openyurtio / raven

provide layer 3 and layer 7 network connectivity among pods in different physical regions
Apache License 2.0

Using VTI devices and Routes to manage VPN connections #80

Open hhyasdf opened 1 year ago

hhyasdf commented 1 year ago

Raven now uses the subnet-based configuration of Libreswan to create VPN connections, which relies strongly on the "One-Subnet-One-Node" assumption. This brings trouble when the CNI implementation does not obey that assumption; many CNIs even let subnets span multiple nodes.

Both Libreswan and WireGuard support a route-based management method. Using this, maybe raven could only watch the IPs of Pod objects and use them to configure routes (policy route + ipset + iptables mark) instead of relying on the "subnets" of nodes.

njucjc commented 1 year ago

cc @BSWANG @DrmagicE @luckymrwang

BSWANG commented 1 year ago

@hhyasdf How to sync the ip of "nodepool"?

hhyasdf commented 1 year ago

> @hhyasdf How to sync the ip of "nodepool"?

  • Watch Pod IPs on each node.
  • OR sync the Pod IPs of the "nodepool" to the gateway CR.

Maybe "Watch Pod IPs on each node" is fine.

The logic can be, "only Pod IPs of the local nodepool do not need to go through the VPN", so only the Pod IPs of the nodepool this node belongs to need to be handled.

rambohe-ch commented 1 year ago

> > @hhyasdf How to sync the ip of "nodepool"?
>
>   • Watch Pod IPs on each node.
>   • OR sync the Pod IPs of the "nodepool" to the gateway CR.
>
> Maybe "Watch Pod IPs on each node" is fine.
>
> The logic can be, "only Pod IPs of the local nodepool do not need to go through the VPN", so only the Pod IPs of the nodepool this node belongs to need to be handled.

@hhyasdf This means every raven agent on nodes should list/watch all pods in the cluster? But I am worried that cloud-edge public network traffic will increase greatly.

hhyasdf commented 1 year ago

> > > @hhyasdf How to sync the ip of "nodepool"?
> >
> >   • Watch Pod IPs on each node.
> >   • OR sync the Pod IPs of the "nodepool" to the gateway CR.
> >
> > Maybe "Watch Pod IPs on each node" is fine. The logic can be, "only Pod IPs of the local nodepool do not need to go through the VPN", so only the Pod IPs of the nodepool this node belongs to need to be handled.
>
> @hhyasdf This means every raven agent on nodes should list/watch all pods in the cluster? But I am worried that cloud-edge public network traffic will increase greatly.

@rambohe-ch Syncing the Pod IPs of the "nodepool" to the gateway CR might be a good way to reduce cloud-edge public network traffic. I mean, both of them are fine.
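As an added illustration of the two ideas in this thread (the route-based steering via policy route + ipset + iptables mark from the opening comment, and the "only Pod IPs of the local nodepool bypass the VPN" rule from the later replies), the Go program below shows what an agent-side reconciliation step could look like. It is example code written for this discussion, not raven's own implementation: the `Pod` type, the sample pods, the node-to-nodepool map, the ipset name `raven-remote`, the VTI device name `ipsec0`, the fwmark `0x80` and routing table `100` are all constructed assumptions. It renders the host commands as a dry-run list rather than executing them, and treats pods on nodes with no known nodepool as remote so that a missing label never sends traffic outside the tunnel.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// Pod holds the two fields a raven agent would read from a watched Pod object:
// the pod IP and the node it was scheduled to. Constructed stand-in type for
// this example, not raven's own API.
type Pod struct {
	Name     string
	IP       string
	NodeName string
}

// Constructed sample data: three nodepools, one pod still Pending (no IP yet),
// one pod on a node the agent has no nodepool label for, and a duplicate IP.
var SamplePods = []Pod{
	{"web-0", "10.244.1.10", "edge-a-1"},
	{"web-1", "10.244.1.11", "edge-a-2"},
	{"api-0", "10.244.2.5", "edge-b-1"},
	{"api-0-dup", "10.244.2.5", "edge-b-1"},
	{"db-0", "10.244.0.8", "cloud-1"},
	{"pending-0", "", "edge-b-1"},
	{"orphan-0", "10.244.9.9", "node-without-pool-label"},
}

// SampleNodePools maps node name -> nodepool name, as an agent would derive
// from Node labels (constructed values).
var SampleNodePools = map[string]string{
	"edge-a-1": "edge-a",
	"edge-a-2": "edge-a",
	"edge-b-1": "edge-b",
	"cloud-1":  "cloud",
}

// RemotePodIPs applies the rule from the thread: only pod IPs of the local
// nodepool bypass the VPN; everything else is steered through it.
// Pods without a valid IP are skipped. Pods on a node whose nodepool is unknown
// are treated as remote, so an unlabeled node never causes traffic to leave in
// the clear. The result is deduplicated and sorted so repeated reconciliations
// yield identical ipset contents.
func RemotePodIPs(pods []Pod, nodePoolOf map[string]string, localPool string) []string {
	seen := make(map[string]struct{})
	for _, p := range pods {
		if net.ParseIP(p.IP) == nil {
			continue // Pending pod or malformed IP: nothing to route yet
		}
		pool, known := nodePoolOf[p.NodeName]
		if known && pool == localPool {
			continue // same nodepool: reachable directly, stays outside the VPN
		}
		seen[p.IP] = struct{}{}
	}
	out := make([]string, 0, len(seen))
	for ip := range seen {
		out = append(out, ip)
	}
	sort.Strings(out)
	return out
}

// SteeringCommands renders the ipset + fwmark + policy-route setup as a dry-run
// list of commands instead of executing them, so the desired state can be
// inspected or diffed against the host before it is applied.
// setName, dev, mark and table are example values chosen for this snippet.
func SteeringCommands(setName string, ips []string, dev string, mark uint32, table int) []string {
	cmds := []string{fmt.Sprintf("ipset create %s hash:ip -exist", setName)}
	for _, ip := range ips {
		cmds = append(cmds, fmt.Sprintf("ipset add %s %s -exist", setName, ip))
	}
	cmds = append(cmds,
		// mark packets destined to a remote pod, both forwarded and locally generated
		fmt.Sprintf("iptables -t mangle -A PREROUTING -m set --match-set %s dst -j MARK --set-mark 0x%x", setName, mark),
		fmt.Sprintf("iptables -t mangle -A OUTPUT -m set --match-set %s dst -j MARK --set-mark 0x%x", setName, mark),
		// marked packets consult a dedicated table whose only route points at the VTI device
		fmt.Sprintf("ip rule add fwmark 0x%x lookup %d", mark, table),
		fmt.Sprintf("ip route replace default dev %s table %d", dev, table),
	)
	return cmds
}

func main() {
	remote := RemotePodIPs(SamplePods, SampleNodePools, "edge-a")
	for _, c := range SteeringCommands("raven-remote", remote, "ipsec0", 0x80, 100) {
		fmt.Println(c)
	}
}
```

Run from the perspective of nodepool `edge-a`, the program lists only the `edge-b` and `cloud` pod IPs (plus the pod on the unlabeled node) for the ipset; the same function evaluated on an `edge-b` node drops its own API pods and picks up the `edge-a` web pods instead, which is exactly the per-nodepool filtering that keeps each agent's watch result small.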