
Commit 3aacd48

tamihiromurali-reddy
authored andcommitted
fix clusteripprefixset import policy (#771)
1 parent 803bd90 commit 3aacd48


2 files changed

+103
-2
lines changed


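--- a/pkg/controllers/routing/bgp_policies.go
+++ b/pkg/controllers/routing/bgp_policies.go
@@ -53,10 +53,10 @@ func (nrc *NetworkRoutingController) AddPolicies() error {
 nrc.bgpServer.AddDefinedSet(clusterIPPrefixSet)
 }
 
+iBGPPeers := make([]string, 0)
 if nrc.bgpEnableInternal {
 // Get the current list of the nodes from the local cache
 nodes := nrc.nodeLister.List()
-iBGPPeers := make([]string, 0)
 for _, node := range nodes {
 nodeObj := node.(*v1core.Node)
 nodeIP, err := utils.GetNodeIP(nodeObj)
@@ -97,6 +97,17 @@ func (nrc *NetworkRoutingController) AddPolicies() error {
 }
 }
 
+// a slice of all peers is used as a match condition for reject statement of clusteripprefixset import polcy
+allBgpPeers := append(externalBgpPeers, iBGPPeers...)
+ns, _ := table.NewNeighborSet(config.NeighborSet{
+NeighborSetName: "allpeerset",
+NeighborInfoList: allBgpPeers,
+})
+err = nrc.bgpServer.ReplaceDefinedSet(ns)
+if err != nil {
+nrc.bgpServer.AddDefinedSet(ns)
+}
+
 err = nrc.addExportPolicies()
 if err != nil {
 return err
@@ -258,7 +269,7 @@ func (nrc *NetworkRoutingController) addExportPolicies() error {
 }
 
 // BGP import policies are added so that the following conditions are met:
-// - do not import Service VIPs at all, instead traffic to service VIPs should be sent to the gateway and ECMPed from there
+// - do not import Service VIPs advertised from any peers, instead each kube-router originates and injects Service VIPs into local rib.
 func (nrc *NetworkRoutingController) addImportPolicies() error {
 statements := make([]config.Statement, 0)
 
@@ -267,6 +278,9 @@ func (nrc *NetworkRoutingController) addImportPolicies() error {
 MatchPrefixSet: config.MatchPrefixSet{
 PrefixSet: "clusteripprefixset",
 },
+MatchNeighborSet: config.MatchNeighborSet{
+NeighborSet: "allpeerset",
+},
 },
 Actions: config.Actions{
 RouteDisposition: config.ROUTE_DISPOSITION_REJECT_ROUTE,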
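Review bot: The error from `table.NewNeighborSet` is discarded (`ns, _ :=`) and the fallback `nrc.bgpServer.AddDefinedSet(ns)` in the second AddPolicies hunk is unchecked, so AddPolicies can carry on without a usable `allpeerset` while the reject statement in addImportPolicies now names that set as a match condition. Because that statement is what keeps Service VIP prefixes advertised by peers out of the local RIB, a failure here should presumably be returned rather than leave the filter in an unknown state: `ns, err := table.NewNeighborSet(...)` followed by `if err != nil { return err }`, and `if err := nrc.bgpServer.AddDefinedSet(ns); err != nil { return err }` in the fallback branch. Separately, `append(externalBgpPeers, iBGPPeers...)` can write into the backing array of externalBgpPeers when it has spare capacity; that slice is declared outside the hunk, so whether later code still reads it cannot be confirmed from here. AddPolicies begins and ends outside these hunks.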

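--- a/pkg/controllers/routing/network_routes_controller_test.go
+++ b/pkg/controllers/routing/network_routes_controller_test.go
@@ -1490,6 +1490,7 @@ type PolicyTestCase struct {
 podDefinedSet *config.DefinedSets
 clusterIPDefinedSet *config.DefinedSets
 externalPeerDefinedSet *config.DefinedSets
+allPeerDefinedSet *config.DefinedSets
 exportPolicyStatements []*config.Statement
 importPolicyStatements []*config.Statement
 err error
@@ -1578,6 +1579,17 @@ func Test_AddPolicies(t *testing.T) {
 BgpDefinedSets: config.BgpDefinedSets{},
 },
 &config.DefinedSets{},
+&config.DefinedSets{
+PrefixSets: []config.PrefixSet{},
+NeighborSets: []config.NeighborSet{
+{
+NeighborSetName: "allpeerset",
+NeighborInfoList: []string{},
+},
+},
+TagSets: []config.TagSet{},
+BgpDefinedSets: config.BgpDefinedSets{},
+},
 []*config.Statement{
 {
 Name: "kube_router_export_stmt0",
@@ -1604,6 +1616,10 @@ func Test_AddPolicies(t *testing.T) {
 PrefixSet: "clusteripprefixset",
 MatchSetOptions: config.MATCH_SET_OPTIONS_RESTRICTED_TYPE_ANY,
 },
+MatchNeighborSet: config.MatchNeighborSet{
+NeighborSet: "allpeerset",
+MatchSetOptions: config.MATCH_SET_OPTIONS_RESTRICTED_TYPE_ANY,
+},
 },
 Actions: config.Actions{
 RouteDisposition: config.ROUTE_DISPOSITION_REJECT_ROUTE,
@@ -1711,6 +1727,17 @@ func Test_AddPolicies(t *testing.T) {
 TagSets: []config.TagSet{},
 BgpDefinedSets: config.BgpDefinedSets{},
 },
+&config.DefinedSets{
+PrefixSets: []config.PrefixSet{},
+NeighborSets: []config.NeighborSet{
+{
+NeighborSetName: "allpeerset",
+NeighborInfoList: []string{"10.10.0.1/32", "10.10.0.2/32"},
+},
+},
+TagSets: []config.TagSet{},
+BgpDefinedSets: config.BgpDefinedSets{},
+},
 []*config.Statement{
 {
 Name: "kube_router_export_stmt0",
@@ -1753,6 +1780,10 @@ func Test_AddPolicies(t *testing.T) {
 PrefixSet: "clusteripprefixset",
 MatchSetOptions: config.MATCH_SET_OPTIONS_RESTRICTED_TYPE_ANY,
 },
+MatchNeighborSet: config.MatchNeighborSet{
+NeighborSet: "allpeerset",
+MatchSetOptions: config.MATCH_SET_OPTIONS_RESTRICTED_TYPE_ANY,
+},
 },
 Actions: config.Actions{
 RouteDisposition: config.ROUTE_DISPOSITION_REJECT_ROUTE,
@@ -1860,6 +1891,17 @@ func Test_AddPolicies(t *testing.T) {
 TagSets: []config.TagSet{},
 BgpDefinedSets: config.BgpDefinedSets{},
 },
+&config.DefinedSets{
+PrefixSets: []config.PrefixSet{},
+NeighborSets: []config.NeighborSet{
+{
+NeighborSetName: "allpeerset",
+NeighborInfoList: []string{"10.10.0.1/32", "10.10.0.2/32"},
+},
+},
+TagSets: []config.TagSet{},
+BgpDefinedSets: config.BgpDefinedSets{},
+},
 []*config.Statement{
 {
 Name: "kube_router_export_stmt0",
@@ -1886,6 +1928,10 @@ func Test_AddPolicies(t *testing.T) {
 PrefixSet: "clusteripprefixset",
 MatchSetOptions: config.MATCH_SET_OPTIONS_RESTRICTED_TYPE_ANY,
 },
+MatchNeighborSet: config.MatchNeighborSet{
+NeighborSet: "allpeerset",
+MatchSetOptions: config.MATCH_SET_OPTIONS_RESTRICTED_TYPE_ANY,
+},
 },
 Actions: config.Actions{
 RouteDisposition: config.ROUTE_DISPOSITION_REJECT_ROUTE,
@@ -1996,6 +2042,17 @@ func Test_AddPolicies(t *testing.T) {
 TagSets: []config.TagSet{},
 BgpDefinedSets: config.BgpDefinedSets{},
 },
+&config.DefinedSets{
+PrefixSets: []config.PrefixSet{},
+NeighborSets: []config.NeighborSet{
+{
+NeighborSetName: "allpeerset",
+NeighborInfoList: []string{"10.10.0.1/32", "10.10.0.2/32"},
+},
+},
+TagSets: []config.TagSet{},
+BgpDefinedSets: config.BgpDefinedSets{},
+},
 []*config.Statement{
 {
 Name: "kube_router_export_stmt0",
@@ -2044,6 +2101,10 @@ func Test_AddPolicies(t *testing.T) {
 PrefixSet: "clusteripprefixset",
 MatchSetOptions: config.MATCH_SET_OPTIONS_RESTRICTED_TYPE_ANY,
 },
+MatchNeighborSet: config.MatchNeighborSet{
+NeighborSet: "allpeerset",
+MatchSetOptions: config.MATCH_SET_OPTIONS_RESTRICTED_TYPE_ANY,
+},
 },
 Actions: config.Actions{
 RouteDisposition: config.ROUTE_DISPOSITION_REJECT_ROUTE,
@@ -2153,6 +2214,17 @@ func Test_AddPolicies(t *testing.T) {
 TagSets: []config.TagSet{},
 BgpDefinedSets: config.BgpDefinedSets{},
 },
+&config.DefinedSets{
+PrefixSets: []config.PrefixSet{},
+NeighborSets: []config.NeighborSet{
+{
+NeighborSetName: "allpeerset",
+NeighborInfoList: []string{"10.10.0.1/32", "10.10.0.2/32"},
+},
+},
+TagSets: []config.TagSet{},
+BgpDefinedSets: config.BgpDefinedSets{},
+},
 []*config.Statement{
 {
 Name: "kube_router_export_stmt0",
@@ -2195,6 +2267,10 @@ func Test_AddPolicies(t *testing.T) {
 PrefixSet: "clusteripprefixset",
 MatchSetOptions: config.MATCH_SET_OPTIONS_RESTRICTED_TYPE_ANY,
 },
+MatchNeighborSet: config.MatchNeighborSet{
+NeighborSet: "allpeerset",
+MatchSetOptions: config.MATCH_SET_OPTIONS_RESTRICTED_TYPE_ANY,
+},
 },
 Actions: config.Actions{
 RouteDisposition: config.ROUTE_DISPOSITION_REJECT_ROUTE,
@@ -2280,6 +2356,17 @@ func Test_AddPolicies(t *testing.T) {
 t.Error("unexpected external peer defined set")
 }
 
+allPeerDefinedSet, err := testcase.nrc.bgpServer.GetDefinedSet(table.DEFINED_TYPE_NEIGHBOR, "allpeerset")
+if err != nil {
+t.Fatalf("error validating defined sets: %v", err)
+}
+
+if !allPeerDefinedSet.Equal(testcase.allPeerDefinedSet) {
+t.Logf("expected all peer defined set: %+v", testcase.allPeerDefinedSet.NeighborSets)
+t.Logf("actual all peer defined set: %+v", allPeerDefinedSet.NeighborSets)
+t.Error("unexpected all peer defined set")
+}
+
 checkPolicies(t, testcase, table.POLICY_DIRECTION_EXPORT, table.ROUTE_TYPE_REJECT, testcase.exportPolicyStatements)
 checkPolicies(t, testcase, table.POLICY_DIRECTION_IMPORT, table.ROUTE_TYPE_ACCEPT, testcase.importPolicyStatements)
 })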
