Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Automated cherry pick of #5687: Fix NP not working on Hairpin #5699

Merged
merged 2 commits into from
Nov 16, 2023
Merged

Automated cherry pick of #5687: Fix NP not working on Hairpin #5699

merged 2 commits into from
Nov 16, 2023

Conversation

GraysonWu
Copy link
Contributor

Cherry pick of #5687 on release-1.12.

#5687: Fix NP not working on Hairpin

For details on the cherry pick process, see the cherry pick requests page.

@GraysonWu GraysonWu added the kind/cherry-pick Categorizes issue or PR as related to the cherry-pick of a bug fix from the main branch to a release label Nov 13, 2023
@GraysonWu
Fix NP not working on Hairpin
24cb305 
Fix antrea-io#5681

Network policy didn't work when using a server Pod to establish a
connection to the service provided by itself. This hairpin service
connection initiated through a local Pod will be SNATed to the
gateway IP, which will prevent it from being correctly categorized by
the network policy during the Ingress rule enforcement.

This commit added a bypass flow to always allow the hairpin service
connection to address this issue. Given we don't consider self-access
blocking to be a valid case.

Signed-off-by: graysonwu <wgrayson@vmware.com>
@GraysonWu GraysonWu force-pushed the automated-cherry-pick-of-#5687-upstream-release-1.12 branch from 2136191 to 24cb305 Compare November 13, 2023 20:10
@GraysonWu GraysonWu requested a review from tnqn November 13, 2023 20:51
@tnqn
Copy link
Member

tnqn commented Nov 14, 2023

/skip-all

@tnqn
Copy link
Member

tnqn commented Nov 14, 2023

testAllowHairpinService failed https://github.com/antrea-io/antrea/actions/runs/6855202813/job/18640154742?pr=5699

@GraysonWu
Copy link
Contributor Author

testAllowHairpinService failed https://github.com/antrea-io/antrea/actions/runs/6855202813/job/18640154742?pr=5699

When Antrea-Proxy is disabled, we can't categorize it as a hairpin service, so this test case can't pass. Opened PR #5705 fixing it.

@tnqn tnqn mentioned this pull request Nov 15, 2023
Merged
@GraysonWu
Add Hairpin traffic limitation doc
37ede97 
1. Skip allowHairpinSerivce test when Antrea-Proxy is disabled.
2. Add documentation including the behavior of the hairpin service
   when Antrea-Proxy is enabled and disabled.

Signed-off-by: graysonwu <wgrayson@vmware.com>
@tnqn
Copy link
Member

tnqn commented Nov 16, 2023

/skip-all

@tnqn tnqn merged commit 852ab81 into antrea-io:release-1.12 Nov 16, 2023
49 of 55 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tnqn tnqn tnqn approved these changes

Assignees
No one assigned
Labels
kind/cherry-pick Categorizes issue or PR as related to the cherry-pick of a bug fix from the main branch to a release
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@GraysonWu @tnqn