bpf: Inter-cluster SNAT with ClusterIP global service #24212
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
YutaroHayakawa
added
sig/datapath
YutaroHayakawa
force-pushed
the
yutaro/oss/clustermesh-overlapping-podcidr/datapath
branch
2 times, most recently
from
6dd5a01
to
8bcaac1
Compare
YutaroHayakawa
force-pushed
the
yutaro/oss/clustermesh-overlapping-podcidr/datapath
branch
from
8bcaac1
to
f4a939c
Compare
|
/test |
YutaroHayakawa
force-pushed
the
yutaro/oss/clustermesh-overlapping-podcidr/datapath
branch
from
f4a939c
to
b656676
Compare
|
/test |
YutaroHayakawa
force-pushed
the
yutaro/oss/clustermesh-overlapping-podcidr/datapath
branch
from
b656676
to
baa2a01
Compare
|
/test |
|
/test-1.26-net-next |
YutaroHayakawa
force-pushed
the
yutaro/oss/clustermesh-overlapping-podcidr/datapath
branch
from
baa2a01
to
5fa9097
Compare
|
/test |
|
/test-1.26-net-next |
|
/test-1.16-4.19 |
YutaroHayakawa
force-pushed
the
yutaro/oss/clustermesh-overlapping-podcidr/datapath
branch
from
5d76501
to
1b30eed
Compare
|
/test-1.16-4.19 |
|
/ci-verifier |
YutaroHayakawa
force-pushed
the
yutaro/oss/clustermesh-overlapping-podcidr/datapath
branch
from
1b30eed
to
26e9ce0
Compare
|
/test-1.16-4.19 |
|
/test-only --focus="K8sDatapathVerifier" |
YutaroHayakawa
force-pushed
the
yutaro/oss/clustermesh-overlapping-podcidr/datapath
branch
from
a53fba2
to
74d8fc4
Compare
|
/test-only --focus="K8sDatapathVerifier" |
YutaroHayakawa
force-pushed
the
yutaro/oss/clustermesh-overlapping-podcidr/datapath
branch
from
74d8fc4
to
3277a0a
Compare
|
/test-only --focus="K8sDatapathVerifier" |
|
/test-1.16-4.19 |
|
/test |
Introduce an egress side of the inter-cluster SNAT. The essential parts are as follows. 1. We carry around the ClusterID with mark (for lxc -> overlay redirect) and skb->cb (for tailcalls). 2. We recognize the inter-cluster communication using the ClusterID. If the ClusterID is not 0 and not the same as local ClusterID, then it's inter-cluster communication. 3. To track SNAT mapping, we use per-cluster SNAT map. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
This commit implements the receive path of the cluster mesh with overlapping PodCIDR on service backend side (not a revSNAT path). When the packet comes from tunnel and go to local endpoints, propergate information that the packet comes from tunnel to handle_policy call. It finally reaches to the ct_create for the new connection and records from_tunnel into conntrack entry. So that we can correctly put packets back to tunnel on return path. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
In the reply path of the inter-cluster communication, we lookup the conntrack entry created on the request path. If the conntrack entry has from_tunnel set and if the destination IP address is remote-node IP (we can recognize it by the identity from ipcache), we set tunnel_endpoint to destination IP address (remote-node IP, which should also be a remote tunnel endpoint) and redirect packet to the tunnel device. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
Introduce an ingress side of the inter-cluster SNAT. First, we obtain ClusterID from security identity and check if the packet is from the remote cluster. After that, we check the destination IP address and if the IP address is IPV4_INTER_CLUSTER_SNAT, we'll perform revSNAT. We separate the revSNAT logic into tailcall since we hit the complexity limit in the kernel 4.19. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
Transfer ClusterID using metadata from overlay, call into handle_policy and lookup per-cluster conntrack map with ingress direction. It should have the entry we created on the egress path. Thus, we do revDNAT for service, bypass ingress policy and reach to the client Pod. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
Initialize per-cluster CT/SNAT map when BPF_TEST macro is defined. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
Added four new test files to test TCP three-way handshake with inter-cluster SNAT communication. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
Disable coverage report for some tests affected by Coverbee's bug. cilium/coverbee#7 Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
YutaroHayakawa
force-pushed
the
yutaro/oss/clustermesh-overlapping-podcidr/datapath
branch
from
c6b9537
to
9a274db
Compare
|
/test |
|
/ci-gke |
|
/gateway-api-conformance-test |
2 similar comments
|
/gateway-api-conformance-test |
|
/gateway-api-conformance-test |
|
@julianwiedmann I resolved your comments. Wrt the 32bit |
|
Now it's ready to merge @nathanjsweet. Please give me 🍏 and if I win the race, please mark this PR |
kaworu
approved these changes
Mar 22, 2023
There was a problem hiding this comment.
Hubble protobuf changes LGTM, will let @nathanjsweet decide on the DropReason enum value race between this PR and #23890.
YutaroHayakawa
added
the
ready-to-merge
7 tasks
pchaigno
reviewed
Mar 24, 2023
maintainer-s-little-helper
bot
removed
the
ready-to-merge
aanm
reviewed
Apr 5, 2023
| @@ -850,7 +861,8 @@ struct ct_entry { | |||
| dsr:1, | |||
| from_l7lb:1, /* Connection is originated from an L7 LB proxy */ | |||
| auth_required:1, | |||
| reserved:6; | |||
| from_tunnel:1, /* Connection is over tunnel */ | |||
There was a problem hiding this comment.
@YutaroHayakawa I noticed that we are missing some visibility information when we are dumping the CT map. Shouldn't we add a "FromTunnel" in here?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implement very basic inter-cluster SNAT logic with ClusterIP global service. All the features are hidden behind the conditional macro, so it shouldn't affect the existing code path.
The datapath changes are split into small pieces. Here's a quick guide to how commits are organized.
Client/Egressindicates which code path you're in.