[WIP] UDN host isolation #4799
base: master
Commits on Oct 23, 2024
Call PrepareTestConfig for healthcheck tests to ensure consistent setup.
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Commit 4579ac0
kind.sh fix: delete kind cluster with given name instead of "ovn".
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Commit d8970fd
utils,fake client: Populate NAD fake-client tracker
Since the NAD API resource name uses an arbitrary name and doesn't match the kind name ('network-attachment-definitions' vs. 'NetworkAttachmentDefinition'), the underlying API machinery cannot match between the resource and kind names, causing NAD objects to not be reflected in the NAD informer [1]. To overcome this, populate the NAD fakeclient tracker with the given NAD objects following the example in [2].
This is a preliminary change to enable simplifying UDN controller tests, making test setup simpler and eliminating the use of the NAD informer directly to create/delete NADs.
[1] https://github.com/ovn-org/ovn-kubernetes/blob/65c79af35b2c22f90c863debefa15c4fb1f088cb/go-controller/vendor/k8s.io/client-go/testing/fixture.go#L341
[2] ovn-org@434b059#diff-ae287d8b2b115068905d4b5bf477d0e8cb6586d271fe872ca3b17acc94f21075R1
Signed-off-by: Or Mergi <ormergi@redhat.com>
Commit 7b5e7c5
Make sure nftables binaries are available everywhere
Signed-off-by: Dan Winship <danwinship@redhat.com> (cherry picked from commit 7bad589)
Commit d14702e
Import knftables package, add pkg/node/nftables/
Signed-off-by: Dan Winship <danwinship@redhat.com> (cherry picked from commit 79b6e3f)
Commit b6e6a22
Add testing util for nftables.
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Authored-by: Dan Winship <danwinship@redhat.com>
Commit 3a04944
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Commit afc7567
Bump knftables version to the master
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Commit b6f4d65
Mount systemd/private to the ovnkube containers.
It allows listening for systemd events; we use it to track kubelet restarts.
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Commit e9fcdf8
Add host isolation for UDN pods.
UDNHostIsolationManager manages the host isolation for user defined networks. It uses the nftables chain "udn-isolation" to only allow connections to primary UDN pods from kubelet. It also listens to systemd events to re-apply the rules after a kubelet restart, as cgroup matching is used.
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Commit ba13572
node UDN isolation: make nft container more generic.
Replace podIP with Element, add tracking of duplicate elements owned by different pods.
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Commit af88109
node UDN isolation: handle open ports annotation on UDN pods.
To allow access to open ports from the default hostNetwork pods, add nft rules to track icmp and tcp/udp/sctp allowed ports. Add a composed key option to nftPodElementsSet. Add unit tests for nftPodElementsSet and open port handling.
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Commit 2aff0d5
host isolation, open ports: add e2e
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Commit a3f6743
Add option to disable udn-host-isolation.
UDN host isolation requires a kernel fix. Turn it off by default in ovnkube.sh (i.e. in our kind cluster). As soon as the fix becomes available for GitHub runners (and dev environments), this flag will be removed from ovnkube.sh (and potentially from the code). This flag only takes effect when network segmentation is enabled.
Add a DISABLE_UDN_HOST_ISOLATION env variable to the test workflow, set to true. Skip host isolation tests based on its value.
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Commit 71ad044