Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow user defined endpoint to host action for Canal #3272

Conversation

KashifSaadat
Copy link
Contributor

Adds ability to define Networking.Canal.DefaultEndpointToHostAction in the Cluster Spec. This allows you to customise the behaviour of traffic routing from a pod to the host (after calico iptables chains have been processed). ACCEPT is the default value and is left as-is.

If you want to allow some or all traffic from endpoint to host, set this parameter to “RETURN” or “ACCEPT”. Use “RETURN” if you have your own rules in the iptables “INPUT” chain; Calico will insert its rules at the top of that chain, then “RETURN” packets to the “INPUT” chain once it has completed processing workload endpoint egress policy.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Aug 25, 2017
@KashifSaadat
Copy link
Contributor Author

/assign @justinsb

@KashifSaadat KashifSaadat force-pushed the canal-custom-endpoint-to-host-action branch from 280f92e to 2fd2db2 Compare August 25, 2017 17:02
@gambol99
Copy link
Contributor

LGTM ...

Side issue we need to look at getting it applied in a pre-existing cluster (even if only on delete, given it's a daemonet), I thought protokube unit applied the channels but maybe i'm mistaken ..

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Aug 26, 2017
@KashifSaadat KashifSaadat force-pushed the canal-custom-endpoint-to-host-action branch from 222879b to d48b269 Compare August 26, 2017 09:21
@KashifSaadat
Copy link
Contributor Author

@gambol99 I've added validation to the Canal spec, please could you have another peek?

// Check Canal Networking Spec if used
if c.Spec.Networking.Canal != nil {
action := c.Spec.Networking.Canal.DefaultEndpointToHostAction
if action != "" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we could probably shorten this with a case statement instead

switch action {
case "", "ACCEPT", "DROP", "RETURN":
default: 
     return field.Invalid(fieldSpec.Child("Networking", "Canal", "DefaultEndpointToHostAction"), action, fmt.Sprintf("Unsupported value: %s, supports ACCEPT, DROP or RETURN", action))
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup good idea, will update.

@KashifSaadat KashifSaadat force-pushed the canal-custom-endpoint-to-host-action branch from d48b269 to a627a83 Compare August 26, 2017 10:34
@gambol99
Copy link
Contributor

other than the above comment ... lgtm

@KashifSaadat KashifSaadat force-pushed the canal-custom-endpoint-to-host-action branch from a627a83 to f254a06 Compare August 26, 2017 10:57
@@ -119,7 +119,7 @@ spec:
fieldPath: spec.nodeName
# Set Felix endpoint to host default action to ACCEPT.
- name: FELIX_DEFAULTENDPOINTTOHOSTACTION
value: "ACCEPT"
value: "{{- if eq .Networking.Canal.DefaultEndpointToHostAction "" }}ACCEPT{{- else -}}{{ .Networking.Canal.DefaultEndpointToHostAction }}{{- end -}}"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you can also use {{- or .Networking.Canal.DefaultEndpointToHostAction "ACCEPT" }} but this works :-)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep that works and cleaner, will update. :) Cheers!

@justinsb
Copy link
Member

/ok-to-test

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 26, 2017
@justinsb
Copy link
Member

There's a gotcha here for applying in an existing cluster ... we only apply if the version is different currently. But this is tricky, because this is a change that isn't described by a version. The "k8s way" would be to set a configmap, but we're still figuring that all out TBH.

A trick would be to delete the calico manifest annotation on the kube-system namespace, then the manifest will be reapplied.

@KashifSaadat KashifSaadat force-pushed the canal-custom-endpoint-to-host-action branch from f254a06 to 2ffc790 Compare August 26, 2017 11:53
@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 26, 2017
@k8s-github-robot
Copy link

/lgtm cancel //PR changed after LGTM, removing LGTM. @KashifSaadat @justinsb

@k8s-github-robot k8s-github-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 26, 2017
@justinsb
Copy link
Member

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 27, 2017
@k8s-github-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: KashifSaadat, justinsb

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-github-robot
Copy link

/test all [submit-queue is verifying that this PR is safe to merge]

@justinsb
Copy link
Member

Test failure filed as kubernetes/kubernetes#51429

@KashifSaadat
Copy link
Contributor Author

/test pull-kops-e2e-kubernetes-aws

@k8s-github-robot
Copy link

/test all [submit-queue is verifying that this PR is safe to merge]

@k8s-github-robot
Copy link

Automatic merge from submit-queue

@k8s-github-robot k8s-github-robot merged commit 1aef760 into kubernetes:master Aug 28, 2017
@KashifSaadat KashifSaadat deleted the canal-custom-endpoint-to-host-action branch August 28, 2017 09:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants