Uploaded image for project: 'OpenShift SDN'
  1. OpenShift SDN
  2. SDN-1569

Egress Router redirect mode: multiple destinations

    XMLWordPrintable

Details

    • Task
    • Resolution: Done
    • Undefined
    • None
    • None
    • None
    • None
    • 8
    • SDN Net-Integration Sprint 197
    • 0
    • 0.0

    Description

      The multiple destinations provided as a part of the allowedDestinations field is not working as it used to on OCP4: https://github.com/openshift/images/blob/master/egress/router/egress-router.sh#L70-L109

       

      We need to parse this from the NAD and modify the iptables here to support them:

      https://github.com/openshift/egress-router-cni/blob/master/pkg/macvlan/macvlan.go#L272-L349

       

      Testing:

      1) Created NAD:

      [dsal@bkr-hv02 surya_multiple_destinations]$ cat nad_multiple_destination.yaml 
      ---
      apiVersion: "k8s.cni.cncf.io/v1"
      kind: NetworkAttachmentDefinition
      metadata:
       name: egress-router
      spec:
       config: '{
           "cniVersion": "0.4.0",
           "type": "egress-router",
           "name": "egress-router",
       "ip": {
           "addresses": [
               "10.200.16.10/24"
           ],
           "destinations": [
               "80 tcp 10.100.3.200",
               "8080 tcp 203.0.113.26 80",
               "8443 tcp 203.0.113.26 443"
           ],
           "gateway": "10.200.16.1"
        }
      }'

      2) Created pod:

      [dsal@bkr-hv02  surya_multiple_destinations]$ cat egress-router-pod.yaml 
      ---
      apiVersion: v1
      kind: Pod
      metadata:
        name: egress-router-pod
        annotations:
          k8s.v1.cni.cncf.io/networks: egress-router
      spec:
        containers:
          - name: openshift-egress-router-pod
            command: ["/bin/bash", "-c", "sleep 999999999"]
            image: centos/tools
            securityContext:
              privileged: true
      

      3) Checked IPtables:

      [root@worker-1 core]# iptables-save -t nat 
      Generated by iptables-save v1.8.4 on Mon Feb 1 12:08:05 2021
      *nat
      :PREROUTING ACCEPT [0:0]
      :INPUT ACCEPT [0:0]
      :POSTROUTING ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      -A POSTROUTING -o net1 -j SNAT --to-source 10.200.16.10
      COMMIT # Completed on Mon Feb 1 12:08:05 2021
      
      

      As we can see, only the SNAT rule is added. The DNAT doesn't get picked up because of the syntax difference.

      Attachments

        Activity

          People

            sseethar Surya Seetharaman
            sseethar Surya Seetharaman
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: