coordinator should only set rp_filter for pod not the node

Signed-off-by: cyclinder <qifeng.guo@daocloud.io>
spidernet-io · Aug 21, 2024 · d7df0d4 · d7df0d4
1 parent a5a29e1
commit d7df0d4
Show file tree

Hide file tree

Showing 25 changed files with 98 additions and 24 deletions.
diff --git a/api/v1/agent/models/coordinator_config.go b/api/v1/agent/models/coordinator_config.go
diff --git a/api/v1/agent/openapi.yaml b/api/v1/agent/openapi.yaml
@@ -336,7 +336,7 @@ definitions:
  type: string
  hostRuleTable:
  type: integer
- hostRPFilter:
+ podRPFilter:
  type: integer
  txQueueLen:
  type: integer

diff --git a/api/v1/agent/server/embedded_spec.go b/api/v1/agent/server/embedded_spec.go
diff --git a/charts/spiderpool/crds/spiderpool.spidernet.io_spidercoordinators.yaml b/charts/spiderpool/crds/spiderpool.spidernet.io_spidercoordinators.yaml
@@ -50,6 +50,9 @@ spec:
  type: array
  hostRPFilter:
  default: 0
+ description: Deprecated. coordinator should not set rp_filter for
+ each node, this should be done by spiderpool-agent. This field is
+ considered deprecated in the future.
  type: integer
  hostRuleTable:
  default: 500
@@ -78,6 +81,9 @@ spec:
  type: string
  podMACPrefix:
  type: string
+ podRPFilter:
+ default: 0
+ type: integer
  tunePodRoutes:
  default: true
  type: boolean

diff --git a/charts/spiderpool/crds/spiderpool.spidernet.io_spidermultusconfigs.yaml b/charts/spiderpool/crds/spiderpool.spidernet.io_spidermultusconfigs.yaml
@@ -63,6 +63,9 @@ spec:
  type: array
  hostRPFilter:
  default: 0
+ description: Deprecated. coordinator should not set rp_filter
+ for each node, this should be done by spiderpool-agent. This
+ field is considered deprecated in the future.
  type: integer
  hostRuleTable:
  default: 500
@@ -91,6 +94,9 @@ spec:
  type: string
  podMACPrefix:
  type: string
+ podRPFilter:
+ default: 0
+ type: integer
  tunePodRoutes:
  default: true
  type: boolean

diff --git a/cmd/coordinator/cmd/cni_types.go b/cmd/coordinator/cmd/cni_types.go
@@ -55,7 +55,7 @@ type Config struct {
  PodDefaultRouteNIC string `json:"podDefaultRouteNic,omitempty"`
  Mode Mode `json:"mode,omitempty"`
  HostRuleTable *int64 `json:"hostRuleTable,omitempty"`
- RPFilter int32  `json:"hostRPFilter,omitempty" `
+ RPFilter *int32 `json:"podRPFilter,omitempty" `
  TxQueueLen *int64 `json:"txQueueLen,omitempty"`
  IPConflict *bool `json:"detectIPConflict,omitempty"`
  DetectOptions *DetectOptions `json:"detectOptions,omitempty"`
@@ -136,7 +136,7 @@ func ParseConfig(stdin []byte, coordinatorConfig *models.CoordinatorConfig) (*Co
  }
 
  // value must be -1,0/1/2
- if err = validateRPFilterConfig(conf.RPFilter); err != nil {
+ if conf.RPFilter, err = validateRPFilterConfig(conf.RPFilter, coordinatorConfig.PodRPFilter); err != nil {
  return nil, err
  }
 
@@ -242,19 +242,23 @@ func validateRoutes(routes []string) error {
  return nil
 }
 
-func validateRPFilterConfig(rpfilter int32) error {
+func validateRPFilterConfig(rpfilter *int32, coordinatorConfig int64) (*int32, error) {
+ if rpfilter == nil {
+ rpfilter = ptr.To(int32(coordinatorConfig))
+ }
+
  found := false
  // NOTE: -1 means disable
  for _, value := range []int32{-1, 0, 1, 2} {
- if rpfilter == value {
+ if *rpfilter == value {
  found = true
  break
  }
  }
  if !found {
- return fmt.Errorf("invalid rp_filter value %v, available options: [-1,0,1,2]", rpfilter)
+ return nil, fmt.Errorf("invalid rp_filter value %v, available options: [-1,0,1,2]", rpfilter)
  }
- return nil
+ return rpfilter, nil
 }
 
 func ValidateDelectOptions(config *DetectOptions) (*DetectOptions, error) {

diff --git a/cmd/coordinator/cmd/command_add.go b/cmd/coordinator/cmd/command_add.go
@@ -287,8 +287,8 @@ func CmdAdd(args *skel.CmdArgs) (err error) {
  }
  }
 
- if conf.RPFilter != -1 {
- if err = sysctl.SetSysctlRPFilter(c.netns, conf.RPFilter); err != nil {
+ if *conf.RPFilter != -1 {
+ if err = sysctl.SetSysctlRPFilter(c.netns, *conf.RPFilter); err != nil {
  logger.Error(err.Error())
  return err
  }

diff --git a/cmd/spiderpool-agent/cmd/coordinator.go b/cmd/spiderpool-agent/cmd/coordinator.go
@@ -125,7 +125,7 @@ func (g *_unixGetCoordinatorConfig) Handle(params daemonset.GetCoordinatorConfig
  TunePodRoutes: coord.Spec.TunePodRoutes,
  PodDefaultRouteNIC: nic,
  HostRuleTable: int64(*coord.Spec.HostRuleTable),
- HostRPFilter: int64(*coord.Spec.HostRPFilter),
+ PodRPFilter:  int64(*coord.Spec.PodRPFilter),
  TxQueueLen: int64(*coord.Spec.TxQueueLen),
  DetectGateway: *coord.Spec.DetectGateway,
  DetectIPConflict: detectIPConflict,

diff --git a/docs/concepts/coordinator-zh_CN.md b/docs/concepts/coordinator-zh_CN.md
@@ -38,7 +38,8 @@ EOF
 | serviceCIDR | 默认的集群 Service 子网， 会注入到 Pod 中。不需要配置，自动从 Spidercoordinator default 中获取 | []stirng | optional | 默认从 Spidercoordinator default 中获取 |
 | hijackCIDR | 额外的需要从主机转发的子网路由。比如nodelocaldns 的地址: 169.254.20.10/32 | []stirng | optional | 空 |
 | hostRuleTable | 策略路由表号，同主机与 Pod 通信的路由将会存放于这个表号 | 整数型 | optional | 500 |
-| hostRPFilter | 设置主机上的 sysctl 参数 rp_filter | 整数型 | optional | 0 |
+| podRPFilter | 设置 Pod 的 sysctl 参数 rp_filter | 整数型 | optional | 0 |
+| hostRPFilter(遗弃) | 设置节点 的 sysctl 参数 rp_filter | 整数型 | optional | 0 |
 | txQueueLen | 设置 Pod 的网卡传输队列 | 整数型 | optional | 0 |
 | detectOptions | 检测地址冲突和网关可达性的高级配置项: 包括重试次数(默认为 3 次), 探测间隔(默认为 1s) 和 超时时间(默认为 1s) | 对象类型 | optional | 空 |
 | logOptions | 日志配置，包括 logLevel(默认为 debug) 和 logFile(默认为 /var/log/spidernet/coordinator.log) | 对象类型 | optional | - |
@@ -195,6 +196,7 @@ spec:
  hijackCIDR:
  - 10.244.64.0/18
  - fd00:10:244::/112
+ podRPFilter: 0
  hostRPFilter: 0
  hostRuleTable: 500
  mode: auto

diff --git a/docs/concepts/coordinator.md b/docs/concepts/coordinator.md
@@ -39,7 +39,8 @@ Let's delve into how coordinator implements these features.
 | serviceCIDR | The default service CIDR for the cluster. It doesn't need to be configured, and it collected automatically by SpiderCoordinator | []stirng | optional | []string{} |
 | hijackCIDR | The CIDR that need to be forwarded via the host network, For example, the address of nodelocaldns(169.254.20.10/32 by default) | []stirng | optional | []string{} |
 | hostRuleTable | The routes on the host that communicates with the pod's underlay IPs will belong to this routing table number | int | optional | 500 |
-| hostRPFilter | Set the rp_filter sysctl parameter on the host, which is recommended to be set to 0 | int | optional | 0 |
+| podRPFilter | Set the rp_filter sysctl parameter on the pod, which is recommended to be set to 0 | int | optional | 0 |
+| hostRPFilter(deprecated) | Set the rp_filter sysctl parameter on the node, which is recommended to be set to 0 | int | optional | 0 |
 | txQueueLen | set txqueuelen(Transmit Queue Length) of the pod's interface | int | optional | 0 |
 | detectOptions | The advanced configuration of detectGateway and detectIPConflict, including retry numbers(default is 3), interval(default is 1s) and timeout(default is 1s) | obejct | optional | nil |
 | logOptions | The configuration of logging, including logLevel(default is debug) and logFile(default is /var/log/spidernet/coordinator.log) | obejct | optional | nil |
@@ -197,6 +198,7 @@ spec:
  hijackCIDR:
  - 10.244.64.0/18
  - fd00:10:244::/112
+ podRPFilter: 0
  hostRPFilter: 0
  hostRuleTable: 500
  mode: auto