28 changes: 25 additions & 3 deletions go-controller/pkg/controllermanager/controller_manager.go
Expand Up @@ -194,7 +194,9 @@ func (cm *ControllerManager) CleanupStaleNetworks(validNetworks ...util.NetInfo)
}
}

if util.IsRouteAdvertisementsEnabled() {
// OCP HACK BEGIN
if util.IsRouteAdvertisementsEnabled() && !util.IsLooseUDNIsolation() {
// OCP HACK END
// Remove stale subnets from the advertised networks address set used for isolation
// NOTE: network reconciliation will take care of removing the subnets for existing networks that are no longer
// advertised.
Expand Down Expand Up @@ -530,7 +532,27 @@ func (cm *ControllerManager) Reconcile(_ string, _, _ util.NetInfo) error {
}

func (cm *ControllerManager) configureAdvertisedNetworkIsolation() error {
// OCP HACK BEGIN
addressSetFactory := addressset.NewOvnAddressSetFactory(cm.nbClient, config.IPv4Mode, config.IPv6Mode)
_, err := addressSetFactory.EnsureAddressSet(ovn.GetAdvertisedNetworkSubnetsAddressSetDBIDs())
return err
if !util.IsLooseUDNIsolation() {
_, err := addressSetFactory.EnsureAddressSet(ovn.GetAdvertisedNetworkSubnetsAddressSetDBIDs())
return err
}
klog.Infof("Ensure global advertised networks addressset and tier-0 drop ACLs are removed in loose UDN isolation mode")
addrSet, _ := addressSetFactory.GetAddressSet(ovn.GetAdvertisedNetworkSubnetsAddressSetDBIDs())
if addrSet == nil {
return nil
}
dropACLIDs := ovn.GetAdvertisedNetworkSubnetsDropACLdbIDs()
dropACLPredicate := libovsdbops.GetPredicate[*nbdb.ACL](dropACLIDs, nil)
dropACLs, _ := libovsdbops.FindACLsWithPredicate(cm.nbClient, dropACLPredicate)
if len(dropACLs) > 0 {
p := func(_ *nbdb.LogicalSwitch) bool { return true }
err := libovsdbops.RemoveACLsFromLogicalSwitchesWithPredicate(cm.nbClient, p, dropACLs...)
if err != nil {
return err
}
}
return addrSet.Destroy()
// OCP HACK END
}
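Review bot: In the loose-isolation branch of `configureAdvertisedNetworkIsolation` the errors from `GetAddressSet` and `FindACLsWithPredicate` are discarded with `_`, so a transient OVSDB or client failure is indistinguishable from "nothing to clean up" and the method returns nil with the global advertised-networks address set and the tier-0 drop ACLs still programmed. That silent outcome matters because `addAdvertisedNetworkIsolation` in udn_isolation.go deletes only the pass ACLs on the stated assumption that this method already removed the drop ACLs and the address set. The strict branch two lines above and `deleteAdvertisedNetworkIsolation` both propagate these errors, so the loose branch should too; if the factory reports a missing set as a nil set with a nil error, which the existing nil check presumes (confirm against the factory), the not-found path is unchanged.
```go
	addrSet, err := addressSetFactory.GetAddressSet(ovn.GetAdvertisedNetworkSubnetsAddressSetDBIDs())
	if err != nil {
		return err
	}
	if addrSet == nil {
		return nil
	}
	dropACLIDs := ovn.GetAdvertisedNetworkSubnetsDropACLdbIDs()
	dropACLPredicate := libovsdbops.GetPredicate[*nbdb.ACL](dropACLIDs, nil)
	dropACLs, err := libovsdbops.FindACLsWithPredicate(cm.nbClient, dropACLPredicate)
	if err != nil {
		return err
	}
	// … unchanged: removal of dropACLs from the logical switches and addrSet.Destroy() …
```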
39 changes: 36 additions & 3 deletions go-controller/pkg/ovn/udn_isolation.go
Expand Up @@ -300,6 +300,25 @@ func BuildAdvertisedNetworkSubnetsDropACL(advertisedNetworkSubnetsAddressSet add
// pass "(ip[4|6].src == <UDN_SUBNET> && ip[4|6].dst == <UDN_SUBNET>)" 1100
// drop "(ip[4|6].src == $<ALL_ADV_SUBNETS> && ip[4|6].dst == $<ALL_ADV_SUBNETS>)" 1050
func (bnc *BaseNetworkController) addAdvertisedNetworkIsolation(nodeName string) error {
// OCP HACK BEGIN
if util.IsLooseUDNIsolation() {
klog.Infof("The network %s is configured with loose isolation mode, so delete tier-0 pass ACL rule if it exists",
bnc.GetNetworkName())
// It is okay to delete only pass ACLs here because drop ACLs for the network and global advertised
// networks addressset are already deleted in controller manager's configureAdvertisedNetworkIsolation
// method.
passACLs, _ := bnc.getPassACLsForAdvertisedNetwork()
if len(passACLs) == 0 {
return nil
}
p := func(sw *nbdb.LogicalSwitch) bool { return sw.Name == bnc.GetNetworkScopedSwitchName(nodeName) }
err := libovsdbops.RemoveACLsFromLogicalSwitchesWithPredicate(bnc.nbClient, p, passACLs...)
if err != nil {
return fmt.Errorf("failed to delete tier-0 pass ACLs for network %s: %w", bnc.GetNetworkName(), err)
}
return nil
}
// OCP HACK END
var passMatches, cidrs []string
var ops []ovsdb.Operation

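Review bot: The early loose-mode return in `addAdvertisedNetworkIsolation` drops the error from `bnc.getPassACLsForAdvertisedNetwork()` (`passACLs, _ := ...`), so a lookup failure yields an empty slice, the `len(passACLs) == 0` guard fires, and the function reports success while any existing tier-0 pass ACLs stay on the node switch. The same helper call in `deleteAdvertisedNetworkIsolation` further down this file checks the error, so the two call sites should match: `passACLs, err := bnc.getPassACLsForAdvertisedNetwork()` followed by `if err != nil { return fmt.Errorf("unable to find the pass ACL for advertised network %s: %w", bnc.GetNetworkName(), err) }`. The function's body continues past the end of this hunk.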
Expand Down Expand Up @@ -363,6 +382,13 @@ func (bnc *BaseNetworkController) addAdvertisedNetworkIsolation(nodeName string)
// deleteAdvertisedNetworkIsolation deletes advertised network isolation rules from the given node switch.
// It removes the network CIDRs from the global advertised networks addresset together with the ACLs on the node switch.
func (bnc *BaseNetworkController) deleteAdvertisedNetworkIsolation(nodeName string) error {
// OCP HACK BEGIN
if util.IsLooseUDNIsolation() {
klog.Infof("The network %s is configured with loose isolation mode, skip deleting tier-0 drop ACL rule",
bnc.GetNetworkName())
return nil
}
Shouldn't we actually ensure the ACL is not there if we start with loose UDN isolation?

// OCP HACK END
addrSet, err := bnc.addressSetFactory.GetAddressSet(GetAdvertisedNetworkSubnetsAddressSetDBIDs())
if err != nil {
return fmt.Errorf("failed to get advertised subnets addresset %s for network %s: %w", GetAdvertisedNetworkSubnetsAddressSetDBIDs(), bnc.GetNetworkName(), err)
Expand All @@ -377,9 +403,7 @@ func (bnc *BaseNetworkController) deleteAdvertisedNetworkIsolation(nodeName stri
return fmt.Errorf("failed to create ovsdb ops for deleting the addresses from %s addresset for network %s: %w", GetAdvertisedNetworkSubnetsAddressSetDBIDs(), bnc.GetNetworkName(), err)
}

passACLIDs := GetAdvertisedNetworkSubnetsPassACLdbIDs(bnc.controllerName, bnc.GetNetworkName(), bnc.GetNetworkID())
passACLPredicate := libovsdbops.GetPredicate[*nbdb.ACL](passACLIDs, nil)
passACLs, err := libovsdbops.FindACLsWithPredicate(bnc.nbClient, passACLPredicate)
passACLs, err := bnc.getPassACLsForAdvertisedNetwork()
if err != nil {
return fmt.Errorf("unable to find the pass ACL for advertised network %s: %w", bnc.GetNetworkName(), err)
}
Expand All @@ -401,3 +425,12 @@ func (bnc *BaseNetworkController) deleteAdvertisedNetworkIsolation(nodeName stri
_, err = libovsdbops.TransactAndCheck(bnc.nbClient, ops)
return err
}

// OCP HACK BEGIN
func (bnc *BaseNetworkController) getPassACLsForAdvertisedNetwork() ([]*nbdb.ACL, error) {
passACLIDs := GetAdvertisedNetworkSubnetsPassACLdbIDs(bnc.controllerName, bnc.GetNetworkName(), bnc.GetNetworkID())
passACLPredicate := libovsdbops.GetPredicate[*nbdb.ACL](passACLIDs, nil)
return libovsdbops.FindACLsWithPredicate(bnc.nbClient, passACLPredicate)
}

// OCP HACK END
11 changes: 11 additions & 0 deletions go-controller/pkg/util/multi_network.go
Expand Up @@ -4,6 +4,7 @@ import (
"errors"
"fmt"
"net"
"os"
"reflect"
"strconv"
"strings"
Expand Down Expand Up @@ -1554,3 +1555,13 @@ func ParseNetworkName(networkName string) (udnNamespace, udnName string) {
}
return "", ""
}

// OCP HACK BEGIN
// IsLooseUDNIsolation returns true of `UDN_ISOLATION_MODE` env variable is set to "loose" value.
// In "loose" mode, the network controller skips programming network isolation rules for advertised
// UDN networks and this will allow pod to pod communication among advertised UDN networks.
func IsLooseUDNIsolation() bool {
return os.Getenv("UDN_ISOLATION_MODE") == "loose"
}

// OCP HACK END
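Review bot: The doc comment on `IsLooseUDNIsolation` has a typo ("returns true of") and does not state what the function is the switch for: every other value of `UDN_ISOLATION_MODE`, including unset, keeps strict isolation, which is the fail-closed default a reader of a kill-switch for isolation rules needs to see, and the comparison is exact, so "Loose" or a value with surrounding whitespace also keeps strict mode. Since this one environment variable disables cross-network isolation for all advertised UDNs handled by the process, the comment should make that scope explicit rather than leaving it to the callers. Suggested replacement for the three comment lines: `// IsLooseUDNIsolation returns true if the UDN_ISOLATION_MODE environment variable is exactly "loose". Any other value, including unset, keeps strict isolation. In loose mode the network controller skips programming network isolation rules for advertised UDN networks, allowing pod-to-pod traffic between advertised UDN networks.`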