New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ipam: Fix invalid PodCIDR in CiliumNode in ENI/Azure/MultiPool mode #26663
ipam: Fix invalid PodCIDR in CiliumNode in ENI/Azure/MultiPool mode #26663
Conversation
9514070
to
c60bf41
Compare
/test |
|
/ci-aks |
ci-eks keeps suspiciously failing with the same error. Moving back to draft until this has been sorted out Sysdump does not reveal much so far. What is interesting is that I don't see the failing flows in Hubble. In both cases, Cilium failed with IPSec and I do see xfrm errors (though this could either be cause or symptom)
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for the detailed commit msg, looks great 👍
The IPSec failures seem legitimate. It seems we do not setup IPSec if the node does not have a podCIDR, even in ENI mode: cilium/pkg/datapath/linux/node.go Line 1006 in 9c78f2a
|
c60bf41
to
95b3512
Compare
/test |
This is currently in draft because it affects the IPSec code base, which is currently also undergoing a refactor. Paul asked me to hold off with this change until the IPSec refactor dust has settled. |
I agree it's unlikely caused by this PR. Nevertheless, the fact that it happens in both cases in the key rotation section which we've just added makes me wonder if it's not a new flake caused by the key rotation changes. Might be worth opening a flake issue, just so we can track it. |
IPSec e2e test failed again, this time with a different symptom though. I'll investigate. |
I've created an issue. Pretty sure it's unrelated since I also found scheduled runs with the same error. #27799 Triage of new failures: Setup & Test (1, 4.19-20230810.091425, iptables, false, vxlan, ipsec, false)
There are some weird RSTs coming
Edit: This looks very much like #27759 (comment) which also has some "inexplicable RSTs" Setup & Test (2, 5.4-20230810.091425, iptables, false, disabled, ipsec, false)
There are no RSTs in this trace (at least not related to IP
Edit: This looks like #26351 (comment) |
Given that I don't see anything wrong with the routes, and both symptoms have been observed before (see links), I'll restart again. I don't know how to otherwise troubleshoot those failures further |
/ci-ipsec-e2e |
This commit fixes an issue where Cilium-Agent would announce its internal auto-generated IPv4/IPv6AllocRange by writing it into the local CiliumNode resource.
Cilium-Agents IPv4/IPv6AllocRange is Cilium's internal representation of the local node's PodCIDR. The concept of a single allocation CIDR however is outdated, since in many IPAM modes (ENI, Azure, AlibabaCloud, MultiPool) there either is no PodCIDR to begin with (and pod IPs are allocated using a different scheme), or there are multiple PodCIDRs (in the case of MultiPool).
Before this commit, cilium-agent used to copy its internal PodCIDR into the CiliumNode resource, but this behavior is only correct in Kubernetes IPAM mode. In Kubernetes IPAM mode, the IPv4/IPv6AllocRange is taken from the Kubernetes Node resource, and thus it makes sense to announce it to other cilium-agent instances via the CiliumNode resource. This field then is for example used by
auto-direct-node-routes
to install routes for direct routing mode.However, in all other IPAM modes that we have, copying the internal PodCIDR into the the CiliumNode resource does not make sense:
The announced auto-generated PodCIDR is causing issues in IPAM MultiPool mode. With this commit, we will no longer install invalid routes for the auto-generated PodCIDR. This was mostly harmless (since the auto-generated PodCIDR rarely overlapped with the real ones), but still a potential cause for confusion and bugs.
In addition, ENI-mode users have reported that they are confused by the this "fake" PodCIDR, which is understandable, since that PodCIDR is meaningless in ENI mode (#9409).
Long term, we want to remove the concept of the IPv4/IPv6AllocCIDR completely (and remove the auto-generation code), but this is a first incremental step towards that goal.
Fixes: #9409