Adding more configuration flexibility to Egress for user

jainpulkit22 · jainpulkit22 · commit 83f9094af711 · 2025-03-03T15:06:27.000+05:30
Added a StrictEnforcement field to the Egress spec.
If this field is set to flase then if the egress node
is not available due to any reason then the packet
transfer or we can say the traffic will go via normal
Node SNAT, while in the second case where this field
is set to true, and if egress node is not available
packet won't go out and traffic will be stuck
because of unavailability of egress node.
diff --git a/build/charts/antrea/crds/egress.yaml b/build/charts/antrea/crds/egress.yaml
@@ -20,6 +20,7 @@ spec:
               type: object
               required:
               - appliedTo
+              - strictEnforcement
               oneOf:
               - anyOf:
                 - required:
@@ -118,6 +119,8 @@ spec:
                       type: string
                     burst:
                       type: string
+                strictEnforcement:
+                  type: boolean
             status:
               type: object
               properties:
diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
@@ -1414,6 +1414,7 @@ spec:
               type: object
               required:
               - appliedTo
+              - strictEnforcement
               oneOf:
               - anyOf:
                 - required:
@@ -1512,6 +1513,8 @@ spec:
                       type: string
                     burst:
                       type: string
+                strictEnforcement:
+                  type: boolean
             status:
               type: object
               properties:
diff --git a/build/yamls/antrea-crds.yml b/build/yamls/antrea-crds.yml
@@ -1403,6 +1403,7 @@ spec:
               type: object
               required:
               - appliedTo
+              - strictEnforcement
               oneOf:
               - anyOf:
                 - required:
@@ -1501,6 +1502,8 @@ spec:
                       type: string
                     burst:
                       type: string
+                strictEnforcement:
+                  type: boolean
             status:
               type: object
               properties:
diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml
@@ -1414,6 +1414,7 @@ spec:
               type: object
               required:
               - appliedTo
+              - strictEnforcement
               oneOf:
               - anyOf:
                 - required:
@@ -1512,6 +1513,8 @@ spec:
                       type: string
                     burst:
                       type: string
+                strictEnforcement:
+                  type: boolean
             status:
               type: object
               properties:
diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml
@@ -1414,6 +1414,7 @@ spec:
               type: object
               required:
               - appliedTo
+              - strictEnforcement
               oneOf:
               - anyOf:
                 - required:
@@ -1512,6 +1513,8 @@ spec:
                       type: string
                     burst:
                       type: string
+                strictEnforcement:
+                  type: boolean
             status:
               type: object
               properties:
diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml
@@ -1414,6 +1414,7 @@ spec:
               type: object
               required:
               - appliedTo
+              - strictEnforcement
               oneOf:
               - anyOf:
                 - required:
@@ -1512,6 +1513,8 @@ spec:
                       type: string
                     burst:
                       type: string
+                strictEnforcement:
+                  type: boolean
             status:
               type: object
               properties:
diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml
@@ -1414,6 +1414,7 @@ spec:
               type: object
               required:
               - appliedTo
+              - strictEnforcement
               oneOf:
               - anyOf:
                 - required:
@@ -1512,6 +1513,8 @@ spec:
                       type: string
                     burst:
                       type: string
+                strictEnforcement:
+                  type: boolean
             status:
               type: object
               properties:
diff --git a/pkg/agent/controller/egress/egress_controller.go b/pkg/agent/controller/egress/egress_controller.go
@@ -88,6 +88,8 @@ var emptyWatch = watch.NewEmptyWatch()
 
 var newIPAssigner = ipassigner.NewIPAssigner
 
+var egressNodeAvailability = hasEgressNode
+
 // egressState keeps the actual state of an Egress that has been realized.
 type egressState struct {
 	// The actual egress IP of the Egress. If it's different from the desired IP, there is an update to EgressIP, and we
@@ -989,6 +991,12 @@ func (c *EgressController) updateEgressStatus(egress *crdv1b1.Egress, egressIP s
 	return nil
 }
 
+func hasEgressNode(egress *crdv1b1.Egress) bool {
+	if egress.Status.EgressNode == "" {
+		return false
+	}
+	return true
+}
 func (c *EgressController) syncEgress(egressName string) error {
 	startTime := time.Now()
 	defer func() {
@@ -1118,39 +1126,42 @@ func (c *EgressController) syncEgress(egressName string) error {
 	}()
 
 	egressIP := net.ParseIP(eState.egressIP)
-	// Install SNAT flows for desired Pods.
-	for pod := range pods {
-		eState.pods.Insert(pod)
-		stalePods.Delete(pod)
+	strictEnforcement := egress.Spec.StrictEnforcement
+	if strictEnforcement || egressNodeAvailability(egress) {
+		// Install SNAT flows for desired Pods.
+		for pod := range pods {
+			eState.pods.Insert(pod)
+			stalePods.Delete(pod)
+
+			// If the Egress is not the effective one for the Pod, do nothing.
+			if !c.bindPodEgress(pod, egressName) {
+				continue
+			}
 
-		// If the Egress is not the effective one for the Pod, do nothing.
-		if !c.bindPodEgress(pod, egressName) {
-			continue
-		}
+			// Get the Pod's openflow port.
+			parts := strings.Split(pod, "/")
+			podNamespace, podName := parts[0], parts[1]
+			ifaces := c.ifaceStore.GetContainerInterfacesByPod(podName, podNamespace)
+			if len(ifaces) == 0 {
+				klog.Infof("Interfaces of Pod %s/%s not found", podNamespace, podName)
+				continue
+			}
 
-		// Get the Pod's openflow port.
-		parts := strings.Split(pod, "/")
-		podNamespace, podName := parts[0], parts[1]
-		ifaces := c.ifaceStore.GetContainerInterfacesByPod(podName, podNamespace)
-		if len(ifaces) == 0 {
-			klog.Infof("Interfaces of Pod %s/%s not found", podNamespace, podName)
-			continue
+			ofPort := ifaces[0].OFPort
+			if eState.ofPorts.Has(ofPort) {
+				staleOFPorts.Delete(ofPort)
+				continue
+			}
+			if err := c.ofClient.InstallPodSNATFlows(uint32(ofPort), egressIP, mark); err != nil {
+				return err
+			}
+			eState.ofPorts.Insert(ofPort)
 		}
 
-		ofPort := ifaces[0].OFPort
-		if eState.ofPorts.Has(ofPort) {
-			staleOFPorts.Delete(ofPort)
-			continue
-		}
-		if err := c.ofClient.InstallPodSNATFlows(uint32(ofPort), egressIP, mark); err != nil {
+		// Uninstall SNAT flows for stale Pods.
+		if err := c.uninstallPodFlows(egressName, eState, staleOFPorts, stalePods); err != nil {
 			return err
 		}
-		eState.ofPorts.Insert(ofPort)
-	}
-
-	// Uninstall SNAT flows for stale Pods.
-	if err := c.uninstallPodFlows(egressName, eState, staleOFPorts, stalePods); err != nil {
-		return err
 	}
 	return nil
 }
diff --git a/pkg/agent/controller/egress/egress_controller_test.go b/pkg/agent/controller/egress/egress_controller_test.go
@@ -1101,6 +1101,15 @@ func TestSyncEgress(t *testing.T) {
 			},
 		},
 	}
+
+	egressNodeAvailability = func(egress *crdv1b1.Egress) bool {
+		return true
+	}
+
+	defer func() {
+		egressNodeAvailability = hasEgressNode
+	}()
+
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			initObjects := []runtime.Object{tt.existingEgress}
@@ -1195,6 +1204,15 @@ func TestPodUpdateShouldSyncEgress(t *testing.T) {
 			{Pod: &cpv1b2.PodReference{Name: "pendingPod", Namespace: "ns1"}},
 		},
 	}
+
+	egressNodeAvailability = func(egress *crdv1b1.Egress) bool {
+		return true
+	}
+
+	defer func() {
+		egressNodeAvailability = hasEgressNode
+	}()
+
 	c := newFakeController(t, []runtime.Object{egress})
 	stopCh := make(chan struct{})
 	defer close(stopCh)
@@ -1327,6 +1345,15 @@ func TestSyncOverlappingEgress(t *testing.T) {
 			{Pod: &cpv1b2.PodReference{Name: "pod4", Namespace: "ns4"}},
 		},
 	}
+
+	egressNodeAvailability = func(egress *crdv1b1.Egress) bool {
+		return true
+	}
+
+	defer func() {
+		egressNodeAvailability = hasEgressNode
+	}()
+
 	c := newFakeController(t, []runtime.Object{egress1, egress2, egress3})
 	stopCh := make(chan struct{})
 	defer close(stopCh)
diff --git a/pkg/apis/crd/v1beta1/types.go b/pkg/apis/crd/v1beta1/types.go
@@ -1004,7 +1004,8 @@ type EgressSpec struct {
 	// Cannot be set with ExternalIPPool.
 	ExternalIPPools []string `json:"externalIPPools,omitempty"`
 	// Bandwidth specifies the rate limit of north-south egress traffic of this Egress.
-	Bandwidth *Bandwidth `json:"bandwidth,omitempty"`
+	Bandwidth         *Bandwidth `json:"bandwidth,omitempty"`
+	StrictEnforcement bool       `json:"strictEnforcement"`
 }
 
 type Bandwidth struct {
diff --git a/pkg/apiserver/openapi/zz_generated.openapi.go b/pkg/apiserver/openapi/zz_generated.openapi.go

Original file line number	Diff line number	Diff line change
`@@ -1004,7 +1004,8 @@ type EgressSpec struct {`
`1004`	`1004`	`// Cannot be set with ExternalIPPool.`
`1005`	`1005`	ExternalIPPools []string `json:"externalIPPools,omitempty"`
`1006`	`1006`	`// Bandwidth specifies the rate limit of north-south egress traffic of this Egress.`
`1007`		- Bandwidth *Bandwidth `json:"bandwidth,omitempty"`
	`1007`	+ Bandwidth *Bandwidth `json:"bandwidth,omitempty"`
	`1008`	+ StrictEnforcement bool `json:"strictEnforcement"`
`1008`	`1009`	`}`
`1009`	`1010`
`1010`	`1011`	`type Bandwidth struct {`