New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
daemon: Do not require native routing CIDR if ipmasq-agent is enabled #27747
daemon: Do not require native routing CIDR if ipmasq-agent is enabled #27747
Conversation
/test |
There seems to have been some infra related flakes:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks!
I've left a non-blocking suggestion inline, feel free to ignore that if you think the current version is more readable.
When running with ipmasq-agent-based eBPF masquerading, there should be no need to mandatory require a native routing CIDR, since all CIDRs can be configured via the BPF map instead. This commit therefore does not set the IPV4_SNAT_EXCLUSION_DST_CIDR field if no native routing CIDR is set. Notably, it also does not fall back on the local pod CIDR like we do in regular BPF masquearding, since in many IPAM modes there is no local pod CIDR to begin with. Note that this change is backwards-compatible, because we have a check that ensures that the native routing CIDR is always set if BPF masquerading is enabled. So all existing users of ip-masq-agent already have a native routing CIDR set. The next commit will remove that check and therefore enabling the code path added by this commit. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
Cilium's built-in [ipmasq-agent replacement](https://docs.cilium.io/en/v1.14/network/concepts/masquerading/#ebpf-based) acts as a replacement for the native routing CIDR. Therefore, it does not make sense to require the native routing CIDR if the ipmasq-agent is enabled, since the two flags are basically mutually exclusive. The previous commit already prepared the implementation to not set the IPV4_SNAT_EXCLUSION_DST_CIDR in the datapath if the native routing CIDR is absent. In addition, this commit also slightly restructures and aligns the if condition with the error message, to make it a bit easier to read. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
With the previous commit, we removed the restriction that the user must set a native routing CIDR. This commit adjusts the multi-pool workflow to make use of that change (and incidentally also tests that the previous commit via CI). Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
798bae1
to
a2c3da2
Compare
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@gandro LGTM Nice work Sebastian!
Note: seeing a lot of parallels and similar logic in our codebase related to ipv4/6 handling. Wondering if we could apply generics for these use cases to dry up our code??
Good point. I think there is some experimentation needed first though |
When running with ipmasq-agent-based eBPF masquerading, there should be no need to mandatory require a native routing CIDR, since all CIDRs can be configured via the BPF map instead.
This PR therefore does not set the
IPV4_SNAT_EXCLUSION_DST_CIDR
field if no native routing CIDR is set. Notably, it also does not fall back on the local pod CIDR like we do in regular BPF masquearding, since in many IPAM modes there is no local pod CIDR to begin with.Note that this change is backwards-compatible, because we have a check that ensures that the native routing CIDR is always set if BPF masquerading is enabled. So all existing users of ip-masq-agent already have a native routing CIDR set. This PR also removes that check, thus allowing future uses to not set a native routing CIDR when running with ipmasq-agent based masquerading.