SchedulerPredicates: pods with same hostPort but different hostIP and protocol #14287
From the logs -
I don't think we support a loopback address as a hostIP - https://github.com/cilium/cilium/blob/master/pkg/k8s/watchers/pod.go#L517 You should see this warning message in the cilium logs - Connectivity to the other hostIP should succeed. \cc @borkmann |
Also just to add to what Aditi said, the difference of protocols will likely be fixed by #9207 |
Yes, connectivity should work for both the protocols, though. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
Kubernetes v1.20 conformance still fails with Cilium last I checked. |
@dghubble Per the last comments - there are 2 issues here:
|
CNI plugins should pass all conformance tests, regardless of whether or not a use case can be presented. This is blocking us from certifying Cilium for use with Rancher/RKE2. |
Yeah, this also precludes Typhoon making Cilium the default. As contrived as some of the Kubernetes conformance tests are, conformance matters to some users. |
I tested with Cilium v1.10.0 on Kubernetes v1.21.1 and this was the one conformance failure. |
Hi folks, just as a heads up one way to get this conformance test to pass is to run Cilium chaining on top of portmap, like I've done in PR #17048. |
Chaining mode isn't supposed to be needed anymore, I don't see this as a config we'd go back to as a workaround and it had other issues in my testing. |
For what it's worth, I briefly looked into the two issues that @aditighag mentioned above with the kube-proxy replacement implementation of this feature, notes below. I also notice that the Kubernetes best practices basically say "don't use hostport if at all possible" which is perhaps indicative of how tricky it can be to implement safely.
I think that the above problems are solvable but they just require careful thought to mitigate the security and upgrade concerns. |
This issue has been automatically marked as stale because it has not |
Pretty sure this conformance test will still fail with Kubernetes v1.24.2 |
With k8s v1.22.12 and cilium 1.12
|
No surprises. As was mentioned above, this test will fail until the following two features are supported:
This is work in progress. |
This test is passing now according to #21060 |
With Cilium v1.13.1, I still see this conformance test failing (with Kubernetes/Typhoon v1.26.3, manifests) |
I just tested cilium 1.13.1, including patch #21366 with k3s and kubeadm on ubuntu 22.04 and debian 11 (kubernetes 1.26.3), and test "HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol" is still failing for me. EDIT: Sorry, I overlooked a post from aspsk where it is mentioned that we need to wait for #9207 to be implemented too. |
It's interesting that, for example, DigitalOcean managed Kubernetes, which also uses Cilium, passes all certified-conformance tests. It seems they are using official Cilium images, so what's the difference there? |
@ShiroDN you do have to configure Cilium in a particular way to get conformance tests passing. See kubernetes-test.sh for more details. |
@nathanjsweet @aanm That link was great insight, but to me it looks like kubernetes-test.sh is for passing with a kube-proxy based cluster only? I've seen the conformance test pass in kube-proxy mode, but #9207 is still open, which was a blocker for strict / eBPF mode. I tried an adaptation of the script like below (ansible):
This gave me the following result:
the ~/bin/sonobuoy run --mode=certified-conformance fails as well. |
@nathanjsweet Thanks for the link. Now, I managed to pass conformance test as well.
|
We are running v1.13.2, I enabled kube-proxy replacement in cilium, I also installed portmap cni, and set those:
but the Kubernetes conformance test is still failing (due to the fact that hostPort with UDP and TCP overwrite each other). |
@camaeel, I think it could be failing because of |
@ShiroDN are you sure? |
@camaeel, yes, I am sure. I tested it by not setting the kubeProxyReplacement at all. The default is 'disabled', and it worked fine. All conformance tests were successfully completed. Here's something about it in the docs: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/#container-hostport-support. Cilium’s eBPF kube-proxy replacement also natively supports hostPort service mapping without having to use the Helm CNI chaining option of cni.chainingMode=portmap. By specifying kubeProxyReplacement=strict the native hostPort support is automatically enabled and therefore no further action is required... |
I tested a workaround which seems to work:
Then Cilium's kube-proxy replacement works for everything except hostPorts, and hostPorts are handled by the portmap CNI. Are there any plans/schedule to implement a final solution for this issue? |
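As an added illustration (not code from this issue, Cilium or Kubernetes), the conflict rule that the conformance test named above exercises, modelled in Python: two host ports clash only when port, protocol and hostIP overlap (an empty or 0.0.0.0 hostIP meaning all node addresses), compared against a data plane that keys on the port alone, which is the "TCP and UDP overwrite each other" behaviour reported in the thread. Pod names, addresses and the port number are constructed sample values.

```python
from dataclasses import dataclass

BIND_ALL = "0.0.0.0"  # an empty hostIP means "all node addresses" in Kubernetes


@dataclass(frozen=True)
class HostPort:
    ip: str
    protocol: str  # "TCP", "UDP" or "SCTP"
    port: int

    def normalized(self):
        return HostPort(self.ip or BIND_ALL, self.protocol.upper(), self.port)


def scheduler_conflict(a, b):
    """Conflict rule of the Kubernetes scheduler's host-port check: same port AND
    same protocol AND overlapping hostIP (identical, or either side bound to
    0.0.0.0). A different hostIP or a different protocol is not a conflict."""
    a, b = a.normalized(), b.normalized()
    if a.port != b.port or a.protocol != b.protocol:
        return False
    return a.ip == b.ip or BIND_ALL in (a.ip, b.ip)


def port_only_conflict(a, b):
    """A data plane that keys host-port mappings on the port number alone sees
    every pair sharing a port as a clash: a TCP and a UDP mapping on the same
    port overwrite each other, the behaviour described in this thread."""
    return a.port == b.port


def find_conflicts(pods, rule):
    """Return the (name_a, name_b) pairs that `rule` reports as clashing."""
    pairs = []
    for i, (name_a, hp_a) in enumerate(pods):
        for name_b, hp_b in pods[i + 1:]:
            if rule(hp_a, hp_b):
                pairs.append((name_a, name_b))
    return pairs


# Constructed sample: the non-conflicting shapes the test name describes (same
# port, different hostIP or protocol) plus one genuine clash (bind-all TCP).
SAMPLE_PODS = [
    ("tcp-loopback", HostPort("127.0.0.1", "TCP", 54323)),
    ("tcp-node", HostPort("10.0.0.5", "TCP", 54323)),
    ("udp-node", HostPort("10.0.0.5", "UDP", 54323)),
    ("tcp-all", HostPort("", "TCP", 54323)),  # empty hostIP -> 0.0.0.0
]

if __name__ == "__main__":
    print("scheduler rule:", find_conflicts(SAMPLE_PODS, scheduler_conflict))
    print("port-only rule:", find_conflicts(SAMPLE_PODS, port_only_conflict))
```

Under the scheduler rule only the bind-all pod clashes with the two TCP pods; under the port-only rule every pair clashes, including the UDP pod.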
Failure of `[sig-network] HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol [LinuxOnly] [Conformance]` is expected until cilium/cilium#14287 is fixed
* feat: support cilium cin
* fix lint error
* set version in manifest file
* use helm for cilium
* fix vendir
* add vendir in hack
* set cilium tag
* update makefile for vendir install
* remove cni assertion
* add validation step for network drivers
* fix tests
* add executable perm to vendir install script
* fix functional test
* resolve conflict
* fix typo
* add zuul ci jobs for cilium network driver
* enable sessionAffinity in cilium

  For users who run with kube-proxy (i.e. with Cilium's kube-proxy replacement disabled), the ClusterIP service loadbalancing when a request is sent from a pod running in a non-host network namespace is still performed at the pod network interface (until cilium/cilium#16197 is fixed). For this case the session affinity support is disabled by default.
* fix flake8 errors
* ignore the below test failure until the upstream issue fixed

  Failure of `[sig-network] HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol [LinuxOnly] [Conformance]` is expected until cilium/cilium#14287 is fixed
* use portmap chain mode
* fix lint error

Co-authored-by: okozachenko1203 <okozachenko1203@users.noreply.github.com>
Bug report
Some early testing of Kubernetes v1.20.0-rc.0, found one conformance failure with Cilium that's on the horizon. Filing this as an initial report.
Full Logs
The test failure was repeatable. The test relates to pods exposing host ports. When using Calico (distro default) the same test did pass.
General Information
How to reproduce the issue
A cluster can be provisioned and tested via CNCF docs if someone is inclined. Set the ref to `master` to get Kubernetes v1.20.x candidates and set `networking` to cilium. Abbreviated: