NodePort, LoadBalancer and ClusterIP from k8s Node support for AntreaProxy on Linux (implemented by Linux TC)

[hongliangl]

This PR implements:

• The connection request of NodePort whose client is from remote or
  localhost.
• The connection request of LoadBalancer whose client is from remote
  or localhost.
• The connection request of ClusterIP whose client is from localhost.

For NodePort support, on each interface whose IP addresses can be
NodePort IP addresses, Linux TC is used to redirect the request packets
to Antrea gateway. For response packets, on interface Antrea gateway,
Linux TC is used to redirect the packets back to the interface where
the requests packets are from.

For LoadBalancer support, when client is from remote hosts, on default
route output interface, Linux TC is used to redirect the request
packets to Antrea gateway. For response packets, on interface Antrea
gateway,Linux TC is used to redirect the packets back to the default
route output interface. When client is from localhost, the request
packets are routed to Antrea gateway.

For ClusterIP support, the request packets are routed to Antrea gateway.

To support the Service traffic of above cases, there are main changes of
OVS pipeline.

• Add table serviceConntrackCommitTable 106 to perform SNAT for
  Service traffic.
• Modify table hairpinSNATTable ID from 106 to 108.
• Modify table serviceHairpinTable ID from 29 to 23.
• Add table serviceConntrackTable 24 to transform SNATed connnections.
• Add table serviceClassifierTable 35 to classify the Service traffic.
• Add table serviceDstMacRewriteTable 75 to rewrite destination MAC
  address of response Service packets.

The below cases are supported on:

• IPv4, encap
• IPv6, encap
• IPv4, noEncap

No.	Service	Client	ExternalTrafficPolicy	Endpoint Network	SNAT	AntreaProxy Support	KubeProxy Support
1	NodePort	Remote	Cluster	Pod CIDR	Yes	✔️	✔️
2	NodePort	Remote	Local	Pod CIDR	No	✔️	✔️
3	NodePort	Remote	Cluster	Host	Yes	✔️	✔️
4	NodePort	Remote	Local	Host	No	✔️	✔️
5	NodePort	Localhost	Cluster	Pod CIDR	Yes	✔️	✔️
6	NodePort	Localhost	Local	Pod CIDR	Yes	✔️	✔️
7	NodePort	Localhost	Cluster	Host	Yes	✔️	✔️
8	NodePort	Localhost	Local	Host	Yes	✔️	✔️
9	NodePort	Localhost(127.0.0.1,::1)	Cluster	Pod CIDR	Yes	✔️	✔️
10	NodePort	Localhost(127.0.0.1,::1)	Local	Pod CIDR	Yes	✔️	✔️
11	NodePort	Localhost(127.0.0.1,::1)	Cluster	Host	Yes	✔️	✔️
12	NodePort	Localhost(127.0.0.1,::1)	Local	Host	Yes	✔️	✔️
13	NodePort	Pod (local node)	Cluster	Pod CIDR	Yes	✔️	✔️
14	NodePort	Pod (local node)	Local	Pod CIDR	No	✔️	✔️
15	NodePort	Pod (local node)	Cluster	Host	Yes	✔️	✔️
16	NodePort	Pod (local node)	Local	Host	No	✔️	✔️
17	NodePort	Pod (remote node)	Cluster	Pod CIDR	Yes	✔️	✔️
18	NodePort	Pod (remote node)	Local	Pod CIDR	No	✔️	✔️
19	NodePort	Pod (remote node)	Cluster	Host	Yes	✔️	✔️
20	NodePort	Pod (remote node)	Local	Host	No	✔️	✔️
21	LoadBalancer	Remote	Cluster	Pod CIDR	Yes	✔️	✔️
22	LoadBalancer	Remote	Local	Pod CIDR	No	✔️	✔️
23	LoadBalancer	Remote	Cluster	Host	Yes	✔️	✔️
24	LoadBalancer	Remote	Local	Host	No	✔️	✔️
25	LoadBalancer	Localhost	Cluster	Pod CIDR	Yes	✔️	✔️
26	LoadBalancer	Localhost	Local	Pod CIDR	Yes	✔️	✔️
27	LoadBalancer	Localhost	Cluster	Host	Yes	✔️	✔️
28	LoadBalancer	Localhost	Local	Host	Yes	✔️	✔️
29	LoadBalancer	Pod (local node)	Cluster	Pod CIDR	Yes	✔️	✔️
30	LoadBalancer	Pod (local node)	Local	Pod CIDR	No	✔️	✔️
31	LoadBalancer	Pod (local node)	Cluster	Host	Yes	✔️	✔️
32	LoadBalancer	Pod (local node)	Local	Host	No	✔️	✔️
33	LoadBalancer	Pod (remote node)	Cluster	Pod CIDR	Yes	✔️	✔️
34	LoadBalancer	Pod (remote node)	Local	Pod CIDR	No	✔️	✔️
35	LoadBalancer	Pod (remote node)	Cluster	Host	Yes	✔️	✔️
36	LoadBalancer	Pod (remote node)	Local	Host	No	✔️	✔️
37	ClusterIP	Localhost	\	Pod CIDR	No	✔️	✔️
38	ClusterIP	Localhost(hairpin)	\	Host	Yes	✔️	✔️
39	ClusterIP	Pod	\	Pod CIDR	No	✔️	✔️
40	ClusterIP	Pod(hairpin)	\	Pod CIDR	Yes	✔️	✔️
41	ClusterIP	Pod	\	Host	No	✔️	✔️

Signed-off-by: Hongliang Liu [email protected]

[codecov-commenter]

Codecov Report

Merging #2239 (267b6fb) into main (95a167a) will decrease coverage by 1.76%.
The diff coverage is 14.35%.

@@            Coverage Diff             @@
##             main    #2239      +/-   ##
==========================================
- Coverage   59.67%   57.91%   -1.77%     
==========================================
  Files         281      284       +3     
  Lines       22207    23407    +1200     
==========================================
+ Hits        13253    13555     +302     
- Misses       7546     8398     +852     
- Partials     1408     1454      +46     

Flag	Coverage Δ
kind-e2e-tests	45.20% <12.57%> (-1.47%)	⬇️
unit-tests	41.21% <5.83%> (-1.05%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/agent/agent.go	50.53% <ø> (+0.31%)	⬆️
pkg/agent/config/node_config.go	100.00% <ø> (ø)
pkg/agent/util/net.go	19.80% <0.00%> (-20.20%)	⬇️
pkg/ovs/openflow/ofctrl_action.go	40.61% <0.00%> (-9.81%)	⬇️
pkg/agent/util/tc/tc_linux.go	2.99% <2.99%> (ø)
pkg/agent/route/route_linux.go	26.32% <3.12%> (-18.10%)	⬇️
pkg/agent/proxy/types/conjcounter.go	6.45% <6.45%> (ø)
pkg/agent/util/tc/types/handlegenerator.go	17.24% <17.24%> (ø)
pkg/agent/openflow/client.go	55.77% <24.39%> (-2.82%)	⬇️
pkg/agent/openflow/pipeline.go	63.38% <26.22%> (-8.30%)	⬇️
... and 52 more

[jianjuns]

Do you have an updated design doc to learn the new design with TC?

[tnqn]

still reviewing..

[jianjuns]

How about: All types of Service traffic will be handled by AntreaProxy?

Maybe list what more are supported compared to disabled.

[wenyingd]

Is it possible to move it under pkg/agent/util ?

[hongliangl]

Yes. @antoninbas suggested the func could be here, so I moved it here.

[wenyingd]

I want to confirm if this switch is hit only in NodePort Service, and the source and destination are the same Node address? If yes, please add comments, otherwise svcIP as source might cause misunderstanding.

[hongliangl]

Thanks for remind, I almost forgot this.

[wenyingd]

I think the 3 flows in this function has the same learn action, is it possible to use a generic function for the learn action. Then it should be easier to change if needed in future.

[hongliangl]

Done.

[wenyingd]

Do you mean Antrea will re-calculate the route target IP block when new ClusterIP added? How shall I understand "when there are enough ClusterIPs"?

[hongliangl]

Maybe this explanation can be better:

// Install ClusterIP route on Node so that ClusterIP can be accessed on Node. Every time a new ClusterIP
// is created, the routing target IP block will be recalculated for expansion to be able to route the new
// created ClusterIP. Deleting a ClusterIP will not shrink the target routing IP block. The Service CIDR
// can be finally calculated after creating enough ClusterIPs.

[wenyingd]

If the implementations for LoadBalancerService are the same on Linux and Windows, maybe move the function to proxier.go?

[hongliangl]

I think it is ok, Windows has one more function, Linux will just hit a ni function.

[wenyingd]

Do you mean IPv4 link local address is included?

[hongliangl]

IPv6 link local is special, its prefix is fe80::/64. It can be only routed. I think it should be as NodePort IP. For IPv4 link local, you mean 169.254.x.x?

[hongliangl]

/test-all

[tnqn]

why don't we need to SNAT hairpin traffic for host network pod? Is it becasue there is another SNAT flow that will do this? If so, can we unify the flows?

[hongliangl]

This flow will never be hit. Another flow is used to do SNAT for hairpin Service traffic from gateway with a different ct_zone. Existing hairpin SNAT for Service from pod is stateless(just modify source IP without ct commit), I think we don't need unify these two flows.

[tnqn]

I don't get why this is specific to the case when sessionAffinity is set. Even if it's not set, isn't the problem there?

[hongliangl]

Due to the previous design, I forget to remove this.

[tnqn]

Although this can work, it makes the implementation a bit complicated with policy routing involved, so I'm thinking whether this is necessary, want to discuss it here:

1. Even it's always expected to preserve client IP for ClusterIP traffic, we still have to SNAT the traffic when it's hairpin case, as well as kube-proxy.
2. Is it a real case that a Service is NodePort type and its Endpoints are host network Pod? If a Pod is host network, a Node cannot hold more than one Pod for this Service so the Pods are unlikely managed by a regular controller like Deployment, ReplicationController, the most common case is DaemonSet Pod running some system service like antrea-agent. If the Pods are running in the host network, there is no point to expose them as a NodePort service which just introduces another hop and occupies another port. For example, the Kubernetes service's own Endpoints are the kube-apiserver Pods but the Service's itself is ClusterIP type and typically a loadbalancer will use the Node IP + kube-apiserver port as the backends directly, not via a NodePort.

Given the above reasons, I feel at least for the first version, we could just SNAT the traffic to be simpler. Then multiple cases can be unified as external Endpoints, and we can have single SNAT flow for all of them. Since this is in very early stage, we can still use this policy routing approach when users have real need of preserving client IP for NodePort services with host network Pods as backends. What do you think? @jianjuns @antoninbas @hongliangl @wenyingd

[jianjuns]

I thought the solution is to use TC to match the pkt mark and redirect traffic - so TC does not work? I would agree policy routing sounds complicated.

I agree your 2) is a valid point. Are we able to check? If it does complicate the implementation, I would second to start with SNAT.

[hongliangl]

I thought the solution is to use TC to match the pkt mark and redirect traffic - so TC does not work? I would agree policy routing sounds complicated.

The implementation of this case has there steps:
Step 1 Mark the first request packet of the connection with pkt mark within OVS pipeline.
Step 2 Mark the first request packet of the connection with ct mark by matching above pkt mark in iptables mangle table.
Step 3 Mark the response packets of the connection with fw mark by matching above ct mark.
Step 4 Packets with above fw mark will be routed to Antrea gateway.

If using TC,
Step 1 is still step 1.
Step 2 cannot be implemented by TC, I didn't found any doc about how to match a pkt mark and make a ct mark.
Step 3 can be implemented by TC. https://man7.org/linux/man-pages/man8/tc-connmark.8.html
Step 4 can be also implemented by TC. https://man7.org/linux/man-pages/man8/tc-fw.8.html

I don't think the implementation with TC is more simple that that with policy routing. In addition, we may need to add more conditions to match the related packets. This design also adds more overhead. For step 4, TC rule will be installed at default interface's egress(after routing decision), then matched packets will be redirected to Antrea gateway. If using policy routing, before routing decision, the output interface is decided.

[jianjuns]

I just want not many ways (e.g. TC for request and policy routing for response) to redirect/route the traffic which will be hard to understand/troubleshoot/maintain. I am kindof leaning towards what Quan suggested to do SNAT first.

[hongliangl]

OK, if we just do SNAT, should we add some comments about the case?

[jianjuns]

Yes, definitely we should comment the behavior, and briefly describe why we choose to do SNAT.

[tnqn]

I think service only determines whether SNAT is required and which IP to SNAT is related to endpoint only, so the comment should be placed to endpoint flow.
Here it could just say NodePort/LoadBalancer traffic should be SNATed.

[tnqn]

structured logging

[tnqn]

Even today, installing all service/endpoints flows takes long time as typically a single flow takes 2ms. I'm a little concerned that the number of the IPs would impact the time and memory. Basically if it originally takes 5s to install all service flows, 10 local IPs will make it 50s, and the memory usage in agent and ovs-vswitchd for service flow will have same impact. Some unusual cases will make this even worse, if we have some external IPs assigned to the Node, or kube-proxy ipvs is enabled at the same time.
Do we have a way to reduce the flows' redundancy?

[hongliangl]

I thought about using a conjunctive flow to reduce the redundancy.

1. Every NodePort IP is clause 1, conj_id is N,
2. NodePort Port is clause 2, conj_id is N, load another register X, the register stores group number.
3. A flow matching conj_id N, and a action of the flow is group: NXM_NX_REGX[].

Unfortunately, above design cannot work. Below explanation is from https://man7.org/linux/man-pages/man7/ovs-actions.7.html

OTHER ACTIONS         top
   The conjunction action
       Syntax:
              conjunction(id, k/n)

       This action allows for sophisticated ``conjunctive match’’ flows.
       Refer to ``Conjunctive Match Fields’’ in ovs-fields(7) for
       details.

       A flow that has one or more conjunction actions may not have any
       other actions except for note actions.

       Conformance:

       Open vSwitch 2.4 introduced the conjunction action and conj_id
       field. They are Open vSwitch extensions to OpenFlow.

@wenyingd , do you have any good ideas?

[hongliangl]

@tnqn I have tried to use conjunction to reduce flow entries, but I failed. The design I tried:

• We need three conjun_id to distinguish NodePort traffic
  • externalTrafficPolicy is Cluster
    • condition 1: nw_dst (all NodePort IPs)
    • condition 2: nodePort port
    • actions: set SNAT reg, generate learn flow.
  • externalTrafficPolicy is Local, client is from remote
    • condition 1: nw_dst (all NodePort IPs)
    • condition 2: nodePort port
    • actions: generate learn flow.
  • externalTrafficPolicy is Local, client is from localhost
    • condition 1: nw_dst, nw_src (all NodePort IPs)
    • condition 2: nodePort port
    • actions: set SNAT reg, generate learn flow.

As we can see, the first two cases have the same condition 1, I have no idea how to do. The flow can be added with different priority, but the lower priority one will never be hit.

For Table 41, I have tried to unify the group action, but it seems that action of group cannot be set by a register.

[jianjuns]

Would you add these comments here or maybe in tunnelClassifierFlow() if that is the place all SNAT flows are added?

[jianjuns]

I thought the solution is to use TC to match the pkt mark and redirect traffic - so TC does not work? I would agree policy routing sounds complicated.

I agree your 2) is a valid point. Are we able to check? If it does complicate the implementation, I would second to start with SNAT.

[jianjuns]

Do not have a good sense a Feature should be always enabled finally. But do you think we can use a Feature Gate to isolate the change, and change it to a config option later?

[hongliangl]

/test-all

[jianjuns]

The name InitService is too generic. If it is for NodePort only, call it InitNodePortRoutes; if it also handles other types, call it InitServiceProxyRoutes.

[hongliangl]

This func will do:

• Remove stale LoadBalancer/ClusterIP route entries
• Add Linux basic filters for NodePort/LoadBalancer
• Add route entry for routing packets whose destination IP is serviceGWHairpinIP to Antrea gateway.

Maybe call it InitServiceProxyConfig?

[jianjuns]

InitServiceProxyConfig sounds good to me.

[jianjuns]

I know existing funcs go this way, but I suggest to change "should add" to "adds". The same for other funcs you added.

[hongliangl]

Thanks for reminding.

[jianjuns]

To be consistent with other funcs, I suggest either add "Routes" to other func names (I know they are TC operations, but that needs not be reflected in the RouteClient interface), or remove "Route" from this func name too.

Probably Route -> Routes, as I assume it might not be a single route entry?

[jianjuns]

Why there is not a func to remove the routes for a ClusterIP Service?

[hongliangl]

To be consistent with other funcs, I suggest either add "Routes" to other func names (I know they are TC operations, but that needs not be reflected in the RouteClient interface), or remove "Route" from this func name too.
Probably Route -> Routes, as I assume it might not be a single route entry?

I don't know if adding the suffix "Routes" to func name will cause misunderstood.

• For funcs AddNodePort/DeleteNodePort, no route entry will be added/deleted, only TC rules.
• For funcs AddLoadBalancer/DeleteLoadBalancer, route entries and TC rules are both added/deleted.
• For func AddClusterIPRoute, only route entry will be added or updated.

I don't know if "Route" is an appropriate suffix for all the above funcs.

Why there is not a func to remove the routes for a ClusterIP Service?

We don't a func to remove the route for a ClusterIP Service. There is alway one route entry for all ClusterIP Services.

• If there is no route entry when a ClusterIP is added, create a route entry for it.
• If current route entry can route the ClusterIP, there is nothing to do.
• If current route cannot route the ClusterIP, replace the current route with a new route entry , and the new route entry 's destination IP block can route the ClusterIP IP.

[jianjuns]

But how if the ClusterIP CIDR is changed and a ClusterIP is no more valid?

[hongliangl]

That's no matter. What we wanted is to calculate the IP block of ClusterIP finally as possible, and this IP block is the destination of the only one routing entry for ClusterIP. Adding a ClusterIP may help enlarge the destination IP block(ClusterIP block) of routing entry.
Delete a ClusterIP is ok, as we want just only one routing entry which is used to route ClusterIP traffic. If we add a ClusterIP, then we create a routing entry for it, and when it is deleted, we delete the routing entry, then there will be lots of routing entries.

[jianjuns]

Ok. Then if we assume CIDR can only be extended we should be ok.

Could you add some comments before the AddClusterRouteIP() implementation in route_linux.go to explain what it does? Actually good to add comments before other RouteClient funcs you added too.

[hongliangl]

Thanks, I'll add some comments.

[jianjuns]

We definitely should not define the constants multiple times. Please define them in a single file, and import from others.

[hongliangl]

How about pkg/agent/config? If in the package, we should add a new file which is only to contain this two variables.

[jianjuns]

pkg/agent/config sounds good to me. Maybe adding to node_config.go is fine too, if we want not to add a new file.

[hongliangl]

I think node_config.go is okay.

[jianjuns]

Question - why we do not put this in InitService(), or why not put InitService() code here? I think the former way is better to avoid passing/checking proxyFull in route and other code.

[hongliangl]

If we put it to InitService, I think we need to write a lot of duplicated code about iptables.

[jianjuns]

Ok, I got the point. Do not have a better idea.

[jianjuns]

Could you add some comments to explain what rules are restored here when AntreaProxyFull is enabled?

[hongliangl]

Got it.

[jianjuns]

I actually feel bad route code needs to understand AntreaProxy logics and things like Service hairpin IP. Ideally we should isolate the logics, to avoid many components need to understand a feature.

Maybe we can say Route Client and OpenflowClient are special and need have feature specific code. But do you have some ideas? Also add @tnqn and @wenyingd to see what they think.

[jianjuns]

Could you add some comments to explain what rules are restored here when AntreaProxyFull is enabled?