pkg/ipam: Don't let ENI IPAM override native-routing-cidr #10886
Conversation
Signed-off-by: John Watson <johnw@planetscale.com>
Please set the appropriate release note label.

test-me-please

@dctrwatson the CI failed:

Sorry. I wrote this against the v1.7 branch originally. Let me fix it up.

Commit d7feaab93260872a8969246ee5b7eb46b87bfca5 does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin
test-me-please

test-me-please
```go
ranges4, _ := ip.CoalesceCIDRs([]*net.IPNet{nativeCIDR.IPNet, vpcCIDR.IPNet})
if len(ranges4) != 1 {
	log.WithFields(logFields).Fatal("Native routing CIDR does not contain VPC CIDR.")
```
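Review bot: `len(ranges4) != 1` is a weaker test than the Fatal message claims. Coalescing the two CIDRs also yields a single range when the VPC CIDR contains the native routing CIDR (the reverse of what is wanted), or when the two are adjacent same-size blocks that merge into one larger prefix, so a misconfigured `--native-routing-cidr` can pass this check. A direct containment check (the native CIDR contains the VPC network address and its prefix length is no longer than the VPC prefix length) would match the message and reject both cases.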
I thought about this Fatal and whether it could come as a surprise but I think it's fine. It seems unlikely that the VPC CIDR changes all of a sudden. It seems more likely that a user reconfigures the NativeRoutingCIDR to no longer include the VPC CIDR in which case the Fatal is justified.
When using VPC Peering or similar, the L2 domain can be larger than the VPC CIDR from the EC2 instance's primary ENI.

The cilium agent has the `--native-routing-cidr` flag which can be used to manually configure this. However, when using ENI for IPAM, it always overwrites the configured value. This PR changes this behavior, deferring to the configured value for `native-routing-cidr`, and verifies that the `native-routing-cidr` is valid by checking that the VPC CIDR is a subnet of it.

Signed-off-by: John Watson <johnw@planetscale.com>
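An added example, not code from this PR or from Cilium, of the validation the description calls for: keep an operator-supplied native routing CIDR but refuse one that does not contain the VPC CIDR. It goes slightly beyond the PR's coalesce-based check by using a direct containment test, so a native CIDR that is itself a subnet of the VPC CIDR, or an adjacent block, is rejected too. The function names and the sample CIDRs are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// cidrContains reports whether outer fully contains inner: inner's network
// address lies in outer and inner's prefix is at least as long as outer's.
func cidrContains(outer, inner *net.IPNet) bool {
	outerOnes, outerBits := outer.Mask.Size()
	innerOnes, innerBits := inner.Mask.Size()
	if outerBits != innerBits { // IPv4 vs IPv6 never contain each other
		return false
	}
	return outerOnes <= innerOnes && outer.Contains(inner.IP)
}

// validateNativeRoutingCIDR (hypothetical helper) keeps a configured
// native-routing-cidr but rejects one that does not contain the VPC CIDR;
// an empty value falls back to the VPC CIDR, as the agent did before.
func validateNativeRoutingCIDR(nativeRoutingCIDR, vpcCIDR string) (*net.IPNet, error) {
	_, vpc, err := net.ParseCIDR(vpcCIDR)
	if err != nil {
		return nil, fmt.Errorf("invalid VPC CIDR %q: %w", vpcCIDR, err)
	}
	if nativeRoutingCIDR == "" {
		return vpc, nil
	}
	_, native, err := net.ParseCIDR(nativeRoutingCIDR)
	if err != nil {
		return nil, fmt.Errorf("invalid native routing CIDR %q: %w", nativeRoutingCIDR, err)
	}
	if !cidrContains(native, vpc) {
		return nil, fmt.Errorf("native routing CIDR %s does not contain VPC CIDR %s", native, vpc)
	}
	return native, nil
}

func main() {
	// Constructed sample inputs: peered VPCs, unset flag, reversed containment, adjacent blocks.
	for _, c := range [][2]string{
		{"10.0.0.0/8", "10.1.0.0/16"},
		{"", "10.1.0.0/16"},
		{"10.1.0.0/24", "10.1.0.0/16"},
		{"10.1.1.0/24", "10.1.0.0/24"},
	} {
		got, err := validateNativeRoutingCIDR(c[0], c[1])
		fmt.Printf("native=%q vpc=%q -> %v (err: %v)\n", c[0], c[1], got, err)
	}
}
```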