set iBGP export policies only if its enabled (#453)

andrewsykim · murali-reddy · commit 5e4ca2922b99 · 2018-06-04T19:06:09.000+07:00
diff --git a/pkg/controllers/routing/export_policies.go b/pkg/controllers/routing/export_policies.go
@@ -14,7 +14,7 @@ import (
 //
 // - by default export of all routes from the RIB to the neighbour's is denied, and explicity statements are added i
 //   to permit the desired routes to be exported
-// - each node is allowed to advertise its assigned pod CIDR's to all of its iBGP peer neighbours with same ASN
+// - each node is allowed to advertise its assigned pod CIDR's to all of its iBGP peer neighbours with same ASN if --enable-ibgp=true
 // - each node is allowed to advertise its assigned pod CIDR's to all of its external BGP peer neighbours
 //   only if --advertise-pod-cidr flag is set to true
 // - each node is NOT allowed to advertise its assigned pod CIDR's to all of its external BGP peer neighbours
@@ -66,40 +66,42 @@ func (nrc *NetworkRoutingController) addExportPolicies() error {
 
 	statements := make([]config.Statement, 0)
 
-	// Get the current list of the nodes from the local cache
-	nodes := nrc.nodeLister.List()
-	iBGPPeers := make([]string, 0)
-	for _, node := range nodes {
-		nodeObj := node.(*v1core.Node)
-		nodeIP, err := utils.GetNodeIP(nodeObj)
+	if nrc.bgpEnableInternal {
+		// Get the current list of the nodes from the local cache
+		nodes := nrc.nodeLister.List()
+		iBGPPeers := make([]string, 0)
+		for _, node := range nodes {
+			nodeObj := node.(*v1core.Node)
+			nodeIP, err := utils.GetNodeIP(nodeObj)
+			if err != nil {
+				return fmt.Errorf("Failed to find a node IP: %s", err)
+			}
+			iBGPPeers = append(iBGPPeers, nodeIP.String())
+		}
+		iBGPPeerNS, _ := table.NewNeighborSet(config.NeighborSet{
+			NeighborSetName:  "iBGPpeerset",
+			NeighborInfoList: iBGPPeers,
+		})
+		err = nrc.bgpServer.ReplaceDefinedSet(iBGPPeerNS)
 		if err != nil {
-			return fmt.Errorf("Failed to find a node IP: %s", err)
+			nrc.bgpServer.AddDefinedSet(iBGPPeerNS)
 		}
-		iBGPPeers = append(iBGPPeers, nodeIP.String())
-	}
-	iBGPPeerNS, _ := table.NewNeighborSet(config.NeighborSet{
-		NeighborSetName:  "iBGPpeerset",
-		NeighborInfoList: iBGPPeers,
-	})
-	err = nrc.bgpServer.ReplaceDefinedSet(iBGPPeerNS)
-	if err != nil {
-		nrc.bgpServer.AddDefinedSet(iBGPPeerNS)
-	}
-	// statement to represent the export policy to permit advertising node's pod CIDR
-	statements = append(statements,
-		config.Statement{
-			Conditions: config.Conditions{
-				MatchPrefixSet: config.MatchPrefixSet{
-					PrefixSet: "podcidrprefixset",
+		// statement to represent the export policy to permit advertising node's pod CIDR
+		statements = append(statements,
+			config.Statement{
+				Conditions: config.Conditions{
+					MatchPrefixSet: config.MatchPrefixSet{
+						PrefixSet: "podcidrprefixset",
+					},
+					MatchNeighborSet: config.MatchNeighborSet{
+						NeighborSet: "iBGPpeerset",
+					},
 				},
-				MatchNeighborSet: config.MatchNeighborSet{
-					NeighborSet: "iBGPpeerset",
+				Actions: config.Actions{
+					RouteDisposition: config.ROUTE_DISPOSITION_ACCEPT_ROUTE,
 				},
-			},
-			Actions: config.Actions{
-				RouteDisposition: config.ROUTE_DISPOSITION_ACCEPT_ROUTE,
-			},
-		})
+			})
+	}
 
 	externalBgpPeers := make([]string, 0)
 	if len(nrc.globalPeerRouters) != 0 {
diff --git a/pkg/controllers/routing/network_routes_controller_test.go b/pkg/controllers/routing/network_routes_controller_test.go
@@ -1151,12 +1151,13 @@ func Test_addExportPolicies(t *testing.T) {
 		{
 			"has nodes and services",
 			&NetworkRoutingController{
-				clientset:        fake.NewSimpleClientset(),
-				hostnameOverride: "node-1",
-				bgpFullMeshMode:  false,
-				bgpServer:        gobgp.NewBgpServer(),
-				activeNodes:      make(map[string]bool),
-				nodeAsnNumber:    100,
+				clientset:         fake.NewSimpleClientset(),
+				hostnameOverride:  "node-1",
+				bgpFullMeshMode:   false,
+				bgpEnableInternal: true,
+				bgpServer:         gobgp.NewBgpServer(),
+				activeNodes:       make(map[string]bool),
+				nodeAsnNumber:     100,
 			},
 			[]*v1core.Node{
 				{
@@ -1251,11 +1252,12 @@ func Test_addExportPolicies(t *testing.T) {
 		{
 			"has nodes, services with external peers",
 			&NetworkRoutingController{
-				clientset:        fake.NewSimpleClientset(),
-				hostnameOverride: "node-1",
-				bgpFullMeshMode:  false,
-				bgpServer:        gobgp.NewBgpServer(),
-				activeNodes:      make(map[string]bool),
+				clientset:         fake.NewSimpleClientset(),
+				hostnameOverride:  "node-1",
+				bgpFullMeshMode:   false,
+				bgpEnableInternal: true,
+				bgpServer:         gobgp.NewBgpServer(),
+				activeNodes:       make(map[string]bool),
 				globalPeerRouters: []*config.NeighborConfig{
 					{
 						NeighborAddress: "10.10.0.1",
@@ -1382,6 +1384,125 @@ func Test_addExportPolicies(t *testing.T) {
 			},
 			nil,
 		},
+		{
+			"has nodes, services with external peers and iBGP disabled",
+			&NetworkRoutingController{
+				clientset:         fake.NewSimpleClientset(),
+				hostnameOverride:  "node-1",
+				bgpFullMeshMode:   false,
+				bgpEnableInternal: false,
+				bgpServer:         gobgp.NewBgpServer(),
+				activeNodes:       make(map[string]bool),
+				globalPeerRouters: []*config.NeighborConfig{
+					{
+						NeighborAddress: "10.10.0.1",
+					},
+					{
+						NeighborAddress: "10.10.0.2",
+					},
+				},
+				nodeAsnNumber: 100,
+			},
+			[]*v1core.Node{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "node-1",
+						Annotations: map[string]string{
+							"kube-router.io/node.asn": "100",
+						},
+					},
+					Status: v1core.NodeStatus{
+						Addresses: []v1core.NodeAddress{
+							{
+								Type:    v1core.NodeInternalIP,
+								Address: "10.0.0.1",
+							},
+						},
+					},
+					Spec: v1core.NodeSpec{
+						PodCIDR: "172.20.0.0/24",
+					},
+				},
+			},
+			[]*v1core.Service{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "svc-1",
+					},
+					Spec: v1core.ServiceSpec{
+						Type:        "ClusterIP",
+						ClusterIP:   "10.0.0.1",
+						ExternalIPs: []string{"1.1.1.1"},
+					},
+				},
+			},
+			&config.DefinedSets{
+				PrefixSets: []config.PrefixSet{
+					{
+						PrefixSetName: "podcidrprefixset",
+						PrefixList: []config.Prefix{
+							{
+								IpPrefix:        "172.20.0.0/24",
+								MasklengthRange: "24..24",
+							},
+						},
+					},
+				},
+				NeighborSets:   []config.NeighborSet{},
+				TagSets:        []config.TagSet{},
+				BgpDefinedSets: config.BgpDefinedSets{},
+			},
+			&config.DefinedSets{
+				PrefixSets: []config.PrefixSet{
+					{
+						PrefixSetName: "clusteripprefixset",
+						PrefixList: []config.Prefix{
+							{
+								IpPrefix:        "1.1.1.1/32",
+								MasklengthRange: "32..32",
+							},
+							{
+								IpPrefix:        "10.0.0.1/32",
+								MasklengthRange: "32..32",
+							},
+						},
+					},
+				},
+				NeighborSets:   []config.NeighborSet{},
+				TagSets:        []config.TagSet{},
+				BgpDefinedSets: config.BgpDefinedSets{},
+			},
+			&config.DefinedSets{
+				PrefixSets: []config.PrefixSet{},
+				NeighborSets: []config.NeighborSet{
+					{
+						NeighborSetName:  "externalpeerset",
+						NeighborInfoList: []string{"10.10.0.1/32", "10.10.0.2/32"},
+					},
+				},
+				TagSets:        []config.TagSet{},
+				BgpDefinedSets: config.BgpDefinedSets{},
+			},
+			[]*config.Statement{
+				{
+					Name: "kube_router_stmt0",
+					Conditions: config.Conditions{
+						MatchPrefixSet: config.MatchPrefixSet{
+							PrefixSet:       "clusteripprefixset",
+							MatchSetOptions: config.MATCH_SET_OPTIONS_RESTRICTED_TYPE_ANY,
+						},
+						MatchNeighborSet: config.MatchNeighborSet{
+							NeighborSet:     "externalpeerset",
+							MatchSetOptions: config.MATCH_SET_OPTIONS_RESTRICTED_TYPE_ANY,
+						},
+					},
+					Actions: config.Actions{
+						RouteDisposition: config.ROUTE_DISPOSITION_ACCEPT_ROUTE,
+					},
+				},
+			},
+			nil,
+		},
 	}
 
 	for _, testcase := range testcases {
