Add env parameter to support noEncap without AntreaProxy #3116
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Jexf
changed the title
|
/test-all |
Codecov Report
@@ Coverage Diff @@
## main #3116 +/- ##
==========================================
- Coverage 60.83% 60.82% -0.01%
==========================================
Files 295 295
Lines 24892 24908 +16
==========================================
+ Hits 15142 15151 +9
- Misses 8095 8102 +7
Partials 1655 1655
Flags with carried forward coverage won't be shown. Click here to find out more.
|
|
@antoninbas Yes, #2796 already has been closed. |
|
/test-integration |
antoninbas
reviewed
Dec 13, 2021
|
/test-all |
antoninbas
reviewed
Dec 14, 2021
antoninbas
reviewed
Dec 15, 2021
When using NoEncap traffic mode without AntreaProxy, Pod-to-Service traffic is handled by kube-proxy (iptables/ipvs) in the root netns. If the Endpoint is not local the DNATed traffic will be output to the physical network directly without going back to OVS for Egress NetworkPolicy enforcement, which breaks basic security functionality. Therefore, we usually do not allow the NoEncap traffic mode without AntreaProxy. But one can bypass this check and force this feature combination to be allowed, by defining the ALLOW_NO_ENCAP_WITHOUT_ANTREA_PROXY environment variable and setting it to true. This may lead to better performance when using NoEncap if Egress NetworkPolicy enforcement is not required. Signed-off-by: Wenze Gao <wenze.gao@transwarp.io> Signed-off-by: Wu zhengdong <zhengdong.wu@transwarp.io>
|
/test-all |
|
/skip-all I have ran the required checks manually. |
|
/skip-all |
1 similar comment
|
/skip-all |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When using NoEncap traffic mode without AntreaProxy, Pod-to-Service
traffic is handled by kube-proxy (iptables/ipvs) in the root netns.
If the Endpoint is not local the DNATed traffic will be output to
the physical network directly without going back to OVS for Egress
NetworkPolicy enforcement, which breaks basic security functionality.
Therefore, we usually do not allow the NoEncap traffic mode without
AntreaProxy. But one can bypass this check and force this feature
combination to be allowed, by defining the ALLOW_NO_ENCAP_WITHOUT_ANTREA_PROXY
environment variable and setting it to true. This may lead to better
performance when using NoEncap if Egress NetworkPolicy enforcement is
not required.
Signed-off-by: Wenze Gao wenze.gao@transwarp.io
Signed-off-by: Wu zhengdong zhengdong.wu@transwarp.io