datapath/test: Do not SNAT for WORLD_ID and enable BPF masquerading by default in CI #11426
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
brb
added
the
area/CI-improvement
|
Please set the appropriate release note label. |
1 similar comment
|
Please set the appropriate release note label. |
|
test-me-please |
|
test-focus K8sDatapath* |
|
test-me-please |
2 similar comments
|
test-me-please |
|
test-me-please |
nebril
approved these changes
May 11, 2020
|
I might need to fix #11464 before this PR can be merged (otherwise, I might introduce flakes) |
|
Commit 961b375843569b39ae8123d32bced835420c8afe does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
maintainer-s-little-helper
bot
added
the
dont-merge/needs-sign-off
brb
force-pushed
the
pr/brb/ci-bpf-masq-by-default
branch
from
961b375
to
bf48cac
Compare
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-sign-off
|
test-me-please |
brb
force-pushed
the
pr/brb/ci-bpf-masq-by-default
branch
from
bf48cac
to
9740e82
Compare
|
test-me-please |
1 similar comment
|
test-me-please |
brb
force-pushed
the
pr/brb/ci-bpf-masq-by-default
branch
from
4a384a1
to
12b58cb
Compare
|
test-me-please |
brb
changed the title
brb
force-pushed
the
pr/brb/ci-bpf-masq-by-default
branch
from
12b58cb
to
e44ad57
Compare
brb
force-pushed
the
pr/brb/ci-bpf-masq-by-default
branch
from
457d243
to
d304749
Compare
|
retest-net-next |
|
test-focus K8sKubeProxyFree* |
|
test-me-please |
Enable BPF masquerading for the {{4.19,net-next},no-kube-proxy} CI jobs.
Signed-off-by: Martynas Pumputis <m@lambda.lt>
brb
force-pushed
the
pr/brb/ci-bpf-masq-by-default
branch
from
d304749
to
95b44a6
Compare
|
retest-net-next |
qmonnet
approved these changes
May 16, 2020
|
test-focus K8sKubeProxy* |
1 similar comment
|
test-focus K8sKubeProxy* |
Disable the BPF masq in the vxlan tests until PublicInterfaceName is decluttered. The communication between pod and remote node has to be SNAT'd in the case of vxlan, which is currently not feasible, as bpf_netdev is loaded only on PublicInterfaceName. Signed-off-by: Martynas Pumputis <m@lambda.lt>
As we enabled the BPF masq by default, the correct devices (default and private) are already set by DeployCilium(). Signed-off-by: Martynas Pumputis <m@lambda.lt>
Cilium < v1.8 doesn't support multi-dev, so installing e.g. v1.7 with multiple devices (set by default in overwriteHelmOptions()) will crash cilium-agent. Therefore, in the upgrade test use a single device. Signed-off-by: Martynas Pumputis <m@lambda.lt>
As BPF masq is enabled by default, we don't need a dedicated deployments (and test cases) to test the feature. Signed-off-by: Martynas Pumputis <m@lambda.lt>
Unfortunately, we cannot SNAT a packet from a local endpoint only if dst sec id is WORLD_ID. The problem with this is that in the case of an FQDN policy, a world destination can get its own sec id, which makes a packet destined to such target to bypass the check, and bypass the SNAT. To fix this, we SNAT a packet from a local endpoint if dst is neither from native-routing-cidr nor REMOTE_HOST_ID. Signed-off-by: Martynas Pumputis <m@lambda.lt>
Since we changed the SNAT logic in the previous commit, we need to set IPV4_SNAT_EXCLUSION_DST_CIDR (prev. IPV4_NATIVE_ROUTING_CIDR) in any case, otherwise traffic between pods on different nodes will be SNAT'd. Signed-off-by: Martynas Pumputis <m@lambda.lt>
The name of a bpf_netdev object file which is attached to a native
device has changed its name - from "bpf_netdev.o" to
"bpf_netdev_${NATIVE_DEV_IFACE}.o". E.g.:
$ sudo tc filter show dev enp0s8 ingress
filter protocol all pref 1 bpf chain 0
filter protocol all pref 1 bpf chain 0 handle 0x1 bpf_netdev_enp0s8.o:[from-netdev] direct-action not_in_hw id 982 tag feca2ca7f6f80c7e jited
The change of the name broke the removal of bpf_netdev from previously
used native devs.
Fixes: a695f53 ("Endpoint for host")
Signed-off-by: Martynas Pumputis <m@lambda.lt>
brb
force-pushed
the
pr/brb/ci-bpf-masq-by-default
branch
from
95b44a6
to
f99682d
Compare
|
retest-net-next |
|
retest-4.19 |
|
retest-4.9 |
|
retest-runtime |
|
retest-runtime |
|
CI runtime failed: |
|
retest-runtime |
maintainer-s-little-helper
bot
added
the
ready-to-merge
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See commit msgs.
Depends on #11572 (let's merge this PR, and then close #11572).
Partially_fix #11442