[icxtunnel] Wire up controllers and integrate with kubernetes. #76
Get enough infrastructure in place that integrating with the apiserver works.
Couple outstanding todos/issues:
- If multiple relay connections publish the same route, netstack will use a round robin source address for the route. ATM we choose the destination for packets solely based on their destination address, this can result in packets with different source addresses than expected which will end up in a packet drop on the other end.
  - I need to extend icx's `allowed_ips` semantics to `allowed_srcs`/`allowed_dsts` or something of that nature. Will allow the icx handler to make smart routing decisions.
- If the relay dies there is no garbage collection for connections on the tunnelagent object. One option is to mark connections with some kind of periodically updated lastupdated timestamp/heartbeat, and when no more updates are heard (from the relay owning the connection) the TunnelAgent reconciler of the apiserver can nuke them, idk. Maybe a throttled lastheardrx timestamp or other vnet stats.
  - While the relay is alive it does garbage collect its own connections.