Adds a bool to the cni config that will add a policy that allows for loopbackDSR on an interface. Updates relevant documentation. Allows L2Tunnel networks to be used for L2Bridge plugin.
* Increase entroy from 2 bytes to 7 bytes to prevent collisions
* Extract common library function for hash with prefix
* Refactor portmap plugin to use library function
fixes #347
Co-authored-by: Cameron Moreau <cmoreau@pivotal.io>
Co-authored-by: Mikael Manukyan <mmanukyan@pivotal.io>
This PR add the option to configure an empty ipam for the macvlan cni plugin.
When using the macvlan cni plugin with an empty ipam the requeted pod will get the macvlan interface but without any ip address.
One of the use cases for this feature is for projects that runs a dhcp server inside the pod like KubeVirt.
In KubeVirt we need to let the vm running inside the pod to make the dhcp request so it will be able to make a release an renew request when needed.
We used to return error if no endpoint was found during delete. We now treat this as a success. If we fail during an add call, we now make a delete delegate call to the ipam to clean-up.
Now that libcni has the ability to print a version message, plumb it
through correctly.
While we're at it,
- fix import paths
- run gofmt
- add some more comments to sample
- add container runtime swappability for release
Example of usage, which uses flannel for allocating IP
addresses for containers and then registers them in `trusted`
zone in firewalld:
{
"cniVersion": "0.3.1",
"name": "flannel-firewalld",
"plugins": [
{
"name": "cbr0",
"type": "flannel",
"delegate": {
"isDefaultGateway": true
}
},
{
"type": "firewall",
"backend": "firewalld",
"zone": "trusted"
}
]
}
Fixes #114
Signed-off-by: Alban Crequy <alban@kinvolk.io>
Signed-off-by: Michal Rostecki <mrostecki@suse.com>
Distros often have additional rules in the their iptabvles 'filter' table
that do things like:
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
docker, for example, gets around this by adding explicit rules to the filter
table's FORWARD chain to allow traffic from the docker0 interface. Do that
for a given host interface too, as a chained plugin.
With the VLAN filter, the Linux bridge acts more like a real switch, Allow to tag and untag
vlan id's on every interface connected to the bridge.
This PR also creates a veth interface for the bridge vlan interface on L3 configuration.
Related to https://developers.redhat.com/blog/2017/09/14/vlan-filter-support-on-bridge/ post.
Note: This feature was introduced in Linux kernel 3.8 and was added to RHEL in version 7.0.
