Add Hairpin traffic limitation doc (#5705)
1. Skip allowHairpinService test when Antrea-Proxy is disabled.
2. Add documentation including the behavior of the hairpin service
   when Antrea-Proxy is enabled and disabled.

Signed-off-by: graysonwu <wgrayson@vmware.com>
GraysonWu authored Nov 15, 2023
1 parent 1acb2c6 commit 29bea94
Showing 2 changed files with 8 additions and 0 deletions.
7 changes: 7 additions & 0 deletions docs/antrea-network-policy.md
@@ -1777,3 +1777,10 @@ Similar RBAC is applied to the ClusterGroup resource.
- NetworkPolicies are connection/flow oriented and stateful. They apply to
connections, instead of individual packets, which means established connections
won't be blocked by new rules.
- For hairpin service traffic, when a Pod initiates traffic towards the service it provides,
and the same Pod is selected as the Endpoint, NetworkPolicies will consistently permit
this traffic during ingress enforcement if AntreaProxy is enabled. However, when AntreaProxy
is disabled, NetworkPolicies may not function as expected for hairpin service traffic.
This is due to kube-proxy performing SNAT, which conceals the original source IP from Antrea.
Consequently, NetworkPolicies are unable to differentiate between hairpin service traffic and
external traffic in this scenario.
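Review bot: the disabled-AntreaProxy case ends on "may not function as expected", which leaves the reader guessing what actually happens; since the preceding sentences already explain that kube-proxy's SNAT hides the Pod's source IP, it would help to state the concrete consequence, e.g. that an ingress rule which only allows traffic from the Pod's own Namespace or labels will evaluate the hairpin connection as if it came from outside and can reject it. Two smaller points on the same bullet: the feature is written "AntreaProxy" here but "Antrea-Proxy" in the commit message, so one spelling should be chosen to match the rest of the doc; and the new lines run well past the ~80-column wrap used by the existing bullet just above ("- NetworkPolicies are connection/flow oriented and stateful. They apply to"), so rewrapping them would keep the section consistent and markdown-lint friendly.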
1 change: 1 addition & 0 deletions test/e2e/networkpolicy_test.go
@@ -93,6 +93,7 @@ func TestNetworkPolicy(t *testing.T) {
})
t.Run("testAllowHairpinService", func(t *testing.T) {
t.Cleanup(exportLogsForSubtest(t, data))
skipIfProxyDisabled(t, data)
testAllowHairpinService(t, data)
})
}
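Review bot: `skipIfProxyDisabled(t, data)` is called after `t.Cleanup(exportLogsForSubtest(t, data))` has already been registered, and Go still runs cleanup functions for a skipped subtest, so a cluster without AntreaProxy will export logs for a test that never ran; consider moving the skip above the cleanup registration so the skipped case is a true no-op. If the surrounding subtests deliberately register the log export first for every case, a one-line comment saying so would save the next reader the same question.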

0 comments on commit 29bea94