
Add multicast support. #885

Merged
merged 1 commit into from
Nov 5, 2019

Conversation

dceara (Collaborator) commented Oct 25, 2019

Enable IGMP Snoop (when supported) and IGMP relay to allow multicast
connectivity across nodes.

Enforce the following network policies for IP multicast traffic:

  • a default deny-all network policy is applied to all IP multicast
    traffic. This is implemented with two ACLs:
    a) one ACL dropping egress multicast traffic from all pods:
    this is to protect OVN controller from processing IP multicast
    reports from nodes that are not allowed to receive multicast
    traffic.
    b) one ACL dropping ingress multicast traffic to all pods.
  • when multicast is explicitly enabled in the namespace, IP multicast
    traffic is forwarded only to pods in the same namespace. This is done
    by adding:
    a) a port group containing all logical ports associated with the
    namespace.
    b) one "from-lport" ACL allowing egress multicast traffic from the pods
    in the namespace.
    c) one "to-lport" ACL allowing ingress multicast traffic to pods in
    the namespace. This matches only traffic originated by pods in
    the same namespace (based on the namespace address set).

Add a new namespace annotation to allow enabling of multicast:
"k8s.ovn.org/multicast-enabled".

Signed-off-by: Dumitru Ceara [email protected]
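The ACL scheme in the description above, as an added Go example that is not the project's code: it models the two cluster-wide deny ACLs, the per-namespace port group (as a "sender's namespace == ns" check), the namespace address set (as the set of pod IPs in that namespace) and the from-lport/to-lport evaluation order, and then decides whether a given packet is delivered. The priorities 1011/1012, the ACL names, the ip4.mcast-style match on 224.0.0.0/4, and the pod names and IPs in ExampleCluster are assumptions constructed for the example, not values taken from the PR.

```go
package main

import (
	"fmt"
	"net"
)

// OVN ACL stages: from-lport runs as a packet leaves the sending pod's logical port,
// to-lport just before delivery. Priorities are assumed here; allow must outrank deny.
const (
	FromLport, ToLport                    = "from-lport", "to-lport"
	McastDenyPriority, McastAllowPriority = 1011, 1012
)

type Pod struct {
	Name, Namespace string // pod name and owning namespace (its logical switch port)
	IP              net.IP
}

// ACL mirrors the OVN_Northbound ACL columns used here; Match stands in for the OVN match string.
type ACL struct {
	Name        string
	Priority    int
	Dir, Action string // Action is "allow" or "drop"
	Match       func(src, dst Pod, dstIP net.IP) bool
}

// ip4Mcast is the OVN match symbol ip4.mcast (224.0.0.0/4).
func ip4Mcast(ip net.IP) bool { v4 := ip.To4(); return v4 != nil && v4[0]&0xF0 == 0xE0 }
// DefaultDenyACLs drops multicast leaving any pod (so IGMP reports from pods not allowed
// to receive multicast never reach the snooping switch) and multicast arriving at any pod.
func DefaultDenyACLs() []ACL {
	isMcast := func(_, _ Pod, ip net.IP) bool { return ip4Mcast(ip) }
	return []ACL{
		{"mcast-default-deny-egress", McastDenyPriority, FromLport, "drop", isMcast},
		{"mcast-default-deny-ingress", McastDenyPriority, ToLport, "drop", isMcast},
	}
}

// NamespaceAllowACLs is the per-namespace pair: "inport == @<port group>" is modelled as
// "sender's namespace == ns", "ip4.src == $<address set>" as the sender's IP being in addrSet.
func NamespaceAllowACLs(ns string, addrSet map[string]bool) []ACL {
	egress := func(s, _ Pod, ip net.IP) bool { return s.Namespace == ns && ip4Mcast(ip) }
	ingress := func(s, d Pod, ip net.IP) bool { return d.Namespace == ns && addrSet[s.IP.String()] && ip4Mcast(ip) }
	return []ACL{
		{ns + "-mcast-allow-egress", McastAllowPriority, FromLport, "allow", egress},
		{ns + "-mcast-allow-ingress", McastAllowPriority, ToLport, "allow", ingress},
	}
}

// BuildACLs assembles the table from each namespace's k8s.ovn.org/multicast-enabled value;
// the pod list also yields each enabled namespace's address set.
func BuildACLs(annotation map[string]string, pods map[string]Pod) []ACL {
	acls := DefaultDenyACLs()
	for ns, v := range annotation {
		if v == "true" {
			set := map[string]bool{}
			for _, p := range pods {
				if p.Namespace == ns {
					set[p.IP.String()] = true
				}
			}
			acls = append(acls, NamespaceAllowACLs(ns, set)...)
		}
	}
	return acls
}

// Verdict runs both stages in pipeline order; per stage the highest-priority matching ACL
// decides and, as in OVN, no match lets the packet pass. Returns delivered? and the dropping ACL.
func Verdict(acls []ACL, src, dst Pod, dstIP net.IP) (bool, string) {
	for _, dir := range []string{FromLport, ToLport} {
		var best *ACL
		for i := range acls {
			if a := &acls[i]; a.Dir == dir && a.Match(src, dst, dstIP) && (best == nil || a.Priority > best.Priority) {
				best = a
			}
		}
		if best != nil && best.Action == "drop" {
			return false, best.Name
		}
	}
	return true, ""
}

// ExampleCluster is constructed data: "media" and "video" enable multicast, "batch" does not.
func ExampleCluster() ([]ACL, map[string]Pod) {
	pods := map[string]Pod{
		"m1": {"m1", "media", net.ParseIP("10.244.1.10")}, "m2": {"m2", "media", net.ParseIP("10.244.2.11")},
		"v1": {"v1", "video", net.ParseIP("10.244.1.20")}, "b1": {"b1", "batch", net.ParseIP("10.244.3.30")},
	}
	return BuildACLs(map[string]string{"media": "true", "video": "true", "batch": "false"}, pods), pods
}

func main() {
	acls, pod := ExampleCluster()
	ok, by := Verdict(acls, pod["m1"], pod["v1"], net.ParseIP("239.1.1.1"))
	fmt.Println("m1 -> v1 delivered:", ok, "dropped by:", by) // false mcast-default-deny-ingress
}
```

With the constructed cluster, m1 to m2 (same namespace) is delivered; m1 to v1 passes the from-lport stage because media's egress allow outranks the default deny, but is dropped at to-lport because video's ingress allow only admits sources in video's own address set, so enabling multicast in two namespaces does not connect them; and an IGMP report (224.0.0.22) from b1 in the non-enabled namespace is dropped at from-lport, which is the "protect OVN controller" point in the description. Unicast traffic matches none of these ACLs and is untouched. Two caveats of the model: OVN leaves the outcome undefined when two ACLs of equal priority match in the same stage, which the example avoids by construction, and ordinary NetworkPolicy ACLs are not represented.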

@dceara dceara force-pushed the multicast branch 2 times, most recently from 5796456 to c974e72, October 30, 2019 10:30
@dceara dceara force-pushed the multicast branch 2 times, most recently from 70eace2 to 49cf249, October 30, 2019 16:02
@dceara dceara force-pushed the multicast branch 2 times, most recently from 0b10fb3 to 292110d, October 31, 2019 00:27
dcbw (Contributor) commented Nov 1, 2019

@girishmg this passed OpenShift CI FWIW

girishmg (Contributor) commented Nov 2, 2019

@dcbw I will not be able to look at these changes immediately (I will look at them later), so please go ahead if you think it is good.

FYI, I quickly gave the changes in this PR a spin on my cluster and there is no regression from the tests I ran.

@dcbw dcbw merged commit abf57d3 into ovn-kubernetes:master Nov 5, 2019
dcbw added a commit to dcbw/ovn-kubernetes that referenced this pull request Nov 16, 2019
First, updateNamespace() didn't have locking for oc.namespaceMutex
Introduced by c3def15 (PR ovn-kubernetes#885).

Second, getNamespaceLock() didn't protect against concurrent
access of oc.namespaceMutex when it checked it the second time.
That's fishy anyway; we serialize Namespace events from the
watch factory and getNamespaceLock() is only called from event
handler functions, so it doesn't seem possible for the namespace
to be deleted between grabbing these two locks.

Signed-off-by: Dan Williams <[email protected]>
@dceara dceara deleted the multicast branch November 27, 2019 13:10