Support Service loadBalancerSourceRanges in AntreaProxy

[hongliangl]

Fix #5493

This commit introduces support for loadBalancerSourceRanges for LoadBalancer
Services.

Here is an example of a LoadBalancer Service configuration allowing access
from specific CIDRs:

apiVersion: v1
kind: Service
metadata:
  name: sample-loadbalancer-source-ranges
spec:
  selector:
    app: web
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
  type: LoadBalancer
  loadBalancerSourceRanges:
    - "192.168.77.0/24"
    - "192.168.78.0/24"
status:
  loadBalancer:
    ingress:
      - ip: 192.168.77.150

[New] Here are the corresponding flows:

1. table=ServiceMark, priority=200,tcp,nw_src=192.168.77.0/24,nw_dst=192.168.77.150,tp_dst=80 actions=set_field:0x20000000/0x60000000->reg4",
2. table=ServiceMark, priority=200,tcp,nw_src=192.168.78.0/24,nw_dst=192.168.77.150,tp_dst=80 actions=set_field:0x20000000/0x60000000->reg4",
3. table=ServiceMark, priority=190,tcp,nw_dst=192.168.77.150,tp_dst=80 actions=set_field:0x40000000/0x60000000->reg4",
4. table=ServiceLB, priority=200,tcp,reg4=0x0x20010000/0x0x60070000,nw_dst=192.168.77.150,tp_dst=80 actions=set_field:0x200/0x200->reg0,set_field:0x20000/0x70000->reg4,set_field:0xe->reg7,group:14
5. table=ServiceLB, priority=190,reg4=0x40000000/0x60000000 actions=drop

• Flow 1 is to match packets from allowed CIDR 192.168.77.0/24, marking them with
  LoadBalancerSourceRangesAllowRegMark.
• Flow 2 is similar to flow 1 but for CIDR 192.168.78.0/24.
• Flow 3 is to match packets not from allowed CIDRs, marking with
  LoadBalancerSourceRangesDropRegMark.
• Flow 4 is to match allowed packets with LoadBalancerSourceRangesAllowRegMark and
  perform load balancing.
• Flow 5 is to match not allowed packets with LoadBalancerSourceRangesDropRegMark and
  drop.

[github-actions]

This PR is stale because it has been open 90 days with no activity. Remove stale label or comment, or this will be closed in 90 days

[hongliangl]

@tnqn @wenyingd @antoninbas Could you help have a look at this PR? Thanks a lot

[antoninbas]

I did a quick review, but @tnqn and @wenyingd should definitely take a look if possible.

I wonder if we should have some e2e test coverage for this?
One edge case I can think of would be a NodePort Service with loadBalancerSourceRanges; according to the kube-proxy code base, loadBalancerSourceRanges should not apply to NodePort traffic.

[antoninbas]

I am probably missing something obvious, but what is the point of setting LoadBalancerSourceRangesRegMark in flows 3 and 4? If the source IP doesn't fall in the correct range, we mark the packet for rejection in flow 5, so it doesn't seem that we need to remember that the source IP was in the correct range?

[hongliangl]

I have updated the commit message. Maybe it can help.

[antoninbas]

Does this match the kube-proxy behavior? I took a quick look and it seems that even when traffic comes from local Pods, loadBalancerSourceRanges is enforced

https://github.com/kubernetes/kubernetes/blob/8119e57c070d21f2a7ff37fa7b02f7f74331e393/pkg/proxy/iptables/proxier_test.go#L2192-L2205

I may be misunderstanding the comment / implementation

[hongliangl]

You are right. Since K8s 1.25, the Pod CIDR is not allowed by default. I have updated the implementation.

[hongliangl]

I wonder if we should have some e2e test coverage for this?

Added

One edge case I can think of would be a NodePort Service with loadBalancerSourceRanges; according to the kube-proxy code base, loadBalancerSourceRanges should not apply to NodePort traffic.

In the current implementation, loadBalancerSourceRanges only applies to LoadBalancer ingress IPs.

[wenyingd]

When reading the CR example, the thought in my mind is to use OVS conjunction, do you think that works?

[hongliangl]

In current design, we can leverage most code of pkg/agent/proxier.go and pkg/agent/openflow. For example, like InstallServiceFlows in pkg/agent/openflow/client.go, installing a single ClusterIP, LoadBalancerIP, externalIP or NodePort of a Service. If we use conjunction, at least we may add a new function or enhance InstallServiceFlows to install multiple LoadBalancerIPs. Besides, we may also need a conjunction id allocator.

[wenyingd]

For the packets that don't locate in the source range, is the "Drop" action or "Reject" action expected?

[hongliangl]

Drop is expected, as kube-proxy's behavior.

[wenyingd]

ditto, does it need to be scope with condition proxyLoadBalancerIPs==true?

[hongliangl]

No, the function will be call in pkg/agent/proxier.go when proxyLoadBalancerIPs==true.

[wenyingd]

We didn't introduce any register mark for LoadBalancer traffic with the check on the source range, and we don't add mark on the packet via the flows built in this function, so maybe remove word "Mark" from the function name? Or rename it as loadBalancerSourceRangesValidateFlows?

[hongliangl]

I have changed the designed back because I found the drop action doesn't take effect. For example:

table=1, priority=200,ip actions=resubmit(,2),resubmit(,3),resubmit(,4),resubmit(,5)
table=2, priority=0, actions=goto_tables:3
table=3, priority=190,tcp,nw_dst=169.254.169.1,tp_dst=8080 actions=drop
table=4, priority=0,actions=load:0x1->NXM_NX_REG4[19]
table=5, ......

In above flows, the packet destined for 169.254.169.1 matched by the flow in table 3 will not be dropped when I made some tests.

[antrea-bot]

Can one of the admins verify this patch?