istio · SchSeba · Feb 28, 2019
diff --git a/cmd/istio-cni/main_test.go b/cmd/istio-cni/main_test.go
@@ -242,6 +242,25 @@ func TestCmdAddExcludePod(t *testing.T) {
 	}
 }
 
+func TestCmdAddWithKubevirtInterfaces(t *testing.T) {
+	defer resetGlobalTestVariables()
+
+	setupRedirect = mockNsenterRedirect
+	testAnnotations[kubevirtInterfacesKey] = "net1,net2"
+	testContainers = []string{"mockContainer"}
+
+	testCmdAdd(t)
+
+	value, ok := testAnnotations[kubevirtInterfacesKey]
+	if !ok {
+		t.Fatalf("expected kubevirtInterfaces annotation to exist")
+	}
+
+	if value != testAnnotations[kubevirtInterfacesKey] {
+		t.Fatalf(fmt.Sprintf("expected kubevirtInterfaces annotation to equals %s", testAnnotations[kubevirtInterfacesKey]))
+	}
+}
+
 func TestCmdAddInvalidK8sArgsKeyword(t *testing.T) {
 	defer resetGlobalTestVariables()
 

diff --git a/cmd/istio-cni/redirect.go b/cmd/istio-cni/redirect.go
@@ -35,6 +35,7 @@ const (
 	defaultRedirectIPCidr        = "*"
 	defaultRedirectExcludeIPCidr = ""
 	defaultRedirectExcludePort   = defaultProxyStatusPort
+	defaultKubevirtInterfaces    = ""
 
 	includeIPCidrsKey = "traffic.sidecar.istio.io/includeOutboundIPRanges"
 	excludeIPCidrsKey = "traffic.sidecar.istio.io/excludeOutboundIPRanges"
@@ -43,30 +44,34 @@ const (
 
 	sidecarInterceptModeKey = "sidecar.istio.io/interceptionMode"
 	sidecarPortListKey      = "status.sidecar.istio.io/port"
+
+	kubevirtInterfacesKey = "traffic.sidecar.istio.io/kubevirtInterfaces"
 )
 
 var (
 	annotationRegistry = map[string]*annotationParam{
-		"inject":         {injectAnnotationKey, "", alwaysValidFunc},
-		"status":         {sidecarStatusKey, "", alwaysValidFunc},
-		"redirectMode":   {sidecarInterceptModeKey, defaultRedirectMode, validateInterceptionMode},
-		"ports":          {sidecarPortListKey, "", validatePortList},
-		"includeIPCidrs": {includeIPCidrsKey, defaultRedirectIPCidr, validateCIDRListWithWildcard},
-		"excludeIPCidrs": {excludeIPCidrsKey, defaultRedirectExcludeIPCidr, validateCIDRList},
-		"includePorts":   {includePortsKey, "", validatePortListWithWildcard},
-		"excludePorts":   {excludePortsKey, defaultRedirectExcludePort, validatePortList},
+		"inject":             {injectAnnotationKey, "", alwaysValidFunc},
+		"status":             {sidecarStatusKey, "", alwaysValidFunc},
+		"redirectMode":       {sidecarInterceptModeKey, defaultRedirectMode, validateInterceptionMode},
+		"ports":              {sidecarPortListKey, "", validatePortList},
+		"includeIPCidrs":     {includeIPCidrsKey, defaultRedirectIPCidr, validateCIDRListWithWildcard},
+		"excludeIPCidrs":     {excludeIPCidrsKey, defaultRedirectExcludeIPCidr, validateCIDRList},
+		"includePorts":       {includePortsKey, "", validatePortListWithWildcard},
+		"excludePorts":       {excludePortsKey, defaultRedirectExcludePort, validatePortList},
+		"kubevirtInterfaces": {kubevirtInterfacesKey, defaultKubevirtInterfaces, alwaysValidFunc},
 	}
 )
 
 // Redirect -- the istio-cni redirect object
 type Redirect struct {
-	targetPort     string
-	redirectMode   string
-	noRedirectUID  string
-	includeIPCidrs string
-	includePorts   string
-	excludeIPCidrs string
-	excludePorts   string
+	targetPort         string
+	redirectMode       string
+	noRedirectUID      string
+	includeIPCidrs     string
+	includePorts       string
+	excludeIPCidrs     string
+	excludePorts       string
+	kubevirtInterfaces string
 
 	logger *logrus.Entry
 }
@@ -224,6 +229,11 @@ func NewRedirect(ports []string, annotations map[string]string, logger *logrus.E
 		logger.Errorf("Annotation value error for value %s; annotationFound = %t: %v",
 			"excludePorts", isFound, valErr)
 	}
+	isFound, redir.kubevirtInterfaces, valErr = getAnnotationOrDefault("kubevirtInterfaces", annotations)
+	if valErr != nil {
+		logger.Errorf("Annotation value error for value %s; annotationFound = %t: %v",
+			"kubevirtInterfaces", isFound, valErr)
+	}
 
 	return redir, nil
 }
@@ -249,6 +259,7 @@ func (rdrct *Redirect) doRedirect(netns string) error {
 		"-b", rdrct.includePorts,
 		"-d", rdrct.excludePorts,
 		"-x", rdrct.excludeIPCidrs,
+		"-k", rdrct.kubevirtInterfaces,
 	}
 	logrus.WithFields(logrus.Fields{
 		"nsenterArgs": nsenterArgs,

diff --git a/tools/deb/istio-iptables.sh b/tools/deb/istio-iptables.sh
@@ -46,6 +46,9 @@ function usage() {
   echo '  -x: Comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all '
   # shellcheck disable=SC2016
   echo '      outbound traffic (i.e. "*") is being redirected (default to $ISTIO_SERVICE_EXCLUDE_CIDR).'
+  echo '  -k: Comma separated list of virtual interfaces whose inbound traffic (from VM)'
+  echo '      will be treated as outbound (optional)'
+  # shellcheck disable=SC2016
   echo ''
   # shellcheck disable=SC2016
   echo 'Using environment variables in $ISTIO_SIDECAR_CONFIG (default: /var/lib/istio/envoy/sidecar.env)'
@@ -88,8 +91,9 @@ INBOUND_PORTS_INCLUDE=${ISTIO_INBOUND_PORTS-}
 INBOUND_PORTS_EXCLUDE=${ISTIO_LOCAL_EXCLUDE_PORTS-}
 OUTBOUND_IP_RANGES_INCLUDE=${ISTIO_SERVICE_CIDR-}
 OUTBOUND_IP_RANGES_EXCLUDE=${ISTIO_SERVICE_EXCLUDE_CIDR-}
+KUBEVIRT_INTERFACES=
 
-while getopts ":p:u:g:m:b:d:i:x:h" opt; do
+while getopts ":p:u:g:m:b:d:i:x:k:h" opt; do
   case ${opt} in
     p)
       PROXY_PORT=${OPTARG}
@@ -115,6 +119,9 @@ while getopts ":p:u:g:m:b:d:i:x:h" opt; do
     x)
       OUTBOUND_IP_RANGES_EXCLUDE=${OPTARG}
       ;;
+    k)
+      KUBEVIRT_INTERFACES=${OPTARG}
+      ;;
     h)
       usage
       exit 0
@@ -195,6 +202,7 @@ echo "INBOUND_PORTS_INCLUDE=${INBOUND_PORTS_INCLUDE}"
 echo "INBOUND_PORTS_EXCLUDE=${INBOUND_PORTS_EXCLUDE}"
 echo "OUTBOUND_IP_RANGES_INCLUDE=${OUTBOUND_IP_RANGES_INCLUDE}"
 echo "OUTBOUND_IP_RANGES_EXCLUDE=${OUTBOUND_IP_RANGES_EXCLUDE}"
+echo "KUBEVIRT_INTERFACES=${KUBEVIRT_INTERFACES}"
 echo
 
 INBOUND_CAPTURE_PORT=${INBOUND_CAPTURE_PORT:-$PROXY_PORT}
@@ -347,13 +355,24 @@ if [ -n "${OUTBOUND_IP_RANGES_EXCLUDE}" ]; then
   done
 fi
 
+for internalInterface in ${KUBEVIRT_INTERFACES}; do
+    iptables -t nat -I PREROUTING 1 -i "${internalInterface}" -j RETURN
+done
+
 # Apply outbound IP inclusions.
 if [ "${OUTBOUND_IP_RANGES_INCLUDE}" == "*" ]; then
   # Wildcard specified. Redirect all remaining outbound traffic to Envoy.
   iptables -t nat -A ISTIO_OUTPUT -j ISTIO_REDIRECT
+  for internalInterface in ${KUBEVIRT_INTERFACES}; do
+    iptables -t nat -I PREROUTING 1 -i "${internalInterface}" -j ISTIO_REDIRECT
+  done
+
 elif [ -n "${OUTBOUND_IP_RANGES_INCLUDE}" ]; then
   # User has specified a non-empty list of cidrs to be redirected to Envoy.
   for cidr in ${OUTBOUND_IP_RANGES_INCLUDE}; do
+    for internalInterface in ${KUBEVIRT_INTERFACES}; do
+        iptables -t nat -I PREROUTING 1 -i "${internalInterface}" -d "${cidr}" -j ISTIO_REDIRECT
+    done
     iptables -t nat -A ISTIO_OUTPUT -d "${cidr}" -j ISTIO_REDIRECT
   done
   # All other traffic is not redirected.