
Feature Request: Unnecessary IPs are automatically excluded from export-policy rule without autoExportCIDR #1028

@ysakashita

Description

Describe the solution you'd like

We would like undesired networks to be automatically excluded even without specifying autoExportCIDRs.

Describe alternatives you've considered

We are considering adopting the enhanced autoExportPolicy feature introduced in Trident v25.02.
However, in our environment, network additions occur frequently. This means the autoExportCIDRs list needs to be updated often, resulting in high operational cost.

If autoExportCIDRs is omitted, IP addresses that clearly do not need to be registered in the export policy—such as the docker0 interface—get included, posing a security risk.

  • Example IP addresses on a node:
$ ip addr
...
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether fa:16:3e:9e:9a:5b brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 100.78.240.38/22 metric 100 brd 100.78.240.255 scope global ens3
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe9e:9a5b/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1450 qdisc noqueue state DOWN group default 
    link/ether c2:89:6f:47:56:c2 brd ff:ff:ff:ff:ff:ff
    inet 10.27.16.1/22 brd 10.27.19.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::c089:6fff:fe47:56c2/64 scope link 
       valid_lft forever preferred_lft forever
  • export-policy rule on ONTAP by autoExportPolicy
vs002_tool_zlab::vserver export-policy rule> show -policyname ysaka_test_demo_k8s_pre_zstg_caas_dev_zlab_yahoo_co_jp_pvc_085725cb_9388_4efd_87e6_6ede29a7fbc0 
             Policy          Rule    Access   Client                RO
Vserver      Name            Index   Protocol Match                 Rule
------------ --------------- ------  -------- --------------------- ---------
vs002_tool_zlab 
             ysaka_test_demo_k8s_pre_zstg_caas_dev_zlab_yahoo_co_jp_pvc_085725cb_9388_4efd_87e6_6ede29a7fbc0 
                             1       nfs      10.27.16.1            any
vs002_tool_zlab 
             ysaka_test_demo_k8s_pre_zstg_caas_dev_zlab_yahoo_co_jp_pvc_085725cb_9388_4efd_87e6_6ede29a7fbc0 
                             2       nfs      100.78.240.38         any
2 entries were displayed.

While 100.78.240.38 is correctly registered as the node’s IP address, 10.27.16.1 belongs to docker0 and should not be registered.

Additional context

When the autoExportCIDRs value is updated, it is necessary to restart the trident-controller to re-start the backend parameters.
Unfortunately, the trident-controller is still a single point of failure (SPOF).
#745

So we need to coordinate with our customers in advance in order to perform the restart.
Therefore, the operational cost is high.
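The selection step this request is about, as an added example that is not Trident's own code: a small Go program that parses the `ip addr` excerpt quoted above (embedded here as constructed sample input) and shows which addresses would become export-policy client matches with an empty autoExportCIDRs list versus a list containing only the node network. The parsing, the function names `ParseIPAddr` and `ExportRuleClients`, and the 100.78.240.0/22 CIDR are assumptions chosen for the demonstration; Trident's real implementation is not reproduced here.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Constructed sample: the `ip addr` lines from the issue that matter for
// export-policy generation (link and inet6 lines are kept to show they are ignored).
const sampleIPAddr = `2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether fa:16:3e:9e:9a:5b brd ff:ff:ff:ff:ff:ff
    inet 100.78.240.38/22 metric 100 brd 100.78.240.255 scope global ens3
    inet6 fe80::f816:3eff:fe9e:9a5b/64 scope link
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1450 qdisc noqueue state DOWN group default
    link/ether c2:89:6f:47:56:c2 brd ff:ff:ff:ff:ff:ff
    inet 10.27.16.1/22 brd 10.27.19.255 scope global docker0
    inet6 fe80::c089:6fff:fe47:56c2/64 scope link
`

// NodeAddr is one IPv4 address found on a node interface.
type NodeAddr struct {
	Iface string
	IP    net.IP
}

var (
	// "2: ens3: <...>" -> interface name "ens3"
	ifaceLine = regexp.MustCompile(`^\d+:\s+([^:@]+)[@:]`)
	// "    inet 100.78.240.38/22 ..." -> "100.78.240.38" (inet6 lines do not match)
	inetLine = regexp.MustCompile(`^\s+inet\s+(\d+\.\d+\.\d+\.\d+)/\d+`)
)

// ParseIPAddr extracts (interface, IPv4) pairs from `ip addr` output.
func ParseIPAddr(out string) []NodeAddr {
	var addrs []NodeAddr
	iface := ""
	for _, line := range strings.Split(out, "\n") {
		if m := ifaceLine.FindStringSubmatch(line); m != nil {
			iface = m[1]
			continue
		}
		if m := inetLine.FindStringSubmatch(line); m != nil {
			addrs = append(addrs, NodeAddr{Iface: iface, IP: net.ParseIP(m[1])})
		}
	}
	return addrs
}

// ExportRuleClients returns the client-match IPs that would be written into the
// export policy. With an empty CIDR list every node address is exported (the
// behaviour the issue describes, docker0 included); otherwise only addresses
// falling inside one of the given CIDRs are kept.
func ExportRuleClients(addrs []NodeAddr, cidrs []string) ([]string, error) {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad autoExportCIDRs entry %q: %w", c, err)
		}
		nets = append(nets, n)
	}
	var clients []string
	for _, a := range addrs {
		if len(nets) == 0 {
			clients = append(clients, a.IP.String())
			continue
		}
		for _, n := range nets {
			if n.Contains(a.IP) {
				clients = append(clients, a.IP.String())
				break
			}
		}
	}
	return clients, nil
}

func main() {
	addrs := ParseIPAddr(sampleIPAddr)
	for _, a := range addrs {
		fmt.Printf("found %-8s %s\n", a.Iface, a.IP)
	}
	all, _ := ExportRuleClients(addrs, nil)
	fmt.Println("autoExportCIDRs omitted:        ", all)
	filtered, _ := ExportRuleClients(addrs, []string{"100.78.240.0/22"})
	fmt.Println("autoExportCIDRs=100.78.240.0/22:", filtered)
}
```

Running it prints both addresses in the unfiltered case and only 100.78.240.38 once the node network is given, which is exactly the difference between the two export-policy rules shown in the ONTAP output above. The cost the issue points at is that the CIDR list has to be kept current as networks are added, whereas the node addresses themselves are already visible to the parser.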
