
PNI for Calico on Windows on RKE2 #106

Closed
Tracked by #70
sirredbeard opened this issue Oct 20, 2021 · 6 comments

Comments

@sirredbeard
Contributor

No description provided.

@sirredbeard sirredbeard changed the title Estimate work for PNI for Calico on Windows on RKE2 PNI for Calico on Windows on RKE2 Nov 1, 2021
@deniseschannon deniseschannon added this to the v2.6.4 - Triaged milestone Dec 8, 2021
@sirredbeard sirredbeard added this to Q1 in 2022 Roadmap Jan 7, 2022
@sirredbeard sirredbeard changed the title PNI for Calico on Windows on RKE2 Test PNI for Calico on Windows on RKE2 Jan 18, 2022
@sirredbeard sirredbeard moved this from Next Up to In Progress in Windows Team 2.6.4 / GA of Windows on RKE2 Jan 18, 2022
@phillipsj
Contributor

I have tested PNI and it works as expected. Here is how I tested.

  1. Created a Custom RKE2 cluster using 1.22.5+rke2r2 with project network isolation

  2. Created two projects called project1 and project2. I then created a namespace in each project with the same name as the project.
    [screenshot: project-setup]

  3. Deployed nginx and IIS webserver pods in both projects.
    [screenshot: workloads-deployed]

  4. Execed into every pod in each project and verified that they can curl the default webpage.
    [screenshot: project1-iis-to-nginx]
    [screenshot: project1-nginx-to-iis]
    [screenshot: project2-iis-to-nginx]
    [screenshot: project2-nginx-to-iis]

  5. Execed into a pod in a different project and ensured it can't curl the default webpage of either pod in the other project.
    [screenshot: project1-to-project2-both-pods-failure]
    [screenshot: project2-to-project1-both-pods-failure]

@sirredbeard @rosskirkpat @luthermonson @slickwarren @sgapanovich @sowmyav27

@phillipsj
Contributor

@sowmyav27 @sirredbeard this was assigned to Vlad.

@slickwarren
Contributor

using 2.6.4-rc2, I was able to verify that PNI for Calico is working by doing the following (3etcd, 2cp, 3linux workers, 2windows workers with windows version 2022, k8s v1.22.6+rke2r1):

  • when deploying the custom cluster, enable PNI
  • add windows nodes
  • create 2 projects, p1 and p2
  • for each project, create a namespace with same name as project
  • create a linux workload (nginx) scheduled on a linux worker for each namespace
  • create a windows workload (iis windows servercore) for each namespace

tests:

  • linux pods in p1 can curl any workload in p1 -- pass
  • windows pods in p1 can curl any workload in p1 -- fail; windows pods were only able to curl their own IP
    • also tested deploying a 2nd windows pod here to see if it was a windows -> linux issue, but windows -> windows also doesn't work
  • linux/windows in p1 can NOT curl any workload from p2 -- pass
    (and vice versa for p2 was tested).

@phillipsj can you confirm that the windows behavior is expected?

@phillipsj
Contributor

@slickwarren Windows pods should have been able to curl other Windows pods and Linux pods. I performed my testing using 2019. 2022 does have bugs in the kernel that would impact this testing.

@phillipsj
Contributor

@slickwarren I just created a cluster using Rancher 2.64-rc2 and RKE2 1.22.6 with Windows 2019 and Windows 2022 worker nodes. I was able to access a web page from the following, checking both Windows 2019 and Windows 2022:

  • linux -> windows
  • linux -> linux
  • windows -> linux
  • windows -> windows
    [screenshot: pni-verification]
    [screenshot: windows-to-windows-working]

The upstream bug isn't causing this issue. This leads me to believe that one of these three is causing the issue:

  • Windows Firewall is enabled on a server
  • Source/Destination isn't checked in AWS
  • AWS Security Group

@slickwarren
Contributor

tested the following on v2.6.4-rc2:

  • provision custom cluster v1.22.6+rke2r1
    • add 2 windows worker nodes, v2022, to the cluster
    • for windows nodes, manually disable firewall, source/destination
  • create 2 projects, each with 1 namespace each
  • deploy a windows and linux workload in each of the new projects
    tested windows <-> linux for each of the following:
  • ensure that windows workloads are able to curl pods in the same project -- pass
  • ensure that windows workloads cannot curl pods in other projects -- pass
  • ensure that linux workloads are able to curl pods in the same project -- pass
  • ensure that linux workloads cannot curl pods in other projects -- pass
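The three test reports in this thread all follow the same procedure: one namespace per project, a Linux (nginx) and a Windows (IIS) web pod in each, then curl every pod from every other pod and expect same-project requests to succeed and cross-project requests to fail. The script below is an added example and is not code from this issue, from Rancher or from RKE2; it turns that procedure into a connectivity matrix so a leak (cross-project traffic allowed) is reported separately from the Windows symptom seen above (same-project traffic denied). `kubectl_curl_probe` is hypothetical wiring that assumes `kubectl` is configured for the cluster and that `curl` (`curl.exe` in the Windows servercore image) exists in the pods; the pod IPs and the observation tables at the bottom are constructed so the matrix logic can be exercised without a cluster.

```python
"""Project network isolation (PNI) connectivity matrix check.

Added example, not code from this issue or from Rancher/RKE2. Encodes the
testers' expectation: a pod must reach every pod in the same project and
must not reach any pod in another project. kubectl_curl_probe is the
hypothetical wiring to a real cluster; the constructed tables at the bottom
let the matrix logic run offline.
"""
import subprocess
from dataclasses import dataclass
from itertools import permutations
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Pod:
    name: str        # "namespace/pod" so names stay unique across projects
    namespace: str
    project: str     # the Rancher project the namespace belongs to
    ip: str
    windows: bool = False


Probe = Callable[[Pod, Pod], bool]
Result = Tuple[Pod, Pod, bool, bool]   # src, dst, expected, observed


def expected_reachable(src: Pod, dst: Pod) -> bool:
    """PNI rule under test: only same-project pods may talk to each other."""
    return src.project == dst.project


def kubectl_curl_probe(src: Pod, dst: Pod, timeout: int = 5) -> bool:
    """Exec into src and curl dst's pod IP (assumes kubectl is configured and
    curl / curl.exe exists in the image). Any non-zero exit, including curl's
    7 (connection refused) and 28 (timeout), counts as unreachable, so check
    the same-project positive cases first to rule out a broken exec path."""
    curl = "curl.exe" if src.windows else "curl"
    cmd = ["kubectl", "exec", "-n", src.namespace, src.name.split("/")[-1], "--",
           curl, "-s", "-m", str(timeout), f"http://{dst.ip}/"]
    try:
        return subprocess.run(cmd, capture_output=True, timeout=timeout + 15).returncode == 0
    except subprocess.TimeoutExpired:
        return False


def table_probe(reachable: Set[Tuple[str, str]]) -> Probe:
    """Probe backed by a precomputed set of (src_ip, dst_ip) pairs that succeeded."""
    return lambda src, dst: (src.ip, dst.ip) in reachable


def run_matrix(pods: List[Pod], probe: Probe) -> List[Result]:
    """Probe every ordered pair of distinct pods."""
    return [(s, d, expected_reachable(s, d), probe(s, d)) for s, d in permutations(pods, 2)]


def failures(results: List[Result]) -> List[Tuple[str, str, bool, bool]]:
    """Pairs whose observed reachability differs from the PNI expectation."""
    return [(s.name, d.name, exp, obs) for s, d, exp, obs in results if exp != obs]


def summarize(results: List[Result]) -> Dict[str, int]:
    """Split outcomes into passes, isolation leaks, and same-project blocks."""
    counts = {"pass": 0, "leak": 0, "blocked_in_project": 0}
    for _, _, exp, obs in results:
        if exp == obs:
            counts["pass"] += 1
        elif obs:                      # reachable but should have been isolated
            counts["leak"] += 1
        else:                          # same project, yet traffic was denied
            counts["blocked_in_project"] += 1
    return counts


# Constructed sample: the four pods from the thread, with made-up IPs.
SAMPLE_PODS = [
    Pod("project1/nginx", "project1", "project1", "10.42.0.10"),
    Pod("project1/iis", "project1", "project1", "10.42.1.10", windows=True),
    Pod("project2/nginx", "project2", "project2", "10.42.0.20"),
    Pod("project2/iis", "project2", "project2", "10.42.1.20", windows=True),
]

# Constructed observation tables: a healthy cluster, the Windows symptom from
# the thread (Windows pods reach nothing but themselves), and a PNI leak.
HEALTHY = {(s.ip, d.ip) for s, d in permutations(SAMPLE_PODS, 2) if s.project == d.project}
WINDOWS_EGRESS_BROKEN = {pair for pair in HEALTHY
                         if not next(p for p in SAMPLE_PODS if p.ip == pair[0]).windows}
CROSS_PROJECT_LEAK = HEALTHY | {("10.42.0.10", "10.42.0.20")}


if __name__ == "__main__":
    # Against a real cluster: build the Pod list from `kubectl get pods -A -o wide`
    # and pass kubectl_curl_probe instead of a table_probe.
    for label, table in [("healthy", HEALTHY), ("windows broken", WINDOWS_EGRESS_BROKEN)]:
        results = run_matrix(SAMPLE_PODS, table_probe(table))
        print(label, summarize(results))
        for src, dst, exp, obs in failures(results):
            print(f"  {src} -> {dst}: expected {'allow' if exp else 'deny'}, observed {'allow' if obs else 'deny'}")
```

Treating a failed exec as "unreachable" is deliberate but means a pod that is not ready, or an image without curl, shows up as `blocked_in_project` rather than as a leak; that is the safe direction for an isolation check, and the same-project positive rows in the matrix are what tell a broken probe apart from a broken data path.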
