Support service.kubernetes.io/service-proxy-name label in AntreaProxy (…

…#4973) The service.kubernetes.io/service-proxy-name label was initially intended to offload the kube-proxy from handling all Services already handled by a service mesh. AntreaProxy should honor the service.kubernetes.io/service-proxy-name label, which means that if the label is defined in a Service, AntreaProxy must not handle the Service. Refer to this link https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/2447-Make-kube-proxy-service-abstraction-optional for more information. Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
antrea-io · Jun 28, 2023 · 647fb06 · 647fb06
1 parent 5c55f17
commit 647fb06
Show file tree

Hide file tree

Showing 17 changed files with 353 additions and 103 deletions.
diff --git a/build/charts/antrea/README.md b/build/charts/antrea/README.md
@@ -44,6 +44,7 @@ Kubernetes: `>= 1.16.0-0`
 | antreaProxy.nodePortAddresses | list | `[]` | String array of values which specifies the host IPv4/IPv6 addresses for NodePort. By default, all host addresses are used. |
 | antreaProxy.proxyAll | bool | `false` | Proxy all Service traffic, for all Service types, regardless of where it comes from. |
 | antreaProxy.proxyLoadBalancerIPs | bool | `true` | When set to false, AntreaProxy no longer load-balances traffic destined to the External IPs of LoadBalancer Services. |
+| antreaProxy.serviceProxyName | string | `""` | The value of the "service.kubernetes.io/service-proxy-name" label for AntreaProxy to match. If it is set, then AntreaProxy will only handle Services with the label that equals the provided value. If it is not set, then AntreaProxy will only handle Services without the "service.kubernetes.io/service-proxy-name" label, but ignore Services with the label no matter what is the value. |
 | antreaProxy.skipServices | list | `[]` | List of Services which should be ignored by AntreaProxy. |
 | clientCAFile | string | `""` | File path of the certificate bundle for all the signers that is recognized for incoming client certificates. |
 | cni.hostBinPath | string | `"/opt/cni/bin"` | Installation path of CNI binaries on the host. |

diff --git a/build/charts/antrea/conf/antrea-agent.conf b/build/charts/antrea/conf/antrea-agent.conf
@@ -342,6 +342,11 @@ antreaProxy:
   # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and
   # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic.
   proxyLoadBalancerIPs: {{ .proxyLoadBalancerIPs }}
+  # The value of the "service.kubernetes.io/service-proxy-name" label for AntreaProxy to match. If it is set,
+  # then AntreaProxy will only handle Services with the label that equals the provided value. If it is not set,
+  # then AntreaProxy will only handle Services without the "service.kubernetes.io/service-proxy-name" label,
+  # but ignore Services with the label no matter what is the value.
+  serviceProxyName: {{ .serviceProxyName | quote }}
 {{- end }}
 
 # IPsec tunnel related configurations.

diff --git a/build/charts/antrea/values.yaml b/build/charts/antrea/values.yaml
@@ -135,6 +135,12 @@ antreaProxy:
   # -- When set to false, AntreaProxy no longer load-balances traffic destined
   # to the External IPs of LoadBalancer Services.
   proxyLoadBalancerIPs: true
+  # -- The value of the "service.kubernetes.io/service-proxy-name" label for
+  # AntreaProxy to match. If it is set, then AntreaProxy will only handle Services
+  # with the label that equals the provided value. If it is not set, then AntreaProxy
+  # will only handle Services without the "service.kubernetes.io/service-proxy-name"
+  # label, but ignore Services with the label no matter what is the value.
+  serviceProxyName: ""
 
 nodeIPAM:
   # -- Enable Node IPAM in Antrea

diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
@@ -3291,6 +3291,11 @@ data:
       # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and
       # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic.
       proxyLoadBalancerIPs: true
+      # The value of the "service.kubernetes.io/service-proxy-name" label for AntreaProxy to match. If it is set,
+      # then AntreaProxy will only handle Services with the label that equals the provided value. If it is not set,
+      # then AntreaProxy will only handle Services without the "service.kubernetes.io/service-proxy-name" label,
+      # but ignore Services with the label no matter what is the value.
+      serviceProxyName: ""
 
     # IPsec tunnel related configurations.
     ipsec:
@@ -4380,7 +4385,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 994e75167f0126a535cea63fc65a5ab86361648a20bcacb06d3c588f06f6e5f6
+        checksum/config: 720e2b412e83992caf5874a01e67507617e079b896796e588c92fd75c9e06ad6
       labels:
         app: antrea
         component: antrea-agent
@@ -4621,7 +4626,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 994e75167f0126a535cea63fc65a5ab86361648a20bcacb06d3c588f06f6e5f6
+        checksum/config: 720e2b412e83992caf5874a01e67507617e079b896796e588c92fd75c9e06ad6
       labels:
         app: antrea
         component: antrea-controller

diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml
@@ -3291,6 +3291,11 @@ data:
       # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and
       # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic.
       proxyLoadBalancerIPs: true
+      # The value of the "service.kubernetes.io/service-proxy-name" label for AntreaProxy to match. If it is set,
+      # then AntreaProxy will only handle Services with the label that equals the provided value. If it is not set,
+      # then AntreaProxy will only handle Services without the "service.kubernetes.io/service-proxy-name" label,
+      # but ignore Services with the label no matter what is the value.
+      serviceProxyName: ""
 
     # IPsec tunnel related configurations.
     ipsec:
@@ -4380,7 +4385,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 994e75167f0126a535cea63fc65a5ab86361648a20bcacb06d3c588f06f6e5f6
+        checksum/config: 720e2b412e83992caf5874a01e67507617e079b896796e588c92fd75c9e06ad6
       labels:
         app: antrea
         component: antrea-agent
@@ -4622,7 +4627,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 994e75167f0126a535cea63fc65a5ab86361648a20bcacb06d3c588f06f6e5f6
+        checksum/config: 720e2b412e83992caf5874a01e67507617e079b896796e588c92fd75c9e06ad6
       labels:
         app: antrea
         component: antrea-controller

diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml
@@ -3291,6 +3291,11 @@ data:
       # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and
       # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic.
       proxyLoadBalancerIPs: true
+      # The value of the "service.kubernetes.io/service-proxy-name" label for AntreaProxy to match. If it is set,
+      # then AntreaProxy will only handle Services with the label that equals the provided value. If it is not set,
+      # then AntreaProxy will only handle Services without the "service.kubernetes.io/service-proxy-name" label,
+      # but ignore Services with the label no matter what is the value.
+      serviceProxyName: ""
 
     # IPsec tunnel related configurations.
     ipsec:
@@ -4380,7 +4385,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 04761c3e699fa0f59516b557f366049b0f1acf2f390d94e6753ee017cdffcfd9
+        checksum/config: 46b91206a96d91e7e4861f20fa0e255ed660cf96e796116e562061efc09fdfcc
       labels:
         app: antrea
         component: antrea-agent
@@ -4619,7 +4624,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 04761c3e699fa0f59516b557f366049b0f1acf2f390d94e6753ee017cdffcfd9
+        checksum/config: 46b91206a96d91e7e4861f20fa0e255ed660cf96e796116e562061efc09fdfcc
       labels:
         app: antrea
         component: antrea-controller

diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml
@@ -3304,6 +3304,11 @@ data:
       # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and
       # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic.
       proxyLoadBalancerIPs: true
+      # The value of the "service.kubernetes.io/service-proxy-name" label for AntreaProxy to match. If it is set,
+      # then AntreaProxy will only handle Services with the label that equals the provided value. If it is not set,
+      # then AntreaProxy will only handle Services without the "service.kubernetes.io/service-proxy-name" label,
+      # but ignore Services with the label no matter what is the value.
+      serviceProxyName: ""
 
     # IPsec tunnel related configurations.
     ipsec:
@@ -4393,7 +4398,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 6b902d5d6e9a2c0e2fde41aedf349eeee38d4530330381b01849815211ad1dd8
+        checksum/config: f7e797321f4228539c43945a503637bcabf4d4eee4f3d5393ba9e69a778a0916
         checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
       labels:
         app: antrea
@@ -4678,7 +4683,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 6b902d5d6e9a2c0e2fde41aedf349eeee38d4530330381b01849815211ad1dd8
+        checksum/config: f7e797321f4228539c43945a503637bcabf4d4eee4f3d5393ba9e69a778a0916
       labels:
         app: antrea
         component: antrea-controller

diff --git a/build/yamls/antrea-windows.yml b/build/yamls/antrea-windows.yml
@@ -143,6 +143,11 @@ data:
       # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access
       # apiserver directly.
       #proxyAll: false
+      # The value of the "service.kubernetes.io/service-proxy-name" label for AntreaProxy to match. If it is set,
+      # then AntreaProxy will only handle Services with the label that equals the provided value. If it is not set,
+      # then AntreaProxy will only handle Services without the "service.kubernetes.io/service-proxy-name" label,
+      # but ignore Services with the label no matter what is the value.
+      serviceProxyName: ""
 
     nodePortLocal:
     # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
@@ -172,7 +177,7 @@ kind: ConfigMap
 metadata:
   labels:
     app: antrea
-  name: antrea-windows-config-hth2gk6b96
+  name: antrea-windows-config-cmccc6hbb4
   namespace: kube-system
 ---
 apiVersion: apps/v1
@@ -260,7 +265,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-windows-config-hth2gk6b96
+          name: antrea-windows-config-cmccc6hbb4
         name: antrea-windows-config
       - configMap:
           defaultMode: 420

diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml
@@ -3291,6 +3291,11 @@ data:
       # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and
       # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic.
       proxyLoadBalancerIPs: true
+      # The value of the "service.kubernetes.io/service-proxy-name" label for AntreaProxy to match. If it is set,
+      # then AntreaProxy will only handle Services with the label that equals the provided value. If it is not set,
+      # then AntreaProxy will only handle Services without the "service.kubernetes.io/service-proxy-name" label,
+      # but ignore Services with the label no matter what is the value.
+      serviceProxyName: ""
 
     # IPsec tunnel related configurations.
     ipsec:
@@ -4380,7 +4385,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 1bc87d7d5b568beb91ad2b29510cb5cff3613c68e51fb82abdf545046767f679
+        checksum/config: 520e5bfad080176d9e77896e35756f8f947a1777817847cad27c764ecf6e3bec
       labels:
         app: antrea
         component: antrea-agent
@@ -4619,7 +4624,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 1bc87d7d5b568beb91ad2b29510cb5cff3613c68e51fb82abdf545046767f679
+        checksum/config: 520e5bfad080176d9e77896e35756f8f947a1777817847cad27c764ecf6e3bec
       labels:
         app: antrea
         component: antrea-controller

diff --git a/build/yamls/windows/base/conf/antrea-agent.conf b/build/yamls/windows/base/conf/antrea-agent.conf
@@ -125,6 +125,11 @@ antreaProxy:
   # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access
   # apiserver directly.
   #proxyAll: false
+  # The value of the "service.kubernetes.io/service-proxy-name" label for AntreaProxy to match. If it is set,
+  # then AntreaProxy will only handle Services with the label that equals the provided value. If it is not set,
+  # then AntreaProxy will only handle Services without the "service.kubernetes.io/service-proxy-name" label,
+  # but ignore Services with the label no matter what is the value.
+  serviceProxyName: ""
 
 nodePortLocal:
 # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To

diff --git a/cmd/antrea-agent/agent.go b/cmd/antrea-agent/agent.go
@@ -374,42 +374,39 @@ func run(o *Options) error {
 		)
 	}
 
+	v4Enabled := networkConfig.IPv4Enabled
+	v6Enabled := networkConfig.IPv6Enabled
+
 	var groupCounters []proxytypes.GroupCounter
 	groupIDUpdates := make(chan string, 100)
 	v4GroupIDAllocator := openflow.NewGroupAllocator(false)
 	v4GroupCounter := proxytypes.NewGroupCounter(v4GroupIDAllocator, groupIDUpdates)
+	if v4Enabled {
+		groupCounters = append(groupCounters, v4GroupCounter)
+	}
 	v6GroupIDAllocator := openflow.NewGroupAllocator(true)
 	v6GroupCounter := proxytypes.NewGroupCounter(v6GroupIDAllocator, groupIDUpdates)
+	if v6Enabled {
+		groupCounters = append(groupCounters, v6GroupCounter)
+	}
 
-	v4Enabled := networkConfig.IPv4Enabled
-	v6Enabled := networkConfig.IPv6Enabled
 	var proxier proxy.Proxier
 	if features.DefaultFeatureGate.Enabled(features.AntreaProxy) {
-		proxyAll := o.config.AntreaProxy.ProxyAll
-		skipServices := o.config.AntreaProxy.SkipServices
-		proxyLoadBalancerIPs := *o.config.AntreaProxy.ProxyLoadBalancerIPs
-
-		switch {
-		case v4Enabled && v6Enabled:
-			proxier, err = proxy.NewDualStackProxier(nodeConfig.Name, k8sClient, informerFactory, ofClient, routeClient, nodePortAddressesIPv4, nodePortAddressesIPv6, proxyAll, skipServices, proxyLoadBalancerIPs, v4GroupCounter, v6GroupCounter, enableMulticlusterGW)
-			if err != nil {
-				return fmt.Errorf("error when creating dual-stack proxier: %v", err)
-			}
-			groupCounters = append(groupCounters, v4GroupCounter, v6GroupCounter)
-		case v4Enabled:
-			proxier, err = proxy.NewProxier(nodeConfig.Name, k8sClient, informerFactory, ofClient, false, routeClient, nodePortAddressesIPv4, proxyAll, skipServices, proxyLoadBalancerIPs, v4GroupCounter, enableMulticlusterGW)
-			if err != nil {
-				return fmt.Errorf("error when creating v4 proxier: %v", err)
-			}
-			groupCounters = append(groupCounters, v4GroupCounter)
-		case v6Enabled:
-			proxier, err = proxy.NewProxier(nodeConfig.Name, k8sClient, informerFactory, ofClient, true, routeClient, nodePortAddressesIPv6, proxyAll, skipServices, proxyLoadBalancerIPs, v6GroupCounter, enableMulticlusterGW)
-			if err != nil {
-				return fmt.Errorf("error when creating v6 proxier: %v", err)
-			}
-			groupCounters = append(groupCounters, v6GroupCounter)
-		default:
-			return fmt.Errorf("at least one of IPv4 or IPv6 should be enabled")
+		proxier, err = proxy.NewProxier(nodeConfig.Name,
+			k8sClient,
+			ofClient,
+			routeClient,
+			v4Enabled,
+			v6Enabled,
+			nodePortAddressesIPv4,
+			nodePortAddressesIPv6,
+			o.config.AntreaProxy,
+			v4GroupCounter,
+			v6GroupCounter,
+			enableMulticlusterGW,
+			informerFactory)
+		if err != nil {
+			return fmt.Errorf("error when creating proxier: %v", err)
 		}
 	}