From 7c15f3b3cc37c46199a7bc666447cc7cb6822629 Mon Sep 17 00:00:00 2001
From: sridhar
Date: Tue, 24 Oct 2023 09:47:39 -0700
Subject: [PATCH 1/3] Changes to support ebpf and ipv6

---
 pkg/controller/installation/validation.go | 15 ++++++++++++---
 pkg/controller/installation/validation_test.go | 7 +++++--
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/pkg/controller/installation/validation.go b/pkg/controller/installation/validation.go
index 8d52d272ec..733c6fbe49 100644
--- a/pkg/controller/installation/validation.go
+++ b/pkg/controller/installation/validation.go
@@ -230,6 +230,7 @@ func validateCustomResource(instance *operatorv1.Installation) error {
 }
 }
+ bpfIPv6Enabled := false
 if v6pool != nil {
 _, cidr, err := net.ParseCIDR(v6pool.CIDR)
 if err != nil {
@@ -241,7 +242,7 @@ func validateCustomResource(instance *operatorv1.Installation) error {
 }
 if bpfDataplane {
- return fmt.Errorf("IPv6 IP pool is specified but eBPF mode does not support IPv6")
+ bpfIPv6Enabled = true
 }
 // Verify NAT outgoing values.
@@ -291,8 +292,16 @@ func validateCustomResource(instance *operatorv1.Installation) error {
 }
 }
- if bpfDataplane && instance.Spec.CalicoNetwork.NodeAddressAutodetectionV4 == nil {
- return fmt.Errorf("spec.calicoNetwork.nodeAddressAutodetectionV4 is required for the BPF dataplane")
+ if bpfDataplane {
+ if bpfIPv6Enabled {
+ if instance.Spec.CalicoNetwork.NodeAddressAutodetectionV6 == nil {
+ return fmt.Errorf("spec.calicoNetwork.nodeAddressAutodetectionV6 is required for the BPF dataplane")
+ }
+ } else {
+ if instance.Spec.CalicoNetwork.NodeAddressAutodetectionV4 == nil {
+ return fmt.Errorf("spec.calicoNetwork.nodeAddressAutodetectionV4 is required for the BPF dataplane")
+ }
+ }
 }
 if instance.Spec.CalicoNetwork.NodeAddressAutodetectionV4 != nil {
diff --git a/pkg/controller/installation/validation_test.go b/pkg/controller/installation/validation_test.go
index f6cfe2f623..02e2e2f924 100644
--- a/pkg/controller/installation/validation_test.go
+++ b/pkg/controller/installation/validation_test.go
@@ -74,7 +74,7 @@ var _ = Describe("Installation validation tests", func() {
 Expect(err).NotTo(HaveOccurred())
 })
- It("should prevent IPv6 if BPF is enabled", func() {
+ It("should allow IPv6 if BPF is enabled", func() {
 bpf := operator.LinuxDataplaneBPF
 instance.Spec.CalicoNetwork.LinuxDataplane = &bpf
 instance.Spec.CalicoNetwork.IPPools = []operator.IPPool{
@@ -85,8 +85,11 @@ var _ = Describe("Installation validation tests", func() {
 NodeSelector: "all()",
 },
 }
+ instance.Spec.CalicoNetwork.NodeAddressAutodetectionV6 = &operator.NodeAddressAutodetection{
+ CanReach: "2001:4860:4860::8888",
+ }
 err := validateCustomResource(instance)
- Expect(err).To(MatchError("IPv6 IP pool is specified but eBPF mode does not support IPv6"))
+ Expect(err).To(BeNil())
 })
 It("should allow IPv6 VXLAN", func() {

From 12f9fc5d0d850919f0061c1081e0b3d25d18157c Mon Sep 17 00:00:00 2001
From: sridhar
Date: Wed, 25 Oct 2023 15:19:18 -0700
Subject: [PATCH 2/3] Add check for dual stack

---
 pkg/controller/installation/validation.go | 25 +++++++----------
 .../installation/validation_test.go | 27 +++++++++++++++++++
 2 files changed, 37 insertions(+), 15 deletions(-)

diff --git a/pkg/controller/installation/validation.go b/pkg/controller/installation/validation.go
index 733c6fbe49..5c0610a5b7 100644
--- a/pkg/controller/installation/validation.go
+++ b/pkg/controller/installation/validation.go
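Review bot: Rewriting the only BPF+IPv6 case into a happy-path test leaves the new rejection path uncovered: after this hunk nothing asserts that an IPv6 pool under the BPF dataplane without `NodeAddressAutodetectionV6` is refused with `spec.calicoNetwork.nodeAddressAutodetectionV6 is required for the BPF dataplane`, unless a case elsewhere in the file that I cannot see already does. Add a sibling `It` that sets up the same pool, omits the `NodeAddressAutodetectionV6` assignment and ends with `Expect(err).To(MatchError("spec.calicoNetwork.nodeAddressAutodetectionV6 is required for the BPF dataplane"))`; the V4 requirement that the second patch of this series moves under `if v4pool != nil` deserves the same negative case. For the success assertion the neighbouring cases use `Expect(err).NotTo(HaveOccurred())` (visible as context at the top of the first hunk), so prefer that over `Expect(err).To(BeNil())` for consistency. The enclosing Describe block starts and ends outside the hunk.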
@@ -152,12 +152,20 @@ func validateCustomResource(instance *operatorv1.Installation) error {
 }
 }
+ if bpfDataplane && v4pool != nil && v6pool != nil {
+ return fmt.Errorf("bpf dataplane does not support dual stack")
+ }
+
 if v4pool != nil {
 _, cidr, err := net.ParseCIDR(v4pool.CIDR)
 if err != nil {
 return fmt.Errorf("ipPool.CIDR(%s) is invalid: %s", v4pool.CIDR, err)
 }
+ if bpfDataplane && instance.Spec.CalicoNetwork.NodeAddressAutodetectionV4 == nil {
+ return fmt.Errorf("spec.calicoNetwork.nodeAddressAutodetectionV4 is required for the BPF dataplane")
+ }
+
 if instance.Spec.CNI.Type == operatorv1.PluginCalico {
 switch instance.Spec.CNI.IPAM.Type {
 case operatorv1.IPAMPluginCalico:
@@ -230,7 +238,6 @@ func validateCustomResource(instance *operatorv1.Installation) error {
 }
 }
- bpfIPv6Enabled := false
 if v6pool != nil {
 _, cidr, err := net.ParseCIDR(v6pool.CIDR)
 if err != nil {
@@ -241,8 +248,8 @@ func validateCustomResource(instance *operatorv1.Installation) error {
 return fmt.Errorf("IPIP encapsulation is not supported by IPv6 pools, but it is set for %s", v6pool.CIDR)
 }
- if bpfDataplane {
- bpfIPv6Enabled = true
+ if bpfDataplane && instance.Spec.CalicoNetwork.NodeAddressAutodetectionV6 == nil {
+ return fmt.Errorf("spec.calicoNetwork.nodeAddressAutodetectionV6 is required for the BPF dataplane")
 }
 // Verify NAT outgoing values.
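Review bot: Moving the NodeAddressAutodetectionV4 requirement inside `if v4pool != nil` in the first hunk means that with `bpfDataplane` set and neither an IPv4 nor an IPv6 pool present, neither this check nor the V6 one in the third hunk fires, whereas the code this series replaces required nodeAddressAutodetectionV4 whenever the BPF dataplane was enabled. I cannot see from the hunk how v4pool and v6pool are derived or whether an empty IPPools list is rejected earlier, so if it is not, keep a pool-independent fallback such as `if bpfDataplane && v4pool == nil && v6pool == nil && instance.Spec.CalicoNetwork.NodeAddressAutodetectionV4 == nil { return fmt.Errorf("spec.calicoNetwork.nodeAddressAutodetectionV4 is required for the BPF dataplane") }`. The new message `bpf dataplane does not support dual stack` also names the feature differently from the neighbouring `BPF dataplane` and `eBPF mode` messages; consider `the BPF dataplane does not support dual stack (both IPv4 and IPv6) IP pools` so one term is searchable in operator logs. validateCustomResource begins and ends outside this hunk.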
@@ -292,18 +299,6 @@ func validateCustomResource(instance *operatorv1.Installation) error {
 }
 }
- if bpfDataplane {
- if bpfIPv6Enabled {
- if instance.Spec.CalicoNetwork.NodeAddressAutodetectionV6 == nil {
- return fmt.Errorf("spec.calicoNetwork.nodeAddressAutodetectionV6 is required for the BPF dataplane")
- }
- } else {
- if instance.Spec.CalicoNetwork.NodeAddressAutodetectionV4 == nil {
- return fmt.Errorf("spec.calicoNetwork.nodeAddressAutodetectionV4 is required for the BPF dataplane")
- }
- }
- }
-
 if instance.Spec.CalicoNetwork.NodeAddressAutodetectionV4 != nil {
 err := validateNodeAddressDetection(instance.Spec.CalicoNetwork.NodeAddressAutodetectionV4)
 if err != nil {
diff --git a/pkg/controller/installation/validation_test.go b/pkg/controller/installation/validation_test.go
index 02e2e2f924..7d85ee8389 100644
--- a/pkg/controller/installation/validation_test.go
+++ b/pkg/controller/installation/validation_test.go
@@ -92,6 +92,33 @@ var _ = Describe("Installation validation tests", func() {
 Expect(err).To(BeNil())
 })
+ It("should not allow dual stack (both IPv4 and IPv6) if BPF is enabled", func() {
+ bpf := operator.LinuxDataplaneBPF
+ instance.Spec.CalicoNetwork.LinuxDataplane = &bpf
+ instance.Spec.CalicoNetwork.IPPools = []operator.IPPool{
+ {
+ CIDR: "1eef::/64",
+ NATOutgoing: operator.NATOutgoingEnabled,
+ Encapsulation: operator.EncapsulationNone,
+ NodeSelector: "all()",
+ },
+ {
+ CIDR: "192.168.0.0/27",
+ Encapsulation: operator.EncapsulationNone,
+ NATOutgoing: operator.NATOutgoingEnabled,
+ NodeSelector: "all()",
+ },
+ }
+ instance.Spec.CalicoNetwork.NodeAddressAutodetectionV6 = &operator.NodeAddressAutodetection{
+ CanReach: "2001:4860:4860::8888",
+ }
+ instance.Spec.CalicoNetwork.NodeAddressAutodetectionV4 = &operator.NodeAddressAutodetection{
+ CanReach: "8.8.8.8",
+ }
+ err := validateCustomResource(instance)
+ Expect(err).To(MatchError("bpf dataplane does not support dual stack"))
+ })
+
 It("should allow IPv6 VXLAN", func() {
 encaps := []operator.EncapsulationType{operator.EncapsulationVXLAN, operator.EncapsulationVXLANCrossSubnet}
 for _, vxlanMode := range encaps {

From 4e2bd093821a4be2ef584e359b3a0a18f66a1ee7 Mon Sep 17 00:00:00 2001
From: sridhar
Date: Wed, 25 Oct 2023 15:59:42 -0700
Subject: [PATCH 3/3] Update CRD

---
 .../crd.projectcalico.org_bgpfilters.yaml | 16 ++++++-------
 ...projectcalico.org_felixconfigurations.yaml | 23 ++++++++++++++++++-
 2 files changed, 30 insertions(+), 9 deletions(-)

diff --git a/pkg/crds/calico/crd.projectcalico.org_bgpfilters.yaml b/pkg/crds/calico/crd.projectcalico.org_bgpfilters.yaml
index a44e155532..dc5fe117b3 100644
--- a/pkg/crds/calico/crd.projectcalico.org_bgpfilters.yaml
+++ b/pkg/crds/calico/crd.projectcalico.org_bgpfilters.yaml
@@ -47,10 +47,10 @@ spec:
 type: string
 matchOperator:
 type: string
+ source:
+ type: string
 required:
 - action
- - cidr
- - matchOperator
 type: object
 type: array
 exportV6:
@@ -66,10 +66,10 @@ spec:
 type: string
 matchOperator:
 type: string
+ source:
+ type: string
 required:
 - action
- - cidr
- - matchOperator
 type: object
 type: array
 importV4:
@@ -85,10 +85,10 @@ spec:
 type: string
 matchOperator:
 type: string
+ source:
+ type: string
 required:
 - action
- - cidr
- - matchOperator
 type: object
 type: array
 importV6:
@@ -104,10 +104,10 @@ spec:
 type: string
 matchOperator:
 type: string
+ source:
+ type: string
 required:
 - action
- - cidr
- - matchOperator
 type: object
 type: array
 type: object
diff --git a/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml b/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml
index 8d7e5f9cc2..209c7146d9 100644
--- a/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml
+++ b/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml
@@ -58,12 +58,25 @@ spec: [Default: unset - means logs are emitted when BPFLogLevel id debug and BPFLogFilters not set.]' type: string + bpfConnectTimeLoadBalancing: + description: 'BPFConnectTimeLoadBalancing when in BPF mode, controls + whether Felix installs the connect-time load balancer. The connect-time + load balancer is required for the host to be able to reach Kubernetes + services and it improves the performance of pod-to-service connections.When + set to TCP, connect time load balancing is available only for services + with TCP ports. [Default: TCP]' + enum: + - TCP + - Enabled + - Disabled + type: string bpfConnectTimeLoadBalancingEnabled: description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode, controls whether Felix installs the connection-time load balancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services and it improves the performance of pod-to-service - connections. The only reason to disable it is for debugging purposes. [Default: + connections. The only reason to disable it is for debugging purposes. + This will be deprecated. Use BPFConnectTimeLoadBalancing [Default: true]' type: boolean bpfDSROptoutCIDRs: @@ -138,6 +151,14 @@ spec: conntrack in BPF mode for workloads and services. [Default: true - bypass Linux conntrack]' type: boolean + bpfHostNetworkedNATWithoutCTLB: + description: 'BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls + whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing + determines the CTLB behavior. [Default: Enabled]' + enum: + - Enabled + - Disabled + type: string bpfKubeProxyEndpointSlicesEnabled: description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls whether Felix's embedded kube-proxy accepts EndpointSlices or not.