New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
multi-pool: Determine IP pool based on ipam.cilium.io/ip-pool
annotation
#25511
Conversation
5070857
to
3751245
Compare
3751245
to
5416626
Compare
e4566b8
to
dfa9c7e
Compare
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well-done commits, very clean history! Makes it a breeze to review. Nothing major from my side.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM for API
/test |
@ysksuzuki ☝🏻 |
Thanks, I should not rely on GitHub's auto-completion too much 🙈 |
e4885bf
to
0d4ba6a
Compare
Last push fixes the unit test needed due to the new error introduced here: #25511 (comment) Restarting tests. |
/test |
@@ -554,6 +561,9 @@ func (d *Daemon) startIPAM() { | |||
log.Info("Initializing node addressing") | |||
// Set up ipam conf after init() because we might be running d.conf.KVStoreIPv4Registration | |||
d.ipam = ipam.NewIPAM(d.datapath.LocalNodeAddressing(), option.Config, d.nodeDiscovery, d.k8sWatcher, &d.mtuConfig, d.clientset) | |||
if d.ipamMetadata != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I read the code correctly, d.ipamMetadata is already created via hive? Why add a fallback here, and not where the ipamMetaddata is initialized?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The hive ipamMetaddata
constructor will return nil if it's running in an unsupported IPAM mode:
https://github.com/cilium/cilium/blob/0d4ba6a6d4edb21c92f6e469566d4d408c2ac31b/pkg/ipam/metadata/cell.go#L34-L36
And I do not want to pass in a potentially nil
value as an interface type into WithMetadata
because it will break the nil
checks here (i.e. they will not detect that metadata is nil due to nil interface types):
https://github.com/cilium/cilium/blob/0d4ba6a6d4edb21c92f6e469566d4d408c2ac31b/pkg/ipam/allocator.go#L34-L36
Example: https://go.dev/play/p/z8C_cU0eMdU
0d4ba6a
to
368278d
Compare
Last push fixes a |
/test |
@gandro Thank you for the reply!
Thanks! I'm glad to hear that.
We're not in such a hurry, so supporting it in v1.15 or later is OK. (I would of course be happy to contribute) A bit out of the topic, but it would be useful to export the Pod CIDR to the kernel routing table or a dummy interface so that other BGP software, such as BIRD or FRR, can import and announce the PodCIDR. bird.conf
|
This adds a new shared resource for local pods, i.e. pods scheduled on the local node. This is useful for cells which need to access the pod resource for a Cilium-managed endpoint. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
This adds the IPAM pool name to the AddressPair type which is both the result of an IPAM allocation and an argument of the EndpointCreate request. This allows the API client to know the pool effectively used to allocate an IP. The caller needs to keep track of this, as it will have to pass the pool back to the IPAM subsystem when the IP is released. In Cilium, the IP is typically not released not by the CNI plugin, but directly by the endpoint package when the endpoint is deleted. This is why the field is added to the AddressPair type (which shared between the IPAM and endpoint types), rather than just to the IPAMAddressResponse. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
This adds a field to the endpoint structure to track where the endpoint's IP has been allocated from. This is needed both for IP release, as well as endpoint restoration. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
This adds an annotation which may be added to pods or namespaces to determine the IP pool should be used for those workloads. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
This adds a new cell which is responsible for determining the IP pool of a particular pod. It will do that by first checking if the pod has the `ip-pool` annotation, and if present, will return that pool to be used for IP allocation. If the pod does not have such an annotation, it will then check for the same annotation on the namespace. If that is also not present, we fall back on the `default` pool. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
This removes a functionality which was added for a bug fix in 03df4a5, but then made obsolete in 82a8c71 when the bug fix turned out to be insufficient. There are no other users of this funcionality. This commit also moves the parsing of the IP address back into the API handler. This ensures that the API actually returns the correct (i.e. documented) HTTP error code when the IP is invalid. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
This commit contains no functional changes, but moves the variable definition of `err` from a local variable to a named return value. This makes a difference when reading `err` in the `defer` block, because if we ever return with an error without also setting `err` to a non-nil value, the `defer` statement which releases the IPv6 address would not release it. At the moment, the implementation never returns an error without also setting `err` explicitly, but moving the variable definition into the function signature ensures that future code changes may not introduce subtle bugs. See the following example for details: https://go.dev/play/p/3l7FDg5k6yP Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
This commit introduces the IPAM metadata manager to the IPAM subsystem. When allocating a new random IP via `AllocateNext` with an empty pool name, the IPAM subsystem will now call into the IPAM metadata manager to obtain the pool name for the IP owner. If a pool is provided by the caller, then no lookup is performed and the caller's pool takes precedence. For `ReleaseIP` and `AllocateIP`, we now also expect the IP pool to be explicitly provided. `AllocateIP` is only used for IP restoration, in which case we expect the caller to know what pool to restore the IP from (because restoring the IP from a different pool than it was originally allocated from might lead to bugs). For `ReleaseIP`, we don't actually know the owner name, so we also expect it to be provided, because again, releasing an IP into a different pool than then one it was allocated from might lead to bugs. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
368278d
to
580382f
Compare
Rebased to resolve trivial conflict in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yup! I was out for a long weekend, sorry.
/test |
This is ready to merge. |
This adds a mechanism which allows workloads to specify what IP pool their IP should be allocated from in multi-pool IPAM mode (see #22762 for details).
It will do that by first checking if the pod has a
ipam.cilium.io/ip-pool
annotation, and if present, will return that pool to be used for IP allocation. If the pod does not have such an annotation, it will then check for the same annotation on the pod's namespace. If that is also not present, we fall back on thedefault
pool.💡 Review per commit
I have manually tested this on kind as follows:
CI and documentation will be added in a separate PR. See meta issue #25470