feat(services): support ipMode Proxy for LoadBalancer ingresses

 This implements support for KEP-1860. When a LoadBalancer ingress has ipMode set to 'Proxy', kube-router will skip adding the IP to the local IPVS table and will not hijack the traffic. If ipMode is 'VIP' or unset, the current behavior is maintained.

Fixes #2014

Author: 1fabi0

pkg/controllers/proxy/network_services_controller.go

@@ -915,7 +915,7 @@ func (nsc *NetworkServicesController) buildServicesInfo() serviceInfoMap {
 			}
 			copy(svcInfo.clusterIPs, svc.Spec.ClusterIPs)
 			for _, lbIngress := range svc.Status.LoadBalancer.Ingress {
-				if len(lbIngress.IP) > 0 {
+				if len(lbIngress.IP) > 0 && (lbIngress.IPMode == nil || *lbIngress.IPMode != v1.LoadBalancerIPModeProxy) {
 					svcInfo.loadBalancerIPs = append(svcInfo.loadBalancerIPs, lbIngress.IP)
 				}
 			}

pkg/controllers/proxy/network_services_controller_test.go

@@ -47,6 +47,8 @@ func TestNetworkServicesController_syncIpvsServices(t *testing.T) {
 	// Default traffic policies used in tests
 	intTrafficPolicyCluster := v1core.ServiceInternalTrafficPolicyCluster
 	extTrafficPolicyCluster := v1core.ServiceExternalTrafficPolicyCluster
+	lbIPModeProxy := v1core.LoadBalancerIPModeProxy
+	lbIPModeVIP := v1core.LoadBalancerIPModeVIP
 
 	tests := []struct {
 		name                     string
@@ -184,6 +186,69 @@ func TestNetworkServicesController_syncIpvsServices(t *testing.T) {
 				"2.2.2.2:6:8080:false:rr",
 			},
 		},
+		{
+			name: "service with loadbalancer IPs where ipMode is Proxy (should be skipped)",
+			service: &v1core.Service{
+				ObjectMeta: metav1.ObjectMeta{Name: "svc-1"},
+				Spec: v1core.ServiceSpec{
+					Type:                  "LoadBalancer",
+					ClusterIP:             "10.0.0.1",
+					ExternalIPs:           []string{"1.1.1.1", "2.2.2.2"},
+					InternalTrafficPolicy: &intTrafficPolicyCluster,
+					ExternalTrafficPolicy: extTrafficPolicyCluster,
+					Ports: []v1core.ServicePort{
+						{Name: "port-1", Protocol: "TCP", Port: 8080},
+					},
+				},
+				Status: v1core.ServiceStatus{
+					LoadBalancer: v1core.LoadBalancerStatus{
+						Ingress: []v1core.LoadBalancerIngress{
+							{IP: "10.255.0.1", IPMode: &lbIPModeProxy},
+							{IP: "10.255.0.2", IPMode: &lbIPModeProxy},
+						},
+					},
+				},
+			},
+			endpointSlice: &discoveryv1.EndpointSlice{},
+			expectedIPs:   []string{"10.0.0.1", "1.1.1.1", "2.2.2.2"},
+			expectedServices: []string{
+				"10.0.0.1:6:8080:false:rr",
+				"1.1.1.1:6:8080:false:rr",
+				"2.2.2.2:6:8080:false:rr",
+			},
+		},
+		{
+			name: "service with mixed loadbalancer IPs (one Proxy, one VIP)",
+			service: &v1core.Service{
+				ObjectMeta: metav1.ObjectMeta{Name: "svc-1"},
+				Spec: v1core.ServiceSpec{
+					Type:                  "LoadBalancer",
+					ClusterIP:             "10.0.0.1",
+					ExternalIPs:           []string{"1.1.1.1", "2.2.2.2"},
+					InternalTrafficPolicy: &intTrafficPolicyCluster,
+					ExternalTrafficPolicy: extTrafficPolicyCluster,
+					Ports: []v1core.ServicePort{
+						{Name: "port-1", Protocol: "TCP", Port: 8080},
+					},
+				},
+				Status: v1core.ServiceStatus{
+					LoadBalancer: v1core.LoadBalancerStatus{
+						Ingress: []v1core.LoadBalancerIngress{
+							{IP: "10.255.0.1", IPMode: &lbIPModeProxy},
+							{IP: "10.255.0.2", IPMode: &lbIPModeVIP},
+						},
+					},
+				},
+			},
+			endpointSlice: &discoveryv1.EndpointSlice{},
+			expectedIPs:   []string{"10.0.0.1", "1.1.1.1", "2.2.2.2", "10.255.0.2"},
+			expectedServices: []string{
+				"10.0.0.1:6:8080:false:rr",
+				"1.1.1.1:6:8080:false:rr",
+				"2.2.2.2:6:8080:false:rr",
+				"10.255.0.2:6:8080:false:rr",
+			},
+		},
 		{
 			name: "node has endpoints for service",
 			service: &v1core.Service{

pkg/controllers/routing/ecmp_vip.go

@@ -341,7 +341,7 @@ func (nrc *NetworkRoutingController) getLoadBalancerIPs(svc *v1core.Service) []s
 		// skip headless services
 		if !utils.ClusterIPIsNoneOrBlank(svc.Spec.ClusterIP) {
 			for _, lbIngress := range svc.Status.LoadBalancer.Ingress {
-				if len(lbIngress.IP) > 0 {
+				if len(lbIngress.IP) > 0 && (lbIngress.IPMode == nil || *lbIngress.IPMode != v1core.LoadBalancerIPModeProxy) {
 					loadBalancerIPList = append(loadBalancerIPList, lbIngress.IP)
 				}
 			}

pkg/controllers/routing/ecmp_vip_test.go

@@ -32,6 +32,8 @@ var (
 	testClusterExtTrafPol = v1core.ServiceExternalTrafficPolicyCluster
 	testLocalIntTrafPol   = v1core.ServiceInternalTrafficPolicyLocal
 	testClusterIntTrafPol = v1core.ServiceInternalTrafficPolicyCluster
+	testIpModeProxy	      = v1core.LoadBalancerIPModeProxy
+	testIpModeVIP	      = v1core.LoadBalancerIPModeVIP
 	testNodeIPv4          = "10.1.0.1"
 	testNodeIPv6          = "2001:db8:42:2::1"
 )
@@ -901,6 +903,36 @@ func Test_getVIPsForService(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "skip loadbalancer IPs with ipMode Proxy",
+			nrc: &NetworkRoutingController{
+				advertiseClusterIP:      true,
+				advertiseExternalIP:     true,
+				advertiseLoadBalancerIP: true,
+				krNode: &utils.LocalKRNode{
+					KRNode: utils.KRNode{
+						PrimaryIP:     net.ParseIP(testNodeIPv4),
+						NodeIPv4Addrs: map[v1core.NodeAddressType][]net.IP{v1core.NodeInternalIP: {net.ParseIP(testNodeIPv4)}},
+					},
+				},
+			},
+			serviceAdvertisedIPs: []*ServiceAdvertisedIPs{
+				{
+					service:       getLoadBalancerProxySvc(),
+					endpoints:     getContainsLocalIPv4EPs(),
+					advertisedIPs: []string{"10.0.0.1", "1.1.1.1"},
+					withdrawnIPs:  []string{},
+					annotations:   nil,
+				},
+				{
+					service:       getLoadBalancerMixedIPModeSvc(),
+					endpoints:     getContainsLocalIPv4EPs(),
+					advertisedIPs: []string{"10.0.0.1", "1.1.1.1", "10.0.255.2"},
+					withdrawnIPs:  []string{},
+					annotations:   nil,
+				},
+			},
+		},
 	}
 
 	for _, test := range tests {
@@ -1031,6 +1063,54 @@ func getLoadBalancerSvc() *v1core.Service {
 	}
 }
 
+func getLoadBalancerProxySvc() *v1core.Service {
+	return &v1core.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "svc-loadbalancer-proxy",
+			Namespace: "default",
+		},
+		Spec: v1core.ServiceSpec{
+			Type:                  LoadBalancerST,
+			ClusterIP:             "10.0.0.1",
+			ExternalIPs:           []string{"1.1.1.1"},
+			InternalTrafficPolicy: &testClusterIntTrafPol,
+			ExternalTrafficPolicy: testClusterExtTrafPol,
+		},
+		Status: v1core.ServiceStatus{
+			LoadBalancer: v1core.LoadBalancerStatus{
+				Ingress: []v1core.LoadBalancerIngress{
+					{IP: "10.0.255.1", IPMode: &testIpModeProxy},
+					{IP: "10.0.255.2", IPMode: &testIpModeProxy},
+				},
+			},
+		},
+	}
+}
+
+func getLoadBalancerMixedIPModeSvc() *v1core.Service {
+	return &v1core.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "svc-loadbalancer-mixed",
+			Namespace: "default",
+		},
+		Spec: v1core.ServiceSpec{
+			Type:                  LoadBalancerST,
+			ClusterIP:             "10.0.0.1",
+			ExternalIPs:           []string{"1.1.1.1"},
+			InternalTrafficPolicy: &testClusterIntTrafPol,
+			ExternalTrafficPolicy: testClusterExtTrafPol,
+		},
+		Status: v1core.ServiceStatus{
+			LoadBalancer: v1core.LoadBalancerStatus{
+				Ingress: []v1core.LoadBalancerIngress{
+					{IP: "10.0.255.1", IPMode: &testIpModeProxy},
+					{IP: "10.0.255.2", IPMode: &testIpModeVIP},
+				},
+			},
+		},
+	}
+}
+
 func getContainsLocalIPv4EPs() *discoveryv1.EndpointSlice {
 	return &discoveryv1.EndpointSlice{
 		Endpoints: []discoveryv1.Endpoint{