Enable IP forwarding for Linux mulititenancy (#386)
* Enable ipforwarding, prevent ip spoofing and other security concern * added ovssnat test to circleci * fixed compiler error * updated circleci image * fixed circleci yaml * updated circleci image * fixed UT * fixed UTs * addressed review comments * added comments * addressed review comments * fixed UT * separating PRs - removing ip spoofing check changes * added document for describing multitenancy fields * fixed docs/cnimultitenancy.md * removed a condition as it seems to be not working
1 parent
d7320a9
commit b027258
Showing
7 changed files
with
155 additions
and
17 deletions.
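--- /dev/null
+++ b/docs/cnimultitenancy.md
@@ -0,0 +1,16 @@
+# Microsoft Azure Container Networking
+CNI Multitenacy binaries are meant only for 1st party customers for now.
+
+Conflist Fields Description
+---------------------------
+multiTenancy - To indicate CNI to use multitenancy network setup using ovs bridge. Thefollowing fields will be processed
+only if this fields is set to true
+
+enableExactMatchForPodName - If this set to false, then CNI strips the last two hex fields added by container runtime to locate the pod.
+For Eg: In kubernetes, if pod name is samplepod, then container runtime generates this as samplepod-3e4a-5e4a.
+CNI would strip 3e4a-5e4a and keep it as samplepod to locate the pod in CNS.
+If the field is set to true, CNI would take whatever container runtime provides.
+
+enableSnatOnHost - If pod/container wants outbound connectivity, this field should be set to true. Enabling this field also enables
+ip forwarding kernel setting in container host and adds iptable rule to allow forward traffic from snat bridge.
+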
@@ -0,0 +1,100 @@ | ||
package ovssnat | ||
|
||
import ( | ||
"os" | ||
"testing" | ||
|
||
"github.com/Azure/azure-container-networking/netlink" | ||
) | ||
|
||
var anyInterface = "dummy" | ||
|
||
func TestMain(m *testing.M) { | ||
exitCode := m.Run() | ||
|
||
// Create a dummy test network interface. | ||
|
||
os.Exit(exitCode) | ||
} | ||
|
||
func TestAllowInboundFromHostToNC(t *testing.T) { | ||
client := &OVSSnatClient{ | ||
snatBridgeIP: "169.254.0.1/16", | ||
localIP: "169.254.0.4/16", | ||
containerSnatVethName: anyInterface, | ||
} | ||
|
||
if err := netlink.AddLink(&netlink.DummyLink{ | ||
LinkInfo: netlink.LinkInfo{ | ||
Type: netlink.LINK_TYPE_DUMMY, | ||
Name: anyInterface, | ||
}, | ||
}); err != nil { | ||
t.Errorf("Error adding dummy interface %v", err) | ||
} | ||
|
||
if err := netlink.AddLink(&netlink.DummyLink{ | ||
LinkInfo: netlink.LinkInfo{ | ||
Type: netlink.LINK_TYPE_DUMMY, | ||
Name: SnatBridgeName, | ||
}, | ||
}); err != nil { | ||
t.Errorf("Error adding dummy interface %v", err) | ||
} | ||
|
||
if err := client.AllowInboundFromHostToNC(); err != nil { | ||
t.Errorf("Error adding inbound rule: %v", err) | ||
} | ||
|
||
if err := client.AllowInboundFromHostToNC(); err != nil { | ||
t.Errorf("Error adding existing inbound rule: %v", err) | ||
} | ||
|
||
if err := client.DeleteInboundFromHostToNC(); err != nil { | ||
t.Errorf("Error removing inbound rule: %v", err) | ||
} | ||
|
||
netlink.DeleteLink(anyInterface) | ||
netlink.DeleteLink(SnatBridgeName) | ||
} | ||
|
||
func TestAllowInboundFromNCToHost(t *testing.T) { | ||
client := &OVSSnatClient{ | ||
snatBridgeIP: "169.254.0.1/16", | ||
localIP: "169.254.0.4/16", | ||
containerSnatVethName: anyInterface, | ||
} | ||
|
||
if err := netlink.AddLink(&netlink.DummyLink{ | ||
LinkInfo: netlink.LinkInfo{ | ||
Type: netlink.LINK_TYPE_DUMMY, | ||
Name: anyInterface, | ||
}, | ||
}); err != nil { | ||
t.Errorf("Error adding dummy interface %v", err) | ||
} | ||
|
||
if err := netlink.AddLink(&netlink.DummyLink{ | ||
LinkInfo: netlink.LinkInfo{ | ||
Type: netlink.LINK_TYPE_DUMMY, | ||
Name: SnatBridgeName, | ||
}, | ||
}); err != nil { | ||
t.Errorf("Error adding dummy interface %v", err) | ||
} | ||
|
||
if err := client.AllowInboundFromNCToHost(); err != nil { | ||
t.Errorf("Error adding inbound rule: %v", err) | ||
} | ||
|
||
if err := client.AllowInboundFromNCToHost(); err != nil { | ||
t.Errorf("Error adding existing inbound rule: %v", err) | ||
} | ||
|
||
if err := client.DeleteInboundFromNCToHost(); err != nil { | ||
t.Errorf("Error removing inbound rule: %v", err) | ||
} | ||
|
||
netlink.DeleteLink(anyInterface) | ||
netlink.DeleteLink(SnatBridgeName) | ||
} |
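Review bot: Both tests mutate host network state (two dummy links and, per the commit description, iptables rules via the AllowInbound* calls) but the `netlink.DeleteLink` cleanup at the end of each test is not deferred and an `AddLink` failure is only reported with `t.Errorf` before the test carries on, so a failed or panicking run leaves `dummy` and the SNAT bridge link on the host and exercises the rule code against a half-built setup. Since `netlink.AddLink` needs CAP_NET_ADMIN, unprivileged runs fail instead of skipping, and the setup block is duplicated verbatim in both tests; a shared helper that skips when not root (a coarse proxy for the capability), aborts with `t.Fatalf` on setup failure after undoing what it created, and returns a cleanup for the caller to `defer` addresses all three (sketch below). The tests also only assert that Add and Delete return nil, so a Delete that silently left the allow rule in place would still pass — if the client has a way to query the rule, a check that it is absent after `DeleteInboundFrom*` would make the cleanup guarantee real. Separately, `TestMain` is a no-op whose comment `// Create a dummy test network interface.` sits after `m.Run()` where nothing happens; either drop the function or move that comment to where the links are actually created.
```go
// newSnatTestClient creates the dummy links the rules under test refer to
// and returns a client plus a cleanup func the caller must defer.
func newSnatTestClient(t *testing.T) (*OVSSnatClient, func()) {
	if os.Geteuid() != 0 {
		t.Skip("creating links and rules needs CAP_NET_ADMIN; run as root")
	}
	cleanup := func() {
		netlink.DeleteLink(anyInterface)
		netlink.DeleteLink(SnatBridgeName)
	}
	for _, name := range []string{anyInterface, SnatBridgeName} {
		link := &netlink.DummyLink{LinkInfo: netlink.LinkInfo{Type: netlink.LINK_TYPE_DUMMY, Name: name}}
		if err := netlink.AddLink(link); err != nil {
			cleanup() // undo any link already created before aborting
			t.Fatalf("adding dummy link %s: %v", name, err)
		}
	}
	return &OVSSnatClient{
		snatBridgeIP:          "169.254.0.1/16",
		localIP:               "169.254.0.4/16",
		containerSnatVethName: anyInterface,
	}, cleanup
}

func TestAllowInboundFromHostToNC(t *testing.T) {
	client, cleanup := newSnatTestClient(t)
	defer cleanup()
	// … unchanged: the Allow/Allow/Delete calls and their t.Errorf checks …
}
```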