Gitiles
Code Review Sign In
gerrit.onosproject.org / onos / 619fa28c4de8b8ddf95e7dc8cd0cf2e9cdb47bde / . / apps / k8s-networking / app / src / main / java / org / onosproject / k8snetworking / impl / K8sServiceHandler.java
blob: fd0dff061e950daa2acd5a7eb258d8f48579ead8 [file] [log] [blame]
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]1/*
2 * Copyright 2019-present Open Networking Foundation
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16package org.onosproject.k8snetworking.impl;
17
18import com.google.common.collect.Lists;
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]19import com.google.common.collect.Maps;
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]20import io.fabric8.kubernetes.api.model.EndpointAddress;
21import io.fabric8.kubernetes.api.model.EndpointPort;
22import io.fabric8.kubernetes.api.model.EndpointSubset;
23import io.fabric8.kubernetes.api.model.Endpoints;
Jian Lie1a5b8f2019-07-23 17:13:19 +0900[diff] [blame]24import io.fabric8.kubernetes.api.model.Pod;
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]25import io.fabric8.kubernetes.api.model.Service;
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]26import io.fabric8.kubernetes.api.model.ServicePort;
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]27import org.onlab.packet.Ethernet;
28import org.onlab.packet.IPv4;
29import org.onlab.packet.IpAddress;
30import org.onlab.packet.IpPrefix;
Jian Lif5da78a2019-04-15 01:52:23 +0900[diff] [blame]31import org.onlab.packet.MacAddress;
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]32import org.onlab.packet.TpPort;
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]33import org.onlab.util.Tools;
34import org.onosproject.cfg.ComponentConfigService;
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]35import org.onosproject.cluster.ClusterService;
36import org.onosproject.cluster.LeadershipService;
37import org.onosproject.cluster.NodeId;
38import org.onosproject.core.ApplicationId;
39import org.onosproject.core.CoreService;
40import org.onosproject.core.GroupId;
Jian Li7b63fe62019-04-14 21:49:27 +0900[diff] [blame]41import org.onosproject.k8snetworking.api.K8sEndpointsEvent;
42import org.onosproject.k8snetworking.api.K8sEndpointsListener;
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]43import org.onosproject.k8snetworking.api.K8sEndpointsService;
44import org.onosproject.k8snetworking.api.K8sFlowRuleService;
45import org.onosproject.k8snetworking.api.K8sGroupRuleService;
Jian Lif5da78a2019-04-15 01:52:23 +0900[diff] [blame]46import org.onosproject.k8snetworking.api.K8sNetwork;
47import org.onosproject.k8snetworking.api.K8sNetworkEvent;
48import org.onosproject.k8snetworking.api.K8sNetworkListener;
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]49import org.onosproject.k8snetworking.api.K8sNetworkService;
Jian Lie1a5b8f2019-07-23 17:13:19 +0900[diff] [blame]50import org.onosproject.k8snetworking.api.K8sPodService;
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]51import org.onosproject.k8snetworking.api.K8sServiceEvent;
52import org.onosproject.k8snetworking.api.K8sServiceListener;
53import org.onosproject.k8snetworking.api.K8sServiceService;
54import org.onosproject.k8snetworking.util.RulePopulatorUtil;
55import org.onosproject.k8snetworking.util.RulePopulatorUtil.NiciraConnTrackTreatmentBuilder;
56import org.onosproject.k8snode.api.K8sNode;
57import org.onosproject.k8snode.api.K8sNodeEvent;
58import org.onosproject.k8snode.api.K8sNodeListener;
59import org.onosproject.k8snode.api.K8sNodeService;
60import org.onosproject.net.DeviceId;
Jian Lif5da78a2019-04-15 01:52:23 +0900[diff] [blame]61import org.onosproject.net.PortNumber;
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]62import org.onosproject.net.device.DeviceService;
63import org.onosproject.net.driver.DriverService;
64import org.onosproject.net.flow.DefaultTrafficSelector;
65import org.onosproject.net.flow.DefaultTrafficTreatment;
66import org.onosproject.net.flow.TrafficSelector;
67import org.onosproject.net.flow.TrafficTreatment;
68import org.onosproject.net.flow.criteria.ExtensionSelector;
69import org.onosproject.net.flow.instructions.ExtensionTreatment;
70import org.onosproject.net.group.GroupBucket;
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]71import org.onosproject.store.service.StorageService;
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]72import org.osgi.service.component.ComponentContext;
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]73import org.osgi.service.component.annotations.Activate;
74import org.osgi.service.component.annotations.Component;
75import org.osgi.service.component.annotations.Deactivate;
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]76import org.osgi.service.component.annotations.Modified;
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]77import org.osgi.service.component.annotations.Reference;
78import org.osgi.service.component.annotations.ReferenceCardinality;
79import org.slf4j.Logger;
80
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]81import java.util.Dictionary;
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]82import java.util.List;
83import java.util.Map;
84import java.util.Objects;
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]85import java.util.Set;
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]86import java.util.concurrent.ExecutorService;
87import java.util.stream.Collectors;
88
89import static java.util.concurrent.Executors.newSingleThreadExecutor;
90import static org.onlab.util.Tools.groupedThreads;
Jian Li73d3b6a2019-07-08 18:07:53 +0900[diff] [blame]91import static org.onosproject.k8snetworking.api.Constants.ACL_TABLE;
Jian Li140d8a22019-04-24 23:41:44 +0900[diff] [blame]92import static org.onosproject.k8snetworking.api.Constants.A_CLASS;
93import static org.onosproject.k8snetworking.api.Constants.B_CLASS;
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]94import static org.onosproject.k8snetworking.api.Constants.DST;
Jian Li73d3b6a2019-07-08 18:07:53 +0900[diff] [blame]95import static org.onosproject.k8snetworking.api.Constants.GROUPING_TABLE;
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]96import static org.onosproject.k8snetworking.api.Constants.K8S_NETWORKING_APP_ID;
Jian Lie1a5b8f2019-07-23 17:13:19 +0900[diff] [blame]97import static org.onosproject.k8snetworking.api.Constants.NAMESPACE_TABLE;
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]98import static org.onosproject.k8snetworking.api.Constants.NAT_STATEFUL;
99import static org.onosproject.k8snetworking.api.Constants.NAT_STATELESS;
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]100import static org.onosproject.k8snetworking.api.Constants.NAT_TABLE;
Jian Li140d8a22019-04-24 23:41:44 +0900[diff] [blame]101import static org.onosproject.k8snetworking.api.Constants.NODE_IP_PREFIX;
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]102import static org.onosproject.k8snetworking.api.Constants.POD_TABLE;
Jian Lif5da78a2019-04-15 01:52:23 +0900[diff] [blame]103import static org.onosproject.k8snetworking.api.Constants.PRIORITY_CIDR_RULE;
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]104import static org.onosproject.k8snetworking.api.Constants.PRIORITY_CT_RULE;
Jian Li7d111d72019-04-12 13:58:44 +0900[diff] [blame]105import static org.onosproject.k8snetworking.api.Constants.PRIORITY_INTER_ROUTING_RULE;
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]106import static org.onosproject.k8snetworking.api.Constants.PRIORITY_NAT_RULE;
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]107import static org.onosproject.k8snetworking.api.Constants.ROUTING_TABLE;
Jian Lif5da78a2019-04-15 01:52:23 +0900[diff] [blame]108import static org.onosproject.k8snetworking.api.Constants.SERVICE_FAKE_MAC_STR;
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]109import static org.onosproject.k8snetworking.api.Constants.SERVICE_TABLE;
110import static org.onosproject.k8snetworking.api.Constants.SHIFTED_IP_CIDR;
111import static org.onosproject.k8snetworking.api.Constants.SHIFTED_IP_PREFIX;
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]112import static org.onosproject.k8snetworking.api.Constants.SRC;
Jian Lie1a5b8f2019-07-23 17:13:19 +0900[diff] [blame]113import static org.onosproject.k8snetworking.api.Constants.STAT_EGRESS_TABLE;
Jian Li619fa282020-09-02 14:45:35 +0900[diff] [blame^]114import static org.onosproject.k8snetworking.api.Constants.TUN_ENTRY_TABLE;
Jian Lif5da78a2019-04-15 01:52:23 +0900[diff] [blame]115import static org.onosproject.k8snetworking.impl.OsgiPropertyConstants.SERVICE_CIDR;
116import static org.onosproject.k8snetworking.impl.OsgiPropertyConstants.SERVICE_IP_CIDR_DEFAULT;
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]117import static org.onosproject.k8snetworking.impl.OsgiPropertyConstants.SERVICE_IP_NAT_MODE;
118import static org.onosproject.k8snetworking.impl.OsgiPropertyConstants.SERVICE_IP_NAT_MODE_DEFAULT;
Jian Li140d8a22019-04-24 23:41:44 +0900[diff] [blame]119import static org.onosproject.k8snetworking.util.K8sNetworkingUtil.getBclassIpPrefixFromCidr;
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]120import static org.onosproject.k8snetworking.util.K8sNetworkingUtil.nodeIpGatewayIpMap;
Jian Lie1a5b8f2019-07-23 17:13:19 +0900[diff] [blame]121import static org.onosproject.k8snetworking.util.K8sNetworkingUtil.podByIp;
122import static org.onosproject.k8snetworking.util.K8sNetworkingUtil.portNumberByName;
Jian Lif5da78a2019-04-15 01:52:23 +0900[diff] [blame]123import static org.onosproject.k8snetworking.util.K8sNetworkingUtil.tunnelPortNumByNetId;
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]124import static org.onosproject.k8snetworking.util.RulePopulatorUtil.CT_NAT_DST_FLAG;
Jian Lif5da78a2019-04-15 01:52:23 +0900[diff] [blame]125import static org.onosproject.k8snetworking.util.RulePopulatorUtil.buildExtension;
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]126import static org.onosproject.k8snetworking.util.RulePopulatorUtil.buildGroupBucket;
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]127import static org.onosproject.k8snetworking.util.RulePopulatorUtil.buildLoadExtension;
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]128import static org.onosproject.k8snetworking.util.RulePopulatorUtil.buildResubmitExtension;
129import static org.onosproject.k8snetworking.util.RulePopulatorUtil.computeCtMaskFlag;
130import static org.onosproject.k8snetworking.util.RulePopulatorUtil.computeCtStateFlag;
131import static org.onosproject.k8snetworking.util.RulePopulatorUtil.niciraConnTrackTreatmentBuilder;
132import static org.onosproject.net.group.GroupDescription.Type.SELECT;
133import static org.slf4j.LoggerFactory.getLogger;
134
135/**
136 * Handles the service IP to pod IP related translation traffic.
137 */
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]138@Component(
139 immediate = true,
140 property = {
Jian Lif5da78a2019-04-15 01:52:23 +0900[diff] [blame]141 SERVICE_IP_NAT_MODE + "=" + SERVICE_IP_NAT_MODE_DEFAULT,
142 SERVICE_CIDR + "=" + SERVICE_IP_CIDR_DEFAULT
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]143 }
144)
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]145public class K8sServiceHandler {
146
147 private final Logger log = getLogger(getClass());
148
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]149 private static final int HOST_CIDR_NUM = 32;
150
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]151 private static final String CLUSTER_IP = "ClusterIP";
152 private static final String TCP = "TCP";
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]153 private static final String UDP = "UDP";
Jian Lif5da78a2019-04-15 01:52:23 +0900[diff] [blame]154 private static final String SERVICE_IP_NAT_MODE = "serviceIpNatMode";
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]155
Jian Li140d8a22019-04-24 23:41:44 +0900[diff] [blame]156 private static final String SERVICE_CIDR = "serviceCidr";
Jian Li44c2b122019-05-03 14:46:34 +0900[diff] [blame]157 private static final String NONE = "None";
Jian Li140d8a22019-04-24 23:41:44 +0900[diff] [blame]158 private static final String B_CLASS_SUFFIX = ".0.0/16";
159 private static final String A_CLASS_SUFFIX = ".0.0.0/8";
160
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]161 @Reference(cardinality = ReferenceCardinality.MANDATORY)
162 protected CoreService coreService;
163
164 @Reference(cardinality = ReferenceCardinality.MANDATORY)
165 protected LeadershipService leadershipService;
166
167 @Reference(cardinality = ReferenceCardinality.MANDATORY)
168 protected ClusterService clusterService;
169
170 @Reference(cardinality = ReferenceCardinality.MANDATORY)
171 protected DriverService driverService;
172
173 @Reference(cardinality = ReferenceCardinality.MANDATORY)
174 protected DeviceService deviceService;
175
176 @Reference(cardinality = ReferenceCardinality.MANDATORY)
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]177 protected ComponentConfigService configService;
178
179 @Reference(cardinality = ReferenceCardinality.MANDATORY)
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]180 protected StorageService storageService;
181
182 @Reference(cardinality = ReferenceCardinality.MANDATORY)
183 protected K8sNetworkService k8sNetworkService;
184
185 @Reference(cardinality = ReferenceCardinality.MANDATORY)
186 protected K8sFlowRuleService k8sFlowRuleService;
187
188 @Reference(cardinality = ReferenceCardinality.MANDATORY)
189 protected K8sGroupRuleService k8sGroupRuleService;
190
191 @Reference(cardinality = ReferenceCardinality.MANDATORY)
192 protected K8sNodeService k8sNodeService;
193
194 @Reference(cardinality = ReferenceCardinality.MANDATORY)
195 protected K8sEndpointsService k8sEndpointsService;
196
197 @Reference(cardinality = ReferenceCardinality.MANDATORY)
198 protected K8sServiceService k8sServiceService;
199
Jian Lie1a5b8f2019-07-23 17:13:19 +0900[diff] [blame]200 @Reference(cardinality = ReferenceCardinality.MANDATORY)
201 protected K8sPodService k8sPodService;
Jian Li4a7ce672019-04-09 15:20:25 +0900[diff] [blame]202
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]203 /** Service IP address translation mode. */
204 private String serviceIpNatMode = SERVICE_IP_NAT_MODE_DEFAULT;
205
Jian Lif5da78a2019-04-15 01:52:23 +0900[diff] [blame]206 /** Ranges of IP address of service VIP. */
207 private String serviceCidr = SERVICE_IP_CIDR_DEFAULT;
208
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]209 private final ExecutorService eventExecutor = newSingleThreadExecutor(
210 groupedThreads(this.getClass().getSimpleName(), "event-handler", log));
211 private final InternalNodeEventListener internalNodeEventListener =
212 new InternalNodeEventListener();
213 private final InternalK8sServiceListener internalK8sServiceListener =
214 new InternalK8sServiceListener();
Jian Li7b63fe62019-04-14 21:49:27 +0900[diff] [blame]215 private final InternalK8sEndpointsListener internalK8sEndpointsListener =
216 new InternalK8sEndpointsListener();
Jian Lif5da78a2019-04-15 01:52:23 +0900[diff] [blame]217 private final InternalK8sNetworkListener internalK8sNetworkListener =
218 new InternalK8sNetworkListener();
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]219
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]220 private ApplicationId appId;
221 private NodeId localNodeId;
222
223 @Activate
224 protected void activate() {
225 appId = coreService.registerApplication(K8S_NETWORKING_APP_ID);
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]226 configService.registerProperties(getClass());
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]227 localNodeId = clusterService.getLocalNode().id();
228 leadershipService.runForLeadership(appId.name());
229 k8sNodeService.addListener(internalNodeEventListener);
230 k8sServiceService.addListener(internalK8sServiceListener);
Jian Li7b63fe62019-04-14 21:49:27 +0900[diff] [blame]231 k8sEndpointsService.addListener(internalK8sEndpointsListener);
Jian Lif5da78a2019-04-15 01:52:23 +0900[diff] [blame]232 k8sNetworkService.addListener(internalK8sNetworkListener);
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]233
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]234 log.info("Started");
235 }
236
237 @Deactivate
238 protected void deactivate() {
239 leadershipService.withdraw(appId.name());
240 k8sNodeService.removeListener(internalNodeEventListener);
241 k8sServiceService.removeListener(internalK8sServiceListener);
Jian Li7b63fe62019-04-14 21:49:27 +0900[diff] [blame]242 k8sEndpointsService.removeListener(internalK8sEndpointsListener);
Jian Lif5da78a2019-04-15 01:52:23 +0900[diff] [blame]243 k8sNetworkService.removeListener(internalK8sNetworkListener);
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]244 configService.unregisterProperties(getClass(), false);
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]245 eventExecutor.shutdown();
246
247 log.info("Stopped");
248 }
249
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]250 @Modified
251 void modified(ComponentContext context) {
252 readComponentConfiguration(context);
253
254 log.info("Modified");
255 }
256
257 private void setStatefulServiceNatRules(DeviceId deviceId, boolean install) {
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]258 // -trk CT rules
259 long ctUntrack = computeCtStateFlag(false, false, false);
260 long ctMaskUntrack = computeCtMaskFlag(true, false, false);
261
262 k8sNetworkService.networks().forEach(n -> {
263 // TODO: need to provide a way to add multiple service IP CIDR ranges
Jian Lif5da78a2019-04-15 01:52:23 +0900[diff] [blame]264 setUntrack(deviceId, ctUntrack, ctMaskUntrack, n.cidr(), serviceCidr,
Jian Li73d3b6a2019-07-08 18:07:53 +0900[diff] [blame]265 GROUPING_TABLE, NAT_TABLE, PRIORITY_CT_RULE, install);
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]266 setUntrack(deviceId, ctUntrack, ctMaskUntrack, n.cidr(), n.cidr(),
Jian Lie1a5b8f2019-07-23 17:13:19 +0900[diff] [blame]267 GROUPING_TABLE, NAMESPACE_TABLE, PRIORITY_CT_RULE, install);
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]268 });
269
270 // +trk-new CT rules
271 long ctTrackUnnew = computeCtStateFlag(true, false, false);
272 long ctMaskTrackUnnew = computeCtMaskFlag(true, true, false);
273
274 setTrackEstablish(deviceId, ctTrackUnnew, ctMaskTrackUnnew,
275 NAT_TABLE, ROUTING_TABLE, PRIORITY_CT_RULE, install);
276
277 // +trk+new CT rules
278 long ctTrackNew = computeCtStateFlag(true, true, false);
279 long ctMaskTrackNew = computeCtMaskFlag(true, true, false);
280
281 k8sServiceService.services().stream()
282 .filter(s -> CLUSTER_IP.equals(s.getSpec().getType()))
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]283 .forEach(s -> setStatefulGroupFlowRules(deviceId, ctTrackNew,
284 ctMaskTrackNew, s, install));
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]285 }
286
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]287 private void setStatelessServiceNatRules(DeviceId deviceId, boolean install) {
288
Jian Li140d8a22019-04-24 23:41:44 +0900[diff] [blame]289 String srcPodCidr = k8sNetworkService.network(
Jian Li7d111d72019-04-12 13:58:44 +0900[diff] [blame]290 k8sNodeService.node(deviceId).hostname()).cidr();
Jian Li140d8a22019-04-24 23:41:44 +0900[diff] [blame]291 String srcPodPrefix = getBclassIpPrefixFromCidr(srcPodCidr);
292 String fullSrcPodCidr = srcPodPrefix + B_CLASS_SUFFIX;
293 String fullSrcNodeCidr = NODE_IP_PREFIX + A_CLASS_SUFFIX;
294
295 // src: POD -> dst: service (unNAT POD) grouping
296 setSrcDstCidrRules(deviceId, fullSrcPodCidr, serviceCidr, B_CLASS, null,
Jian Li73d3b6a2019-07-08 18:07:53 +0900[diff] [blame]297 SHIFTED_IP_PREFIX, SRC, GROUPING_TABLE, SERVICE_TABLE,
Jian Li140d8a22019-04-24 23:41:44 +0900[diff] [blame]298 PRIORITY_CT_RULE, install);
299 // src: POD (unNAT service) -> dst: shifted POD grouping
300 setSrcDstCidrRules(deviceId, fullSrcPodCidr, SHIFTED_IP_CIDR, B_CLASS, null,
Jian Li73d3b6a2019-07-08 18:07:53 +0900[diff] [blame]301 srcPodPrefix, DST, GROUPING_TABLE, POD_TABLE, PRIORITY_CT_RULE, install);
Jian Li140d8a22019-04-24 23:41:44 +0900[diff] [blame]302
303 // src: node -> dst: service (unNAT POD) grouping
304 setSrcDstCidrRules(deviceId, fullSrcNodeCidr, serviceCidr, A_CLASS,
Jian Li73d3b6a2019-07-08 18:07:53 +0900[diff] [blame]305 null, null, null, GROUPING_TABLE, SERVICE_TABLE,
Jian Li140d8a22019-04-24 23:41:44 +0900[diff] [blame]306 PRIORITY_CT_RULE, install);
307 // src: POD (unNAT service) -> dst: node grouping
308 setSrcDstCidrRules(deviceId, fullSrcPodCidr, fullSrcNodeCidr, A_CLASS,
Jian Li73d3b6a2019-07-08 18:07:53 +0900[diff] [blame]309 null, null, null, GROUPING_TABLE, POD_TABLE,
Jian Li140d8a22019-04-24 23:41:44 +0900[diff] [blame]310 PRIORITY_CT_RULE, install);
Jian Li7d111d72019-04-12 13:58:44 +0900[diff] [blame]311
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]312 k8sNetworkService.networks().forEach(n -> {
Jian Li140d8a22019-04-24 23:41:44 +0900[diff] [blame]313 setSrcDstCidrRules(deviceId, fullSrcPodCidr, n.cidr(), B_CLASS,
314 n.segmentId(), null, null, ROUTING_TABLE,
Jian Li73d3b6a2019-07-08 18:07:53 +0900[diff] [blame]315 STAT_EGRESS_TABLE, PRIORITY_INTER_ROUTING_RULE, install);
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]316 });
317
318 // setup load balancing rules using group table
319 k8sServiceService.services().stream()
320 .filter(s -> CLUSTER_IP.equals(s.getSpec().getType()))
321 .forEach(s -> setStatelessGroupFlowRules(deviceId, s, install));
322 }
323
324 private void setSrcDstCidrRules(DeviceId deviceId, String srcCidr,
Jian Li140d8a22019-04-24 23:41:44 +0900[diff] [blame]325 String dstCidr, String cidrClass,
326 String segId, String shiftPrefix,
327 String shiftType, int installTable,
328 int transitTable, int priority,
329 boolean install) {
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]330 TrafficSelector selector = DefaultTrafficSelector.builder()
331 .matchEthType(Ethernet.TYPE_IPV4)
332 .matchIPSrc(IpPrefix.valueOf(srcCidr))
333 .matchIPDst(IpPrefix.valueOf(dstCidr))
334 .build();
335
Jian Li7d111d72019-04-12 13:58:44 +0900[diff] [blame]336 TrafficTreatment.Builder tBuilder = DefaultTrafficTreatment.builder();
337
338 if (segId != null) {
339 tBuilder.setTunnelId(Long.valueOf(segId));
340 }
Jian Li140d8a22019-04-24 23:41:44 +0900[diff] [blame]341
342 if (shiftPrefix != null && shiftType != null) {
343 ExtensionTreatment loadTreatment = buildLoadExtension(
344 deviceService.getDevice(deviceId), cidrClass, shiftType, shiftPrefix);
345 tBuilder.extension(loadTreatment, deviceId);
346 }
347
Jian Li7d111d72019-04-12 13:58:44 +0900[diff] [blame]348 tBuilder.transition(transitTable);
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]349
350 k8sFlowRuleService.setRule(
351 appId,
352 deviceId,
353 selector,
Jian Li7d111d72019-04-12 13:58:44 +0900[diff] [blame]354 tBuilder.build(),
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]355 priority,
356 installTable,
357 install);
358 }
359
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]360 /**
361 * Obtains the service port to endpoint address paired map.
362 *
363 * @param service kubernetes service
364 * @return a map where key is kubernetes service port, and value is the
365 * endpoint addresses that are associated with the service port
366 */
367 private Map<ServicePort, Set<String>> getSportEpAddressMap(Service service) {
368
369 Map<ServicePort, Set<String>> map = Maps.newConcurrentMap();
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]370
371 String serviceName = service.getMetadata().getName();
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]372 List<Endpoints> endpointses = k8sEndpointsService.endpointses()
373 .stream()
374 .filter(ep -> serviceName.equals(ep.getMetadata().getName()))
375 .collect(Collectors.toList());
376
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]377 service.getSpec().getPorts().stream()
378 .filter(Objects::nonNull)
379 .filter(sp -> sp.getTargetPort() != null)
Jian Lib7dfb5b2019-07-15 17:37:12 +0900[diff] [blame]380 .filter(sp -> sp.getTargetPort().getIntVal() != null ||
Jian Lie1a5b8f2019-07-23 17:13:19 +0900[diff] [blame]381 sp.getTargetPort().getStrVal() != null)
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]382 .forEach(sp -> {
Jian Lie1a5b8f2019-07-23 17:13:19 +0900[diff] [blame]383 Integer targetPortInt = sp.getTargetPort().getIntVal() != null ?
384 sp.getTargetPort().getIntVal() : 0;
385 String targetPortName = sp.getTargetPort().getStrVal() != null ?
386 sp.getTargetPort().getStrVal() : "";
387 String targetProtocol = sp.getProtocol();
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]388
Jian Lie1a5b8f2019-07-23 17:13:19 +0900[diff] [blame]389 for (Endpoints endpoints : endpointses) {
390 for (EndpointSubset endpointSubset : endpoints.getSubsets()) {
391
392 // in case service port name is specified but not port number
393 // we will lookup the container port number and use it
394 // as the target port number
395 if (!targetPortName.equals("") && targetPortInt == 0) {
396 for (EndpointAddress addr : endpointSubset.getAddresses()) {
397 Pod pod = podByIp(k8sPodService, addr.getIp());
398 targetPortInt = portNumberByName(pod, targetPortName);
399 }
400 }
401
Jian Li5cf3b002019-08-30 17:57:53 +0900[diff] [blame]402 if (targetPortInt == 0) {
403 continue;
404 }
405
Jian Lie1a5b8f2019-07-23 17:13:19 +0900[diff] [blame]406 for (EndpointPort endpointPort : endpointSubset.getPorts()) {
407 if (targetProtocol.equals(endpointPort.getProtocol()) &&
408 (targetPortInt.equals(endpointPort.getPort()) ||
409 targetPortName.equals(endpointPort.getName()))) {
410 Set<String> addresses = endpointSubset.getAddresses()
411 .stream().map(EndpointAddress::getIp)
412 .collect(Collectors.toSet());
413 map.put(sp, addresses);
414 }
415 }
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]416 }
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]417 }
Jian Lie1a5b8f2019-07-23 17:13:19 +0900[diff] [blame]418 });
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]419
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]420 return map;
421 }
422
Jian Libf562c22019-04-15 18:07:14 +0900[diff] [blame]423 private void setGroupBuckets(Service service, boolean install) {
Jian Li4a7ce672019-04-09 15:20:25 +0900[diff] [blame]424 Map<ServicePort, Set<String>> spEpasMap = getSportEpAddressMap(service);
425 Map<ServicePort, List<GroupBucket>> spGrpBkts = Maps.newConcurrentMap();
Jian Li7b63fe62019-04-14 21:49:27 +0900[diff] [blame]426 Map<String, String> nodeIpGatewayIpMap =
427 nodeIpGatewayIpMap(k8sNodeService, k8sNetworkService);
Jian Li4a7ce672019-04-09 15:20:25 +0900[diff] [blame]428
Jian Libf562c22019-04-15 18:07:14 +0900[diff] [blame]429 for (K8sNode node : k8sNodeService.completeNodes()) {
430 spEpasMap.forEach((sp, epas) -> {
431 List<GroupBucket> bkts = Lists.newArrayList();
Jian Li4a7ce672019-04-09 15:20:25 +0900[diff] [blame]432
Jian Libf562c22019-04-15 18:07:14 +0900[diff] [blame]433 for (String ip : epas) {
Jian Li5cf3b002019-08-30 17:57:53 +0900[diff] [blame]434 GroupBucket bkt = buildBuckets(node.intgBridge(),
435 nodeIpGatewayIpMap.getOrDefault(ip, ip), sp);
436
437 if (bkt == null) {
438 continue;
439 }
440
Jian Libf562c22019-04-15 18:07:14 +0900[diff] [blame]441 if (install) {
Jian Li5cf3b002019-08-30 17:57:53 +0900[diff] [blame]442 bkts.add(bkt);
Jian Libf562c22019-04-15 18:07:14 +0900[diff] [blame]443 } else {
Jian Li5cf3b002019-08-30 17:57:53 +0900[diff] [blame]444 bkts.remove(bkt);
Jian Li7b63fe62019-04-14 21:49:27 +0900[diff] [blame]445 }
Jian Libf562c22019-04-15 18:07:14 +0900[diff] [blame]446 }
447
448 spGrpBkts.put(sp, bkts);
449 });
450
451 String serviceIp = service.getSpec().getClusterIP();
452 spGrpBkts.forEach((sp, bkts) -> {
453 String svcStr = servicePortStr(serviceIp, sp.getPort(), sp.getProtocol());
454 int groupId = svcStr.hashCode();
455
456 if (bkts.size() > 0) {
457 k8sGroupRuleService.setBuckets(appId, node.intgBridge(), groupId, bkts);
458 }
459 });
460
461 spEpasMap.forEach((sp, epas) ->
Jian Lie1a5b8f2019-07-23 17:13:19 +0900[diff] [blame]462 // add flow rules for unshifting IP domain
463 epas.forEach(epa -> {
Jian Lib7dfb5b2019-07-15 17:37:12 +0900[diff] [blame]464
Jian Lie1a5b8f2019-07-23 17:13:19 +0900[diff] [blame]465 String podIp = nodeIpGatewayIpMap.getOrDefault(epa, epa);
466
467 int targetPort;
468 if (sp.getTargetPort().getIntVal() == null) {
469 Pod pod = podByIp(k8sPodService, podIp);
470 targetPort = portNumberByName(pod, sp.getTargetPort().getStrVal());
471 } else {
472 targetPort = sp.getTargetPort().getIntVal();
473 }
474
Jian Li5cf3b002019-08-30 17:57:53 +0900[diff] [blame]475 if (targetPort != 0) {
476 setUnshiftDomainRules(node.intgBridge(), POD_TABLE,
477 PRIORITY_NAT_RULE, serviceIp, sp.getPort(),
478 sp.getProtocol(), podIp,
479 targetPort, install);
480 }
Jian Lie1a5b8f2019-07-23 17:13:19 +0900[diff] [blame]481 })
Jian Libf562c22019-04-15 18:07:14 +0900[diff] [blame]482 );
483 }
Jian Li4a7ce672019-04-09 15:20:25 +0900[diff] [blame]484 }
485
Jian Lib7dfb5b2019-07-15 17:37:12 +0900[diff] [blame]486 private GroupBucket buildBuckets(DeviceId deviceId, String podIpStr, ServicePort sp) {
Jian Li4a7ce672019-04-09 15:20:25 +0900[diff] [blame]487 TrafficTreatment.Builder tBuilder = DefaultTrafficTreatment.builder()
Jian Li7d111d72019-04-12 13:58:44 +0900[diff] [blame]488 .setIpDst(IpAddress.valueOf(podIpStr));
Jian Li4a7ce672019-04-09 15:20:25 +0900[diff] [blame]489
Jian Lie1a5b8f2019-07-23 17:13:19 +0900[diff] [blame]490 int targetPort;
491 if (sp.getTargetPort().getIntVal() == null) {
492 Pod pod = podByIp(k8sPodService, podIpStr);
493 targetPort = portNumberByName(pod, sp.getTargetPort().getStrVal());
494 } else {
495 targetPort = sp.getTargetPort().getIntVal();
496 }
Jian Lib7dfb5b2019-07-15 17:37:12 +0900[diff] [blame]497
Jian Li5cf3b002019-08-30 17:57:53 +0900[diff] [blame]498 if (targetPort == 0) {
499 return null;
500 }
501
Jian Li4a7ce672019-04-09 15:20:25 +0900[diff] [blame]502 if (TCP.equals(sp.getProtocol())) {
Jian Lib7dfb5b2019-07-15 17:37:12 +0900[diff] [blame]503 tBuilder.setTcpDst(TpPort.tpPort(targetPort));
Jian Li4a7ce672019-04-09 15:20:25 +0900[diff] [blame]504 } else if (UDP.equals(sp.getProtocol())) {
Jian Lib7dfb5b2019-07-15 17:37:12 +0900[diff] [blame]505 tBuilder.setUdpDst(TpPort.tpPort(targetPort));
Jian Li4a7ce672019-04-09 15:20:25 +0900[diff] [blame]506 }
507
Jian Li7d111d72019-04-12 13:58:44 +0900[diff] [blame]508 ExtensionTreatment resubmitTreatment = buildResubmitExtension(
Jian Li73d3b6a2019-07-08 18:07:53 +0900[diff] [blame]509 deviceService.getDevice(deviceId), ACL_TABLE);
Jian Li7d111d72019-04-12 13:58:44 +0900[diff] [blame]510 tBuilder.extension(resubmitTreatment, deviceId);
511
Jian Li5cf3b002019-08-30 17:57:53 +0900[diff] [blame]512 // TODO: need to adjust group bucket weight by considering POD locality
Jian Libf562c22019-04-15 18:07:14 +0900[diff] [blame]513 return buildGroupBucket(tBuilder.build(), SELECT, (short) -1);
Jian Li4a7ce672019-04-09 15:20:25 +0900[diff] [blame]514 }
515
516 private synchronized void setStatelessGroupFlowRules(DeviceId deviceId,
517 Service service,
518 boolean install) {
Jian Li7b63fe62019-04-14 21:49:27 +0900[diff] [blame]519 Set<ServicePort> sps = service.getSpec().getPorts().stream()
520 .filter(Objects::nonNull)
521 .filter(sp -> sp.getTargetPort() != null)
Jian Lib7dfb5b2019-07-15 17:37:12 +0900[diff] [blame]522 .filter(sp -> sp.getTargetPort().getIntVal() != null ||
Jian Lie1a5b8f2019-07-23 17:13:19 +0900[diff] [blame]523 sp.getTargetPort().getStrVal() != null)
Jian Li7b63fe62019-04-14 21:49:27 +0900[diff] [blame]524 .collect(Collectors.toSet());
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]525
526 String serviceIp = service.getSpec().getClusterIP();
Jian Li7b63fe62019-04-14 21:49:27 +0900[diff] [blame]527 sps.forEach(sp -> {
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]528 String svcStr = servicePortStr(serviceIp, sp.getPort(), sp.getProtocol());
Jian Li4a7ce672019-04-09 15:20:25 +0900[diff] [blame]529 int groupId = svcStr.hashCode();
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]530
Jian Li4a7ce672019-04-09 15:20:25 +0900[diff] [blame]531 if (install) {
532
533 // add group table rules
534 k8sGroupRuleService.setRule(appId, deviceId, groupId,
Jian Li7b63fe62019-04-14 21:49:27 +0900[diff] [blame]535 SELECT, Lists.newArrayList(), true);
Jian Li4a7ce672019-04-09 15:20:25 +0900[diff] [blame]536
537 log.info("Adding group rule {}", groupId);
538
539 // if we failed to add group rule, we will not install flow rules
540 // as this might cause rule inconsistency
541 if (k8sGroupRuleService.hasGroup(deviceId, groupId)) {
542 // add flow rules for shifting IP domain
543 setShiftDomainRules(deviceId, SERVICE_TABLE, groupId,
544 PRIORITY_NAT_RULE, serviceIp, sp.getPort(),
545 sp.getProtocol(), true);
546 }
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]547 } else {
Jian Li4a7ce672019-04-09 15:20:25 +0900[diff] [blame]548 // remove flow rules for shifting IP domain
549 setShiftDomainRules(deviceId, SERVICE_TABLE, groupId,
550 PRIORITY_NAT_RULE, serviceIp, sp.getPort(),
551 sp.getProtocol(), false);
552
553 // remove group table rules
554 k8sGroupRuleService.setRule(appId, deviceId, groupId,
Jian Li7b63fe62019-04-14 21:49:27 +0900[diff] [blame]555 SELECT, Lists.newArrayList(), false);
Jian Li4a7ce672019-04-09 15:20:25 +0900[diff] [blame]556
557 log.info("Removing group rule {}", groupId);
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]558 }
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]559 });
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]560 }
561
562 private void setShiftDomainRules(DeviceId deviceId, int installTable,
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]563 int groupId, int priority, String serviceIp,
564 int servicePort, String protocol, boolean install) {
Jian Li44c2b122019-05-03 14:46:34 +0900[diff] [blame]565
566 if (serviceIp == null || NONE.equals(serviceIp)) {
567 return;
568 }
569
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]570 TrafficSelector.Builder sBuilder = DefaultTrafficSelector.builder()
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]571 .matchEthType(Ethernet.TYPE_IPV4)
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]572 .matchIPDst(IpPrefix.valueOf(IpAddress.valueOf(serviceIp), HOST_CIDR_NUM));
573
574 if (TCP.equals(protocol)) {
575 sBuilder.matchIPProtocol(IPv4.PROTOCOL_TCP)
576 .matchTcpDst(TpPort.tpPort(servicePort));
577 } else if (UDP.equals(protocol)) {
578 sBuilder.matchIPProtocol(IPv4.PROTOCOL_UDP)
579 .matchUdpDst(TpPort.tpPort(servicePort));
580 }
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]581
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]582 TrafficTreatment treatment = DefaultTrafficTreatment.builder()
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]583 .group(GroupId.valueOf(groupId))
584 .build();
585
586 k8sFlowRuleService.setRule(
587 appId,
588 deviceId,
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]589 sBuilder.build(),
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]590 treatment,
591 priority,
592 installTable,
593 install);
594 }
595
596 private void setUnshiftDomainRules(DeviceId deviceId, int installTable,
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]597 int priority, String serviceIp,
598 int servicePort, String protocol,
599 String podIp, int podPort, boolean install) {
600 TrafficSelector.Builder sBuilder = DefaultTrafficSelector.builder()
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]601 .matchEthType(Ethernet.TYPE_IPV4)
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]602 .matchIPSrc(IpPrefix.valueOf(IpAddress.valueOf(podIp), HOST_CIDR_NUM));
603
604 if (TCP.equals(protocol)) {
605 sBuilder.matchIPProtocol(IPv4.PROTOCOL_TCP)
606 .matchTcpSrc(TpPort.tpPort(podPort));
607 } else if (UDP.equals(protocol)) {
608 sBuilder.matchIPProtocol(IPv4.PROTOCOL_UDP)
609 .matchUdpSrc(TpPort.tpPort(podPort));
610 }
611
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]612 TrafficTreatment.Builder tBuilder = DefaultTrafficTreatment.builder()
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]613 .setIpSrc(IpAddress.valueOf(serviceIp))
Jian Li73d3b6a2019-07-08 18:07:53 +0900[diff] [blame]614 .transition(ACL_TABLE);
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]615
616 if (TCP.equals(protocol)) {
617 tBuilder.setTcpSrc(TpPort.tpPort(servicePort));
618 } else if (UDP.equals(protocol)) {
619 tBuilder.setUdpSrc(TpPort.tpPort(servicePort));
620 }
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]621
622 k8sFlowRuleService.setRule(
623 appId,
624 deviceId,
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]625 sBuilder.build(),
626 tBuilder.build(),
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]627 priority,
628 installTable,
629 install);
630 }
631
Jian Lif5da78a2019-04-15 01:52:23 +0900[diff] [blame]632 private void setCidrRoutingRule(IpPrefix prefix, MacAddress mac,
633 K8sNetwork network, boolean install) {
634 TrafficSelector.Builder sBuilder = DefaultTrafficSelector.builder()
635 .matchEthType(Ethernet.TYPE_IPV4)
636 .matchIPSrc(prefix)
637 .matchIPDst(IpPrefix.valueOf(network.cidr()));
638
639 k8sNodeService.completeNodes().forEach(n -> {
640 TrafficTreatment.Builder tBuilder = DefaultTrafficTreatment.builder()
641 .setTunnelId(Long.valueOf(network.segmentId()));
642
643 if (n.hostname().equals(network.name())) {
644 if (mac != null) {
645 tBuilder.setEthSrc(mac);
646 }
Jian Li73d3b6a2019-07-08 18:07:53 +0900[diff] [blame]647 tBuilder.transition(STAT_EGRESS_TABLE);
Jian Lif5da78a2019-04-15 01:52:23 +0900[diff] [blame]648 } else {
Jian Lif5da78a2019-04-15 01:52:23 +0900[diff] [blame]649 K8sNode localNode = k8sNodeService.node(network.name());
650
Jian Li619fa282020-09-02 14:45:35 +0900[diff] [blame^]651 tBuilder.setOutput(n.intgToTunPortNum());
652
653 PortNumber portNum = tunnelPortNumByNetId(network.networkId(),
654 k8sNetworkService, n);
655
656 // install rules into tunnel bridge
657 TrafficTreatment treatmentToRemote = DefaultTrafficTreatment.builder()
658 .extension(buildExtension(
659 deviceService,
660 n.tunBridge(),
661 localNode.dataIp().getIp4Address()),
662 n.tunBridge())
663 .setTunnelId(Long.valueOf(network.segmentId()))
664 .setOutput(portNum)
665 .build();
666
667 k8sFlowRuleService.setRule(
668 appId,
669 n.tunBridge(),
670 sBuilder.build(),
671 treatmentToRemote,
672 PRIORITY_CIDR_RULE,
673 TUN_ENTRY_TABLE,
674 install
675 );
Jian Lif5da78a2019-04-15 01:52:23 +0900[diff] [blame]676 }
677
678 k8sFlowRuleService.setRule(
679 appId,
680 n.intgBridge(),
681 sBuilder.build(),
682 tBuilder.build(),
683 PRIORITY_CIDR_RULE,
684 ROUTING_TABLE,
685 install
686 );
687 });
688 }
689
690 private void setupServiceDefaultRule(K8sNetwork k8sNetwork, boolean install) {
691 setCidrRoutingRule(IpPrefix.valueOf(serviceCidr),
692 MacAddress.valueOf(SERVICE_FAKE_MAC_STR), k8sNetwork, install);
693 }
694
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]695 private void setStatefulGroupFlowRules(DeviceId deviceId, long ctState,
696 long ctMask, Service service,
697 boolean install) {
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]698 List<GroupBucket> buckets = Lists.newArrayList();
699
700 String serviceName = service.getMetadata().getName();
701 String serviceIp = service.getSpec().getClusterIP();
702
703 // TODO: multi-ports case should be addressed
704 Integer servicePort = service.getSpec().getPorts().get(0).getPort();
Jian Libf562c22019-04-15 18:07:14 +0900[diff] [blame]705 String serviceProtocol = service.getSpec().getPorts().get(0).getProtocol();
706
707 String svcStr = servicePortStr(serviceIp, servicePort, serviceProtocol);
708 int groupId = svcStr.hashCode();
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]709
710 List<Endpoints> endpointses = k8sEndpointsService.endpointses()
711 .stream()
712 .filter(ep -> serviceName.equals(ep.getMetadata().getName()))
713 .collect(Collectors.toList());
714
715 Map<String, String> nodeIpGatewayIpMap =
716 nodeIpGatewayIpMap(k8sNodeService, k8sNetworkService);
717
718 for (Endpoints endpoints : endpointses) {
719 for (EndpointSubset endpointSubset : endpoints.getSubsets()) {
720 List<EndpointPort> ports = endpointSubset.getPorts()
721 .stream()
722 .filter(p -> p.getProtocol().equals(TCP))
723 .collect(Collectors.toList());
724
725 for (EndpointAddress address : endpointSubset.getAddresses()) {
726 String podIp = nodeIpGatewayIpMap.containsKey(address.getIp()) ?
727 nodeIpGatewayIpMap.get(address.getIp()) : address.getIp();
728
729 NiciraConnTrackTreatmentBuilder connTreatmentBuilder =
730 niciraConnTrackTreatmentBuilder(driverService, deviceId)
731 .commit(true)
732 .natAction(true)
733 .natIp(IpAddress.valueOf(podIp))
734 .natFlag(CT_NAT_DST_FLAG);
735
736 ports.forEach(p -> {
737 ExtensionTreatment ctNatTreatment = connTreatmentBuilder
Jian Lieb488ea2019-04-16 01:50:02 +0900[diff] [blame]738 .natPortMin(TpPort.tpPort(p.getPort()))
739 .natPortMax(TpPort.tpPort(p.getPort()))
740 .build();
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]741 ExtensionTreatment resubmitTreatment = buildResubmitExtension(
Jian Li73d3b6a2019-07-08 18:07:53 +0900[diff] [blame]742 deviceService.getDevice(deviceId), ACL_TABLE);
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]743 TrafficTreatment treatment = DefaultTrafficTreatment.builder()
744 .extension(ctNatTreatment, deviceId)
745 .extension(resubmitTreatment, deviceId)
746 .build();
747 buckets.add(buildGroupBucket(treatment, SELECT, (short) -1));
748 });
749 }
750 }
751 }
752
753 if (!buckets.isEmpty()) {
754 k8sGroupRuleService.setRule(appId, deviceId, groupId, SELECT, buckets, install);
755
756 setTrackNew(deviceId, ctState, ctMask, IpAddress.valueOf(serviceIp),
757 TpPort.tpPort(servicePort), NAT_TABLE, groupId,
758 PRIORITY_CT_RULE, install);
759 }
760 }
761
762 private void setUntrack(DeviceId deviceId, long ctState, long ctMask,
763 String srcCidr, String dstCidr, int installTable,
764 int transitTable, int priority, boolean install) {
765 ExtensionSelector esCtSate = RulePopulatorUtil
766 .buildCtExtensionSelector(driverService, deviceId, ctState, ctMask);
767 TrafficSelector selector = DefaultTrafficSelector.builder()
768 .matchEthType(Ethernet.TYPE_IPV4)
769 .matchIPSrc(IpPrefix.valueOf(srcCidr))
770 .matchIPDst(IpPrefix.valueOf(dstCidr))
771 .extension(esCtSate, deviceId)
772 .build();
773
774 NiciraConnTrackTreatmentBuilder connTreatmentBuilder =
775 niciraConnTrackTreatmentBuilder(driverService, deviceId)
776 .natAction(false)
777 .commit(false)
778 .table((short) transitTable);
779
780 TrafficTreatment treatment = DefaultTrafficTreatment.builder()
781 .extension(connTreatmentBuilder.build(), deviceId)
782 .build();
783
784 k8sFlowRuleService.setRule(
785 appId,
786 deviceId,
787 selector,
788 treatment,
789 priority,
790 installTable,
791 install);
792 }
793
794 private void setTrackNew(DeviceId deviceId, long ctState, long ctMask,
795 IpAddress dstIp, TpPort dstPort, int installTable,
796 int groupId, int priority, boolean install) {
797 ExtensionSelector esCtSate = RulePopulatorUtil
798 .buildCtExtensionSelector(driverService, deviceId, ctState, ctMask);
799 TrafficSelector selector = DefaultTrafficSelector.builder()
800 .matchEthType(Ethernet.TYPE_IPV4)
801 .matchIPDst(IpPrefix.valueOf(dstIp, HOST_CIDR_NUM))
802 .matchIPProtocol(IPv4.PROTOCOL_TCP)
803 .matchTcpDst(dstPort)
804 .extension(esCtSate, deviceId)
805 .build();
806 TrafficTreatment treatment = DefaultTrafficTreatment.builder()
807 .group(GroupId.valueOf(groupId))
808 .build();
809
810 k8sFlowRuleService.setRule(
811 appId,
812 deviceId,
813 selector,
814 treatment,
815 priority,
816 installTable,
817 install);
818 }
819
820 private void setTrackEstablish(DeviceId deviceId, long ctState, long ctMask,
821 int installTable, int transitTable,
822 int priority, boolean install) {
823 ExtensionSelector esCtSate = RulePopulatorUtil
824 .buildCtExtensionSelector(driverService, deviceId, ctState, ctMask);
825 TrafficSelector selector = DefaultTrafficSelector.builder()
826 .extension(esCtSate, deviceId)
827 .build();
828
829 TrafficTreatment treatment = DefaultTrafficTreatment.builder()
830 .transition(transitTable)
831 .build();
832
833 k8sFlowRuleService.setRule(
834 appId,
835 deviceId,
836 selector,
837 treatment,
838 priority,
839 installTable,
840 install);
841 }
842
Jian Libf562c22019-04-15 18:07:14 +0900[diff] [blame]843 private void setEndpointsRules(Endpoints endpoints, boolean install) {
844 String appName = endpoints.getMetadata().getName();
845 Service service = k8sServiceService.services().stream().filter(s ->
846 appName.equals(s.getMetadata().getName()))
847 .findFirst().orElse(null);
Jian Li7b63fe62019-04-14 21:49:27 +0900[diff] [blame]848
Jian Libf562c22019-04-15 18:07:14 +0900[diff] [blame]849 if (service == null) {
850 return;
Jian Li7b63fe62019-04-14 21:49:27 +0900[diff] [blame]851 }
Jian Libf562c22019-04-15 18:07:14 +0900[diff] [blame]852
853 setGroupBuckets(service, install);
Jian Li7b63fe62019-04-14 21:49:27 +0900[diff] [blame]854 }
855
Jian Lif5da78a2019-04-15 01:52:23 +0900[diff] [blame]856 private String servicePortStr(String ip, int port, String protocol) {
857 return ip + "_" + port + "_" + protocol;
858 }
859
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]860 /**
861 * Extracts properties from the component configuration context.
862 *
863 * @param context the component context
864 */
865 private void readComponentConfiguration(ComponentContext context) {
866 Dictionary<?, ?> properties = context.getProperties();
867
868 String updatedNatMode = Tools.get(properties, SERVICE_IP_NAT_MODE);
869 serviceIpNatMode = updatedNatMode != null ? updatedNatMode : SERVICE_IP_NAT_MODE_DEFAULT;
870 log.info("Configured. Service IP NAT mode is {}", serviceIpNatMode);
Jian Lif5da78a2019-04-15 01:52:23 +0900[diff] [blame]871
872 String updatedServiceCidr = Tools.get(properties, SERVICE_CIDR);
873 serviceCidr = updatedServiceCidr != null ?
874 updatedServiceCidr : SERVICE_IP_CIDR_DEFAULT;
875 log.info("Configured. Service VIP range is {}", serviceCidr);
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]876 }
877
Jian Li4a7ce672019-04-09 15:20:25 +0900[diff] [blame]878 private void setServiceNatRules(DeviceId deviceId, boolean install) {
879 if (NAT_STATEFUL.equals(serviceIpNatMode)) {
880 setStatefulServiceNatRules(deviceId, install);
881 } else if (NAT_STATELESS.equals(serviceIpNatMode)) {
882 setStatelessServiceNatRules(deviceId, install);
883 } else {
884 log.warn("Service IP NAT mode was not configured!");
885 }
886 }
887
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]888 private class InternalK8sServiceListener implements K8sServiceListener {
889
890 private boolean isRelevantHelper() {
891 return Objects.equals(localNodeId, leadershipService.getLeader(appId.name()));
892 }
893
894 @Override
895 public void event(K8sServiceEvent event) {
896 switch (event.type()) {
897 case K8S_SERVICE_CREATED:
Jian Li4a7ce672019-04-09 15:20:25 +0900[diff] [blame]898 case K8S_SERVICE_UPDATED:
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]899 eventExecutor.execute(() -> processServiceCreation(event.subject()));
900 break;
901 case K8S_SERVICE_REMOVED:
902 eventExecutor.execute(() -> processServiceRemoval(event.subject()));
903 break;
904 default:
905 // do nothing
906 break;
907 }
908 }
909
910 private void processServiceCreation(Service service) {
911 if (!isRelevantHelper()) {
912 return;
913 }
914
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]915 if (NAT_STATEFUL.equals(serviceIpNatMode)) {
916 long ctTrackNew = computeCtStateFlag(true, true, false);
917 long ctMaskTrackNew = computeCtMaskFlag(true, true, false);
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]918
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]919 k8sNodeService.completeNodes().forEach(n ->
920 setStatefulGroupFlowRules(n.intgBridge(), ctTrackNew,
921 ctMaskTrackNew, service, true));
922 } else if (NAT_STATELESS.equals(serviceIpNatMode)) {
923 k8sNodeService.completeNodes().forEach(n ->
924 setStatelessGroupFlowRules(n.intgBridge(), service, true));
925 }
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]926 }
927
928 private void processServiceRemoval(Service service) {
929 if (!isRelevantHelper()) {
930 return;
931 }
932
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]933 if (NAT_STATEFUL.equals(serviceIpNatMode)) {
934 long ctTrackNew = computeCtStateFlag(true, true, false);
935 long ctMaskTrackNew = computeCtMaskFlag(true, true, false);
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]936
Jian Li5e8a22a2019-02-27 11:48:42 +0900[diff] [blame]937 k8sNodeService.completeNodes().forEach(n ->
938 setStatefulGroupFlowRules(n.intgBridge(), ctTrackNew,
939 ctMaskTrackNew, service, false));
940 } else if (NAT_STATELESS.equals(serviceIpNatMode)) {
941 k8sNodeService.completeNodes().forEach(n ->
942 setStatelessGroupFlowRules(n.intgBridge(), service, false));
943 }
Jian Li004526d2019-02-25 16:26:27 +0900[diff] [blame]944 }
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]945 }
946
Jian Li7b63fe62019-04-14 21:49:27 +0900[diff] [blame]947 private class InternalK8sEndpointsListener implements K8sEndpointsListener {
948
949 private boolean isRelevantHelper() {
950 return Objects.equals(localNodeId, leadershipService.getLeader(appId.name()));
951 }
952
953 @Override
954 public void event(K8sEndpointsEvent event) {
955 Endpoints endpoints = event.subject();
956
957 switch (event.type()) {
958 case K8S_ENDPOINTS_CREATED:
Jian Libf562c22019-04-15 18:07:14 +0900[diff] [blame]959 case K8S_ENDPOINTS_UPDATED:
Jian Li7b63fe62019-04-14 21:49:27 +0900[diff] [blame]960 eventExecutor.execute(() -> processEndpointsCreation(endpoints));
961 break;
962 case K8S_ENDPOINTS_REMOVED:
963 eventExecutor.execute(() -> processEndpointsRemoval(endpoints));
964 break;
965 default:
966 break;
967 }
968 }
969
970 private void processEndpointsCreation(Endpoints endpoints) {
971 if (!isRelevantHelper()) {
972 return;
973 }
974
Jian Libf562c22019-04-15 18:07:14 +0900[diff] [blame]975 setEndpointsRules(endpoints, true);
Jian Li7b63fe62019-04-14 21:49:27 +0900[diff] [blame]976 }
977
978 private void processEndpointsRemoval(Endpoints endpoints) {
979 if (!isRelevantHelper()) {
980 return;
981 }
982
Jian Libf562c22019-04-15 18:07:14 +0900[diff] [blame]983 setEndpointsRules(endpoints, false);
Jian Li4a7ce672019-04-09 15:20:25 +0900[diff] [blame]984 }
985 }
986
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]987 private class InternalNodeEventListener implements K8sNodeListener {
988
989 private boolean isRelevantHelper() {
990 return Objects.equals(localNodeId, leadershipService.getLeader(appId.name()));
991 }
992
993 @Override
994 public void event(K8sNodeEvent event) {
995 K8sNode k8sNode = event.subject();
996 switch (event.type()) {
997 case K8S_NODE_COMPLETE:
998 eventExecutor.execute(() -> processNodeCompletion(k8sNode));
999 break;
1000 case K8S_NODE_INCOMPLETE:
Jian Li4a7ce672019-04-09 15:20:25 +0900[diff] [blame]1001 case K8S_NODE_REMOVED:
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]1002 default:
1003 break;
1004 }
1005 }
1006
1007 private void processNodeCompletion(K8sNode node) {
1008 if (!isRelevantHelper()) {
1009 return;
1010 }
1011
Jian Li4a7ce672019-04-09 15:20:25 +0900[diff] [blame]1012 setServiceNatRules(node.intgBridge(), true);
Jian Libf562c22019-04-15 18:07:14 +0900[diff] [blame]1013 k8sEndpointsService.endpointses().forEach(e -> setEndpointsRules(e, true));
Jian Lif5da78a2019-04-15 01:52:23 +0900[diff] [blame]1014 k8sNetworkService.networks().forEach(n -> setupServiceDefaultRule(n, true));
1015 }
1016 }
1017
1018 private class InternalK8sNetworkListener implements K8sNetworkListener {
1019
1020 private boolean isRelevantHelper() {
1021 return Objects.equals(localNodeId, leadershipService.getLeader(appId.name()));
1022 }
1023
1024 @Override
1025 public void event(K8sNetworkEvent event) {
1026 switch (event.type()) {
1027 case K8S_NETWORK_CREATED:
1028 eventExecutor.execute(() -> processNetworkCreation(event.subject()));
1029 break;
1030 case K8S_NETWORK_UPDATED:
1031 case K8S_NETWORK_REMOVED:
1032 default:
1033 break;
1034 }
1035 }
1036
1037 private void processNetworkCreation(K8sNetwork network) {
1038 if (!isRelevantHelper()) {
1039 return;
1040 }
1041
1042 setupServiceDefaultRule(network, true);
Jian Li2cc2b632019-02-18 00:56:40 +0900[diff] [blame]1043 }
1044 }
1045}