Implement Antrea proxy #772
Conversation
|
Thanks for your PR. The following commands are available:
These commands can only be run by members of the vmware-tanzu organization. |
|
/test-conformance |
|
/test-networkpolicy |
weiqiangt
force-pushed
the
weiqiangt/antrea-proxy
branch
3 times, most recently
from
296b664
to
d522aa7
Compare
|
/test-windows-conformance |
weiqiangt
force-pushed
the
weiqiangt/antrea-proxy
branch
5 times, most recently
from
7fb5813
to
a33d19c
Compare
weiqiangt
force-pushed
the
weiqiangt/antrea-proxy
branch
from
a33d19c
to
c207764
Compare
weiqiangt
force-pushed
the
weiqiangt/antrea-proxy
branch
from
c207764
to
042161e
Compare
|
/test-all |
weiqiangt
force-pushed
the
weiqiangt/antrea-proxy
branch
from
042161e
to
14db0c5
Compare
|
/test-all |
|
@weiqiangt @jianjuns just wanted to check if the plan was to enable this mode unconditionally starting with the next Antrea release (0.8.0)? Or have a config switch (temporarily or permanently) to enable / disable the feature? Personally I am fine with enabling unconditionally, I don't if a user would have as a requirement that kube-proxy must be used. This is relevant to @srikartati who is working on conntrack polling for IPFix flow information export. |
Just to be specific.. looking at supporting Pod-to-Service flows/connections as IPFIX flow records. |
I suggest to add a config option, and maybe keep the default to upstream kube-proxy for Linux nodes, until we are confident on the quality and have enough tests. |
weiqiangt
force-pushed
the
weiqiangt/antrea-proxy
branch
5 times, most recently
from
5b55336
to
c97d15a
Compare
weiqiangt
force-pushed
the
weiqiangt/antrea-proxy
branch
from
a0f6639
to
1f7353d
Compare
| # Enable antrea proxy which provides ServiceLB for in-cluster services in antrea agent. | ||
| # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on | ||
| # Service traffic. | ||
| # AntreaProxy: false |
There was a problem hiding this comment.
I feel ok to add relatively mature features to the yamls but not all features. Creating a separate doc sounds good.
pkg/agent/proxy/proxier.go
Outdated
| serviceConfig *config.ServiceConfig | ||
| // endpointsChanges and serviceChanges contains all changes to endpoints and | ||
| // services that happened since last syncProxyRules call. For a single object, | ||
| // changes are accumulated, i.e. previous is state from before all of them, |
There was a problem hiding this comment.
Maybe you should add the comments about previous/current to endpointsChanges struct or endpointsChangesTracker funcs. Hard to understand from here.
| k8sproxy "github.com/vmware-tanzu/antrea/third_party/proxy" | ||
| ) | ||
|
|
||
| type endpointsChange struct { |
There was a problem hiding this comment.
I think you should add more comments to this file for structs and funcs. Not easy to understand the code without enough comments.
| endpointsConfig *config.EndpointsConfig | ||
| serviceConfig *config.ServiceConfig | ||
| // endpointsChanges and serviceChanges contains all changes to endpoints and | ||
| // services that happened since last syncProxyRules call. For a single object, |
There was a problem hiding this comment.
I think it would be much better if you can add some comments to explain the event sequence before syncProxyRules.
|
/test-windows-networkpolicy |
weiqiangt
force-pushed
the
weiqiangt/antrea-proxy
branch
from
1f7353d
to
d82e51e
Compare
|
/test-all |
|
/test-networkpolicy |
weiqiangt
force-pushed
the
weiqiangt/antrea-proxy
branch
from
d82e51e
to
c7ab11b
Compare
|
@weiqiangt the PR description about enableProxy is out of date, could you update? |
|
/test-all |
|
/test-all |
|
/test-conformance |
|
/test-e2e |
pkg/agent/openflow/pipeline.go
Outdated
| endpointIP := net.ParseIP(endpoint.IP()).To4() | ||
| ipVal := binary.BigEndian.Uint32(endpointIP) | ||
| portVal := uint16(endpointPort) | ||
| // TODO: use goto_table instead. |
There was a problem hiding this comment.
maybe a comment to this effect would have been nice
pkg/agent/openflow/client.go
Outdated
| // affinityTimeout is not zero, it also installs the flow which has a learn | ||
| // action to maintain the LB decision. | ||
| // The group with the groupID must be installed before, otherwise the | ||
| // installation will be failed. |
There was a problem hiding this comment.
s/will be failed/will fail
pkg/agent/proxy/endpoints.go
Outdated
|
|
||
| // endpointsChangesTracker tracks Endpoints changes. | ||
| type endpointsChangesTracker struct { | ||
| // hostname is used to tell whether the Endpoint locates on current Node. |
pkg/agent/proxy/endpoints.go
Outdated
|
|
||
| // OnEndpointUpdate updates given Service's Endpoints change map based on the | ||
| // <previous, current> Endpoints pair. It returns true if items changed, | ||
| // otherwise return false. |
There was a problem hiding this comment.
s/return false/it returns false
pkg/agent/proxy/endpoints.go
Outdated
| } | ||
|
|
||
| // endpointsToEndpointsMap translates single Endpoints object to EndpointsMap. | ||
| // This function is used for incremental updated of EndpointsMap. |
pkg/agent/proxy/proxier.go
Outdated
| // endpointsChanges and serviceChanges contains all changes to endpoints and | ||
| // services that happened since last syncProxyRules call. For a single object, | ||
| // changes are accumulated. Once both endpointsChanges and serviceChanges | ||
| // had been synced, syncProxyRules will start syncing rules to the OVS. |
There was a problem hiding this comment.
| // had been synced, syncProxyRules will start syncing rules to the OVS. | |
| // have been synced, syncProxyRules will start syncing rules to OVS. | |
pkg/agent/proxy/proxier.go
Outdated
| serviceChanges *serviceChangesTracker | ||
| // syncProxyRulesMutex protects internal caches and states. | ||
| syncProxyRulesMutex sync.Mutex | ||
| // serviceMap stores services we expected to be installed. |
pkg/agent/proxy/proxier.go
Outdated
| serviceMap k8sproxy.ServiceMap | ||
| // serviceInstalledMap stores services we actually installed. | ||
| serviceInstalledMap k8sproxy.ServiceMap | ||
| // endpointsMap stores endpoints we expected to be installed. |
test/e2e/proxy_test.go
Outdated
| } | ||
| defer teardownTest(t, data) | ||
|
|
||
| if enabled, err := proxyEnabled(data); err != nil { |
There was a problem hiding this comment.
maybe define skipIfProxyDisabled(t, data) in this file to reduce verbosity of this test and the subsequent ones
| ) | ||
|
|
||
| func proxyEnabled(data *TestData) (bool, error) { | ||
| key := "resubmit(,40),resubmit(,41)" |
There was a problem hiding this comment.
as a follow-up to an earlier comment I made, there is already a GetAntreaConfigMap method defined for e2e tests, but I am not sure it's a much better solution than what you are doing at the moment
There was a problem hiding this comment.
If we use the configmap method, then we will need to parse the config.
For now, I prefer to keep the current code.
In the future, as we may add more experimental features, we can have a particular function to retrieve featuregayte options in e2e tests. How do you think about this?
pkg/agent/proxy/endpoints.go
Outdated
| return endpointsMap | ||
| } | ||
|
|
||
| // Update updates an EndpointsMap base on current changes and returns stale |
Co-authored-by: Quan Tian <[email protected]> Signed-off-by: Weiqiang TANG <[email protected]>
weiqiangt
force-pushed
the
weiqiangt/antrea-proxy
branch
from
c7ab11b
to
6a82265
Compare
|
/test-all |
|
/test-conformance |
|
/test-windows-networkpolicy |
Signed-off-by: Weiqiang TANG <[email protected]>
Signed-off-by: Weiqiang TANG <[email protected]>
AntreaProxyoption in FeatureGate for enabling Antrea proxy in the antrea agent. The default value for Linux is false while a Windows one is true.Fixes #463.
Signed-off-by: Weiqiang TANG [email protected]