Add support for short-circuiting in AntreaProxy #4815
Conversation
There was a problem hiding this comment.
@hongliangl I think you should first have a clear description to explain what it tries to do for better understanding. The term short-circuiting is too obscure. Even a few weeks ago we had totally different understandings about it, and I'm not sure if we reach a consensus yet before I take a deep look at the code, not to mention other reviewers.
hongliangl
force-pushed
the
20230328-short-circuit
branch
2 times, most recently
from
988c0a5
to
e6b33de
Compare
hongliangl
force-pushed
the
20230328-short-circuit
branch
from
e6b33de
to
29a1a29
Compare
hongliangl
added
area/proxy
hongliangl
force-pushed
the
20230328-short-circuit
branch
from
29a1a29
to
8675f47
Compare
|
@hongliangl : the commit is "Add support for ExternalIP in AntreaProxy"? Have you pushed the right commit? |
hongliangl
force-pushed
the
20230328-short-circuit
branch
from
8675f47
to
8af63ce
Compare
I pushed wrong git commit. I just updated it. |
hongliangl
force-pushed
the
20230328-short-circuit
branch
2 times, most recently
from
1326571
to
0f3fc2b
Compare
|
@hongliangl I would suggest to remove |
hongliangl
force-pushed
the
20230328-short-circuit
branch
4 times, most recently
from
194f5db
to
133d264
Compare
|
@hongliangl I think NodePort should respect ExternalTrafficPolicy according to https://github.com/kubernetes/kubernetes/blob/122a459dcbf7b2317ac5bd3793ed94a400bd4a77/staging/src/k8s.io/api/core/v1/types.go#L4746-L4749 |
Since it has the definition in API comment, we should implement proxy as it describes. |
hongliangl
force-pushed
the
20230328-short-circuit
branch
from
133d264
to
34f157d
Compare
hongliangl
force-pushed
the
20230328-short-circuit
branch
2 times, most recently
from
cff9001
to
3f0a45c
Compare
|
The dependency has been merged, could you rebase? |
Sure, I'll rebase it right now. |
hongliangl
force-pushed
the
20230328-short-circuit
branch
from
3f0a45c
to
4ac17e1
Compare
hongliangl
force-pushed
the
20230328-short-circuit
branch
from
4ac17e1
to
29a8b10
Compare
hongliangl
force-pushed
the
20230328-short-circuit
branch
2 times, most recently
from
3184f14
to
6eaf6b0
Compare
hongliangl
force-pushed
the
20230328-short-circuit
branch
from
6eaf6b0
to
fff3c66
Compare
|
|
||
| clientIP, err := probeClientIPFromPod(data, pod, busyboxContainerName, url) | ||
| require.NoError(t, err, errMsg) | ||
| require.Equal(t, clientIP, expectedClientIPs[idx]) |
There was a problem hiding this comment.
Is the clientIP expected to change?
There was a problem hiding this comment.
For non-host-network Endpoint, the clientIP should be always the same (source Pod IP), but for host-network Endpoint, if the Endpoint is on local host-network, the clientIP should be the source Pod IP; if the Endpoint is on a remote Node, the clientIP will be the transparent interface IP. In this test, we have two host-network Endpoint, and both of them can be selected even when ExternalTrafficPolicy is Local for client from Pod.
There was a problem hiding this comment.
It should be Node IP. For example, if the Endpoint is a host network on another Node, the packet will be forwarded to local Node host network, then will be SNATed to remote Node. The SNATed IP should be the local Node IP.
There was a problem hiding this comment.
OK, it seems the SNAT is not necessary but I understand it's not related to the PR.
There was a problem hiding this comment.
For example, assuming that there are two Nodes:
Node A: 192.168.77.100, Pod CIDR 10.10.0.0/24
Node B: 192.168.77.101, Pod CIDR 10.10.1.0/24
Service: 10.96.0.9:8080, two Endpoints, 192.168.77.100:8080, 192.168.77.101:8080
Pod on Node A: 10.10.0.10
Previously, if externalTrafficPolicy is Local, for Pod -> Service, only Endpoint 192.168.77.100:8080 will be selected, and the clientIP is 10.10.0.10. Now, Endpoint 192.168.77.101:8080 could be also selected. If so:
- on Pod network: 10.10.0.10 -> 10.96.0.9
- on host network: 10.10.0.10 -> 192.168.77.101
- to make sure that the reply packets can be returned correctly, on network between Nodes: 192.168.77.100 -> 192.168.77.101, then the clientIP is 192.168.77.100. As a result, the clientIP is not certain. It could be 10.10.0.10 or 192.168.77.100.
|
/test-all |
Short-circuiting is used to ensure that the traffic from Pod/Node clients to external addresses behaves the same way as the traffic from external clients to external addresses. External clients do not need to consider which Nodes have local Endpoints, as the load balancer handles this for them. However, for Pod/Node clients, when the externalTrafficPolicy of the Service is set to "Local", it will not work on Nodes without an Endpoint. With this PR, even when the externalTrafficPolicy is set to "Local", Pod/Node clients without local Endpoints can still work by selecting Endpoints from the cluster. Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
hongliangl
force-pushed
the
20230328-short-circuit
branch
from
fff3c66
to
8caa6ec
Compare
@tnqn only renamed a variable, no other changes. |
|
/test-all |
|
/test-windows-proxyall-e2e |
|
/test-windows-conformance |
|
Thanks for merging this PR. |
Short-circuiting is used to ensure that the traffic from Pod/Node clients to external addresses behaves the same way as the traffic from external clients to external addresses. External clients do not need to consider which Nodes have local Endpoints, as the load balancer handles this for them. However, for Pod/Node clients, when the externalTrafficPolicy of the Service is set to "Local", it will not work on Nodes without an Endpoint. With this PR, even when the externalTrafficPolicy is set to "Local", Pod/Node clients without local Endpoints can still work by selecting Endpoints from the cluster. Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
Short-circuiting is used to ensure that the traffic from Pod/Node clients to
external addresses behaves the same way as the traffic from external clients to
external addresses.
External clients do not need to consider which Nodes have local Endpoints, as the
load balancer handles this for them. However, for Pod/Node clients, when the
externalTrafficPolicy of the Service is set to "Local", it will not work on Nodes
without an Endpoint. With this PR, even when the externalTrafficPolicy is set
to "Local", Pod/Node clients without local Endpoints can still work by selecting
Endpoints from the cluster.