Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[WIP] UDN host isolation #4799

Draft
wants to merge 14 commits into
base: master
Choose a base branch
from
Draft

Conversation

npinaeva
Copy link
Member

@npinaeva npinaeva commented Oct 23, 2024

pulls commits from #3709 and #4612
Adds host isolation except for kubelet, open-ports handling for hostnetwork pods.

To enable this feature on a kind cluster, just comment out 71ad044#diff-ea48eab674fe05348e580125fccb19b775e0fd6f6a2d28a2dab5fb382590a16aR1641
I have run new e2es on the fedora rawhide VM, which has the fix

#4800 is supposed to show host-isolation test parts failing on a kind with feature disabled

npinaeva and others added 9 commits October 23, 2024 12:53
setup.

Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Since the NAD API resource name uses arbitrary name and
doesn't match the kind name
('network-attachment-definitions' vs. 'NetworkAttachmentDefinition'),
the underlying API machinery cannot match between the resource and
kind names, causing NAD objects to not reflect in the NAD informer [1].

To overcome this, populate the NAD fakeclient tracker with given NADs
objects following the example on [2].

This is preliminary change to enable simplifying UDN controller
tests, making test setup more simple and eliminate using the NAD
informer directly to create/delete NADs.

[1] https://github.com/ovn-org/ovn-kubernetes/blob/65c79af35b2c22f90c863debefa15c4fb1f088cb/go-controller/vendor/k8s.io/client-go/testing/fixture.go#L341
[2] ovn-org@434b059#diff-ae287d8b2b115068905d4b5bf477d0e8cb6586d271fe872ca3b17acc94f21075R1

Signed-off-by: Or Mergi <ormergi@redhat.com>
Signed-off-by: Dan Winship <danwinship@redhat.com>
(cherry picked from commit 7bad589)
Signed-off-by: Dan Winship <danwinship@redhat.com>
(cherry picked from commit 79b6e3f)
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Authored-by: Dan Winship <danwinship@redhat.com>
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
It allows listening for systemd events, we use it to track kubelet
restarts.

Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
@github-actions github-actions bot added kind/documentation All issues related to documentation area/unit-testing Issues related to adding/updating unit tests area/e2e-testing labels Oct 23, 2024
UDNHostIsolationManager manages the host isolation for user defined
networks.It uses nftables chain "udn-isolation" to only allow
connection to primary UDN pods from kubelet.
It also listens to systemd events to re-apply the rules after kubelet
restart as cgroup matching is used.

Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Replace podIP with Element, add tracking of duplicate elements owned
by different pods.

Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
To allow access to open port from the default hostNetwork pods,
add ntf rules to track icmp and tcp/udp/sctp allowed ports.
Add composed key option to nftPodElementsSet.
Add unit tests for nftPodElementsSet and open port handling.

Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
UDN host isolation requires a kernel fix. Turn it off by default in
ovnkube.sh (aka in our kind cluster). As soon as the fix becomes
available for github runners (and dev environments), this flag will be
removed from ovnkube.sh (and potentially from the code).
This flag only takes effect when network segmentation is enabled.

Add DISABLE_UDN_HOST_ISOLATION env variable to test workflow, that is
set to true.
Skip host isolation tests based on the value.

Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/e2e-testing area/unit-testing Issues related to adding/updating unit tests kind/documentation All issues related to documentation
Projects
Status: Todo
Development

Successfully merging this pull request may close these issues.

3 participants