538,7 +4544,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-dttf6969bm
+          name: antrea-config-2t22kh7hm4
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-eks.yml

@@ -3849,8 +3849,8 @@ data:
     # Enable traceflow which provides packet tracing feature to diagnose network issue.
     #  Traceflow: true
 
-    # Enable NodePortLocal feature to make the pods reachable externally through NodePort
-    #  NodePortLocal: false
+    # Enable NodePortLocal feature to make the Pods reachable externally through NodePort
+    #  NodePortLocal: true
 
     # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
     # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
@@ -3977,10 +3977,16 @@ data:
     # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
     #idleFlowExportTimeout: "15s"
 
-    # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned
-    # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports),
-    # and all Node traffic directed to that port will be forwarded to the Pod.
-    #nplPortRange: 61000-62000
+    nodePortLocal:
+    # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
+    # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature
+    # gate is also enabled (which is the default).
+    #  enable: false
+    # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port
+    # from that range will be assigned whenever a Pod's container defines a specific port to be exposed
+    # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic
+    # directed to that port will be forwarded to the Pod.
+    #  portRange: 61000-62000
 
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
@@ -4135,7 +4141,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-dttf6969bm
+  name: antrea-config-2t22kh7hm4
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4206,7 +4212,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-dttf6969bm
+          value: antrea-config-2t22kh7hm4
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4257,7 +4263,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-dttf6969bm
+          name: antrea-config-2t22kh7hm4
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4540,7 +4546,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-dttf6969bm
+          name: antrea-config-2t22kh7hm4
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-gke.yml

@@ -3849,8 +3849,8 @@ data:
     # Enable traceflow which provides packet tracing feature to diagnose network issue.
     #  Traceflow: true
 
-    # Enable NodePortLocal feature to make the pods reachable externally through NodePort
-    #  NodePortLocal: false
+    # Enable NodePortLocal feature to make the Pods reachable externally through NodePort
+    #  NodePortLocal: true
 
     # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
     # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
@@ -3977,10 +3977,16 @@ data:
     # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
     #idleFlowExportTimeout: "15s"
 
-    # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned
-    # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports),
-    # and all Node traffic directed to that port will be forwarded to the Pod.
-    #nplPortRange: 61000-62000
+    nodePortLocal:
+    # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
+    # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature
+    # gate is also enabled (which is the default).
+    #  enable: false
+    # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port
+    # from that range will be assigned whenever a Pod's container defines a specific port to be exposed
+    # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic
+    # directed to that port will be forwarded to the Pod.
+    #  portRange: 61000-62000
 
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
@@ -4135,7 +4141,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-2f6h926k9h
+  name: antrea-config-fgt5gkhtf5
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4206,7 +4212,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-2f6h926k9h
+          value: antrea-config-fgt5gkhtf5
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4257,7 +4263,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-2f6h926k9h
+          name: antrea-config-fgt5gkhtf5
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4541,7 +4547,7 @@ spec:
           path: /home/kubernetes/bin
         name: host-cni-bin
       - configMap:
-          name: antrea-config-2f6h926k9h
+          name: antrea-config-fgt5gkhtf5
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-ipsec.yml

@@ -3849,8 +3849,8 @@ data:
     # Enable traceflow which provides packet tracing feature to diagnose network issue.
     #  Traceflow: true
 
-    # Enable NodePortLocal feature to make the pods reachable externally through NodePort
-    #  NodePortLocal: false
+    # Enable NodePortLocal feature to make the Pods reachable externally through NodePort
+    #  NodePortLocal: true
 
     # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
     # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
@@ -3982,10 +3982,16 @@ data:
     # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
     #idleFlowExportTimeout: "15s"
 
-    # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned
-    # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports),
-    # and all Node traffic directed to that port will be forwarded to the Pod.
-    #nplPortRange: 61000-62000
+    nodePortLocal:
+    # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
+    # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature
+    # gate is also enabled (which is the default).
+    #  enable: false
+    # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port
+    # from that range will be assigned whenever a Pod's container defines a specific port to be exposed
+    # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic
+    # directed to that port will be forwarded to the Pod.
+    #  portRange: 61000-62000
 
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
@@ -4140,7 +4146,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-7chtf92g54
+  name: antrea-config-7499thbtth
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4220,7 +4226,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-7chtf92g54
+          value: antrea-config-7499thbtth
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4271,7 +4277,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-7chtf92g54
+          name: antrea-config-7499thbtth
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4587,7 +4593,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-7chtf92g54
+          name: antrea-config-7499thbtth
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea.yml

@@ -3849,8 +3849,8 @@ data:
     # Enable traceflow which provides packet tracing feature to diagnose network issue.
     #  Traceflow: true
 
-    # Enable NodePortLocal feature to make the pods reachable externally through NodePort
-    #  NodePortLocal: false
+    # Enable NodePortLocal feature to make the Pods reachable externally through NodePort
+    #  NodePortLocal: true
 
     # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
     # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
@@ -3982,10 +3982,16 @@ data:
     # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
     #idleFlowExportTimeout: "15s"
 
-    # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned
-    # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports),
-    # and all Node traffic directed to that port will be forwarded to the Pod.
-    #nplPortRange: 61000-62000
+    nodePortLocal:
+    # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
+    # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature
+    # gate is also enabled (which is the default).
+    #  enable: false
+    # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port
+    # from that range will be assigned whenever a Pod's container defines a specific port to be exposed
+    # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic
+    # directed to that port will be forwarded to the Pod.
+    #  portRange: 61000-62000
 
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
@@ -4140,7 +4146,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-5985d9c7h2
+  name: antrea-config-7ddkdg8fcf
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4211,7 +4217,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-5985d9c7h2
+          value: antrea-config-7ddkdg8fcf
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4262,7 +4268,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-5985d9c7h2
+          name: antrea-config-7ddkdg8fcf
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4543,7 +4549,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-5985d9c7h2
+          name: antrea-config-7ddkdg8fcf
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/base/conf/antrea-agent.conf

@@ -13,8 +13,8 @@ featureGates:
 # Enable traceflow which provides packet tracing feature to diagnose network issue.
 #  Traceflow: true
 
-# Enable NodePortLocal feature to make the pods reachable externally through NodePort
-#  NodePortLocal: false
+# Enable NodePortLocal feature to make the Pods reachable externally through NodePort
+#  NodePortLocal: true
 
 # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
 # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
@@ -146,10 +146,16 @@ egress:
 # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
 #idleFlowExportTimeout: "15s"
 
-# Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned
-# whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports),
-# and all Node traffic directed to that port will be forwarded to the Pod.
-#nplPortRange: 61000-62000
+nodePortLocal:
+# Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
+# enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature
+# gate is also enabled (which is the default).
+#  enable: false
+# Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port
+# from that range will be assigned whenever a Pod's container defines a specific port to be exposed
+# (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic
+# directed to that port will be forwarded to the Pod.
+#  portRange: 61000-62000
 
 # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
 # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.

cmd/antrea-agent/agent.go

@@ -122,7 +122,7 @@ func run(o *Options) error {
 	_, encapMode := config.GetTrafficEncapModeFromStr(o.config.TrafficEncapMode)
 	_, encryptionMode := config.GetTrafficEncryptionModeFromStr(o.config.TrafficEncryptionMode)
 	if o.config.EnableIPSecTunnel {
-		klog.Warning("enableIPSecTunnel is deprecated, use trafficEncryptionMode instead.")
+		klog.InfoS("enableIPSecTunnel is deprecated, use trafficEncryptionMode instead.")
 		encryptionMode = config.TrafficEncryptionModeIPSec
 	}
 	networkConfig := &config.NetworkConfig{
@@ -347,11 +347,12 @@ func run(o *Options) error {
 	}
 
 	// Start the NPL agent.
-	if features.DefaultFeatureGate.Enabled(features.NodePortLocal) {
+	if features.DefaultFeatureGate.Enabled(features.NodePortLocal) && o.config.NodePortLocal.Enable {
 		nplController, err := npl.InitializeNPLAgent(
 			k8sClient,
 			informerFactory,
-			o.config.NPLPortRange,
+			o.nplStartPort,
+			o.nplEndPort,
 			nodeConfig.Name)
 		if err != nil {
 			return fmt.Errorf("failed to start NPL agent: %v", err)