kmesh-net / kmesh

High Performance ServiceMesh Data Plane Based on Programmable Kernel
https://kmesh.net
Apache License 2.0

Ipv6 Support - IPv6 compatibility refactor #434

Closed nlgwcy closed 1 week ago

nlgwcy commented 2 weeks ago

What type of PR is this?

Add one of the following kinds: /kind feature

What this PR does / why we need it: As noted in the issues/291 comment, this PR covers only IPv6 compatibility reconstruction.

  1. workload mode supports IPv6
    • [x] IPv6-compatible reconstruction on the control plane
    • [x] IPv6-compatible reconstruction on the data plane

Which issue(s) this PR fixes: Fixes https://github.com/kmesh-net/kmesh/issues/291

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

self test:

  1. fortio test

    [root@localhost images]# kubectl get svc
    NAME                     TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)               AGE
    fortio-server            ClusterIP   10.96.250.180   <none>        80/TCP                2d12h
    
    [root@localhost images]# kubectl get endpoints
    NAME                     ENDPOINTS         AGE
    default-istio-waypoint                     102s
    fortio-server            10.244.1.4:9090   2d12h
    
    # fortio test
    [root@localhost kmesh]# kubectl exec -ti fortio-client-deployment-6c86f967bf-rxwrb -- fortio load -c 1 -t 20s http://10.96.250.180:80
    
    # ss -antp
    [root@localhost images]# nsenter -t 617877 -n ss -antp
    State                  Recv-Q              Send-Q                           Local Address:Port                            Peer Address:Port              Process
    TIME-WAIT              0                   0                                  10.244.1.12:46496                             10.244.1.4:9090
    ESTAB                  0                   0                                  10.244.1.12:45562                             10.244.1.4:9090               users:(("fortio",pid=617877,fd=3))
  2. waypoint

    # fortio test
    [root@localhost images]# kubectl exec -ti fortio-client-deployment-6c86f967bf-xtf2b -- fortio load -c 1 -t 30s http://10.96.153.141:80
    [root@localhost httpbin]# nsenter -t 943363 -n ss -antp
    State               Recv-Q              Send-Q                           Local Address:Port                              Peer Address:Port               Process
    ESTAB               0                   0                                  10.244.1.14:54676                               10.244.1.9:15019               users:(("fortio",pid=943363,fd=3))
  3. auth

    • pods info

      # pods
      [root@localhost httpbin]# kubectl get pods -owide
      NAME                                        READY   STATUS    RESTARTS   AGE     IP            NODE             NOMINATED NODE   READINESS GATES
      fortio-client-deployment-6c86f967bf-xtf2b   1/1     Running   0          7m13s   10.244.1.14   ambient-worker   <none>           <none>
      fortio-server-deployment-7fcf96565c-s22p2   1/1     Running   0          73m     10.244.1.4    ambient-worker   <none>           <none>
      httpbin-f85dc8498-wp226                     1/1     Running   0          4m4s    10.244.1.17   ambient-worker   <none>           <none>
      sleep-78ff5975c6-w46dv                      1/1     Running   0          4m5s    10.244.1.16   ambient-worker   <none>           <none>
      sleep-78ff5975c6-xrhn7                      1/1     Running   0          4m5s    10.244.1.15   ambient-worker   <none>           <none>
      # svc
      [root@localhost httpbin]# kubectl get svc
      NAME            TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
      fortio-server   ClusterIP   10.96.153.141   <none>        80/TCP     73m
      httpbin         ClusterIP   10.96.149.231   <none>        8000/TCP   4m7s
      kubernetes      ClusterIP   10.96.0.1       <none>        443/TCP    75m
      sleep           ClusterIP   10.96.80.90     <none>        80/TCP     4m9s
      [root@localhost httpbin]
    • config accept auth rule

      kubectl apply -f - <<EOF
      apiVersion: security.istio.io/v1beta1
      kind: AuthorizationPolicy
      metadata:
        name: allow-by-srcip
        namespace: default
      spec:
        selector:
          matchLabels:
            app: httpbin
        action: ALLOW
        rules:
        - from:
          - source:
              ipBlocks:
              - 10.244.1.15/32
      EOF
    • test

      # curl 
      [root@localhost httpbin]# kubectl exec -ti sleep-78ff5975c6-w46dv -- curl http://10.96.149.231:8000/headers
      curl: (56) Recv failure: Connection reset by peer
      command terminated with exit code 56
      [root@localhost httpbin]# kubectl exec -ti sleep-78ff5975c6-xrhn7 -- curl http://10.96.149.231:8000/headers
      {
      "headers": {
       "Accept": "*/*",
       "Host": "10.96.149.231:8000",
       "User-Agent": "curl/8.8.0"
      }
      }
    • config deny auth rule

      kubectl apply -f - <<EOF
      apiVersion: security.istio.io/v1beta1
      kind: AuthorizationPolicy
      metadata:
        name: allow-by-srcip
        namespace: default
      spec:
        selector:
          matchLabels:
            app: httpbin
        action: ALLOW
        rules:
        - from:
          - source:
              ipBlocks:
              - 10.244.1.15/32
      EOF
    • test

      [root@localhost httpbin]# kubectl exec -ti sleep-78ff5975c6-xrhn7 -- curl http://10.96.149.231:8000/headers
      curl: (56) Recv failure: Connection reset by peer
      command terminated with exit code 56
      [root@localhost httpbin]# kubectl exec -ti sleep-78ff5975c6-w46dv -- curl http://10.96.149.231:8000/headers
      {
      "headers": {
       "Accept": "*/*",
       "Host": "10.96.149.231:8000",
       "User-Agent": "curl/8.8.0"
      }
      }
      [root@localhost httpbin]#
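
The source-IP rule exercised in the self test above, reduced to a dual-stack matcher in Go. This is an added example, not code from the Kmesh PR: the `Policy` type, the `Allowed` function and the IPv6 address are assumptions made for illustration, and the DENY-before-ALLOW ordering follows Istio's documented evaluation. It shows why an IPv4-mapped IPv6 source has to be unmapped before it is compared with an IPv4 ipBlock.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Policy is a hypothetical ipBlocks-only stand-in, not a Kmesh or Istio type.
type Policy struct {
	Action   string // "ALLOW" or "DENY"
	IPBlocks []string // CIDR form only in this sketch
}

func (p Policy) matches(src netip.Addr) (bool, error) {
	for _, b := range p.IPBlocks {
		pfx, err := netip.ParsePrefix(b)
		if err != nil {
			return false, fmt.Errorf("bad ipBlock %q: %w", b, err)
		}
		if pfx.Contains(src) {
			return true, nil
		}
	}
	return false, nil
}

// Allowed checks DENY first, then requires a hit if any ALLOW policy exists.
func Allowed(policies []Policy, source string) (bool, error) {
	src, err := netip.ParseAddr(source)
	if err != nil {
		return false, err // fail closed on an unparsable source
	}
	src = src.Unmap() // Contains never matches ::ffff:a.b.c.d against an IPv4 prefix
	hasAllow, allowHit := false, false
	for _, p := range policies {
		hit, err := p.matches(src)
		if err != nil || (hit && p.Action == "DENY") {
			return false, err // malformed rule or DENY hit: reject
		}
		hasAllow = hasAllow || p.Action == "ALLOW"
		allowHit = allowHit || (hit && p.Action == "ALLOW")
	}
	return !hasAllow || allowHit, nil
}

func main() {
	// Constructed rule: the page's IPv4 block plus a made-up IPv6 /128.
	p := []Policy{{"ALLOW", []string{"10.244.1.15/32", "fd00:10:244:1::f/128"}}}
	fmt.Println(Allowed(p, "::ffff:10.244.1.15")) // IPv4-mapped form of the allowed pod IP
}
```

Without the `Unmap()` call, a source seen as `::ffff:10.244.1.15` on a dual-stack socket would miss the `10.244.1.15/32` block: it would be rejected under an ALLOW rule and would pass straight through a DENY rule.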
kmesh-bot commented 2 weeks ago

Adding label do-not-merge/contains-merge-commits because PR contains merge commits, which are not allowed in this repository. Use git rebase to reapply your commits on top of the target branch. Detailed instructions for doing so can be found here.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

codecov-commenter commented 2 weeks ago

Codecov Report

Attention: Patch coverage is 40.00000% with 24 lines in your changes missing coverage. Please review.

| Flag | Coverage Δ |
|---|---|
| unittests | 37.03% <40.00%> (+5.01%) :arrow_up: |

| Files | Coverage Δ |
|---|---|
| pkg/controller/workload/bpfcache/backend.go | 66.66% <ø> (+66.66%) :arrow_up: |
| pkg/controller/workload/bpfcache/frontend.go | 32.00% <ø> (+32.00%) :arrow_up: |
| pkg/controller/workload/bpfcache/service.go | 66.66% <ø> (+66.66%) :arrow_up: |
| pkg/controller/workload/cache/workload_cache.go | 66.66% <100.00%> (ø) |
| pkg/auth/rbac.go | 56.75% <57.14%> (ø) |
| pkg/bpf/bpf_kmesh_workload.go | 0.00% <0.00%> (ø) |
| pkg/controller/workload/workload_processor.go | 43.65% <50.00%> (+28.04%) :arrow_up: |
| pkg/nets/nets.go | 20.68% <0.00%> (-7.89%) :arrow_down: |
| pkg/utils/test/bpf_map.go | 38.77% <33.33%> (-1.77%) :arrow_down: |

... and 3 files with indirect coverage changes

kmesh-bot commented 1 week ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hzxuzhonghu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/kmesh-net/kmesh/blob/main/OWNERS)~~ [hzxuzhonghu]

Approvers can indicate their approval by writing `/approve` in a comment

Approvers can cancel approval by writing `/approve cancel` in a comment