Support routing to external IPs behind service #2243
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jdn5126
force-pushed
the
from_container_rule
branch
2 times, most recently
from
309c7da
to
0cf7af2
Compare
achevuru
reviewed
Feb 11, 2023
achevuru
reviewed
Feb 11, 2023
achevuru
reviewed
Feb 11, 2023
achevuru
reviewed
Feb 11, 2023
achevuru
reviewed
Feb 11, 2023
achevuru
reviewed
Feb 11, 2023
jdn5126
force-pushed
the
from_container_rule
branch
2 times, most recently
from
68bf466
to
9217208
Compare
achevuru
previously approved these changes
Feb 16, 2023
jdn5126
force-pushed
the
from_container_rule
branch
from
9217208
to
8c86793
Compare
jdn5126
force-pushed
the
from_container_rule
branch
from
8c86793
to
9fb472a
Compare
achevuru
approved these changes
Feb 27, 2023
jdn5126
force-pushed
the
from_container_rule
branch
from
9fb472a
to
e7c67f8
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
bug
Which issue does this PR fix:
#1910
What does this PR do / Why do we need it:
This PR adds a new environment variable,
AWS_EXTERNAL_SERVICE_CIDRS, where customers can specify IPV4 CIDRs outside of VPC that are reachable via service IP. This is necessary to route to these endpoints via service IP from secondary ENIs (#1910).For each CIDR, an IP rule is installed (with a priority higher than the from-container rule) to route to the CIDR via main routing table. An example rule is:
Currently, every time
AWS_EXTERNAL_SERVICE_CIDRSis changed, theaws-nodepod restarts, which is why the implementation for this function is in IPAMD node initialization. In the future, if a ConfigMap is used (#2102 is implemented), then operators will need to manually restart theaws-nodecontainer after modifying the environment variable.If a solution can be implemented one day that dynamically detects this case and ensures proper routing, this environment variable will be deprecated.
If an issue # is not available please add repro steps and logs from IPAMD/CNI showing the issue:
N/A
Testing done on this change:
Unit tests are added to cover new functions. I manually verified functionality and ensured that all existing integration tests pass. I considered adding an integration test case, but decided against it as it would require setting up communication outside of VPC or requiring node IPs to be public, both of which we want to avoid. The unit tests cover that we add and delete the IP rules as expected, and we know that routing works when IP rules are present.
Automation added to e2e:
N/A
Will this PR introduce any new dependencies?:
No
Will this break upgrades or downgrades. Has updating a running cluster been tested?:
This PR will not break upgrades or downgrades. A running cluster has been tested.
Does this change require updates to the CNI daemonset config files to work?:
No
Does this PR introduce any user-facing change?:
Yes
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.