From 0dfdb8d6ecab89e3c112bd57554bf2a4c6a8e378 Mon Sep 17 00:00:00 2001
From: Jaeryn
Date: Mon, 29 Jun 2020 10:29:43 -0700
Subject: [PATCH 1/2] For HnsV2 we will only add outbound nat policy for single tenant scenario or if enableSnatForDns is true.

---
 network/policy/policy_windows.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/network/policy/policy_windows.go b/network/policy/policy_windows.go
index b5162e9ef4..abd092881d 100644
--- a/network/policy/policy_windows.go
+++ b/network/policy/policy_windows.go
@@ -353,10 +353,12 @@ func GetHcnEndpointPolicies(policyType CNIPolicyType, policies []Policy, epInfoD
 		if policy.Type == policyType {
 			var err error
 			var endpointPolicy hcn.EndpointPolicy
+			var isOutboundNatPolicy bool
 			switch GetPolicyType(policy) {
 			case OutBoundNatPolicy:
 				endpointPolicy, err = GetHcnOutBoundNATPolicy(policy, epInfoData)
+				isOutboundNatPolicy = true
 			case RoutePolicy:
 				endpointPolicy, err = GetHcnRoutePolicy(policy)
 			case PortMappingPolicy:
@@ -371,8 +373,10 @@ func GetHcnEndpointPolicies(policyType CNIPolicyType, policies []Policy, epInfoD
 				return hcnEndPointPolicies, err
 			}
-			hcnEndPointPolicies = append(hcnEndPointPolicies, endpointPolicy)
-			log.Printf("Successfully set the policy: %+v", endpointPolicy)
+			if !(isOutboundNatPolicy && enableMultiTenancy && !enableSnatForDns) {
+				hcnEndPointPolicies = append(hcnEndPointPolicies, endpointPolicy)
+				log.Printf("Successfully set the policy: %+v", endpointPolicy)
+			}
 		}
 	}

From 7cff596b05a6ba1046f983bc429ff8f4bc351ebf Mon Sep 17 00:00:00 2001
From: Jaeryn
Date: Wed, 15 Jul 2020 10:44:30 -0700
Subject: [PATCH 2/2] adding comments to detail results of determineSnat func

---
 cni/network/network.go | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/cni/network/network.go b/cni/network/network.go
index 9b93463a6b..e576b004bd 100644
--- a/cni/network/network.go
+++ b/cni/network/network.go
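Review bot: In the `@@ -371` hunk of policy_windows.go the outbound NAT policy is dropped silently: when `isOutboundNatPolicy && enableMultiTenancy && !enableSnatForDns` holds, neither the append nor any log line runs, so an endpoint that ends up without outbound NAT in a multi-tenant deployment leaves no trace in the CNI log. Turning the negated compound condition into an explicit skip branch with its own log line keeps the decision visible to an operator and is easier to read than `if !(a && b && !c)`. Note that `GetHcnOutBoundNATPolicy(policy, epInfoData)` in the `@@ -353` hunk is still invoked and its error still aborts the function even when the result is then discarded; if building the policy is not needed in that case, the skip could be decided before the switch. Where `enableMultiTenancy` and `enableSnatForDns` come from is outside the hunk (the signature is cut off at `epInfoD`), so that part is inferred; GetHcnEndpointPolicies starts and ends outside both hunks.
```go
			// … unchanged: switch building endpointPolicy and the err check …
			if isOutboundNatPolicy && enableMultiTenancy && !enableSnatForDns {
				log.Printf("Skipping outbound NAT policy: multitenancy enabled and SNAT for DNS disabled")
			} else {
				hcnEndPointPolicies = append(hcnEndPointPolicies, endpointPolicy)
				log.Printf("Successfully set the policy: %+v", endpointPolicy)
			}
```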
@@ -1101,7 +1101,6 @@ func determineSnat() (bool, bool, error) {
 			log.Errorf("[cni-net] failed to unmarshal to snatConfig with error %v", retrieveSnatConfigErr)
 		}
-
 	}
 	// If we weren't able to retrieve snatConfiguration, query NMAgent
@@ -1127,7 +1126,7 @@ func determineSnat() (bool, bool, error) {
 				fp.Write(jsonStr)
 				fp.Close()
 			} else {
-				log.Printf("[cni-net] failed to save snatConfig")
+				log.Errorf("[cni-net] failed to save snat settings to %s with error: %+v", snatConfigFile, err)
 			}
 		}
 	} else {
@@ -1143,7 +1142,14 @@ func determineSnat() (bool, bool, error) {
 		return snatConfig.EnableSnatForDns, snatConfig.EnableSnatOnHost, retrieveSnatConfigErr
 	}
-	log.Printf("[cni-net] EnableSnatOnHost set to %t; EnableSnatForDns set to %t", snatConfig.EnableSnatOnHost, snatConfig.EnableSnatForDns)
+	log.Printf("[cni-net] saved snat settings %+v to %s", snatConfig, snatConfigFile)
+	if snatConfig.EnableSnatOnHost {
+		log.Printf("[cni-net] enabling SNAT on container host for outbound connectivity")
+	} else if snatConfig.EnableSnatForDns {
+		log.Printf("[cni-net] enabling SNAT on container host for DNS traffic")
+	} else {
+		log.Printf("[cni-net] disabling SNAT on container host")
+	}
 	return snatConfig.EnableSnatForDns, snatConfig.EnableSnatOnHost, nil
 }
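Review bot: In the `@@ -1127` hunk the new `log.Errorf` reports the open failure, but the two context lines just above it, `fp.Write(jsonStr)` and `fp.Close()`, still discard their errors, so a short or failed write of snatConfigFile goes through the success path unnoticed. Which `err` the else branch formats is decided outside the hunk (presumably the error from opening the file in the enclosing `if`), so that part is inferred. Checking both calls, e.g. `if _, werr := fp.Write(jsonStr); werr != nil { log.Errorf("[cni-net] failed to write snat settings to %s with error: %+v", snatConfigFile, werr) }` and likewise for `fp.Close()`, would make a truncated settings file visible here rather than, most likely, as the unmarshal error shown in the `@@ -1101` hunk on the next invocation. determineSnat starts and ends outside the hunk.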
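Review bot: The new `log.Printf("[cni-net] saved snat settings %+v to %s", snatConfig, snatConfigFile)` in the `@@ -1143` hunk runs on every non-error return, including the path in the `@@ -1127` hunk where saving the file just failed and was already logged with log.Errorf, so the log will claim a save that did not happen. Wording it as a report of the effective settings rather than of a save, e.g. `log.Printf("[cni-net] effective snat settings %+v (config file %s)", snatConfig, snatConfigFile)`, keeps it truthful on all paths. Since these two booleans decide whether container traffic is SNATed on the host, this line is what an operator will rely on when diagnosing unexpected egress or DNS behaviour, so it should not overstate what was persisted. The earlier branches of determineSnat, including the one that reads an existing file, are outside the hunk.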