Add env parameter to support noEncap without AntreaProxy(#2600)

NoEncap mode can make the traffic output to physical network directly. When antrea proxy is disable, traffic won't go back to OVS for Egress NetworkPolicy enforcement, it breaks the basic security function, we can force support NoEncap without antrea proxy by using ALLOW_NO_ENCAP_WITHOUT_ANTREA_PROXY environment parameter for performance. Signed-off-by: Wenze Gao <wenze.gao@transwarp.io> Signed-off-by: Wu zhengdong <zhengdong.wu@transwarp.io>
antrea-io · Dec 10, 2021 · a2787e5 · a2787e5
1 parent e32664e
commit a2787e5
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 1 deletion.
diff --git a/cmd/antrea-agent/options.go b/cmd/antrea-agent/options.go
@@ -27,6 +27,7 @@ import (
 	"antrea.io/antrea/pkg/agent/config"
 	"antrea.io/antrea/pkg/apis"
 	"antrea.io/antrea/pkg/cni"
+	"antrea.io/antrea/pkg/util/env"
 	"antrea.io/antrea/pkg/features"
 	"antrea.io/antrea/pkg/ovs/ovsconfig"
 	"antrea.io/antrea/pkg/util/flowexport"
@@ -135,9 +136,17 @@ func (o *Options) validate(args []string) error {
 	}
 
 	if encapMode.SupportsNoEncap() {
-		if !features.DefaultFeatureGate.Enabled(features.AntreaProxy) {
+		// When use NoEncap traffic mode without Antrea Proxy, Pod-to-Service traffic is handled by iptables/ipvs in
+		// root netns, if the endpoint is not local the DNATed traffic will be output to physical network directly
+		// without going back to OVS for Egress NetworkPolicy enforcement, which breaks basic security functionality.
+		// It is not allowed to use in principle, But can force support NoEncap with ALLOW_NO_ENCAP_WITHOUT_ANTREA_PROXY
+		// environment parameter for performance.
+		if !features.DefaultFeatureGate.Enabled(features.AntreaProxy) && !env.GetAllowNoEncapWithoutAntreaProxy() {
 			return fmt.Errorf("TrafficEncapMode %s requires AntreaProxy to be enabled", o.config.TrafficEncapMode)
 		}
+		if env.GetAllowNoEncapWithoutAntreaProxy(){
+			klog.Warningf("NoEncap traffic mode has been allowed without Antrea Proxy.")
+		}
 		if encryptionMode != config.TrafficEncryptionModeNone {
 			return fmt.Errorf("TrafficEncryptionMode %s may only be enabled in %s mode", encryptionMode, config.TrafficEncapModeEncap)
 		}

diff --git a/docs/noencap-hybrid-modes.md b/docs/noencap-hybrid-modes.md
@@ -9,6 +9,29 @@ are in different subnets, but does not encapsulate when the source and the
 destination Nodes are in the same subnet. This document describes how to
 configure Antrea with the `NoEncap` and `Hybrid` modes.
 
+`NoEncap` and `Hybrid` traffic modes of Antrea are currently only supported with
+Antrea-proxy for the basic security function, we can force support `NoEncap` and
+`Hybrid` traffic modes without Antrea-proxy by using `ALLOW_NO_ENCAP_WITHOUT_ANTREA_PROXY`
+environment parameter in Antrea Agent. For example:
+
+```yaml
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: antrea-agent
+  labels:
+    component: antrea-agent
+spec:
+  containers:
+    - name: antrea-agent
+      ... ...
+      env:
+        - name: ALLOW_NO_ENCAP_WITHOUT_ANTREA_PROXY
+          value: "true"
+      ... ...
+```
+
 ## Hybrid Mode
 
 Let us start from `Hybrid` mode which is simpler to configure. `Hybrid` mode

diff --git a/pkg/util/env/env.go b/pkg/util/env/env.go
@@ -33,6 +33,8 @@ const (
 	antreaCloudEKSEnvKey = "ANTREA_CLOUD_EKS"
 
 	defaultAntreaNamespace = "kube-system"
+
+	allowNoEncapWithoutAntreaProxyEnvKey = "ALLOW_NO_ENCAP_WITHOUT_ANTREA_PROXY"
 )
 
 // GetNodeName returns the node's name used in Kubernetes, based on the priority:
@@ -121,3 +123,8 @@ func GetAntreaNamespace() string {
 	}
 	return namespace
 }
+
+// GetAllowNoEncapWithoutAntreaProxy returns the status if can use noEncap or hybrid traffic mode without AntreaProxy.
+func GetAllowNoEncapWithoutAntreaProxy() bool {
+	return getBoolEnvVar(allowNoEncapWithoutAntreaProxyEnvKey, false)
+}