Merge pull request #86 from DockToFuture/add/bpf-lb-sock-hostns-only-…

…flag Support configuration for bpfSocketLBHostnsOnly flag
gardener · Mar 28, 2022 · 72eec06 · 72eec06
2 parents 8b751bd + a3fbe57
commit 72eec06
Show file tree

Hide file tree

Showing 11 changed files with 157 additions and 1 deletion.
diff --git a/charts/internal/cilium/charts/config/templates/configmap.yaml b/charts/internal/cilium/charts/config/templates/configmap.yaml
@@ -245,6 +245,11 @@ data:
   # optimization for nodeport reverse NAT handling.
   bpf-lb-external-clusterip: "{{ .Values.global.bpf.lbExternalClusterip }}"
 {{- end }}
+{{- if .Values.global.bpfSocketLBHostnsOnly.enabled }}
+  # bpf-lb-sock-hostns-only skip socket LB for services when inside a pod namespace, in favor of service LB at the pod interface.
+  # Socket LB is still used when in the host namespace. Required by service mesh (e.g., Istio, Linkerd).
+  bpf-lb-sock-hostns-only: "{{ .Values.global.bpfSocketLBHostnsOnly.enabled }}"
+{{- end }}
 
   # Pre-allocation of map entries allows per-packet latency to be reduced, at
   # the expense of up-front memory allocation for the entries in the maps. The

diff --git a/charts/internal/cilium/values.yaml b/charts/internal/cilium/values.yaml
@@ -276,6 +276,11 @@ global:
   # optimization for nodeport reverse NAT handling.
     lbExternalClusterip: "false"
 
+  # bpf-lb-sock-hostns-only skip socket LB for services when inside a pod namespace, in favor of service LB at the pod interface.
+  # Socket LB is still used when in the host namespace. Required by service mesh (e.g., Istio, Linkerd).
+  bpfSocketLBHostnsOnly:
+    enabled: false
+
   # encryption is the encryption specific configuration
   encryption:
     # enabled enables encryption

diff --git a/example/20-network.yaml b/example/20-network.yaml
@@ -42,6 +42,8 @@ spec:
   providerConfig:
     apiVersion: cilium.networking.extensions.gardener.cloud/v1alpha1
     kind: NetworkConfig
+#    bpfSocketLBHostnsOnly:
+#      enabled: true
 #    hubble:
 #      enabled: true
 #      ui: true
@@ -54,4 +56,4 @@ spec:
 #        - "icmp"
 #        - "http"
 #    store: kubernetes
-#    psp: true
+#    psp: true
diff --git a/hack/api-reference/cilium.md b/hack/api-reference/cilium.md
@@ -137,6 +137,49 @@ IPv6
 <p>Enable IPv6</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>bpfSocketLBHostnsOnly</code></br>
+<em>
+<a href="#cilium.networking.extensions.gardener.cloud/v1alpha1.BPFSocketLBHostnsOnly">
+BPFSocketLBHostnsOnly
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>BPFSocketLBHostnsOnly flag to be enabled or not</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="cilium.networking.extensions.gardener.cloud/v1alpha1.BPFSocketLBHostnsOnly">BPFSocketLBHostnsOnly
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#cilium.networking.extensions.gardener.cloud/v1alpha1.NetworkConfig">NetworkConfig</a>)
+</p>
+<p>
+<p>BPFSocketLBHostnsOnly enablement for cilium</p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>enabled</code></br>
+<em>
+bool
+</em>
+</td>
+<td>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="cilium.networking.extensions.gardener.cloud/v1alpha1.Hubble">Hubble

diff --git a/pkg/apis/cilium/types_network.go b/pkg/apis/cilium/types_network.go
@@ -94,6 +94,11 @@ type IPv6 struct {
 	Enabled bool
 }
 
+// BPFSocketLBHostnsOnly enablement for cilium
+type BPFSocketLBHostnsOnly struct {
+	Enabled bool
+}
+
 // Nodeport enablement for cilium
 type Nodeport struct {
 	// Enabled is used to define whether Nodeport is required or not.
@@ -131,4 +136,6 @@ type NetworkConfig struct {
 	Store *Store
 	// Enable IPv6
 	IPv6 *IPv6
+	// BPFSocketLBHostnsOnly flag to be enabled or not
+	BPFSocketLBHostnsOnly *BPFSocketLBHostnsOnly
 }
diff --git a/pkg/apis/cilium/v1alpha1/types_network.go b/pkg/apis/cilium/v1alpha1/types_network.go
@@ -84,6 +84,11 @@ type IPv6 struct {
 	Enabled bool `json:"enabled"`
 }
 
+// BPFSocketLBHostnsOnly enablement for cilium
+type BPFSocketLBHostnsOnly struct {
+	Enabled bool `json:"enabled"`
+}
+
 // Nodeport enablement for cilium
 type Nodeport struct {
 	// Enabled is used to define whether Nodeport is required or not.
@@ -130,4 +135,7 @@ type NetworkConfig struct {
 	// Enable IPv6
 	// +optional
 	IPv6 *IPv6 `json:"ipv6,omitempty"`
+	// BPFSocketLBHostnsOnly flag to be enabled or not
+	// +optional
+	BPFSocketLBHostnsOnly *BPFSocketLBHostnsOnly `json:"bpfSocketLBHostnsOnly,omitempty"`
 }
diff --git a/pkg/apis/cilium/v1alpha1/zz_generated.conversion.go b/pkg/apis/cilium/v1alpha1/zz_generated.conversion.go
diff --git a/pkg/apis/cilium/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/cilium/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/apis/cilium/zz_generated.deepcopy.go b/pkg/apis/cilium/zz_generated.deepcopy.go
diff --git a/pkg/charts/config.go b/pkg/charts/config.go
@@ -32,6 +32,7 @@ type globalConfig struct {
 	NodePort               nodePort                                `json:"nodePort"`
 	PodCIDR                string                                  `json:"podCIDR"`
 	UseProjectedTokenMount bool                                    `json:"useProjectedTokenMount bool"`
+	BPFSocketLBHostnsOnly  bpfSocketLBHostnsOnly                   `json:"bpfSocketLBHostnsOnly"`
 }
 
 // etcd related configuration for cilium
@@ -121,3 +122,7 @@ type config struct {
 	// config is required or not
 	Enabled bool `json:"enabled"`
 }
+
+type bpfSocketLBHostnsOnly struct {
+	Enabled bool `json:"enabled"`
+}
diff --git a/pkg/charts/utils.go b/pkg/charts/utils.go
@@ -87,6 +87,9 @@ var defaultGlobalConfig = globalConfig{
 	},
 	PodCIDR:                "",
 	UseProjectedTokenMount: false,
+	BPFSocketLBHostnsOnly: bpfSocketLBHostnsOnly{
+		Enabled: false,
+	},
 }
 
 func newGlobalConfig() globalConfig {
@@ -162,5 +165,9 @@ func generateChartValues(config *ciliumv1alpha1.NetworkConfig, network *extensio
 		globalConfig.Ipv6.Enabled = config.IPv6.Enabled
 	}
 
+	// check if BPFSocketLBHostnsOnly is enabled
+	if config.BPFSocketLBHostnsOnly != nil {
+		globalConfig.BPFSocketLBHostnsOnly.Enabled = config.BPFSocketLBHostnsOnly.Enabled
+	}
 	return requirementsConfig, globalConfig, nil
 }