metropolis: use interface groups
This adds interface groups to all K8s pod interfaces via a CNI plugin
patch and corresponding configuration. It also adds an interface group
to the clusternet interface. Using these new interface groups the
nftables rules for NAT can be simplified.
These will also be used by the network policy plugin later.
Change-Id: I4638a4349ccb12b8724ad28ae34bb61cac4b4ece
Reviewed-on: https://review.monogon.dev/c/monogon/+/3814
Tested-by: Jenkins CI
Reviewed-by: Jan Schär <jan@monogon.tech>
diff --git a/build/bazel/go.MODULE.bazel b/build/bazel/go.MODULE.bazel
index 44c9802..ec02cbd 100644
--- a/build/bazel/go.MODULE.bazel
+++ b/build/bazel/go.MODULE.bazel
@@ -302,6 +302,11 @@
"//third_party/go/patches:cni-fix-cachepath.patch",
],
},
+ "github.com/containernetworking/plugins": {
+ "patches": [
+ "//third_party/go/patches:cniplugins-add-linkgroup.patch",
+ ],
+ },
"github.com/corverroos/commentwrap": {
"patches": [
"//third_party/go/patches:commentwrap-uri.patch",
diff --git a/go.mod b/go.mod
index fff9184..e99fe47 100644
--- a/go.mod
+++ b/go.mod
@@ -65,7 +65,7 @@
github.com/cockroachdb/cockroach-go/v2 v2.2.10
github.com/container-storage-interface/spec v1.9.0
github.com/containerd/containerd/v2 v2.0.1
- github.com/containernetworking/plugins v1.5.1
+ github.com/containernetworking/plugins v1.6.1
github.com/coreos/go-semver v0.3.1
github.com/corverroos/commentwrap v0.0.0-20191204065359-2926638be44c
github.com/diskfs/go-diskfs v1.2.0
@@ -83,9 +83,10 @@
github.com/google/uuid v1.6.0
github.com/iancoleman/strcase v0.3.0
github.com/improbable-eng/grpc-web v0.15.0
- github.com/insomniacslk/dhcp v0.0.0-20231016090811-6a2c8fbdcc1c
+ github.com/insomniacslk/dhcp v0.0.0-20240829085014-a3a4c1f04475
github.com/joho/godotenv v1.4.0
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
+ github.com/klauspost/compress v1.17.11
github.com/lib/pq v1.10.9
github.com/mattn/go-shellwords v1.0.12
github.com/mdlayher/arp v0.0.0-20220512170110-6706a2966875
@@ -125,7 +126,7 @@
golang.org/x/crypto v0.28.0
golang.org/x/net v0.30.0
golang.org/x/sync v0.8.0
- golang.org/x/sys v0.26.0
+ golang.org/x/sys v0.27.0
golang.org/x/term v0.25.0
golang.org/x/text v0.19.0
golang.org/x/time v0.7.0
@@ -207,7 +208,7 @@
github.com/containerd/zfs/v2 v2.0.0-rc.0 // indirect
github.com/containernetworking/cni v1.2.3 // indirect
github.com/containers/ocicrypt v1.2.0 // indirect
- github.com/coreos/go-iptables v0.7.0 // indirect
+ github.com/coreos/go-iptables v0.8.0 // indirect
github.com/coreos/go-oidc v2.2.1+incompatible // indirect
github.com/coreos/go-systemd/v22 v22.5.0 // indirect
github.com/cosiner/argv v0.1.0 // indirect
@@ -293,7 +294,6 @@
github.com/jsimonetti/rtnetlink v1.4.1 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/karrick/godirwalk v1.17.0 // indirect
- github.com/klauspost/compress v1.17.11
github.com/kr/fs v0.1.0 // indirect
github.com/kr/pty v1.1.8 // indirect
github.com/kylelemons/godebug v1.1.0 // indirect
@@ -308,7 +308,7 @@
github.com/mattn/go-runewidth v0.0.15 // indirect
github.com/mattn/go-sqlite3 v1.14.17 // indirect
github.com/mattn/go-xmlrpc v0.0.3 // indirect
- github.com/mdlayher/socket v0.5.0 // indirect
+ github.com/mdlayher/socket v0.5.1 // indirect
github.com/mdlayher/vsock v1.2.1 // indirect
github.com/mdlayher/wifi v0.1.0 // indirect
github.com/miekg/pkcs11 v1.1.1 // indirect
@@ -341,7 +341,7 @@
github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
github.com/pganalyze/pg_query_go/v4 v4.2.3 // indirect
github.com/pierrec/lz4 v2.6.1+incompatible // indirect
- github.com/pierrec/lz4/v4 v4.1.18 // indirect
+ github.com/pierrec/lz4/v4 v4.1.21 // indirect
github.com/pingcap/errors v0.11.5-0.20210425183316-da1aaba5fb63 // indirect
github.com/pingcap/failpoint v0.0.0-20220801062533-2eaa32854a6c // indirect
github.com/pingcap/log v1.1.0 // indirect
@@ -359,7 +359,7 @@
github.com/robfig/cron/v3 v3.0.1 // indirect
github.com/rs/cors v1.8.0 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
- github.com/safchain/ethtool v0.4.0 // indirect
+ github.com/safchain/ethtool v0.5.9 // indirect
github.com/sassoftware/go-rpmutils v0.1.1 // indirect
github.com/sbezverk/nftableslib v0.0.0-20221012061059-e05e022cec75 // indirect
github.com/seccomp/libseccomp-golang v0.10.0 // indirect
@@ -371,7 +371,7 @@
github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
github.com/tchap/go-patricia/v2 v2.3.1 // indirect
github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 // indirect
- github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 // indirect
+ github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
github.com/ulikunitz/xz v0.5.12 // indirect
github.com/urfave/cli v1.22.15 // indirect
github.com/urfave/cli/v2 v2.27.5 // indirect
@@ -439,6 +439,7 @@
nhooyr.io/websocket v1.8.6 // indirect
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 // indirect
sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+ sigs.k8s.io/knftables v0.0.18 // indirect
sigs.k8s.io/kustomize/api v0.18.0 // indirect
sigs.k8s.io/kustomize/kustomize/v5 v5.5.0 // indirect
sigs.k8s.io/kustomize/kyaml v0.18.1 // indirect
diff --git a/go.sum b/go.sum
index 300a3fd..f4400ca 100644
--- a/go.sum
+++ b/go.sum
@@ -1833,8 +1833,8 @@
github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHVlzhJpcY6TQxn/fUyDDM=
github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8=
github.com/containernetworking/plugins v1.0.1/go.mod h1:QHCfGpaTwYTbbH+nZXKVTxNBDZcxSOplJT5ico8/FLE=
-github.com/containernetworking/plugins v1.5.1 h1:T5ji+LPYjjgW0QM+KyrigZbLsZ8jaX+E5J/EcKOE4gQ=
-github.com/containernetworking/plugins v1.5.1/go.mod h1:MIQfgMayGuHYs0XdNudf31cLLAC+i242hNm6KuDGqCM=
+github.com/containernetworking/plugins v1.6.1 h1:bYd2bpE6hEBqexyaiI2/sst0xJ+v7pEMWrjA5qtkxiU=
+github.com/containernetworking/plugins v1.6.1/go.mod h1:SP5UG3jDO9LtmfbBJdP+nl3A1atOtbj2MBOYsnaxy64=
github.com/containers/ocicrypt v1.0.1/go.mod h1:MeJDzk1RJHv89LjsH0Sp5KTY3ZYkjXO/C+bKAeWFIrc=
github.com/containers/ocicrypt v1.1.0/go.mod h1:b8AOe0YR67uU8OqfVNcznfFpAzu3rdgUV4GP9qXPfu4=
github.com/containers/ocicrypt v1.1.1/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B0oB3dj3jFxY=
@@ -1850,8 +1850,8 @@
github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
github.com/coreos/go-iptables v0.5.0/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
github.com/coreos/go-iptables v0.6.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
-github.com/coreos/go-iptables v0.7.0 h1:XWM3V+MPRr5/q51NuWSgU0fqMad64Zyxs8ZUoMsamr8=
-github.com/coreos/go-iptables v0.7.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
+github.com/coreos/go-iptables v0.8.0 h1:MPc2P89IhuVpLI7ETL/2tx3XZ61VeICZjYqDEgNsPRc=
+github.com/coreos/go-iptables v0.8.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk=
github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
@@ -2546,8 +2546,8 @@
github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo=
-github.com/insomniacslk/dhcp v0.0.0-20231016090811-6a2c8fbdcc1c h1:PgxFEySCI41sH0mB7/2XswdXbUykQsRUGod8Rn+NubM=
-github.com/insomniacslk/dhcp v0.0.0-20231016090811-6a2c8fbdcc1c/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI=
+github.com/insomniacslk/dhcp v0.0.0-20240829085014-a3a4c1f04475 h1:hxST5pwMBEOWmxpkX20w9oZG+hXdhKmAIPQ3NGGAxas=
+github.com/insomniacslk/dhcp v0.0.0-20240829085014-a3a4c1f04475/go.mod h1:KclMyHxX06VrVr0DJmeFSUb1ankt7xTfoOA35pCkoic=
github.com/intel/goresctrl v0.2.0/go.mod h1:+CZdzouYFn5EsxgqAQTEzMfwKwuc0fVdMrT9FCCAVRQ=
github.com/intel/goresctrl v0.8.0 h1:N3shVbS3kA1Hk2AmcbHv8805Hjbv+zqsCIZCGktxx50=
github.com/intel/goresctrl v0.8.0/go.mod h1:T3ZZnuHSNouwELB5wvOoUJaB7l/4Rm23rJy/wuWJlr0=
@@ -2649,7 +2649,6 @@
github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
github.com/josharian/native v1.0.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
-github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgbbvHEiQClaW2NsSzMyGHqN+rDFqY705q49KG0=
@@ -2859,8 +2858,8 @@
github.com/mdlayher/socket v0.1.1/go.mod h1:mYV5YIZAfHh4dzDVzI8x8tWLWCliuX8Mon5Awbj+qDs=
github.com/mdlayher/socket v0.2.1/go.mod h1:QLlNPkFR88mRUNQIzRBMfXxwKal8H7u1h3bL1CV+f0E=
github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
-github.com/mdlayher/socket v0.5.0 h1:ilICZmJcQz70vrWVes1MFera4jGiWNocSkykwwoy3XI=
-github.com/mdlayher/socket v0.5.0/go.mod h1:WkcBFfvyG8QENs5+hfQPl1X6Jpd2yeLIYgrGFmJiJxI=
+github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos=
+github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
github.com/mdlayher/vsock v1.2.1 h1:pC1mTJTvjo1r9n9fbm7S1j04rCgCzhCOS5DY0zqHlnQ=
github.com/mdlayher/vsock v1.2.1/go.mod h1:NRfCibel++DgeMD8z/hP+PPTjlNJsdPOmxcnENvE+SE=
github.com/mdlayher/wifi v0.1.0 h1:y8wYRUXwok5CtUZOXT3egghYesX0O79E3ALl+SIDm9Q=
@@ -3017,8 +3016,9 @@
github.com/onsi/ginkgo/v2 v2.17.2/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc=
github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To=
github.com/onsi/ginkgo/v2 v2.20.1/go.mod h1:lG9ey2Z29hR41WMVthyJBGUBcBhGOtoPF2VFMvBXFCI=
-github.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM=
github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/onsi/ginkgo/v2 v2.22.0 h1:Yed107/8DjTr0lKCNt7Dn8yQ6ybuDRQoMGrNFKzMfHg=
+github.com/onsi/ginkgo/v2 v2.22.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
@@ -3048,8 +3048,9 @@
github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0=
github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
+github.com/onsi/gomega v1.36.0 h1:Pb12RlruUtj4XUuPUqeEWc6j5DkVVVA49Uf6YLfC95Y=
+github.com/onsi/gomega v1.36.0/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
@@ -3132,10 +3133,10 @@
github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM=
github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
github.com/pierrec/lz4/v4 v4.1.8/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
-github.com/pierrec/lz4/v4 v4.1.14/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
github.com/pierrec/lz4/v4 v4.1.15/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
-github.com/pierrec/lz4/v4 v4.1.18 h1:xaKrnTkyoqfh1YItXl56+6KJNVYWlEEPuAQW9xsplYQ=
github.com/pierrec/lz4/v4 v4.1.18/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
+github.com/pierrec/lz4/v4 v4.1.21/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
github.com/pingcap/errors v0.11.0/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8=
github.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8=
github.com/pingcap/errors v0.11.5-0.20210425183316-da1aaba5fb63 h1:+FZIDR/D97YOPik4N4lPDaUcLDF/EQPogxtlHB2ZZRM=
@@ -3280,8 +3281,8 @@
github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4=
github.com/safchain/ethtool v0.0.0-20210803160452-9aa261dae9b1/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4=
-github.com/safchain/ethtool v0.4.0 h1:vq1i2HCjshJNywOXFZ1BpwIjyeFR/kvNdHiRzqSElDI=
-github.com/safchain/ethtool v0.4.0/go.mod h1:XLLnZmy4OCRTkksP/UiMjij96YmIsBfmBQcs7H6tA48=
+github.com/safchain/ethtool v0.5.9 h1://6RvaOKFf3nQ0rl5+8zBbE4/72455VC9Jq61pfq67E=
+github.com/safchain/ethtool v0.5.9/go.mod h1:w8oSsZeowyRaM7xJJBAbubzzrOkwO8TBgPSEqPP/5mg=
github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E=
github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b/go.mod h1:am+Fp8Bt506lA3Rk3QCmSqmYmLMnPDhdDUcosQCAx+I=
github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
@@ -3427,8 +3428,8 @@
github.com/tv42/httpunix v0.0.0-20191220191345-2ba4b9c3382c/go.mod h1:hzIxponao9Kjc7aWznkXaL4U4TWaDSs8zcsY4Ka08nM=
github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
-github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 h1:tHNk7XK9GkmKUR6Gh8gVBKXc2MVSZ4G/NnWLtzw4gNA=
-github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
+github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
+github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
github.com/ugorji/go v1.1.7 h1:/68gy2h+1mWMrwZFeD1kQialdSzAb432dtpeJ42ovdo=
github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw=
@@ -4219,7 +4220,6 @@
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -4252,8 +4252,9 @@
golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
+golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
golang.org/x/telemetry v0.0.0-20240521205824-bda55230c457/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0=
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
@@ -5200,6 +5201,8 @@
sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
sigs.k8s.io/knftables v0.0.17/go.mod h1:f/5ZLKYEUPUhVjUCg6l80ACdL7CIIyeL0DxfgojGRTk=
+sigs.k8s.io/knftables v0.0.18 h1:6Duvmu0s/HwGifKrtl6G3AyAPYlWiZqTgS8bkVMiyaE=
+sigs.k8s.io/knftables v0.0.18/go.mod h1:f/5ZLKYEUPUhVjUCg6l80ACdL7CIIyeL0DxfgojGRTk=
sigs.k8s.io/kustomize/api v0.18.0 h1:hTzp67k+3NEVInwz5BHyzc9rGxIauoXferXyjv5lWPo=
sigs.k8s.io/kustomize/api v0.18.0/go.mod h1:f8isXnX+8b+SGLHQ6yO4JG1rdkZlvhaCf/uZbLVMb0U=
sigs.k8s.io/kustomize/cmd/config v0.15.0/go.mod h1:Jq57b0nPaoYUlOqg//0JtAh6iibboqMcfbtCYoWPM00=
diff --git a/metropolis/node/core/clusternet/wireguard.go b/metropolis/node/core/clusternet/wireguard.go
index 9d14b98..cc5f941 100644
--- a/metropolis/node/core/clusternet/wireguard.go
+++ b/metropolis/node/core/clusternet/wireguard.go
@@ -86,7 +86,7 @@
}
}
- wgInterface := &netlink.Wireguard{LinkAttrs: netlink.LinkAttrs{Name: clusterNetDeviceName, Flags: net.FlagUp}}
+ wgInterface := &netlink.Wireguard{LinkAttrs: netlink.LinkAttrs{Name: clusterNetDeviceName, Flags: net.FlagUp, Group: common.LinkGroupClusternet}}
if err := netlink.LinkAdd(wgInterface); err != nil {
return fmt.Errorf("when adding network interface: %w", err)
}
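Review bot: The group is applied only on the creation path at the `wgInterface` literal, so a clusternet link that already exists when this code runs (the closing braces above the hunk suggest an existing-link lookup precedes it, but that code is outside the hunk) would keep group 0 and fall outside the `OIFGROUP != LinkGroupClusternet` exemption in the NAT rule, and pod traffic towards it would be masqueraded on an upgraded node. If the existing-interface path reuses the link instead of recreating it, a `netlink.LinkSetGroup(existing, int(common.LinkGroupClusternet))` on that path, or a check that tears down a link whose group does not match, would keep both paths consistent. The enclosing function starts and ends outside the hunk.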
diff --git a/metropolis/node/core/network/BUILD.bazel b/metropolis/node/core/network/BUILD.bazel
index 6809c58..103f033 100644
--- a/metropolis/node/core/network/BUILD.bazel
+++ b/metropolis/node/core/network/BUILD.bazel
@@ -13,6 +13,7 @@
deps = [
"//go/algorithm/toposort",
"//go/logging",
+ "//metropolis/node",
"//metropolis/node/core/network/dhcp4c",
"//metropolis/node/core/network/dhcp4c/callback",
"//osbase/event/memory",
@@ -22,6 +23,7 @@
"//osbase/supervisor",
"//osbase/sysctl",
"@com_github_google_nftables//:nftables",
+ "@com_github_google_nftables//binaryutil",
"@com_github_google_nftables//expr",
"@com_github_insomniacslk_dhcp//dhcpv4",
"@com_github_mdlayher_arp//:arp",
diff --git a/metropolis/node/core/network/main.go b/metropolis/node/core/network/main.go
index e51ed11..dd0023d 100644
--- a/metropolis/node/core/network/main.go
+++ b/metropolis/node/core/network/main.go
@@ -24,10 +24,12 @@
"strconv"
"github.com/google/nftables"
+ "github.com/google/nftables/binaryutil"
"github.com/google/nftables/expr"
"github.com/insomniacslk/dhcp/dhcpv4"
"github.com/vishvananda/netlink"
+ "source.monogon.dev/metropolis/node"
"source.monogon.dev/metropolis/node/core/network/dhcp4c"
dhcpcb "source.monogon.dev/metropolis/node/core/network/dhcp4c/callback"
"source.monogon.dev/osbase/event/memory"
@@ -274,41 +276,38 @@
Table: s.natTable,
Type: nftables.ChainTypeNAT,
})
- // SNAT/Masquerade all traffic coming from interfaces starting with
- // veth going to interfaces not starting with veth.
- // This NATs all container traffic going out of the host without
- // affecting anything else and without needing to care about specific
- // interfaces. Will need to be changed when we support L3 attachments
- // (BGP, ...).
+ // SNAT/Masquerade all traffic coming from pod interface (identified by
+ // group) not going to another pod, either local or over clusternet.
+ // Will need to be changed when we support L3 attachments (BGP, ...).
s.nftConn.AddRule(&nftables.Rule{
Table: s.natTable,
Chain: s.natPostroutingChain,
Exprs: []expr.Any{
&expr.Meta{
- Key: expr.MetaKeyIIFNAME,
- Register: 8, // covers registers 8-12 (16 bytes/4 regs)
+ Key: expr.MetaKeyIIFGROUP,
+ Register: 8,
},
- // Check if incoming interface starts with veth
+ // Check if incoming interface is a K8s pod
&expr.Cmp{
Op: expr.CmpOpEq,
Register: 8,
- Data: []byte{'v', 'e', 't', 'h'},
+ Data: binaryutil.NativeEndian.PutUint32(node.LinkGroupK8sPod),
},
&expr.Meta{
- Key: expr.MetaKeyOIFNAME,
- Register: 8, // covers registers 8-12
+ Key: expr.MetaKeyOIFGROUP,
+ Register: 8,
},
- // Check if outgoing interface doesn't start with veth
+ // Check if outgoing interface is not a K8s pod
&expr.Cmp{
Op: expr.CmpOpNeq,
Register: 8,
- Data: []byte{'v', 'e', 't', 'h'},
+ Data: binaryutil.NativeEndian.PutUint32(node.LinkGroupK8sPod),
},
// Check if outgoing interface isn't clusternet
&expr.Cmp{
Op: expr.CmpOpNeq,
Register: 8,
- Data: []byte{'c', 'l', 'u', 's', 't', 'e', 'r', 'n', 'e', 't'},
+ Data: binaryutil.NativeEndian.PutUint32(node.LinkGroupClusternet),
},
&expr.Masq{
FullyRandom: true,
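Review bot: The `MetaKeyIIFGROUP` match in the first Cmp makes the masquerade depend entirely on the CNI having tagged the host-side veth with `node.LinkGroupK8sPod`; an untagged pod interface (default group 0, e.g. a ptp plugin built without the linkGroup patch, or a cnispec without `linkGroup`) now misses the rule silently and its packets leave the host with the pod's internal source address, whereas the old `veth` name-prefix match did not depend on that configuration step. That dependency deserves a sentence in the comment above the rule, e.g. `// Relies on the CNI ptp plugin tagging every host-side pod veth with node.LinkGroupK8sPod; an untagged interface is not masqueraded.`, and ideally an e2e check that pod egress is actually SNATed, since the failure mode is fail-open rather than a broken rule. The enclosing function and the Exprs slice continue outside the hunk.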
diff --git a/metropolis/node/kubernetes/containerd/cnispec.gojson b/metropolis/node/kubernetes/containerd/cnispec.gojson
index d703ded..4fca790 100644
--- a/metropolis/node/kubernetes/containerd/cnispec.gojson
+++ b/metropolis/node/kubernetes/containerd/cnispec.gojson
@@ -6,6 +6,8 @@
{
"type": "ptp",
"mtu": 1420,
+ {{/* Must be node.LinkGroupK8sPod */}}
+ "linkGroup": 8,
"ipam": {
"type": "host-local",
"dataDir": "/ephemeral/containerd/ipam",
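Review bot: `"linkGroup": 8` duplicates the value of `node.LinkGroupK8sPod` and the template comment above it is the only thing keeping the two in sync; since this file is rendered as a Go template, passing the constant in the template data and writing `"linkGroup": {{ .LinkGroupK8sPod }}` (field name is a placeholder for whatever the template's data struct exposes) would remove the manual step. If the template data cannot carry it, the doc comment on `LinkGroupK8sPod` in metropolis/node/net_protocols.go (the hunk at that file) should at least name this file as the place the value must match. A mismatch here is silent: the CNI would tag pods with a group that the NAT rule in metropolis/node/core/network/main.go does not match, and pod egress would go out unmasqueraded.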
diff --git a/metropolis/node/net_protocols.go b/metropolis/node/net_protocols.go
index 2e005fb..26dd0c0 100644
--- a/metropolis/node/net_protocols.go
+++ b/metropolis/node/net_protocols.go
@@ -7,3 +7,13 @@
// creating/removing routes pointing to the clusternet interface.
ProtocolClusternet int = 129
)
+
+// Netlink link groups used for interface classification and traffic matching.
+const (
+ // LinkGroupK8sPod is set on all host side PtP interfaces going to K8s
+ // pods.
+ LinkGroupK8sPod uint32 = 8
+ // LinkGroupClusternet is set on all interfaces not needing SNAT from the
+ // K8s internal IPs.
+ LinkGroupClusternet uint32 = 9
+)
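Review bot: The comment on `LinkGroupClusternet` describes a policy ("all interfaces not needing SNAT from the K8s internal IPs") while the name, and the only assignment in this change (the WireGuard link in clusternet/wireguard.go), describe one specific interface. If other interfaces are meant to carry this group later, say so explicitly; otherwise `// LinkGroupClusternet is set on the clusternet WireGuard interface. Pod traffic leaving through it is not SNATed.` matches what the code does. It may also be worth noting on the block that the values are consumed as `uint32` by netlink.LinkAttrs.Group but as `int` by the patched ptp plugin's `linkGroup` setting, so they must stay within the positive 32-bit range.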
diff --git a/third_party/go/patches/cniplugins-add-linkgroup.patch b/third_party/go/patches/cniplugins-add-linkgroup.patch
new file mode 100644
index 0000000..f294550
--- /dev/null
+++ b/third_party/go/patches/cniplugins-add-linkgroup.patch
@@ -0,0 +1,55 @@
+From a2c65ec075a9376e3b8e9fb72a96db36a613a1d0 Mon Sep 17 00:00:00 2001
+From: Lorenz Brun <lorenz@brun.one>
+Date: Thu, 2 Jan 2025 00:36:05 +0100
+Subject: [PATCH] Add linkGroup setting
+
+---
+ plugins/main/ptp/ptp.go | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/plugins/main/ptp/ptp.go b/plugins/main/ptp/ptp.go
+index 129146f2..aee37b11 100644
+--- a/plugins/main/ptp/ptp.go
++++ b/plugins/main/ptp/ptp.go
+@@ -46,6 +46,7 @@ type NetConf struct {
+ IPMasq bool `json:"ipMasq"`
+ IPMasqBackend *string `json:"ipMasqBackend,omitempty"`
+ MTU int `json:"mtu"`
++ LinkGroup int `json:"linkGroup,omitempty"`
+ }
+
+ func setupContainerVeth(netns ns.NetNS, ifName string, mtu int, pr *current.Result) (*current.Interface, *current.Interface, error) {
+@@ -145,7 +146,7 @@ func setupContainerVeth(netns ns.NetNS, ifName string, mtu int, pr *current.Resu
+ return hostInterface, containerInterface, nil
+ }
+
+-func setupHostVeth(vethName string, result *current.Result) error {
++func setupHostVeth(vethName string, group int, result *current.Result) error {
+ // hostVeth moved namespaces and may have a new ifindex
+ veth, err := netlink.LinkByName(vethName)
+ if err != nil {
+@@ -177,6 +178,12 @@ func setupHostVeth(vethName string, result *current.Result) error {
+ }
+ }
+
++ if group != 0 {
++ if err := netlink.LinkSetGroup(veth, group); err != nil {
++ return fmt.Errorf("failed to set link group for if %q: %v", vethName, err)
++ }
++ }
++
+ return nil
+ }
+
+@@ -224,7 +231,7 @@ func cmdAdd(args *skel.CmdArgs) error {
+ return err
+ }
+
+- if err = setupHostVeth(hostInterface.Name, result); err != nil {
++ if err = setupHostVeth(hostInterface.Name, conf.LinkGroup, result); err != nil {
+ return err
+ }
+
+--
+2.47.1
+
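Review bot: `setupHostVeth` takes `group int` straight from the JSON config and hands it to `netlink.LinkSetGroup`, which appears to convert it to a 32-bit attribute, so a negative or oversized `linkGroup` from a misconfigured netconf would be silently wrapped rather than rejected; a guard in `cmdAdd` before the call, such as `if conf.LinkGroup < 0 { return fmt.Errorf("linkGroup must not be negative: %d", conf.LinkGroup) }`, fails loudly instead. The error at the LinkSetGroup call wraps with `%v`; `%w` would keep the netlink error inspectable with errors.Is/As, if that is consistent with the rest of ptp.go. Using 0 as "leave unset" via `omitempty` is harmless here because 0 is also the kernel's default group. The surrounding functions in ptp.go are only partly visible in this patch.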