Add kindnet network plugin #17158
Add kindnet network plugin #17158
Conversation
k8s-ci-robot
added
the
do-not-merge/work-in-progress
k8s-ci-robot
added
area/addons
cncf-cla: yes
aojea
force-pushed
the
kindnet
branch
2 times, most recently
from
13985ad to
9e14fd2
Compare
|
Ok, it is working now |
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
failed job is unrelated
This is ready for review |
kindnet is already used in CI for other kubernetes jobs and projects https://grep.app/search?q=aojea/kindnet so breaking compatibility within kindnet is something I don't expect, however, how to get the better integration with Kops is something I need your advice |
I think we cab skip the flag, as long as we add a warning in the doc file. |
|
@aojea Not sure if Kindnet need the CNI Network Plugin binaries. Lines 941 to 945 in 84948bb Besides the few remaining nits and the 3 failing tests, I think this is pretty good as it is. |
great, I will address last comments and work on this today /test pull-kops-e2e-cni-kindnet |
aojea
force-pushed
the
kindnet
branch
2 times, most recently
from
2bdbd59 to
a36c140
Compare
|
/test pull-kops-e2e-cni-kindnet |
get more networking information usefult to troubleshoot network issues.
aojea
force-pushed
the
kindnet
branch
3 times, most recently
from
3827c06 to
0aae903
Compare
add kindnet as an experimental network addon containerd adds the requirement to use the loopback cni plugin, kindnet provides that capability and containerd does not require it since containerd/containerd/pull/10238 Change-Id: I1397a90186885b02e98b5ffa444fe629c1046757
it needs the loopback plugin so it does not hurt having those
I've added some rudementary network connection logging to kindnet that is very useful , Checking the test failed The connections are done from
node we can see the connections go through
but practically no bytes, the connection is established but closed immediately I will work on those tests after this merge, it seems specific of this environment as I could not repro locally and in other environments, so @hakman this should be ready to go |
k8s-ci-robot
added
the
lgtm
|
/retest |
|
/test pull-kops-e2e-cni-kindnet |
All green now!!! 👏 |
it was an mtu issue :) aojea/kindnet#143 |
but could have been DNS 🤣 |
| --zones $ZONES \ | ||
| --networking kindnet \ | ||
| --yes \ | ||
| --name myclustername.mydns.io |
There was a problem hiding this comment.
Nit: we normally use example.com, I think that is reserved for examples
| @@ -5773,6 +5773,39 @@ spec: | |||
| description: GCPNetworkingSpec is the specification of GCP's native | |||
| networking mode, using IP aliases. | |||
| type: object | |||
| kindnet: | |||
| description: KindnetNetworkingSpec configures Kindnet settings. | |||
There was a problem hiding this comment.
Nit: an annoying thing about go docs mapping to OpenAPI docs is that we probably don't want to follow normal go conventions for comments. The reader of the OpenAPI docs doesn't see the name KindnetNetworkingSpec on the struct, because OpenAPI doesn't have structs (or we don't use them)
| if v.Kindnet != nil { | ||
| if optionTaken { | ||
| allErrs = append(allErrs, field.Forbidden(fldPath.Child("kindnet"), "only one networking option permitted")) | ||
| } |
There was a problem hiding this comment.
We probably should be setting optionTaken here, but we're also missing it on LyftVPC and GCP. I'll send a fix separately :-)
| func validateNetworkingKindnet(cluster *kops.Cluster, v *kops.KindnetNetworkingSpec, fldPath *field.Path) field.ErrorList { | ||
| allErrs := field.ErrorList{} | ||
|
|
||
| if v.Masquerade != nil && v.Masquerade.Enabled != nil && *v.Masquerade.Enabled { |
There was a problem hiding this comment.
Nit: We have ValueOf, v.Masquerade.Enabled != nil && *v.Masquerade.Enabled === fi.ValueOf(v.MasqueradeEnabled)
| @@ -345,7 +345,19 @@ func (n *logDumperNode) dump(ctx context.Context) []error { | |||
| if err := n.shellToFile(ctx, "sudo iptables -t filter --list-rules", filepath.Join(n.dir, "iptables-filter.log")); err != nil { | |||
| errors = append(errors, err) | |||
| } | |||
| if err := n.shellToFile(ctx, "ip route", filepath.Join(n.dir, "ip-routes.log")); err != nil { | |||
| if err := n.shellToFile(ctx, "sudo nft list ruleset", filepath.Join(n.dir, "nftables-ruleset.log")); err != nil { | |||
| c.Masquerade.NonMasqueradeCIDRs = append(c.Masquerade.NonMasqueradeCIDRs, clusterSpec.Networking.PodCIDR) | ||
| } | ||
| if clusterSpec.Networking.ServiceClusterIPRange != "" { | ||
| c.Masquerade.NonMasqueradeCIDRs = append(c.Masquerade.NonMasqueradeCIDRs, clusterSpec.Networking.ServiceClusterIPRange) |
| @@ -777,6 +789,12 @@ func addKubeRouterSrcDstCheckPermissions(p *Policy) { | |||
| ) | |||
| } | |||
|
|
|||
| func addKindnetSrcDstCheckPermissions(p *Policy) { | |||
| p.unconditionalAction.Insert( | |||
| "ec2:ModifyInstanceAttribute", | |||
There was a problem hiding this comment.
Not a blocker, but this has security/performance implications IIRC. Do we need this permission in all modes? (e.g. if we're running IPv6, do we need it?)
|
This LGTM - awesome work @aojea 🎉 Only question is about those src/dest checks, if we can avoid needing to turn them off that would be awesome. But my 2c is that the easiest way to do this is to merge this, and then send a follow on PR to try them off and seeing what breaks, so I'm in favor of merging! |
for kindnet it should work out of the box. |
I think that's a great idea, and I think we should do that in follow-on PRs. |
|
OK I think we can get this in! /approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: justinsb The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Kindnet has been running in Kubernetes CI for a while and there are some people that uses it, I've been adding new features like dns cache or kernel bypass or admin network policies that are not present in all the other common cnis.
Integration with kops will help to improve its testing and also benefits users that are looking for a more minimalistic CNI plugin
https://github.com/aojea/kindnet