-
Notifications
You must be signed in to change notification settings - Fork 805
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NetworkChaos: Add support for ports in external targets #2932
NetworkChaos: Add support for ports in external targets #2932
Conversation
Signed-off-by: Dominik Miedziński <dominik.miedzinski@allegro.pl>
[REVIEW NOTIFICATION] This pull request has been approved by:
To complete the pull request process, please ask the reviewers in the list to review by filling The full list of commands accepted by this bot can be found here. Reviewer can indicate their review by submitting an approval review. |
Welcome @miedzinski! |
Codecov Report
@@ Coverage Diff @@
## master #2932 +/- ##
==========================================
+ Coverage 37.92% 38.19% +0.27%
==========================================
Files 105 105
Lines 9108 9182 +74
==========================================
+ Hits 3454 3507 +53
- Misses 5344 5366 +22
+ Partials 310 309 -1
Continue to review full report at Codecov.
|
Signed-off-by: Dominik Miedziński <dominik.miedzinski@allegro.pl>
Hi @miedzinski , thanks for your contribution! That's an awesome feature! But this PR is really huge, and it would still break the API of Chaos Mesh (with podnetworkchaos). So I am afraid this PR would not be merged recently. Currently, the design of NetworkChaos does not care about the port thing, it is designed on the Network Layer(IP Layer). If we want to filter the network traffic with ports(actually it's not difficult with iptables and current code base), we should change our design with at least Transport Layer(consider some protocol, TCP/UDP/...). It would make huge changes to the design of NetworkChaos. I think we would better draft an RFC into rfcs before we do that. How do you think about it? @miedzinski |
@STRRL, thanks for your response. You're right there is a problem with backward compatibility of PodNetworkChaos, but I think it's something we can solve:
This way all CRDs are unchanged. There is also a change to protobufs - if you think these shouldn't be changed too, then I can move parsing and resolving external targets to chaos daemon. That would additionally solve a TODO comment. Regarding the RFC process, this is something I'd rather avoid if possible. Filtering traffic by ports is crucial for adoption of Chaos Mesh in my organization, but we definitely don't intend to make huge changes to design of experiments at this point. I don't think the L3 vs L4 is also an issue, because NetworkChaos already resolves hostnames and that's Application Layer. Please let me know if you're okay with changes I suggested. |
We only consider "backward compatibility" now. We could accept appending more fields with default values. But renaming/deleting fields is NOT preferred. I have another idea based on your suggestion. We could extend const (
IPSetTypeHashIP IPSetType = "hash:ip"
IPSetTypeHashIPPort IPSetType = "hash:ip,port"
IPSetTypeListNet IPSetType = "list:net"
// other IPSet types that we need
)
// RawIPSet represents an ipset on specific pod
type RawIPSet struct {
// The name of set ipset
Name string `json:"name"`
IPSetType IPSetType `json:"ipsetType"`
// The contents of ipset.
// Only available when IPSetType is IPSetTypeHashIP
Cidrs []string `json:"cidrs"`
// The contents of ipset.
// Only available when IPSetType is IPSetTypeHashIPPort
CidrAndPorts []CidrAndPort `json:"cidrAndPorts"`
// The contents of ipset.
// Only available when IPSetType is IPSetTypeListNet
SetNames []string `json:"setNames"`
// The name and namespace of the source network chaos
RawRuleSource `json:",inline"`
} We would append three ordered before: [{
"setName": "chaos1_set_tgt",
"netPortName": "chaos1_netPort_tgt",
"netName": "chaos1_net_tgt",
"cidrs": [
{
"cidr": "1.1.1.1",
"port": 53
},
{
"cidr": "1.2.3.4",
"port": 0
}
]
}] after: [
{
"name": "chaos1_ipport_tgt",
"type": "hash:ip,port",
"cidrAndPorts": [
{
"cidr": "1.1.1.1",
"port": 53
}
]
},
{
"name": "chaos1_ip_tgt",
"type": "hash:ip",
"cidrs": [
"1.2.3.4"
]
},
{
"name": "chaos1_set_tgt",
"type": "list:set",
"setName": [
"chaos1_ipport_tgt",
"chaos1_ip_tgt"
]
}
] What do you think about it? @miedzinski |
That's a good solution too. I'll send a patch in the next few days. |
Signed-off-by: Dominik Miedziński <dominik.miedzinski@allegro.pl>
Signed-off-by: Dominik Miedziński <dominik.miedzinski@allegro.pl>
Signed-off-by: Dominik Miedziński <dominik.miedzinski@allegro.pl>
/cc @STRRL |
There is still one field removed from protobuf, but I believe this is not an issue, isn't it? If yes, I can remove a |
It's not an issue. But I still prefer to keep the same layout to |
Signed-off-by: Dominik Miedziński <dominik.miedzinski@allegro.pl>
Signed-off-by: Dominik Miedziński <dominik.miedzinski@allegro.pl>
Signed-off-by: Dominik Miedziński <dominik.miedzinski@allegro.pl>
@STRRL done! Now we're only adding new fields. |
Signed-off-by: Dominik Miedziński <dominik.miedzinski@allegro.pl>
dstIpset := ipset.BuildIPSet(targetPods, externalCidrs, networkchaos, string(tcType[0:2])+ipSetPostFix, m.Source) | ||
impl.Log.Info("apply traffic control with filter", "sources", m.Source, "ipset", dstIpset) | ||
dstSetIPSet, dstOtherIPSets := ipset.BuildIPSets(targetPods, externalCidrs, networkchaos, string(tcType[0:2])+ipSetPostFix, m.Source) | ||
impl.Log.Info("apply traffic control with filter", "sources", m.Source, "ipset", dstSetIPSet) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should print the whole ipset
info at this log.
netPortName := GenerateIPSetName(networkchaos, "netport_"+namePostFix) | ||
|
||
cidrs := []string{} | ||
cidrandPorts := []v1alpha1.CidrAndPort{} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/cidrandPorts/cidrAndPorts/g
// CidrAndPort represents CIDR and port pair | ||
type CidrAndPort struct { | ||
Cidr string `json:"cidr"` | ||
|
||
// +kubebuilder:validation:Minimum=1 | ||
// +kubebuilder:validation:Maximum=65535 | ||
Port uint16 `json:"port"` | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should also append fields to introduce protocol, like tcp
, udp
or icmp
. When specify ipset rule without protocol, it would only specify with tcp
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
example usage like 192.168.1.1,udp:53
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is something I'd rather avoid right now for a couple of reasons:
- This PR is already huge. Filtering by protocols needs more changes to IP sets and/or iptables rules.
- Adding a support for filtering by protocols is outside the scope of this PR.
- Defaulting to TCP would break backward compatibility. As of now Chaos Mesh is protocol agnostic.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got that!
@@ -94,10 +94,10 @@ func (iptables *iptablesClient) setIptablesChain(chain *pb.Chain) error { | |||
var matchPart string | |||
var interfaceMatcher string | |||
if chain.Direction == pb.Chain_INPUT { | |||
matchPart = "src" | |||
matchPart = "src,dst" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do we need this modification? If I'm not wrong, it means this chain applies, iff both the source and destination are in the ipset, which seems not to be what we want?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This means it must match a pair of source IP address and destination port. Please refer to man iptables-extensions - section set, --match-set
parameter and man ipset - section introduction, set dimensions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we need more documentation to describe it but it still makes sense:
- with
action: delay/loss/...
(which requirestc
) anddirection: from
,externalTargets
would not works - with
action: partition
,direction: from
,externalTagets: [10.96.0.0/16:8080]
, if would drop any packet from10.96.0.0/16
to<pod-ip>:8080
.
Hi @miedzinski , could you please append an entry in section |
Signed-off-by: Dominik Miedziński <dominik.miedzinski@allegro.pl>
@STRRL Done! |
Signed-off-by: Dominik Miedziński <dominik.miedzinski@allegro.pl>
db07013
to
4a7e373
Compare
/run-e2e-tests |
Signed-off-by: Dominik Miedziński <dominik.miedzinski@allegro.pl>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
Thanks for your contribution! 🤩
/cc @YangKeao |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
/merge |
This pull request has been accepted and is ready to merge. Commit hash: dd92f71
|
@miedzinski: Your PR was out of date, I have automatically updated it for you. At the same time I will also trigger all tests for you: /run-all-tests If the CI test fails, you just re-trigger the test that failed and the bot will merge the PR for you after the CI passes. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository. |
/run-e2e-tests |
Signed-off-by: Dominik Miedziński dominik.miedzinski@allegro.pl
What problem does this PR solve?
This PR adds support for declaring ports in external targets in NetworkChaos experiments.
What's changed and how it works?
Chaos-daemon now creates 3 IP sets in pods:
hash:net
(same as before),hash:net,port
(allowing for testing ip and port pairs) andlist:set
that combines them. Iptables rules now reference thelist:set
IP set.There are changes to PodNetworkChaos, but NetworkChaos remains unchanged and there's no need to update dashboard.
Related changes
chaos-mesh/website
Dashboard UI
Checklist
Tests
Side effects
Release note