[IPv6] Add support for dual-stack when using kube-proxy for Service (#…
…1200)

1. Add a config item for IPv6 Service CIDR if using kube-proxy to
   provide Service functions.
2. Output IPv6 traffic from host gateway if its destination is a
   Service address.
3. Use ct_mark to identify Service traffic and output the reply
   packet to the host gateway to ensure the DNAT processing in iptables.
wenyingd committed Oct 26, 2020
1 parent 6ec263c commit 6097bfd
Showing 20 changed files with 362 additions and 173 deletions.
15 changes: 11 additions & 4 deletions build/yamls/antrea-aks.yml
Expand Up @@ -1033,7 +1033,8 @@ data:
featureGates:
# Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent.
# It should be enabled on Windows, otherwise NetworkPolicy will not take effect on
# Service traffic.
# Service traffic. Antrea proxy doesn't support an IPv6 only cluster or a Dual-Stack cluster
# before PR #1102[https://github.com/vmware-tanzu/antrea/pull/1102] is merged.
AntreaProxy: true
# Enable traceflow which provides packet tracing feature to diagnose network issue.
Expand Down Expand Up @@ -1101,6 +1102,12 @@ data:
# for the GRE tunnel type.
#enableIPSecTunnel: false
# ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
# cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
# --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
# No default value for this field.
#serviceCIDRv6:
# The port for the antrea-agent APIServer to serve on.
# Note that if it's set to another value, the `containerPort` of the `api` port of the
# `antrea-agent` container must be set to the same value.
Expand Down Expand Up @@ -1175,7 +1182,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-8c5mfk22m2
name: antrea-config-6d5c9b48f6
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -1282,7 +1289,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-8c5mfk22m2
name: antrea-config-6d5c9b48f6
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -1531,7 +1538,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-8c5mfk22m2
name: antrea-config-6d5c9b48f6
name: antrea-config
- hostPath:
path: /etc/cni/net.d
15 changes: 11 additions & 4 deletions build/yamls/antrea-eks.yml
Expand Up @@ -1033,7 +1033,8 @@ data:
featureGates:
# Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent.
# It should be enabled on Windows, otherwise NetworkPolicy will not take effect on
# Service traffic.
# Service traffic. Antrea proxy doesn't support an IPv6 only cluster or a Dual-Stack cluster
# before PR #1102[https://github.com/vmware-tanzu/antrea/pull/1102] is merged.
AntreaProxy: true
# Enable traceflow which provides packet tracing feature to diagnose network issue.
Expand Down Expand Up @@ -1101,6 +1102,12 @@ data:
# for the GRE tunnel type.
#enableIPSecTunnel: false
# ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
# cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
# --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
# No default value for this field.
#serviceCIDRv6:
# The port for the antrea-agent APIServer to serve on.
# Note that if it's set to another value, the `containerPort` of the `api` port of the
# `antrea-agent` container must be set to the same value.
Expand Down Expand Up @@ -1175,7 +1182,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-8c5mfk22m2
name: antrea-config-6d5c9b48f6
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -1282,7 +1289,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-8c5mfk22m2
name: antrea-config-6d5c9b48f6
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -1533,7 +1540,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-8c5mfk22m2
name: antrea-config-6d5c9b48f6
name: antrea-config
- hostPath:
path: /etc/cni/net.d
15 changes: 11 additions & 4 deletions build/yamls/antrea-gke.yml
Expand Up @@ -1033,7 +1033,8 @@ data:
featureGates:
# Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent.
# It should be enabled on Windows, otherwise NetworkPolicy will not take effect on
# Service traffic.
# Service traffic. Antrea proxy doesn't support an IPv6 only cluster or a Dual-Stack cluster
# before PR #1102[https://github.com/vmware-tanzu/antrea/pull/1102] is merged.
AntreaProxy: true
# Enable traceflow which provides packet tracing feature to diagnose network issue.
Expand Down Expand Up @@ -1101,6 +1102,12 @@ data:
# for the GRE tunnel type.
#enableIPSecTunnel: false
# ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
# cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
# --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
# No default value for this field.
#serviceCIDRv6:
# The port for the antrea-agent APIServer to serve on.
# Note that if it's set to another value, the `containerPort` of the `api` port of the
# `antrea-agent` container must be set to the same value.
Expand Down Expand Up @@ -1175,7 +1182,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-78kch9fmgd
name: antrea-config-hfk68f7d5t
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -1282,7 +1289,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-78kch9fmgd
name: antrea-config-hfk68f7d5t
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -1531,7 +1538,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-78kch9fmgd
name: antrea-config-hfk68f7d5t
name: antrea-config
- hostPath:
path: /etc/cni/net.d
15 changes: 11 additions & 4 deletions build/yamls/antrea-ipsec.yml
Expand Up @@ -1033,7 +1033,8 @@ data:
featureGates:
# Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent.
# It should be enabled on Windows, otherwise NetworkPolicy will not take effect on
# Service traffic.
# Service traffic. Antrea proxy doesn't support an IPv6 only cluster or a Dual-Stack cluster
# before PR #1102[https://github.com/vmware-tanzu/antrea/pull/1102] is merged.
# AntreaProxy: false
# Enable traceflow which provides packet tracing feature to diagnose network issue.
Expand Down Expand Up @@ -1106,6 +1107,12 @@ data:
# AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
#serviceCIDR: 10.96.0.0/12
# ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
# cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
# --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
# No default value for this field.
#serviceCIDRv6:
# The port for the antrea-agent APIServer to serve on.
# Note that if it's set to another value, the `containerPort` of the `api` port of the
# `antrea-agent` container must be set to the same value.
Expand Down Expand Up @@ -1180,7 +1187,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-96k9447m55
name: antrea-config-986bf6k2mb
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -1296,7 +1303,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-96k9447m55
name: antrea-config-986bf6k2mb
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -1580,7 +1587,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-96k9447m55
name: antrea-config-986bf6k2mb
name: antrea-config
- hostPath:
path: /etc/cni/net.d
15 changes: 11 additions & 4 deletions build/yamls/antrea.yml
Expand Up @@ -1033,7 +1033,8 @@ data:
featureGates:
# Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent.
# It should be enabled on Windows, otherwise NetworkPolicy will not take effect on
# Service traffic.
# Service traffic. Antrea proxy doesn't support an IPv6 only cluster or a Dual-Stack cluster
# before PR #1102[https://github.com/vmware-tanzu/antrea/pull/1102] is merged.
# AntreaProxy: false
# Enable traceflow which provides packet tracing feature to diagnose network issue.
Expand Down Expand Up @@ -1106,6 +1107,12 @@ data:
# AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
#serviceCIDR: 10.96.0.0/12
# ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
# cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
# --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
# No default value for this field.
#serviceCIDRv6:
# The port for the antrea-agent APIServer to serve on.
# Note that if it's set to another value, the `containerPort` of the `api` port of the
# `antrea-agent` container must be set to the same value.
Expand Down Expand Up @@ -1180,7 +1187,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-75558f6fff
name: antrea-config-t8m5b49mf8
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -1287,7 +1294,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-75558f6fff
name: antrea-config-t8m5b49mf8
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -1536,7 +1543,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-75558f6fff
name: antrea-config-t8m5b49mf8
name: antrea-config
- hostPath:
path: /etc/cni/net.d
9 changes: 8 additions & 1 deletion build/yamls/base/conf/antrea-agent.conf
Expand Up @@ -2,7 +2,8 @@
featureGates:
# Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent.
# It should be enabled on Windows, otherwise NetworkPolicy will not take effect on
# Service traffic.
# Service traffic. Antrea proxy doesn't support an IPv6 only cluster or a Dual-Stack cluster
# before PR #1102[https://github.com/vmware-tanzu/antrea/pull/1102] is merged.
# AntreaProxy: false

# Enable traceflow which provides packet tracing feature to diagnose network issue.
Expand Down Expand Up @@ -75,6 +76,12 @@ featureGates:
# AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
#serviceCIDR: 10.96.0.0/12

# ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
# cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
# --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
# No default value for this field.
#serviceCIDRv6:

# The port for the antrea-agent APIServer to serve on.
# Note that if it's set to another value, the `containerPort` of the `api` port of the
# `antrea-agent` container must be set to the same value.
7 changes: 7 additions & 0 deletions cmd/antrea-agent/agent.go
Expand Up @@ -101,6 +101,12 @@ func run(o *Options) error {
}

_, serviceCIDRNet, _ := net.ParseCIDR(o.config.ServiceCIDR)
var serviceCIDRNetv6 *net.IPNet
// Todo: use FeatureGate to check if IPv6 is enabled and then read configuration item "ServiceCIDRv6".
if o.config.ServiceCIDRv6 != "" {
_, serviceCIDRNetv6, _ = net.ParseCIDR(o.config.ServiceCIDRv6)
}

_, encapMode := config.GetTrafficEncapModeFromStr(o.config.TrafficEncapMode)
networkConfig := &config.NetworkConfig{
TunnelType: ovsconfig.TunnelType(o.config.TunnelType),
Expand All @@ -126,6 +132,7 @@ func run(o *Options) error {
o.config.HostGateway,
o.config.DefaultMTU,
serviceCIDRNet,
serviceCIDRNetv6,
networkConfig,
features.DefaultFeatureGate.Enabled(features.AntreaProxy))
err = agentInitializer.Initialize()
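Review bot: The new `_, serviceCIDRNetv6, _ = net.ParseCIDR(o.config.ServiceCIDRv6)` discards the parse error, and nothing at this point records why that is safe; it mirrors the existing ServiceCIDR line, and the same string is parsed in Options.validate in cmd/antrea-agent/options.go within this commit, so a parse failure cannot reach here as long as validate keeps running first. Make that dependency explicit, e.g. `// ServiceCIDRv6 is already parsed in Options.validate, so the error is ignored here.`, and spell the marker as `// TODO:` rather than `// Todo:` so the deferred feature-gate check is picked up by tooling. The enclosing run(o *Options) starts and ends outside this hunk.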
5 changes: 5 additions & 0 deletions cmd/antrea-agent/config.go
Expand Up @@ -84,6 +84,11 @@ type AgentConfig struct {
// AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
// Default is 10.96.0.0/12
ServiceCIDR string `yaml:"serviceCIDR,omitempty"`
// ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
// cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
// --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
// No default value for this field.
ServiceCIDRv6 string `yaml:"serviceCIDRv6,omitempty"`
// Whether or not to enable IPSec (ESP) encryption for Pod traffic across Nodes. IPSec encryption
// is supported only for the GRE tunnel type. Antrea uses Preshared Key (PSK) for IKE
// authentication. When IPSec tunnel is enabled, the PSK value must be passed to Antrea Agent
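Review bot: The doc comment on the new ServiceCIDRv6 field is weaker than the one on the neighbouring ServiceCIDR field: the sibling says the value is "not needed and will be ignored if provided" when AntreaProxy is enabled, while the new one stops at "not needed", which leaves an operator unsure whether a stray value is rejected. Align the wording, `// --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.`, and the same sentence should be mirrored in build/yamls/base/conf/antrea-agent.conf and the generated build/yamls manifests in this commit. The comment also calls the field "required" for IPv6 clusters, but nothing in this diff enforces that (the check is deferred by the Todo in cmd/antrea-agent/agent.go), so "required" reads as a promise the code does not yet keep. The enclosing AgentConfig struct starts outside the hunk.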
8 changes: 7 additions & 1 deletion cmd/antrea-agent/options.go
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,13 @@ func (o *Options) validate(args []string) error {
// Validate service CIDR configuration
_, _, err := net.ParseCIDR(o.config.ServiceCIDR)
if err != nil {
return fmt.Errorf("service CIDR %s is invalid", o.config.ServiceCIDR)
return fmt.Errorf("Service CIDR %s is invalid", o.config.ServiceCIDR)
}
if o.config.ServiceCIDRv6 != "" {
_, _, err := net.ParseCIDR(o.config.ServiceCIDRv6)
if err != nil {
return fmt.Errorf("Service CIDR v6 %s is invalid", o.config.ServiceCIDRv6)
}
}
if o.config.TunnelType != ovsconfig.VXLANTunnel && o.config.TunnelType != ovsconfig.GeneveTunnel &&
o.config.TunnelType != ovsconfig.GRETunnel && o.config.TunnelType != ovsconfig.STTTunnel {
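Review bot: The new ServiceCIDRv6 check only confirms the string parses as a CIDR; an IPv4 range such as the one used for serviceCIDR would be accepted under the v6 key and then handed to the IPv6 flow installation downstream. Keep the parsed IP and reject the wrong family: `ip, _, err := net.ParseCIDR(o.config.ServiceCIDRv6)` followed by `if err != nil || ip.To4() != nil {`. Separately, the commit capitalises both messages to "Service CIDR ..."; Go error strings are conventionally lowercase since they get wrapped into longer messages, so `"service CIDR v6 %s is invalid"` (and the unchanged form of the IPv4 line) is the idiomatic spelling. The enclosing validate method starts and ends outside this hunk.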
7 changes: 5 additions & 2 deletions pkg/agent/agent.go
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,7 @@ type Initializer struct {
hostGateway string // name of gateway port on the OVS bridge
mtu int
serviceCIDR *net.IPNet // K8s Service ClusterIP CIDR
serviceCIDRv6 *net.IPNet // K8s Service ClusterIP CIDR in IPv6
networkConfig *config.NetworkConfig
nodeConfig *config.NodeConfig
enableProxy bool
Expand All @@ -79,6 +80,7 @@ func NewInitializer(
hostGateway string,
mtu int,
serviceCIDR *net.IPNet,
serviceCIDRv6 *net.IPNet,
networkConfig *config.NetworkConfig,
enableProxy bool) *Initializer {
return &Initializer{
Expand All @@ -91,6 +93,7 @@ func NewInitializer(
hostGateway: hostGateway,
mtu: mtu,
serviceCIDR: serviceCIDR,
serviceCIDRv6: serviceCIDRv6,
networkConfig: networkConfig,
enableProxy: enableProxy,
}
Expand Down Expand Up @@ -314,8 +317,8 @@ func (i *Initializer) initOpenFlowPipeline() error {
// from local Pods to any Service address can be forwarded to the host gateway interface
// correctly. Otherwise packets might be dropped by egress rules before they are DNATed to
// backend Pods.
if err := i.ofClient.InstallClusterServiceCIDRFlows(i.serviceCIDR, gatewayOFPort); err != nil {
klog.Errorf("Failed to setup openflow entries for Cluster Service CIDR %s: %v", i.serviceCIDR, err)
if err := i.ofClient.InstallClusterServiceCIDRFlows([]*net.IPNet{i.serviceCIDR, i.serviceCIDRv6}, gatewayOFPort); err != nil {
klog.Errorf("Failed to setup OpenFlow entries for Service CIDRs: %v", err)
return err
}
} else {
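Review bot: In the initOpenFlowPipeline hunk, `[]*net.IPNet{i.serviceCIDR, i.serviceCIDRv6}` always contains two entries, but serviceCIDRv6 stays nil whenever serviceCIDRv6 is not configured (cmd/antrea-agent/agent.go only parses it when the string is non-empty), so a nil *net.IPNet is passed to InstallClusterServiceCIDRFlows on every IPv4-only cluster. Unless that function skips nil entries — its body is not in this diff — this dereferences nil in the default configuration. Build the slice only from the CIDRs that are set, and consider keeping the CIDR values in the error log, which the rewritten message dropped. The enclosing method starts and ends outside the hunk.
```go
	serviceCIDRs := []*net.IPNet{i.serviceCIDR}
	if i.serviceCIDRv6 != nil {
		serviceCIDRs = append(serviceCIDRs, i.serviceCIDRv6)
	}
	if err := i.ofClient.InstallClusterServiceCIDRFlows(serviceCIDRs, gatewayOFPort); err != nil {
		klog.Errorf("Failed to setup OpenFlow entries for Service CIDRs %v: %v", serviceCIDRs, err)
		return err
	}
	// … unchanged: else branch …
```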
