Add annotations to report the Node gateway IPs and restrict traffic t…

…hrough them Signed-off-by: Wenqi Qiu <wenqiq@vmware.com>
antrea-io · Mar 3, 2022 · 6f3842f · 6f3842f
1 parent af7025a
commit 6f3842f
Show file tree

Hide file tree

Showing 7 changed files with 69 additions and 18 deletions.
diff --git a/pkg/agent/agent.go b/pkg/agent/agent.go
@@ -641,6 +641,20 @@ func (i *Initializer) setupGatewayInterface() error {
 		return err
 	}
 
+	// Update the Node Antrea gateway IP address in Node's annotation.
+	gwIPv4Addr, gwIPv6Addr := i.nodeConfig.GatewayConfig.IPv4, i.nodeConfig.GatewayConfig.IPv6
+	klog.InfoS("Updating Node gateway addresses annotation")
+	var ips []string
+	if gwIPv4Addr != nil {
+		ips = append(ips, gwIPv4Addr.String())
+	}
+	if gwIPv6Addr != nil {
+		ips = append(ips, gwIPv6Addr.String())
+	}
+	if err := i.patchNodeAnnotations(i.nodeConfig.Name, types.NodeAntreaGWAddressAnnotationKey, strings.Join(ips, ",")); err != nil {
+		return err
+	}
+
 	return nil
 }
 

diff --git a/pkg/agent/controller/noderoute/node_route_controller.go b/pkg/agent/controller/noderoute/node_route_controller.go
@@ -17,7 +17,6 @@ package noderoute
 import (
 	"fmt"
 	"net"
-	"strings"
 	"time"
 
 	"github.com/containernetworking/plugins/pkg/ip"
@@ -765,21 +764,12 @@ func getNodeMAC(node *corev1.Node) (net.HardwareAddr, error) {
 }
 
 func (c *Controller) getNodeTransportAddrs(node *corev1.Node) (*utilip.DualStackIPs, error) {
-	var transportAddrs = new(utilip.DualStackIPs)
 	if c.networkConfig.TransportIface != "" || len(c.networkConfig.TransportIfaceCIDRs) > 0 {
-		transportAddrsStr := node.Annotations[types.NodeTransportAddressAnnotationKey]
-		if transportAddrsStr != "" {
-			for _, addr := range strings.Split(transportAddrsStr, ",") {
-				peerNodeAddr := net.ParseIP(addr)
-				if peerNodeAddr == nil {
-					return nil, fmt.Errorf("invalid annotation for transport-address on Node %s: %s", node.Name, transportAddrsStr)
-				}
-				if peerNodeAddr.To4() == nil {
-					transportAddrs.IPv6 = peerNodeAddr
-				} else {
-					transportAddrs.IPv4 = peerNodeAddr
-				}
-			}
+		transportAddrs, err := k8s.GetNodeAddressFromAnnotations(node, types.NodeTransportAddressAnnotationKey)
+		if err != nil {
+			return nil, err
+		}
+		if transportAddrs != nil {
 			return transportAddrs, nil
 		}
 		klog.InfoS("Transport address is not found, using NodeIP instead", "node", node.Name)

diff --git a/pkg/agent/types/annotations.go b/pkg/agent/types/annotations.go
@@ -21,6 +21,9 @@ const (
 	// NodeTransportAddressAnnotationKey represents the key of the interface's IP addresses on which the Node transfers Pod traffic in the Annotations of the Node.
 	NodeTransportAddressAnnotationKey string = "node.antrea.io/transport-addresses"
 
+	// NodeAntreaGWAddressAnnotationKey represents the key of the antrea gateway interface's IP addresses in the Annotations of the Node.
+	NodeAntreaGWAddressAnnotationKey string = "node.antrea.io/gateway-addresses"
+
 	// NodeWireGuardPublicAnnotationKey represents the key of the Node's WireGuard public key in the Annotations of the Node.
 	NodeWireGuardPublicAnnotationKey string = "node.antrea.io/wireguard-public-key"
 

diff --git a/pkg/apis/controlplane/types.go b/pkg/apis/controlplane/types.go
@@ -70,7 +70,7 @@ type ExternalEntityReference struct {
 	Namespace string
 }
 
-// GroupMember represents an resource member to be populated in Groups.
+// GroupMember represents a resource member to be populated in Groups.
 type GroupMember struct {
 	// Pod maintains the reference to the Pod.
 	Pod *PodReference

diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy.go b/pkg/controller/networkpolicy/clusternetworkpolicy.go
@@ -24,6 +24,7 @@ import (
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/klog/v2"
 
+	"antrea.io/antrea/pkg/agent/types"
 	"antrea.io/antrea/pkg/apis/controlplane"
 	crdv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
 	"antrea.io/antrea/pkg/controller/grouping"
@@ -311,7 +312,15 @@ func nodeIPChanged(oldNode, newNode *v1.Node) (bool, error) {
 	if err != nil {
 		return false, err
 	}
-	return reflect.DeepEqual(newIPs, oldIPs), nil
+	oldNodeGWIPs, err := k8s.GetNodeAddressFromAnnotations(oldNode, types.NodeAntreaGWAddressAnnotationKey)
+	if err != nil {
+		return false, err
+	}
+	newNodeGWIPs, err := k8s.GetNodeAddressFromAnnotations(newNode, types.NodeAntreaGWAddressAnnotationKey)
+	if err != nil {
+		return false, err
+	}
+	return !reflect.DeepEqual(newIPs, oldIPs) || !reflect.DeepEqual(oldNodeGWIPs, newNodeGWIPs), nil
 }
 
 func (c *NetworkPolicyController) updateNode(oldObj, newObj interface{}) {

diff --git a/pkg/controller/networkpolicy/networkpolicy_controller.go b/pkg/controller/networkpolicy/networkpolicy_controller.go
@@ -44,6 +44,7 @@ import (
 	"k8s.io/client-go/util/workqueue"
 	"k8s.io/klog/v2"
 
+	types2 "antrea.io/antrea/pkg/agent/types"
 	"antrea.io/antrea/pkg/apis/controlplane"
 	secv1alpha1 "antrea.io/antrea/pkg/apis/crd/v1alpha1"
 	"antrea.io/antrea/pkg/apis/crd/v1alpha2"
@@ -1034,7 +1035,7 @@ func (n *NetworkPolicyController) processNextAppliedToGroupWorkItem() bool {
 }
 
 // syncAddressGroup retrieves all the internal NetworkPolicies which have a
-// reference to this AddressGroup and updates it's Pod IPAddresses set to
+// reference to this AddressGroup and updates its Pod IPAddresses set to
 // reflect the current state of affected GroupMembers based on the GroupSelector.
 func (n *NetworkPolicyController) syncAddressGroup(key string) error {
 	startTime := time.Now()
@@ -1187,6 +1188,16 @@ func nodeToGroupMember(node *v1.Node) *controlplane.GroupMember {
 	if nodeIPs.IPv6 != nil {
 		member.IPs = append(member.IPs, ipStrToIPAddress(nodeIPs.IPv6.String()))
 	}
+	gwIPs, err := k8s.GetNodeAddressFromAnnotations(node, types2.NodeAntreaGWAddressAnnotationKey)
+	if err != nil {
+		return nil
+	}
+	if nodeIPs.IPv4 != nil {
+		member.IPs = append(member.IPs, ipStrToIPAddress(gwIPs.IPv4.String()))
+	}
+	if nodeIPs.IPv6 != nil {
+		member.IPs = append(member.IPs, ipStrToIPAddress(gwIPs.IPv6.String()))
+	}
 	return member
 }
 

diff --git a/pkg/util/k8s/node.go b/pkg/util/k8s/node.go
@@ -17,6 +17,7 @@ package k8s
 import (
 	"fmt"
 	"net"
+	"strings"
 
 	v1 "k8s.io/api/core/v1"
 
@@ -57,3 +58,26 @@ func GetNodeAddrs(node *v1.Node) (*ip.DualStackIPs, error) {
 	}
 	return nodeAddrs, nil
 }
+
+// GetNodeAddressFromAnnotations gets available IPs from the Node Annotation, the annotations are set by Antrea, includes
+// NodeTransportAddressAnnotationKey string = "node.antrea.io/transport-addresses"
+// NodeAntreaGWAddressAnnotationKey string = "node.antrea.io/gateway-addresses"
+func GetNodeAddressFromAnnotations(node *v1.Node, annotationKey string) (*ip.DualStackIPs, error) {
+	var ipAddrs = new(ip.DualStackIPs)
+	annotationAddrsStr := node.Annotations[annotationKey]
+	if annotationAddrsStr != "" {
+		for _, addr := range strings.Split(annotationAddrsStr, ",") {
+			peerNodeAddr := net.ParseIP(addr)
+			if peerNodeAddr == nil {
+				return nil, fmt.Errorf("invalid annotation for ip-address on Node %s: %s", node.Name, annotationAddrsStr)
+			}
+			if peerNodeAddr.To4() == nil {
+				ipAddrs.IPv6 = peerNodeAddr
+			} else {
+				ipAddrs.IPv4 = peerNodeAddr
+			}
+		}
+		return ipAddrs, nil
+	}
+	return nil, nil
+}