
Using VTI devices and Routes to manage VPN connections #80

Open
hhyasdf opened this issue Jan 10, 2023 · 5 comments · Fixed by #107

Comments

@hhyasdf

hhyasdf commented Jan 10, 2023

Raven now uses the subnet-based configuration of Libreswan to create VPN connections, which relies strongly on the "One-Subnet-One-Node" supposition. This brings trouble when the CNI implementation doesn't obey the supposition; many CNIs even make subnets able to span multiple nodes.

Both Libreswan and WireGuard can support a route-based management method. Using this, maybe Raven only needs to watch the IPs of Pod objects and use them to configure routes (policy route + ipset + iptables mark) instead of relying on the "subnets" of nodes.
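
As an added example (not Raven's code; the nodepool names and addresses are constructed), the difference the two approaches make when one subnet spans two nodepools: the subnet-based rule keeps a remote Pod out of the VPN, while the per-IP rule from the thread sends it through and yields the ipset contents for the mark rule:

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// samplePods (constructed) maps Pod IP to nodepool; here subnet
// 10.244.1.0/24 spans two nodepools, breaking "One-Subnet-One-Node".
var samplePods = map[netip.Addr]string{
	netip.MustParseAddr("10.244.1.10"): "edge-a",
	netip.MustParseAddr("10.244.1.20"): "edge-b", // same subnet, other pool
}

// subnetNeedsVPN is the subnet-based decision: dst is treated as local
// (no VPN) iff it falls inside a subnet attributed to the local nodepool.
func subnetNeedsVPN(dst netip.Addr, localSubnets []netip.Prefix) bool {
	for _, p := range localSubnets {
		if p.Contains(dst) {
			return false
		}
	}
	return true
}

// ipNeedsVPN is the route-based decision from the thread: only Pod IPs
// of the local nodepool bypass the VPN; anything else goes through it.
func ipNeedsVPN(dst netip.Addr, pods map[netip.Addr]string, localPool string) bool {
	pool, known := pods[dst]
	return !known || pool != localPool
}

// vpnSet lists the Pod IPs to load into the ipset matched by the
// iptables mark rule, i.e. every Pod outside the local nodepool.
func vpnSet(pods map[netip.Addr]string, localPool string) []string {
	var out []string
	for ip, pool := range pods {
		if pool != localPool {
			out = append(out, ip.String())
		}
	}
	sort.Strings(out) // map order is random; keep ipset input stable
	return out
}

func main() {
	dst, local := netip.MustParseAddr("10.244.1.20"), []netip.Prefix{netip.MustParsePrefix("10.244.1.0/24")}
	fmt.Println(subnetNeedsVPN(dst, local), ipNeedsVPN(dst, samplePods, "edge-a"), vpnSet(samplePods, "edge-a"))
}
```

With the local nodepool set to "edge-a", the subnet-based rule answers false for 10.244.1.20 (misrouted as local) while the per-IP rule answers true.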

@hhyasdf hhyasdf changed the title Using VTI and Routes to manage VPN connections Using VTI device and Routes to manage VPN connections Jan 10, 2023
@hhyasdf hhyasdf changed the title Using VTI device and Routes to manage VPN connections Using VTI devices and Routes to manage VPN connections Jan 10, 2023
@njucjc
Member

njucjc commented Jan 10, 2023

cc @BSWANG @DrmagicE @luckymrwang

@BSWANG
Collaborator

BSWANG commented Jan 10, 2023

@hhyasdf How to sync the IPs of the "nodepool"?

  • Watch Pod IPs on each node.
  • OR sync the Pod IPs of the "nodepool" to the gateway CR.

@hhyasdf
Author

hhyasdf commented Jan 10, 2023

@hhyasdf How to sync the IPs of the "nodepool"?

  • Watch Pod IPs on each node.
  • OR sync the Pod IPs of the "nodepool" to the gateway CR.

Maybe "Watch Pod IPs on each node" is fine.

The logic can be, "only Pod IPs of the local nodepool do not need to go through the VPN", so only the Pod IPs of the nodepool this node belongs to need to be handled.

@rambohe-ch
Member

@hhyasdf How to sync the IPs of the "nodepool"?

  • Watch Pod IPs on each node.
  • OR sync the Pod IPs of the "nodepool" to the gateway CR.

Maybe "Watch Pod IPs on each node" is fine.

The logic can be, "only Pod IPs of the local nodepool do not need to go through the VPN", so only the Pod IPs of the nodepool this node belongs to need to be handled.

@hhyasdf This means every Raven agent on the nodes should list/watch all Pods in the cluster? But I am worried that cloud-edge public network traffic will increase greatly.

@hhyasdf
Author

hhyasdf commented Jan 10, 2023

@hhyasdf How to sync the IPs of the "nodepool"?

  • Watch Pod IPs on each node.
  • OR sync the Pod IPs of the "nodepool" to the gateway CR.

Maybe "Watch Pod IPs on each node" is fine.

The logic can be, "only Pod IPs of the local nodepool do not need to go through the VPN", so only the Pod IPs of the nodepool this node belongs to need to be handled.

@hhyasdf This means every Raven agent on the nodes should list/watch all Pods in the cluster? But I am worried that cloud-edge public network traffic will increase greatly.

@rambohe-ch Syncing the Pod IPs of the "nodepool" to the gateway CR might be a good way to reduce the cloud-edge public network traffic. I mean, both of them are fine.

@njucjc njucjc added this to the dataplane-v0.4 milestone Mar 27, 2023
@njucjc njucjc linked a pull request May 11, 2023 that will close this issue