-
Notifications
You must be signed in to change notification settings - Fork 114
/
ipam.go
930 lines (789 loc) · 29.9 KB
/
ipam.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
// Copyright (c) 2018 Cisco and/or its affiliates.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at:
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package ipam
import (
"bytes"
"fmt"
"math/big"
"net"
"sort"
"strings"
"sync"
"github.com/apparentlymart/go-cidr/cidr"
cnisb "github.com/containernetworking/cni/pkg/types/current"
"github.com/contiv/vpp/plugins/contivconf"
"github.com/contiv/vpp/plugins/contivconf/config"
controller "github.com/contiv/vpp/plugins/controller/api"
nodemodel "github.com/contiv/vpp/plugins/ksr/model/node"
podmodel "github.com/contiv/vpp/plugins/ksr/model/pod"
"github.com/contiv/vpp/plugins/nodesync"
"github.com/go-errors/errors"
"github.com/ligato/cn-infra/infra"
"github.com/ligato/cn-infra/rpc/rest"
"github.com/ligato/cn-infra/servicelabel"
)
const (
// sequence ID reserved for the gateway in POD IP subnet (cannot be assigned to any POD)
podGatewaySeqID = 1
// sequence ID reserved for VPP-end of the VPP to host interconnect
hostInterconnectInVPPIPSeqID = 1
// sequence ID reserved for host(Linux)-end of the VPP to host interconnect
hostInterconnectInLinuxIPSeqID = 2
)
// IPAM plugin implements IP address allocation for Contiv.
type IPAM struct {
Deps
mutex sync.RWMutex
excludedIPsfromNodeSubnet []net.IP // IPs from the NodeInterconnect Subnet that should not be assigned
/********** POD related variables **********/
// IP subnet from which individual POD networks are allocated, this is subnet for all PODs across all nodes
podSubnetAllNodes *net.IPNet
// IP subnet prefix for all PODs on this node (given by nodeID), podSubnetAllNodes + nodeID ==<computation>==> podSubnetThisNode
podSubnetThisNode *net.IPNet
// gateway IP address for PODs on this node (given by nodeID)
podSubnetGatewayIP net.IP
/********** maps to convert between Pod and the assigned IP **********/
// pool of assigned POD IP addresses
assignedPodIPs map[string]*podIPAllocation
// pod -> allocated IP address
podToIP map[podmodel.ID]*podIPInfo
// counter denoting last assigned pod IP address
lastPodIPAssigned int
/********** VSwitch related variables **********/
// IP subnet used across all nodes for VPP to host Linux stack interconnect
hostInterconnectSubnetAllNodes *net.IPNet
// IP subnet used by this node (given by nodeID) for VPP to host Linux stack interconnect,
// hostInterconnectSubnetAllNodes + nodeID ==<computation>==> hostInterconnectSubnetThisNode
hostInterconnectSubnetThisNode *net.IPNet
// IP address for virtual ethernet's VPP-end on this node
hostInterconnectIPInVpp net.IP
// IP address for virtual ethernet's host(Linux)-end on this node
hostInterconnectIPInLinux net.IP
/********** node related variables **********/
// IP subnet used for for inter-node connections
nodeInterconnectSubnet *net.IPNet
// IP subnet used for for inter-node VXLAN
vxlanSubnet *net.IPNet
// IP subnet used to allocate ClusterIPs for a service
serviceCIDR *net.IPNet
}
// podIPAllocation represents allocation of an IP address from the IPAM pool.
// It holds the information about the pod and the interface to which this allocation belongs.
type podIPAllocation struct {
pod podmodel.ID // pod ID
mainIP bool // true if this is a main pod IP
customIfName string // empty if mainIP == false
customIfNetwork string // empty if mainIP == false
}
// podIPInfo holds the IP address allocation info related to a pod.
type podIPInfo struct {
mainIP net.IP // IP address of the main interface
customIfIPs map[string]net.IP // custom interface name + network to IP address map
}
// Deps lists dependencies of the IPAM plugin.
type Deps struct {
infra.PluginDeps
NodeSync nodesync.API
ContivConf contivconf.API
ServiceLabel servicelabel.ReaderAPI
EventLoop controller.EventLoop
HTTPHandlers rest.HTTPHandlers
}
// Init initializes the REST handlers of the plugin.
func (i *IPAM) Init() (err error) {
// register REST handlers
i.registerRESTHandlers()
return nil
}
// HandlesEvent selects any Resync event.
// - any Resync event
// - NodeUpdate for the current node if external IPAM is in use (may trigger PodCIDRChange)
func (i *IPAM) HandlesEvent(event controller.Event) bool {
if event.Method() != controller.Update {
return true
}
if i.ContivConf.GetIPAMConfig().UseExternalIPAM {
if nodeUpdate, isNodeUpdate := event.(*nodesync.NodeUpdate); isNodeUpdate {
return nodeUpdate.NodeName == i.ServiceLabel.GetAgentLabel()
}
}
// unhandled event
return false
}
// Resync resynchronizes IPAM against the configuration and Kubernetes state data.
// A set of already allocated pod IPs is updated.
func (i *IPAM) Resync(event controller.Event, kubeStateData controller.KubeStateData,
resyncCount int, txn controller.ResyncOperations) (err error) {
// return any error as fatal
defer func() {
if err != nil {
err = controller.NewFatalError(err)
}
}()
// Normally it should not be needed to resync the set of allocated pod IP
// addresses in the run-time - local pod should not be added/deleted without
// the agent knowing about it. But if we are healing after an error, reload
// the state of IPAM just in case.
// In case that external IPAM is in use, we need to resync on POD CIDR change.
_, isHealingResync := event.(*controller.HealingResync)
_, isPodCIDRChange := event.(*PodCIDRChange)
if resyncCount > 1 && !isHealingResync && !isPodCIDRChange {
return nil
}
nodeID := i.NodeSync.GetNodeID()
// exclude gateway from the set of allocated node IPs
i.excludedIPsfromNodeSubnet = []net.IP{}
defaultGW := i.ContivConf.GetStaticDefaultGW()
gw := defaultGW.To4()
if gw == nil {
gw = defaultGW.To16()
}
if len(gw) > 0 {
i.excludedIPsfromNodeSubnet = []net.IP{gw}
}
// initialize subnets based on the configuration
ipamConfig := i.ContivConf.GetIPAMConfig()
subnets := &ipamConfig.CustomIPAMSubnets
if ipamConfig.ContivCIDR != nil {
subnets, err = dissectContivCIDR(ipamConfig)
if err != nil {
return err
}
}
if err := i.initializePods(kubeStateData, subnets, nodeID); err != nil {
return err
}
if err := i.initializeVPPHost(subnets, nodeID); err != nil {
return err
}
i.serviceCIDR = ipamConfig.ServiceCIDR
i.nodeInterconnectSubnet = subnets.NodeInterconnectCIDR
i.vxlanSubnet = subnets.VxlanCIDR
// resync allocated IP addresses
networkPrefix := new(big.Int).SetBytes(i.podSubnetThisNode.IP)
for _, podProto := range kubeStateData[podmodel.PodKeyword] {
pod := podProto.(*podmodel.Pod)
// ignore pods deployed on other nodes or without IP address
podIPAddress := net.ParseIP(pod.IpAddress)
if podIPAddress == nil || !i.podSubnetThisNode.Contains(podIPAddress) {
continue
}
// register address as already allocated
addr := new(big.Int).SetBytes(podIPAddress)
podID := podmodel.ID{Name: pod.Name, Namespace: pod.Namespace}
i.assignedPodIPs[podIPAddress.String()] = &podIPAllocation{
pod: podID,
mainIP: true,
}
i.podToIP[podID] = &podIPInfo{
mainIP: podIPAddress,
customIfIPs: map[string]net.IP{},
}
// TODO: resync of customIfIPs
diff := int(addr.Sub(addr, networkPrefix).Int64())
if i.lastPodIPAssigned < diff {
i.lastPodIPAssigned = diff
}
}
i.Log.Infof("IPAM state after startup RESYNC: "+
"excludedIPsfromNodeSubnet=%v, podSubnetAllNodes=%v, podSubnetThisNode=%v, "+
"podSubnetGatewayIP=%v, hostInterconnectSubnetAllNodes=%v, "+
"hostInterconnectSubnetThisNode=%v, hostInterconnectIPInVpp=%v, hostInterconnectIPInLinux=%v, "+
"nodeInterconnectSubnet=%v, vxlanSubnet=%v, serviceCIDR=%v, "+
"assignedPodIPs=%+v, podToIP=%v, lastPodIPAssigned=%v",
i.excludedIPsfromNodeSubnet, i.podSubnetAllNodes, i.podSubnetThisNode,
i.podSubnetGatewayIP, i.hostInterconnectSubnetAllNodes,
i.hostInterconnectSubnetThisNode, i.hostInterconnectIPInVpp, i.hostInterconnectIPInLinux,
i.nodeInterconnectSubnet, i.vxlanSubnet, i.serviceCIDR,
i.assignedPodIPs, i.podToIP, i.lastPodIPAssigned)
return
}
// initializePodsIPAM initializes POD-related variables.
func (i *IPAM) initializePods(kubeStateData controller.KubeStateData, config *contivconf.CustomIPAMSubnets, nodeID uint32) (err error) {
err = i.initializePodSubnets(kubeStateData, config, nodeID)
if err != nil {
return
}
i.podSubnetGatewayIP, err = cidr.Host(i.podSubnetThisNode, podGatewaySeqID)
if err != nil {
return nil
}
i.lastPodIPAssigned = 1
i.assignedPodIPs = make(map[string]*podIPAllocation)
i.podToIP = make(map[podmodel.ID]*podIPInfo)
return nil
}
// initializePodsIPAM initializes POD-related variables.
func (i *IPAM) initializePodSubnets(kubeStateData controller.KubeStateData, config *contivconf.CustomIPAMSubnets, nodeID uint32) (err error) {
i.podSubnetAllNodes = config.PodSubnetCIDR
thisNodePodCIDR := ""
// if external IPAM is in use, try to look up for this node's POD CIDR in k8s state data
if i.ContivConf.GetIPAMConfig().UseExternalIPAM {
nodeName := i.ServiceLabel.GetAgentLabel()
for _, k8sNodeProto := range kubeStateData[nodemodel.NodeKeyword] {
k8sNode := k8sNodeProto.(*nodemodel.Node)
if k8sNode.Name == nodeName {
thisNodePodCIDR = k8sNode.Pod_CIDR
break
}
}
i.Log.Infof("This node POD CIDR: %s", thisNodePodCIDR)
}
if thisNodePodCIDR != "" {
// pod subnet as detected
_, i.podSubnetThisNode, err = net.ParseCIDR(thisNodePodCIDR)
if err != nil {
return
}
} else {
// pod subnet based on node ID
i.podSubnetThisNode, err = dissectSubnetForNode(
i.podSubnetAllNodes, config.PodSubnetOneNodePrefixLen, nodeID)
if err != nil {
return
}
}
return nil
}
// initializeVPPHost initializes VPP-host interconnect-related variables.
func (i *IPAM) initializeVPPHost(config *contivconf.CustomIPAMSubnets, nodeID uint32) (err error) {
i.hostInterconnectSubnetAllNodes = config.VPPHostSubnetCIDR
i.hostInterconnectSubnetThisNode, err = dissectSubnetForNode(
i.hostInterconnectSubnetAllNodes, config.VPPHostSubnetOneNodePrefixLen, nodeID)
if err != nil {
return
}
i.hostInterconnectIPInVpp, err = cidr.Host(i.hostInterconnectSubnetThisNode, hostInterconnectInVPPIPSeqID)
if err != nil {
return
}
i.hostInterconnectIPInLinux, err = cidr.Host(i.hostInterconnectSubnetThisNode, hostInterconnectInLinuxIPSeqID)
if err != nil {
return
}
return
}
// Update handles NodeUpdate event in case that external IPAM is in use.
func (i *IPAM) Update(event controller.Event, txn controller.UpdateOperations) (changeDescription string, err error) {
if nodeUpdate, isNodeUpdate := event.(*nodesync.NodeUpdate); isNodeUpdate {
if nodeUpdate.NodeName == i.ServiceLabel.GetAgentLabel() {
if nodeUpdate.NewState.PodCIDR != nodeUpdate.PrevState.PodCIDR {
i.EventLoop.PushEvent(&PodCIDRChange{
LocalPodCIDR: nodeUpdate.NewState.PodCIDR,
})
i.Log.Infof("Sent PodCIDRChange event to the event loop for PodCIDRChange")
}
}
}
return "", nil
}
// Revert is NOOP - never called.
func (i *IPAM) Revert(event controller.Event) error {
return nil
}
// NodeIPAddress computes IP address of the node based on the provided node ID.
func (i *IPAM) NodeIPAddress(nodeID uint32) (net.IP, *net.IPNet, error) {
i.mutex.RLock()
defer i.mutex.RUnlock()
nodeIP, err := i.computeNodeIPAddress(nodeID)
if err != nil {
return net.IP{}, nil, err
}
maskSize, bits := i.nodeInterconnectSubnet.Mask.Size()
mask := net.CIDRMask(maskSize, bits)
ip := make([]byte, len(nodeIP))
copy(ip, nodeIP)
nodeIPNetwork := &net.IPNet{
IP: net.IP(ip).Mask(mask),
Mask: mask,
}
return nodeIP, nodeIPNetwork, nil
}
// VxlanIPAddress computes IP address of the VXLAN interface based on the provided node ID.
func (i *IPAM) VxlanIPAddress(nodeID uint32) (net.IP, *net.IPNet, error) {
i.mutex.RLock()
defer i.mutex.RUnlock()
vxlanIP, err := i.computeVxlanIPAddress(nodeID)
if err != nil {
return net.IP{}, nil, err
}
maskSize, _ := i.vxlanSubnet.Mask.Size()
mask := net.CIDRMask(maskSize, addrLenFromNet(i.vxlanSubnet))
vxlanNetwork := &net.IPNet{
IP: newIP(vxlanIP).Mask(mask),
Mask: mask,
}
return vxlanIP, vxlanNetwork, nil
}
// HostInterconnectIPInVPP provides the IP address for the VPP-end of the VPP-to-host
// interconnect.
func (i *IPAM) HostInterconnectIPInVPP() net.IP {
i.mutex.RLock()
defer i.mutex.RUnlock()
return newIP(i.hostInterconnectIPInVpp)
}
// HostInterconnectIPInLinux provides the IP address of the host(Linux)-end of the VPP to host interconnect.
func (i *IPAM) HostInterconnectIPInLinux() net.IP {
i.mutex.RLock()
defer i.mutex.RUnlock()
return newIP(i.hostInterconnectIPInLinux)
}
// HostInterconnectSubnetThisNode returns vswitch network used to connect VPP to its host Linux Stack
// on this node.
func (i *IPAM) HostInterconnectSubnetThisNode() *net.IPNet {
i.mutex.RLock()
defer i.mutex.RUnlock()
return newIPNet(i.hostInterconnectSubnetThisNode)
}
// HostInterconnectSubnetAllNodes returns vswitch base subnet used to connect VPP
// to its host Linux Stack on all nodes.
func (i *IPAM) HostInterconnectSubnetAllNodes() *net.IPNet {
i.mutex.RLock()
defer i.mutex.RUnlock()
return newIPNet(i.hostInterconnectSubnetAllNodes)
}
// HostInterconnectSubnetOtherNode returns VPP-host network of another node identified by nodeID.
func (i *IPAM) HostInterconnectSubnetOtherNode(nodeID uint32) (*net.IPNet, error) {
i.mutex.RLock()
defer i.mutex.RUnlock()
oneNodePrefixLen, _ := i.hostInterconnectSubnetThisNode.Mask.Size()
vSwitchNetworkIPPrefix, err := dissectSubnetForNode(
i.hostInterconnectSubnetAllNodes, uint8(oneNodePrefixLen), nodeID)
if err != nil {
return nil, err
}
return newIPNet(vSwitchNetworkIPPrefix), nil
}
// PodSubnetAllNodes returns POD subnet that is a base subnet for all PODs of all nodes.
func (i *IPAM) PodSubnetAllNodes() *net.IPNet {
i.mutex.RLock()
defer i.mutex.RUnlock()
return newIPNet(i.podSubnetAllNodes)
}
// PodSubnetThisNode returns POD network for the current node (given by nodeID given at IPAM creation).
func (i *IPAM) PodSubnetThisNode() *net.IPNet {
i.mutex.RLock()
defer i.mutex.RUnlock()
return newIPNet(i.podSubnetThisNode)
}
// PodSubnetOtherNode returns the POD network of another node identified by nodeID.
func (i *IPAM) PodSubnetOtherNode(nodeID uint32) (*net.IPNet, error) {
i.mutex.RLock()
defer i.mutex.RUnlock()
oneNodePrefixLen, _ := i.podSubnetThisNode.Mask.Size()
podSubnetThisNode, err := dissectSubnetForNode(
i.podSubnetAllNodes, uint8(oneNodePrefixLen), nodeID)
if err != nil {
return nil, err
}
return newIPNet(podSubnetThisNode), nil
}
// NodeIDFromPodIP returns node ID from provided POD IP address.
func (i *IPAM) NodeIDFromPodIP(podIP net.IP) (uint32, error) {
i.mutex.RLock()
defer i.mutex.RUnlock()
if !i.podSubnetAllNodes.Contains(podIP) {
return 0, fmt.Errorf("pod IP %v not from pod subnet %v", podIP, i.podSubnetAllNodes)
}
subnet := i.podSubnetAllNodes.IP
if !isIPv6Net(i.podSubnetAllNodes) {
podIP = podIP.To4()
subnet = subnet.To4()
}
ip := new(big.Int).SetBytes(podIP)
podSubnetAllNodes := new(big.Int).SetBytes(subnet)
addrLen := addrLenFromNet(i.podSubnetThisNode)
oneNodePrefixLen, _ := i.podSubnetThisNode.Mask.Size()
// zero pod subnet prefix for all nodes
ip.Xor(ip, podSubnetAllNodes)
// shift right to get rid of the node addressing part
ip.Rsh(ip, uint(addrLen-oneNodePrefixLen))
return uint32(ip.Uint64()), nil
}
// ServiceNetwork returns range allocated for services.
func (i *IPAM) ServiceNetwork() *net.IPNet {
i.mutex.RLock()
defer i.mutex.RUnlock()
return newIPNet(i.serviceCIDR)
}
// PodGatewayIP returns gateway IP address of the POD subnet of this node.
func (i *IPAM) PodGatewayIP() net.IP {
i.mutex.RLock()
defer i.mutex.RUnlock()
return newIP(i.podSubnetGatewayIP)
}
// NatLoopbackIP returns the IP address of a virtual loopback, used to route traffic
// between clients and services via VPP even if the source and destination are the same
// IP addresses and would otherwise be routed locally.
func (i *IPAM) NatLoopbackIP() net.IP {
i.mutex.RLock()
defer i.mutex.RUnlock()
// Last unicast IP from the pod subnet is used as NAT-loopback.
_, broadcastIP := cidr.AddressRange(i.podSubnetThisNode)
return cidr.Dec(broadcastIP)
}
// AllocatePodIP tries to allocate IP address for the given pod.
func (i *IPAM) AllocatePodIP(podID podmodel.ID, ipamType string, ipamData string) (net.IP, error) {
i.mutex.Lock()
defer i.mutex.Unlock()
if i.ContivConf.GetIPAMConfig().UseExternalIPAM {
// allocate IP using external IPAM
return i.allocateExternalPodIP(podID, ipamType, ipamData)
}
// check whether IP is already allocated
allocation, found := i.podToIP[podID]
if found && allocation.mainIP != nil {
return allocation.mainIP, nil
}
// allocate an IP
ip, err := i.allocateIP()
if err != nil {
i.Log.Errorf("Unable to allocate main pod IP: %v", err)
return nil, err
}
// store the allocation internally
i.assignedPodIPs[ip.String()] = &podIPAllocation{
pod: podID,
mainIP: true,
}
if _, found := i.podToIP[podID]; !found {
i.podToIP[podID] = &podIPInfo{
customIfIPs: map[string]net.IP{},
}
}
i.podToIP[podID].mainIP = ip
i.logAssignedPodIPPool()
return ip, nil
}
// AllocatePodCustomIfIP tries to allocate custom IP address for the given interface of a given pod.
func (i *IPAM) AllocatePodCustomIfIP(podID podmodel.ID, ifName, network string) (net.IP, error) {
i.mutex.Lock()
defer i.mutex.Unlock()
// allocate an IP
ip, err := i.allocateIP()
if err != nil {
i.Log.Errorf("Unable to allocate pod custom interface IP: %v", err)
return nil, err
}
// store the allocation internally
i.assignedPodIPs[ip.String()] = &podIPAllocation{
pod: podID,
mainIP: false,
customIfName: ifName,
customIfNetwork: network,
}
if _, found := i.podToIP[podID]; !found {
i.podToIP[podID] = &podIPInfo{
customIfIPs: map[string]net.IP{},
}
}
i.podToIP[podID].customIfIPs[customIfID(ifName, network)] = ip
i.logAssignedPodIPPool()
return ip, nil
}
// allocateExternalPodIP allocates IP address for the given pod using the external IPAM.
func (i *IPAM) allocateExternalPodIP(podID podmodel.ID, ipamType string, ipamData string) (net.IP, error) {
i.Log.Debugf("IPAM type=%s data: %s", ipamType, ipamData)
// parse the external IPAM result
ipamResult := &cnisb.IPConfig{}
err := ipamResult.UnmarshalJSON([]byte(ipamData))
if err != nil {
return nil, fmt.Errorf("error by unmarshalling external IPAM result: %v", err)
}
// save allocated IP to POD mapping
ip := ipamResult.Address.IP
i.podToIP[podID] = &podIPInfo{
mainIP: ip,
}
i.Log.Infof("Assigned new pod IP %v for POD ID %v", ip, podID)
return ip, nil
}
// allocateIP allocates a new IP from the main po IP pool.
func (i *IPAM) allocateIP() (net.IP, error) {
last := i.lastPodIPAssigned + 1
// iterate over all possible IP addresses for pod network prefix
// start from the last assigned and take first available IP
prefixBits, totalBits := i.podSubnetThisNode.Mask.Size()
// get the maximum sequence ID available in the provided range; the last valid unicast IP is used as "NAT-loopback"
podBitSize := uint(totalBits - prefixBits)
// IPAM currently support up to 2^63 pods
if podBitSize >= 64 {
podBitSize = 63
}
maxSeqID := (1 << podBitSize) - 2
for j := last; j < maxSeqID; j++ {
ipForAssign, success := i.tryToAllocateIP(j, i.podSubnetThisNode)
if success {
i.lastPodIPAssigned = j
return ipForAssign, nil
}
}
// iterate from the range start until lastPodIPAssigned
for j := 1; j < last; j++ { // zero ending IP is reserved for network => skip seqID=0
ipForAssign, success := i.tryToAllocateIP(j, i.podSubnetThisNode)
if success {
i.lastPodIPAssigned = j
return ipForAssign, nil
}
}
return nil, fmt.Errorf("no IP address is free for allocation in the subnet %v", i.podSubnetThisNode)
}
// tryToAllocatePodIP checks whether the IP at the given index is available.
func (i *IPAM) tryToAllocateIP(index int, networkPrefix *net.IPNet) (assignedIP net.IP, success bool) {
if index == podGatewaySeqID {
return nil, false // gateway IP address can't be assigned as pod
}
ip, err := cidr.Host(networkPrefix, index)
if err != nil {
return nil, false
}
if _, found := i.assignedPodIPs[ip.String()]; found {
return nil, false // ignore already assigned IP addresses
}
i.Log.Infof("Assigned new pod IP %s", ip)
return ip, true
}
// GetPodIP returns the allocated pod IP, together with the mask.
// Returns nil if the pod does not have allocated IP address.
func (i *IPAM) GetPodIP(podID podmodel.ID) *net.IPNet {
i.mutex.Lock()
defer i.mutex.Unlock()
allocation, found := i.podToIP[podID]
if !found {
return nil
}
addrLen := addrLenFromNet(i.podSubnetThisNode)
return &net.IPNet{IP: allocation.mainIP, Mask: net.CIDRMask(addrLen, addrLen)}
}
// GetPodCustomIfIP returns the allocated custom interface pod IP, together with the mask.
// Returns nil if the pod does not have allocated custom interface IP address.
func (i *IPAM) GetPodCustomIfIP(podID podmodel.ID, ifName, network string) *net.IPNet {
i.mutex.Lock()
defer i.mutex.Unlock()
allocation, found := i.podToIP[podID]
if !found {
return nil
}
if ip, found := allocation.customIfIPs[customIfID(ifName, network)]; found {
addrLen := addrLenFromNet(i.podSubnetThisNode)
return &net.IPNet{IP: ip, Mask: net.CIDRMask(addrLen, addrLen)}
}
return nil
}
// GetPodFromIP returns the pod information related to the allocated pod IP.
// found is false if the provided IP address has not been allocated to any local pod.
func (i *IPAM) GetPodFromIP(podIP net.IP) (podID podmodel.ID, found bool) {
i.mutex.Lock()
defer i.mutex.Unlock()
allocation, found := i.assignedPodIPs[podIP.String()]
if found {
return allocation.pod, true
}
return podID, false
}
// ReleasePodIPs releases the pod IP address making it available for new PODs.
func (i *IPAM) ReleasePodIPs(podID podmodel.ID) error {
i.mutex.Lock()
defer i.mutex.Unlock()
allocation, found := i.podToIP[podID]
if !found {
i.Log.Warnf("Unable to find IP for pod %v", podID)
return nil
}
delete(i.podToIP, podID)
i.Log.Infof("Released IP %v for pod ID %v", allocation.mainIP, podID)
if i.ContivConf.GetIPAMConfig().UseExternalIPAM {
// no further processing for external IPAM
return nil
}
delete(i.assignedPodIPs, allocation.mainIP.String())
for _, ip := range allocation.customIfIPs {
delete(i.assignedPodIPs, ip.String())
}
i.logAssignedPodIPPool()
return nil
}
// GetIPAMConfigForJSON returns actual (contivCIDR dissected
// into ranges, if used) IPAM configuration
func (i *IPAM) GetIPAMConfigForJSON() *config.IPAMConfig {
c := i.ContivConf.GetIPAMConfigForJSON()
res := &config.IPAMConfig{
UseExternalIPAM: c.UseExternalIPAM,
ContivCIDR: c.ContivCIDR,
ServiceCIDR: c.ServiceCIDR,
DefaultGateway: c.DefaultGateway,
NodeInterconnectDHCP: c.NodeInterconnectDHCP,
NodeInterconnectCIDR: i.nodeInterconnectSubnet.String(),
PodSubnetCIDR: i.PodSubnetAllNodes().String(),
VPPHostSubnetCIDR: i.HostInterconnectSubnetAllNodes().String(),
}
if i.vxlanSubnet != nil {
res.VxlanCIDR = i.vxlanSubnet.String()
}
s, _ := i.PodSubnetThisNode().Mask.Size()
res.PodSubnetOneNodePrefixLen = uint8(s)
s, _ = i.HostInterconnectSubnetThisNode().Mask.Size()
res.VPPHostSubnetOneNodePrefixLen = uint8(s)
return res
}
// BsidForServicePolicy creates a valid SRv6 binding SID for given k8s service IP addresses <serviceIPs>. This sid
// should be used only for k8s service policy
func (i *IPAM) BsidForServicePolicy(serviceIPs []net.IP) net.IP {
// get lowest ip from service IP addresses
var ip net.IP
if len(serviceIPs) == 0 {
ip = net.ParseIP("::1").To16()
} else {
sort.Slice(serviceIPs, func(i, j int) bool {
return bytes.Compare(serviceIPs[i], serviceIPs[j]) < 0
})
ip = serviceIPs[0].To16()
}
return i.computeSID(ip, i.ContivConf.GetIPAMConfig().SRv6Settings.ServicePolicyBSIDSubnetCIDR)
}
// SidForServiceHostLocalsid creates a valid SRv6 SID for service locasid leading to host on the current node. Created SID
// doesn't depend on anything and is the same for each node, because there is only one way how to get to host in each
// node and localsid have local significance (their sid don't have to be globally unique)
func (i *IPAM) SidForServiceHostLocalsid() net.IP {
return i.computeSID(net.ParseIP("::1"), i.ContivConf.GetIPAMConfig().SRv6Settings.ServiceHostLocalSIDSubnetCIDR)
}
// SidForServicePodLocalsid creates a valid SRv6 SID for service locasid leading to pod backend. The SID creation is
// based on backend IP <backendIP>.
func (i *IPAM) SidForServicePodLocalsid(backendIP net.IP) net.IP {
return i.computeSID(backendIP, i.ContivConf.GetIPAMConfig().SRv6Settings.ServicePodLocalSIDSubnetCIDR)
}
// SidForNodeToNodePodLocalsid creates a valid SRv6 SID for locasid that is part of node-to-node Srv6 tunnel and
// outputs packets to pod VRF table.
func (i *IPAM) SidForNodeToNodePodLocalsid(nodeIP net.IP) net.IP {
return i.computeSID(nodeIP, i.ContivConf.GetIPAMConfig().SRv6Settings.NodeToNodePodLocalSIDSubnetCIDR)
}
// SidForNodeToNodeHostLocalsid creates a valid SRv6 SID for locasid that is part of node-to-node Srv6 tunnel and
// outputs packets to main VRF table.
func (i *IPAM) SidForNodeToNodeHostLocalsid(nodeIP net.IP) net.IP {
return i.computeSID(nodeIP, i.ContivConf.GetIPAMConfig().SRv6Settings.NodeToNodeHostLocalSIDSubnetCIDR)
}
// SidForServiceNodeLocalsid creates a valid SRv6 SID for service locasid serving as intermediate step in policy segment list.
func (i *IPAM) SidForServiceNodeLocalsid(nodeIP net.IP) net.IP {
return i.computeSID(nodeIP, i.ContivConf.GetIPAMConfig().SRv6Settings.ServiceNodeLocalSIDSubnetCIDR)
}
// BsidForNodeToNodePodPolicy creates a valid SRv6 SID for policy that is part of node-to-node Srv6 tunnel and routes traffic to pod VRF table
func (i *IPAM) BsidForNodeToNodePodPolicy(nodeIP net.IP) net.IP {
return i.computeSID(nodeIP, i.ContivConf.GetIPAMConfig().SRv6Settings.NodeToNodePodPolicySIDSubnetCIDR) // bsid = binding sid -> using the same util method
}
// BsidForNodeToNodeHostPolicy creates a valid SRv6 SID for policy that is part of node-to-node Srv6 tunnel and routes traffic to main VRF table
func (i *IPAM) BsidForNodeToNodeHostPolicy(nodeIP net.IP) net.IP {
return i.computeSID(nodeIP, i.ContivConf.GetIPAMConfig().SRv6Settings.NodeToNodeHostPolicySIDSubnetCIDR) // bsid = binding sid -> using the same util method
}
// computeSID creates SID by applying network prefix from <prefixNetwork> to IP <ip>
func (i *IPAM) computeSID(ip net.IP, prefixNetwork *net.IPNet) net.IP {
ip = ip.To16()
sid := net.IP(make([]byte, 16))
for i := range ip {
sid[i] = ip[i] & ^prefixNetwork.Mask[i] | prefixNetwork.IP[i]
}
return sid
}
// Close is NOOP.
func (i *IPAM) Close() error {
return nil
}
// dissectSubnetForNode dissects a smaller chunk from a given subnet to be used
// exclusively by the node of the given ID.
func dissectSubnetForNode(subnetCIDR *net.IPNet, oneNodePrefixLen uint8, nodeID uint32) (nodeSubnet *net.IPNet, err error) {
// checking correct prefix sizes
subnetPrefixLen, _ := subnetCIDR.Mask.Size()
if oneNodePrefixLen <= uint8(subnetPrefixLen) {
err = fmt.Errorf("prefix length for one node (%v) must be higher "+
"than the cluster-wide subnet prefix length (%v) ",
oneNodePrefixLen, subnetPrefixLen)
return
}
newBits := int(oneNodePrefixLen) - subnetPrefixLen
num := int(nodeID)
// the biggest num is assigned subnet with 0
if num == (1 << uint(newBits)) {
num = 0
}
return cidr.Subnet(subnetCIDR, newBits, num)
}
// logAssignedPodIPPool logs assigned POD IPs.
func (i *IPAM) logAssignedPodIPPool() {
i.Log.Debugf("Current pool of assigned pod IP addresses: %v", i.assignedPodIPs)
}
// computeNodeIPAddress computes IP address of node based on the given node ID.
func (i *IPAM) computeNodeIPAddress(nodeID uint32) (net.IP, error) {
if i.nodeInterconnectSubnet == nil {
return nil, errors.New("nodeInterconnectCIDR is undefined")
}
addrLen := addrLenFromNet(i.nodeInterconnectSubnet)
// trimming nodeID if its place in IP address is narrower than actual uint8 size
subnetPrefixLen, _ := i.nodeInterconnectSubnet.Mask.Size()
nodePartBitSize := addrLen - subnetPrefixLen
nodeIPPart, err := convertToNodeIPPart(nodeID, uint8(nodePartBitSize))
if err != nil {
return nil, err
}
// nodeIPPart equal to 0 is not valid for IP address
if nodeIPPart == 0 {
return nil, fmt.Errorf("no free address for nodeID %v", nodeID)
}
computedIP, err := cidr.Host(i.nodeInterconnectSubnet, int(nodeIPPart))
if err != nil {
return nil, err
}
// skip excluded IPs (gateway or other invalid address)
for _, ex := range i.excludedIPsfromNodeSubnet {
if bytes.Compare(ex, computedIP) <= 0 {
computedIP = cidr.Inc(computedIP)
}
}
return computedIP, nil
}
// computeVxlanIPAddress computes IP address of the VXLAN interface based on the given node ID.
func (i *IPAM) computeVxlanIPAddress(nodeID uint32) (net.IP, error) {
addrLen := addrLenFromNet(i.vxlanSubnet)
subnetPrefixLen, _ := i.vxlanSubnet.Mask.Size()
nodePartBitSize := addrLen - subnetPrefixLen
nodeIPPart, err := convertToNodeIPPart(nodeID, uint8(nodePartBitSize))
if err != nil {
return nil, err
}
// nodeIPpart equal to 0 is not valid for IP address
if nodeIPPart == 0 {
return nil, fmt.Errorf("no free address for nodeID %v", nodeID)
}
// combining it to get result IP address
computedIP, err := cidr.Host(i.vxlanSubnet, int(nodeIPPart))
if err != nil {
return nil, err
}
return computedIP, nil
}
func isIPv6Net(network *net.IPNet) bool {
return strings.Contains(network.String(), ":")
}
func addrLenFromNet(network *net.IPNet) int {
addrLen := net.IPv4len * 8
if isIPv6Net(network) {
addrLen = net.IPv6len * 8
}
return addrLen
}
// customIfID returns custom interface identifier string
func customIfID(ifName, network string) string {
if network == "" {
return ifName
}
return ifName + "/" + network
}