Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] UDN host isolation #4799

Draft
wants to merge 14 commits into
base: master
Choose a base branch
from
Draft

[WIP] UDN host isolation #4799

wants to merge 14 commits into from

Conversation

npinaeva
Copy link
Member

@npinaeva npinaeva commented Oct 23, 2024
edited
Loading

pulls commits from #3709 and #4612
Adds host isolation except for kubelet, open-ports handling for hostnetwork pods.

To enable this feature on a kind cluster, just comment out 71ad044#diff-ea48eab674fe05348e580125fccb19b775e0fd6f6a2d28a2dab5fb382590a16aR1641
I have run new e2es on the fedora rawhide VM, which has the fix

#4800 is supposed to show host-isolation test parts failing on a kind with feature disabled

npinaeva and others added 9 commits October 23, 2024 12:53
@npinaeva
Call PrepareTestConfig for healthcheck tests to ensure consistent
4579ac0 
setup.

Signed-off-by: Nadia Pinaeva <[email protected]>
@npinaeva
kind.sh fix: delete kind cluster with given name instead of "ovn".
d8970fd 
Signed-off-by: Nadia Pinaeva <[email protected]>
@ormergi @npinaeva
utils,fake client: Populate NAD fake-client tracker
7b5e7c5 
Since the NAD API resource name uses arbitrary name and
doesn't match the kind name
('network-attachment-definitions' vs. 'NetworkAttachmentDefinition'),
the underlying API machinery cannot match between the resource and
kind names, causing NAD objects to not reflect in the NAD informer [1].

To overcome this, populate the NAD fakeclient tracker with given NADs
objects following the example on [2].

This is preliminary change to enable simplifying UDN controller
tests, making test setup more simple and eliminate using the NAD
informer directly to create/delete NADs.

[1] https://github.com/ovn-org/ovn-kubernetes/blob/65c79af35b2c22f90c863debefa15c4fb1f088cb/go-controller/vendor/k8s.io/client-go/testing/fixture.go#L341
[2] ovn-org@434b059#diff-ae287d8b2b115068905d4b5bf477d0e8cb6586d271fe872ca3b17acc94f21075R1

Signed-off-by: Or Mergi <[email protected]>
@danwinship @npinaeva
Make sure nftables binaries are available everywhere
d14702e 
Signed-off-by: Dan Winship <[email protected]>
(cherry picked from commit 7bad589)
@danwinship @npinaeva
Import knftables package, add pkg/node/nftables/
b6e6a22 
Signed-off-by: Dan Winship <[email protected]>
(cherry picked from commit 79b6e3f)
@npinaeva
Add testing util for nftables.
3a04944 
Signed-off-by: Nadia Pinaeva <[email protected]>
Authored-by: Dan Winship <[email protected]>
@npinaeva
vendor in systemd listener
afc7567 
Signed-off-by: Nadia Pinaeva <[email protected]>
@npinaeva
Bump knftables version to the master
b6f4d65 
Signed-off-by: Nadia Pinaeva <[email protected]>
@npinaeva
Mount systemd/private to the ovnkube containers.
e9fcdf8 
It allows listening for systemd events, we use it to track kubelet
restarts.

Signed-off-by: Nadia Pinaeva <[email protected]>
@github-actions github-actions bot added kind/documentation All issues related to documentation area/unit-testing Issues related to adding/updating unit tests area/e2e-testing labels Oct 23, 2024
@npinaeva npinaeva mentioned this pull request Oct 23, 2024
Draft
@npinaeva
Add host isolation for UDN pods.
ba13572 
UDNHostIsolationManager manages the host isolation for user defined
networks.It uses nftables chain "udn-isolation" to only allow
connection to primary UDN pods from kubelet.
It also listens to systemd events to re-apply the rules after kubelet
restart as cgroup matching is used.

Signed-off-by: Nadia Pinaeva <[email protected]>
@npinaeva
node UDN isolation: make nft container more generic.
af88109 
Replace podIP with Element, add tracking of duplicate elements owned
by different pods.

Signed-off-by: Nadia Pinaeva <[email protected]>
@npinaeva
node UDN isolation: handle open ports annotation on UDN pods.
2aff0d5 
To allow access to open port from the default hostNetwork pods,
add ntf rules to track icmp and tcp/udp/sctp allowed ports.
Add composed key option to nftPodElementsSet.
Add unit tests for nftPodElementsSet and open port handling.

Signed-off-by: Nadia Pinaeva <[email protected]>
@npinaeva
host isolation, open ports: add e2e
a3f6743 
Signed-off-by: Nadia Pinaeva <[email protected]>
@npinaeva
Add option to disable udn-host-isolation.
71ad044 
UDN host isolation requires a kernel fix. Turn it off by default in
ovnkube.sh (aka in our kind cluster). As soon as the fix becomes
available for github runners (and dev environments), this flag will be
removed from ovnkube.sh (and potentially from the code).
This flag only takes effect when network segmentation is enabled.

Add DISABLE_UDN_HOST_ISOLATION env variable to test workflow, that is
set to true.
Skip host isolation tests based on the value.

Signed-off-by: Nadia Pinaeva <[email protected]>
@tssurya tssurya added the feature/user-defined-network-segmentation All PRs related to User defined network segmentation label Nov 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
area/e2e-testing area/unit-testing Issues related to adding/updating unit tests feature/user-defined-network-segmentation All PRs related to User defined network segmentation kind/documentation All issues related to documentation
Projects
OVN Kubernetes Project
Status: Todo
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@npinaeva @tssurya @ormergi @danwinship