Support more traffic modes for Multi-cluster Gateway #4407
Conversation
luolanzone
force-pushed
the
mc-policyonly-routes
branch
from
cbf4317
to
21e451b
Compare
Codecov Report
@@ Coverage Diff @@
## main #4407 +/- ##
==========================================
- Coverage 69.83% 68.03% -1.81%
==========================================
Files 401 404 +3
Lines 59529 60278 +749
==========================================
- Hits 41575 41013 -562
- Misses 15142 16453 +1311
Partials 2812 2812
*This pull request uses carry forward flags. Click here to find out more.
|
luolanzone
force-pushed
the
mc-policyonly-routes
branch
2 times, most recently
from
ac9547d
to
810bdd6
Compare
luolanzone
force-pushed
the
mc-policyonly-routes
branch
from
810bdd6
to
120d9e7
Compare
multicluster/controllers/multicluster/resourceexport_controller.go
Outdated
Show resolved
Hide resolved
luolanzone
force-pushed
the
mc-policyonly-routes
branch
3 times, most recently
from
d7d6c06
to
08eae28
Compare
|
Will improve the unit test after cniserver package's UT #4348 is merged |
luolanzone
force-pushed
the
mc-policyonly-routes
branch
from
08eae28
to
b40fd4c
Compare
|
In commit message: responsible to do the following things -> responsible for the following in a general Node -> on a regular Node to minus the tunnel overhead -> with the tunnel header size deducted. |
multicluster/controllers/multicluster/resourceexport_controller.go
Outdated
Show resolved
Hide resolved
multicluster/controllers/multicluster/resourceexport_controller.go
Outdated
Show resolved
Hide resolved
luolanzone
force-pushed
the
mc-policyonly-routes
branch
3 times, most recently
from
21ebeda
to
234b02e
Compare
luolanzone
changed the title
luolanzone
force-pushed
the
mc-policyonly-routes
branch
2 times, most recently
from
d3e1729
to
6e38b7e
Compare
luolanzone
force-pushed
the
mc-policyonly-routes
branch
2 times, most recently
from
ed50fad
to
c0916d9
Compare
|
@luolanzone : my last commit changed the validation logic to ignore Multi-cluster options if the Multicluster feature gate is disabled, to be consistent with other features. You need to rebase and change the validation and agent init code too. |
|
@jianjuns sure, I will re-base first, thanks for the reminder. |
luolanzone
force-pushed
the
mc-policyonly-routes
branch
from
c0916d9
to
b4a2186
Compare
luolanzone
force-pushed
the
mc-policyonly-routes
branch
from
a00a36b
to
ff78c5b
Compare
|
/test-multicluster-e2e |
luolanzone
force-pushed
the
mc-policyonly-routes
branch
from
ff78c5b
to
f15ba00
Compare
cmd/antrea-agent/agent.go
Outdated
| mcClient, | ||
| gwInformer, | ||
| ciImportInformer, | ||
| mcInformerFactoryWithOption, |
There was a problem hiding this comment.
Why change it? I think the previous code that injects gwInformer and ciImportInformer explicitly is better:
- It's clear the controller has dependencies on Gateway and ClusterInfoImport.
- It follows the principle of least privilege.
- The gatewayInformer can be shared with mcPodRouteController.
There was a problem hiding this comment.
I was feeling the parameters are too long, and trying to reduce the number. Added them back.
cmd/antrea-agent/agent.go
Outdated
| ofClient, | ||
| ovsBridgeClient, | ||
| ifaceStore, | ||
| nodeConfig, | ||
| mcNamespace, | ||
| o.config.Multicluster.Namespace, |
There was a problem hiding this comment.
why it still needs to pass the namespace when the lister only contains objects in this namespace?
luolanzone
force-pushed
the
mc-policyonly-routes
branch
2 times, most recently
from
1c2a591
to
f215a36
Compare
| } | ||
|
|
||
| if ciImp.Namespace != c.namespace { | ||
| klog.ErrorS(errors.New("received unexpected object"), "enqueueClusterInfoImport can't process event", "obj", obj) |
|
|
||
| podIP := pod.Status.PodIP | ||
| podName := types.NamespacedName{Namespace: pod.Namespace, Name: pod.Name} | ||
| cachedPodIP, exists := c.getPodNameIPCache(podName) |
There was a problem hiding this comment.
I think we don't need this cache. The Pod update event has the old Pod information. The old Pod IP is already known. A single enqueuePod callback is not suitable here.
For add and delete event, the handler should just enqueue the PodIP if it's not empty and not HostNetwork.
For update event, the handler should check if PodIP or HostIP changes. If yes, it should enqueue old PodIP and new PodIP, or just new PodIP if it doesn't change.
There was a problem hiding this comment.
Yeah, the only usage seems to check if flows are installed for any Pod to call UninstallMulticlusterPodFlows() in syncGateway(). Maybe that is not necessary, and we can instead optimize a little to first check if the flow cache is empty or not in UninstallMulticlusterPodFlows() or deleteAllFlows.
There was a problem hiding this comment.
deleteFlows called by UninstallMulticlusterPodFlows already has this optimization (do nothing if cache is empty)
pkg/agent/openflow/client.go
Outdated
| delAllFlows = append(delAllFlows, delFlows...) | ||
| cache.Delete(key) |
There was a problem hiding this comment.
it should be done after the operation succeeds only, otherwise the cache will be inconsistent if it fails
pkg/agent/openflow/multicluster.go
Outdated
| // This generates the flow to forward cross-cluster request packets based | ||
| // on Pod IP. | ||
| return L3ForwardingTable.ofTable.BuildFlow(priorityNormal). |
There was a problem hiding this comment.
I was asking why it must use another rule to process this packet instead of the existing rule installed for in-cluster traffic. I now got it's because the VNI. I guess this should still use higher priority, otherwise packets may hit the other rule which doesn't encapsulate packet.
There was a problem hiding this comment.
You are right, updated it to priorityHigh
|
|
||
| podIP := pod.Status.PodIP | ||
| podName := types.NamespacedName{Namespace: pod.Namespace, Name: pod.Name} | ||
| cachedPodIP, exists := c.getPodNameIPCache(podName) |
There was a problem hiding this comment.
Yeah, the only usage seems to check if flows are installed for any Pod to call UninstallMulticlusterPodFlows() in syncGateway(). Maybe that is not necessary, and we can instead optimize a little to first check if the flow cache is empty or not in UninstallMulticlusterPodFlows() or deleteAllFlows.
| podIP := pod.Status.PodIP | ||
| podName := types.NamespacedName{Namespace: pod.Namespace, Name: pod.Name} | ||
| cachedPodIP, exists := c.getPodNameIPCache(podName) | ||
| if !exists && (podIP == "" || pod.Spec.HostNetwork) { |
There was a problem hiding this comment.
As Quan said you should pass both old and new Pod to this func, and check both (exists && !HostNetwork && podIP != "" && nodeIP != ""), and something like:
- !isOldValid && !newValid: return
- !isOldValid: Add(newPodIP)
- !isNewValid: Add(oldPodIP)
- if oldPodIP != newPodIP: Add(newPodIP) Add(newPodIP)
- if oldNodeIP != newNodeIP: Add(newPodIP)
luolanzone
force-pushed
the
mc-policyonly-routes
branch
from
f215a36
to
4e43cba
Compare
|
/test-multicluster-e2e |
luolanzone
force-pushed
the
mc-policyonly-routes
branch
2 times, most recently
from
4e14b49
to
ccf17e0
Compare
|
|
||
| podIP := pod.Status.PodIP | ||
| podName := types.NamespacedName{Namespace: pod.Namespace, Name: pod.Name} | ||
| cachedPodIP, exists := c.getPodNameIPCache(podName) |
There was a problem hiding this comment.
deleteFlows called by UninstallMulticlusterPodFlows already has this optimization (do nothing if cache is empty)
| mcClient mcclientset.Interface | ||
| ovsBridgeClient ovsconfig.OVSBridgeClient | ||
| ofClient openflow.Client | ||
| interfaceStore interfacestore.InterfaceStore | ||
| nodeConfig *config.NodeConfig | ||
| podQueue workqueue.RateLimitingInterface | ||
| gwQueue workqueue.RateLimitingInterface | ||
| podInformer cache.SharedIndexInformer | ||
| podLister corelisters.PodLister | ||
| gwInformer cache.SharedIndexInformer | ||
| gwLister mclisters.GatewayLister | ||
| // podWorkersStarted is a boolean which tracks if the Pod flow controller has been started. | ||
| podWorkersStarted bool | ||
| podWorkersStartedMutex sync.RWMutex | ||
| podWorkerStopCh chan struct{} |
There was a problem hiding this comment.
There are a few attributes never used, please clean them up and remove from the constructor.
There was a problem hiding this comment.
Removed, thanks.
luolanzone
force-pushed
the
mc-policyonly-routes
branch
from
ccf17e0
to
a71b642
Compare
|
/test-multicluster-e2e |
luolanzone
force-pushed
the
mc-policyonly-routes
branch
from
a71b642
to
be7e924
Compare
| // traffic will not go through tunnels in those modes. | ||
| type MCPodRouteController struct { | ||
| k8sClient kubernetes.Interface | ||
| mcClient mcclientset.Interface |
|
/test-all |
In order to support multi-cluster traffic when the member cluster is deployed with networkPolicyOnly, noEcap or hybrid mode, antrea-agent will be responsible for the following things: 1. Create tunnel interface `antrea-tun0` for cross-cluster traffic 2. Watch all Pods on the Gateway and set up one rule per Pod in L3Fowarding table as long as the Pod is running on a regular Node instead of the Gateway. 3. Update container interface's MTU with the tunnel header size deducted. Signed-off-by: Lan Luo <luola@vmware.com>
luolanzone
force-pushed
the
mc-policyonly-routes
branch
from
be7e924
to
cb53264
Compare
|
/test-all |
In order to support multi-cluster traffic when the member cluster is deployed with networkPolicyOnly, noEcap or hybrid mode, antrea-agent will be responsible for the following things: 1. Create tunnel interface `antrea-tun0` for cross-cluster traffic 2. Watch all Pods on the Gateway and set up one rule per Pod in L3Fowarding table as long as the Pod is running on a regular Node instead of the Gateway. 3. Update container interface's MTU with the tunnel header size deducted. Signed-off-by: Lan Luo <luola@vmware.com>
In order to support multi-cluster traffic when the member cluster is deployed with networkPolicyOnly, noEncap and hybrid mode, antrea-agent will be responsible for the following:
antrea-tun0for cross-cluster trafficFor #4383
The change is based on PR #4508, please review the top commit, thanks.
Signed-off-by: Lan Luo luola@vmware.com