Use target port of Service in NodePortLocal to configure Pod reachability

[monotosh-avi]

Currently we use container ports of a Pod to program iptables rules to make the Pod
reachable through a port in the Node. But container ports are not mandatory and multiple
services can use different target ports for the same pod. Hence adding a change in
NodePortLocal implementation, where target ports of all services would be used to
program iptables rules and annotate pods.

To implement this, target ports are being obtained from all the Services selecting a Pod,
in the function handleAddUpdatePod().
Necessary changes in the tests have been added.

Fixes #1912

[codecov-commenter]

Codecov Report

Merging #2222 (686b2d9) into main (ef14ad1) will increase coverage by 0.00%.
The diff coverage is 62.50%.

@@           Coverage Diff           @@
##             main    #2222   +/-   ##
=======================================
  Coverage   62.05%   62.05%           
=======================================
  Files         277      277           
  Lines       21588    21615   +27     
=======================================
+ Hits        13396    13414   +18     
- Misses       6792     6800    +8     
- Partials     1400     1401    +1     

Flag	Coverage Δ
e2e-tests	∅ <ø> (?)
kind-e2e-tests	52.37% <62.50%> (+0.02%)	⬆️
unit-tests	41.79% <0.00%> (-0.07%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/agent/nodeportlocal/k8s/npl_controller.go	59.57% <62.50%> (+0.35%)	⬆️
pkg/apiserver/handlers/endpoint/handler.go	58.82% <0.00%> (-11.77%)	⬇️
pkg/apis/controlplane/v1beta2/sets.go	66.66% <0.00%> (-2.57%)	⬇️
pkg/controller/networkpolicy/status_controller.go	86.45% <0.00%> (-0.65%)	⬇️
pkg/agent/openflow/client.go	58.39% <0.00%> (-0.26%)	⬇️
pkg/agent/flowexporter/exporter/exporter.go	78.89% <0.00%> (+0.22%)	⬆️
pkg/agent/stats/collector.go	98.46% <0.00%> (+3.84%)	⬆️

[antoninbas]

TargetPort can be a string (named port in the target Pod's container). If we don't want to support this case yet, it's fine, but we should check for that case and log an error.

[antoninbas]

but it seems that we should be able to support named ports here, by returning both a list of numerical ports and a list of named ports (strings), and letting handleAddUpdatePod do the resolution from port name to port number.

[monotosh-avi]

Added support for named target port

[antoninbas]

it feels like using ContainerPort as the key is not sufficient, we need ContainerPort + Protocol?

it could be interesting to have a test case with 2 container ports, one for UDP and one for TCP but using the same container port number, and have them both exposed as host ports

[monotosh-avi]

Added protocol type in the key too.
I didn't understand the test case with two container ports.
I have added a few for test cases. Let me know if those covers that case.

[antoninbas]

I meant a test with a Pod like this one:

	testPod.Spec.Containers[0].Ports = append(
		testPod.Spec.Containers[0].Ports,
		corev1.ContainerPort{ContainerPort: int32(defaultPort), HostPort: int32(hostPort), Protocol: corev1.ProtocolTCP},
	)
	testPod.Spec.Containers[0].Ports = append(
		testPod.Spec.Containers[0].Ports,
		corev1.ContainerPort{ContainerPort: int32(defaultPort), HostPort: int32(hostPort), Protocol: corev1.ProtocolUDP},
	)

with a Service using both of these as target ports

[antoninbas]

@monotosh-avi ping on this, what do you think of adding this test?

[monotosh-avi]

@antoninbas I had missed this. Added a test case now.

[antoninbas]

that kind of defeats the original purpose of the test, now that we install forwarding rules for a single port...

maybe we should have a different test case to validate that only ports used as Service target ports are exposed with NPL

[monotosh-avi]

Yes. The original test case has been modified.
Now we are validating that only ports used as Service target ports are exposed with NPL. For annotation, this was already being done. Added couple of more checks to ensure no NPL rules are added for pod container ports.

[antoninbas]

I don't think we need this, I added -w 10 to the iptables delete command already to accommodate for this issue

[monotosh-avi]

Removed

[monotosh-avi]

Removed

[antoninbas]

I think it would be better to keep this part early in the function and use if len(targetPortsInt) == 0 && len(targetsPortStr) as the if check

[monotosh-avi]

I had thought about this, but in that case we would miss the condition where targetsPortStr is not empty but no matching port name is found in the container ports.

[antoninbas]

sounds good, but maybe a comment to that effect would avoid confusion in the future

do we have a unit test for that edge case?

[monotosh-avi]

Sure. Added a comment.
In the test case TestTargetPortWithName, I have added a check to make sure updating Service with wrong target port ensures deletion of rules and annotations from the Pod.

[antoninbas]

can't we re-organize the code like this, I feel like it would make more sense since the port name is not always set:

			portProtoInt := fmt.Sprint(cport.ContainerPort) + delim + string(cport.Protocol)
			if int(cport.HostPort) > 0 {
				klog.V(4).Infof("Host Port is defined for Container %s in Pod %s, thus extra NPL port is not allocated", container.Name, key)
				hostPorts[portProtoInt] = int(cport.HostPort)
			}
			if cport.Name == "" {
				continue
			}
			portProtoStr := cport.Name + delim + string(cport.Protocol)
			if targetPortsStr.Has(portProtoStr) {
				targetPortsInt.Insert(portProtoInt)
			}

[monotosh-avi]

Done

[antoninbas]

can we have a helper function for building the port:proto string and one for parsing it?

[monotosh-avi]

Added.

[antoninbas]

I'm still trying to understand why we need to add 2 new ports here (91 and 91). Neither of these is a target port, so neither of these is used for NPL. We only use the default port (90), yet the test is called multi-port. It feels like 90 and 91 should both be NPL ports, but not 92.

[monotosh-avi]

Actually default port is 80. Updated the pod container ports to 80 and 81 and then the test ensures that we are adding rule for only 80.

[antoninbas]

s/TestMultipleService/TestMultipleServices

or maybe TestMultipleServicesSameBackendPod for clarity

[monotosh-avi]

Changed

[antoninbas]

this function should be moved to nodeportlocal_test.go IMO. But I am not sure why we even need it. You always use the same port number (90) and I see no reference to the port name ("http").

[monotosh-avi]

Moved to nodeportlocal_test.go. We needed this function to have option to provide port number for the container port of nginx pod.

[antoninbas]

shouldn't this return both port and protocol?

[monotosh-avi]

The caller function is only using port for now. Later if required we can return both.

[antoninbas]

sounds good, but maybe a comment to that effect would avoid confusion in the future

do we have a unit test for that edge case?

[antoninbas]

I think we're back to my original comment. Why are we modifying this test like this, instead of having 2 separate tests

• TestServiceMultipleTargetPorts: Service has 2 target ports pointing to 2 different container ports, both are exposed with NPL
• TestPodContainerPortWithoutService: a Pod has 2 container ports, only one of them exposed with NPL (this is your current test, but I feel like the name is confusing)

Or do we already have a test for the first case?

[monotosh-avi]

Got it. I have added a separate test case.

[antoninbas]

some small comments, otherwise LGTM

[antoninbas]

I think we should add: "If a Service uses a named target port that doesn't match any named container port for the current Pod, no corresponding entry will be added to the targetPortsInt set by the code above."

[monotosh-avi]

Updated

[antoninbas]

Suggested change

	// It is verified that the Pod's NPL annotationthe local port table are updated correctly.
	// It verifies that the Pod's NPL annotation and the local port table are updated correctly.

[monotosh-avi]

Done

[antoninbas]

adding Pod container ports is not required any more (now that we use the Service's target ports), unless we are dealing with a named port. Maybe for this test case we should omit the container ports.

[antoninbas]

@monotosh-avi ping on this, any thoughts?

[monotosh-avi]

missed this, updated now

[antoninbas]

It verifies that the Pod's NPL annotation and the local port table are updated correctly, with only one port corresponding to the Service's single target port.

[monotosh-avi]

Done

[antoninbas]

The test case name should include HostPort

[monotosh-avi]

Updated

[antoninbas]

s/It is verified/It verifies

[monotosh-avi]

Done

[antoninbas]

I think we should stick with a method on the test data object for consistency:

func (data *testData) createNginxPodWithPort(...)

[monotosh-avi]

Done

[antoninbas]

I am still unsure about this function and it's use: since NPL doesn't require the ContainerPort to be set anymore, what's the point?

Also it doesn't seem that there is any value in setting it to 90 in tests. I feel like it is actually misleading since we never use 90 as the Service targetPort. Am I missing something?

[monotosh-avi]

I thought that adding a different port number in the pod explicitly would show that NPL doesn't depend on that port. But yeah, we don't need that. Removed.

[antoninbas]

LGTM

[antoninbas]

/test-all

[antoninbas]

/test-networkpolicy

[monotosh-avi]

/test-e2e

[antoninbas]

/test-all

[antoninbas]

/test-e2e
/test-networkpolicy

[monotosh-avi]

/test-e2e
/test-networkpolicy

[antoninbas]

@monotosh-avi I see that the e2e tests were consistently failing before your last push. Were you able to identify the root cause?

[monotosh-avi]

@monotosh-avi I see that the e2e tests were consistently failing before your last push. Were you able to identify the root cause?

@antoninbas it looked like there was some problem with the test setup.
fixtures.go:341: Error when tearing down test: error when deleting 'antrea-test' Namespace: Delete "https://192.168.9.154:6443/api/v1/namespaces/antrea-test": dial tcp 192.168.9.154:6443: connect: no route to host

I do see the similar issue with other tests too., e.g. https://jenkins.antrea-ci.rocks/job/antrea-e2e-for-pull-request/2747/console.

I didn't face this issue when I ran the tests in my local set up.

[antoninbas]

@monotosh-avi could you rebase main. Some fixes went in to address known stability issues with the test jobs. I want to make sure that the test failures were because of them and not something else. It may be a good opportunity to squash your commits too (the squashed commit must be signed). Thanks!

[monotosh-avi]

@monotosh-avi could you rebase main. Some fixes went in to address known stability issues with the test jobs. I want to make sure that the test failures were because of them and not something else. It may be a good opportunity to squash your commits too (the squashed commit must be signed). Thanks!

@antoninbas rebased and squashed commits.

[antoninbas]

/test-all

[antoninbas]

Another --- FAIL: TestFlowAggregator/IPv4/RemoteServiceAccess (13.40s) failure
/skip-e2e