Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AKS: Clean up azure-vnet state on Cilium agent start #14452

Merged
merged 3 commits into from
Jan 11, 2021
Merged

AKS: Clean up azure-vnet state on Cilium agent start #14452

merged 3 commits into from
Jan 11, 2021

Conversation

ti-mo
Copy link
Contributor

@ti-mo ti-mo commented Dec 18, 2020

Fixes #12113
Fixes #14233

Rationale is documented in the commit messages. We need something to move AKS support forward, as there are multiple breaking issues in 1.9.

@seanmwinn Should a Helm value be added to disable the rm/ebtables/ip neigh path?
@aanm Should we document the fact that deploying with Azure IPAM disconnects all workload Pods in the cluster? (getting rid of this behaviour would be a requirement for declaring Azure IPAM as GA, so this might not be necessary)

No longer wait for and modify `/var/run/azure-vnet.json`. This confuses azure-vnet during Pod removal, causing it to incorrectly clean up machine state.
In Azure IPAM mode, remove /var/run/azure-vnet.json on Cilium agent startup, flush ebtables and remove permanent neigh entries.

@ti-mo ti-mo requested review from a team as code owners December 18, 2020 16:30
@ti-mo ti-mo requested review from a team and qmonnet December 18, 2020 16:30
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Dec 18, 2020
@maintainer-s-little-helper maintainer-s-little-helper bot added this to In progress in 1.10.0 Dec 18, 2020
@ti-mo ti-mo mentioned this pull request Dec 18, 2020
Closed
1 task
christarazi
christarazi approved these changes Dec 18, 2020
View reviewed changes
Copy link
Member

@christarazi christarazi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very clean commits and readable explanations in the commits, well done! The changes look good to me, but clearly there's a lot of context here which I'm not fully on top of, so I'll defer to others for closer inspection.

@christarazi christarazi requested a review from a team December 18, 2020 18:16
twpayne
twpayne approved these changes Dec 21, 2020
View reviewed changes
Copy link
Contributor

@twpayne twpayne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I currently don't have enough understanding of Azure's networking to fully understand this PR, but the code and commits as-is look excellent.

qmonnet
qmonnet approved these changes Dec 21, 2020
View reviewed changes
Copy link
Member

@qmonnet qmonnet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let me join the club of the reviewers unfamiliar with Azure. Code looks good!

install/kubernetes/cilium/templates/cilium-nodeinit-daemonset.yaml Outdated Show resolved Hide resolved
install/kubernetes/cilium/templates/cilium-nodeinit-daemonset.yaml Show resolved Hide resolved
@aanm aanm added the dont-merge/needs-rebase This PR needs to be rebased because it has merge conflicts. label Dec 22, 2020
@aanm aanm removed their assignment Dec 22, 2020
@ti-mo ti-mo force-pushed the pr/tb/azure-vnet-state-cleanup branch 2 times, most recently from 3d8083e to c4deff1 Compare December 22, 2020 16:01
@ti-mo
Copy link
Contributor Author

ti-mo commented Dec 22, 2020

Addressed comments and rebased. 👍 Also removed stat in favor of [ -f ... ].

@ti-mo ti-mo requested a review from a team December 22, 2020 16:34
@ti-mo ti-mo force-pushed the pr/tb/azure-vnet-state-cleanup branch from 8528be8 to 7c6a967 Compare December 22, 2020 16:39
@christarazi
Copy link
Member

Looks like the docs job is not happy with the changes.

@ti-mo ti-mo force-pushed the pr/tb/azure-vnet-state-cleanup branch from 7c6a967 to 08a3e5e Compare January 5, 2021 10:34
@ti-mo
Copy link
Contributor Author

ti-mo commented Jan 5, 2021

This should be ready @aanm PTAL 🙏

@aanm
Copy link
Member

aanm commented Jan 6, 2021

@ti-mo please add the labels for which this PR needs to be backported as well as the proper release label.

@ti-mo
nodeinit: remove nodeinit.expectAzureVnet Helm option and behaviour
5583ba4 
Commit 0b70117 ("AKS: Fix dynamic reconfiguration of bridge mode") and
preceding commits would modify an internal state file of the azure-vnet CNI
plugin. This is potentially dangerous, because:

- azure-vnet uses a lockfile to coordinate access to this state file between
  independent invocations.
- The format of the state file is not controlled by us and subject to change.
- How this state file is used can change between versions of azure-vnet.

After investigating some reports of connectivity issues, it turns out that:

- Modifying the state file directly isn't necessary. azure-vnet obeys the mode
  it's given in its CNI configuration, regardless of the mode recorded in the
  state file.
- Changing the mode directly _in the state file_ from `bridge` to `transparent`
  causes azure-vnet to forget cleaning up static ARP entries for deleted Pods
  that were previously created in bridge mode before Cilium was deployed.
  This can cause addresses of Pods previously scheduled on the node to become
  unroutable on said node.
- Waiting for the state file to appear causes a deadlock on newly-created nodes
  in a cluster where Cilium is already running, for example, when scaling out
  a node pool. azure-vnet only creates the state file when it gets its first
  CNI `ADD` event, which will never happen with the CNI configurations Cilium
  installs.

Signed-off-by: Timo Beckers <timo@isovalent.com>
@ti-mo
nodeinit: Azure IPAM - remove azure-vnet.json, flush ebtables, ip nei…
684f472 
…ghbors

This aims to address cilium#14233 ("Pods scheduled before Cilium don't get state
cleaned up") until a better solution can be implemented for AKS, ideally by
gaining support for deploying Cilium directly by Azure.

Currently, when Cilium is deployed with Azure IPAM enabled, all workload Pod
connectivity is interrupted until the Pod is re-scheduled.

Signed-off-by: Timo Beckers <timo@isovalent.com>
@ti-mo
Documentation: warn for disconnected Pods when deploying Azure IPAM
d91c7f7 
Signed-off-by: Timo Beckers <timo@isovalent.com>
@ti-mo ti-mo force-pushed the pr/tb/azure-vnet-state-cleanup branch from 08a3e5e to d91c7f7 Compare January 6, 2021 12:23
@ti-mo ti-mo added needs-backport/1.9 and removed dont-merge/needs-rebase This PR needs to be rebased because it has merge conflicts. labels Jan 6, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.9.2 Jan 6, 2021
@ti-mo ti-mo added the release-note/minor This PR changes functionality that users may find relevant to operating Cilium. label Jan 6, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 6, 2021
@ti-mo ti-mo added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jan 6, 2021
@gandro gandro merged commit 21d2ebc into cilium:master Jan 11, 2021
@ti-mo ti-mo deleted the pr/tb/azure-vnet-state-cleanup branch January 12, 2021 13:40
@errordeveloper errordeveloper mentioned this pull request Jan 14, 2021
Merged
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.9 in 1.9.2 Jan 14, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.9 in 1.9.2 Jan 14, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.9 to Backport done to v1.9 in 1.9.2 Jan 18, 2021
@aanm aanm mentioned this pull request Jan 20, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@twpayne twpayne twpayne approved these changes

@christarazi christarazi christarazi approved these changes

@aanm aanm aanm approved these changes

@qmonnet qmonnet qmonnet approved these changes

@tgraf tgraf Awaiting requested review from tgraf

@seanmwinn seanmwinn Awaiting requested review from seanmwinn

Assignees

@tgraf tgraf

@seanmwinn seanmwinn

Labels
ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.
Projects
No open projects
1.10.0
Done
1.9.2
Backport done to v1.9
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Azure IPAM] Pods scheduled before Cilium don't get state cleaned up Connectivity issues in Azure
9 participants
@ti-mo @christarazi @aanm @twpayne @qmonnet @gandro @errordeveloper @tgraf @seanmwinn