ovn-kubernetes
Enhancement: OVN secondary network should have the possibility to disable mac spoof check
Using `bridge` for a secondary network allows specifying `macspoofchk` to enable or disable the MAC spoofing check.
It would be useful for the OVN secondary network to have the same feature. I think a simple condition can be added here:
https://github.com/ovn-org/ovn-kubernetes/blob/c463ceae1c0ec5d260ed66583a5a0dd6948e7f7f/go-controller/pkg/ovn/base_network_controller_pods.go#L563
Use case: nested virtualization
This should be easy to add. We have it downstream. @cathy-zhou can you PTAL?
From my tests, it is needed as well to set "Addresses" to unknown.
The way we support it downstream is to add a particular annotation in the net-attach-def to indicate that on this particular network, spoofcheck is disabled.
o/
could you elaborate on the design choice @cathy-zhou ?
I.e. why have this a per-network attribute rather than per pod attachment ?
Like ... assume everything connected to a network like this is "unsafe" ?
Do we have any new information about this?
I've been thinking again about this; it could make sense, and if the setting is done per network - and defaulted to having MAC spoofing - I am OK with it.
Thanks for the update, I will work on implementing it and create a PR if you agree.
Before you spend time on it, let's hear from a~~nother~~ maintainer; @trozet / @jcaamano / @tssurya any thoughts about this feature ?
Yes, we are OK to support this. Seems like NAD is a natural place for the setting to live. Perhaps when we move NAD creation to a CRD it should be a field there.
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days.
This issue was closed because it has been stalled for 5 days with no activity.