Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not apply Egress to traffic destined for ServiceCIDRs #5495

Merged
merged 1 commit into from
Sep 20, 2023
Merged

Do not apply Egress to traffic destined for ServiceCIDRs #5495

merged 1 commit into from
Sep 20, 2023

Conversation

tnqn
Copy link
Member

@tnqn tnqn commented Sep 18, 2023

When AntreaProxy is asked to skip some Services or is not running at all, Pod-to-Service traffic would be forwarded to Egress Node and be load-balanced remotely, as opposed to locally, which could incur performance issue and unexpected behaviors.

This patch installs flows to prevent traffic destined for ServiceCIDRs from being SNAT'd.

Fixes #5494

@tnqn tnqn added area/transit/egress Issues or PRs related to Egress (SNAT for traffic egressing the cluster). action/backport Indicates a PR that requires backports. action/release-note Indicates a PR that should be included in release notes. labels Sep 18, 2023
@tnqn tnqn added this to the Antrea v1.14 release milestone Sep 18, 2023
@tnqn
Do not apply Egress to traffic destined for ServiceCIDRs
24b7699 
When AntreaProxy is asked to skip some Services or is not running at
all, Pod-to-Service traffic would be forwarded to Egress Node and be
load-balanced remotely, as opposed to locally, which could incur
performance issue and unexpected behaviors.

This patch installs flows to prevent traffic destined for ServiceCIDRs
from being SNAT'd.

Signed-off-by: Quan Tian <qtian@vmware.com>
@tnqn
Copy link
Member Author

tnqn commented Sep 18, 2023

/test-all
/test-ipv6-all
/test-ipv6-only-all

antoninbas
antoninbas reviewed Sep 18, 2023
View reviewed changes
Copy link
Contributor

@antoninbas antoninbas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am fine with this change.

However, I wonder if instead, we should install flows for skipServices to the AntreaProxy LB table in OVS, and send the packets directly to the host network (same behavior as when AntreaProxy is disabled). This would avoid adding Service flows to the SNAT table. I am being a bit vague here, since I am not super familiar with the current version of the pipeline. This approach may not make sense or be possible.

@tnqn
Copy link
Member Author

tnqn commented Sep 19, 2023

However, I wonder if instead, we should install flows for skipServices to the AntreaProxy LB table in OVS, and send the packets directly to the host network (same behavior as when AntreaProxy is disabled). This would avoid adding Service flows to the SNAT table. I am being a bit vague here, since I am not super familiar with the current version of the pipeline. This approach may not make sense or be possible.

Thanks for the comment. I thought it over, and tend to keep the current approach for a few reasons, please let me know whether they make sense to you or not:

  1. skipServices is not the only case that can bypass AntreaProxy, services with service.kubernetes.io/service-proxy-name label can also bypass it, we would need to consider both. Excluding all ServiceCIDRs from Egress may be simpler to cover all cases regardless of how AntreaProxy is configured and whether it runs.
  2. We have used the way of exception for Node IPs and user configured exceptCIDRs, it may be easier to understand to keep them in the same place.
  3. Bypassing most stages for specific traffic flows generally adds complexity, needing careful consideration and could cause some problems. For example, it would be impossible to enforce Egress NetworkPolicy or enable logging for Services skipped via skipServices config, service-proxy-name label.
  4. I'm even thinking if it really makes sense to have the current behavior of disabled AntreaProxy. It has several problems: in noEncap/policyOnly mode, Egress NetworkPolicy is not enforced when the Pod accesses ANY destination via Service; in encap mode, Egress NetworkPolicy is not enforced when the Pod accesses external destination/hostNetwork Pod (e.g. kube-apiserver) via Service. If we change to make it go over the pipeline, at least user could configure the service IP or leverage toService peer to enforce Egress NetworkPolicy, though it would be an extra configuration compared with enabled AntreaProxy. We can document it clearly: when AntreaProxy is not enabled or a Service is skipped by AntreaProxy, the Egress rule should use Service-oriented peer instead of Endpoint-oriented peer for Pod-to-Service traffic.

hongliangl
hongliangl reviewed Sep 19, 2023
View reviewed changes
Copy link
Contributor

@hongliangl hongliangl left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM overall, just a small question posted in the following.

pkg/agent/controller/egress/egress_controller.go
func (c *EgressController) updateServiceCIDRs(stopCh <-chan struct{}) {
timer := time.NewTimer(0)
defer timer.Stop()
<-timer.C // Consume the first tick.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A basic question: why consume the first tick? Is it for testing?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The timer is used for retry. We don't want it to trigger InstallSNATBypassServiceFlows before receiving a service CIDR update, which is destined to fail, so consume the first tick to avoid it.

@antoninbas
Copy link
Contributor

@tnqn thanks for thinking it over, it makes sense to me.
If we ever need to exclude more Service traffic for features in the future, maybe it will make sense at that point to consider a classifier and register mark early in the pipeline

antoninbas
antoninbas approved these changes Sep 19, 2023
View reviewed changes
Copy link
Contributor

@antoninbas antoninbas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@tnqn
Copy link
Member Author

tnqn commented Sep 20, 2023

@tnqn thanks for thinking it over, it makes sense to me. If we ever need to exclude more Service traffic for features in the future, maybe it will make sense at that point to consider a classifier and register mark early in the pipeline

Yes, makes sense.

@tnqn
Copy link
Member Author

tnqn commented Sep 20, 2023

/test-e2e

1 similar comment
@tnqn
Copy link
Member Author

tnqn commented Sep 20, 2023

/test-e2e

@tnqn tnqn merged commit 5faab07 into antrea-io:main Sep 20, 2023
53 of 61 checks passed
@tnqn tnqn deleted the exclude-service-cidr branch September 20, 2023 07:37
This was referenced Sep 20, 2023
Merged
Merged
@xliuxu xliuxu mentioned this pull request Sep 26, 2023
Merged
@tnqn tnqn added the kind/bug Categorizes issue or PR as related to a bug. label Jan 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hongliangl hongliangl hongliangl left review comments

@antoninbas antoninbas antoninbas approved these changes

@jianjuns jianjuns Awaiting requested review from jianjuns

Assignees
No one assigned
Labels
action/backport Indicates a PR that requires backports. action/release-note Indicates a PR that should be included in release notes. area/transit/egress Issues or PRs related to Egress (SNAT for traffic egressing the cluster). kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
Antrea v1.14 release
Development

Successfully merging this pull request may close these issues.

Egress should not be applied to traffic destined for ServiceCIDRs
3 participants
@tnqn @antoninbas @hongliangl