CARRY: Advertised UDN networks isolation configurable

The ovnk by default isolates advertised UDN networks isolated from each other,
but there is a requirement to disable isolation so that BGP routing functionality
can be tested between different UDN networks. Hence this commit consumes the
UDN_ISOLATION_MODE env variable and isolation can be determined accordingly.
By default it uses secure mode to isolate the networks and it can be overridden
by CNO via config map.

Signed-off-by: Periyasamy Palanisamy <[email protected]>

Author: pperiyasamy

go-controller/pkg/ovn/udn_isolation.go

@@ -300,6 +300,11 @@ func BuildAdvertisedNetworkSubnetsDropACL(advertisedNetworkSubnetsAddressSet add
 // pass   "(ip[4|6].src == <UDN_SUBNET> && ip[4|6].dst == <UDN_SUBNET>)"                1100
 // drop   "(ip[4|6].src == $<ALL_ADV_SUBNETS> && ip[4|6].dst == $<ALL_ADV_SUBNETS>)"    1050
 func (bnc *BaseNetworkController) addAdvertisedNetworkIsolation(nodeName string) error {
+	if util.IsLooseUDNIsolation() {
+		klog.Infof("The network %s is configured with loose isolation mode, skip adding tier-0 drop ACL rule",
+			bnc.GetNetworkName())
+		return nil
+	}
 	var passMatches, cidrs []string
 	var ops []ovsdb.Operation
 
@@ -363,6 +368,11 @@ func (bnc *BaseNetworkController) addAdvertisedNetworkIsolation(nodeName string)
 // deleteAdvertisedNetworkIsolation deletes advertised network isolation rules from the given node switch.
 // It removes the network CIDRs from the global advertised networks addresset together with the ACLs on the node switch.
 func (bnc *BaseNetworkController) deleteAdvertisedNetworkIsolation(nodeName string) error {
+	if util.IsLooseUDNIsolation() {
+		klog.Infof("The network %s is configured with loose isolation mode, skip deleting tier-0 drop ACL rule",
+			bnc.GetNetworkName())
+		return nil
+	}
 	addrSet, err := bnc.addressSetFactory.GetAddressSet(GetAdvertisedNetworkSubnetsAddressSetDBIDs())
 	if err != nil {
 		return fmt.Errorf("failed to get advertised subnets addresset %s for network %s: %w", GetAdvertisedNetworkSubnetsAddressSetDBIDs(), bnc.GetNetworkName(), err)

go-controller/pkg/util/multi_network.go

@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"os"
 	"reflect"
 	"strconv"
 	"strings"
@@ -28,6 +29,13 @@ var (
 	ErrorUnsupportedIPAMKey     = errors.New("IPAM key is not supported. Use OVN-K provided IPAM via the `subnets` attribute")
 )
 
+var (
+	// UDNLooseIsolation allows communication between two advertised UDN networks.
+	UDNLooseIsolation string = "loose"
+	// UDNLooseIsolation drops communication between two advertised UDN networks.
+	UDNSecureIsolation string = "secure"
+)
+
 // NetInfo exposes read-only information about a network.
 type NetInfo interface {
 	// static information, not expected to change.
@@ -1554,3 +1562,10 @@ func ParseNetworkName(networkName string) (udnNamespace, udnName string) {
 	}
 	return "", ""
 }
+
+// IsLooseUDNIsolation returns true if two UDN networks are not configured to be
+// isolated each other when both networks advertising their pod IPs using BGP over
+// default VRF, otherwise returns false.
+func IsLooseUDNIsolation() bool {
+	return os.Getenv("UDN_ISOLATION_MODE") == UDNLooseIsolation
+}