Add host network rules for ports used by Antrea#7803
hongliangl wants to merge 1 commit into antrea-io:main from
Conversation
Pull request overview
This pull request refactors how Antrea manages host network iptables rules for various components that listen on specific ports. Instead of hardcoding individual port parameters, the code now uses a more extensible pattern with HostNetworkRulePortFn functions and a map-based approach to store port configurations.
Changes:
- Introduced a flexible, function-based API for configuring host network rule ports using HostNetworkRulePortFn and With* helper functions
- Added iptables rules for Agent APIServer (port 10350) and Agent cluster membership (port 10351) to allow necessary traffic
- Integrated dynamic iptables rule updates for Controller APIServer based on endpoint resolution
- Refactored the initialization of host network rules to use consistent naming (init*HostNetworkRules)
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| pkg/agent/route/route_linux.go | Core implementation of the new host network rules system, including the HostNetworkRulePortFn pattern, feature-based iptables cache, and dynamic Controller APIServer rule updates |
| pkg/agent/route/route_linux_test.go | Updated test expectations to reflect new iptables rules for Agent APIServer and cluster membership ports |
| pkg/agent/client/endpoint_resolver.go | Added NewAntreaServiceEndpointResolver helper function to create endpoint resolvers for the Antrea Service |
| pkg/agent/client/client.go | Refactored to accept endpointResolver as a parameter and removed the endpoint resolver Run call from the client provider |
| cmd/antrea-agent/agent.go | Updated to create and run the endpoint resolver, and configure host network rule ports using the new API |
| test/integration/agent/route_test.go | Updated test setup to use the new HostNetworkRulePortFn API |
e5fb9ea to 12ce84f
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated no new comments.
12ce84f to ee0dd0e
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated no new comments.
ee0dd0e to 2b52f7e
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.
da40d1a to 9b89e28
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.
9b89e28 to 3edd1b3
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.
3edd1b3 to d80e7d5
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated no new comments.
d80e7d5 to c497412
Is this just a cosmetic change? Why are we including it in this PR? I don't see it mentioned in the PR description.
antrea-agent installs the host network rules, but it cannot obtain the antrea-controller listening port from configuration or environment variables.
While the ports used by antrea-agent are available from configuration, the antrea-controller port must be discovered dynamically. I found that antreaServiceEndpointResolver already provides this functionality.
As a result, I moved it to cmd/antrea-agent/agent.go so it can also be reused in pkg/agent/route/route_linux.go to get the antrea-controller Endpoints.
cmd/antrea-agent/agent.go (Outdated)

    proxyHealthCheckPort, _ = strconv.ParseInt(proxyHealthCheckPortStr, 10, 32)
    }

    hostNetworkRulePortFns := []route.HostNetworkRulePortFn{
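Review bot: the blank identifier in `proxyHealthCheckPort, _ = strconv.ParseInt(proxyHealthCheckPortStr, 10, 32)` discards the parse error, so a malformed port string silently leaves proxyHealthCheckPort at 0 right before it is fed into hostNetworkRulePortFns; consider returning or logging the error (or checking for a zero port) so a bad configuration value cannot quietly produce a wrong host network rule.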
The caller (this code) doesn't need to know that these are functions.
If possible, IMO, it would be better to have usage that looks like this:
    hostNetworkPortRules := route.NewHostNetworkPortRules().
        Allow(o.config.APIPort, "tcp", "kube-apiserver").
        Allow(o.config.ClusterMembershipPort, "udp", "cluster membership").
        Allow(o.config.WireGuard.Port, "udp", "wireguard")

Let me know if you think this is possible.
This is more graceful, and I removed the protocol. This is because we developers know the protocol, like WireGuard using UDP and ClusterMembershipPort using TCP/UDP, but the port number is configurable.
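As an added example of the chained Allow API sketched in the review exchange above (this is not Antrea's code and not the API the PR ends up implementing): a small builder that collects the ports the Node's host network listens on and renders them as iptables rule specs placed ahead of a default DROP, which is the allow-list-over-default-drop model the PR description is about. The names HostNetworkPortRules, Allow, Render and the ANTREA-INPUT chain are assumptions, the 51820 WireGuard port is a constructed sample value (the PR notes the port is configurable), and the protocol argument is kept as in the suggestion even though the author later dropped it. The Allow method rejects port 0 and out-of-range ports, so a failed ParseInt upstream cannot silently turn into a rule.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// hostNetworkPortRule is one entry of the host network allow list.
type hostNetworkPortRule struct {
	port  int32
	proto string
	desc  string
}

// HostNetworkPortRules is a hypothetical builder (not Antrea's API) that
// accumulates allow rules and any invalid inputs it was given.
type HostNetworkPortRules struct {
	rules []hostNetworkPortRule
	errs  []error
}

func NewHostNetworkPortRules() *HostNetworkPortRules { return &HostNetworkPortRules{} }

// Allow records an allow rule for a port a host-network listener uses.
// Port 0 (what a failed strconv.ParseInt leaves behind), out-of-range ports and
// unknown protocols are recorded as errors instead of producing a bogus rule.
func (r *HostNetworkPortRules) Allow(port int32, proto, desc string) *HostNetworkPortRules {
	if port < 1 || port > 65535 {
		r.errs = append(r.errs, fmt.Errorf("%s: port %d out of range", desc, port))
		return r
	}
	if proto != "tcp" && proto != "udp" {
		r.errs = append(r.errs, fmt.Errorf("%s: unsupported protocol %q", desc, proto))
		return r
	}
	r.rules = append(r.rules, hostNetworkPortRule{port: port, proto: proto, desc: desc})
	return r
}

// Render returns iptables rule specs for the given chain in insertion order,
// followed by a terminal DROP, or an error aggregating every rejected Allow call.
// The chain name is a placeholder supplied by the caller.
func (r *HostNetworkPortRules) Render(chain string) ([]string, error) {
	if len(r.errs) > 0 {
		return nil, errors.Join(r.errs...)
	}
	out := make([]string, 0, len(r.rules)+1)
	for _, rule := range r.rules {
		out = append(out, fmt.Sprintf("-A %s -p %s --dport %d -m comment --comment %q -j ACCEPT",
			chain, rule.proto, rule.port, rule.desc))
	}
	// The default-drop rule comes last so only the explicit allow list above matches first.
	out = append(out, fmt.Sprintf("-A %s -j DROP", chain))
	return out, nil
}

func main() {
	// Ports 10350 and 10351 are the agent APIServer and cluster membership ports
	// named in the PR; 51820 is a constructed sample WireGuard port.
	rules, err := NewHostNetworkPortRules().
		Allow(10350, "tcp", "antrea-agent apiserver").
		Allow(10351, "udp", "cluster membership").
		Allow(51820, "udp", "wireguard").
		Render("ANTREA-INPUT")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(strings.Join(rules, "\n"))
}
```

Because Render refuses to emit anything while a rejected Allow is pending, a configuration mistake fails loudly at startup rather than leaving the Node with either an unintended hole or a silently blocked component.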
Add host network allow rules for Antrea components and features that listen on the Node's host network (antrea-agent APIServer, cluster membership, WireGuard, proxy health check). These rules ensure that the corresponding traffic is allowed when the default Node host network policy is set to drop. Additionally, move Antrea Service EndpointResolver creation from `pkg/agent/client` to `cmd/antrea-agent` so the Client in `pkg/agent/route/route_linux.go` can use the same resolver and obtain the Antrea Controller APIServer listening port dynamically for its host network rules.
Signed-off-by: Hongliang Liu <hongliang.liu@broadcom.com>
c497412 to fdabdb9
For #7823
Add host network allow rules for Antrea components and features that listen on
the Node's host network (antrea-agent APIServer, cluster membership, WireGuard,
proxy health check). These rules ensure that the corresponding traffic is allowed
when the default Node host network policy is set to drop.
Additionally, move Antrea Service EndpointResolver creation from
pkg/agent/client to cmd/antrea-agent so the Client in pkg/agent/route/route_linux.go
can use the same resolver and obtain the Antrea Controller APIServer listening port
dynamically for its host network rules.