-
Notifications
You must be signed in to change notification settings - Fork 362
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make externalIP proxying configurable for AntreaProxy #3130
Make externalIP proxying configurable for AntreaProxy #3130
Conversation
Codecov Report
@@ Coverage Diff @@
## main #3130 +/- ##
==========================================
- Coverage 58.28% 51.65% -6.63%
==========================================
Files 297 297
Lines 25308 25311 +3
==========================================
- Hits 14750 13075 -1675
- Misses 8965 10757 +1792
+ Partials 1593 1479 -114
Flags with carried forward coverage won't be shown. Click here to find out more.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
In commit message, ntreaProxy -> AntreaProxy.
pkg/agent/proxy/proxier.go
Outdated
@@ -159,7 +160,7 @@ func (p *proxier) removeStaleServices() { | |||
} | |||
} | |||
// Remove LoadBalancer flows and configurations. | |||
if len(svcInfo.LoadBalancerIPStrings()) > 0 { | |||
if p.proxyExternalIPs && len(svcInfo.LoadBalancerIPStrings()) > 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just found when we talked about externalIP, we actually referred to loadbalancerIPs, while there is another field in Service's Spec called ExternalIPs
, which Antrea doesn't proxy at the moment but kube-proxy does. We may need to support it in the future. I don't think we need to have a toggle for it as the spec says "externalIPs is a list of IP addresses for which nodes in the cluster will also accept traffic for this service". But to avoid confusion, should we call the configuration for loadbalancer IPs proxyLoadBalancerIPs
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I actually opened an issue a while back about supporting ExternalIPs
for ClusterIP Services: #1627
Originally I thought that the proxyExternalIPs
configuration would eventually apply to both (LoadBalancerIPs and ExternalIPs) but thinking about it some more I don't think it makes sense. I'll work on renaming the configuration parameter as you suggested.
@@ -192,6 +192,14 @@ type AntreaProxyConfig struct { | |||
// Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name | |||
// with Namespace (e.g. kube-system/kube-dns) | |||
SkipServices []string `yaml:"skipServices,omitempty"` | |||
// When ProxyExternalIPs is set to false, AntreaProxy no longer load-balances traffic destined to the | |||
// ExternalIPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional | |||
// capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My concern is that: for externalTrafficPolicy of a LoadBalancer Service is Cluster, which means the source IP address of client should be reserved, for the connection whose source is a Pod, and destination is a ExternalIP(Pod-to-ExternalIP traffic mode). I'm a little confused about how the reply packets go back to external LB to guarantee the symmetry of for a connection.
- Request packet path: Pod -> Antrea gateway -> external LB -> Antrea gateway -> Endpoint
- Reply packet path: Endpoint -> Antrea gateway(without SNAT, I think the reply packet will be routed to the Pod since the source IP address of the client is reserved).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for externalTrafficPolicy of a LoadBalancer Service is Cluster, which means the source IP address of client should be reserved
Do you mean when externalTrafficPolicy
is Local, in which case the IP is preserved?
The external Load Balancer must SNAT the traffic, which is typically the case or can be configured (for AVI for example it is the default), in order for the reply traffic to go back through the external LB. That applies regardless of the externalTrafficPolicy
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably @hongliangl means the case LB does not SNAT, e.g. LB is inline and embedded in the gateway? That is quite uncommon though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The external Load Balancer must SNAT the traffic, which is typically the case or can be configured (for AVI for example it is the default), in order for the reply traffic to go back through the external LB. That applies regardless of the externalTrafficPolicy.
If SNAT is performed regardless of the externalTrafficPolicy
, it makes sense.
476c37b
to
596c088
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
A new proxyLoadBalancerIPs configuration parameter is added for AntreaProxy. When set to false, AntreaProxy no longer load-balances traffic destined to the External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. The default behavior is unchanged, i.e. proxyLoadBalancerIPs is true by default. Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. This feature cannot be leveraged by an external Load Balancer that depends on the local proxy (AntreaProxy) being able to load balance traffic destined to the External IP. This is the case for example with MetalLB. However Load Balancers that rely on NodePort / NodePortLocal can leverage this feature. Fixes antrea-io#3121 Signed-off-by: Antonin Bas <abas@vmware.com>
596c088
to
93cf9bd
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
/test-all |
/skip-all |
/skip-all |
A new proxyExternalIPs configuration parameter is added for
AntreaProxy. When set to false, ntreaProxy no longer load-balances
traffic destined to the ExternalIPs of LoadBalancer Services. This is
useful when the external LoadBalancer provides additional capabilities
(e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic
to be sent to the external LoadBalancer instead of being load-balanced
to an Endpoint directly by AntreaProxy.
The default behavior is unchanged, i.e. proxyExternalIPs is true by
default.
Note that setting ProxyExternalIPs to false usually only makes sense
when ProxyAll is set to true and kube-proxy is removed from the cluser,
otherwise kube-proxy will still load-balance this traffic.
This feature cannot be leveraged by an external Load Balancer that
depends on the local proxy (AntreaProxy) being able to load balance
traffic destined to the ExternalIP. This is the case for example with
MetalLB. However Load Balancers that rely on NodePort / NodePortLocal
can leverage this feature.
Fixes #3121
Signed-off-by: Antonin Bas abas@vmware.com