Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhance ACNP Service related feature #4261

Merged
merged 1 commit into from
Oct 19, 2022
Merged

Enhance ACNP Service related feature #4261

merged 1 commit into from
Oct 19, 2022

Conversation

GraysonWu
Copy link
Contributor

@GraysonWu GraysonWu commented Sep 30, 2022
edited
Loading

  1. Only load Service GroupID into reg when AntreaPolicy is enabled.

    Service GroupID is only used by AntreaPolicy "toServices"
    and "AppliedTo NodePort Serivces" features for now.

  2. In IngressSecurityClassifierTable, only forward packet to
    AntreaPolicyIngressRuleTable when AntreaPolicy is enabled and
    proxyAll is enabled.

    This forward flow is only used by AntreaPolicy "AppliedTo NodePort
    Services" feature to avoid packets skip
    AntreaPolicyIngressRuleTable, where policy will be enforced, when
    the endpoint of this Service is not on current NodePort Node.

  3. In ACNP appliedTo NodePort Service e2e test, change to add another
    netNS to fake external network.

Signed-off-by: graysonwu [email protected]

@codecov
Copy link

codecov bot commented Sep 30, 2022
edited
Loading

Codecov Report

Merging #4261 (2051562) into main (1e31a78) will increase coverage by 0.25%.
The diff coverage is 44.44%.

❗ Current head 2051562 differs from pull request most recent head 8f3a6c9. Consider uploading reports for the commit 8f3a6c9 to get more accurate results

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #4261      +/-   ##
==========================================
+ Coverage   62.98%   63.23%   +0.25%     
==========================================
  Files         388      388              
  Lines       55129    55155      +26     
==========================================
+ Hits        34721    34877     +156     
+ Misses      17841    17704     -137     
- Partials     2567     2574       +7
Flag Coverage Δ
integration-tests 34.50% <85.71%> (+0.04%) ⬆️
kind-e2e-tests 48.74% <44.44%> (-0.11%) ⬇️
unit-tests 44.96% <11.11%> (+0.42%) ⬆️
Impacted Files Coverage Δ
pkg/agent/controller/networkpolicy/reject.go 72.90% <9.09%> (-4.60%) ⬇️
pkg/agent/openflow/client.go 70.93% <100.00%> (-1.40%) ⬇️
pkg/agent/openflow/pipeline.go 84.67% <100.00%> (+1.17%) ⬆️
pkg/agent/openflow/service.go 91.66% <100.00%> (+0.08%) ⬆️
pkg/controller/externalippool/controller.go 86.16% <0.00%> (-6.25%) ⬇️
pkg/controller/traceflow/controller.go 74.72% <0.00%> (-2.53%) ⬇️
pkg/agent/openflow/multicluster.go 44.85% <0.00%> (-1.87%) ⬇️
...trollers/multicluster/resourceexport_controller.go 78.07% <0.00%> (-1.61%) ⬇️
pkg/agent/util/net.go 52.05% <0.00%> (-1.50%) ⬇️
... and 37 more

@GraysonWu GraysonWu changed the title Enhance ACNP applied to NodePort Service [WIP]Enhance ACNP applied to NodePort Service Sep 30, 2022
@GraysonWu GraysonWu changed the title [WIP]Enhance ACNP applied to NodePort Service Enhance ACNP applied to NodePort Service Sep 30, 2022
wenyingd
wenyingd reviewed Sep 30, 2022
View reviewed changes
Copy link
Contributor

@wenyingd wenyingd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code change LGTM, please pay attention to the test coverage.

hongliangl
hongliangl reviewed Sep 30, 2022
View reviewed changes
test/e2e/antreapolicy_test.go Outdated
ip netns exec %[1]s ip route replace default via %[3]s && \
sleep 3600
`, testNetns, "1.1.1.1", "1.1.1.254", 24)
if err := NewPodBuilder(clientName, data.testNamespace, agnhostImage).OnNode(controlPlaneNodeName()).WithCommand([]string{"sh", "-c", cmd}).InHostNetwork().Privileged().Create(data); err != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To fake an external client, command should be run in the netns created in the test agnhost container, not the agnhost container itself. For example: ip netns exec test-ns curl 192.168.77.100:30001 (assuming that 192.168.77.100:30001 is a NodePort url).

tnqn
tnqn reviewed Sep 30, 2022
View reviewed changes
Copy link
Member

@tnqn tnqn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM except the test issue @hongliangl has pointed out.

@GraysonWu GraysonWu changed the title Enhance ACNP applied to NodePort Service Enhance ACNP Service related feature Sep 30, 2022
@hongliangl
Copy link
Contributor

In E2e tests on a Kind cluster on Linux with all features enabled, the test you updated got failed. In Integration test, you need to update test TestProxyServiceFlows.

@GraysonWu GraysonWu force-pushed the fix-np-apply-to-svc branch 5 times, most recently from a7ddb86 to 8c6a4a0 Compare October 6, 2022 20:31
@GraysonWu
Copy link
Contributor Author

/test-all

@tnqn tnqn added this to the Antrea v1.9 release milestone Oct 11, 2022
@GraysonWu GraysonWu force-pushed the fix-np-apply-to-svc branch 2 times, most recently from 2e50dd5 to 2051562 Compare October 14, 2022 08:13
@GraysonWu
Enhance ACNP Service related feature
8f3a6c9 
1. Only load Service GroupID into reg when AntreaPolicy is enabled.

   Service GroupID is only used by AntreaPolicy "toServices"
   and "AppliedTo NodePort Serivces" features for now.

2. In IngressSecurityClassifierTable, only forward packet to
AntreaPolicyIngressRuleTable when AntreaPolicy is enabled and
proxyAll is enabled.

   This forward flow is only used by AntreaPolicy "AppliedTo NodePort
   Services" feature to avoid packets skip
   AntreaPolicyIngressRuleTable, where policy will be enforced, when
   the endpoint of this Service is not on current NodePort Node.

3. In ACNP appliedTo NodePort Service e2e test, change to add another
netNS to fake external network.

4. Change to use gwOFPort as inPort of reject response for some cases.

Signed-off-by: graysonwu <[email protected]>
@GraysonWu
Copy link
Contributor Author

/test-all

hongliangl
hongliangl reviewed Oct 17, 2022
View reviewed changes
Copy link
Contributor

@hongliangl hongliangl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, and could you help double confirm @tnqn ? Thanks

@GraysonWu GraysonWu requested a review from tnqn October 17, 2022 06:27
tnqn
tnqn approved these changes Oct 18, 2022
View reviewed changes
Copy link
Member

@tnqn tnqn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Just want to confirm the impact of the PR: it doesn't fix any issue but reduces unnecessary cost when AntreaPolicy is not enabled, right?

@GraysonWu
Copy link
Contributor Author

LGTM. Just want to confirm the impact of the PR: it doesn't fix any issue but reduces unnecessary cost when AntreaPolicy is not enabled, right?

It fixed one issue: when AntreaProxy is enabled and AntreaPolicy is disabled, we can't resubmit packets to AntreaPolicyIngressRuleTable which doesn't exist.
https://github.com/antrea-io/antrea/pull/4261/files#diff-120d06ea0809e1c6293ce9a1f6b2f4bf37d4fba0ec569be913f884aa8cdd4124R2116

@tnqn tnqn added action/backport Indicates a PR that requires backports. action/release-note Indicates a PR that should be included in release notes. labels Oct 19, 2022
@tnqn
Copy link
Member

tnqn commented Oct 19, 2022
edited
Loading

LGTM. Just want to confirm the impact of the PR: it doesn't fix any issue but reduces unnecessary cost when AntreaPolicy is not enabled, right?

It fixed one issue: when AntreaProxy is enabled and AntreaPolicy is disabled, we can't resubmit packets to AntreaPolicyIngressRuleTable which doesn't exist. https://github.com/antrea-io/antrea/pull/4261/files#diff-120d06ea0809e1c6293ce9a1f6b2f4bf37d4fba0ec569be913f884aa8cdd4124R2116

Thanks for the information. Please file an issue or describe the fixed issue in the PR itself for future PRs, otherwise not easy to figure out the severity level and impact of a change. Based on your description, I think we should backport it to maintained releases (1.5 and later).

@tnqn tnqn merged commit 0307eff into antrea-io:main Oct 19, 2022
@GraysonWu
Copy link
Contributor Author

GraysonWu commented Oct 19, 2022
edited
Loading

LGTM. Just want to confirm the impact of the PR: it doesn't fix any issue but reduces unnecessary cost when AntreaPolicy is not enabled, right?

It fixed one issue: when AntreaProxy is enabled and AntreaPolicy is disabled, we can't resubmit packets to AntreaPolicyIngressRuleTable which doesn't exist. https://github.com/antrea-io/antrea/pull/4261/files#diff-120d06ea0809e1c6293ce9a1f6b2f4bf37d4fba0ec569be913f884aa8cdd4124R2116

Thanks for the information. Please file an issue or describe the fixed issue in the PR itself for future PRs, otherwise not easy to figure out the severity level and impact of a change. Based on your description, I think we should backport it to maintained releases (1.5 and later).

Got it. Thanks. Will do it in the future. About backporting, maybe 1.8 should be enough. The issue I mentioned above was introduced by PR #3997.

@GraysonWu GraysonWu mentioned this pull request Oct 19, 2022
Merged
hongliangl pushed a commit to hongliangl/antrea that referenced this pull request Oct 22, 2022
@GraysonWu @hongliangl
Enhance ACNP Service related feature (antrea-io#4261)
0ffc268 
1. Only load Service GroupID into reg when AntreaPolicy is enabled.

   Service GroupID is only used by AntreaPolicy "toServices"
   and "AppliedTo NodePort Serivces" features for now.

2. In IngressSecurityClassifierTable, only forward packet to
AntreaPolicyIngressRuleTable when AntreaPolicy is enabled and
proxyAll is enabled.

   This forward flow is only used by AntreaPolicy "AppliedTo NodePort
   Services" feature to avoid packets skip
   AntreaPolicyIngressRuleTable, where policy will be enforced, when
   the endpoint of this Service is not on current NodePort Node.

3. In ACNP appliedTo NodePort Service e2e test, change to add another
netNS to fake external network.

4. Change to use gwOFPort as inPort of reject response for some cases.

Signed-off-by: graysonwu <[email protected]>
heanlan pushed a commit to heanlan/antrea that referenced this pull request Mar 29, 2023
@GraysonWu @heanlan
Enhance ACNP Service related feature (antrea-io#4261)
2ea06a3 
1. Only load Service GroupID into reg when AntreaPolicy is enabled.

   Service GroupID is only used by AntreaPolicy "toServices"
   and "AppliedTo NodePort Serivces" features for now.

2. In IngressSecurityClassifierTable, only forward packet to
AntreaPolicyIngressRuleTable when AntreaPolicy is enabled and
proxyAll is enabled.

   This forward flow is only used by AntreaPolicy "AppliedTo NodePort
   Services" feature to avoid packets skip
   AntreaPolicyIngressRuleTable, where policy will be enforced, when
   the endpoint of this Service is not on current NodePort Node.

3. In ACNP appliedTo NodePort Service e2e test, change to add another
netNS to fake external network.

4. Change to use gwOFPort as inPort of reject response for some cases.

Signed-off-by: graysonwu <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wenyingd wenyingd wenyingd left review comments

@hongliangl hongliangl hongliangl left review comments

@tnqn tnqn tnqn approved these changes

Assignees
No one assigned
Labels
action/backport Indicates a PR that requires backports. action/release-note Indicates a PR that should be included in release notes.
Projects
None yet
Milestone
Antrea v1.9 release
Development

Successfully merging this pull request may close these issues.
4 participants
@GraysonWu @hongliangl @tnqn @wenyingd