From 29bea94e7c049dffaae4a50f18980811e32b514f Mon Sep 17 00:00:00 2001
From: GraysonWu
Date: Tue, 14 Nov 2023 22:07:02 -0800
Subject: [PATCH] Add Hairpin traffic limitation doc (#5705)

1. Skip allowHairpinSerivce test when Antrea-Proxy is disabled.
2. Add documentation including the behavior of the hairpin service when Antrea-Proxy is enabled and disabled.

Signed-off-by: graysonwu
---
 docs/antrea-network-policy.md | 7 +++++++
 test/e2e/networkpolicy_test.go | 1 +
 2 files changed, 8 insertions(+)

diff --git a/docs/antrea-network-policy.md b/docs/antrea-network-policy.md
index ae3180d402d..9d289aa6e64 100644
--- a/docs/antrea-network-policy.md
+++ b/docs/antrea-network-policy.md
@@ -1777,3 +1777,10 @@ Similar RBAC is applied to the ClusterGroup resource.
 - NetworkPolicies are connection/flow oriented and stateful. They apply to connections, instead of individual packets, which means established connections won't be blocked by new rules.
+- For hairpin service traffic, when a Pod initiates traffic towards the service it provides,
+ and the same Pod is selected as the Endpoint, NetworkPolicies will consistently permit
+ this traffic during ingress enforcement if AntreaProxy is enabled. However, when AntreaProxy
+ is disabled, NetworkPolicies may not function as expected for hairpin service traffic.
+ This is due to kube-proxy performing SNAT, which conceals the original source IP from Antrea.
+ Consequently, NetworkPolicies are unable to differentiate between hairpin service traffic and
+ external traffic in this scenario.
diff --git a/test/e2e/networkpolicy_test.go b/test/e2e/networkpolicy_test.go
index eb10f0144d9..0a7fbe2d74e 100644
--- a/test/e2e/networkpolicy_test.go
+++ b/test/e2e/networkpolicy_test.go
@@ -93,6 +93,7 @@ func TestNetworkPolicy(t *testing.T) {
 })
 t.Run("testAllowHairpinService", func(t *testing.T) {
 t.Cleanup(exportLogsForSubtest(t, data))
+ skipIfProxyDisabled(t, data)
 testAllowHairpinService(t, data)
 })
 }
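Review bot: The added `skipIfProxyDisabled(t, data)` in the networkpolicy_test.go hunk is placed after `t.Cleanup(exportLogsForSubtest(t, data))`, so when the subtest is skipped the registered cleanup still runs and presumably exports logs for a subtest that never executed; making the skip the first statement of the closure avoids that work, i.e. `skipIfProxyDisabled(t, data)` then `t.Cleanup(exportLogsForSubtest(t, data))`. The skip also deserves a one-line reason that ties it to the documented behavior, e.g. `// Hairpin ingress enforcement is only defined with AntreaProxy; kube-proxy SNAT hides the original source IP (see docs/antrea-network-policy.md).`, so a reader of the test does not have to find the commit message to learn why the check is meaningless without AntreaProxy. The enclosing TestNetworkPolicy starts outside the hunk, and other subtests that may need the same skip are not visible here.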