adding a new workflow to validate the FlexibleIPAM feature #6879
Conversation
KMAnju-2021
force-pushed
the
add-cncf-runners
branch
from
ccdc56f to
ef95db6
Compare
KMAnju-2021
force-pushed
the
add-cncf-runners
branch
22 times, most recently
from
33a2b50 to
9486da3
Compare
KMAnju-2021
changed the title
KMAnju-2021
force-pushed
the
add-cncf-runners
branch
7 times, most recently
from
f9401e7 to
d1ba24e
Compare
| mkdir log | ||
| mkdir test-ipam-e2e-coverage | ||
| ANTREA_LOG_DIR=$PWD/log ANTREA_COV_DIR=$PWD/test-ipam-e2e-coverage ./ci/kind/test-e2e-kind.sh \ | ||
| --encap-mode noEncap \ |
There was a problem hiding this comment.
I would avoid adding this, as this will anyway be the case when providing --flexible-ipam
There was a problem hiding this comment.
if we will not provide --encap-mode noEncap then it will take default mode encap and in generate-manifest.sh script it will override the value after flexible-ipam check.
ci/kind/kind-setup.sh
Outdated
| @@ -300,6 +300,18 @@ function configure_vlan_subnets { | |||
| docker_run_with_host_net iptables -t filter -A FORWARD -i ${vlan_interfaces[j]} -o ${vlan_interfaces[i]} -j ACCEPT | |||
| done | |||
| done | |||
|
|
|||
| # Adding ipset rules to prevent SNAT based on flexibleIPAM e2e tests | |||
There was a problem hiding this comment.
remove this comment and add a more verbose and accurate one for each of the 2 iptables rules below.
In particular, this comment is not accurate for the second iptables rules.
ci/kind/kind-setup.sh
Outdated
| docker_run_with_host_net ipset list excluded_subnets | ||
|
|
||
| docker_run_with_host_net iptables -t nat -I POSTROUTING 1 ! -o $bridge_interface -s 192.168.240.0/24 -m set --match-set excluded_subnets dst -j RETURN | ||
| docker_run_with_host_net iptables -t nat -A POSTROUTING ! -o $bridge_interface -s 10.244.0.0/16 -m set ! --match-set excluded_subnets dst -j MASQUERADE |
There was a problem hiding this comment.
when using FlexibleIPAM, noSNAT is set to true and Antrea will not perform SNAT for Pod traffic
this rule seems to counteract that behavior, by reestablishing SNAT for regular Pods (which use the default Pod CIDR). Can you explain why it is needed?
There was a problem hiding this comment.
what I observe that when we create kind network then docker will add corresponding default NAT rule in the iptables:
`Chain POSTROUTING (policy ACCEPT 887 packets, 63828 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE 0 -- * !br-053bd7f613f8 192.168.240.0/24 0.0.0.0/0
0 0 MASQUERADE 0 -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 MASQUERADE 6 -- * * 192.168.240.2 192.168.240.2 tcp dpt:6443`
and because of that it's performing SNAT for the case:#6237, and failing tests, to prevent that i added two NAT rules.
There was a problem hiding this comment.
I don't think that's answering my question.
The purpose of the first rule is to prevent SNAT between VLANs and I understand that. The second rule on the other hand is forcing SNAT for "regular" (NodeIPAM) Pods, so I am asking you to clarify why it's needed with a comment. I'm assuming something like this is correct:
With FlexibleIPAM, Antrea SNAT is disabled (noSNAT: true) so Pods don't have access to the external network by default (including regular / NodeIPAM Pods). With our configuration, Docker will already perform SNAT for FlexibleIPAM Pods. However, we need a custom SNAT rule for regular Pods.
I am not sure that the Pods really need access to the external network, but maybe some tests break without this?
KMAnju-2021
force-pushed
the
add-cncf-runners
branch
19 times, most recently
from
934cf91 to
66bcec4
Compare
Signed-off-by: KMAnju-2021 <[email protected]>
KMAnju-2021
force-pushed
the
add-cncf-runners
branch
from
66bcec4 to
3b36534
Compare
#6887