Skip to content

[Swift] Add snat rule to host IP for IMDS for CNS IPAM #988

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 3, 2021
Merged

[Swift] Add snat rule to host IP for IMDS for CNS IPAM #988

merged 2 commits into from
Sep 3, 2021

Conversation

@thatmattlong
Copy link
Collaborator

@thatmattlong thatmattlong commented Sep 2, 2021
edited
Loading

Reason for Change:

Let Pods query IMDS when CNS is doing the IPAM (when IPs come from secondary IPs of NC)

Requirements:

Notes:

rbtr
rbtr reviewed Sep 2, 2021
View reviewed changes
iptables/iptables.go
const (
AzureDNS = "168.63.129.16"
AzureDNS = "168.63.129.16"
AzureIMDS = "169.254.169.254"
Copy link
Collaborator

@rbtr rbtr Sep 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

idk what this is for, specifically, but should we do it for the whole link-local block?

Copy link
Collaborator Author

@thatmattlong thatmattlong Sep 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is specifically to allow http traffic to the metadata service from pods. Since NCs are considered "secondary interfaces" and there is an explicit deny rule on the host to drop http traffic from secondary interfaces. So really we only want to snat traffic to this one IP against the host IP , since it gets dropped otherwise. For the rest of link-local there is no explicit deny rule so no need to snat.

tamilmani1989
tamilmani1989 reviewed Sep 2, 2021
View reviewed changes
cni/network/invoker_cns.go
// https://github.com/Azure/AgentBaker/pull/367/files
podTrafficAccept := fmt.Sprintf(" -m iprange ! --dst-range 168.63.129.16-168.63.129.16 -s %s ", ncSubnetPrefix.String())
snatPrimaryIPJump := fmt.Sprintf("%s --to %s", iptables.Snat, info.ncPrimaryIP)
snatHostIPJump := fmt.Sprintf("%s --to %s", iptables.Snat, info.hostPrimaryIP)
Copy link
Member

@tamilmani1989 tamilmani1989 Sep 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add a comment what the rule is?

Copy link
Collaborator Author

@thatmattlong thatmattlong Sep 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

tamilmani1989
tamilmani1989 approved these changes Sep 2, 2021
View reviewed changes
Copy link
Member

@tamilmani1989 tamilmani1989 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@rbtr rbtr merged commit 2e6a5f6 into Azure:master Sep 3, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rbtr rbtr rbtr left review comments

@tamilmani1989 tamilmani1989 tamilmani1989 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@thatmattlong @tamilmani1989 @rbtr