Add TrafficControl API
TrafficControl is a feature which allows mirroring or redirecting the
traffic Pods send or receive. It enables users to monitor and analyze
Pod traffic, and to enforce custom network protections for Pods with
fine-grained control over network traffic.

This patch adds types and CRD for TrafficControl API.

Examples:

1. Mirror Pods (web=app) ingress traffic to a VXLAN tunnel
```
apiVersion: crd.antrea.io/v1alpha2
kind: TrafficControl
metadata:
  name: mirror-web-app
spec:
  appliedTo:
    podSelector:
      matchLabels:
        app: web
  direction: Ingress
  action: Mirror
  targetPort:
    vxlan:
      remoteIP: 1.1.1.1
```

2. Redirect Pods (web=app) traffic in both directions to OVS internal
port firewall0 and expect the traffic to re-enter OVS via another OVS
internal port firewall1 if it is not dropped.
```
apiVersion: crd.antrea.io/v1alpha2
kind: TrafficControl
metadata:
  name: redirect
spec:
  appliedTo:
    podSelector:
      matchLabels:
        role: web
  direction: Ingress
  action: Redirect
  targetPort:
    ovsInternal:
      name: firewall0
  returnPort:
    ovsInternal:
      name: firewall1
```

For #3324

Signed-off-by: Quan Tian <qtian@vmware.com>
tnqn committed Apr 26, 2022
1 parent 70bbcb8 commit 6c63252
Showing 20 changed files with 2,295 additions and 10 deletions.
3 changes: 3 additions & 0 deletions build/charts/antrea/conf/antrea-agent.conf
Expand Up @@ -47,6 +47,9 @@ featureGates:
# Enable managing external IPs of Services of LoadBalancer type.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "ServiceExternalIP" "default" false) }}

# Enable mirroring or redirecting the traffic Pods send or receive.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "TrafficControl" "default" false) }}

# Name of the OpenVSwitch bridge antrea-agent will create and use.
# Make sure it doesn't conflict with your existing OpenVSwitch bridges.
ovsBridge: {{ .Values.ovs.bridgeName | quote }}
1 change: 1 addition & 0 deletions build/charts/antrea/templates/agent/clusterrole.yaml
Expand Up @@ -167,6 +167,7 @@ rules:
resources:
- externalippools
- ippools
- trafficcontrols
verbs:
- get
- watch
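Review bot: The verbs visible for the rule that now lists `trafficcontrols` are only `get` and `watch`; the verb list continues past the hunk, so confirm `list` is also present if the agent consumes the new resource through an informer, which needs both list and watch. The rule block starts and ends outside the hunk, so this cannot be verified from the diff alone.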
293 changes: 291 additions & 2 deletions build/yamls/antrea-aks.yml
Expand Up @@ -85,6 +85,9 @@ data:
# Enable managing external IPs of Services of LoadBalancer type.
# ServiceExternalIP: false
# Enable mirroring or redirecting the traffic Pods send or receive.
# TrafficControl: false
# Name of the OpenVSwitch bridge antrea-agent will create and use.
# Make sure it doesn't conflict with your existing OpenVSwitch bridges.
ovsBridge: "br-int"
Expand Down Expand Up @@ -2493,6 +2496,291 @@ spec:
shortNames:
- tf
---
# Source: antrea/templates/crds/trafficcontrol.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: trafficcontrols.crd.antrea.io
spec:
group: crd.antrea.io
versions:
- name: v1alpha2
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
spec:
type: object
required:
- appliedTo
- direction
- action
- targetPort
properties:
appliedTo:
type: object
properties:
podSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaceSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
direction:
type: string
enum:
- Ingress
- Egress
- Both
action:
type: string
enum:
- Mirror
- Redirect
targetPort:
type: object
oneOf:
- required: [ovsInternal]
- required: [device]
- required: [geneve]
- required: [vxlan]
- required: [gre]
- required: [erspan]
properties:
ovsInternal:
type: object
required:
- name
properties:
name:
type: string
device:
type: object
required:
- name
properties:
name:
type: string
geneve:
type: object
required:
- remoteIP
properties:
remoteIP:
type: string
oneOf:
- format: ipv4
- format: ipv6
vni:
type: integer
minimum: 0
maximum: 16777215
destinationPort:
type: integer
minimum: 1
maximum: 65535
vxlan:
type: object
required:
- remoteIP
properties:
remoteIP:
type: string
oneOf:
- format: ipv4
- format: ipv6
vni:
type: integer
minimum: 0
maximum: 16777215
destinationPort:
type: integer
minimum: 1
maximum: 65535
gre:
type: object
required:
- remoteIP
properties:
remoteIP:
type: string
oneOf:
- format: ipv4
- format: ipv6
key:
type: integer
minimum: 0
maximum: 4294967295
erspan:
type: object
required:
- remoteIP
- version
properties:
remoteIP:
type: string
oneOf:
- format: ipv4
- format: ipv6
sessionID:
type: integer
minimum: 0
maximum: 1023
version:
type: integer
enum:
- 1
- 2
index:
type: integer
dir:
type: integer
enum:
- 0
- 1
hardwareID:
type: integer
returnPort:
type: object
oneOf:
- required: [ovsInternal]
- required: [device]
- required: [geneve]
- required: [vxlan]
- required: [gre]
properties:
ovsInternal:
type: object
required:
- name
properties:
name:
type: string
device:
type: object
required:
- name
properties:
name:
type: string
geneve:
type: object
required:
- remoteIP
properties:
remoteIP:
type: string
oneOf:
- format: ipv4
- format: ipv6
vni:
type: integer
minimum: 0
maximum: 16777215
destinationPort:
type: integer
minimum: 1
maximum: 65535
vxlan:
type: object
required:
- remoteIP
properties:
remoteIP:
type: string
oneOf:
- format: ipv4
- format: ipv6
vni:
type: integer
minimum: 0
maximum: 16777215
destinationPort:
type: integer
minimum: 1
maximum: 65535
gre:
type: object
required:
- remoteIP
properties:
remoteIP:
type: string
oneOf:
- format: ipv4
- format: ipv6
key:
type: integer
minimum: 0
maximum: 4294967295
additionalPrinterColumns:
- description: Specifies the direction of traffic that should be matched.
jsonPath: .spec.direction
name: Direction
type: string
- description: Specifies the action that should be taken for the traffic.
jsonPath: .spec.action
name: Action
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
subresources:
status: {}
scope: Cluster
names:
plural: trafficcontrols
singular: trafficcontrol
kind: TrafficControl
shortNames:
- tc
---
# Source: antrea/templates/agent/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
Expand Down Expand Up @@ -2663,6 +2951,7 @@ rules:
resources:
- externalippools
- ippools
- trafficcontrols
verbs:
- get
- watch
Expand Down Expand Up @@ -3180,7 +3469,7 @@ spec:
kubectl.kubernetes.io/default-container: antrea-agent
# Automatically restart Pods with a RollingUpdate if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: cb46b22ec258614e4df2cc06aaaba03d2a3ecd008de23288dbdce9cd3cc68647
checksum/config: 4554a36b927c6e64fdbc53b4d4c64673d48c9c829ec444e3be6e699ade8481b6
labels:
app: antrea
component: antrea-agent
Expand Down Expand Up @@ -3420,7 +3709,7 @@ spec:
annotations:
# Automatically restart Pod if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: cb46b22ec258614e4df2cc06aaaba03d2a3ecd008de23288dbdce9cd3cc68647
checksum/config: 4554a36b927c6e64fdbc53b4d4c64673d48c9c829ec444e3be6e699ade8481b6
labels:
app: antrea
component: antrea-controller
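Review bot: `erspan.index` and `erspan.hardwareID` in the new TrafficControl CRD schema carry no `minimum`/`maximum`, while every sibling integer (`sessionID`, `vni`, `key`, `destinationPort`) is bounded, so an out-of-range value passes API-server validation and fails, if at all, only in the agent. ERSPAN's index is a 20-bit field and the hardware ID a 6-bit field, so `minimum: 0` / `maximum: 1048575` and `minimum: 0` / `maximum: 63` would match; confirm against the OVS tunnel documentation before pinning them. The CRD also sets `subresources: status: {}` without a `status` property under `openAPIV3Schema.properties`, so anything written through the status subresource would be pruned; harmless if no component writes status yet, otherwise add the property (or `x-kubernetes-preserve-unknown-fields: true` on it). Since `targetPort` can tunnel the selected Pods' traffic to any `remoteIP` or hand it to any host `device`, a `description` on `targetPort` noting that create/update rights on this cluster-scoped resource are effectively cluster-admin level would help whoever reviews the ClusterRole rules this commit also extends (the same `trafficcontrols` addition appears in the generated ClusterRole further down this file).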
