ci-datapath: Enable IPV6 masquerading when KPR=off #25111
As pointed out by Maxim Mikityanskiy, the issue #23461 was resolved, so we can enable IPv6 with IPsec/vxlan.
Signed-off-by: Martynas Pumputis <m@lambda.lt>

More test coverage.
Signed-off-by: Martynas Pumputis <m@lambda.lt>
b2df60d to 494898a
/test
494898a to e8a39c0
# BPF-masq requires KPR=strict. | ||
# Disable IPv6 until https://github.com/cilium/cilium/issues/14350 has been resolved | ||
MASQ="--helm-set=bpf.masquerade=true --helm-set=enableIPv6Masquerade=false" | ||
fi |
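Review bot: the comment above the MASQ assignment ("# BPF-masq requires KPR=strict.") states the constraint but not what the other case is meant to exercise, and the retained "Disable IPv6 until .../issues/14350" line together with enableIPv6Masquerade=false reads oddly under a PR titled "Enable IPV6 masquerading when KPR=off". Suggest extending the comment to say which masquerading implementation and which IPv6 setting each branch is expected to test, so the intent does not have to be reconstructed from chart defaults.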
I don't seem to understand this second commit... It says:
Enable v6 masquerading with KPR=off in ci-dp
...but enableIPv6Masquerade is still false,
More test coverage.
...but bpf.masquerade is now set to true only when KPR=strict (used to be set unconditionally).
Could you explain what's the idea of this change?
...but enableIPv6Masquerade is still false,
If not specified, it defaults to true
- https://github.com/cilium/cilium/blob/main/install/kubernetes/cilium/values.yaml#L1527
...but bpf.masquerade is now set to true only when KPR=strict
This is because of https://github.com/cilium/cilium/blob/main/daemon/cmd/daemon.go#L940 (KPR=strict means that NodePort is enabled).
This is because of https://github.com/cilium/cilium/blob/main/daemon/cmd/daemon.go#L940
How did it work before? When KPR could be none, and bpf.masquerade was always enabled.
Very good question. I wanted to figure it out myself. Anyway:
level=warning msg="Falling back to iptables-based masquerading." error="BPF masquerade requires NodePort (--enable-node-port="true")" subsys=daemon
The agent automatically switched to the iptables-based masquerading.
ci-dp successful run https://github.com/cilium/cilium/actions/runs/4798712433/jobs/8537364470?pr=25111.
Before removing the WIP commit, all ginkgo tests have passed.
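
A CI guard for the silent fallback discussed in the thread above, as an added example that is not part of this PR or of Cilium's code: it reads an agent log and reports which masquerading mode was actually in effect. The function names and the sample log files are assumptions; the warning text is the one quoted in the last comment.

```shell
#!/bin/sh
# Added example: detect a silent BPF -> iptables masquerading fallback in CI.

# Warning message as it appears in the agent log quoted in the thread.
FALLBACK_MSG='msg="Falling back to iptables-based masquerading."'

# effective_masq REQUESTED LOGFILE
# REQUESTED is "bpf" or "iptables" (what the Helm flags asked for).
# Prints the mode the agent ended up with, judged from its log.
effective_masq() {
    local requested="$1" logfile="$2"
    if [ "$requested" = "bpf" ] &&
       grep -F 'level=warning' "$logfile" | grep -F 'subsys=daemon' |
           grep -qF "$FALLBACK_MSG"; then
        echo iptables
    else
        echo "$requested"
    fi
}

# assert_masq REQUESTED LOGFILE
# Returns non-zero and prints the offending log line when the job asked
# for one masquerading mode but the agent ran another.
assert_masq() {
    local requested="$1" logfile="$2" effective
    effective=$(effective_masq "$requested" "$logfile")
    if [ "$effective" != "$requested" ]; then
        echo "requested $requested masquerading, agent used $effective:" >&2
        grep -F "$FALLBACK_MSG" "$logfile" >&2
        return 1
    fi
}

# Constructed sample logs. The warning line is copied from the thread;
# the info line is made up for illustration.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/fallback.log" <<'EOF'
level=info msg="Constructed sample line" subsys=daemon
level=warning msg="Falling back to iptables-based masquerading." error="BPF masquerade requires NodePort (--enable-node-port="true")" subsys=daemon
EOF
cat > "$SAMPLE_DIR/clean.log" <<'EOF'
level=info msg="Constructed sample line" subsys=daemon
EOF

effective_masq bpf "$SAMPLE_DIR/fallback.log"   # prints: iptables
```

Run against the real agent log, `assert_masq bpf` turns a job that believes it is testing BPF masquerading but is actually on the iptables path into a failure.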