Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Kata: Mention incompatibility with host-reachable services or strict KPR in documentation #15589

Merged
merged 1 commit into from Apr 12, 2021
Merged

Kata: Mention incompatibility with host-reachable services or strict KPR in documentation #15589

merged 1 commit into from Apr 12, 2021

Conversation

qmonnet
Copy link
Member

@qmonnet qmonnet commented Apr 7, 2021

Host-reachable services are not supported with Kata containers at this time. This is because they use socket-based load-balancing which requires hooking in the kernel at the socket level in the pods, but Kata containers are VMs with their own kernels, making it impossible.

Kube-proxy replacement in strict mode implies host-reachable services, and is therefore not supported either.

Update the documentation accordingly, to avoid users stumbling on it.

Preview:
warning

@qmonnet qmonnet added area/documentation Impacts the documentation, including textual changes, sphinx, or other doc generation code. release-note/misc This PR makes changes that have no direct user impact. needs-backport/1.9 labels Apr 7, 2021
@qmonnet qmonnet requested a review from a team as a code owner April 7, 2021 14:42
@qmonnet qmonnet requested a review from joestringer April 7, 2021 14:42
@maintainer-s-little-helper maintainer-s-little-helper bot added this to In progress in 1.10.0 Apr 7, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.9.6 Apr 7, 2021
joestringer
joestringer approved these changes Apr 7, 2021
View reviewed changes
Copy link
Member

@joestringer joestringer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for documenting this. Couple of minor nits.

Documentation/gettingstarted/kata.rst Outdated Show resolved Hide resolved
Documentation/gettingstarted/kata.rst Show resolved Hide resolved
joestringer
joestringer requested changes Apr 7, 2021
View reviewed changes
Copy link
Member

@joestringer joestringer left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I meant to request changes, but with those small fixups sorted we can merge this.

@pchaigno pchaigno marked this pull request as draft April 8, 2021 09:47
@pchaigno
Copy link
Member

pchaigno commented Apr 8, 2021

Switching back to draft while @qmonnet is out.

@qmonnet
docs: add to Kata GSG a note about incompatibility w/ KPR/Host Services
01bba90 
Host-reachable services are not supported with Kata containers at this
time. This is because they use socket-based load-balancing which
requires hooking in the kernel at the socket level in the pods, but Kata
containers are VMs with their own kernels, making it impossible.

Kube-proxy replacement in strict mode implies host-reachable services,
and is therefore not supported either.

Update the documentation accordingly, to avoid users stumbling on it.

Signed-off-by: Quentin Monnet <quentin@isovalent.com>
@qmonnet
Copy link
Member Author

qmonnet commented Apr 12, 2021

Thanks Joe for your feedback, I addressed the two points. New preview:
warning

Incremental diff 
diff --git a/Documentation/gettingstarted/kata.rst b/Documentation/gettingstarted/kata.rst
index 46120ad5ea5a..ac760892c8ae 100644
--- a/Documentation/gettingstarted/kata.rst
+++ b/Documentation/gettingstarted/kata.rst
@@ -77,13 +77,15 @@ Deploy Cilium release via Helm:
 
 .. warning::
 
-    Kata containers do not work with :ref:`host-services`, or with
-    :ref:`kube-proxy replacement <kubeproxy-free>` in strict mode. They should
-    be disabled with ``--set hostServices.enabled=false`` (default) and
-    ``--set kubeProxyReplacement=disabled`` (or ``partial``)
+   Kata containers do not work with :ref:`host-services`, or with
+   :ref:`kube-proxy replacement <kubeproxy-free>` in strict mode. These
+   features should be disabled with ``--set hostServices.enabled=false``
+   (default) and ``--set kubeProxyReplacement=disabled`` (or ``partial``).
 
-    Both rely on socket-based load-balancing, which is not possible given that
-    Kata containers are virtual machines running with their own kernel.
+   Both features rely on socket-based load-balancing, which is not possible
+   given that Kata containers are virtual machines running with their own
+   kernel. For kube-proxy replacement, this limitation is tracked with
+   `GitHub issue 15437 <https://github.com/cilium/cilium/issues/15437>`_.
 
 .. include:: k8s-install-validate.rst

@qmonnet qmonnet marked this pull request as ready for review April 12, 2021 10:19
@pchaigno pchaigno added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Apr 12, 2021
@qmonnet qmonnet merged commit 31b44f3 into cilium:master Apr 12, 2021
1.10.0 automation moved this from In progress to Done Apr 12, 2021
@qmonnet qmonnet deleted the pr/kata_nokpr branch April 12, 2021 21:53
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.9 in 1.9.6 Apr 13, 2021
@jibi jibi mentioned this pull request Apr 13, 2021
Merged
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.9 to Backport done to v1.9 in 1.9.6 Apr 14, 2021
@joestringer joestringer mentioned this pull request Apr 20, 2021
Merged
This was referenced Apr 28, 2021
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@borkmann borkmann borkmann approved these changes

@joestringer joestringer joestringer approved these changes

Assignees

@joestringer joestringer

Labels
area/documentation Impacts the documentation, including textual changes, sphinx, or other doc generation code. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact.
Projects
No open projects
1.10.0
Done
1.9.6
Backport done to v1.9
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@qmonnet @pchaigno @borkmann @joestringer @jibi