Set DSCP for workload's egress traffic leaving cluster

[mazdakn]

Description

Set DSCP for egress traffic leaving cluster when qos.projectcalico.org/dscp annotation is set on a workload endpoint, i.e. pod.

This PR includes:

• Adding a new type named DSCP that holds numeric values between 0-63 and common string values.
• Libcalico-go changes: Adding the new annotation to workload endpoint.
• Calc graph:
  • Defining a new protobuf message called QosPolicy.
  • conversion from annotation value to QosPolicy for workload endpoints.
• Dataplane:
  • new dataplane manager to watch for workload endpoints and potential assigned QosPolicy.
  • new iptables/nftables action for setting DSCP.
  • new static chain to jump to QoS policy rules in post routing chain of mangle table.
• Felix FVs

The follow up PRs will cover:

• Adding DSCP for host endpoints: Set DSCP for host endpoints #10825
• Optimization in nftables by using verdict map: Nftables: use verdict map for QoS policies #10827
• Adding support in ebpf dataplane:
  • bpf: support for adding DSCP for egress traffic #10881
  • BPF: Set DSCP only for traffic leaving cluster #10934
  • BPF: Allows users to set DSCP on traffic toward hosts/hostendpoints #10997
• Docs: QoS Control: DiffServ tigera/docs#2290

Related issues/PRs

Todos

• Tests
• Documentation
• Release note

Release Note

Set the Differentiated Services Code Point (DSCP) on an endpoint's outgoing network traffic leaving cluster.
This is done by adding "qos.projectcalico.org/dscp" annotation to workloads and host endpoints.

Reminder for the reviewer

Make sure that this PR has the correct labels and milestone set.

Every PR needs one docs-* label.

• docs-pr-required: This change requires a change to the documentation that has not been completed yet.
• docs-completed: This change has all necessary documentation completed.
• docs-not-required: This change has no user-facing impact and requires no docs.

Every PR needs one release-note-* label.

• release-note-required: This PR has user-facing changes. Most PRs should have this label.
• release-note-not-required: This PR has no user-facing changes.

Other optional labels:

• cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.
• needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.

[Copilot]

Pull Request Overview

This PR adds support for setting DSCP (Differentiated Services Code Point) values on egress traffic in Calico workload endpoints through QoS controls. The implementation allows users to specify DSCP values either through named constants (like "EF", "AF11") or numeric values via Kubernetes annotations.

Key changes:

• Introduces a new DSCP type that supports both string and numeric values
• Adds annotation support for configuring DSCP on workload endpoints
• Updates protobuf definitions and conversion logic to handle DSCP in QoS controls

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
api/pkg/lib/numorstring/dscp.go	New DSCP type implementation with predefined constants and string/numeric support
libcalico-go/lib/backend/k8s/conversion/constants.go	Adds new annotation constant for DSCP configuration
libcalico-go/lib/backend/k8s/conversion/workload_endpoint_default.go	Implements annotation parsing for DSCP values
libcalico-go/lib/apis/v3/workloadendpoint.go	Adds DSCP field to QoSControls struct
felix/proto/felixbackend.proto	Updates protobuf definition to include DSCP field
felix/proto/felixbackend.pb.go	Generated protobuf code with DSCP support
felix/calc/event_sequencer.go	Adds DSCP conversion in model-to-proto transformation