Add NodePort support for Antrea Proxy on Linux

[weiqiangt]

Note: To verify this PR, the NodePort support is enabled. The feature gate should be disabled before merging this PR.
Resolves #1463.
Signed-off-by: Weiqiang Tang [email protected]

[antrea-bot]

Thanks for your PR.
Unit tests and code linters are run automatically every time the PR is updated.
E2e, conformance and network policy tests can only be triggered by a member of the vmware-tanzu organization. Regular contributors to the project should join the org.

The following commands are available:

• /test-e2e: to trigger e2e tests.
• /skip-e2e: to skip e2e tests.
• /test-conformance: to trigger conformance tests.
• /skip-conformance: to skip conformance tests.
• /test-whole-conformance: to trigger all conformance tests on linux.
• /skip-whole-conformance: to skip all conformance tests on linux.
• /test-networkpolicy: to trigger networkpolicy tests.
• /skip-networkpolicy: to skip networkpolicy tests.
• /test-windows-conformance: to trigger windows conformance tests.
• /skip-windows-conformance: to skip windows conformance tests.
• /test-windows-networkpolicy: to trigger windows networkpolicy tests.
• /skip-windows-networkpolicy: to skip windows networkpolicy tests.
• /test-hw-offload: to trigger ovs hardware offload test.
• /skip-hw-offload: to skip ovs hardware offload test.
• /test-all: to trigger all tests (except whole conformance).
• /skip-all: to skip all tests (except whole conformance).

[codecov-io]

Codecov Report

❗ No coverage uploaded for pull request base (main@1f7775e). Click here to learn what that means.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #1471   +/-   ##
=======================================
  Coverage        ?   41.09%           
=======================================
  Files           ?      116           
  Lines           ?    14717           
  Branches        ?        0           
=======================================
  Hits            ?     6048           
  Misses          ?     8148           
  Partials        ?      521           

Flag	Coverage Δ
unit-tests	41.09% <0.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

[weiqiangt]

/test-all

[tnqn]

I haven't finished review. But I did some test based on the patch and found an issue:
When scaling down backend pods, the members in openflow group doesn't change, leading to connectivity issue.

[tnqn]

Have you tried policy route approach? I did an experiment and it worked as we discussed.
If NAT is not likely to be the final solution, better not to add this argument in case compatbility issue in future. We can just use a reserved IP in alpha phase I think.

[jianjuns]

Why we care it must be link-local?

[weiqiangt]

@tnqn, I tried the policy route way.
If the destination is a loopback address we still need to do a DNAT. Considering this is an ALPHA feature for now, we can discuss it more in the future.

[weiqiangt]

@jianjuns, do you think we should use any forwardable address here?

[jianjuns]

I want to understand the current design first. Why IPv4 must be loopback, and IPv6 must not be?

[jianjuns]

Got more understanding after reading the design proposal. I think no need to restrict the IP must be link-local. We can recommend link-local though.

[weiqiangt]

Thanks @jianjuns, updated.

[tnqn]

I mean there are possibilities we don't need to do DNAT in future like the two approaches we have discussed. Even if we still need it for loopback address ( maybe we don't need it for this case as well), I think hardcoding a reserved IP is enough at this stage.
I just want to avoid introducing implementation specific configurations when it's not stable so we don't have the complexity of upgrade (If user set it and we delete it in future, the process will crash).
And it doesn't seem that user can get what the configuration means and how to use it with the current comments.

[weiqiangt]

@tnqn, thanks for the explanation. I removed these two options and made them constant for now.

[jianjuns]

Do you have a design doc for the reviewers to understand the design?

[jianjuns]

Why we care it must be link-local?

[jianjuns]

I feel we should have a separate feature gate to control NodePort by AntreaProxy or not.

[weiqiangt]

Yes, I added a new feature gate AntreaProxyNodePort to control it. Also, I updated the workflow here. The parsing of NodeAddress will go only if both AntreaProxyNodePort and AntreaProxy are enabled.

[weiqiangt]

Do you have a design doc for the reviewers to understand the design?

I attached the issue which includes the design.

[weiqiangt]

I haven't finished review. But I did some test based on the patch and found an issue:
When scaling down backend pods, the members in openflow group doesn't change, leading to connectivity issue.

Thanks @tnqn. I have fixed this issue and added checks in e2e.

[weiqiangt]

/test-all

[weiqiangt]

/test-all

[weiqiangt]

Windows conformance failed due to infrastructure failure, re-trigger it.
/test-windows-conformance

[weiqiangt]

/test-all

[weiqiangt]

/jenkins-ipv6-ds-conformance
/jenkins-ipv6-only-conformance

[jianjuns]

I do not mean to ask for a design change for this PR, but have we considered using TC to redirect traffic (https://man7.org/linux/man-pages/man8/tc-mirred.8.html)? Could it be faster or slower than iptables? @tnqn

[weiqiangt]

/test-all

Jenkins tests failed on some unrelated cases, re-trigger tests to have a double-check.

[k8s.io] InitContainer [NodeConformance] should not start app containers and fail the pod if init containers fail on a RestartNever pod [Conformance]
[k8s.io] InitContainer [NodeConformance] should invoke init containers on a RestartAlways pod [Conformance]
[k8s.io] Security Context When creating a pod with readOnlyRootFilesystem should run the container with writable rootfs when readOnlyRootFilesystem=false [NodeConformance] [Conformance]
[k8s.io] Probing container should be restarted with a exec "cat /tmp/health" liveness probe [NodeConformance] [Conformance]
[k8s.io] Kubelet when scheduling a busybox Pod with hostAliases should write entries to /etc/hosts [LinuxOnly] [NodeConformance] [Conformance]

[weiqiangt]

/test-ipv6-ds-conformance
/test-ipv6-only-conformance

[weiqiangt]

/test-windows-conformance

[jianjuns]

I would suggest not to enable it by default. Even we enable it, it does not provide any value, until we have a solution to remove kube-proxy.
@tnqn @antoninbas

[antoninbas]

Agreed

[tnqn]

This is the plan. I think Weiqiang only enables it for testing. See PR description "To verify this PR, the NodePort support is enabled. The feature gate should be disabled before merging this PR."

[weiqiangt]

Yes, it is enabled only for testing. I will disable it when we're ready to merge.

[jianjuns]

Probably better to move these to setDefaults()? I am fine to keep these two options hardcoded for now, but maybe later we should still make them configurable.

[jianjuns]

Do you remove "s" from "iptables" to IPTable" on purpose? I feel it should be "IPTablesRules".

[jianjuns]

Should we add the flows only when NodePort is enabled?

[jianjuns]

When Node IP is v6, no need to add this flow.

[jianjuns]

I did not see this func is called, but might be my mistake?

[jianjuns]

What you think adding a separate interface for AddNodePortRoute, AddNodePort, and DeleteNodePort, which can have different implementations in Linux (by Route Client) and Windows (by Openflow)? Or maybe on Windows they are not needed at all, as the existing Openflow Client interfaces can already cover these functions?