Initial egress connections from Pods go out with node IP rather than Egress IP assigned #3361
Labels
kind/bug
Categorizes issue or PR as related to a bug.
Comments
tnqn
added a commit
to tnqn/antrea
that referenced
this issue
Feb 25, 2022
Previously antrea-controller only included a Pod in an EgressGroup only when its IP has been presented in K8s API. If a Pod tries to access external right after it's up, Node IP will be used as the SNAT IP even when an Egress applying to it has been created because its Pod IP may haven't been reported to K8s API or antrea-controller may haven't included the Pod in the EgressGroup. This patch fixes it by making CNIServer notify EgressController that it has processed CNI ADD request of a Pod, then EgressController can reconcile the corresponding Egress immediately, instead of waiting for the Pod to be reported to K8s API. As NetworkPolicyController relies on that event as well, we introduce a channel implementation which supports multiple subscribers. Fixes antrea-io#3361 Signed-off-by: Quan Tian <qtian@vmware.com>
tnqn
added a commit
to tnqn/antrea
that referenced
this issue
Feb 25, 2022
Previously antrea-controller only included a Pod in an EgressGroup only when its IP has been presented in K8s API. If a Pod tries to access external right after it's up, Node IP will be used as the SNAT IP even when an Egress applying to it has been created because its Pod IP may haven't been reported to K8s API or antrea-controller may haven't included the Pod in the EgressGroup. This patch fixes it by making CNIServer notify EgressController that it has processed CNI ADD request of a Pod, then EgressController can reconcile the corresponding Egress immediately, instead of waiting for the Pod to be reported to K8s API. As NetworkPolicyController relies on that event as well, we introduce a channel implementation which supports multiple subscribers. Fixes antrea-io#3361 Signed-off-by: Quan Tian <qtian@vmware.com>
tnqn
added a commit
to tnqn/antrea
that referenced
this issue
Feb 28, 2022
Previously antrea-controller only included a Pod in an EgressGroup only when its IP has been presented in K8s API. If a Pod tries to access external right after it's up, Node IP will be used as the SNAT IP even when an Egress applying to it has been created because its Pod IP may haven't been reported to K8s API or antrea-controller may haven't included the Pod in the EgressGroup. This patch fixes it by making CNIServer notify EgressController that it has processed CNI ADD request of a Pod, then EgressController can reconcile the corresponding Egress immediately, instead of waiting for the Pod to be reported to K8s API. As NetworkPolicyController relies on that event as well, we introduce a channel implementation which supports multiple subscribers. Fixes antrea-io#3361 Signed-off-by: Quan Tian <qtian@vmware.com>
tnqn
added a commit
to tnqn/antrea
that referenced
this issue
Mar 1, 2022
Previously antrea-controller included a Pod in an EgressGroup only when its IP has been presented in K8s API. If a Pod tries to access external right after it's up, Node IP will be used as the SNAT IP even when an Egress applying to it has been created because its Pod IP may haven't been reported to K8s API or antrea-controller may haven't included the Pod in the EgressGroup. This patch fixes it by making CNIServer notify EgressController that it has processed CNI ADD request of a Pod, then EgressController can reconcile the corresponding Egress immediately, instead of waiting for the Pod to be reported to K8s API. As NetworkPolicyController relies on that event as well, we introduce a channel implementation which supports multiple subscribers. Fixes antrea-io#3361 Signed-off-by: Quan Tian <qtian@vmware.com>
tnqn
added a commit
that referenced
this issue
Mar 2, 2022
Previously antrea-controller included a Pod in an EgressGroup only when its IP has been presented in K8s API. If a Pod tries to access external right after it's up, Node IP will be used as the SNAT IP even when an Egress applying to it has been created because its Pod IP may haven't been reported to K8s API or antrea-controller may haven't included the Pod in the EgressGroup. This patch fixes it by making CNIServer notify EgressController that it has processed CNI ADD request of a Pod, then EgressController can reconcile the corresponding Egress immediately, instead of waiting for the Pod to be reported to K8s API. As NetworkPolicyController relies on that event as well, we introduce a channel implementation which supports multiple subscribers. Fixes #3361 Signed-off-by: Quan Tian <qtian@vmware.com>
tnqn
added a commit
to tnqn/antrea
that referenced
this issue
Mar 2, 2022
Previously antrea-controller included a Pod in an EgressGroup only when its IP has been presented in K8s API. If a Pod tries to access external right after it's up, Node IP will be used as the SNAT IP even when an Egress applying to it has been created because its Pod IP may haven't been reported to K8s API or antrea-controller may haven't included the Pod in the EgressGroup. This patch fixes it by making CNIServer notify EgressController that it has processed CNI ADD request of a Pod, then EgressController can reconcile the corresponding Egress immediately, instead of waiting for the Pod to be reported to K8s API. As NetworkPolicyController relies on that event as well, we introduce a channel implementation which supports multiple subscribers. Fixes antrea-io#3361 Signed-off-by: Quan Tian <qtian@vmware.com>
tnqn
added a commit
that referenced
this issue
Mar 3, 2022
Previously antrea-controller included a Pod in an EgressGroup only when its IP has been presented in K8s API. If a Pod tries to access external right after it's up, Node IP will be used as the SNAT IP even when an Egress applying to it has been created because its Pod IP may haven't been reported to K8s API or antrea-controller may haven't included the Pod in the EgressGroup. This patch fixes it by making CNIServer notify EgressController that it has processed CNI ADD request of a Pod, then EgressController can reconcile the corresponding Egress immediately, instead of waiting for the Pod to be reported to K8s API. As NetworkPolicyController relies on that event as well, we introduce a channel implementation which supports multiple subscribers. Fixes #3361 Signed-off-by: Quan Tian <qtian@vmware.com>
GraysonWu
pushed a commit
to GraysonWu/antrea
that referenced
this issue
Mar 10, 2022
Previously antrea-controller included a Pod in an EgressGroup only when its IP has been presented in K8s API. If a Pod tries to access external right after it's up, Node IP will be used as the SNAT IP even when an Egress applying to it has been created because its Pod IP may haven't been reported to K8s API or antrea-controller may haven't included the Pod in the EgressGroup. This patch fixes it by making CNIServer notify EgressController that it has processed CNI ADD request of a Pod, then EgressController can reconcile the corresponding Egress immediately, instead of waiting for the Pod to be reported to K8s API. As NetworkPolicyController relies on that event as well, we introduce a channel implementation which supports multiple subscribers. Fixes antrea-io#3361 Signed-off-by: Quan Tian <qtian@vmware.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
If a Pod tries to access external right after it's up, Node IP will be used as the SNAT IP even when an Egress applying to it has been created.
To Reproduce
Expected
A Pod should use Egress IP as source IP when accessing external in its whole lifycycle consistently when the Egress is created in advance.
Actual behavior
A Pod uses Node IP first, then Egress IP even when the Egress is created in advance.
Versions:
The text was updated successfully, but these errors were encountered: