[WIP] UDN host isolation #4799
Draft
npinaeva wants to merge 14 commits into ovn-org:master from npinaeva:udn-isolate-kubelet (base: master)
Conversation
setup. Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Since the NAD API resource name uses an arbitrary name and doesn't match the kind name ('network-attachment-definitions' vs. 'NetworkAttachmentDefinition'), the underlying API machinery cannot match between the resource and kind names, causing NAD objects not to be reflected in the NAD informer [1]. To overcome this, populate the NAD fakeclient tracker with the given NAD objects following the example in [2]. This is a preliminary change to enable simplifying UDN controller tests, making test setup simpler and eliminating direct use of the NAD informer to create/delete NADs. [1] https://github.com/ovn-org/ovn-kubernetes/blob/65c79af35b2c22f90c863debefa15c4fb1f088cb/go-controller/vendor/k8s.io/client-go/testing/fixture.go#L341 [2] ovn-org@434b059#diff-ae287d8b2b115068905d4b5bf477d0e8cb6586d271fe872ca3b17acc94f21075R1 Signed-off-by: Or Mergi <ormergi@redhat.com>
Signed-off-by: Dan Winship <danwinship@redhat.com> (cherry picked from commit 7bad589)
Signed-off-by: Dan Winship <danwinship@redhat.com> (cherry picked from commit 79b6e3f)
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com> Authored-by: Dan Winship <danwinship@redhat.com>
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
It allows listening for systemd events, we use it to track kubelet restarts. Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
github-actions bot added the labels kind/documentation (All issues related to documentation), area/unit-testing (Issues related to adding/updating unit tests) and area/e2e-testing on Oct 23, 2024
UDNHostIsolationManager manages the host isolation for user defined networks. It uses nftables chain "udn-isolation" to only allow connection to primary UDN pods from kubelet. It also listens to systemd events to re-apply the rules after kubelet restart as cgroup matching is used. Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Replace podIP with Element, add tracking of duplicate elements owned by different pods. Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
To allow access to open ports from the default hostNetwork pods, add nft rules to track icmp and tcp/udp/sctp allowed ports. Add composed key option to nftPodElementsSet. Add unit tests for nftPodElementsSet and open port handling. Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
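The two commits above describe an nft set whose elements may be owned by several pods (a shared element must stay in the kernel set until its last owner is gone) and composed keys such as ip . proto . port. The following is an added illustrative sketch in Go, not code from this pull request or from ovn-kubernetes; `podElementsSet`, `setPod`, and the pod names and addresses it is exercised with are assumptions of the sketch.

```go
package main

import (
	"sort"
	"strings"
)

// Element is one nft set element; a composed key such as ip . proto . port is
// rendered the way nft writes concatenations, with parts joined by " . ".
type Element []string
func (e Element) Key() string { return strings.Join(e, " . ") }
// podElementsSet records which pods own each element, so an element shared by
// several pods leaves the kernel set only when its last owner is gone.
// (Hypothetical structure for illustration, not the project's nftPodElementsSet.)
type podElementsSet struct {
	byPod  map[string]map[string]struct{} // pod -> element keys it contributes
	owners map[string]map[string]struct{} // element key -> pods owning it
}
func newPodElementsSet() *podElementsSet {
	return &podElementsSet{byPod: map[string]map[string]struct{}{}, owners: map[string]map[string]struct{}{}}
}

// setPod replaces a pod's elements (nil means the pod was deleted) and returns
// the element keys to add to and delete from the nft set, sorted for determinism.
func (s *podElementsSet) setPod(pod string, elems []Element) (add, del []string) {
	next := map[string]struct{}{}
	for _, e := range elems {
		next[e.Key()] = struct{}{}
	}
	for k := range s.byPod[pod] { // elements this pod no longer contributes
		if _, keep := next[k]; keep {
			continue
		}
		delete(s.owners[k], pod)
		if len(s.owners[k]) == 0 { // last owner gone: safe to delete from nft
			delete(s.owners, k)
			del = append(del, k)
		}
	}
	for k := range next { // only elements nobody owned yet need an nft add
		if s.owners[k] == nil {
			s.owners[k] = map[string]struct{}{}
			add = append(add, k)
		}
		s.owners[k][pod] = struct{}{}
	}
	s.byPod[pod] = next
	sort.Strings(add)
	sort.Strings(del)
	return add, del
}
```

With two pods both contributing the constructed address 10.0.0.5, deleting the first pod removes only its private ip . tcp . 8080 key, and the shared address is deleted only when the second pod goes away.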
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
UDN host isolation requires a kernel fix. Turn it off by default in ovnkube.sh (aka in our kind cluster). As soon as the fix becomes available for github runners (and dev environments), this flag will be removed from ovnkube.sh (and potentially from the code). This flag only takes effect when network segmentation is enabled. Add a DISABLE_UDN_HOST_ISOLATION env variable to the test workflow, set to true. Skip host isolation tests based on its value. Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
npinaeva force-pushed the udn-isolate-kubelet branch from 81f7424 to 71ad044 on October 23, 2024 14:22
pulls commits from #3709 and #4612
Adds host isolation except for kubelet, open-ports handling for hostnetwork pods.
To enable this feature on a kind cluster, just comment out 71ad044#diff-ea48eab674fe05348e580125fccb19b775e0fd6f6a2d28a2dab5fb382590a16aR1641
I have run new e2es on the fedora rawhide VM, which has the fix
#4800 is supposed to show host-isolation test parts failing on a kind with feature disabled