Add EgressGroup API and Controller #1965
Conversation
tnqn
force-pushed
the
egress-controlplane
branch
from
6655a8f
to
178405b
Compare
tnqn
force-pushed
the
egress-controlplane
branch
2 times, most recently
from
67a05e1
to
8d715b1
Compare
tnqn
force-pushed
the
egress-controlplane
branch
from
8d715b1
to
0cdfef9
Compare
Codecov Report
@@ Coverage Diff @@
## main #1965 +/- ##
==========================================
- Coverage 65.40% 64.89% -0.51%
==========================================
Files 197 201 +4
Lines 17192 17428 +236
==========================================
+ Hits 11244 11310 +66
- Misses 4778 4945 +167
- Partials 1170 1173 +3
Flags with carried forward coverage won't be shown. Click here to find out more.
|
tnqn
force-pushed
the
egress-controlplane
branch
3 times, most recently
from
6e22f26
to
d8dab17
Compare
tnqn
force-pushed
the
egress-controlplane
branch
3 times, most recently
from
3d50cdd
to
0f6830c
Compare
tnqn
changed the title
tnqn
force-pushed
the
egress-controlplane
branch
2 times, most recently
from
7e1326d
to
27747ee
Compare
build/yamls/base/crds.yml
Outdated
| served: true | ||
| storage: true | ||
| schema: | ||
| openAPIV3Schema: |
There was a problem hiding this comment.
We should add some validation here? Like SNAT IP is required, and its format.
There was a problem hiding this comment.
Sure, I added this only for testing. Do you plan to include it in #1433? I think either that one or the last patch making the whole feature work should include it.
There was a problem hiding this comment.
I plan to merge CRD types first. What you think?
| ) | ||
|
|
||
| // EgressGroup describes a set of GroupMembers to apply Egress to. | ||
| type EgressGroup struct { |
There was a problem hiding this comment.
We cannot share a group struct with NetworkPolicy? If in future that is possible, maybe give a generic name for it, like AppliedGroup?
There was a problem hiding this comment.
It could share it with NetworkPolicy. I didn't do it to avoid touching NetworkPolicy stuff in this PR. If you prefer, I could move AppliedToGroup from networkpolicy.go to group.go in this PR and reuse it. You mean AppliedGroup or AppliedToGroup?
There was a problem hiding this comment.
I meant AppliedToGroup. If you want to reduce the change, we can refactor later - not much time left for this release.
There was a problem hiding this comment.
Do you think we can rename it to AppliedToGroup if later we want to unify with NetworkPolicy AppliedToGroup?
There was a problem hiding this comment.
Yes, it can. Should we do it when unifying with NetworkPolicy AppliedToGroup to avoid confusion that the API is named EgressGroup while its stored struct is AppliedToGroup?
There was a problem hiding this comment.
How about adding a comment here.
| // The previous version of the stored EgressGroup. | ||
| PrevGroup *types.EgressGroup | ||
| // The current version of the transferred EgressGroup, which will be used in Added events. | ||
| CurrObject *controlplane.EgressGroup |
There was a problem hiding this comment.
I might have missed something, but I did not see CurrObject/PrevObject are used in the code of this PR?
There was a problem hiding this comment.
Thanks for catching it. They are not needed. I forgot to remove them, so do PatchObject.
| // install its SNAT rule right after the Pod's CNI request is processed, which just requires a notification from | ||
| // CNIServer to the agent's EgressController. However the current notification mechanism (the entityUpdate | ||
| // channel) allows only single consumer. Once it allows multiple consumers, we can change the condition to | ||
| // include scheduled Pods that have no IPs. |
| curEgress := cur.(*egressv1alpha1.Egress) | ||
| klog.Infof("Processing Egress %s UPDATE event with selector (%s)", curEgress.Name, curEgress.Spec.AppliedTo) | ||
| // Do nothing if AppliedTo doesn't change. | ||
| if reflect.DeepEqual(oldEgress.Spec.AppliedTo, curEgress.Spec.AppliedTo) { |
There was a problem hiding this comment.
Do you think we can optimize by defining our own comparison funcs for AppliedTo?
build/yamls/base/crds.yml
Outdated
| served: true | ||
| storage: true | ||
| schema: | ||
| openAPIV3Schema: |
There was a problem hiding this comment.
Sure, I added this only for testing. Do you plan to include it in #1433? I think either that one or the last patch making the whole feature work should include it.
| ) | ||
|
|
||
| // EgressGroup describes a set of GroupMembers to apply Egress to. | ||
| type EgressGroup struct { |
There was a problem hiding this comment.
It could share it with NetworkPolicy. I didn't do it to avoid touching NetworkPolicy stuff in this PR. If you prefer, I could move AppliedToGroup from networkpolicy.go to group.go in this PR and reuse it. You mean AppliedGroup or AppliedToGroup?
| // The previous version of the stored EgressGroup. | ||
| PrevGroup *types.EgressGroup | ||
| // The current version of the transferred EgressGroup, which will be used in Added events. | ||
| CurrObject *controlplane.EgressGroup |
There was a problem hiding this comment.
Thanks for catching it. They are not needed. I forgot to remove them, so do PatchObject.
| curEgress := cur.(*egressv1alpha1.Egress) | ||
| klog.Infof("Processing Egress %s UPDATE event with selector (%s)", curEgress.Name, curEgress.Spec.AppliedTo) | ||
| // Do nothing if AppliedTo doesn't change. | ||
| if reflect.DeepEqual(oldEgress.Spec.AppliedTo, curEgress.Spec.AppliedTo) { |
tnqn
force-pushed
the
egress-controlplane
branch
2 times, most recently
from
cc9483e
to
cc651cb
Compare
tnqn
force-pushed
the
egress-controlplane
branch
from
cc651cb
to
93cf251
Compare
|
/test-all |
This patch adds a controlplane API which provides List, Get, and Watch interface for EgressGroups. antrea-agents consume the API to get the Pods to which an Egress applies. Each agent only receives Pods running on its own Node.
tnqn
force-pushed
the
egress-controlplane
branch
from
93cf251
to
73f53ca
Compare
|
/test-all |
|
/test-integration |
This patch adds a controlplane API which provides List, Get, and Watch interface for EgressGroups. antrea-agents consume the API to get the Pods to which an Egress applies. Each agent only receives Pods running on its own Node.
For #1924