Add user guide for Egress feature #2371
Conversation
Codecov Report
@@ Coverage Diff @@
## main #2371 +/- ##
===========================================
- Coverage 59.79% 42.05% -17.75%
===========================================
Files 283 146 -137
Lines 22118 18136 -3982
===========================================
- Hits 13226 7627 -5599
- Misses 7479 9825 +2346
+ Partials 1413 684 -729
Flags with carried forward coverage won't be shown. Click here to find out more.
|
docs/egress.md
Outdated
| outside of the cluster, for source tracing in audit logs, or whitelisting | ||
| by source IP in external firewall, etc. | ||
|
|
||
| - You want to limit outgoing external connections leave the cluster via certain |
There was a problem hiding this comment.
| - You want to limit outgoing external connections leave the cluster via certain | |
| - You want to force outgoing external connections to leave the cluster via certain |
docs/egress.md
Outdated
| by source IP in external firewall, etc. | ||
|
|
||
| - You want to limit outgoing external connections leave the cluster via certain | ||
| Nodes, for security controls, or due to the network topology restriction. |
There was a problem hiding this comment.
or due to network topology restrictions.
docs/egress.md
Outdated
| IP if it's different from the Node that the Pod runs on and will be SNATed to | ||
| the egress IP when leaving that Node. | ||
|
|
||
| You may be interested in using this capability if any of the below are true: |
There was a problem hiding this comment.
| You may be interested in using this capability if any of the below are true: | |
| You may be interested in using this capability if any of the following apply: |
docs/egress.md
Outdated
| podSelector: | ||
| matchLabels: | ||
| role: web | ||
| egressIP: 10.10.0.8 |
There was a problem hiding this comment.
| egressIP: 10.10.0.8 | |
| egressIP: 10.10.0.8 # can be populated by Antrea after assigning an IP from the pool below |
docs/egress.md
Outdated
| the `egressIP` is allocated from an `externalIPPool`**, i.e. when the | ||
| `externalIPPool` is specified. If the Node hosting the `egressIP` fails, another | ||
| Node will be elected as the new egress Node of this Egress. It will take over | ||
| the IP and sends layer 2 advertisement (for example, Gratuitous ARP for IPv4) to |
| selected Pods to the external network should use. **The IP must be reachable | ||
| from all Nodes.** The IP can be specified when creating the Egress. Starting |
There was a problem hiding this comment.
The IP must be reachable from all Nodes.
I wonder if this is really necessary. If I have a cluster with Nodes spread over multiple Node subnets, it should be ok to partition my egress IPs over the different subnets, and each egress IP only needs to be reachable from within the subnet in which it is used. I would configure the nodeSelector in my IP pools to only select Nodes within that subnet. But it's probably an unusual scenario and it's easier to frame the requirement as "The IP must be reachable from all Nodes".
There was a problem hiding this comment.
The IP must be reachable from all Nodes because we use the egress IPs as tunnel destination (to "encap" the snat IP the traffic should use). As any Pod on any Node can use the egress IPs, the source Node must be able to reach the egress IP, otherwise the tunnel traffic would be dropped.
https://github.com/antrea-io/antrea/blob/main/docs/design/ovs-pipeline.md#snattable-71 has details about the SNAT IP as Tunnel destination IP.
docs/egress.md
Outdated
|
|
||
| The `ipRanges` field contains a list of IP ranges representing the available IPs | ||
| of this IP pool. Each IP range may consist of a `cidr` or a pair of `start` and | ||
| `end` IPs inclusive. |
There was a problem hiding this comment.
| `end` IPs inclusive. | |
| `end` IPs (which are themselves included in the range). |
docs/egress.md
Outdated
| Now, the packets from the Pods with label `app=web` in `prod` Namespace to the | ||
| external network will be redirected to `node-4` Node and SNATed to `10.10.0.11` | ||
| while the packets from the Pods with label `app=web` in `staging` Namespace to | ||
| the external network will be redirected to `node-6` Node and SNATed to | ||
| `10.10.0.12`. |
There was a problem hiding this comment.
in the prod Namespaces
to the node-4 Node
in the staging Namespaces
to the node-6 Node
There was a problem hiding this comment.
done. I assume you mean "in the prod Namespace", not "Namespaces"? I used namespace name label so it can only match one namespace.
docs/egress.md
Outdated
| `10.10.0.12`. | ||
|
|
||
| Finally, if `node-4` Node powers off, `10.10.0.11` will be re-assigned to | ||
| another available Node in a short time and the packets from the Pods with label |
There was a problem hiding this comment.
s/in a short time/quickly
docs/egress.md
Outdated
| Now, the packets from the Pods with in `prod` Namespace to the external network | ||
| will be redirected to `node-4` Node and SNATed to `10.10.0.104` while the | ||
| packets from the Pods in `staging` Namespace to the external network will be | ||
| redirected to `node-5` Node and SNATed to `10.10.0.12`. |
docs/egress.md
Outdated
| The `nodeSelector` field specifies which Nodes the IPs in this pool can be | ||
| assigned to. It's useful when you want to limit egress traffic to certain Nodes. | ||
| The semantics of the selector is the same as those used elsewhere in Kubernetes, | ||
| i.e. both `matchLabel` and `matchExpressions` are supported. It can be empty, |
There was a problem hiding this comment.
| i.e. both `matchLabel` and `matchExpressions` are supported. It can be empty, | |
| i.e. both `matchLabels` and `matchExpressions` are supported. It can be empty, |
docs/egress.md
Outdated
| IP if it's different from the Node that the Pod runs on and will be SNATed to | ||
| the egress IP when leaving that Node. | ||
|
|
||
| You may be interested in using this capability if any of the below are true: |
docs/egress.md
Outdated
| outside of the cluster, for source tracing in audit logs, or whitelisting | ||
| by source IP in external firewall, etc. | ||
|
|
||
| - You want to limit outgoing external connections leave the cluster via certain |
docs/egress.md
Outdated
| by source IP in external firewall, etc. | ||
|
|
||
| - You want to limit outgoing external connections leave the cluster via certain | ||
| Nodes, for security controls, or due to the network topology restriction. |
docs/egress.md
Outdated
| podSelector: | ||
| matchLabels: | ||
| role: web | ||
| egressIP: 10.10.0.8 |
docs/egress.md
Outdated
|
|
||
| The `ipRanges` field contains a list of IP ranges representing the available IPs | ||
| of this IP pool. Each IP range may consist of a `cidr` or a pair of `start` and | ||
| `end` IPs inclusive. |
docs/egress.md
Outdated
| The `nodeSelector` field specifies which Nodes the IPs in this pool can be | ||
| assigned to. It's useful when you want to limit egress traffic to certain Nodes. | ||
| The semantics of the selector is the same as those used elsewhere in Kubernetes, | ||
| i.e. both `matchLabel` and `matchExpressions` are supported. It can be empty, |
docs/egress.md
Outdated
| Now, the packets from the Pods with label `app=web` in `prod` Namespace to the | ||
| external network will be redirected to `node-4` Node and SNATed to `10.10.0.11` | ||
| while the packets from the Pods with label `app=web` in `staging` Namespace to | ||
| the external network will be redirected to `node-6` Node and SNATed to | ||
| `10.10.0.12`. |
There was a problem hiding this comment.
done. I assume you mean "in the prod Namespace", not "Namespaces"? I used namespace name label so it can only match one namespace.
docs/egress.md
Outdated
| `10.10.0.12`. | ||
|
|
||
| Finally, if `node-4` Node powers off, `10.10.0.11` will be re-assigned to | ||
| another available Node in a short time and the packets from the Pods with label |
docs/egress.md
Outdated
| Now, the packets from the Pods with in `prod` Namespace to the external network | ||
| will be redirected to `node-4` Node and SNATed to `10.10.0.104` while the | ||
| packets from the Pods in `staging` Namespace to the external network will be | ||
| redirected to `node-5` Node and SNATed to `10.10.0.12`. |
docs/egress.md
Outdated
|
|
||
| ## Usage examples | ||
|
|
||
| ### Configuring high available Egress |
There was a problem hiding this comment.
I thought it should be "highly available", but after some researching I am not very certain now. @antoninbas : comments?
Personally I prefer "Egress with HA", or "auto-failover Egress".
There was a problem hiding this comment.
yes, it should either be "highly-available Egress" or "high-availability Egress"
There was a problem hiding this comment.
Thanks, updated to "High-Availability", following https://kubernetes.io/docs/tasks/administer-cluster/highly-available-control-plane
Signed-off-by: Quan Tian <qtian@vmware.com>
|
/skip-all |
Signed-off-by: Quan Tian qtian@vmware.com