Skip to content

Commit

Permalink
Add TrafficControl API
Browse files Browse the repository at this point in the history 
TrafficControl is a feature which allows mirroring or redirecting the
traffic Pods send or receive. It enables users to monitor and analyze
Pod traffic, and to enforce custom network protections for Pods with
fine-grained control over network traffic.

This patch adds types and CRD for TrafficControl API.

Examples:

1. Mirror Pods (web=app) ingress traffic to a VXLAN tunnel
```
apiVersion: crd.antrea.io/v1alpha2
kind: TrafficControl
metadata:
  name: mirror-web-app
spec:
  appliedTo:
    podSelector:
      matchLabels:
        app: web
  direction: Ingress
  action: Mirror
  targetPort:
    vxlan:
      remoteIP: 1.1.1.1
```

2. Redirect Pods (web=app) traffic in both direction to OVS internal
port firewall0 and expect the traffic to re-enter OVS via another OVS
internal port firewall1 if they are not dropped.
```
apiVersion: crd.antrea.io/v1alpha2
kind: TrafficControl
metadata:
  name: redirect
spec:
  appliedTo:
    podSelector:
      matchLabels:
        role: web
  direction: Ingress
  action: Redirect
  targetPort:
    ovsInternal:
      name: firewall0
  returnPort:
    ovsInternal:
      name: firewall1
```

For #3324

Signed-off-by: Quan Tian <qtian@vmware.com>
  • Loading branch information
@tnqn
tnqn committed Apr 26, 2022
1 parent 70bbcb8 commit 3407cc4
Show file tree
Hide file tree
Showing 21 changed files with 2,578 additions and 10 deletions.
3 changes: 3 additions & 0 deletions build/charts/antrea/conf/antrea-agent.conf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,9 @@ featureGates:
# Enable managing external IPs of Services of LoadBalancer type.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "ServiceExternalIP" "default" false) }}

# Enable mirroring or redirecting the traffic Pods send or receive.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "TrafficControl" "default" false) }}

# Name of the OpenVSwitch bridge antrea-agent will create and use.
# Make sure it doesn't conflict with your existing OpenVSwitch bridges.
ovsBridge: {{ .Values.ovs.bridgeName | quote }}
Expand Down
1 change: 1 addition & 0 deletions build/charts/antrea/templates/agent/clusterrole.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -167,6 +167,7 @@ rules:
resources:
- externalippools
- ippools
- trafficcontrols
verbs:
- get
- watch
Expand Down
283 changes: 283 additions & 0 deletions build/charts/antrea/templates/crds/trafficcontrol.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,283 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: trafficcontrols.crd.antrea.io
spec:
group: crd.antrea.io
versions:
- name: v1alpha2
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
spec:
type: object
required:
- appliedTo
- direction
- action
- targetPort
properties:
appliedTo:
type: object
properties:
podSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
namespaceSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
enum:
- In
- NotIn
- Exists
- DoesNotExist
type: string
values:
type: array
items:
type: string
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
direction:
type: string
enum:
- Ingress
- Egress
- Both
action:
type: string
enum:
- Mirror
- Redirect
targetPort:
type: object
oneOf:
- required: [ovsInternal]
- required: [device]
- required: [geneve]
- required: [vxlan]
- required: [gre]
- required: [erspan]
properties:
ovsInternal:
type: object
required:
- name
properties:
name:
type: string
device:
type: object
required:
- name
properties:
name:
type: string
geneve:
type: object
required:
- remoteIP
properties:
remoteIP:
type: string
oneOf:
- format: ipv4
- format: ipv6
vni:
type: integer
minimum: 0
maximum: 16777215
destinationPort:
type: integer
minimum: 1
maximum: 65535
vxlan:
type: object
required:
- remoteIP
properties:
remoteIP:
type: string
oneOf:
- format: ipv4
- format: ipv6
vni:
type: integer
minimum: 0
maximum: 16777215
destinationPort:
type: integer
minimum: 1
maximum: 65535
gre:
type: object
required:
- remoteIP
properties:
remoteIP:
type: string
oneOf:
- format: ipv4
- format: ipv6
key:
type: integer
minimum: 0
maximum: 4294967295
erspan:
type: object
required:
- remoteIP
- version
properties:
remoteIP:
type: string
oneOf:
- format: ipv4
- format: ipv6
sessionID:
type: integer
minimum: 0
maximum: 1023
version:
type: integer
enum:
- 1
- 2
index:
type: integer
dir:
type: integer
enum:
- 0
- 1
hardwareID:
type: integer
returnPort:
type: object
oneOf:
- required: [ovsInternal]
- required: [device]
- required: [geneve]
- required: [vxlan]
- required: [gre]
properties:
ovsInternal:
type: object
required:
- name
properties:
name:
type: string
device:
type: object
required:
- name
properties:
name:
type: string
geneve:
type: object
required:
- remoteIP
properties:
remoteIP:
type: string
oneOf:
- format: ipv4
- format: ipv6
vni:
type: integer
minimum: 0
maximum: 16777215
destinationPort:
type: integer
minimum: 1
maximum: 65535
vxlan:
type: object
required:
- remoteIP
properties:
remoteIP:
type: string
oneOf:
- format: ipv4
- format: ipv6
vni:
type: integer
minimum: 0
maximum: 16777215
destinationPort:
type: integer
minimum: 1
maximum: 65535
gre:
type: object
required:
- remoteIP
properties:
remoteIP:
type: string
oneOf:
- format: ipv4
- format: ipv6
key:
type: integer
minimum: 0
maximum: 4294967295
additionalPrinterColumns:
- description: Specifies the direction of traffic that should be matched.
jsonPath: .spec.direction
name: Direction
type: string
- description: Specifies the action that should be taken for the traffic.
jsonPath: .spec.action
name: Action
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
subresources:
status: {}
scope: Cluster
names:
plural: trafficcontrols
singular: trafficcontrol
kind: TrafficControl
shortNames:
- tc
Loading

0 comments on commit 3407cc4

Please sign in to comment.