Whenever an IP block is provided as match criteria for an Egress Firewall, we check whether it overlaps any of the current pod subnets. If it does, we add an exclusion match criterion to the ACL so that east/west traffic is not affected by the firewall. Today, when a NAD changes, the NAD Controller invokes the handleNetworkEvent callback on the Egress Firewall controller. This callback causes every Egress Firewall in the NAD's namespace to be reconciled, which should force the ACLs to be regenerated if the newly added subnet overlaps the IP block of the Egress Firewall.
A new e2e or unit test should be added that configures an Egress Firewall with an IP block that does not overlap the UDN's subnet, then updates the UDN with a subnet that does overlap, and verifies that the Egress Firewall's ACL is updated with the proper exclusion.
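The overlap check and exclusion logic described above, as an added Go example that is not ovn-kubernetes code: EgressFirewallMatch, NeedsACLRegeneration and the `ip4.dst`/`ip6.dst` match shape are assumptions made for illustration, and the sample CIDRs are constructed. It shows what the proposed test has to observe: the same rule yields a different match once an overlapping subnet is added, so the ACL must be regenerated.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// EgressFirewallMatch builds the ACL match for an Egress Firewall rule whose
// destination is ipBlock. Every pod subnet that overlaps the block is appended
// as an exclusion so east/west traffic never hits the rule. The "ip4.dst"/
// "ip6.dst" match shape is an assumption made for illustration.
func EgressFirewallMatch(ipBlock string, podSubnets []string) (string, error) {
	block, err := netip.ParsePrefix(ipBlock)
	if err != nil {
		return "", fmt.Errorf("bad ipBlock %q: %w", ipBlock, err)
	}
	block = block.Masked()
	var exclusions []string
	for _, s := range podSubnets {
		p, err := netip.ParsePrefix(s)
		if err != nil {
			return "", fmt.Errorf("bad pod subnet %q: %w", s, err)
		}
		p = p.Masked()
		// Overlaps is false across IP families, so mixed v4/v6 lists are safe.
		if block.Overlaps(p) {
			exclusions = append(exclusions, p.String())
		}
	}
	sort.Strings(exclusions) // deterministic output, so a reconcile can compare matches
	field := "ip4.dst"
	if block.Addr().Is6() {
		field = "ip6.dst"
	}
	match := fmt.Sprintf("%s == %s", field, block)
	for _, e := range exclusions {
		match += fmt.Sprintf(" && %s != %s", field, e)
	}
	return match, nil
}

// NeedsACLRegeneration reports whether a change of the UDN's subnet set alters
// the match, i.e. whether the Egress Firewall must be reconciled after the
// handleNetworkEvent callback.
func NeedsACLRegeneration(ipBlock string, oldSubnets, newSubnets []string) (bool, error) {
	before, err := EgressFirewallMatch(ipBlock, oldSubnets)
	if err != nil {
		return false, err
	}
	after, err := EgressFirewallMatch(ipBlock, newSubnets)
	if err != nil {
		return false, err
	}
	return before != after, nil
}

func main() {
	// Constructed sample: the rule targets 10.0.0.0/8; the UDN starts with a
	// non-overlapping subnet and is later extended with an overlapping one.
	rule := "10.0.0.0/8"
	before, _ := EgressFirewallMatch(rule, []string{"192.168.0.0/16"})
	after, _ := EgressFirewallMatch(rule, []string{"192.168.0.0/16", "10.128.0.0/14"})
	changed, _ := NeedsACLRegeneration(rule, []string{"192.168.0.0/16"}, []string{"192.168.0.0/16", "10.128.0.0/14"})
	fmt.Println(before)
	fmt.Println(after)
	fmt.Println("regenerate ACL:", changed)
}
```

A rule whose block lies entirely inside a pod subnet still gets the exclusion, which is the intended outcome: such a rule must never affect pod-to-pod traffic.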
Whenever a BGP RA is configured to advertise the pod subnet, it generates an FRR-K8S configuration that includes the subnet. Today, when a NAD changes, we reconcile all BGP RAs. However, in that reconciliation we check raNeedsUpdate, which only checks whether the RA itself changed, not whether the set of pod subnets it advertises changed. We will need to fix this code and add a unit test to make sure that, when an RA exists with pod subnet advertisement enabled, adding a subnet to the network updates the FRR-K8S configuration with the new subnet.
Whenever BGP RA is enabled, we also optionally import routes. This is done by the Route Import Manager, which is plugged into the Layer 3 or Layer 2 UDN Network Controller as a reconciler. Whenever the network controller changes, which should happen when the NetInfo is updated with the extra subnet, Reconcile will be called, which in turn calls NeedsReconciliation in the Route Import Manager. We need to update that logic to account for a new subnet being added. In normal (overlay) mode the new subnet is used to ignore imported routes that fall within it; in no-overlay mode such routes are imported.
A unit test or e2e test should be added to ensure that, in normal mode, advertised routes within the new subnet are not imported.
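The Route Import Manager behaviour described in the two paragraphs above, as an added Go example that is not the project's code: NetInfo here is a minimal stand-in for the real type, NeedsReconciliation and ShouldImportRoute are assumed names, and the subnets and BGP-learned routes are constructed. It shows the proposed NeedsReconciliation check firing on a subnet addition (but not on a reordering), and the import decision differing between normal and no-overlay mode.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
	"strings"
)

// NetInfo is an assumed stand-in for the fields of ovn-kubernetes' NetInfo that
// the Route Import Manager needs; it is not the project's real type.
type NetInfo struct {
	Subnets   []string // cluster pod subnets of the UDN, in CIDR form
	NoOverlay bool     // true when the UDN runs in no-overlay mode
}

// subnetKey canonicalises a subnet list so a reordering is not seen as a change.
func subnetKey(subnets []string) (string, error) {
	keys := make([]string, 0, len(subnets))
	for _, s := range subnets {
		p, err := netip.ParsePrefix(s)
		if err != nil {
			return "", fmt.Errorf("bad subnet %q: %w", s, err)
		}
		keys = append(keys, p.Masked().String())
	}
	sort.Strings(keys)
	return strings.Join(keys, ","), nil
}

// NeedsReconciliation is the check proposed for the Route Import Manager: a
// change of overlay mode or of the subnet set (an added subnet included)
// must trigger a reconcile, not only a change of the route advertisement.
func NeedsReconciliation(prev, cur NetInfo) (bool, error) {
	a, err := subnetKey(prev.Subnets)
	if err != nil {
		return false, err
	}
	b, err := subnetKey(cur.Subnets)
	if err != nil {
		return false, err
	}
	return prev.NoOverlay != cur.NoOverlay || a != b, nil
}

// ShouldImportRoute decides whether a BGP-learned route is installed. In normal
// (overlay) mode a route that lies inside one of the UDN's pod subnets is
// reachable over the overlay and is ignored; in no-overlay mode it is imported.
// An aggregate that merely contains a pod subnet is still imported (assumption).
func ShouldImportRoute(route string, info NetInfo) (bool, error) {
	r, err := netip.ParsePrefix(route)
	if err != nil {
		return false, fmt.Errorf("bad route %q: %w", route, err)
	}
	if info.NoOverlay {
		return true, nil
	}
	for _, s := range info.Subnets {
		p, err := netip.ParsePrefix(s)
		if err != nil {
			return false, fmt.Errorf("bad subnet %q: %w", s, err)
		}
		if p.Overlaps(r) && r.Bits() >= p.Bits() { // route lies within the pod subnet
			return false, nil
		}
	}
	return true, nil
}

// ImportedRoutes returns the subset of advertised routes that would be installed.
func ImportedRoutes(routes []string, info NetInfo) ([]string, error) {
	var out []string
	for _, r := range routes {
		ok, err := ShouldImportRoute(r, info)
		if err != nil {
			return nil, err
		}
		if ok {
			out = append(out, r)
		}
	}
	return out, nil
}

func main() {
	// Constructed sample: the UDN gains a second subnet; a route advertised by a
	// peer node for an allocation inside that subnet must now be ignored.
	before := NetInfo{Subnets: []string{"10.128.0.0/14"}}
	after := NetInfo{Subnets: []string{"10.128.0.0/14", "10.132.0.0/14"}}
	learned := []string{"10.132.5.0/24", "172.16.0.0/16", "10.0.0.0/8"}
	changed, _ := NeedsReconciliation(before, after)
	fmt.Println("needs reconciliation:", changed)
	got, _ := ImportedRoutes(learned, after)
	fmt.Println("overlay mode imports:", got)
	after.NoOverlay = true
	got, _ = ImportedRoutes(learned, after)
	fmt.Println("no-overlay mode imports:", got)
}
```

The important edge in the sample is the route 10.132.5.0/24: before the subnet 10.132.0.0/14 exists it is imported like any external route, and only the reconcile triggered by the subnet addition makes the manager start ignoring it.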
Egress IP generates a route for the pod subnet towards the Gateway Router (GR). This path is triggered by node add/update events. Right now, when a network changes, BaseNetworkController->reconcile checks whether the local nodes should be added to the retry framework to be updated. It only checks whether route advertisement changed; we should update this to also account for a new subnet being added.
A unit test should be added to make sure that, when Egress IP is in use and a new subnet is added, the route towards the GR gets created correctly for each subnet.
There are also Logical Router Policies created for east/west traffic, initiated by the EgressNodeType in the retry framework. We should ensure with unit tests that these policies are also created for the new subnet when it is added.
With BGP Network Isolation we add isolation ACLs that do not allow a UDN to talk to other UDNs. This is done by the addAdvertisedNetworkIsolation function, which is driven by local node add/update events. As with the Egress IP changes, BaseNetworkController->reconcile should be updated to queue local nodes to the retry framework when the subnet set changes.
A unit test should be added to ensure the isolation ACLs get updated correctly with the new subnet.
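The reconcile gate that both the Egress IP and the BGP Network Isolation paragraphs above ask for, plus the per-subnet Egress IP route it leads to, as an added Go example that is not ovn-kubernetes code: NetworkState is a stand-in for the NetInfo fields being compared, ShouldRequeueLocalNodes and EgressIPRoutesForNode are assumed names, the EgressIPRoute shape and the "GR_<node>" naming are assumptions, and the subnets and next hop are constructed. It shows that a subnet addition alone, with route advertisement unchanged, now requeues the local nodes, and that the requeued node then gets one GR route per subnet, the added one included.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
	"strings"
)

// NetworkState is an assumed stand-in for the NetInfo fields that
// BaseNetworkController->reconcile compares; it is not the project's real type.
type NetworkState struct {
	Subnets         []string // cluster pod subnets in CIDR form
	RouteAdvertised bool     // whether a BGP RA advertises the pod subnets
}

// canonicalSubnets parses, masks and sorts a subnet list so that a reordered
// NAD is not mistaken for a changed subnet set.
func canonicalSubnets(subnets []string) ([]string, error) {
	out := make([]string, 0, len(subnets))
	for _, s := range subnets {
		p, err := netip.ParsePrefix(s)
		if err != nil {
			return nil, fmt.Errorf("bad subnet %q: %w", s, err)
		}
		out = append(out, p.Masked().String())
	}
	sort.Strings(out)
	return out, nil
}

// ShouldRequeueLocalNodes is the proposed gate: today only a route-advertisement
// change queues local nodes to the retry framework; a changed subnet set must do
// so too, so that the Egress IP routes, the Logical Router Policies and the
// isolation ACLs get regenerated for the added subnet.
func ShouldRequeueLocalNodes(prev, cur NetworkState) (bool, error) {
	a, err := canonicalSubnets(prev.Subnets)
	if err != nil {
		return false, err
	}
	b, err := canonicalSubnets(cur.Subnets)
	if err != nil {
		return false, err
	}
	return prev.RouteAdvertised != cur.RouteAdvertised ||
		strings.Join(a, ",") != strings.Join(b, ","), nil
}

// EgressIPRoute is a hypothetical representation of the static route Egress IP
// installs on a node's gateway router (GR) for one pod subnet.
type EgressIPRoute struct {
	Router  string // GR name, assumed to be "GR_<node>"
	Prefix  string // pod subnet this route covers
	NextHop string // address the subnet's traffic is steered to
}

// EgressIPRoutesForNode generates one route per pod subnet of the next hop's IP
// family, so an added subnet gets its own route once the node is requeued.
func EgressIPRoutesForNode(node, nextHop string, subnets []string) ([]EgressIPRoute, error) {
	nh, err := netip.ParseAddr(nextHop)
	if err != nil {
		return nil, fmt.Errorf("bad next hop %q: %w", nextHop, err)
	}
	subs, err := canonicalSubnets(subnets)
	if err != nil {
		return nil, err
	}
	var routes []EgressIPRoute
	for _, s := range subs {
		if netip.MustParsePrefix(s).Addr().Is4() != nh.Is4() {
			continue // a v4 next hop cannot carry a v6 subnet and vice versa
		}
		routes = append(routes, EgressIPRoute{Router: "GR_" + node, Prefix: s, NextHop: nextHop})
	}
	return routes, nil
}

func main() {
	// Constructed sample: the UDN is extended from one subnet to two while the
	// route advertisement stays enabled.
	prev := NetworkState{Subnets: []string{"10.128.0.0/14"}, RouteAdvertised: true}
	cur := NetworkState{Subnets: []string{"10.128.0.0/14", "10.132.0.0/14"}, RouteAdvertised: true}
	requeue, _ := ShouldRequeueLocalNodes(prev, cur)
	fmt.Println("requeue local nodes:", requeue)
	routes, _ := EgressIPRoutesForNode("node1", "100.64.0.2", cur.Subnets)
	for _, r := range routes {
		fmt.Printf("%s: %s via %s\n", r.Router, r.Prefix, r.NextHop)
	}
}
```

Gating on the canonical subnet set rather than on the raw slice matters for the retry framework: a NAD update that only reorders the subnets would otherwise requeue every local node for no reason.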
Currently not supported by UDN, so this will not be handled in this OKEP.
With the OpenFlow Manager we add flows for pod subnets so that traffic coming into OVS from outside (addressed to a pod) can be forwarded correctly to the GR. Since this flow only needs to exist for the current node's own subnet, it should not need to be updated on existing nodes when a new subnet is added.