Add more configuration flexibility to Egress for user

jainpulkit22 · jainpulkit22 · commit a4d3382fd951 · 2025-03-20T12:18:31.000+05:30
Added an immutable FailurePolicy field to the Egress spec.
If this field is set to "NodeSNAT" then if the egress node
is not available due to any reason then the packet
transfer or we can say the traffic will go via normal
Node SNAT, while in the second case where this field
is set to "Drop", and if egress node is not available
packet won't go out and traffic will be stuck
because of unavailability of egress node.

Signed-off-by: Pulkit Jain &lt;pulkit.jain@broadcom.com&gt;
diff --git a/build/charts/antrea/crds/egress.yaml b/build/charts/antrea/crds/egress.yaml
@@ -20,6 +20,7 @@ spec:
               type: object
               required:
               - appliedTo
+              - failurePolicy
               oneOf:
               - anyOf:
                 - required:
@@ -118,6 +119,9 @@ spec:
                       type: string
                     burst:
                       type: string
+                failurePolicy:
+                  type: string
+                  enum: ['Drop', 'NodeSNAT']
             status:
               type: object
               properties:
diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
@@ -1414,6 +1414,7 @@ spec:
               type: object
               required:
               - appliedTo
+              - failurePolicy
               oneOf:
               - anyOf:
                 - required:
@@ -1512,6 +1513,9 @@ spec:
                       type: string
                     burst:
                       type: string
+                failurePolicy:
+                  type: string
+                  enum: ['Drop', 'NodeSNAT']
             status:
               type: object
               properties:
diff --git a/build/yamls/antrea-crds.yml b/build/yamls/antrea-crds.yml
@@ -1403,6 +1403,7 @@ spec:
               type: object
               required:
               - appliedTo
+              - failurePolicy
               oneOf:
               - anyOf:
                 - required:
@@ -1501,6 +1502,9 @@ spec:
                       type: string
                     burst:
                       type: string
+                failurePolicy:
+                  type: string
+                  enum: ['Drop', 'NodeSNAT']
             status:
               type: object
               properties:
diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml
@@ -1414,6 +1414,7 @@ spec:
               type: object
               required:
               - appliedTo
+              - failurePolicy
               oneOf:
               - anyOf:
                 - required:
@@ -1512,6 +1513,9 @@ spec:
                       type: string
                     burst:
                       type: string
+                failurePolicy:
+                  type: string
+                  enum: ['Drop', 'NodeSNAT']
             status:
               type: object
               properties:
diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml
@@ -1414,6 +1414,7 @@ spec:
               type: object
               required:
               - appliedTo
+              - failurePolicy
               oneOf:
               - anyOf:
                 - required:
@@ -1512,6 +1513,9 @@ spec:
                       type: string
                     burst:
                       type: string
+                failurePolicy:
+                  type: string
+                  enum: ['Drop', 'NodeSNAT']
             status:
               type: object
               properties:
diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml
@@ -1414,6 +1414,7 @@ spec:
               type: object
               required:
               - appliedTo
+              - failurePolicy
               oneOf:
               - anyOf:
                 - required:
@@ -1512,6 +1513,9 @@ spec:
                       type: string
                     burst:
                       type: string
+                failurePolicy:
+                  type: string
+                  enum: ['Drop', 'NodeSNAT']
             status:
               type: object
               properties:
diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml
@@ -1414,6 +1414,7 @@ spec:
               type: object
               required:
               - appliedTo
+              - failurePolicy
               oneOf:
               - anyOf:
                 - required:
@@ -1512,6 +1513,9 @@ spec:
                       type: string
                     burst:
                       type: string
+                failurePolicy:
+                  type: string
+                  enum: ['Drop', 'NodeSNAT']
             status:
               type: object
               properties:
diff --git a/pkg/agent/controller/egress/egress_controller.go b/pkg/agent/controller/egress/egress_controller.go
@@ -88,6 +88,8 @@ var emptyWatch = watch.NewEmptyWatch()
 
 var newIPAssigner = ipassigner.NewIPAssigner
 
+var egressNodeAvailability = hasEgressNode
+
 // egressState keeps the actual state of an Egress that has been realized.
 type egressState struct {
 	// The actual egress IP of the Egress. If it's different from the desired IP, there is an update to EgressIP, and we
@@ -989,6 +991,12 @@ func (c *EgressController) updateEgressStatus(egress *crdv1b1.Egress, egressIP s
 	return nil
 }
 
+func hasEgressNode(egress *crdv1b1.Egress) bool {
+	if egress.Status.EgressNode == "" {
+		return false
+	}
+	return true
+}
 func (c *EgressController) syncEgress(egressName string) error {
 	startTime := time.Now()
 	defer func() {
@@ -1024,6 +1032,7 @@ func (c *EgressController) syncEgress(egressName string) error {
 			desiredNode = egressNode
 		} else {
 			scheduleErr = err
+			desiredEgressIP = egress.Spec.EgressIP
 		}
 	} else {
 		desiredEgressIP = egress.Spec.EgressIP
@@ -1118,39 +1127,42 @@ func (c *EgressController) syncEgress(egressName string) error {
 	}()
 
 	egressIP := net.ParseIP(eState.egressIP)
-	// Install SNAT flows for desired Pods.
-	for pod := range pods {
-		eState.pods.Insert(pod)
-		stalePods.Delete(pod)
+	failurePolicy := egress.Spec.FailurePolicy
+	if failurePolicy == crdv1b1.FailurePolicyDrop || egressNodeAvailability(egress) {
+		// Install SNAT flows for desired Pods.
+		for pod := range pods {
+			eState.pods.Insert(pod)
+			stalePods.Delete(pod)
+
+			// If the Egress is not the effective one for the Pod, do nothing.
+			if !c.bindPodEgress(pod, egressName) {
+				continue
+			}
 
-		// If the Egress is not the effective one for the Pod, do nothing.
-		if !c.bindPodEgress(pod, egressName) {
-			continue
-		}
+			// Get the Pod's openflow port.
+			parts := strings.Split(pod, "/")
+			podNamespace, podName := parts[0], parts[1]
+			ifaces := c.ifaceStore.GetContainerInterfacesByPod(podName, podNamespace)
+			if len(ifaces) == 0 {
+				klog.Infof("Interfaces of Pod %s/%s not found", podNamespace, podName)
+				continue
+			}
 
-		// Get the Pod's openflow port.
-		parts := strings.Split(pod, "/")
-		podNamespace, podName := parts[0], parts[1]
-		ifaces := c.ifaceStore.GetContainerInterfacesByPod(podName, podNamespace)
-		if len(ifaces) == 0 {
-			klog.Infof("Interfaces of Pod %s/%s not found", podNamespace, podName)
-			continue
+			ofPort := ifaces[0].OFPort
+			if eState.ofPorts.Has(ofPort) {
+				staleOFPorts.Delete(ofPort)
+				continue
+			}
+			if err := c.ofClient.InstallPodSNATFlows(uint32(ofPort), egressIP, mark); err != nil {
+				return err
+			}
+			eState.ofPorts.Insert(ofPort)
 		}
 
-		ofPort := ifaces[0].OFPort
-		if eState.ofPorts.Has(ofPort) {
-			staleOFPorts.Delete(ofPort)
-			continue
-		}
-		if err := c.ofClient.InstallPodSNATFlows(uint32(ofPort), egressIP, mark); err != nil {
+		// Uninstall SNAT flows for stale Pods.
+		if err := c.uninstallPodFlows(egressName, eState, staleOFPorts, stalePods); err != nil {
 			return err
 		}
-		eState.ofPorts.Insert(ofPort)
-	}
-
-	// Uninstall SNAT flows for stale Pods.
-	if err := c.uninstallPodFlows(egressName, eState, staleOFPorts, stalePods); err != nil {
-		return err
 	}
 	return nil
 }
diff --git a/pkg/agent/controller/egress/egress_controller_test.go b/pkg/agent/controller/egress/egress_controller_test.go
@@ -1101,6 +1101,15 @@ func TestSyncEgress(t *testing.T) {
 			},
 		},
 	}
+
+	egressNodeAvailability = func(egress *crdv1b1.Egress) bool {
+		return true
+	}
+
+	defer func() {
+		egressNodeAvailability = hasEgressNode
+	}()
+
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			initObjects := []runtime.Object{tt.existingEgress}
@@ -1195,6 +1204,15 @@ func TestPodUpdateShouldSyncEgress(t *testing.T) {
 			{Pod: &cpv1b2.PodReference{Name: "pendingPod", Namespace: "ns1"}},
 		},
 	}
+
+	egressNodeAvailability = func(egress *crdv1b1.Egress) bool {
+		return true
+	}
+
+	defer func() {
+		egressNodeAvailability = hasEgressNode
+	}()
+
 	c := newFakeController(t, []runtime.Object{egress})
 	stopCh := make(chan struct{})
 	defer close(stopCh)
@@ -1327,6 +1345,15 @@ func TestSyncOverlappingEgress(t *testing.T) {
 			{Pod: &cpv1b2.PodReference{Name: "pod4", Namespace: "ns4"}},
 		},
 	}
+
+	egressNodeAvailability = func(egress *crdv1b1.Egress) bool {
+		return true
+	}
+
+	defer func() {
+		egressNodeAvailability = hasEgressNode
+	}()
+
 	c := newFakeController(t, []runtime.Object{egress1, egress2, egress3})
 	stopCh := make(chan struct{})
 	defer close(stopCh)
diff --git a/pkg/apis/crd/v1beta1/types.go b/pkg/apis/crd/v1beta1/types.go
@@ -1004,9 +1004,17 @@ type EgressSpec struct {
 	// Cannot be set with ExternalIPPool.
 	ExternalIPPools []string `json:"externalIPPools,omitempty"`
 	// Bandwidth specifies the rate limit of north-south egress traffic of this Egress.
-	Bandwidth *Bandwidth `json:"bandwidth,omitempty"`
+	Bandwidth     *Bandwidth        `json:"bandwidth,omitempty"`
+	FailurePolicy FailurePolicyType `json:"failurePolicy"`
 }
 
+type FailurePolicyType string
+
+const (
+	FailurePolicyDrop     FailurePolicyType = "Drop"
+	FailurePolicyNodeSNAT FailurePolicyType = "NodeSNAT"
+)
+
 type Bandwidth struct {
 	// Rate specifies the maximum traffic rate. e.g. 300k, 10M
 	Rate string `json:"rate"`
diff --git a/pkg/apiserver/openapi/zz_generated.openapi.go b/pkg/apiserver/openapi/zz_generated.openapi.go
diff --git a/pkg/controller/egress/validate.go b/pkg/controller/egress/validate.go
@@ -65,6 +65,10 @@ func (c *EgressController) ValidateEgress(review *admv1.AdmissionReview) *admv1.
 				return false, fmt.Sprintf("Burst %s in Egress %s is invalid: %v", newEgress.Spec.Bandwidth.Burst, newEgress.Name, err)
 			}
 		}
+		// Don't Allow if the FailurePolicy is updated.
+		if oldEgress.Spec.FailurePolicy != "" && newEgress.Spec.FailurePolicy != oldEgress.Spec.FailurePolicy {
+			return false, fmt.Sprint("Field FailurePolicy in Egress Spec is immutable. If you want to update kindly delete and re apply Egress.")
+		}
 		// Allow it if EgressIP and ExternalIPPool don't change.
 		if newEgress.Spec.EgressIP == oldEgress.Spec.EgressIP && newEgress.Spec.ExternalIPPool == oldEgress.Spec.ExternalIPPool {
 			return true, ""

Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,10 @@ func (c EgressController) ValidateEgress(review admv1.AdmissionReview) *admv1.`
`65`	`65`	`return false, fmt.Sprintf("Burst %s in Egress %s is invalid: %v", newEgress.Spec.Bandwidth.Burst, newEgress.Name, err)`
`66`	`66`	`}`
`67`	`67`	`}`
	`68`	`+ // Don't Allow if the FailurePolicy is updated.`
	`69`	`+ if oldEgress.Spec.FailurePolicy != "" && newEgress.Spec.FailurePolicy != oldEgress.Spec.FailurePolicy {`
	`70`	`+ return false, fmt.Sprint("Field FailurePolicy in Egress Spec is immutable. If you want to update kindly delete and re apply Egress.")`
	`71`	`+ }`
`68`	`72`	`// Allow it if EgressIP and ExternalIPPool don't change.`
`69`	`73`	`if newEgress.Spec.EgressIP == oldEgress.Spec.EgressIP && newEgress.Spec.ExternalIPPool == oldEgress.Spec.ExternalIPPool {`
`70`	`74`	`return true, ""`