Support Internal Traffic Policy in AntreaProxy
InternalTrafficPolicy was introduced in Kubernetes 1.21. Service Internal
Traffic Policy enables internal traffic restrictions to only route
internal traffic to Endpoints within the Node the traffic originated
from. The "internal" traffic here refers to traffic originating from Pods
in the current cluster. This can help to reduce costs and improve
performance.

Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
hongliangl committed Sep 16, 2021
1 parent e32664e commit 5994fee
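The per-Node endpoint selection that the commit message describes, as an added illustration (not Antrea's proxier code): a hypothetical, trimmed-down `Service`/`Endpoint` model and a `SelectEndpoints` function that applies `internalTrafficPolicy` for traffic originating on a given Node. The `gateEnabled` argument plays the role of the agent-side feature gate boolean this commit threads into the proxier; the sample endpoints are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// TrafficPolicy mirrors the two values Kubernetes accepts for
// Service.spec.internalTrafficPolicy.
type TrafficPolicy string

const (
	PolicyCluster TrafficPolicy = "Cluster"
	PolicyLocal   TrafficPolicy = "Local"
)

// Endpoint is a hypothetical, trimmed-down view of one Service backend.
type Endpoint struct {
	IP       string
	Port     int
	NodeName string // Node hosting the backend Pod
	Ready    bool
}

// Service is a hypothetical, trimmed-down view of the fields that matter here.
type Service struct {
	Name                  string
	InternalTrafficPolicy TrafficPolicy // "" means the field was not set
}

// SelectEndpoints returns the backends a per-Node proxy on localNode should
// program for traffic that originates from Pods on that Node.
//
//   - gateEnabled models the agent-side feature gate: when it is false the
//     Service field is ignored and every ready Endpoint is used, exactly as
//     if the policy were Cluster.
//   - With policy Local only ready Endpoints on localNode are returned. An
//     empty result means "no backend": under upstream Kubernetes semantics a
//     Local policy does not fall back to remote Endpoints, so the caller must
//     not silently widen the set.
func SelectEndpoints(svc Service, localNode string, all []Endpoint, gateEnabled bool) []Endpoint {
	policy := svc.InternalTrafficPolicy
	if !gateEnabled || policy == "" {
		policy = PolicyCluster
	}
	out := make([]Endpoint, 0, len(all))
	for _, ep := range all {
		if !ep.Ready {
			continue
		}
		if policy == PolicyLocal && ep.NodeName != localNode {
			continue
		}
		out = append(out, ep)
	}
	// Deterministic order makes the programmed rules reproducible and easy to diff.
	sort.Slice(out, func(i, j int) bool { return out[i].IP < out[j].IP })
	return out
}

// Constructed sample data: three backends across two Nodes, one not ready.
var sampleEndpoints = []Endpoint{
	{IP: "10.10.1.5", Port: 8080, NodeName: "node-a", Ready: true},
	{IP: "10.10.2.7", Port: 8080, NodeName: "node-b", Ready: true},
	{IP: "10.10.1.9", Port: 8080, NodeName: "node-a", Ready: false},
}

func main() {
	svc := Service{Name: "web", InternalTrafficPolicy: PolicyLocal}
	for _, node := range []string{"node-a", "node-b", "node-c"} {
		eps := SelectEndpoints(svc, node, sampleEndpoints, true)
		if len(eps) == 0 {
			fmt.Printf("%s: no local backend for %s, traffic is not forwarded\n", node, svc.Name)
			continue
		}
		fmt.Printf("%s: %d backend(s) %v\n", node, len(eps), eps)
	}
}
```

The `node-c` case is the one to watch when enabling the feature: a Node with no local Pod of the Service gets no backend at all, which is the intended semantics of `Local` but looks like an outage to anyone who expected the old cluster-wide load balancing.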
Showing 11 changed files with 283 additions and 169 deletions.
13 changes: 9 additions & 4 deletions build/yamls/antrea-aks.yml
Expand Up @@ -3773,6 +3773,11 @@ data:
# this flag will not take effect.
# EndpointSlice: false
# Enables ServiceInternalTrafficPolicy in AntreaProxy. Don't enable this feature unless that feature gateway
# ServiceInternalTrafficPolicy of Kubernetes APIServer is set as enabled. If AntreaProxy is not enabled,
# this flag will not take effect.
# ServiceInternalTrafficPolicy: false
# Enable traceflow which provides packet tracing feature to diagnose network issue.
# Traceflow: true
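Review bot: the comment text introduced here ("unless that feature gateway ServiceInternalTrafficPolicy of Kubernetes APIServer is set as enabled") has a typo, "feature gateway" for "feature gate", and reads awkwardly. The identical text appears in the other four generated manifests in this commit, so fix it once in build/yamls/base/conf/antrea-agent.conf and regenerate the manifests rather than editing each copy by hand.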
Expand Down Expand Up @@ -4054,7 +4059,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-dtc759g79k
name: antrea-config-4k8284md8c
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -4125,7 +4130,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-dtc759g79k
value: antrea-config-4k8284md8c
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
Expand Down Expand Up @@ -4176,7 +4181,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-dtc759g79k
name: antrea-config-4k8284md8c
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -4457,7 +4462,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-dtc759g79k
name: antrea-config-4k8284md8c
name: antrea-config
- hostPath:
path: /etc/cni/net.d
Expand Down
13 changes: 9 additions & 4 deletions build/yamls/antrea-eks.yml
Expand Up @@ -3773,6 +3773,11 @@ data:
# this flag will not take effect.
# EndpointSlice: false
# Enables ServiceInternalTrafficPolicy in AntreaProxy. Don't enable this feature unless that feature gateway
# ServiceInternalTrafficPolicy of Kubernetes APIServer is set as enabled. If AntreaProxy is not enabled,
# this flag will not take effect.
# ServiceInternalTrafficPolicy: false
# Enable traceflow which provides packet tracing feature to diagnose network issue.
# Traceflow: true
Expand Down Expand Up @@ -4054,7 +4059,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-dtc759g79k
name: antrea-config-4k8284md8c
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -4125,7 +4130,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-dtc759g79k
value: antrea-config-4k8284md8c
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
Expand Down Expand Up @@ -4176,7 +4181,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-dtc759g79k
name: antrea-config-4k8284md8c
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -4459,7 +4464,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-dtc759g79k
name: antrea-config-4k8284md8c
name: antrea-config
- hostPath:
path: /etc/cni/net.d
Expand Down
13 changes: 9 additions & 4 deletions build/yamls/antrea-gke.yml
Expand Up @@ -3773,6 +3773,11 @@ data:
# this flag will not take effect.
# EndpointSlice: false
# Enables ServiceInternalTrafficPolicy in AntreaProxy. Don't enable this feature unless that feature gateway
# ServiceInternalTrafficPolicy of Kubernetes APIServer is set as enabled. If AntreaProxy is not enabled,
# this flag will not take effect.
# ServiceInternalTrafficPolicy: false
# Enable traceflow which provides packet tracing feature to diagnose network issue.
# Traceflow: true
Expand Down Expand Up @@ -4054,7 +4059,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-65f7gf8456
name: antrea-config-4g6c87t272
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -4125,7 +4130,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-65f7gf8456
value: antrea-config-4g6c87t272
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
Expand Down Expand Up @@ -4176,7 +4181,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-65f7gf8456
name: antrea-config-4g6c87t272
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -4460,7 +4465,7 @@ spec:
path: /home/kubernetes/bin
name: host-cni-bin
- configMap:
name: antrea-config-65f7gf8456
name: antrea-config-4g6c87t272
name: antrea-config
- hostPath:
path: /etc/cni/net.d
Expand Down
13 changes: 9 additions & 4 deletions build/yamls/antrea-ipsec.yml
Expand Up @@ -3773,6 +3773,11 @@ data:
# this flag will not take effect.
# EndpointSlice: false
# Enables ServiceInternalTrafficPolicy in AntreaProxy. Don't enable this feature unless that feature gateway
# ServiceInternalTrafficPolicy of Kubernetes APIServer is set as enabled. If AntreaProxy is not enabled,
# this flag will not take effect.
# ServiceInternalTrafficPolicy: false
# Enable traceflow which provides packet tracing feature to diagnose network issue.
# Traceflow: true
Expand Down Expand Up @@ -4059,7 +4064,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-fcd8c2h5b5
name: antrea-config-t6td8mhh77
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -4139,7 +4144,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-fcd8c2h5b5
value: antrea-config-t6td8mhh77
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
Expand Down Expand Up @@ -4190,7 +4195,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-fcd8c2h5b5
name: antrea-config-t6td8mhh77
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -4506,7 +4511,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-fcd8c2h5b5
name: antrea-config-t6td8mhh77
name: antrea-config
- hostPath:
path: /etc/cni/net.d
Expand Down
13 changes: 9 additions & 4 deletions build/yamls/antrea.yml
Expand Up @@ -3773,6 +3773,11 @@ data:
# this flag will not take effect.
# EndpointSlice: false
# Enables ServiceInternalTrafficPolicy in AntreaProxy. Don't enable this feature unless that feature gateway
# ServiceInternalTrafficPolicy of Kubernetes APIServer is set as enabled. If AntreaProxy is not enabled,
# this flag will not take effect.
# ServiceInternalTrafficPolicy: false
# Enable traceflow which provides packet tracing feature to diagnose network issue.
# Traceflow: true
Expand Down Expand Up @@ -4059,7 +4064,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-dhb74b822t
name: antrea-config-2tm2m9h7ck
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -4130,7 +4135,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-dhb74b822t
value: antrea-config-2tm2m9h7ck
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
Expand Down Expand Up @@ -4181,7 +4186,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-dhb74b822t
name: antrea-config-2tm2m9h7ck
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -4462,7 +4467,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-dhb74b822t
name: antrea-config-2tm2m9h7ck
name: antrea-config
- hostPath:
path: /etc/cni/net.d
Expand Down
5 changes: 5 additions & 0 deletions build/yamls/base/conf/antrea-agent.conf
Expand Up @@ -10,6 +10,11 @@ featureGates:
# this flag will not take effect.
# EndpointSlice: false

# Enables ServiceInternalTrafficPolicy in AntreaProxy. Don't enable this feature unless that feature gateway
# ServiceInternalTrafficPolicy of Kubernetes APIServer is set as enabled. If AntreaProxy is not enabled,
# this flag will not take effect.
# ServiceInternalTrafficPolicy: false

# Enable traceflow which provides packet tracing feature to diagnose network issue.
# Traceflow: true

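Review bot: "feature gateway" on the first added line should be "feature gate", and the sentence should state the requirement directly, for example `# Don't enable this feature unless the ServiceInternalTrafficPolicy feature gate is enabled on the Kubernetes API server` followed by `# (Kubernetes 1.21+). If AntreaProxy is not enabled, this flag will not take effect.` The commit message ties the feature to Kubernetes 1.21, and this file is the source the five generated manifests above copy from, so the minimum version belongs here.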
Expand Down
7 changes: 4 additions & 3 deletions cmd/antrea-agent/agent.go
Expand Up @@ -202,14 +202,15 @@ func run(o *Options) error {
v4Enabled := config.IsIPv4Enabled(nodeConfig, networkConfig.TrafficEncapMode)
v6Enabled := config.IsIPv6Enabled(nodeConfig, networkConfig.TrafficEncapMode)
proxyAll := o.config.AntreaProxy.ProxyAll
svcInternalTrafficPolicy := features.DefaultFeatureGate.Enabled(features.ServiceInternalTrafficPolicy)

switch {
case v4Enabled && v6Enabled:
proxier = proxy.NewDualStackProxier(nodeConfig.Name, informerFactory, ofClient, routeClient, nodePortAddressesIPv4, nodePortAddressesIPv6, proxyAll)
proxier = proxy.NewDualStackProxier(nodeConfig.Name, informerFactory, ofClient, routeClient, nodePortAddressesIPv4, nodePortAddressesIPv6, proxyAll, svcInternalTrafficPolicy)
case v4Enabled:
proxier = proxy.NewProxier(nodeConfig.Name, informerFactory, ofClient, false, routeClient, nodePortAddressesIPv4, proxyAll)
proxier = proxy.NewProxier(nodeConfig.Name, informerFactory, ofClient, false, routeClient, nodePortAddressesIPv4, proxyAll, svcInternalTrafficPolicy)
case v6Enabled:
proxier = proxy.NewProxier(nodeConfig.Name, informerFactory, ofClient, true, routeClient, nodePortAddressesIPv6, proxyAll)
proxier = proxy.NewProxier(nodeConfig.Name, informerFactory, ofClient, true, routeClient, nodePortAddressesIPv6, proxyAll, svcInternalTrafficPolicy)
default:
return fmt.Errorf("at least one of IPv4 or IPv6 should be enabled")
}
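Review bot: `svcInternalTrafficPolicy` is threaded into `NewProxier` and `NewDualStackProxier` as a second trailing positional bool right after `proxyAll`; two adjacent untyped booleans in one signature can be transposed at a call site without any compile error, so consider passing a small options struct to the proxier constructors instead of growing the parameter list. Also, the registration of `features.ServiceInternalTrafficPolicy` and the proxier code that consumes the new argument are among the changed files not shown on this page (8 of the 11 are visible), so the path from gate to behaviour cannot be checked from this hunk alone.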
Expand Down
30 changes: 19 additions & 11 deletions docs/feature-gates.md
Expand Up @@ -33,17 +33,18 @@ example, to enable `AntreaProxy` on Linux, edit the Agent configuration in the

## List of Available Features

| Feature Name | Component | Default | Stage | Alpha Release | Beta Release | GA Release | Extra Requirements | Notes |
| ----------------------- | ------------------ | ------- | ----- | ------------- | ------------ | ---------- | ------------------ | ----- |
| `AntreaProxy` | Agent | `true` | Beta | v0.8 | v0.11 | N/A | Yes | Must be enabled for Windows. |
| `EndpointSlice` | Agent | `false` | Alpha | v0.13.0 | N/A | N/A | Yes | |
| `AntreaPolicy` | Agent + Controller | `true` | Beta | v0.8 | v1.0 | N/A | No | Agent side config required from v0.9.0+. |
| `Traceflow` | Agent + Controller | `true` | Beta | v0.8 | v0.11 | N/A | Yes | |
| `FlowExporter` | Agent | `false` | Alpha | v0.9 | N/A | N/A | Yes | |
| `NetworkPolicyStats` | Agent + Controller | `true` | Beta | v0.10 | v1.2 | N/A | No | |
| `NodePortLocal` | Agent | `false` | Alpha | v0.13 | N/A | N/A | Yes | Important user-facing change in v1.2.0 |
| `Egress` | Agent + Controller | `false` | Alpha | v1.0 | N/A | N/A | Yes | |
| `NodeIPAM` | Controller | `false` | Alpha | v1.4 | N/A | N/A | Yes | |
| Feature Name | Component | Default | Stage | Alpha Release | Beta Release | GA Release | Extra Requirements | Notes |
| ------------------------------- | ------------------ | ------- | ----- | ------------- | ------------ | ---------- | ------------------ | ----- |
| `AntreaProxy` | Agent | `true` | Beta | v0.8 | v0.11 | N/A | Yes | Must be enabled for Windows. |
| `EndpointSlice` | Agent | `false` | Alpha | v0.13.0 | N/A | N/A | Yes | |
| `ServiceInternalTrafficPolicy` | Agent | `false` | Alpha | v1.4 | N/A | N/A | No | |
| `AntreaPolicy` | Agent + Controller | `true` | Beta | v0.8 | v1.0 | N/A | No | Agent side config required from v0.9.0+. |
| `Traceflow` | Agent + Controller | `true` | Beta | v0.8 | v0.11 | N/A | Yes | |
| `FlowExporter` | Agent | `false` | Alpha | v0.9 | N/A | N/A | Yes | |
| `NetworkPolicyStats` | Agent + Controller | `true` | Beta | v0.10 | v1.2 | N/A | No | |
| `NodePortLocal` | Agent | `false` | Alpha | v0.13 | N/A | N/A | Yes | Important user-facing change in v1.2.0 |
| `Egress` | Agent + Controller | `false` | Alpha | v1.0 | N/A | N/A | Yes | |
| `NodeIPAM` | Controller | `false` | Alpha | v1.4 | N/A | N/A | Yes | |

## Description and Requirements of Features

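Review bot: the new table row marks `ServiceInternalTrafficPolicy` as having no extra requirements ("No"), yet the agent configuration comment added in this same commit says not to enable it unless the Kubernetes API server has the ServiceInternalTrafficPolicy feature gate enabled, and the flag has no effect without AntreaProxy; `EndpointSlice`, which carries the same kind of upstream dependency, is listed as "Yes". Change the column to "Yes" and spell the requirement out in the description section.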
Expand Down Expand Up @@ -82,6 +83,13 @@ and will not implement Cluster IP functionality as expected.
When using the OVS built-in kernel module (which is the most common case), your
kernel version must be >= 4.6 (as opposed to >= 4.4 without this feature).

### ServiceInternalTrafficPolicy

`ServiceInternalTrafficPolicy` enables internal traffic restrictions to only route internal
traffic to Endpoints within the Node the traffic originated from. The "internal" traffic
here refers to traffic originated from Pods in the current cluster. This can help to reduce
costs and improve performance.

### AntreaPolicy

`AntreaPolicy` enables Antrea ClusterNetworkPolicy and Antrea NetworkPolicy CRDs to be
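Review bot: the new `### ServiceInternalTrafficPolicy` description restates the commit message but leaves out what an operator needs before turning it on: the requirements (Kubernetes 1.21+ with the ServiceInternalTrafficPolicy feature gate enabled on the API server, plus AntreaProxy enabled), which the `AntreaProxy` and `EndpointSlice` sections directly above do spell out down to the kernel version, and the behaviour when a Service with `internalTrafficPolicy: Local` has no Endpoint on the originating Node, where upstream Kubernetes semantics drop the traffic rather than fall back to remote Endpoints. One sentence on each would make the feature safe to enable.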
Expand Down

0 comments on commit 5994fee