add an option to wait for kube-proxy

[michi-covalent]

Description

This commit is to add the flag in helm, which will enable init
container waiting for kube-proxy if required. The main reason is
to avoid any potential race condition between kube-proxy and
cilium agent. More context can be found in below related PR.

Relates: #20123

Signed-off-by: Michi Mutsuzaki michi@isovalent.com

Testing

(tam) The changes are done original by Michi, I just add below minor things:

• Add check for kubeProxyReplacement not to be strict
• Add securityContext as privileged for running iptables command
• Correct manifest syntax error

Testing was done locally by setting this flag enabled (and kube proxy
replacement is not set).

$ helm install cilium install/kubernetes/cilium -n kube-system --set waitForKubeProxy=true

$ ksyslo ds/cilium --timestamps -c wait-for-kube-proxy
2022-07-14T09:44:18.298138416Z :KUBE-PROXY-CANARY - [0:0]
2022-07-14T09:44:18.298293549Z Found KUBE-IPTABLES-HINT or KUBE-PROXY-CANARY iptables rule in 'iptables-nft-save -t mangle'

$ ksysex ds/cilium --  iptables-nft-save -t mangle | grep -E '^:(KUBE-IPTABLES-HINT|KUBE-PROXY-CANARY)'
Defaulted container "cilium-agent" out of: cilium-agent, mount-cgroup (init), apply-sysctl-overwrites (init), mount-bpf-fs (init), clean-cilium-state (init), wait-for-kube-proxy (init)
:KUBE-PROXY-CANARY - [0:0]

[ldelossa]

LGTM, I'd like to see if the --check flag can be used instead of grepping, but this works too.

[ldelossa]

Is finding one or the other enough? I'm assuming the rules are atomically set at the same time?

[jrfastab]

yes my understanding, KUBE-IPTABLES-HINT was what the old versions used the newer versions use KUBE-PROXY-CANARY so if we ever find both things are strange already.

[ldelossa]

Instead of doing a save and grep could you use the --check flag to check for the chain and a particular rule?

       -C, --check chain rule-specification
              Check whether a rule matching the specification does exist in the selected chain. This command uses the same logic as -D to  find  a  matching
              entry, but does not alter the existing iptables configuration and uses its exit code to indicate success or failure.

[jrfastab]

not sure... I've never used --check maybe @joestringer knows the answer.

[sayboras]

/test

Job 'Cilium-PR-K8s-1.24-kernel-net-next' failed:

Click to show.

Test Name

K8sServicesTest Checks N/S loadbalancing Tests NodePort with sessionAffinity from outside

Failure Output

FAIL: Timed out after 240.000s.

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.24-kernel-net-next so I can create one.

[sayboras]

Self approved :shameless:

[sayboras]

/test-1.24-net-next

Job 'Cilium-PR-K8s-1.24-kernel-net-next' failed:

Click to show.

Test Name

K8sServicesTest Checks E/W loadbalancing (ClusterIP, NodePort from inside cluster, etc) Checks in-cluster KPR Tests NodePort with externalTrafficPolicy=Local

Failure Output

FAIL: k8s2 host unexpectedly connected to service "http://192.168.56.11:30083", it should fail

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.24-kernel-net-next so I can create one.

[aanm]

/mlh new-flake Cilium-PR-K8s-1.24-kernel-net-next