Optimize VPC route conflict detection
Closed this issue · 4 comments
log:
May 28 13:16:21 instance-8tf3544u-1 kube-cloud-controller-manager[31329]: E0528 13:16:21.648039 31329 routes.go:317] VerifyNoOverlap: 172.30.226.0/24 overlaps with 0.0.0.0/0
May 28 13:16:21 instance-8tf3544u-1 kube-cloud-controller-manager[31329]: I0528 13:16:21.648042 31329 routes.go:285] RouteTable conflict detected, custom routeRule {rr-h3gx24h56im9 rt-vtxdhj4xnrhe 192.168.16.0/20 0.0.0.0/0 nat-s5eb94r0n4eu nat nat网关} may conflict with cce routeRule {rr-jv1pf772anj4 rt-vtxdhj4xnrhe 0.0.0.0/0 172.30.226.0/24 i-SDeV9hoU custom auto generated by cce:c-IuFgLbiS}
May 28 13:16:21 instance-8tf3544u-1 kube-cloud-controller-manager[31329]: I0528 13:16:21.648031 31329 event.go:221] Event(v1.ObjectReference{Kind:"VPC", Namespace:"", Name:"RouteTableConflict", UID:"", APIVersion:"", ResourceVersion:"", FieldPath:""}): type: 'Warning' reason: 'RouteTableConflictDetection' RouteTable conflict detected, custom routeRule {rr-h3gx24h56im9 rt-vtxdhj4xnrhe 192.168.16.0/20 0.0.0.0/0 nat-s5eb94r0n4eu nat nat网关} may conflict with cce routeRule {rr-cmh4yu2bny7f rt-vtxdhj4xnrhe 0.0.0.0/0 172.31.1.0/24 i-ShIiBSWa custom auto generated by cce:c-AAxqDRmz}
May 28 13:16:21 instance-8tf3544u-1 kube-cloud-controller-manager[31329]: E0528 13:16:21.648052 31329 routes.go:317] VerifyNoOverlap: 172.19.225.0/24 overlaps with 0.0.0.0/0
May 28 13:16:21 instance-8tf3544u-1 kube-cloud-controller-manager[31329]: I0528 13:16:21.648057 31329 routes.go:285] RouteTable conflict detected, custom routeRule {rr-h3gx24h56im9 rt-vtxdhj4xnrhe 192.168.16.0/20 0.0.0.0/0 nat-s5eb94r0n4eu nat nat网关} may conflict with cce routeRule {rr-txeww3yztwvi rt-vtxdhj4xnrhe 0.0.0.0/0 172.19.225.0/24 i-DUPrStAy custom auto generated by cce:c-OAhztbQx}
May 28 13:16:21 instance-8tf3544u-1 kube-cloud-controller-manager[31329]: I0528 13:16:21.648056 31329 event.go:221] Event(v1.ObjectReference{Kind:"VPC", Namespace:"", Name:"RouteTableConflict", UID:"", APIVersion:"", ResourceVersion:"", FieldPath:""}): type: 'Warning' reason: 'RouteTableConflictDetection' RouteTable conflict detected, custom routeRule {rr-h3gx24h56im9 rt-vtxdhj4xnrhe 192.168.16.0/20 0.0.0.0/0 nat-s5eb94r0n4eu nat nat网关} may conflict with cce routeRule {rr-b5tw5et8n9ge rt-vtxdhj4xnrhe 0.0.0.0/0 172.18.4.0/24 i-Eq0cGSYe custom auto generated by cce:c-SwJoHPpR}
May 28 13:16:21 instance-8tf3544u-1 kube-cloud-controller-manager[31329]: I0528 13:16:21.648065 31329 event.go:221] Event(v1.ObjectReference{Kind:"VPC", Namespace:"", Name:"RouteTableConflict", UID:"", APIVersion:"", ResourceVersion:"", FieldPath:""}): type: 'Warning' reason: 'RouteTableConflictDetection' RouteTable conflict detected, custom routeRule {rr-h3gx24h56im9 rt-vtxdhj4xnrhe 192.168.16.0/20 0.0.0.0/0 nat-s5eb94r0n4eu nat nat网关} may conflict with cce routeRule {rr-xgu0brnk0hww rt-vtxdhj4xnrhe 0.0.0.0/0 172.18.3.0/24 i-umuuimse custom auto generated by cce:c-SwJoHPpR}
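The NAT gateway may need to be excluded.
src | dst | next hop | type | Pod reachable | Created by CCE |
---|---|---|---|---|---|
192.168.0.0/16 | 172.16.0.0/23 | 192.168.0.1 | default gateway | No | No |
0.0.0.0/0 | 172.16.0.0/23 | 192.168.0.4 | instance route | Yes | No |
192.168.0.0/16 | 0.0.0.0/0 | 192.168.0.1 | default gateway | Yes | No |
0.0.0.0/0 | 172.16.0.0/24 | 192.168.0.5 | instance route | Yes | Yes |
The src address is longest-prefix matched first, and then the dst is longest-prefix matched. When the first rule is present, traffic does not get through. Currently, when adding a route rule in the VPC console, only instance routes can use 0.0.0.0/0 as the src; other types must have route relay enabled before 0.0.0.0/0 can be entered as the src address. So the instance routes created by CCE have a lower priority than routes created by the user.
Conflict detection also reports an error for the second rule in the table above, but that rule does not affect CCE network communication.
With the third rule, the pod is reachable.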
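The dst-overlap check that the `VerifyNoOverlap` log lines point to, run over the table above with and without the NAT exclusion proposed in this issue. This is an added example, not the cloud-controller-manager's code: the `Rule` type, the `Conflicts` function, the type labels and the decision to compare only dst are assumptions.

```go
package main

import (
	"fmt"
	"net"
)

// Rule mirrors the columns of the route table above (hypothetical type, not the CCE struct).
type Rule struct {
	Src, Dst, NextHop, Type string
}

// overlaps reports whether two CIDRs share an address: true exactly when one contains the other's base address.
func overlaps(a, b string) bool {
	_, na, errA := net.ParseCIDR(a)
	_, nb, errB := net.ParseCIDR(b)
	if errA != nil || errB != nil {
		return false // malformed CIDR: nothing to compare
	}
	return na.Contains(nb.IP) || nb.Contains(na.IP)
}

// Conflicts returns the custom rules whose dst overlaps the CCE rule's dst.
// With skipNAT set, rules of type "nat" are ignored, as the issue proposes.
func Conflicts(custom []Rule, cce Rule, skipNAT bool) []Rule {
	var hits []Rule
	for _, r := range custom {
		if skipNAT && r.Type == "nat" {
			continue
		}
		if overlaps(r.Dst, cce.Dst) {
			hits = append(hits, r)
		}
	}
	return hits
}

// Constructed input: rows 1-3 of the table, the NAT rule from the log, and row 4 as the CCE rule.
var customRules = []Rule{
	{"192.168.0.0/16", "172.16.0.0/23", "192.168.0.1", "default gateway"},
	{"0.0.0.0/0", "172.16.0.0/23", "192.168.0.4", "instance route"},
	{"192.168.0.0/16", "0.0.0.0/0", "192.168.0.1", "default gateway"},
	{"192.168.16.0/20", "0.0.0.0/0", "nat-s5eb94r0n4eu", "nat"},
}
var cceRule = Rule{"0.0.0.0/0", "172.16.0.0/24", "192.168.0.5", "instance route"}

func main() {
	fmt.Println(len(Conflicts(customRules, cceRule, false)), len(Conflicts(customRules, cceRule, true)))
}
```

Skipping the NAT rule removes only that one finding: rows 1 to 3 are still flagged, including rows 2 and 3, which the comment above says do not break pod traffic.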
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
/close
@wccsama: Closing this issue.
In response to this:
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.