Correct egress IP assignment for egress node IPs #1668
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
alexanderConstantinescu
force-pushed
the
egressip-node-fix
branch
from
625102e
to
9ebcbf1
Compare
Hm... in openshift-sdn it's not valid to use a node's actual IP as an egress IP. Because the node IP is going to be used for random traffic from other pods on that node, so it's not useful as an identifiable egress IP |
Dohh (insert pic of Homer Simpson) Do we still want to insure ourselves for such a scenario (i.e, user specifies an egress IP which happens to be a cluster node IP), or does that fall under the "don't do that" category? |
|
We should check for it and consider it unsatisfiable/an error, like whatever we do if they request an egress IP that's not in any of the available CIDR ranges. |
alexanderConstantinescu
force-pushed
the
egressip-node-fix
branch
from
9ebcbf1
to
5ce925f
Compare
FYI @danwinship : I've update the PR to do this. |
When an egress IP is specified equaling a node's IP address, we can end up in the situation where the assignment procedure assigns the egress IP to another cluster node, and thus missing the node actually hosting that IP address. This patch thus fixes this by invoking an error during the assignment procedure and triggering an event notifying him/her of this unsupported request. Signed-off-by: Alexander Constantinescu <aconstan@redhat.com>
Previously we only logged an error when the specified egress IP was invalid. Having worked on the previous commit I realized that it is more coherent to return an error to the user notifying him/her of this incorrect definition. The risk is that if a user specified multiple egress IPs and one is incorrect and we trigger an event, that this event goes unoticied but causes confusion later on. Signed-off-by: Alexander Constantinescu <aconstan@redhat.com>
alexanderConstantinescu
force-pushed
the
egressip-node-fix
branch
from
5ce925f
to
15bb754
Compare
|
@danwinship : could you please take a look at this again? |
danwinship
reviewed
Oct 19, 2020
| func (oc *Controller) isAnyClusterNodeIP(ip net.IP) *eNode { | ||
| for _, eNode := range oc.eIPAllocator { | ||
| if (utilnet.IsIPv6(ip) && eNode.v6IP != nil && eNode.v6IP.Equal(ip)) || | ||
| (!utilnet.IsIPv6(ip) && eNode.v4IP != nil && eNode.v4IP.Equal(ip)) { |
There was a problem hiding this comment.
fwiw just if ip.Equal(eNode.v6IP) || ip.Equal(eNode.v4IP) would work.
| (!utilnet.IsIPv6(eIPC) && eNodes[i].v4Subnet != nil && eNodes[i].v4Subnet.Contains(eIPC)) { | ||
| eNodes[i].tainted, oc.eIPAllocator[eNodes[i].name].allocations[eIPC.String()] = true, true | ||
| if (utilnet.IsIPv6(eIPC) && assignableNodes[i].v6Subnet != nil && assignableNodes[i].v6Subnet.Contains(eIPC)) || | ||
| (!utilnet.IsIPv6(eIPC) && assignableNodes[i].v4Subnet != nil && assignableNodes[i].v4Subnet.Contains(eIPC)) { |
There was a problem hiding this comment.
similarly, could do just
if (assignableNodes[i].v6Subnet != nil && assignableNodes[i].v6Subnet.Contains(eIPC)) ||
(assignableNodes[i].v4Subnet != nil && assignableNodes[i].v4Subnet.Contains(eIPC)) {
You're allowed to ask if an IPv6 subnet contains an IPv4 IP or vice versa. (The answer is just guaranteed to be "no".)
alexanderConstantinescu
added a commit
to alexanderConstantinescu/ovn-kubernetes
that referenced
this pull request
Oct 20, 2020
Now that local gateway mode is removed we can cleanup stuff like modeEgressIP and the likes and just use one data container as a controller for egress IP assignment/setup Signed-off-by: Alexander Constantinescu <aconstan@redhat.com> Cleanup egress IP conditions There were a couple of nits on PR: ovn-org#1668 that I didn't get the chance to fix before it merged. So I am doing that here instead Signed-off-by: Alexander Constantinescu <aconstan@redhat.com>
alexanderConstantinescu
added a commit
to alexanderConstantinescu/ovn-kubernetes
that referenced
this pull request
Oct 21, 2020
PR: ovn-org#1668 re-worked the way egress IP assignment is done, taking into account that users do not accidentally assign a node IP as egress IP and screws up cluster networking. However, it introduced a bug, namely: we now have a problem with reconciliation of nodes for egress, ultimately skipping any UPDATE event for nodes. Thus, if ovnkube-node does not label a node in question with k8s.ovn.org/node-primary-ifaddr before ovnkube-master received the ADD for that node, then we never proceed to update our internal data with that node when we receive the UPDATE. This commit fixes that Signed-off-by: Alexander Constantinescu <aconstan@redhat.com>
alexanderConstantinescu
added a commit
to alexanderConstantinescu/ovn-kubernetes
that referenced
this pull request
Oct 26, 2020
Now that local gateway mode is removed we can cleanup stuff like modeEgressIP and the likes and just use one data container as a controller for egress IP assignment/setup Signed-off-by: Alexander Constantinescu <aconstan@redhat.com> Cleanup egress IP conditions There were a couple of nits on PR: ovn-org#1668 that I didn't get the chance to fix before it merged. So I am doing that here instead Signed-off-by: Alexander Constantinescu <aconstan@redhat.com>
mccv1r0
pushed a commit
to mccv1r0/ovn-kubernetes
that referenced
this pull request
Oct 28, 2020
PR: ovn-org#1668 re-worked the way egress IP assignment is done, taking into account that users do not accidentally assign a node IP as egress IP and screws up cluster networking. However, it introduced a bug, namely: we now have a problem with reconciliation of nodes for egress, ultimately skipping any UPDATE event for nodes. Thus, if ovnkube-node does not label a node in question with k8s.ovn.org/node-primary-ifaddr before ovnkube-master received the ADD for that node, then we never proceed to update our internal data with that node when we receive the UPDATE. This commit fixes that Signed-off-by: Alexander Constantinescu <aconstan@redhat.com>
mccv1r0
pushed a commit
to mccv1r0/ovn-kubernetes
that referenced
this pull request
Oct 28, 2020
Now that local gateway mode is removed we can cleanup stuff like modeEgressIP and the likes and just use one data container as a controller for egress IP assignment/setup Signed-off-by: Alexander Constantinescu <aconstan@redhat.com> Cleanup egress IP conditions There were a couple of nits on PR: ovn-org#1668 that I didn't get the chance to fix before it merged. So I am doing that here instead Signed-off-by: Alexander Constantinescu <aconstan@redhat.com>
alexanderConstantinescu
added a commit
to alexanderConstantinescu/ovn-kubernetes-1
that referenced
this pull request
Nov 16, 2020
PR: ovn-org/ovn-kubernetes#1668 re-worked the way egress IP assignment is done, taking into account that users do not accidentally assign a node IP as egress IP and screws up cluster networking. However, it introduced a bug, namely: we now have a problem with reconciliation of nodes for egress, ultimately skipping any UPDATE event for nodes. Thus, if ovnkube-node does not label a node in question with k8s.ovn.org/node-primary-ifaddr before ovnkube-master received the ADD for that node, then we never proceed to update our internal data with that node when we receive the UPDATE. This commit fixes that Signed-off-by: Alexander Constantinescu <aconstan@redhat.com>
alexanderConstantinescu
added a commit
to alexanderConstantinescu/ovn-kubernetes-1
that referenced
this pull request
Jan 4, 2021
Now that local gateway mode is removed we can cleanup stuff like modeEgressIP and the likes and just use one data container as a controller for egress IP assignment/setup Signed-off-by: Alexander Constantinescu <aconstan@redhat.com> Cleanup egress IP conditions There were a couple of nits on PR: ovn-org/ovn-kubernetes#1668 that I didn't get the chance to fix before it merged. So I am doing that here instead Signed-off-by: Alexander Constantinescu <aconstan@redhat.com>
kyrtapz
pushed a commit
to kyrtapz/ovn-kubernetes
that referenced
this pull request
Sep 25, 2023
…y-pick-1665-to-release-4.13 [release-4.13] OCPBUGS-13170:Fix bug that resulted in routes not be restored to a new vnic
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When writing e2e tests for Egress IP (upcoming PR soon), I realized a mistake made on my part in the assignment procedure, namely: when specifying an egress IP which is a cluster node X's IP address, we might assign it to another node Y in the assignment procedure. This patch thus fixes this by implementing a check and making sure that if the egress IP specified is a cluster node's, that it is also assigned to exactly that node. If that node does not have the egress label, then we do not perform an assignment and notify the user by triggering an event.
Some of the tests in
egressip_test.gowere explicitly wrong and testing and verifying the complete opposite to what they should have....I obviously should have paid more attention to that and not let it slip by./assign @danwinship
- What this PR does and why is it needed
- Special notes for reviewers
- How to verify it
- Description for the changelog