Add BGPPolicy API

[hongliangl]

No description provided.

[antoninbas]

Added comments on other parts of the API

[antoninbas]

How does it work exactly? In which Namespace are the secrets defined? I assume they need to be created in the same Namespace as Antrea. Does that mean Antrea will need permissions to read all secrets in the kube-system Namespace (I don't think this is the case today).

[hongliangl]

This is a thoughtful question. I found the corresponding implementation in other CNIs:

1. Users assign a Secret reference in a CR, then create the corresponding Serect to store the password. To read the password, the CRD controller needs the get permission to read the corresponding Secret in the kube-system Namespace.
2. Uses set the base64 coded password in an annotation.

I think we could let users set the based64 coded password in a BGPPolicy CR directly. Though it is not a good practice, it is easy for users to use.

If users want to secure their BGP passwords, they could add a password for a BGP peer to the Serect named antrea-bgp-passwords in the kube-system Namespace (assuming that Antrea is installed in the Namespace).

The secret might be like this:

apiVersion: v1
kind: Secret
metadata:
  name: antrea-bgp-passwords
  namespace: kube-system
type: Opaque
data:
  192.168.1.1-65512: dmVyeS1zZWNyZXQ=
  192.168.1.2-65513: dmVyeS1zZWNyZXQ=

Antrea needs the permission get, maybe watch (to watch the update of the secret)

  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - antrea-bgp-passwords
    verbs:
      - get
      - watch

[antoninbas]

I think we should just support the Secret-based method.
The idea of having a single Secret, with a well-known name, mapping BGP peer IDs to passwords, is fine by me. We can also provide a configuration parameter for users to change the Secret name if they want to.

[rajnkamr]

I think with Pod IPs you meant Pod CIDR here, better to change it to pod CIDR instead

[hongliangl]

The updated Advertisements

[tnqn]

Does it have a default value? If not, it shouldn't be a pointer.

[antoninbas]

IMO, it should be a pointer as long as it is optional, regardless of whether or not there is a non-zero default value. It's easier to stick to that rule.

[tnqn]

I assumed it's not optional, there should always be a ASN?

[antoninbas]

I see your point now.
Yes, there should always be an ASN, but the question is does it make sense to default the ASN to 64512 or should we require users to provide a value every time? @hongliangl if 2 K8s clusters are peering to the same local router, I assume it may create a conflict ? And would there be some conflict if 2 different BGPPolicies in the same cluster (applied to a different subset of Nodes) use the same localASN?

[antoninbas]

Thinking about this some more, I feel like logically it is perfectly valid to use the same ASN across different BGPPolicies and even different K8s clusters, while peering to the same router. I'll let @hongliangl comment but I think the current API version works well.

Edit: if one wants to use eBGP to provide Pod-to-Pod connectivity between 2 K8s cluster connected to the same BGP router, then maybe using different localASNs will be required?

[hongliangl]

if 2 K8s clusters are peering to the same local router, I assume it may create a conflict ?

As long as the Node IPs of these 2 k8s clusters are not the same, it's okay for the local router regardless of the value of the ASN. Ideally, each k8s cluster should be treated as an AS, given its fully meshed network implemented by CNI, and the cluster should be assigned a unique ASN. If two k8s clusters use the same ASN, but the network between them is not fully reachable, for the local router, there might be potential BGP issues (I'm not sure what it might be)

And would there be some conflict if 2 different BGPPolicies in the same cluster (applied to a different subset of Nodes) use the same localASN?

In a k8s cluster, all BGPPolicies should use the same ASN as the description above, but it's okay that every Node has its unique ASN.

[hongliangl]

Edit: if one wants to use eBGP to provide Pod-to-Pod connectivity between 2 K8s cluster connected to the same BGP router, then maybe using different localASNs will be required?

It should work using the same localASN, but it is a little weird. Normally, the traffic within an AS (the source and destination are in the same AS) should only be forwarded in this AS.

[antoninbas]

As long as the Node IPs of these 2 k8s clusters are not the same

Is this a valid case anyway? I guess it is with different VRFs

We are getting into advanced use cases. I do agree that the recommendation should be that 2 clusters connected to the same BGP router should use different localASNs, and we can include that in the documentation.

But to go back to @tnqn's original point, maybe we should err on the side of caution and require users to explicitly provide a private ASN? Then we would ensure that users are well-aware of this parameter and configure it appropriately for their use case. It seems like a very small inconvenience, especially considering the fact that users may need to also configure the uplink router to authorize peering for this ASN (I guess that depends on the uplink router's configuration).
How do you feel about making this a required parameter?

[hongliangl]

But to go back to @tnqn's original point, maybe we should err on the side of caution and require users to explicitly provide a private ASN? Then we would ensure that users are well-aware of this parameter and configure it appropriately for their use case. It seems like a very small inconvenience, especially considering the fact that users may need to also configure the uplink router to authorize peering for this ASN (I guess that depends on the uplink router's configuration).

That makes sense to me. Anyway, when users configure the uplink router, they need to set the BGP peers by specifying peer IPs and ASNs. Maybe it's better for users to set the localASN since it is also needed by the configuration of the uplink router.

[hongliangl]

As long as the Node IPs of these 2 k8s clusters are not the same

Is this a valid case anyway? I guess it is with different VRFs

If I understand correctly, for different VRFs in multiple k8s clusters, and the Nodes in these clusters connect to the same uplink router, the IPs of the Node should not overlap, and then each Node can establish a BGP session with the uplink router. Did I miss some background information on your question?

[tnqn]

I'm not familiar with this, just want to confirm if it's typical to assign a default local ASN and the default number works in most cases?

[hongliangl]

For a K8s cluster, the network is fully reachable and implemented by CNI, and the cluster could be treated as an AS (for traditional network, the network is implemented by IGP protocols like OSPF, EIGRP, etc.).

For multiple K8s clusters, at least the network of each cluster is fully reachable. Ideally, every cluster should be treated as an AS, but it's okay for these clusters to use the same ASN when peering to the same router as long as they don't have overlapped Node IPs.

[hongliangl]

For a K8s cluster, it is also okay that different Nodes use different ASNs to peer to the same router.

[tnqn]

Any reason why these booleans are pointers?

[hongliangl]

See #6009 (comment)

[hongliangl]

I have updated some comments of the spec. I would appreciate it if you could help review them for appropriateness and ease of understanding. @antoninbas @tnqn @luolanzone

[tnqn]

LGTM

[antoninbas]

I think localASN should be added to the required properties after the recent changes?

[hongliangl]

I forgot adding this. Will add it. Thanks for pointing out it.

[antoninbas]

/skip-all

[antoninbas]

@hongliangl please remember to update docs/api.md in a future PR

[hongliangl]

@hongliangl please remember to update docs/api.md in a future PR

Done with #6457