includes workaround for musl hardcoded protocol table that
is missing SCTP support by using protocol name to
numeric value mapping in ipset entries
closes: https://github.com/cloudnativelabs/kube-router/issues/1019
Signed-off-by: Roman Kuzmitskii <roman@damex.org>
Replace the misleading kube_router_controller_bgp_peers gauge
which only counts 'cluster nodes' with a new per peer metric
kube_router_bgp_peer_info with 'GaugeVec' that exposes actual
BGP session state from gobgp. labels include peer address, asn,
type, and state. Metric value is 1 if established and 0 otherwise.
Closes: https://github.com/cloudnativelabs/kube-router/issues/848
Signed-off-by: Roman Kuzmitskii <roman@damex.org>
Logic errors & regressions relating to traffic policies make up
approximately 8 or so preventable historical issues with the project.
Therefore prioritizing them as a unit testing surface.
Changes AFI SAFI configuration to:
* Use consolidated logic for AFI SAFI configuration for both internal
peers and external peers
* Configure AFI SAFI regardless of GracefulRestart enablement
* This is important because by default GoBGP only configures a default
AFI SAFI configuration for the address family of its configured
peering IP. Which means that previously dual-stack configurations
that did not enable GracefulRestart would not work (see: #1992)
When resolving EndpointSlice -> Service ownership, do expose an error if the ownerReference in the metadata does not
agree with the kubernetes.io/service-name label. Instead just use the service-name label.
This aligns better to the way that other network plugins work.
The problem here stems from the fact that when netpol generates its list of expected ipsets, it includes the inet6:
prefix, however, when the proxy and routing controller sent their list of expected ipsets, they did not do so. This
meant that no matter how we handled it in ipset.go it was wrong for one or the other use-cases.
I decided to standardize on the netpol way of sending the list of expected ipset names so that BuildIPSetRestore() can
function in the same way for all invocations.
Attempt to filter out sets that we are not authoritative for to avoid
race conditions with other operators (like Istio) that might be
attempting to modify ipsets at the same time.
This commit allows ICMP traffic always, not just on the case that
network policy is not applied in a particular direction, as was
originally the intention for KUBE-NWPLCY-DEFAULT.
This commit also consolidates common matching logic for established /
related & invalid traffic flows which hopefully reduces how much
iptables rules we have to make by a significant factor.
