Ensure full functionality of AntreaProxy with proxyAll enabled when kube-proxy presents #6308
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Depends on #6381
Resolve #6232
To ensure the full functionality of AntreaProxy with proxyAll enabled even when kube-proxy presents, there are some key changes when proxyAll is enabled:
The jump rules for the chains managed by Antrea, ANTREA-PREROUTING and ANTREA-OUTPUT in nat table, are installed by inserting instead of appending to bypass the chain
KUBE-SERVICES
performing Service DNAT managed by kube-proxy. Antrea ensures that the jump rules take precedence over those managed by kube-proxy.The iptables rules of nat table chain ANTREA-PREROUTING are like below, and it is similar in chain ANTREA-OUTPUT.
kubeAPIServerOverride
is not set.KUBE-SERVICES
. The Service CIDR is got fromserviceCIDRProvider
. TODO: whether to sync iptables immediately after the update of Service CIDR.KUBE-SERVICES
. This is not a new rule, and we have this rule before.KUBE-SERVICES
. We use an ipset to match the traffic.The iptables rules of raw table chainANTREA-PREROUTING are like below:
TODO:
ANTREA-PREROUTING
andANTREA-OUTPUT
are in the first rule of corresponding default iptables chains to skip kube-proxy chains.