Skip to content

Commit

Permalink
[occm] Improve route controller reconciling to ensure the cluster's c…
Browse files Browse the repository at this point in the history
…onnectivity

In oreder to ensure the connectivity between different nodes, route controller need
to do the following things:

1. Check and set openstack router's route rules, so that the packets can be
   forwarded to correct nodes.
2. Check and set the node port's AllowAddressPair, to permit the packets from
   the pods pass through the node's port and leave the node.
3. Check and set openstack security group's rules, so that the nodes that bind the
   security group permit the packets from other nodes enter into.

But, the previous occm codes just check router's route rules, just set router's
route and AllowAddressPair, this patch completed the other steps.
  • Loading branch information
jeffyjf committed Jan 15, 2024
1 parent 0e2aad1 commit ee22e72
Show file tree
Hide file tree
Showing 3 changed files with 394 additions and 89 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -177,6 +177,9 @@ The options in `Global` section are used for openstack-cloud-controller-manager
* `router-id`
Specifies the Neutron router ID to activate [route controller](https://kubernetes.io/docs/concepts/architecture/cloud-controller/#route-controller) to manage Kubernetes cluster routes.
`auto-config-node-security-group`
Whether or not to enable auto config node security group feature. The node security group used to ensure the node permit other nodes packets enter into.
Default: false
**NOTE: This require openstack-cloud-controller-manager's `--cluster-cidr` flag to be set.**
Expand Down
8 changes: 5 additions & 3 deletions pkg/openstack/openstack.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ import (
cloudprovider "k8s.io/cloud-provider"
"k8s.io/klog/v2"

"k8s.io/api/core/v1"
v1 "k8s.io/api/core/v1"
"k8s.io/client-go/informers"
coreinformers "k8s.io/client-go/informers/core/v1"
"k8s.io/client-go/kubernetes/scheme"
Expand Down Expand Up @@ -149,7 +149,8 @@ type NetworkingOpts struct {

// RouterOpts is used for Neutron routes
type RouterOpts struct {
RouterID string `gcfg:"router-id"`
RouterID string `gcfg:"router-id"`
AutoConfigSecurityGroup bool `gcfg:"auto-config-node-security-group"`
}

type ServerAttributesExt struct {
Expand Down Expand Up @@ -237,6 +238,7 @@ func ReadConfig(config io.Reader) (Config, error) {
cfg.LoadBalancer.ContainerStore = "barbican"
cfg.LoadBalancer.MaxSharedLB = 2
cfg.LoadBalancer.ProviderRequiresSerialAPICalls = false
cfg.Route.AutoConfigSecurityGroup = false

err := gcfg.FatalOnly(gcfg.ReadInto(&cfg, config))
if err != nil {
Expand Down Expand Up @@ -483,7 +485,7 @@ func (os *OpenStack) Routes() (cloudprovider.Routes, bool) {
return nil, false
}

r, err := NewRoutes(os, network, netExts["extraroute-atomic"], netExts["allowed-address-pairs"])
r, err := NewRoutes(os, network, netExts["extraroute-atomic"], netExts["allowed-address-pairs"], os.routeOpts.AutoConfigSecurityGroup)
if err != nil {
klog.Warningf("Error initialising Routes support: %v", err)
return nil, false
Expand Down
Loading

0 comments on commit ee22e72

Please sign in to comment.