
Commit 00f9d98

authored
Add TrafficControl API (#3644)
TrafficControl is a feature which allows mirroring or redirecting the traffic Pods send or receive. It enables users to monitor and analyze Pod traffic, and to enforce custom network protections for Pods with fine-grained control over network traffic. This patch adds the types and CRD for the TrafficControl API. Examples: 1. Mirror Pods (web=app) ingress traffic to a VXLAN tunnel ``` apiVersion: crd.antrea.io/v1alpha2 kind: TrafficControl metadata: name: mirror-web-app spec: appliedTo: podSelector: matchLabels: app: web direction: Ingress action: Mirror targetPort: vxlan: remoteIP: 1.1.1.1 ``` 2. Redirect Pods (web=app) traffic in both directions to OVS internal port firewall0 and expect the traffic to re-enter OVS via another OVS internal port firewall1 if it is not dropped. ``` apiVersion: crd.antrea.io/v1alpha2 kind: TrafficControl metadata: name: redirect spec: appliedTo: podSelector: matchLabels: role: web direction: Ingress action: Redirect targetPort: ovsInternal: name: firewall0 returnPort: ovsInternal: name: firewall1 ``` For #3324 Signed-off-by: Quan Tian <[email protected]>
1 parent 2e8a5b8 commit 00f9d98


21 files changed

+2578
-10
lines changed


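--- a/build/charts/antrea/conf/antrea-agent.conf
+++ b/build/charts/antrea/conf/antrea-agent.conf
@@ -47,6 +47,9 @@ featureGates:
 # Enable managing external IPs of Services of LoadBalancer type.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "ServiceExternalIP" "default" false) }}
 
+# Enable mirroring or redirecting the traffic Pods send or receive.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "TrafficControl" "default" false) }}
+
 # Name of the OpenVSwitch bridge antrea-agent will create and use.
 # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
 ovsBridge: {{ .Values.ovs.bridgeName | quote }}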

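--- a/build/charts/antrea/templates/agent/clusterrole.yaml
+++ b/build/charts/antrea/templates/agent/clusterrole.yaml
@@ -167,6 +167,7 @@ rules:
 resources:
 - externalippools
 - ippools
+- trafficcontrols
 verbs:
 - get
 - watch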
@@ -0,0 +1,283 @@
1+
apiVersion: apiextensions.k8s.io/v1
2+
kind: CustomResourceDefinition
3+
metadata:
4+
name: trafficcontrols.crd.antrea.io
5+
spec:
6+
group: crd.antrea.io
7+
versions:
8+
- name: v1alpha2
9+
served: true
10+
storage: true
11+
schema:
12+
openAPIV3Schema:
13+
type: object
14+
required:
15+
- spec
16+
properties:
17+
spec:
18+
type: object
19+
required:
20+
- appliedTo
21+
- direction
22+
- action
23+
- targetPort
24+
properties:
25+
appliedTo:
26+
type: object
27+
properties:
28+
podSelector:
29+
type: object
30+
properties:
31+
matchExpressions:
32+
type: array
33+
items:
34+
type: object
35+
properties:
36+
key:
37+
type: string
38+
operator:
39+
enum:
40+
- In
41+
- NotIn
42+
- Exists
43+
- DoesNotExist
44+
type: string
45+
values:
46+
type: array
47+
items:
48+
type: string
49+
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
50+
matchLabels:
51+
x-kubernetes-preserve-unknown-fields: true
52+
namespaceSelector:
53+
type: object
54+
properties:
55+
matchExpressions:
56+
type: array
57+
items:
58+
type: object
59+
properties:
60+
key:
61+
type: string
62+
operator:
63+
enum:
64+
- In
65+
- NotIn
66+
- Exists
67+
- DoesNotExist
68+
type: string
69+
values:
70+
type: array
71+
items:
72+
type: string
73+
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
74+
matchLabels:
75+
x-kubernetes-preserve-unknown-fields: true
76+
direction:
77+
type: string
78+
enum:
79+
- Ingress
80+
- Egress
81+
- Both
82+
action:
83+
type: string
84+
enum:
85+
- Mirror
86+
- Redirect
87+
targetPort:
88+
type: object
89+
oneOf:
90+
- required: [ovsInternal]
91+
- required: [device]
92+
- required: [geneve]
93+
- required: [vxlan]
94+
- required: [gre]
95+
- required: [erspan]
96+
properties:
97+
ovsInternal:
98+
type: object
99+
required:
100+
- name
101+
properties:
102+
name:
103+
type: string
104+
device:
105+
type: object
106+
required:
107+
- name
108+
properties:
109+
name:
110+
type: string
111+
geneve:
112+
type: object
113+
required:
114+
- remoteIP
115+
properties:
116+
remoteIP:
117+
type: string
118+
oneOf:
119+
- format: ipv4
120+
- format: ipv6
121+
vni:
122+
type: integer
123+
minimum: 0
124+
maximum: 16777215
125+
destinationPort:
126+
type: integer
127+
minimum: 1
128+
maximum: 65535
129+
vxlan:
130+
type: object
131+
required:
132+
- remoteIP
133+
properties:
134+
remoteIP:
135+
type: string
136+
oneOf:
137+
- format: ipv4
138+
- format: ipv6
139+
vni:
140+
type: integer
141+
minimum: 0
142+
maximum: 16777215
143+
destinationPort:
144+
type: integer
145+
minimum: 1
146+
maximum: 65535
147+
gre:
148+
type: object
149+
required:
150+
- remoteIP
151+
properties:
152+
remoteIP:
153+
type: string
154+
oneOf:
155+
- format: ipv4
156+
- format: ipv6
157+
key:
158+
type: integer
159+
minimum: 0
160+
maximum: 4294967295
161+
erspan:
162+
type: object
163+
required:
164+
- remoteIP
165+
- version
166+
properties:
167+
remoteIP:
168+
type: string
169+
oneOf:
170+
- format: ipv4
171+
- format: ipv6
172+
sessionID:
173+
type: integer
174+
minimum: 0
175+
maximum: 1023
176+
version:
177+
type: integer
178+
enum:
179+
- 1
180+
- 2
181+
index:
182+
type: integer
183+
dir:
184+
type: integer
185+
enum:
186+
- 0
187+
- 1
188+
hardwareID:
189+
type: integer
190+
returnPort:
191+
type: object
192+
oneOf:
193+
- required: [ovsInternal]
194+
- required: [device]
195+
- required: [geneve]
196+
- required: [vxlan]
197+
- required: [gre]
198+
properties:
199+
ovsInternal:
200+
type: object
201+
required:
202+
- name
203+
properties:
204+
name:
205+
type: string
206+
device:
207+
type: object
208+
required:
209+
- name
210+
properties:
211+
name:
212+
type: string
213+
geneve:
214+
type: object
215+
required:
216+
- remoteIP
217+
properties:
218+
remoteIP:
219+
type: string
220+
oneOf:
221+
- format: ipv4
222+
- format: ipv6
223+
vni:
224+
type: integer
225+
minimum: 0
226+
maximum: 16777215
227+
destinationPort:
228+
type: integer
229+
minimum: 1
230+
maximum: 65535
231+
vxlan:
232+
type: object
233+
required:
234+
- remoteIP
235+
properties:
236+
remoteIP:
237+
type: string
238+
oneOf:
239+
- format: ipv4
240+
- format: ipv6
241+
vni:
242+
type: integer
243+
minimum: 0
244+
maximum: 16777215
245+
destinationPort:
246+
type: integer
247+
minimum: 1
248+
maximum: 65535
249+
gre:
250+
type: object
251+
required:
252+
- remoteIP
253+
properties:
254+
remoteIP:
255+
type: string
256+
oneOf:
257+
- format: ipv4
258+
- format: ipv6
259+
key:
260+
type: integer
261+
minimum: 0
262+
maximum: 4294967295
263+
additionalPrinterColumns:
264+
- description: Specifies the direction of traffic that should be matched.
265+
jsonPath: .spec.direction
266+
name: Direction
267+
type: string
268+
- description: Specifies the action that should be taken for the traffic.
269+
jsonPath: .spec.action
270+
name: Action
271+
type: string
272+
- jsonPath: .metadata.creationTimestamp
273+
name: Age
274+
type: date
275+
subresources:
276+
status: {}
277+
scope: Cluster
278+
names:
279+
plural: trafficcontrols
280+
singular: trafficcontrol
281+
kind: TrafficControl
282+
shortNames:
283+
- tc
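Review bot: `index` and `hardwareID` under `targetPort.erspan` (new-side lines 181–189) are unbounded integers while the sibling `sessionID` is capped at 1023; ERSPAN carries the index in a 20-bit field and the hardware ID in a 6-bit field, so out-of-range values are accepted by the API server and can only fail later, if at all, in the agent. `appliedTo` (lines 25–75) likewise carries no `required` or `anyOf`, so `appliedTo: {}` passes validation on this cluster-scoped resource; if the controller treats an empty selector as match-all (not visible in this hunk, so worth confirming), a typo would silently mirror or redirect every Pod's traffic, and requiring at least one selector in the schema is cheap insurance. Both are schema-only additions; the rewritten lines are below, with the rest of the spec left as is. The file-path header for this section is not shown on the page, so the note is anchored to the hunk itself.

```yaml
appliedTo:
  type: object
  # Require at least one selector so an empty appliedTo cannot match every Pod.
  anyOf:
    - required: [podSelector]
    - required: [namespaceSelector]
  # … unchanged: podSelector / namespaceSelector properties …
# … unchanged: direction, action, targetPort.ovsInternal/device/geneve/vxlan/gre …
erspan:
  # … unchanged: remoteIP, sessionID, version, dir …
  index:
    type: integer
    minimum: 0
    maximum: 1048575  # 20-bit ERSPAN index; confirm against the agent's encoder
  hardwareID:
    type: integer
    minimum: 0
    maximum: 63  # 6-bit ERSPAN hardware ID
```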
