Support Internal Traffic Policy in AntreaProxy
InternalTrafficPolicy is introduced in Kubernetes 1.21. Service Internal
Traffic Policy enables internal traffic restrictions to only route
internal traffic to Endpoints within the Node the traffic originated
from. The "internal" traffic here refers to traffic originated from Pods
in the current cluster. This can help to reduce costs and improve
performance.

Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
hongliangl committed Sep 22, 2021
1 parent e32664e commit 19d01b6
Showing 11 changed files with 356 additions and 210 deletions.
13 changes: 9 additions & 4 deletions build/yamls/antrea-aks.yml
Expand Up @@ -3773,6 +3773,11 @@ data:
# this flag will not take effect.
# EndpointSlice: false
# Enables ServiceInternalTrafficPolicy in AntreaProxy. Don't enable this feature unless the
# ServiceInternalTrafficPolicy feature gate of kube-apiserver is also enabled. If AntreaProxy is
# not enabled, this flag will not take effect.
# ServiceInternalTrafficPolicy: false
# Enable traceflow which provides packet tracing feature to diagnose network issue.
# Traceflow: true
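Review bot: this comment block is generated from build/yamls/base/conf/antrea-agent.conf and repeated verbatim in all five manifests, so any wording change belongs in the base file with the manifests regenerated afterwards (the antrea-config ConfigMap hash rename in the following hunks shows that was done here). The one wording gap to fix at the source: the comment tells operators to enable the kube-apiserver `ServiceInternalTrafficPolicy` feature gate but not the minimum Kubernetes version, while the commit message says the field only exists from Kubernetes 1.21; on an older apiserver the advice is not actionable, so add the version to the comment.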
Expand Down Expand Up @@ -4054,7 +4059,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-dtc759g79k
name: antrea-config-76k6dfccmh
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -4125,7 +4130,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-dtc759g79k
value: antrea-config-76k6dfccmh
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
Expand Down Expand Up @@ -4176,7 +4181,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-dtc759g79k
name: antrea-config-76k6dfccmh
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -4457,7 +4462,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-dtc759g79k
name: antrea-config-76k6dfccmh
name: antrea-config
- hostPath:
path: /etc/cni/net.d
13 changes: 9 additions & 4 deletions build/yamls/antrea-eks.yml
Expand Up @@ -3773,6 +3773,11 @@ data:
# this flag will not take effect.
# EndpointSlice: false
# Enables ServiceInternalTrafficPolicy in AntreaProxy. Don't enable this feature unless the
# ServiceInternalTrafficPolicy feature gate of kube-apiserver is also enabled. If AntreaProxy is
# not enabled, this flag will not take effect.
# ServiceInternalTrafficPolicy: false
# Enable traceflow which provides packet tracing feature to diagnose network issue.
# Traceflow: true
Expand Down Expand Up @@ -4054,7 +4059,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-dtc759g79k
name: antrea-config-76k6dfccmh
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -4125,7 +4130,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-dtc759g79k
value: antrea-config-76k6dfccmh
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
Expand Down Expand Up @@ -4176,7 +4181,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-dtc759g79k
name: antrea-config-76k6dfccmh
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -4459,7 +4464,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-dtc759g79k
name: antrea-config-76k6dfccmh
name: antrea-config
- hostPath:
path: /etc/cni/net.d
13 changes: 9 additions & 4 deletions build/yamls/antrea-gke.yml
Expand Up @@ -3773,6 +3773,11 @@ data:
# this flag will not take effect.
# EndpointSlice: false
# Enables ServiceInternalTrafficPolicy in AntreaProxy. Don't enable this feature unless the
# ServiceInternalTrafficPolicy feature gate of kube-apiserver is also enabled. If AntreaProxy is
# not enabled, this flag will not take effect.
# ServiceInternalTrafficPolicy: false
# Enable traceflow which provides packet tracing feature to diagnose network issue.
# Traceflow: true
Expand Down Expand Up @@ -4054,7 +4059,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-65f7gf8456
name: antrea-config-4k4k9kmfbg
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -4125,7 +4130,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-65f7gf8456
value: antrea-config-4k4k9kmfbg
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
Expand Down Expand Up @@ -4176,7 +4181,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-65f7gf8456
name: antrea-config-4k4k9kmfbg
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -4460,7 +4465,7 @@ spec:
path: /home/kubernetes/bin
name: host-cni-bin
- configMap:
name: antrea-config-65f7gf8456
name: antrea-config-4k4k9kmfbg
name: antrea-config
- hostPath:
path: /etc/cni/net.d
13 changes: 9 additions & 4 deletions build/yamls/antrea-ipsec.yml
Expand Up @@ -3773,6 +3773,11 @@ data:
# this flag will not take effect.
# EndpointSlice: false
# Enables ServiceInternalTrafficPolicy in AntreaProxy. Don't enable this feature unless the
# ServiceInternalTrafficPolicy feature gate of kube-apiserver is also enabled. If AntreaProxy is
# not enabled, this flag will not take effect.
# ServiceInternalTrafficPolicy: false
# Enable traceflow which provides packet tracing feature to diagnose network issue.
# Traceflow: true
Expand Down Expand Up @@ -4059,7 +4064,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-fcd8c2h5b5
name: antrea-config-td8b5dk788
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -4139,7 +4144,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-fcd8c2h5b5
value: antrea-config-td8b5dk788
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
Expand Down Expand Up @@ -4190,7 +4195,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-fcd8c2h5b5
name: antrea-config-td8b5dk788
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -4506,7 +4511,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-fcd8c2h5b5
name: antrea-config-td8b5dk788
name: antrea-config
- hostPath:
path: /etc/cni/net.d
13 changes: 9 additions & 4 deletions build/yamls/antrea.yml
Expand Up @@ -3773,6 +3773,11 @@ data:
# this flag will not take effect.
# EndpointSlice: false
# Enables ServiceInternalTrafficPolicy in AntreaProxy. Don't enable this feature unless the
# ServiceInternalTrafficPolicy feature gate of kube-apiserver is also enabled. If AntreaProxy is
# not enabled, this flag will not take effect.
# ServiceInternalTrafficPolicy: false
# Enable traceflow which provides packet tracing feature to diagnose network issue.
# Traceflow: true
Expand Down Expand Up @@ -4059,7 +4064,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-dhb74b822t
name: antrea-config-cd9cm848fc
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -4130,7 +4135,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-dhb74b822t
value: antrea-config-cd9cm848fc
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
Expand Down Expand Up @@ -4181,7 +4186,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-dhb74b822t
name: antrea-config-cd9cm848fc
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -4462,7 +4467,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-dhb74b822t
name: antrea-config-cd9cm848fc
name: antrea-config
- hostPath:
path: /etc/cni/net.d
5 changes: 5 additions & 0 deletions build/yamls/base/conf/antrea-agent.conf
Expand Up @@ -10,6 +10,11 @@ featureGates:
# this flag will not take effect.
# EndpointSlice: false

# Enables ServiceInternalTrafficPolicy in AntreaProxy. Don't enable this feature unless the
# ServiceInternalTrafficPolicy feature gate of kube-apiserver is also enabled. If AntreaProxy is
# not enabled, this flag will not take effect.
# ServiceInternalTrafficPolicy: false

# Enable traceflow which provides packet tracing feature to diagnose network issue.
# Traceflow: true

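Review bot: the new comment should state the minimum Kubernetes version alongside the feature-gate requirement: the commit message says InternalTrafficPolicy was introduced in Kubernetes 1.21, and the instruction to enable the kube-apiserver gate cannot be followed on older releases. Suggest `# ServiceInternalTrafficPolicy feature gate of kube-apiserver (Kubernetes 1.21+) is also enabled. If AntreaProxy is` as the second line. Since the agent has no way to verify the apiserver's gates, it would also help to say what an operator observes when the Antrea gate is on but the apiserver gate is off, rather than leaving that failure mode implicit.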
7 changes: 4 additions & 3 deletions cmd/antrea-agent/agent.go
Expand Up @@ -202,14 +202,15 @@ func run(o *Options) error {
v4Enabled := config.IsIPv4Enabled(nodeConfig, networkConfig.TrafficEncapMode)
v6Enabled := config.IsIPv6Enabled(nodeConfig, networkConfig.TrafficEncapMode)
proxyAll := o.config.AntreaProxy.ProxyAll
serviceInternalTrafficPolicy := features.DefaultFeatureGate.Enabled(features.ServiceInternalTrafficPolicy)

switch {
case v4Enabled && v6Enabled:
proxier = proxy.NewDualStackProxier(nodeConfig.Name, informerFactory, ofClient, routeClient, nodePortAddressesIPv4, nodePortAddressesIPv6, proxyAll)
proxier = proxy.NewDualStackProxier(nodeConfig.Name, informerFactory, ofClient, routeClient, nodePortAddressesIPv4, nodePortAddressesIPv6, proxyAll, serviceInternalTrafficPolicy)
case v4Enabled:
proxier = proxy.NewProxier(nodeConfig.Name, informerFactory, ofClient, false, routeClient, nodePortAddressesIPv4, proxyAll)
proxier = proxy.NewProxier(nodeConfig.Name, informerFactory, ofClient, false, routeClient, nodePortAddressesIPv4, proxyAll, serviceInternalTrafficPolicy)
case v6Enabled:
proxier = proxy.NewProxier(nodeConfig.Name, informerFactory, ofClient, true, routeClient, nodePortAddressesIPv6, proxyAll)
proxier = proxy.NewProxier(nodeConfig.Name, informerFactory, ofClient, true, routeClient, nodePortAddressesIPv6, proxyAll, serviceInternalTrafficPolicy)
default:
return fmt.Errorf("at least one of IPv4 or IPv6 should be enabled")
}
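Review bot: each NewProxier call now carries three adjacent positional booleans (`false`/`true` for IPv6, `proxyAll`, `serviceInternalTrafficPolicy`), and NewDualStackProxier two, which makes mis-ordered arguments easy to write and hard to spot in review; consider moving the proxy settings into an options struct, or at least naming the IPv6 literal. The variable name `serviceInternalTrafficPolicy` also reads as the policy value rather than a gate state; `serviceInternalTrafficPolicyEnabled` would match the `features.DefaultFeatureGate.Enabled(...)` call it is assigned from and the existing `proxyAll` naming.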
35 changes: 24 additions & 11 deletions docs/feature-gates.md
Expand Up @@ -33,17 +33,18 @@ example, to enable `AntreaProxy` on Linux, edit the Agent configuration in the

## List of Available Features

| Feature Name | Component | Default | Stage | Alpha Release | Beta Release | GA Release | Extra Requirements | Notes |
| ----------------------- | ------------------ | ------- | ----- | ------------- | ------------ | ---------- | ------------------ | ----- |
| `AntreaProxy` | Agent | `true` | Beta | v0.8 | v0.11 | N/A | Yes | Must be enabled for Windows. |
| `EndpointSlice` | Agent | `false` | Alpha | v0.13.0 | N/A | N/A | Yes | |
| `AntreaPolicy` | Agent + Controller | `true` | Beta | v0.8 | v1.0 | N/A | No | Agent side config required from v0.9.0+. |
| `Traceflow` | Agent + Controller | `true` | Beta | v0.8 | v0.11 | N/A | Yes | |
| `FlowExporter` | Agent | `false` | Alpha | v0.9 | N/A | N/A | Yes | |
| `NetworkPolicyStats` | Agent + Controller | `true` | Beta | v0.10 | v1.2 | N/A | No | |
| `NodePortLocal` | Agent | `false` | Alpha | v0.13 | N/A | N/A | Yes | Important user-facing change in v1.2.0 |
| `Egress` | Agent + Controller | `false` | Alpha | v1.0 | N/A | N/A | Yes | |
| `NodeIPAM` | Controller | `false` | Alpha | v1.4 | N/A | N/A | Yes | |
| Feature Name | Component | Default | Stage | Alpha Release | Beta Release | GA Release | Extra Requirements | Notes |
| ------------------------------- | ------------------ | ------- | ----- | ------------- | ------------ | ---------- | ------------------ | ----- |
| `AntreaProxy` | Agent | `true` | Beta | v0.8 | v0.11 | N/A | Yes | Must be enabled for Windows. |
| `EndpointSlice` | Agent | `false` | Alpha | v0.13.0 | N/A | N/A | Yes | |
| `ServiceInternalTrafficPolicy` | Agent | `false` | Alpha | v1.4 | N/A | N/A | No | |
| `AntreaPolicy` | Agent + Controller | `true` | Beta | v0.8 | v1.0 | N/A | No | Agent side config required from v0.9.0+. |
| `Traceflow` | Agent + Controller | `true` | Beta | v0.8 | v0.11 | N/A | Yes | |
| `FlowExporter` | Agent | `false` | Alpha | v0.9 | N/A | N/A | Yes | |
| `NetworkPolicyStats` | Agent + Controller | `true` | Beta | v0.10 | v1.2 | N/A | No | |
| `NodePortLocal` | Agent | `false` | Alpha | v0.13 | N/A | N/A | Yes | Important user-facing change in v1.2.0 |
| `Egress` | Agent + Controller | `false` | Alpha | v1.0 | N/A | N/A | Yes | |
| `NodeIPAM` | Controller | `false` | Alpha | v1.4 | N/A | N/A | Yes | |

## Description and Requirements of Features

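Review bot: the new `ServiceInternalTrafficPolicy` row sets Extra Requirements to `No`, but the agent configuration comment added in this same commit says the feature must not be enabled unless the kube-apiserver `ServiceInternalTrafficPolicy` feature gate is also enabled, which is an extra requirement by the table's own convention. Change the column to `Yes` so the table and the configuration file agree, and document the requirement in the feature's section below.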
Expand Down Expand Up @@ -82,6 +83,18 @@ and will not implement Cluster IP functionality as expected.
When using the OVS built-in kernel module (which is the most common case), your
kernel version must be >= 4.6 (as opposed to >= 4.4 without this feature).

### ServiceInternalTrafficPolicy

`ServiceInternalTrafficPolicy` enables internal traffic restrictions to only route internal
traffic to Endpoints within the Node the traffic originated from. The "internal" traffic
here refers to traffic originated from Pods in the current cluster. This can help to reduce
costs and improve performance. Refer to this [link](https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/)
for more information.

#### Requirements for this Feature

None

### AntreaPolicy

`AntreaPolicy` enables Antrea ClusterNetworkPolicy and Antrea NetworkPolicy CRDs to be
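Review bot: "Requirements for this Feature: None" contradicts the agent.conf comment in this commit, which requires the kube-apiserver `ServiceInternalTrafficPolicy` feature gate; list that gate and the Kubernetes 1.21 minimum from the commit message here instead of `None`. The description would also be more useful to operators if it said how a Service opts in (the `internalTrafficPolicy: Local` setting on the Service spec that the linked Kubernetes page documents) and what AntreaProxy does with traffic to such a Service when the originating Node has no local Endpoint, since that is the behaviour users will need to reason about when debugging dropped connections.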