* rename export policies to make it direction independent
* split creating neighborsets and prefixsets from applying export policy
* add bgp import policy to deny service VIPs
* add tests for addition of import policy
Current implementation never considers the "kube-router.io/pod-cidr"
annotation when creating an ipset for the node pod network CIDR.
The Node.Spec.PodCIDR is always used instead.
This patch prefers the annotation PodCIDR over the Node.Spec.PodCIDR
* Introduces the option --full-overlay, to always generate IPIP tunnels regardless of node subnets
* Use --overlay-type={subnet,full} instead of --full-overlay={true,false}
* - refactor / clean up / extract code dupes into methods and reuse
* - fix 639
- get external IPs to withdraw as diff against previous generation
of service
* Change append to insert for iptables rules
Updates how iptables FORWARD rules are applied to accommodate an existing final DROP rule for the chain.
* Fix the calls to Insert() to include a position
* iptables rules indexes are 1-based
* add unit tests for implementing #75
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* integration tests for #75
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* update docs for #75
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* define new kube-router.io/service.advertise.* annotations
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* Implement per service annotations for advertising IPs.
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* more consistent annotation names
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* remove redundant tests
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* update metrics docs & dashboard
* renamed `namespace` label to `svc_namespace` for service metrics as it would be overwritten by most Prometheus setups
* Made histograms for all the controller sync times for better visualization
* added `controller_routes_sync_time`, `controller_bgp_advertisements_sent` & `controller_policy_chains_sync_time` metrics
* Use ip6tables for ipv6 and handle ipv6 for egress rules
* Make the temp ipset's fit into 31 characters
This should be improved. Some hash string should be used for
temp names.
When the number of nodes in a cluster is high enough, the
`disableSourceDestinationCheck()` logic creates a high number
of requests to EC2, resulting in throttling and subsequent
problems, such as the inability to attach EBS volumes. This is
not necessarily mitigated by the `ec2IamAuthorized` attribute
which was added to overcome this issue, as the number of
requests can still be high enough to reach Amazon's request
limits. In addition, it is not necessary to run this multiple
times in a loop for all the nodes in a cluster, as it is
sufficient to set it once when an instance boots.
This CLI option allows an administrator to turn off this
feature for kube-router so they can use some other means of
setting the attribute.
* Introduced new cmdline flag --bgp-port, which controls BGP Server listening port and remote port of in-cluster node peers
* Introduced new cmdline flag --peer-router-ports, which controls remote BGP port for external peers
* Introduced new node annotation kube-router.io/peer.ports with same effect as --peer-router-ports
* Introduces the option --override-nexthop, setting it to true will make
advertised next hop for the routers to the peers will be automatically
selected to be appropriate reachable local IP. This will be overrider
any next-hop set for the routes in the RIB. Kube-router by defauly set
the next-hop to `node IP` which is not correct in case of nodes with
multiple interfaces and use differnt interaces for differect external
peers.
Fixes#480
* add next-hop-self documentation
* Node should advertise its pod CIDR to external BGP peers only if
--advertise-node-pod-cidr is set to true (defaults to true).
This is to enable a case where pod's remain non-routable from out of the
cluster but service VIP's can be routable from out side the cluster.
* fix unit test
* address review comments
