bpf: Introduce per-cluster conntrack maps #22857
Conversation
3e71591 to b3c2b39 (Compare)
pkg/maps/ctmap/per_cluster_ctmap.go (Outdated)
// key with ClusterID, we chose to create CT map per-cluster. When | ||
// we have a good way of extending global CT maps in the future, we | ||
// should retire this entire file. | ||
type PerClusterCtMap struct { |
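Review bot: the comment above `type PerClusterCtMap struct` records a plan to retire the whole file once global CT maps can be extended; mark it with a `// TODO` so the intent is searchable, and since CT is an initialism, Go naming convention makes the exported type `PerClusterCTMap` rather than `PerClusterCtMap`.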
PerClusterCTMap? https://go.dev/talks/2014
pkg/maps/ctmap/per_cluster_ctmap.go (Outdated)
) | ||
|
||
// An interface to interact with all per-cluster CT maps | ||
type PerClusterCtMapsIface interface { |
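Review bot: the doc comment `// An interface to interact with all per-cluster CT maps` should start with the type's name so godoc renders it properly, e.g. `// PerClusterCTMapper interacts with all per-cluster CT maps`; the `Iface` suffix on `PerClusterCtMapsIface` is also non-idiomatic in Go, an `-er` name such as `PerClusterCTMapper` reads better.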
Following the Go convention: PerClusterCTMapper
@@ -0,0 +1,199 @@ | |||
// SPDX-License-Identifier: Apache-2.0 |
Feel free to rename this to per_cluster_ctmap_test.go. With the removal of the privileged_tests build tag, privileged tests no longer need to be split into separate files, and the filename is getting rather long.
c.Assert(err, IsNil) | ||
|
||
// Per-cluster CT map depends on the map information | ||
InitMapInfo(option.CTMapEntriesGlobalTCPDefault, option.CTMapEntriesGlobalAnyDefault, true, true, true) |
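Review bot: `InitMapInfo(option.CTMapEntriesGlobalTCPDefault, option.CTMapEntriesGlobalAnyDefault, true, true, true)` passes three positional booleans whose meaning cannot be read at the call site; if the call is kept at all (the comment above notes it duplicates the `init()` in ctmap_privileged_test.go), name each flag in a trailing comment, and be aware that re-running it inside a test body mutates package-level map information shared with every other test in the package.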
This is already called in ctmap_privileged_test.go:init().
@@ -15,6 +15,18 @@ const ( | |||
ClusterIDMax = 255 | |||
) | |||
|
|||
func ValidateClusterID(clusterID uint32) error { |
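Review bot: `ValidateClusterID` takes a `uint32` while `ClusterIDMax = 255` fits in a byte, so the type gives no protection and the body must reject `clusterID > ClusterIDMax` explicitly, using the constant rather than a literal 255; the function comment should also state whether 0 is an acceptable ID, since the visible constants only define the upper bound.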
is this change already part of #22875 ?
Yes, but both PRs depend on this change, so let me rebase the branch after the one is merged into the master.
b3c2b39 to eef31a9 (Compare)
Applied the fix suggested by Timo.

/test
To distinguish two identical IP addresses that belong to different clusters, we need to extend the conntrack maps' keys to contain a ClusterID. However, currently it is impossible to change the conntrack maps without breaking users' connections. Thus, we'll take a different approach that creates conntrack maps per cluster.

Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
eef31a9 to 0ebbc7c (Compare)
I surrounded the per-cluster CT maps with a guard macro and added the new maps to the ignore list.

/test
This is a part of the Cluster Mesh with overlapping PodCIDR support. When the remote cluster has an overlapping PodCIDR, we must identify the remote endpoint using IP + ClusterID. CT is not an exception, so it's ideal for extending the CT map's key with a new ClusterID field. However, the problem is we cannot extend the CT map without breaking users' connections now. Thus, we created a new map-in-map containing the CT maps for each cluster.
This PR only contains basic map definitions and tests. No one uses it. We also don't have GC for per-cluster maps because GC depends on the NAT map. Once I implement per-cluster NAT (it has the same problem), I'll publish another PR for GC.
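The design described above, as an added example that is not part of this PR or of Cilium's code: a plain-Go model of why a single global CT map cannot tell two overlapping-PodCIDR clusters apart, and how an outer map keyed by ClusterID holding one CT map per cluster (the map-in-map) keeps both entries. The `CTKey`/`CTEntry` types, the range check inside `ValidateClusterID` (only its signature and `ClusterIDMax = 255` appear in the diff) and the sample tuple are assumptions made for this illustration; no BPF is involved.

```go
package main

import (
	"fmt"
	"net/netip"
)

// ClusterIDMax mirrors the constant in the diff: a ClusterID fits in one byte.
const ClusterIDMax = 255

// ValidateClusterID rejects IDs outside 1..ClusterIDMax. Treating 0 as
// invalid is an assumption of this example; the PR excerpt shows only the
// function signature.
func ValidateClusterID(clusterID uint32) error {
	if clusterID == 0 || clusterID > ClusterIDMax {
		return fmt.Errorf("invalid ClusterID %d: must be in 1..%d", clusterID, ClusterIDMax)
	}
	return nil
}

// CTKey models the existing global conntrack key: a 5-tuple with no ClusterID.
type CTKey struct {
	SrcAddr, DstAddr netip.Addr
	SrcPort, DstPort uint16
	Proto            uint8
}

// CTEntry is a stand-in for the conntrack value; ClusterID records which
// cluster's flow the entry was written for, so clobbering is observable.
type CTEntry struct {
	ClusterID uint32
	Note      string
}

// GlobalCTMap models the single global CT map: one key space for all clusters.
type GlobalCTMap map[CTKey]CTEntry

// PerClusterCTMaps models the map-in-map: outer key is the ClusterID, each
// inner map is an ordinary CT map keyed by the unchanged 5-tuple.
type PerClusterCTMaps struct {
	inner map[uint32]map[CTKey]CTEntry
}

func NewPerClusterCTMaps() *PerClusterCTMaps {
	return &PerClusterCTMaps{inner: make(map[uint32]map[CTKey]CTEntry)}
}

// Update writes an entry into the inner map of the given cluster, creating
// the inner map on first use, after validating the ClusterID.
func (m *PerClusterCTMaps) Update(clusterID uint32, k CTKey, v CTEntry) error {
	if err := ValidateClusterID(clusterID); err != nil {
		return err
	}
	in, ok := m.inner[clusterID]
	if !ok {
		in = make(map[CTKey]CTEntry)
		m.inner[clusterID] = in
	}
	in[k] = v
	return nil
}

// Lookup resolves a tuple within one cluster's CT map only.
func (m *PerClusterCTMaps) Lookup(clusterID uint32, k CTKey) (CTEntry, bool) {
	in, ok := m.inner[clusterID]
	if !ok {
		return CTEntry{}, false
	}
	v, ok := in[k]
	return v, ok
}

// Total counts entries across all inner maps.
func (m *PerClusterCTMaps) Total() int {
	n := 0
	for _, in := range m.inner {
		n += len(in)
	}
	return n
}

// Demo inserts the same 5-tuple on behalf of cluster 1 and cluster 2 into both
// models. It returns the entry count of the global map, the ClusterID its
// surviving entry carries, and the entry count of the per-cluster maps.
func Demo() (globalEntries int, globalOwner uint32, perClusterEntries int) {
	// Constructed sample flow: both clusters use 10.0.0.0/24 for pods.
	key := CTKey{
		SrcAddr: netip.MustParseAddr("10.0.0.5"),
		DstAddr: netip.MustParseAddr("10.0.0.9"),
		SrcPort: 40000, DstPort: 80, Proto: 6,
	}
	global := GlobalCTMap{}
	global[key] = CTEntry{ClusterID: 1, Note: "cluster 1 flow"}
	global[key] = CTEntry{ClusterID: 2, Note: "cluster 2 flow"} // silently overwrites cluster 1

	pc := NewPerClusterCTMaps()
	_ = pc.Update(1, key, CTEntry{ClusterID: 1, Note: "cluster 1 flow"})
	_ = pc.Update(2, key, CTEntry{ClusterID: 2, Note: "cluster 2 flow"})

	return len(global), global[key].ClusterID, pc.Total()
}

func main() {
	g, owner, p := Demo()
	fmt.Printf("global map: %d entry (owned by cluster %d); per-cluster maps: %d entries\n", g, owner, p)
}
```

The global map ends with a single entry owned by cluster 2, so cluster 1's flow state is lost; the per-cluster layout keeps both because the ClusterID is part of the outer key, which is exactly what the PR achieves without changing the inner CT key layout.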