Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CNI: improve plugin chaining #24956

Merged
merged 6 commits into from May 4, 2023
Merged

CNI: improve plugin chaining #24956

merged 6 commits into from May 4, 2023

Conversation

squeed
Copy link
Contributor

@squeed squeed commented Apr 18, 2023

The Cilium agent already supports a mode where it waits for a certain CNI network to exist, then injects itself as a chained plugin, and writes a new file. However, this was only only supported for AWS. Instead, let's make this functionality generic.

This PR makes these changes:

  • plugins/cni: improve logic around chaining mode. Previously, we would use the cni network name to decide what chaining mode to use. This makes it impossible to chain off of arbitrary networks. So, make the chaining mode an optional explicit parameter
  • Add an explicit chaining-target parameter, and generalize the aws-cni injection code to support arbitrary networks
  • wire this all up in Helm

The end result is a cleaner setup for end-users who would like to chain Cilium.

Fixes: #22286
Inspired-by: #22358

Cilium now supports chaining with arbitrary CNI plugins. To use, set the Helm value cni.chainingTarget.

@squeed squeed requested review from a team as code owners April 18, 2023 16:06
@squeed squeed requested review from rolinh and youngnick April 18, 2023 16:06
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Apr 18, 2023
@squeed squeed requested review from asauber and kaworu April 18, 2023 16:07
@squeed
Copy link
Contributor Author

squeed commented Apr 18, 2023

fyi @sofat1989, do you want to see if this covers your use case?

@squeed squeed added the release-note/minor This PR changes functionality that users may find relevant to operating Cilium. label Apr 18, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Apr 18, 2023
@squeed squeed added area/cni Impacts the Container Networking Interface between Cilium and the orchestrator. dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Apr 18, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Apr 18, 2023
@squeed squeed requested a review from a team as a code owner April 19, 2023 11:46
@squeed squeed requested a review from qmonnet April 19, 2023 11:46
@squeed
Copy link
Contributor Author

squeed commented Apr 19, 2023
edited

as far as I can tell, the test failure isn't caused by this PR: the pod's CNI plugin execution returned without any issues, meaning that nothing this PR touched failed.

Unfortunately there's not enough information to debug; #24982 will improve that situation.

asauber
asauber approved these changes Apr 20, 2023
View reviewed changes
Copy link
Member

@asauber asauber left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CLI related changed LGTM. I'll read through to see if I have any other comments, and leave reviews of other portions to the related codeowners.

asauber
asauber reviewed Apr 20, 2023
View reviewed changes
daemon/cmd/cni/cell.go Outdated Show resolved Hide resolved
rolinh
rolinh approved these changes Apr 20, 2023
View reviewed changes
Copy link
Member

@rolinh rolinh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

vendor changes lgtm

kaworu
kaworu approved these changes Apr 20, 2023
View reviewed changes
Copy link
Member

@kaworu kaworu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Helm changes LGTM

zacharysarah
zacharysarah approved these changes Apr 21, 2023
View reviewed changes
Copy link
Contributor

@zacharysarah zacharysarah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nits for typos and clarity, otherwise LGTM 👍

Approved preemptively with the understanding that changes must happen prior to merge.

daemon/cmd/cni/cell.go Outdated Show resolved Hide resolved
@squeed
Copy link
Contributor Author

squeed commented Apr 24, 2023
edited by maintainer-s-little-helper bot

/test

Job 'Cilium-PR-K8s-1.27-kernel-net-next' failed:

Click to show.

Test Name

K8sDatapathServicesTest Checks N/S loadbalancing with L7 policy Tests NodePort with L7 Policy from outside

Failure Output

FAIL: Can not connect to service "http://192.168.56.11:31222" from outside cluster (1/10)

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.27-kernel-net-next/108/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.27-kernel-net-next so I can create one.

youngnick
youngnick approved these changes May 1, 2023
View reviewed changes
Copy link
Contributor

@youngnick youngnick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with a couple of nits.

daemon/cmd/cni/config.go Outdated Show resolved Hide resolved
daemon/cmd/cni/config.go Outdated Show resolved Hide resolved
squeed added 6 commits May 3, 2023 09:32
@squeed
mechanical: fix cni lint errors
200ce71 
Just some capitalized errors that were annoying the linter.

Signed-off-by: Casey Callendrello <cdc@isovalent.com>
@squeed
plugins/cni: make CNI chaining mode explicit
6fd2d55 
We determined exactly how to chain by reading the CNI network name. This
is fragile, and means that end-users can't easily configure chaining for
their own networks.

This keeps the existing logic but adds an explicit chaining-mode field
in the CNI configuration.

Additionally: remove the "portmap" plugin, since all it did was signify
that the network "portmap" was the same as "cilium". There are cleaner
ways to handle that.

Signed-off-by: Casey Callendrello <cdc@isovalent.com>
@squeed
go mod vendor
985345e 
Signed-off-by: Casey Callendrello <cdc@isovalent.com>
@squeed
cni/agent: add cni-chaining-target option
99a75d4 
People would like to automatically inject Cilium in to CNI configuration
files. Add an option to the daemon that watches for networks of a given
name and injects Cilium into it.

We already supported this in a limited sense with aws-cni, but let's
generalize it to support arbitrary CNI networks.

Signed-off-by: Casey Callendrello <cdc@isovalent.com>
@squeed
install: wire up cni.chainingTarget
73cf477 
Add the option to set a CNI chaining target explicitly. Also, clean up
some of the defaulting around cni chaining mode.

Signed-off-by: Casey Callendrello <cdc@isovalent.com>
@squeed
daemon/cni: correctly handle empty chaining mode
0f75ecd 
There was a logic error when handling an unset chaining mode.

Signed-off-by: Casey Callendrello <cdc@isovalent.com>
@squeed
Copy link
Contributor Author

squeed commented May 3, 2023

/test

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label May 3, 2023
@joestringer joestringer merged commit 1c31770 into cilium:main May 4, 2023
56 checks passed
@squeed squeed mentioned this pull request May 23, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asauber asauber asauber approved these changes

@kaworu kaworu kaworu approved these changes

@rolinh rolinh rolinh approved these changes

@zacharysarah zacharysarah zacharysarah approved these changes

@youngnick youngnick youngnick approved these changes

@qmonnet qmonnet qmonnet approved these changes

Assignees
No one assigned
Labels
area/cni Impacts the Container Networking Interface between Cilium and the orchestrator. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Cilium kubernetes IPAM shows duplicated addresses when in chaining mode
8 participants
@squeed @kaworu @rolinh @asauber @zacharysarah @youngnick @qmonnet @joestringer