

Merge pull request #922 from openshift-cherrypick-robot/cherry-pick-8…
…86-to-release-4.8

[release-4.8] Bug 2043757:  Fix node connectivity to service backed by egress IP pods
openshift-merge-robot committed Feb 9, 2022
2 parents 75436e1 + 7f4343f commit ab65e3a
Showing 2 changed files with 68 additions and 0 deletions.
20 changes: 20 additions & 0 deletions go-controller/pkg/ovn/egressip.go
Expand Up @@ -748,6 +748,7 @@ func (oc *Controller) deleteNodeForEgress(node *v1.Node) error {
func (oc *Controller) initClusterEgressPolicies(nodes []interface{}) {
v4ClusterSubnet, v6ClusterSubnet := getClusterSubnets()
createDefaultNoReroutePodPolicies(v4ClusterSubnet, v6ClusterSubnet)
oc.createDefaultNoRerouteServicePolicies(v4ClusterSubnet, v6ClusterSubnet)
go oc.checkEgressNodesReachability()
}

Expand Down Expand Up @@ -1096,6 +1097,25 @@ func getNodeInternalAddrs(node *v1.Node) (net.IP, net.IP) {
return v4Addr, v6Addr
}

// createDefaultNoRerouteServicePolicies ensures service reachability from the
// host network to any service backed by egress IP matching pods
func (oc *Controller) createDefaultNoRerouteServicePolicies(v4ClusterSubnet, v6ClusterSubnet []*net.IPNet) {
for _, v4Subnet := range v4ClusterSubnet {
_, stderr, err := util.RunOVNNbctl("--may-exist", "lr-policy-add", types.OVNClusterRouter, fmt.Sprintf("%v", types.DefaultNoRereoutePriority),
fmt.Sprintf("ip4.src == %s && ip4.dst == %s", v4Subnet.String(), config.Gateway.V4JoinSubnet), "allow")
if err != nil {
klog.Errorf("Unable to create IPv4 default no-reroute service policy, stderr: %s, err: %v", stderr, err)
}
}
for _, v6Subnet := range v6ClusterSubnet {
_, stderr, err := util.RunOVNNbctl("--may-exist", "lr-policy-add", types.OVNClusterRouter, fmt.Sprintf("%v", types.DefaultNoRereoutePriority),
fmt.Sprintf("ip6.src == %s && ip6.dst == %s", v6Subnet.String(), config.Gateway.V6JoinSubnet), "allow")
if err != nil {
klog.Errorf("Unable to create IPv6 default no-reroute service policy, stderr: %s, err: %v", stderr, err)
}
}
}

// createDefaultNoReroutePodPolicies ensures egress pods east<->west traffic with regular pods,
// i.e: ensuring that an egress pod can still communicate with a regular pod / service backed by regular pods
func createDefaultNoReroutePodPolicies(v4ClusterSubnet, v6ClusterSubnet []*net.IPNet) {
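Review bot: createDefaultNoRerouteServicePolicies is declared with an `oc *Controller` receiver in the `@@ -1096` hunk but never reads `oc`, while its sibling createDefaultNoReroutePodPolicies, called right before it in initClusterEgressPolicies, is a plain function; for consistency it could be `func createDefaultNoRerouteServicePolicies(v4ClusterSubnet, v6ClusterSubnet []*net.IPNet)` with the call site in the `@@ -748` hunk changed to `createDefaultNoRerouteServicePolicies(v4ClusterSubnet, v6ClusterSubnet)`. The doc comment says the function "ensures" reachability, but a failing `lr-policy-add` is only logged via klog.Errorf and the function returns nothing, so initClusterEgressPolicies cannot tell that a policy is missing; that matches the existing pod-policy helper, but the comment should say so. I would extend the comment to `// createDefaultNoRerouteServicePolicies adds, for each cluster subnet, an "allow" policy at DefaultNoRereoutePriority on OVNClusterRouter matching traffic from that subnet to the join subnet; ovn-nbctl errors are logged, not returned.` The IPv4 and IPv6 loops differ only in the address family and join subnet, so a small shared helper would also halve the duplicated ovn-nbctl invocation.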
48 changes: 48 additions & 0 deletions go-controller/pkg/ovn/egressip_test.go
Expand Up @@ -254,6 +254,12 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
},
)

fakeOvn.fakeExec.AddFakeCmdsNoOutputNoError(
[]string{
fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
},
)

fakeOvn.controller.WatchEgressNodes()
gomega.Eventually(getEgressIPAllocatorSizeSafely).Should(gomega.Equal(2))
gomega.Expect(fakeOvn.controller.eIPC.allocator).To(gomega.HaveKey(node1.Name))
Expand Down Expand Up @@ -402,6 +408,13 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
fmt.Sprintf("ovn-nbctl --timeout=15 set logical_switch_port etor-GR_node1 options:nat-addresses=router"),
},
)

fakeOvn.fakeExec.AddFakeCmdsNoOutputNoError(
[]string{
fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
},
)

fakeOvn.controller.WatchEgressNodes()
gomega.Eventually(getEgressIPAllocatorSizeSafely).Should(gomega.Equal(2))
gomega.Expect(fakeOvn.controller.eIPC.allocator).To(gomega.HaveKey(node1.Name))
Expand Down Expand Up @@ -1310,6 +1323,13 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
fmt.Sprintf("ovn-nbctl --timeout=15 set logical_switch_port etor-GR_node2 options:nat-addresses=router"),
},
)

fakeOvn.fakeExec.AddFakeCmdsNoOutputNoError(
[]string{
fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
},
)

fakeOvn.controller.WatchEgressNodes()
gomega.Eventually(getEgressIPAllocatorSizeSafely).Should(gomega.Equal(0))
node1.Labels = map[string]string{
Expand Down Expand Up @@ -1382,6 +1402,12 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
return len(fakeOvn.controller.eIPC.allocator)
}

fakeOvn.fakeExec.AddFakeCmdsNoOutputNoError(
[]string{
fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
},
)

fakeOvn.controller.WatchEgressNodes()
gomega.Eventually(allocatorItems).Should(gomega.Equal(0))

Expand Down Expand Up @@ -1450,6 +1476,7 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
fakeOvn.fakeExec.AddFakeCmdsNoOutputNoError(
[]string{
fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add ovn_cluster_router 101 ip4.src == 10.128.0.0/14 && ip4.dst == 10.128.0.0/14 allow"),
fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
},
)

Expand Down Expand Up @@ -1579,8 +1606,10 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
[]string{
fmt.Sprintf("ovn-nbctl --timeout=15 --format=csv --data=bare --no-heading --columns=_uuid,external_ids,match find logical_router_policy priority=100"),
fmt.Sprintf("ovn-nbctl --timeout=15 --format=csv --data=bare --no-heading --columns=_uuid,external_ids,logical_ip find nat"),
fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
},
)

fakeOvn.controller.WatchEgressNodes()
fakeOvn.controller.WatchEgressIP()

Expand Down Expand Up @@ -1672,8 +1701,10 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
[]string{
fmt.Sprintf("ovn-nbctl --timeout=15 --format=csv --data=bare --no-heading --columns=_uuid,external_ids,match find logical_router_policy priority=100"),
fmt.Sprintf("ovn-nbctl --timeout=15 --format=csv --data=bare --no-heading --columns=_uuid,external_ids,logical_ip find nat"),
fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
},
)

fakeOvn.controller.WatchEgressNodes()
fakeOvn.controller.WatchEgressIP()

Expand Down Expand Up @@ -1797,6 +1828,13 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
fmt.Sprintf("ovn-nbctl --timeout=15 set logical_switch_port etor-GR_node2 options:nat-addresses=router"),
},
)

fakeOvn.fakeExec.AddFakeCmdsNoOutputNoError(
[]string{
fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
},
)

fakeOvn.fakeExec.AddFakeCmd(
&ovntest.ExpectedCmd{
Cmd: fmt.Sprintf("ovn-nbctl --timeout=15 --if-exist get logical_router_port rtoj-GR_%s networks", node1.Name),
Expand Down Expand Up @@ -1953,6 +1991,12 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
},
)

fakeOvn.fakeExec.AddFakeCmdsNoOutputNoError(
[]string{
fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
},
)

fakeOvn.controller.WatchEgressNodes()
fakeOvn.controller.WatchEgressIP()

Expand Down Expand Up @@ -2035,8 +2079,10 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
[]string{
fmt.Sprintf("ovn-nbctl --timeout=15 --format=csv --data=bare --no-heading --columns=_uuid,external_ids,match find logical_router_policy priority=100"),
fmt.Sprintf("ovn-nbctl --timeout=15 --format=csv --data=bare --no-heading --columns=_uuid,external_ids,logical_ip find nat"),
fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
},
)

fakeOvn.controller.WatchEgressNodes()
fakeOvn.controller.WatchEgressIP()

Expand Down Expand Up @@ -2161,6 +2207,7 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
fakeOvn.fakeExec.AddFakeCmdsNoOutputNoError(
[]string{
fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add ovn_cluster_router 101 ip4.src == 10.128.0.0/14 && ip4.dst == 10.128.0.0/14 allow"),
fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
},
)

Expand Down Expand Up @@ -2300,6 +2347,7 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
[]string{
fmt.Sprintf("ovn-nbctl --timeout=15 --format=csv --data=bare --no-heading --columns=_uuid,external_ids,match find logical_router_policy priority=100"),
fmt.Sprintf("ovn-nbctl --timeout=15 --format=csv --data=bare --no-heading --columns=_uuid,external_ids,logical_ip find nat"),
fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
},
)

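Review bot: The expected command added in the `@@ -254` hunk, `fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet)`, is pasted verbatim into the eleven hunks that follow, hard-coding the cluster subnet while taking the router, priority and join subnet from `types` and `config`; a single test helper such as `func expectedNoRerouteServicePolicyCmd() string` returning that string would keep the twelve copies from drifting when the policy match changes. As far as these hunks show, only the IPv4 policy is exercised; the IPv6 loop in createDefaultNoRerouteServicePolicies gets no expected `ip6.src` command here, so a regression in that branch would not be caught by this file. The `fmt.Sprintf` calls with no format verbs in the neighbouring context lines are pre-existing and not part of this change. The enclosing ginkgo Describe/It blocks start and end outside every hunk.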
