From e21d5ce5d25d0108a6943af2248ac9387675a5c9 Mon Sep 17 00:00:00 2001
From: Francesco Cheinasso
Date: Thu, 24 Aug 2023 16:52:35 +0200
Subject: [PATCH] Added possibility to switch to iptables nf_tables
---
 deployments/liqo/README.md | 4 ++-
 .../templates/liqo-gateway-deployment.yaml | 4 ++-
 .../liqo-network-manager-deployment.yaml | 2 ++
 .../liqo/templates/liqo-route-daemonset.yaml | 4 ++-
 deployments/liqo/values.yaml | 32 +++++++++++--------
 .../_legacy/pages/configuration/networking.md | 2 +-
 go.mod | 3 ++
 go.sum | 4 +--
 pkg/liqonet/iptables/iptables.go | 12 ++++++-
 9 files changed, 46 insertions(+), 21 deletions(-)
diff --git a/deployments/liqo/README.md b/deployments/liqo/README.md
index 7ac6b379a5..f8ad712a56 100644
--- a/deployments/liqo/README.md
+++ b/deployments/liqo/README.md
@@ -90,7 +90,6 @@
 | metricAgent.pod.labels | object | `{}` | Labels for the metricAgent pod. |
 | metricAgent.pod.resources | object | `{"limits":{},"requests":{}}` | Resource requests and limits (https://kubernetes.io/docs/user-guide/compute-resources/) for the metricAgent pod. |
 | nameOverride | string | `""` | Override the standard name used by Helm and associated to Kubernetes/Liqo resources. |
-| networkConfig.mtu | int | `1340` | Set the MTU for the interfaces managed by liqo: vxlan, tunnel and veth interfaces. The value is used by the gateway and route operators. The default value is configured to ensure correct behavior regardless of the combination of the underlying environments (e.g., cloud providers). This guarantees improved compatibility at the cost of possible limited performance drops. |
 | networkManager.config.additionalPools | list | `[]` | Set of additional network pools to perform the automatic address mapping in Liqo. Network pools are used to map a cluster network into another one in order to prevent conflicts. Default set of network pools is: [10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12] |
 | networkManager.config.podCIDR | string | `""` | The subnet used by the pods in your cluster, in CIDR notation (e.g., 10.0.0.0/16). |
 | networkManager.config.reservedSubnets | list | `[]` | List of IP subnets that do not have to be used by Liqo. Liqo can perform automatic IP address remapping when a remote cluster is peering with you, e.g., in case IP address spaces (e.g., PodCIDR) overlaps. In order to prevent IP conflicting between locally used private subnets in your infrastructure and private subnets belonging to remote clusters you need tell liqo the subnets used in your cluster. E.g if your cluster nodes belong to the 192.168.2.0/24 subnet, then you should add that subnet to the reservedSubnets. PodCIDR and serviceCIDR used in the local cluster are automatically added to the reserved list. |
@@ -103,6 +102,9 @@
 | networkManager.pod.labels | object | `{}` | Labels for the networkManager pod. |
 | networkManager.pod.resources | object | `{"limits":{},"requests":{}}` | Resource requests and limits (https://kubernetes.io/docs/user-guide/compute-resources/) for the networkManager pod. |
 | networking.internal | bool | `true` | Use the default Liqo network manager. |
+| networking.iptables | object | `{"mode":"nf_tables"}` | Iptables configuration tuning. |
+| networking.iptables.mode | string | `"nf_tables"` | Select the iptables mode to use. Possible values are "legacy" and "nf_tables". |
+| networking.mtu | int | `1340` | Set the MTU for the interfaces managed by liqo: vxlan, tunnel and veth interfaces. The value is used by the gateway and route operators. The default value is configured to ensure correct behavior regardless of the combination of the underlying environments (e.g., cloud providers). This guarantees improved compatibility at the cost of possible limited performance drops. |
 | networking.reflectIPs | bool | `true` | Reflect pod IPs and EnpointSlices to the remote clusters. |
 | openshiftConfig.enable | bool | `false` | Enable/Disable the OpenShift support, enabling Openshift-specific resources, and setting the pod security contexts in a way that is compatible with Openshift. |
 | openshiftConfig.virtualKubeletSCCs | list | `["anyuid"]` | Security context configurations granted to the virtual kubelet in the local cluster. The configuration of one or more SCCs for the virtual kubelet is not strictly required, and privileges can be reduced in production environments. Still, the default configuration (i.e., anyuid) is suggested to prevent problems (i.e., the virtual kubelet fails to add the appropriate labels) when attempting to offload pods not managed by higher-level abstractions (e.g., Deployments), and not associated with a properly privileged service account.
Indeed, "anyuid" is the SCC automatically associated with pods created by cluster administrators. Any pod granted a more privileged SCC and not linked to an adequately privileged service account will fail to be offloaded. |
diff --git a/deployments/liqo/templates/liqo-gateway-deployment.yaml b/deployments/liqo/templates/liqo-gateway-deployment.yaml
index fe224a64bb..d1f7f3fa92 100644
--- a/deployments/liqo/templates/liqo-gateway-deployment.yaml
+++ b/deployments/liqo/templates/liqo-gateway-deployment.yaml
@@ -46,7 +46,7 @@ spec:
 args:
 - --run-as=liqo-gateway
 - --gateway.leader-elect=true
- - --gateway.mtu={{ .Values.networkConfig.mtu }}
+ - --gateway.mtu={{ .Values.networking.mtu }}
 - --gateway.listening-port={{ .Values.gateway.config.listeningPort }}
 {{- if .Values.gateway.metrics.enabled }}
 - --metrics-bind-addr=:{{ .Values.gateway.metrics.port }}
@@ -72,6 +72,8 @@ spec:
 fieldPath: status.podIP
 - name: WIREGUARD_IMPLEMENTATION
 value: {{ .Values.gateway.config.wireguardImplementation }}
+ - name: IPTABLES_MODE
+ value: {{ .Values.networking.iptables.mode }}
 hostNetwork: true
 {{- if ((.Values.common).nodeSelector) }}
 nodeSelector:
diff --git a/deployments/liqo/templates/liqo-network-manager-deployment.yaml b/deployments/liqo/templates/liqo-network-manager-deployment.yaml
index e5af4303cf..7f4e2813b8 100644
--- a/deployments/liqo/templates/liqo-network-manager-deployment.yaml
+++ b/deployments/liqo/templates/liqo-network-manager-deployment.yaml
@@ -58,6 +58,8 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
+ - name: IPTABLES_MODE
+ value: {{ .Values.networking.iptables.mode }}
 resources: {{- toYaml .Values.networkManager.pod.resources | nindent 12 }}
 {{- if ((.Values.common).nodeSelector) }}
 nodeSelector:
diff --git a/deployments/liqo/templates/liqo-route-daemonset.yaml b/deployments/liqo/templates/liqo-route-daemonset.yaml
index fc9c9f4ea5..35919fae9b 100644
--- a/deployments/liqo/templates/liqo-route-daemonset.yaml
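Review bot: The new `IPTABLES_MODE` entries interpolate the value unquoted, `value: {{ .Values.networking.iptables.mode }}`, so anything YAML reads as a non-string (an empty value, `on`/`yes`, a number) renders an env entry the API server rejects or a value that silently differs from what the operator wrote; the same pattern is in the liqo-network-manager hunk on this line and in the liqo-route-daemonset hunk that follows. Use `value: {{ .Values.networking.iptables.mode | quote }}` in all three templates. Since the chart documents only "legacy" and "nf_tables", and the iptables.go hunk in this patch falls through to `iptables.New()` for any other string, a template-side check such as `{{- if not (has .Values.networking.iptables.mode (list "legacy" "nf_tables")) }}{{ fail "networking.iptables.mode must be legacy or nf_tables" }}{{- end }}` would report a typo at install time instead of quietly running auto-detection.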
+++ b/deployments/liqo/templates/liqo-route-daemonset.yaml
@@ -43,7 +43,7 @@ spec:
 command: ["/usr/bin/liqonet"]
 args:
 - --run-as=liqo-route
- - --route.vxlan-mtu={{ .Values.networkConfig.mtu }}
+ - --route.vxlan-mtu={{ .Values.networking.mtu }}
 {{- if .Values.route.pod.extraArgs }}
 {{- toYaml .Values.route.pod.extraArgs | nindent 10 }}
 {{- end }}
@@ -67,6 +67,8 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: spec.nodeName
+ - name: IPTABLES_MODE
+ value: {{ .Values.networking.iptables.mode }}
 volumeMounts:
 - mountPath: /run/xtables.lock
 name: xtables-lock
diff --git a/deployments/liqo/values.yaml b/deployments/liqo/values.yaml
index dc6d8278e9..c47b9945ce 100644
--- a/deployments/liqo/values.yaml
+++ b/deployments/liqo/values.yaml
@@ -6,6 +6,15 @@ tag: ""
 # -- The pullPolicy for liqo pods.
 pullPolicy: "IfNotPresent"
+
+common:
+ # -- NodeSelector for all liqo services, excluding virtual kubelet deployment.
+ nodeSelector: {}
+ # -- Tolerations for all liqo services, excluding virtual kubelet deployment.
+ tolerations: []
+ # -- Affinity for all liqo services, excluding virtual kubelet deployment.
+ affinity: {}
+
 apiServer:
 # -- The address that must be used to contact your API server, it needs to be reachable from the clusters that you will peer with (defaults to your master IP).
 address: ""
@@ -17,6 +26,15 @@ networking:
 internal: true
 # -- Reflect pod IPs and EnpointSlices to the remote clusters.
 reflectIPs: true
+ # -- Iptables configuration tuning.
+ iptables:
+ # -- Select the iptables mode to use. Possible values are "legacy" and "nf_tables".
+ mode: "nf_tables"
+ # -- Set the MTU for the interfaces managed by liqo: vxlan, tunnel and veth interfaces.
+ # The value is used by the gateway and route operators.
+ # The default value is configured to ensure correct behavior regardless of the combination of the underlying environments
+ # (e.g., cloud providers). This guarantees improved compatibility at the cost of possible limited performance drops.
+ mtu: 1340
 reflection:
 skip:
@@ -465,18 +483,4 @@ openshiftConfig:
 virtualKubeletSCCs:
 - anyuid
-# Configuration for liqo networking.
-networkConfig:
- # -- Set the MTU for the interfaces managed by liqo: vxlan, tunnel and veth interfaces.
- # The value is used by the gateway and route operators.
- # The default value is configured to ensure correct behavior regardless of the combination of the underlying environments
- # (e.g., cloud providers). This guarantees improved compatibility at the cost of possible limited performance drops.
- mtu: 1340
-common:
- # -- NodeSelector for all liqo services, excluding virtual kubelet deployment.
- nodeSelector: {}
- # -- Tolerations for all liqo services, excluding virtual kubelet deployment.
- tolerations: []
- # -- Affinity for all liqo services, excluding virtual kubelet deployment.
- affinity: {}
diff --git a/docs/_legacy/pages/configuration/networking.md b/docs/_legacy/pages/configuration/networking.md
index e677c61d60..cceb21a5a9 100644
--- a/docs/_legacy/pages/configuration/networking.md
+++ b/docs/_legacy/pages/configuration/networking.md
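Review bot: Relocating `networkConfig.mtu` to `networking.mtu` drops the old key with no fallback, so a values file that still sets `networkConfig.mtu` is accepted by Helm (unless the chart ships a values schema that rejects unknown keys) and silently ignored, and the gateway and route pods come up with the chart default of 1340 instead of the MTU the operator tuned, because the gateway and route templates in this patch read only `.Values.networking.mtu`. Failing fast is cheap: `{{- if .Values.networkConfig }}{{ fail "networkConfig.mtu has moved to networking.mtu" }}{{- end }}` in one of the templates turns the stale key into an install-time error. If that is not wanted, the rename should at least be called out in the chart's upgrade notes.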
@@ -47,7 +47,7 @@ liqoctl install ${YOUR_PROVIDER} --cluster-name ${YOUR_CLUSTER_NAME} --mtu 1400
 The `liqoctl install` command is idempotent and can be executed multiple times to enforce the desired configuration.
 {{% /notice %}}
-If you are installing Liqo using the provided helm chart than the MTU size can be configured by setting the `networkConfig.mtu` variable in the [values.yaml file](../../../installation/chart_values/#values).
+If you are installing Liqo using the provided helm chart than the MTU size can be configured by setting the `networking.mtu` variable in the [values.yaml file](../../../installation/chart_values/#values).
diff --git a/go.mod b/go.mod
index 8c821efae7..5244b0c486 100644
--- a/go.mod
+++ b/go.mod
@@ -264,3 +264,6 @@ require (
 )
 replace github.com/grandcat/zeroconf => github.com/liqotech/zeroconf v1.0.1-0.20201020081245-6384f3f21ffb
+
+// Waitin for PR https://github.com/coreos/go-iptables/pull/110 to be merged
+replace github.com/coreos/go-iptables => github.com/cheina97/go-iptables v0.0.0-20230824102241-61fc692e7548
diff --git a/go.sum b/go.sum
index a136f9ae1a..fddfdfd671 100644
--- a/go.sum
+++ b/go.sum
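Review bot: The added `replace` pins `github.com/coreos/go-iptables` to a personal fork at a pseudo-version; go.sum pins its hash so the build is reproducible, but a `replace` only takes effect when this repository is the main module, so any downstream module that imports `pkg/liqonet/iptables` resolves upstream go-iptables instead, and if `iptables.Mode`/`iptables.ModeType` exist only in the fork (which the PR reference implies) that build will not compile. The comment should record the exit condition and fix its typo: `// Waiting for https://github.com/coreos/go-iptables/pull/110 to be merged; drop this replace and bump go-iptables once that lands in a release`. Until then the fork commit is the only review record for that code, which is worth a sentence in the PR description.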
@@ -204,6 +204,8 @@ github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk= github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA= +github.com/cheina97/go-iptables v0.0.0-20230824102241-61fc692e7548 h1:tsUrWiCxLp1cI8TB7qDmHNezZavWgxghH+m+pW+04wA= +github.com/cheina97/go-iptables v0.0.0-20230824102241-61fc692e7548/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= @@ -227,8 +229,6 @@ github.com/containernetworking/plugins v1.3.0 h1:QVNXMT6XloyMUoO2wUOqWTC1hWFV62Q github.com/containernetworking/plugins v1.3.0/go.mod h1:Pc2wcedTQQCVuROOOaLBPPxrEXqqXBFt3cZ+/yVg6l0= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= -github.com/coreos/go-iptables v0.7.0 h1:XWM3V+MPRr5/q51NuWSgU0fqMad64Zyxs8ZUoMsamr8= -github.com/coreos/go-iptables v0.7.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4= diff --git a/pkg/liqonet/iptables/iptables.go b/pkg/liqonet/iptables/iptables.go index 308d2b8a2e..a27bb043fe 100644 --- a/pkg/liqonet/iptables/iptables.go +++ b/pkg/liqonet/iptables/iptables.go 
@@ -17,6 +17,7 @@ package iptables
 import (
 "encoding/csv"
 "fmt"
+ "os"
 "strings"
 "github.com/coreos/go-iptables/iptables"
@@ -95,10 +96,19 @@ type IPTHandler struct {
 // NewIPTHandler return the iptables handler used to configure the iptables rules.
 func NewIPTHandler() (IPTHandler, error) {
- ipt, err := iptables.New()
+ selectedmode := os.Getenv("IPTABLES_MODE")
+ var ipt *iptables.IPTables
+ var err error
+ if iptables.ModeType(selectedmode) == iptables.ModeTypeNFTables || iptables.ModeType(selectedmode) == iptables.ModeTypeLegacy {
+ ipt, err = iptables.New(iptables.Mode(iptables.ModeType(selectedmode)))
+ } else {
+ ipt, err = iptables.New()
+ }
 if err != nil {
 return IPTHandler{}, err
 }
+ v1, v2, v3, mode := ipt.GetIptablesVersion()
+ klog.Infof("Iptables version: %d.%d.%d, mode: %s", v1, v2, v3, mode)
 return IPTHandler{
 ipt: *ipt,
 }, err