Skip to content

Support Pod traffic control in Antrea #3324

Closed
Closed
Support Pod traffic control in Antrea#3324
Labels
kind/designCategorizes issue or PR as related to design.
Milestone
Antrea v1.7 release
@tnqn

Description

@tnqn
tnqn
opened on Feb 16, 2022

Describe what you are trying to solve

Security and visibility services like IDS, NSM require receving packets sent from/to Pods to analyse. There was an issue opened for such requirement: #3008. Having the capacity of Pod traffic control will be useful for these services as Antrea can be configured to redirect/mirror specific Pods' traffic to specific destination, from which the services can capture traffic.

Describe the solution you have in mind

We propose to add a traffic control API using K8s CRD. The traffic control API accepts client requests and controls the container traffic with OpenFlow rules. The API is designed to be generic, providing a mechanism to specify the Pods whose traffic should be selected, the direction of the traffic, whether the traffic should be mirrored or redirected, and the network device port to redirect or mirror to.

type TrafficControl struct {
	metav1.TypeMeta `json:",inline"`
	// Standard metadata of the object.
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Specification of the desired behavior of TrafficControl.
	Spec TrafficControlSpec `json:"spec"`
}

type TrafficControlSpec struct {
	// AppliedTo selects Pods to which the traffic control configuration will be applied.
	AppliedTo AppliedTo `json:"appliedTo"`

	// The direction of traffic that should be matched. It can be Ingress, Egress, or Both.
	Direction Direction `json:"direction,omitempty"`

	// The action that should be taken for the traffic. It can be Redirect or Mirror.
	Action Action `json:"action,omitempty"`

	// The destination that the traffic should be redirected or mirrored to.
	Destination TrafficDestination `json:"destination,omitempty"`
}

type TrafficDestination struct {
	// The name of the traffic destination, used to identify the port name in OVS.
	Name string
	// Port represents a port that is attached to the OVS bridge.
	// It can be an OVS internal port, a physical NIC, or a veth device.
	// +optional
	Port *PortTrafficDestination
	// VXLAN represents a VXLAN tunnel that is created on the Node.
	// +optional
	VXLAN *TunnelTrafficDestination
	// GENEVE represents a GENEVE tunnel that is created on the Node.
	// +optional
	GENEVE *TunnelTrafficDestination
	// GRE represents a GRE tunnel that is created on the Node.
	// +optional
	GRE *TunnelTrafficDestination
	// ERSPAN represents a ERSPAN tunnel that is created on the Node.
	// +optional
	ERSPAN *ERSPANTrafficDestination
}

// PortTrafficDestination represents a port that is attached to the OVS bridge.
// It can be an OVS internal port, a physical NIC, or a veth device.
type PortTrafficDestination struct {
	// Internal represents whether this is an OVS internal port.
	// Antrea will create the port if it's internal and missing. Otherwise the port must already exist.
	Internal bool
	// PeerName represents the name of the peer device from which the traffic
	// will be sent back to OVS. It should only be set for Redirect action.
	PeerName string
}

// TunnelTrafficDestination represents a tunnel that is created on the Node.
type TunnelTrafficDestination struct {
	// The remote IP of the tunnel.
	RemoteIP string
	// The ID of the tunnel.
	TunnelID int64
}

// ERSPANTrafficDestination represents an ERSPAN tunnel that is created on the Node.
type ERSPANTrafficDestination struct {
	RemoteIP   string
	TunnelID   int64
	Version    int8
	Index      int32
	Dir        int8
	HardwareID int8
}

As an example, the TrafficControl resource “mirror-web-app” shown below declares all ingress traffic to Pods with “app=web” in all Namespaces should be redirected to a remote collector running on 10.10.0.2 via GRE tunnel :

apiVersion: crd.antrea.io/v1alpha2
kind: TrafficControl
metadata:
  name: mirror-web-app
spec:
  appliedTo:
    podSelector:
      matchLabels:
        app: web
  direction: Ingress
  action: Mirror
  destination:
    name: gre0
    gre:
      remoteIP: 10.10.0.2

The Antrea Agent is responsible for realizing the traffic control request. It watches the TrafficControl resources from the K8s API server, and manages the container traffic with OpenFlow rules. Specifically, the agent executes the following steps for a TrafficControl resource:

  • Use label selectors to filter Pods running on this Node.
  • Translate the selected Pods to OVS ports, which will be used to filter traffic that should be mirrored or redirected.
  • Translate the target device to OVS port, which will be used as the target port the traffic should be mirrored or redirected to.
  • Install OpenFlow rules calculated using the above arguments.

Describe how your solution impacts user flows

Describe the main design/architecture of your solution

Alternative solutions that you considered

Test plan

Additional context

Work breakdown:

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/designCategorizes issue or PR as related to design.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions