Add env parameter to support noEncap without AntreaProxy #3116
Conversation
/test-all
Codecov Report

@@ Coverage Diff @@
##            main    #3116      +/-   ##
==========================================
- Coverage   60.83%   60.82%   -0.01%
==========================================
  Files         295      295
  Lines       24892    24908      +16
==========================================
+ Hits        15142    15151       +9
- Misses       8095     8102       +7
  Partials     1655     1655

Flags with carried forward coverage won't be shown.
@antoninbas Yes, #2796 has already been closed.
/test-integration
/test-all
one more comment, otherwise lgtm
When using NoEncap traffic mode without AntreaProxy, Pod-to-Service traffic is handled by kube-proxy (iptables/ipvs) in the root netns. If the Endpoint is not local the DNATed traffic will be output to the physical network directly without going back to OVS for Egress NetworkPolicy enforcement, which breaks basic security functionality. Therefore, we usually do not allow the NoEncap traffic mode without AntreaProxy. But one can bypass this check and force this feature combination to be allowed, by defining the ALLOW_NO_ENCAP_WITHOUT_ANTREA_PROXY environment variable and setting it to true. This may lead to better performance when using NoEncap if Egress NetworkPolicy enforcement is not required.

Signed-off-by: Wenze Gao <wenze.gao@transwarp.io>
Signed-off-by: Wu zhengdong <zhengdong.wu@transwarp.io>
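How a start-up check of this kind, with an explicit environment-variable override, can be structured, as an added Go example written for this page. It is not Antrea's own code: the AgentConfig type, the ValidateTrafficMode and overrideEnabled functions and the mode constants are assumed names; only the ALLOW_NO_ENCAP_WITHOUT_ANTREA_PROXY variable comes from the PR description. The check refuses the unsafe combination by default, fails closed on anything but a literal boolean true, and when the override is set returns a warning to log so the loss of Egress NetworkPolicy enforcement for remote Endpoints is recorded rather than silent.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
)

// Hypothetical names for this example; they are not Antrea's own config types or constants.
const (
	TrafficEncapModeEncap   = "encap"
	TrafficEncapModeNoEncap = "noEncap"

	// Override variable named in the PR description.
	AllowNoEncapWithoutProxyEnv = "ALLOW_NO_ENCAP_WITHOUT_ANTREA_PROXY"
)

// AgentConfig is a reduced stand-in for the agent configuration (assumed shape).
type AgentConfig struct {
	TrafficEncapMode string
	AntreaProxy      bool
}

// ErrNoEncapWithoutProxy is returned when the unsafe combination is requested without the override.
var ErrNoEncapWithoutProxy = errors.New(
	"noEncap traffic mode requires AntreaProxy: with kube-proxy alone, DNATed Pod-to-Service " +
		"traffic to a remote Endpoint leaves the Node without passing OVS, so Egress NetworkPolicy " +
		"is not enforced; set " + AllowNoEncapWithoutProxyEnv + "=true to override")

// overrideEnabled reports whether the operator explicitly opted in.
// lookup is os.LookupEnv in production and a stub in tests. Only values accepted by
// strconv.ParseBool count, so an unset, empty or malformed value never enables the bypass.
func overrideEnabled(lookup func(string) (string, bool)) bool {
	v, ok := lookup(AllowNoEncapWithoutProxyEnv)
	if !ok {
		return false
	}
	b, err := strconv.ParseBool(v)
	return err == nil && b
}

// ValidateTrafficMode checks the feature combination at agent start-up.
// It returns an error that should abort start-up, or a non-empty warning to log when the
// operator has deliberately accepted the loss of Egress NetworkPolicy enforcement.
func ValidateTrafficMode(cfg AgentConfig, lookup func(string) (string, bool)) (string, error) {
	if cfg.TrafficEncapMode != TrafficEncapModeNoEncap || cfg.AntreaProxy {
		return "", nil // safe combinations need no override
	}
	if !overrideEnabled(lookup) {
		return "", ErrNoEncapWithoutProxy
	}
	return fmt.Sprintf("%s=true: running noEncap without AntreaProxy; Egress NetworkPolicy will not "+
		"apply to Pod-to-Service traffic whose Endpoint is on another Node", AllowNoEncapWithoutProxyEnv), nil
}

func main() {
	cfg := AgentConfig{TrafficEncapMode: TrafficEncapModeNoEncap, AntreaProxy: false}
	warn, err := ValidateTrafficMode(cfg, os.LookupEnv)
	switch {
	case err != nil:
		fmt.Println("refusing to start:", err)
	case warn != "":
		fmt.Println("warning:", warn)
	default:
		fmt.Println("traffic mode configuration accepted")
	}
}
```

The environment lookup is injected rather than read directly so the decision can be exercised without mutating the process environment, and the override is parsed with strconv.ParseBool so that values such as "yes" or an empty string keep the default refusal.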
/test-all
LGTM
LGTM
/skip-all I have run the required checks manually.
/skip-all