diff --git a/go-controller/pkg/ovn/egressip.go b/go-controller/pkg/ovn/egressip.go
index 33714f1d6b..0c9be16e0d 100644
--- a/go-controller/pkg/ovn/egressip.go
+++ b/go-controller/pkg/ovn/egressip.go
@@ -748,6 +748,7 @@ func (oc *Controller) deleteNodeForEgress(node *v1.Node) error {
 func (oc *Controller) initClusterEgressPolicies(nodes []interface{}) {
 v4ClusterSubnet, v6ClusterSubnet := getClusterSubnets()
 createDefaultNoReroutePodPolicies(v4ClusterSubnet, v6ClusterSubnet)
+ oc.createDefaultNoRerouteServicePolicies(v4ClusterSubnet, v6ClusterSubnet)
 go oc.checkEgressNodesReachability()
 }
@@ -1096,6 +1097,25 @@ func getNodeInternalAddrs(node *v1.Node) (net.IP, net.IP) {
 return v4Addr, v6Addr
 }
+// createDefaultNoRerouteServicePolicies ensures service reachability from the
+// host network to any service backed by egress IP matching pods
+func (oc *Controller) createDefaultNoRerouteServicePolicies(v4ClusterSubnet, v6ClusterSubnet []*net.IPNet) {
+ for _, v4Subnet := range v4ClusterSubnet {
+ _, stderr, err := util.RunOVNNbctl("--may-exist", "lr-policy-add", types.OVNClusterRouter, fmt.Sprintf("%v", types.DefaultNoRereoutePriority),
+ fmt.Sprintf("ip4.src == %s && ip4.dst == %s", v4Subnet.String(), config.Gateway.V4JoinSubnet), "allow")
+ if err != nil {
+ klog.Errorf("Unable to create IPv4 default no-reroute service policy, stderr: %s, err: %v", stderr, err)
+ }
+ }
+ for _, v6Subnet := range v6ClusterSubnet {
+ _, stderr, err := util.RunOVNNbctl("--may-exist", "lr-policy-add", types.OVNClusterRouter, fmt.Sprintf("%v", types.DefaultNoRereoutePriority),
+ fmt.Sprintf("ip6.src == %s && ip6.dst == %s", v6Subnet.String(), config.Gateway.V6JoinSubnet), "allow")
+ if err != nil {
+ klog.Errorf("Unable to create IPv6 default no-reroute service policy, stderr: %s, err: %v", stderr, err)
+ }
+ }
+}
+
 // createDefaultNoReroutePodPolicies ensures egress pods east<->west traffic with regular pods,
 // i.e: ensuring that an egress pod can still communicate with a regular pod / service backed by regular pods
 func createDefaultNoReroutePodPolicies(v4ClusterSubnet, v6ClusterSubnet []*net.IPNet) {
diff --git a/go-controller/pkg/ovn/egressip_test.go b/go-controller/pkg/ovn/egressip_test.go
index f270a77110..db265f75d8 100644
--- a/go-controller/pkg/ovn/egressip_test.go
+++ b/go-controller/pkg/ovn/egressip_test.go
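Review bot: The IPv4 and IPv6 loops of createDefaultNoRerouteServicePolicies are the same body with `ip4`/`ip6`, `V4JoinSubnet`/`V6JoinSubnet` and the log prefix swapped, and the receiver `oc` is never read, unlike the sibling createDefaultNoReroutePodPolicies which is a plain function; folding the per-family work into one helper keeps the two branches from drifting apart, as sketched below (it assumes `config.Gateway.V4JoinSubnet` is a string, which its use with `%s` suggests). The doc comment speaks of reachability "from the host network", while the match `ip4.src == <cluster subnet> && ip4.dst == <join subnet>` selects pod-sourced packets toward the join subnet, presumably the reply leg of that traffic; a sentence naming the matched direction, e.g. `// Matches pod-sourced traffic to the join subnet so the egress IP reroute policies do not capture it.`, would save the next reader from working that out. Failures are only logged and the function returns nothing, so the caller in the first hunk cannot tell whether the policy was installed; either return a joined error or say in the comment that installation is best-effort.
```go
func (oc *Controller) createDefaultNoRerouteServicePolicies(v4ClusterSubnet, v6ClusterSubnet []*net.IPNet) {
	addDefaultNoRerouteServicePolicies("ip4", v4ClusterSubnet, config.Gateway.V4JoinSubnet)
	addDefaultNoRerouteServicePolicies("ip6", v6ClusterSubnet, config.Gateway.V6JoinSubnet)
}

// addDefaultNoRerouteServicePolicies adds, for every cluster subnet of one IP
// family, an allow policy for traffic sourced in that subnet and destined to the
// join subnet. A failure is logged and the remaining subnets are still attempted.
func addDefaultNoRerouteServicePolicies(family string, clusterSubnets []*net.IPNet, joinSubnet string) {
	for _, subnet := range clusterSubnets {
		match := fmt.Sprintf("%s.src == %s && %s.dst == %s", family, subnet.String(), family, joinSubnet)
		_, stderr, err := util.RunOVNNbctl("--may-exist", "lr-policy-add", types.OVNClusterRouter,
			fmt.Sprintf("%v", types.DefaultNoRereoutePriority), match, "allow")
		if err != nil {
			klog.Errorf("Unable to create %s default no-reroute service policy, stderr: %s, err: %v", family, stderr, err)
		}
	}
}
```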
@@ -254,6 +254,12 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
 },
 )
+ fakeOvn.fakeExec.AddFakeCmdsNoOutputNoError(
+ []string{
+ fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
+ },
+ )
+
 fakeOvn.controller.WatchEgressNodes()
 gomega.Eventually(getEgressIPAllocatorSizeSafely).Should(gomega.Equal(2))
 gomega.Expect(fakeOvn.controller.eIPC.allocator).To(gomega.HaveKey(node1.Name))
@@ -402,6 +408,13 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
 fmt.Sprintf("ovn-nbctl --timeout=15 set logical_switch_port etor-GR_node1 options:nat-addresses=router"),
 },
 )
+
+ fakeOvn.fakeExec.AddFakeCmdsNoOutputNoError(
+ []string{
+ fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
+ },
+ )
+
 fakeOvn.controller.WatchEgressNodes()
 gomega.Eventually(getEgressIPAllocatorSizeSafely).Should(gomega.Equal(2))
 gomega.Expect(fakeOvn.controller.eIPC.allocator).To(gomega.HaveKey(node1.Name))
@@ -1310,6 +1323,13 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
 fmt.Sprintf("ovn-nbctl --timeout=15 set logical_switch_port etor-GR_node2 options:nat-addresses=router"),
 },
 )
+
+ fakeOvn.fakeExec.AddFakeCmdsNoOutputNoError(
+ []string{
+ fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
+ },
+ )
+
 fakeOvn.controller.WatchEgressNodes()
 gomega.Eventually(getEgressIPAllocatorSizeSafely).Should(gomega.Equal(0))
 node1.Labels = map[string]string{
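Review bot: Every expectation added in this file is the IPv4 policy only (here and in the hunks at 402, 1310, 1382, 1450, 1579, 1672, 1797, 1953, 2035, 2161 and 2300), so the `ip6.src`/`V6JoinSubnet` loop of createDefaultNoRerouteServicePolicies is never driven by a test; one case that configures a v6 cluster subnet and expects `ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip6.src == <v6 cluster subnet> && ip6.dst == %s allow` with `config.Gateway.V6JoinSubnet` would cover it. The same `fmt.Sprintf(...)` literal is now pasted twelve times; a small helper in the test file that returns that string, called from each `AddFakeCmdsNoOutputNoError` list, would keep the copies in sync if the match ever changes. All of these sit inside the ginkgo.Describe closure, which starts and ends outside the hunks.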
@@ -1382,6 +1402,12 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
 return len(fakeOvn.controller.eIPC.allocator)
 }
+ fakeOvn.fakeExec.AddFakeCmdsNoOutputNoError(
+ []string{
+ fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
+ },
+ )
+
 fakeOvn.controller.WatchEgressNodes()
 gomega.Eventually(allocatorItems).Should(gomega.Equal(0))
@@ -1450,6 +1476,7 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
 fakeOvn.fakeExec.AddFakeCmdsNoOutputNoError(
 []string{
 fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add ovn_cluster_router 101 ip4.src == 10.128.0.0/14 && ip4.dst == 10.128.0.0/14 allow"),
+ fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
 },
 )
@@ -1579,8 +1606,10 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
 []string{
 fmt.Sprintf("ovn-nbctl --timeout=15 --format=csv --data=bare --no-heading --columns=_uuid,external_ids,match find logical_router_policy priority=100"),
 fmt.Sprintf("ovn-nbctl --timeout=15 --format=csv --data=bare --no-heading --columns=_uuid,external_ids,logical_ip find nat"),
+ fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
 },
 )
+
 fakeOvn.controller.WatchEgressNodes()
 fakeOvn.controller.WatchEgressIP()
@@ -1672,8 +1701,10 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
 []string{
 fmt.Sprintf("ovn-nbctl --timeout=15 --format=csv --data=bare --no-heading --columns=_uuid,external_ids,match find logical_router_policy priority=100"),
 fmt.Sprintf("ovn-nbctl --timeout=15 --format=csv --data=bare --no-heading --columns=_uuid,external_ids,logical_ip find nat"),
+ fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
 },
 )
+
 fakeOvn.controller.WatchEgressNodes()
 fakeOvn.controller.WatchEgressIP()
@@ -1797,6 +1828,13 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
 fmt.Sprintf("ovn-nbctl --timeout=15 set logical_switch_port etor-GR_node2 options:nat-addresses=router"),
 },
 )
+
+ fakeOvn.fakeExec.AddFakeCmdsNoOutputNoError(
+ []string{
+ fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
+ },
+ )
+
 fakeOvn.fakeExec.AddFakeCmd(
 &ovntest.ExpectedCmd{
 Cmd: fmt.Sprintf("ovn-nbctl --timeout=15 --if-exist get logical_router_port rtoj-GR_%s networks", node1.Name),
@@ -1953,6 +1991,12 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
 },
 )
+ fakeOvn.fakeExec.AddFakeCmdsNoOutputNoError(
+ []string{
+ fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
+ },
+ )
+
 fakeOvn.controller.WatchEgressNodes()
 fakeOvn.controller.WatchEgressIP()
@@ -2035,8 +2079,10 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
 []string{
 fmt.Sprintf("ovn-nbctl --timeout=15 --format=csv --data=bare --no-heading --columns=_uuid,external_ids,match find logical_router_policy priority=100"),
 fmt.Sprintf("ovn-nbctl --timeout=15 --format=csv --data=bare --no-heading --columns=_uuid,external_ids,logical_ip find nat"),
+ fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
 },
 )
+
 fakeOvn.controller.WatchEgressNodes()
 fakeOvn.controller.WatchEgressIP()
@@ -2161,6 +2207,7 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
 fakeOvn.fakeExec.AddFakeCmdsNoOutputNoError(
 []string{
 fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add ovn_cluster_router 101 ip4.src == 10.128.0.0/14 && ip4.dst == 10.128.0.0/14 allow"),
+ fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
 },
 )
@@ -2300,6 +2347,7 @@ var _ = ginkgo.Describe("OVN master EgressIP Operations", func() {
 []string{
 fmt.Sprintf("ovn-nbctl --timeout=15 --format=csv --data=bare --no-heading --columns=_uuid,external_ids,match find logical_router_policy priority=100"),
 fmt.Sprintf("ovn-nbctl --timeout=15 --format=csv --data=bare --no-heading --columns=_uuid,external_ids,logical_ip find nat"),
+ fmt.Sprintf("ovn-nbctl --timeout=15 --may-exist lr-policy-add %s %v ip4.src == 10.128.0.0/14 && ip4.dst == %s allow", types.OVNClusterRouter, types.DefaultNoRereoutePriority, config.Gateway.V4JoinSubnet),
 },
 )