Constants ¶
const (
	// A valid ofport_request number is in the range 1 to 65,279. For an ofport_request number outside that
	// range, OVS ignores it and automatically assigns a port number.
	// Here we use the invalid port number "0" to request automatic port allocation.
	AutoAssignedOFPort = 0
	// DefaultTunOFPort is the OpenFlow port requested for the default tunnel interface.
	DefaultTunOFPort = 1
	// HostGatewayOFPort is the OpenFlow port requested for the host gateway interface.
	HostGatewayOFPort = 2
	// UplinkOFPort is the OpenFlow port requested for the uplink interface.
	UplinkOFPort = 3
	// BridgeOFPort is 0xfffffffe, a reserved port number in the OpenFlow protocol which is dedicated
	// to the bridge (local) interface.
	BridgeOFPort = 0xfffffffe
)
const (
	// WireGuardOverhead is the per-packet overhead added by WireGuard encapsulation:
	// 20-byte outer IPv4 header, 8-byte UDP header, 4-byte type, 4-byte key index,
	// 8-byte nonce and 16-byte authentication tag.
	WireGuardOverhead = 60
	// IPSecESPOverhead is the maximum number of bytes IPsec ESP can add to a packet,
	// including the ESP header and trailer.
	IPSecESPOverhead = 38
)
const (
	// L7RedirectTargetPortName is the name of the port through which matched L7 NetworkPolicy traffic
	// is redirected to the application-aware engine (see L7NetworkPolicyConfig.TargetOFPort).
	L7RedirectTargetPortName = "antrea-l7-tap0"
	// L7RedirectReturnPortName is the name of the port through which scanned L7 NetworkPolicy traffic
	// is returned from the application-aware engine (see L7NetworkPolicyConfig.ReturnOFPort).
	L7RedirectReturnPortName = "antrea-l7-tap1"
	// L7SuricataSocketPath is the path of the Suricata EVE output socket the agent reads events from.
	// NOTE(review): the socket's consumer is not visible here; confirm against the L7 engine code.
	L7SuricataSocketPath = "/var/run/suricata/suricata_eve.socket"
)
const (
	// NodeNetworkPolicyIngressRulesChain is the name of the chain holding ingress rules for Node NetworkPolicy.
	NodeNetworkPolicyIngressRulesChain = "ANTREA-POL-INGRESS-RULES"
	// NodeNetworkPolicyEgressRulesChain is the name of the chain holding egress rules for Node NetworkPolicy.
	NodeNetworkPolicyEgressRulesChain = "ANTREA-POL-EGRESS-RULES"
	// NodeNetworkPolicyPrefix is the common prefix of all chains created for Node NetworkPolicy.
	NodeNetworkPolicyPrefix = "ANTREA-POL"
)
Variables ¶
var (
	// VirtualServiceIPv4 or VirtualServiceIPv6 is used in the following scenarios:
	//   - The IP is used to perform SNAT for packets of Service sourced from Antrea gateway and destined for
	//     external network via Antrea gateway.
	//   - The IP is used as destination IP in host routing entry to forward replied SNATed Service packets
	//     back to Antrea gateway.
	//   - The IP is used as the next hop of host routing entry for ClusterIP and virtual NodePort DNAT IP.
	//
	// The IP cannot be one used in the network, and cannot be within the 169.254.1.0 - 169.254.254.255 range
	// according to https://datatracker.ietf.org/doc/html/rfc3927#section-2.1
	VirtualServiceIPv4 = net.ParseIP("169.254.0.253")
	VirtualServiceIPv6 = net.ParseIP("fc01::aabb:ccdd:eeff")
	// VirtualNodePortDNATIPv4 or VirtualNodePortDNATIPv6 is used in the following scenarios:
	//   - The IP is used to perform DNAT on host for packets of NodePort sourced from local Node or
	//     external network.
	//   - The IP is used as destination IP in host routing entry to forward DNATed NodePort packets to
	//     Antrea gateway.
	VirtualNodePortDNATIPv4 = net.ParseIP("169.254.0.252")
	VirtualNodePortDNATIPv6 = net.ParseIP("fc01::aabb:ccdd:eefe")
)
Functions ¶
func IsIPv4Enabled ¶
func IsIPv4Enabled(nodeConfig *NodeConfig, trafficEncapMode TrafficEncapModeType) (bool, error)
IsIPv4Enabled returns true if the cluster network supports IPv4. The legal cases are:
- NetworkPolicyOnly mode, NodeIPv4Addr != nil: IPv4 is enabled
- NetworkPolicyOnly mode, NodeIPv4Addr == nil: IPv4 is disabled
- non-NetworkPolicyOnly mode, PodIPv4CIDR != nil and NodeIPv4Addr != nil: IPv4 is enabled
- non-NetworkPolicyOnly mode, PodIPv4CIDR == nil: IPv4 is disabled
func IsIPv6Enabled ¶
func IsIPv6Enabled(nodeConfig *NodeConfig, trafficEncapMode TrafficEncapModeType) (bool, error)
IsIPv6Enabled returns true if the cluster network supports IPv6. The legal cases are:
- NetworkPolicyOnly mode, NodeIPv6Addr != nil: IPv6 is enabled
- NetworkPolicyOnly mode, NodeIPv6Addr == nil: IPv6 is disabled
- non-NetworkPolicyOnly mode, PodIPv6CIDR != nil and NodeIPv6Addr != nil: IPv6 is enabled
- non-NetworkPolicyOnly mode, PodIPv6CIDR == nil: IPv6 is disabled
Types ¶
type AdapterNetConfig ¶
type EgressConfig ¶ added in v1.4.0
type GatewayConfig ¶
// GatewayConfig describes the host gateway interface on the OVS bridge.
type GatewayConfig struct {
	// Name is the name of host gateway, e.g. antrea-gw0.
	Name string
	// IPv4 is the IPv4 address assigned to the host gateway, if any.
	IPv4 net.IP
	// IPv6 is the IPv6 address assigned to the host gateway, if any.
	IPv6 net.IP
	// MAC is the hardware address of the host gateway.
	MAC net.HardwareAddr
	// LinkIndex is the link index of host gateway.
	LinkIndex int
	// OFPort is the OpenFlow port number of host gateway allocated by OVS.
	OFPort uint32
}
func (*GatewayConfig) String ¶
func (g *GatewayConfig) String() string
type IPsecAuthenticationMode ¶ added in v1.7.0
// IPsecAuthenticationMode identifies how IPsec peers are authenticated; see the
// IPsecAuthenticationMode* constants for the defined values.
type IPsecAuthenticationMode int
const (
	// IPsecAuthenticationModePSK authenticates IPsec peers with a pre-shared key.
	IPsecAuthenticationModePSK IPsecAuthenticationMode = iota
	// IPsecAuthenticationModeCert authenticates IPsec peers with certificates.
	IPsecAuthenticationModeCert
	// IPsecAuthenticationModeInvalid denotes an unrecognized mode. Note that it is declared as an
	// untyped constant, so its type is inferred at each use.
	IPsecAuthenticationModeInvalid = -1
)
func GetIPsecAuthenticationModeFromStr ¶ added in v1.7.0
func GetIPsecAuthenticationModeFromStr(str string) (bool, IPsecAuthenticationMode)
GetIPsecAuthenticationModeFromStr returns true and the IPsecAuthenticationMode corresponding to the input string. Otherwise, false and an undefined value are returned.
func GetIPsecConfigModes ¶ added in v1.7.0
func GetIPsecConfigModes() []IPsecAuthenticationMode
func (IPsecAuthenticationMode) String ¶ added in v1.7.0
func (am IPsecAuthenticationMode) String() string
String returns the string representation of the mode.
type IPsecConfig ¶ added in v1.7.0
// IPsecConfig includes IPsec related configurations.
type IPsecConfig struct {
	// AuthenticationMode selects how IPsec peers are authenticated (PSK or certificate).
	AuthenticationMode IPsecAuthenticationMode
	// PSK is the pre-shared key used when AuthenticationMode is IPsecAuthenticationModePSK.
	// It is a secret: it must not be written to logs, error messages or String() output,
	// and any struct embedding IPsecConfig should take care not to dump it.
	PSK string
}
IPsecConfig includes IPsec related configurations.
type L7NetworkPolicyConfig ¶ added in v1.10.0
// L7NetworkPolicyConfig includes target and return ofPorts for L7 NetworkPolicy.
type L7NetworkPolicyConfig struct {
	// TargetOFPort is the ofPort via which matched L7 NetworkPolicy traffic is forwarded to an
	// application-aware engine.
	TargetOFPort uint32
	// ReturnOFPort is the ofPort via which scanned L7 NetworkPolicy traffic is returned from an
	// application-aware engine.
	ReturnOFPort uint32
}
L7NetworkPolicyConfig includes target and return ofPorts for L7 NetworkPolicy.
type LoadBalancerMode ¶ added in v1.13.0
// LoadBalancerMode identifies how Service traffic is load balanced; see the LoadBalancerMode*
// constants for the defined values.
type LoadBalancerMode int
const (
	// LoadBalancerModeNAT load balances Service traffic with NAT.
	LoadBalancerModeNAT LoadBalancerMode = iota
	// LoadBalancerModeDSR load balances Service traffic with Direct Server Return.
	LoadBalancerModeDSR
	// LoadBalancerModeInvalid denotes an unrecognized mode. Note that it is declared as an
	// untyped constant, so its type is inferred at each use.
	LoadBalancerModeInvalid = -1
)
func GetLoadBalancerModeFromStr ¶ added in v1.13.0
func GetLoadBalancerModeFromStr(str string) (bool, LoadBalancerMode)
GetLoadBalancerModeFromStr returns true and the LoadBalancerMode corresponding to the input string. Otherwise, false and an undefined value are returned.
func (LoadBalancerMode) String ¶ added in v1.13.0
func (m LoadBalancerMode) String() string
String returns the string representation of the mode.
type NetworkConfig ¶
// NetworkConfig includes user provided network configuration parameters.
type NetworkConfig struct {
	// TrafficEncapMode is the traffic encapsulation mode of the cluster network.
	TrafficEncapMode TrafficEncapModeType
	// TunnelType is the OVS tunnel type used for encapsulation.
	TunnelType ovsconfig.TunnelType
	// TunnelPort is the tunnel port number (presumably the UDP destination port; confirm against the caller).
	TunnelPort int32
	// TunnelCsum controls whether tunnel checksums are used.
	TunnelCsum bool
	// TrafficEncryptionMode is the encryption mode for inter-Node traffic.
	TrafficEncryptionMode TrafficEncryptionModeType
	// IPsecConfig holds the IPsec settings; note that it contains the PSK, which is a secret.
	IPsecConfig IPsecConfig
	// TransportIface is the configured transport interface name, if any.
	TransportIface string
	// TransportIfaceCIDRs are the configured CIDRs used to select the transport interface, if any.
	TransportIfaceCIDRs []string
	// IPv4Enabled is true if the cluster network supports IPv4.
	IPv4Enabled bool
	// IPv6Enabled is true if the cluster network supports IPv6.
	IPv6Enabled bool
	// MTUDeduction is the MTU deduction for encapsulation and encryption in cluster.
	MTUDeduction int
	// WireGuardMTUDeduction is the MTU deduction for WireGuard encryption.
	// It is calculated based on whether IPv6 is used.
	WireGuardMTUDeduction int
	// InterfaceMTU is set by the defaultMTU config option or auto discovered.
	// Auto discovery will use the MTU value of the Node's transport interface.
	// For Encap and Hybrid mode, InterfaceMTU will be adjusted to account for the
	// encap header.
	InterfaceMTU int
	// EnableMulticlusterGW enables the Multi-cluster Gateway.
	EnableMulticlusterGW bool
	// MulticlusterEncryptionMode is the encryption mode for Multi-cluster traffic.
	MulticlusterEncryptionMode TrafficEncryptionModeType
}
NetworkConfig includes user provided network configuration parameters.
func (*NetworkConfig) CalculateMTUDeduction ¶ added in v1.11.0
func (nc *NetworkConfig) CalculateMTUDeduction(isIPv6 bool) int
func (*NetworkConfig) NeedsDirectRoutingToPeer ¶ added in v1.3.0
NeedsDirectRoutingToPeer returns true if Pod traffic to peer Node needs a direct route installed to the routing table.
func (*NetworkConfig) NeedsTunnelInterface ¶ added in v1.11.0
func (nc *NetworkConfig) NeedsTunnelInterface() bool
func (*NetworkConfig) NeedsTunnelToPeer ¶ added in v1.3.0
NeedsTunnelToPeer returns true if Pod traffic to peer Node needs to be encapsulated by OVS tunneling.
type NodeConfig ¶
// NodeConfig holds the local Node's configuration, retrieved from the K8s API or the host networking state.
type NodeConfig struct {
	// The Node's name used in Kubernetes.
	Name string
	// The type to identify it is a Kubernetes Node or an external Node.
	Type NodeType
	// The name of the OpenVSwitch bridge antrea-agent uses.
	OVSBridge string
	// The name of the default tunnel interface. Defaults to "antrea-tun0", but can
	// be overridden by the discovered tunnel interface name from the OVS bridge.
	DefaultTunName string
	// The CIDR block from which to allocate IPv4 address to Pod.
	// It's nil for the networkPolicyOnly trafficEncapMode which doesn't do IPAM.
	PodIPv4CIDR *net.IPNet
	// The CIDR block from which to allocate IPv6 address to Pod.
	// It's nil for the networkPolicyOnly trafficEncapMode which doesn't do IPAM.
	PodIPv6CIDR *net.IPNet
	// The Node's IPv4 address used in Kubernetes. It has the network mask information.
	NodeIPv4Addr *net.IPNet
	// The Node's IPv6 address used in Kubernetes. It has the network mask information.
	NodeIPv6Addr *net.IPNet
	// The name of the Node's transport interface. The transport interface defaults to the interface that has the K8s
	// Node IP, and can be overridden by the configuration parameters TransportInterface and TransportInterfaceCIDRs.
	NodeTransportInterfaceName string
	// The IPv4 address on the Node's transport interface. It is used for tunneling or routing the Pod traffic across Nodes.
	NodeTransportIPv4Addr *net.IPNet
	// The IPv6 address on the Node's transport interface. It is used for tunneling or routing the Pod traffic across Nodes.
	NodeTransportIPv6Addr *net.IPNet
	// The original MTU of the Node's transport interface.
	NodeTransportInterfaceMTU int
	// TunnelOFPort is the OpenFlow port number of tunnel interface allocated by OVS. With noEncap mode, the value is 0.
	TunnelOFPort uint32
	// HostInterfaceOFPort is the OpenFlow port number of the host interface allocated by OVS. The host interface is the
	// one which the IP/MAC of the uplink is moved to. If the host interface is the OVS bridge interface (br-int), the
	// value is config.BridgeOFPort.
	HostInterfaceOFPort uint32
	// The config of the gateway interface on the OVS bridge.
	GatewayConfig *GatewayConfig
	// The config of the OVS bridge uplink interface. Only for Windows Node.
	UplinkNetConfig *AdapterNetConfig
	// The config of the WireGuard interface.
	WireGuardConfig *WireGuardConfig
	// The config of the Egress interface.
	EgressConfig *EgressConfig
}
NodeConfig holds the local Node's configuration, retrieved from the K8s API or the host networking state.
func (*NodeConfig) String ¶
func (n *NodeConfig) String() string
type ServiceConfig ¶ added in v1.7.0
// ServiceConfig includes K8s Service CIDR and available IP addresses for NodePort.
type ServiceConfig struct {
	// ServiceCIDR is the K8s Service ClusterIP CIDR.
	ServiceCIDR *net.IPNet
	// ServiceCIDRv6 is the K8s Service ClusterIP CIDR in IPv6.
	ServiceCIDRv6 *net.IPNet
	// NodePortAddressesIPv4 are the IPv4 addresses on which NodePort Services are available.
	NodePortAddressesIPv4 []net.IP
	// NodePortAddressesIPv6 are the IPv6 addresses on which NodePort Services are available.
	NodePortAddressesIPv6 []net.IP
}
ServiceConfig includes K8s Service CIDR and available IP addresses for NodePort.
type TrafficEncapModeType ¶
// TrafficEncapModeType identifies how Pod traffic between Nodes is carried; see the
// TrafficEncapMode* constants for the defined values.
type TrafficEncapModeType int
const (
	// TrafficEncapModeEncap always encapsulates inter-Node Pod traffic.
	TrafficEncapModeEncap TrafficEncapModeType = iota
	// TrafficEncapModeNoEncap never encapsulates inter-Node Pod traffic.
	TrafficEncapModeNoEncap
	// TrafficEncapModeHybrid encapsulates inter-Node Pod traffic only when needed.
	TrafficEncapModeHybrid
	// TrafficEncapModeNetworkPolicyOnly enforces NetworkPolicy only, without doing IPAM or
	// routing Pod traffic (see IsNetworkPolicyOnly).
	TrafficEncapModeNetworkPolicyOnly
	// TrafficEncapModeInvalid denotes an unrecognized mode. Note that it is declared as an
	// untyped constant, so its type is inferred at each use.
	TrafficEncapModeInvalid = -1
)
func GetTrafficEncapModeFromStr ¶
func GetTrafficEncapModeFromStr(str string) (bool, TrafficEncapModeType)
GetTrafficEncapModeFromStr returns true and the TrafficEncapModeType corresponding to the input string. Otherwise, false and an undefined value are returned.
func GetTrafficEncapModes ¶
func GetTrafficEncapModes() []TrafficEncapModeType
func (TrafficEncapModeType) IsNetworkPolicyOnly ¶
func (m TrafficEncapModeType) IsNetworkPolicyOnly() bool
IsNetworkPolicyOnly returns true if TrafficEncapModeType is network policy only.
func (TrafficEncapModeType) String ¶
func (m TrafficEncapModeType) String() string
String returns the string representation of the mode.
func (TrafficEncapModeType) SupportsEncap ¶
func (m TrafficEncapModeType) SupportsEncap() bool
SupportsEncap returns true if TrafficEncapModeType supports encap.
func (TrafficEncapModeType) SupportsNoEncap ¶
func (m TrafficEncapModeType) SupportsNoEncap() bool
SupportsNoEncap returns true if TrafficEncapModeType supports noEncap.
type TrafficEncryptionModeType ¶ added in v1.3.0
// TrafficEncryptionModeType identifies how inter-Node traffic is encrypted; see the
// TrafficEncryptionMode* constants for the defined values.
type TrafficEncryptionModeType int
const (
	// TrafficEncryptionModeNone leaves inter-Node traffic unencrypted.
	TrafficEncryptionModeNone TrafficEncryptionModeType = iota
	// TrafficEncryptionModeIPSec encrypts inter-Node traffic with IPsec.
	TrafficEncryptionModeIPSec
	// TrafficEncryptionModeWireGuard encrypts inter-Node traffic with WireGuard.
	TrafficEncryptionModeWireGuard
	// TrafficEncryptionModeInvalid denotes an unrecognized mode. Note that it is declared as an
	// untyped constant, so its type is inferred at each use.
	TrafficEncryptionModeInvalid = -1
)
func GetTrafficEncryptionModeFromStr ¶ added in v1.3.0
func GetTrafficEncryptionModeFromStr(str string) (bool, TrafficEncryptionModeType)
GetTrafficEncryptionModeFromStr returns true and the TrafficEncryptionModeType corresponding to the input string. Otherwise, false and an undefined value are returned.
func GetTrafficEncryptionModes ¶ added in v1.3.0
func GetTrafficEncryptionModes() []TrafficEncryptionModeType
func (TrafficEncryptionModeType) String ¶ added in v1.3.0
func (m TrafficEncryptionModeType) String() string
String returns the string representation of the mode.