BPF MASQ for veth mode and ip-masq-agent

[brb]

This PR is the same as #10878, but minus the multi-dev NodePort and the tests. I've created it for easier reviewing. Once it's merged, I will open a PR for the rest.

• Removes BPF MASQ from ipvlan.
• BPF MASQ for veth mode (ipv4-only).
• BPF ip-masq-agent.

The follow-up TODO: #11018.

Fix #10229
Fix #9922

Add BPF masquerading for veth mode
Add BPF-based ip-masq-agent

@joestringer I believe you have already reviewed all the changes in this PR.

[brb]

test-me-please

[brb]

test-me-please

[coveralls]

Coverage increased (+0.005%) to 44.607% when pulling 892cefb on pr/brb/bpf-masq-and-agent into 4e17dfe on master.

[joestringer]

Just minor nits in addition to previous feedback, LGTM.

[joestringer]

I note that the inability to restore will cause daemon crash here. On the flip side, if there's a problem with the config we will instead just put the controller into an error state and still successfully run the daemon. Not sure if that's specifically thought through or just the most convenient way to represent those errors?

I can't think of a specific failure case that would cause this to be a problem, just seems slightly mismatched in the representation of the errors. Probably restore won't fail anyway, it just requires the ability to create the map (incl. the resource limits stuff) + ability to dump a (potentially empty) map.

[brb]

That's intended.

If the restore fails, then it's a good indicator that something is wrong with a system (e.g. the resource limit), and it's OK for cilium-agent not to start. Otherwise, we might risk introducing subtle changes in behavior which could be difficult for a user to debug.

Meanwhile, crashing a cluster network due to a syntax error in a ip-masq-agent config file or inability to update the related BPF map is IMHO too dangerous.

[joestringer]

Overall I think this can come down to two different user approaches: There are some users that would prefer things crash/break as soon as any failure occurs so that they can deal with them. Other users will prefer that things just work, and log a message describing why things are not 100% so that they can follow up later.

In general I think in Cilium if there is a pure user input mismatch (eg daemon config options) we are crashing out early to signal to the user that Cilium is misconfigured and will not operate correctly. I think this is fine as it is most likely to occur when the user first configures Cilium or first attempts upgrade; and it's purely functional on a set of provided parameters. This state from the configmap is probably similar "user input" which we should validate clearly, but I'm still mulling it over. The weird part I point out above is that if a user customizes the configmap while Cilium is running and misconfigures it, then Cilium will continue running happily (admittedly with a warning log). Next time Cilium is restarted, it will go into crashloopbackoff because of this input validation. If they don't test properly then they may inadvertently set Cilium up to crash out on one day, then only find out days/weeks later when restarting Cilium (or worst case when Cilium crashes). At that point a misconfiguration can lead to a wider Cilium outage.

When we get into potential transient errors particularly for areas like this which are not pure connectivity or pure security, it gets a little less clear when Cilium should crash out. Crashing the Cilium daemon can cause DNS connectivity issues for instance if the user runs FQDN policy. So if we're getting away from "this is the first time the user runs Cilium in this setup" then I think we should err on the side of reporting an error through normal mechanisms (eg log a warning; that will also show up in metrics via the 'number of warnings/errors' metric) and continuing with functionality disabled.

[brb]

. If they don't test properly then they may inadvertently set Cilium up to crash out on one day, then only find out days/weeks later when restarting Cilium

That's a very valid concern.

I think we should err on the side of reporting an error through normal mechanisms (eg log a warning

Agreed. I've changed restore() to log an error instead of crashing.

[brb]

test-me-please

[brb]

test-me-please

[brb]

Hmm, hitting K8sDatapathConfig ManagedEtcd Check connectivity with managed etcd.

[brb]

test-me-please

[christarazi]

Looks good!

[aanm]

Why aren't we enabling this by default for new instalations?

[brb]

Once we have enough confidence about this feature, I'm happy to enable this by default;-)

[aanm]

@brb so when will we have confidence about it? Does this mean the feature is in beta? If it's not enabled for new installations will anyone use it?

[brb]

Let's discuss it during the next meeting.

[aanm]

This requires a warning somewhere in the docs or in helm generation, the ip-masq-agent config map needs to be set in the same namespace where Cilium is running.

[brb]

Good point, I will mention it in the docs.

[aanm]

what about json?

[brb]

Will add it in the follow-up!

[aanm]

[2] Use something similar as

cilium/pkg/clustermesh/config.go

Lines 33 to 57 in 47531ad

	type configDirectoryWatcher struct {
	watcher *fsnotify.Watcher
	lifecycle clusterLifecycle
	path string
	stop chan struct{}
	}
	func createConfigDirectoryWatcher(path string, lifecycle clusterLifecycle) (*configDirectoryWatcher, error) {
	watcher, err := fsnotify.NewWatcher()
	if err != nil {
	return nil, err
	}
	if err := watcher.Add(path); err != nil {
	watcher.Close()
	return nil, err
	}
	return &configDirectoryWatcher{
	watcher: watcher,
	path: path,
	lifecycle: lifecycle,
	stop: make(chan struct{}),
	}, nil
	}

[brb]

Both you and @joestringer asked me about this (https://github.com/cilium/cilium/pull/10878/files#r409979845). I could implement it in the follow-up, but do you really think that's worth increasing the complexity of ip-masq-agent? I expect the config files to be relatively simple.

[aanm]

Yes, it's one less flag that we have and we won't wait at least 60 seconds until changes are enforced. They will be done as soon kubelet has the files locally.

[brb]

Is it OK if I do it in the follow-up?

[brb]

Added to the follow-up items.

[aanm]

This won't be required if [2] is done instead.

[aanm]

Assuming all follow up items are done.

[joestringer]

Oh, one more point here. Did you consider the ordering between add/delete here?

Recent similar BPF map updates changes in policy side have shown that the ordering can impact datapath availability, see #10936

EDIT: To be explicit, I mean to say: If someone updates the configmap, will we cause connectivity issues / misrouted traffic temporarily during the update because of the ordering between deletes and adds?

[brb]

I changed the order so that adds happen before deletes just to make new CIDRs available a bit quicker.

The ordering won't have any effect on established connections. However, if there is a connection which previously was masqueraded, and after the CIDR update it's no longer a subject to masquerading, then the egressing packets from the pod after the update won't be masqueraded, and thus it will be dropped. If it's an issue, we can always add a lookup in the BPF (S)NAT map when deciding whether the masquerading is needed. But that would come with a performance penalty in the fastpath.

[borkmann]

Just small things on bpf datapath side, once resolved lgtm. ipv6 support is missing and should probably be added to the follow-ups. The snat engine supports ipv6 and we do it in nodeport snat as well, so we should also do it for the masq agent.

[brb]

@borkmann

What if REMOTE_NODE_ID is not used and the other endpoints also have HOST_ID?

Hmm, good question. I assumed that new deployments will have it enabled. If it's disabled, perhaps it's safe to check for HOST_ID instead, as a packet hitting this check is intended to leave the current node. I've added this item to the follow-up list.

Should this still be defined(hybrid) && !defined(masquerade) given the latter is not enabled by default anyway? Otherwise we'd snat unnecessarily here.

The removal of the check should not make DSR to be SNAT'd. After my PR is merged, nodeport_nat_ipv4_needed() is called only with dir=NAT_DIR_EGRESS, i.e. for packets which leave a node. In the case of DSR, the helper function is called for the following packets (SNAT is not done for all of them):

• Forwarded request from a client to a remote node.
• Reply from a remote endpoint to a middle node (on the remote node).

And it won't be called for the following packet which would be a subject to SNAT:

• Reply from a local endpoint to a client (because ..._NODEPORT_REVNAT sets MARK_MAGIC_SNAT_DONE which makes the packet to bypass the helper function).

Also, if we missed a case and DSR would have been SNAT'd, I believe that the CI tests would catch it, as we do the source IP addr validation.

[brb]

test-me-please

[borkmann]

@borkmann

What if REMOTE_NODE_ID is not used and the other endpoints also have HOST_ID?

Hmm, good question. I assumed that new deployments will have it enabled. If it's disabled, perhaps it's safe to check for HOST_ID instead, as a packet hitting this check is intended to leave the current node. I've added this item to the follow-up list.

Yeah, I think HOST_ID check should suffice here since there's a prior check on !(ep->flags & ENDPOINT_F_HOST). So this should only be remote addresses iiuc.

[brb]

CI hit the #10763 flake.

[brb]

test-me-please

[brb]

CI failed:

[2020-04-30T14:04:40.154Z] echo "docker push cilium/docker-plugin:latest-amd64"
[2020-04-30T14:04:40.154Z] docker push cilium/docker-plugin:latest-amd64
[2020-04-30T14:04:40.154Z] build -f hubble-relay.Dockerfile -t "cilium/hubble-relay:latest" .
[2020-04-30T14:04:40.154Z] /bin/bash: build: command not found
[2020-04-30T14:04:40.154Z] Makefile:290: recipe for target 'docker-hubble-relay-image' failed
[2020-04-30T14:04:40.154Z] make: *** [docker-hubble-relay-image] Error 127

[brb]

test-me-please

[qmonnet]

test-me-please

[joestringer]

Code has approvals for all codeowners, and GKE check is not required. Merging.