Reduce permission of antrea-agent service account

[xliuxu]

Remove the update permission for services/status of antrea-agent
service account. Remove the optimization for ExternalTrafficPolicy
setting to Local cases in ServiceExternalIP feature accordingly.

Signed-off-by: Xu Liu [email protected]

[tnqn]

LGTM

[xliuxu]

@tnqn The e2e test failed because with this change the testing code cannot determine which Node owns the external IP. Most of the test cases will need to check the assigned Node by the hostname field in the status of a Service. I cannot find an easy way to figure out which Node owns the IP as they are not physically assigned. Do you think it is OK to remove all related test cases until we have a new API for assigned Node checking?

[antoninbas]

@tnqn The e2e test failed because with this change the testing code cannot determine which Node owns the external IP. Most of the test cases will need to check the assigned Node by the hostname field in the status of a Service. I cannot find an easy way to figure out which Node owns the IP as they are not physically assigned. Do you think it is OK to remove all related test cases until we have a new API for assigned Node checking?

@xliuxu we don't assign the IP to the transport interface?

[xliuxu]

@antoninbas No. For LB IP of Services, we do not assign IP to any interfaces on the Node. Otherwise, it will conflict with the implementation of proxyAll feature. We use userspace ARP/NDP responders to handle ARP/NDP queries instead.

[tnqn]

@xliuxu we need a way to check which Node owns the IP for troubleshooting anyway. Could we add a antctl get serviceexternalip command to agent mode to dump something like the following? Ideally, every Node should have consistent result eventually. If the result is not consistent, we could use this command/API for troubleshooting too.

NAMESPACE  NAME        EXTERNAL-IP   NODE
default    service-1   1.1.1.1       worker-1
default    service-2   1.1.1.2       worker-2

[xliuxu]

@tnqn Thanks for the suggestion. I have added a new command antctl get serviceexternalip for checking the status of the assigned Node and adjusted the e2e codes.

[codecov-commenter]

Codecov Report

Merging #3691 (fea1ef5) into main (2065919) will decrease coverage by 6.68%.
The diff coverage is 82.19%.

@@            Coverage Diff             @@
##             main    #3691      +/-   ##
==========================================
- Coverage   64.60%   57.91%   -6.69%     
==========================================
  Files         278      393     +115     
  Lines       39640    56425   +16785     
==========================================
+ Hits        25608    32678    +7070     
- Misses      12043    21257    +9214     
- Partials     1989     2490     +501     

Flag	Coverage Δ
e2e-tests	46.09% <80.82%> (?)
integration-tests	38.34% <ø> (?)
kind-e2e-tests	53.30% <80.82%> (+0.27%)	⬆️
unit-tests	43.79% <88.09%> (+0.05%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/antctl/antctl.go	50.00% <ø> (ø)
pkg/querier/querier.go	55.00% <ø> (ø)
...nt/apiserver/handlers/serviceexternalip/handler.go	51.85% <51.85%> (ø)
pkg/agent/apiserver/apiserver.go	66.66% <100.00%> (+0.36%)	⬆️
...g/agent/controller/serviceexternalip/controller.go	81.56% <100.00%> (+0.19%)	⬆️
pkg/agent/multicast/mcast_controller.go	45.98% <0.00%> (-21.47%)	⬇️
pkg/controller/networkpolicy/tier.go	50.00% <0.00%> (-5.00%)	⬇️
pkg/controller/serviceexternalip/controller.go	68.67% <0.00%> (-4.82%)	⬇️
...ntroller/networkpolicy/networkpolicy_controller.go	70.17% <0.00%> (-0.88%)	⬇️
pkg/agent/openflow/framework.go	86.27% <0.00%> (-0.73%)	⬇️
... and 138 more

[tnqn]

LGTM overall

[tnqn]

LGTM

[tnqn]

/test-all

[tnqn]

@antoninbas will you take another look?

[antoninbas]

some small comments and questions, but overall LGTM

[antoninbas]

you may want to add the /serviceexternalip URL to the antctl RBAC ClusterRole, just for consistency (and in case someone is using the antctl ServiceAccount token to access antrea APIs directly)

[xliuxu]

added.

[antoninbas]

nit: I think something like this is more elegant:

info := make([]querier.ServiceExternalIPInfo, 0, len(c.externalIPStates))
for k, v := range c.externalIPStates {
    info = append(info, querier.ServiceExternalIPInfo{
        ServiceName: k.Name,
        // ...
    })

[xliuxu]

thanks. updated.

[antoninbas]

is there a reason for making this is a pointer? Based on usage in GetServiceExternalIPStatus, it doesn't seem necessary.

[xliuxu]

It is just for the defer statement to save the externalIPState. I have reverted this change since it is not necessary and can also be achieved by changing the signature of func saveServiceState.

[tnqn]

LGTM

[xliuxu]

@tnqn I just pushed a new commit with a single line change here to fix the e2e error for antctl.

[tnqn]

/test-all
/test-ipv6-all
/test-ipv6-only-all
/test-windows-all

[xliuxu]

/test-networkpolicy
/test-windows-conformance
/test-ipv6-only-networkpolicy
/test-ipv6-e2e

[antoninbas]

@xliuxu please cherry-pick this to release-1.6