The Sdewan config agent is the controller for instances of the Sdewan CRD. When a Sdewan instance is created, the agent creates the pod running OpenWRT. That OpenWRT pod can act as an SD-WAN, an IPsec tunnel or a firewall, depending on the rules applied to the OpenWRT instance.
CRDs

The Sdewan CRD depends on some other CRDs, so the related CRDs are listed here.

| Name | Kind | Component |
|---|---|---|
| networks | Network | ovn4nfv-k8s-plugin |
| providernetworks | ProviderNetwork | ovn4nfv-k8s-plugin |
| network-attachment-definitions | NetworkAttachmentDefinition | multus |

The new CRDs introduced by Sdewan will look like the samples below.
Sdewan CRD:

```yaml
apiVersion: batch.sdewan.akraino.org/v1alpha1
kind: Sdewan
metadata:
  name: example-sdwan
spec:
  node: node1
  networks:
    - name: ovn-net1
      isProvider: true
    - name: ovn-net2
      isProvider: false
  mwan3Conf: example1-conf
  firewallConf: example-firewall
```
Mwan3Rule:

```yaml
apiVersion: batch.sdewan.akraino.org/v1alpha1
kind: Mwan3Conf
metadata:
  name: example1-conf
spec:
  policy:
    balance1:
      members:
        - network: ovn-net1
          weight: 2
          metric: 2
        - network: ovn-net2
          weight: 3
          metric: 3
  rule:
    https:
      policy: balance1
      dest_ip: 0.0.0.0/0
      dest_port: 443
    http:
      policy: balance1
      dest_ip: 0.0.0.0/0
      dest_port: 80
```
FirewallConf:

```yaml
apiVersion: batch.sdewan.akraino.org/v1alpha1
kind: FirewallConf
metadata:
  name: example-firewall
spec:
  zones:
    - name: lan
      network:
        - ovn-net2
      input: REJECT
      output: ACCEPT
    - name: wan
      network:
        - ovn-net1
      input: REJECT
      output: ACCEPT
  redirects:
    - name: DNAT-LAN
      src: wan
      src_dport: 1990
      dest: lan
      dest_port: 22
      proto: tcp
      target: DNAT
  rules:
    - name: REJECT_LAN_80
      src: lan
      src_ip: 192.168.1.2
      src_port: 80
      proto: tcp
      target: REJECT
  forwardings:
    - name: lan-wan
      src: lan
      dest: wan
```
The controller behaves as follows:

- Monitor Sdewan instances and Mwan3Conf/FirewallConf instances
- When a Mwan3Conf/FirewallConf instance is created/updated:
  - Validate the instance Spec by API admission webhook
  - If this Conf instance is used by any Sdewan instance, inform the Sdewan controller to apply the conf
- When a Mwan3Conf/FirewallConf instance is being deleted:
  - If this Conf instance is used by any Sdewan instance, prevent the delete action
- When a Sdewan instance is created/updated:
  - Create the sdewan deployment/pod if it does not exist
  - Apply the Conf if the Conf instance exists
- When a Sdewan instance is deleted:
  - Delete the deployment/pod
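As an added illustration (not the sdewan operator's own code), the following Go sketch shows two of the controller checks listed above: the admission-webhook style validation of a Mwan3Conf spec (every rule must reference a defined, non-empty policy, and dest_ip/dest_port must be well-formed) and the in-use check that blocks deletion of a Conf still referenced by a Sdewan. The Go struct types are assumed mirrors of the YAML samples above, not the real CRD types.

```go
package main

import (
	"fmt"
	"net"
)

// Assumed Go mirrors of the Mwan3Conf and Sdewan specs shown above; the
// real CRD types live in the sdewan operator, these are illustrative.
type Member struct{ Network string; Weight, Metric int }
type Rule struct{ Policy, DestIP string; DestPort int }
type Mwan3Spec struct {
	Policy map[string][]Member
	Rule   map[string]Rule
}
type SdewanSpec struct{ Networks []string; Mwan3Conf string }

// ValidateMwan3 is the kind of check the admission webhook runs when a
// Mwan3Conf is created/updated: every rule must name a policy that has
// members, and dest_ip/dest_port must be well-formed.
func ValidateMwan3(s Mwan3Spec) error {
	for n, r := range s.Rule {
		if len(s.Policy[r.Policy]) == 0 {
			return fmt.Errorf("rule %q: policy %q undefined or empty", n, r.Policy)
		}
		if _, _, err := net.ParseCIDR(r.DestIP); err != nil {
			return fmt.Errorf("rule %q: dest_ip %q is not a CIDR", n, r.DestIP)
		}
		if r.DestPort < 1 || r.DestPort > 65535 {
			return fmt.Errorf("rule %q: dest_port %d out of range", n, r.DestPort)
		}
	}
	return nil
}

// InUse reports whether any Sdewan references conf; if so the controller
// prevents the Conf from being deleted.
func InUse(conf string, sdewans map[string]SdewanSpec) bool {
	for _, s := range sdewans {
		if s.Mwan3Conf == conf {
			return true
		}
	}
	return false
}
```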