The Sdewan config agent is the controller for Sdewan (a CRD) instances. When a Sdewan instance is created, the agent creates a pod running OpenWRT. The OpenWRT pod can act as an SD-WAN, an IPsec tunnel or a firewall, depending on the rules applied to the OpenWRT instance.
## CRDs

The Sdewan CRD depends on other CRDs, so the related CRDs are listed here.
Name | Kind | Component |
---|---|---|
networks | Network | ovn4nfv-k8s-plugin |
providernetworks | ProviderNetwork | ovn4nfv-k8s-plugin |
network-attachment-definitions | NetworkAttachmentDefinition | multus |
The new CRDs introduced by Sdewan look like the samples below.

### Sdewan CRD

```yaml
apiVersion: batch.sdewan.akraino.org/v1alpha1
kind: Sdewan
metadata:
  name: example-sdwan
spec:
  node: node1
  networks:
    - name: ovn-net1
      isProvider: true
    - name: ovn-net2
      isProvider: false
  mwan3Conf: example1-conf
  firewallConf: example-firewall
```
### Mwan3Rule

```yaml
apiVersion: batch.sdewan.akraino.org/v1alpha1
kind: Mwan3Conf
metadata:
  name: example1-conf
spec:
  policy:
    balance1:
      members:
        - network: ovn-net1
          weight: 2
          metric: 2
        - network: ovn-net2
          weight: 3
          metric: 3
  rule:
    https:
      policy: balance1
      dest_ip: 0.0.0.0/0
      dest_port: 443
    http:
      policy: balance1
      dest_ip: 0.0.0.0/0
      dest_port: 80
```
### FirewallConf

```yaml
apiVersion: batch.sdewan.akraino.org/v1alpha1
kind: FirewallConf
metadata:
  name: example-firewall
spec:
  zones:
    - name: lan
      network:
        - ovn-net2
      input: REJECT
      output: ACCEPT
    - name: wan
      network:
        - ovn-net1
      input: REJECT
      output: ACCEPT
  redirects:
    - name: DNAT-LAN
      src: wan
      src_dport: 1990
      dest: lan
      dest_port: 22
      proto: tcp
      target: DNAT
  rules:
    - name: REJECT_LAN_80
      src: lan
      src_ip: 192.168.1.2
      src_port: 80
      proto: tcp
      target: REJECT
  forwardings:
    - name: lan-wan
      src: lan
      dest: wan
```
## The reconcile function logic
The controller behaves as follows:

- Monitor Sdewan instances and Mwan3Conf/FirewallConf instances
- When a Mwan3Conf/FirewallConf instance is created/updated:
  - Validate the instance Spec through the API admission webhook
  - If this Conf instance is used by any Sdewan instance, inform the Sdewan controller to apply the conf
- When a Mwan3Conf/FirewallConf instance is being deleted:
  - If this Conf instance is used by any Sdewan instance, prevent the delete action
- When a Sdewan instance is created/updated:
  - Create the sdewan deployment/pod if it does not exist
  - Apply the Conf if the Conf instance exists
- When a Sdewan instance is deleted:
  - Delete the deployment/pod
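The deletion guard from the reconcile logic above, written as plain Go as an added example (not the project's code): the `Sdewan` and `ConfRef` types are hypothetical stand-ins for the `mwan3Conf`/`firewallConf` spec fields of the Sdewan sample, and the Sdewan list is constructed inline where the real controller would fetch it from the API server before answering the admission request.

```go
package main

import "fmt"

// Sdewan holds the spec fields of the Sdewan sample that the deletion guard
// needs (hypothetical Go types written for this example, not the project's).
type Sdewan struct {
	Name         string
	Mwan3Conf    string // spec.mwan3Conf, "" when unset
	FirewallConf string // spec.firewallConf, "" when unset
}

// ConfRef identifies the Mwan3Conf or FirewallConf instance being deleted.
type ConfRef struct {
	Kind string // "Mwan3Conf" or "FirewallConf"
	Name string
}

// UsedBy returns the names of the Sdewan instances that reference conf.
func UsedBy(conf ConfRef, sdewans []Sdewan) []string {
	var users []string
	for _, s := range sdewans {
		ref := map[string]string{"Mwan3Conf": s.Mwan3Conf, "FirewallConf": s.FirewallConf}[conf.Kind]
		// An unset reference must never match an empty conf name.
		if ref != "" && ref == conf.Name {
			users = append(users, s.Name)
		}
	}
	return users
}

// ValidateDelete is the admission decision for a DELETE of a Conf instance:
// denied while any Sdewan still points at it, so a firewall or mwan3 policy
// cannot disappear from under a running OpenWRT pod.
func ValidateDelete(conf ConfRef, sdewans []Sdewan) error {
	if users := UsedBy(conf, sdewans); len(users) > 0 {
		return fmt.Errorf("%s %q is still used by Sdewan %v; remove those references first",
			conf.Kind, conf.Name, users)
	}
	return nil
}

func main() {
	// Constructed sample: the Sdewan from the manifest above plus a second node.
	sdewans := []Sdewan{
		{Name: "example-sdwan", Mwan3Conf: "example1-conf", FirewallConf: "example-firewall"},
		{Name: "edge-2", Mwan3Conf: "example1-conf"},
	}
	fmt.Println(ValidateDelete(ConfRef{"FirewallConf", "example-firewall"}, sdewans))
}
```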