Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PSUPCLPL-15272] IPIP connectivity check rework #652

Merged
merged 5 commits into from
May 14, 2024
Merged

[PSUPCLPL-15272] IPIP connectivity check rework #652

merged 5 commits into from
May 14, 2024

Conversation

alexarefev
Copy link
Collaborator

@alexarefev alexarefev commented May 4, 2024
edited
Loading

Description

  • The network.ipip_connectivity task in check_iaas could return incorrect results due to IaaS level firewall rules. For instance, in OpenStack set of Iptables rules that implements the Security Group. That Iptables rules allow the ESTABLISHED and RELATED packets which leads to the following case. IPIP packets moving from VM-1 to VM-2 are blocked, but the IPIP packets from VM-2 to VM-1 are allowed as they look like RELATED packets whereas, IPIP traffic is not allowed in Security Group at all for VM-1 and VM-2.
  • In this case, the only way to check the IPIP connectivity in cluster is to avoid IPIP packets movement from VM-1 to VM-2 and vice versa. Therefore, VM-1 must send packets to VM-2 and VM-2 to VM-3 and VM-3 must send packets to VM-1 (if there are three nodes in the cluster). That approach is not comprehensive (it doesn't take in to account the connectivity from VM-1 to VM-3 and from VM-2 to VM-1 ), but allows to check IPIP connectivity in general in the particular cluster.
  • There is no possibility to set the source port in ipip_check

Solution

  • Organize ring topology in the network.ipip_connectivity procedure
  • Add input sport parameter

How to apply

Not applicable

Test Cases

TestCase 1
Check if the new approach is working

Test Configuration:

  • Hardware:
  • OS:
  • Inventory:

Steps:

  1. Prepare OpenStack instances as Kubernetes cluster nodes.
  2. Set Security Group to allow all IPv4 egress traffic and not allow IPIP ingress traffic.
  3. Run check_iaas with --tasks "network.ipip_connectivity" option several times in a row.
  4. Change Security Group to allow IPIP ingress traffic for some of the cluster nodes.
  5. Run check_iaas with --tasks "network.ipip_connectivity" option several time in a row.

Results:

Before After
Results vary; Results do not match the Security Group rules Results are the same; Results match the Security Group rules
Results vary; Results do not match the Security Group rules Results are the same; Results match the Security Group rules

Checklist

  • I have commented my code, particularly in hard-to-understand areas
  • Integration CI passed
  • There is no merge conflicts

@alexarefev alexarefev added the improvement New feature or request label May 4, 2024
@alexarefev alexarefev marked this pull request as ready for review May 6, 2024 14:24
@alexarefev alexarefev requested review from Imadzuma and ilia1243 May 6, 2024 14:25
@koryaga koryaga requested a review from theboringstuff May 7, 2024 07:52
@koryaga koryaga requested a review from OleksandrIaresko May 13, 2024 12:43
@koryaga koryaga added this to the v0.30.0 milestone May 14, 2024
@koryaga koryaga merged commit 187d767 into main May 14, 2024
43 checks passed
@koryaga koryaga deleted the improvement/ipip_check_rework branch May 14, 2024 11:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ilia1243 ilia1243 ilia1243 approved these changes

@Imadzuma Imadzuma Imadzuma approved these changes

@theboringstuff theboringstuff theboringstuff approved these changes

@OleksandrIaresko OleksandrIaresko OleksandrIaresko approved these changes

Assignees

@koryaga koryaga

Labels
improvement New feature or request
Projects
None yet
Milestone
v0.30.0
Development

Successfully merging this pull request may close these issues.
6 participants
@alexarefev @ilia1243 @Imadzuma @theboringstuff @OleksandrIaresko @koryaga