Per-node configuration overrides (v2) #22656

squeed · 2022-12-09T15:21:01Z

This un-reverts #22163, which was reverted in #22630. The only difference

Tolerate the CRD not existing, which can happen in cleanup mode
Fixup the l4lb test, pulling in the change test/l4lb, nat64x46: pass k8s api server to the standalone proxy #22627

The message from 22163 is included below.

This adds the ability to tweak configuration on a per-node basis, as designed in #22036. Specifically, there is an InitContainer that implements the configuration resolution logic. It writes a directory that imitates ConfigMaps, so there are no code changes in the agent itself.

This adds a new type, ClilumNodeConfig, that allows for tweaking configuration flags on a fine-grained basis. For example, you could create

apiVersion: cilium.io/v2alpha1
kind: CiliumNodeConfig
metadata:
  namespace: kube-system
  name: kube-proxy-replacement
spec:
  nodeSelector: 
    matchLabels:
      io.cilium.kube-proxy-replacement: "" 
  defaults:
    kube-proxy-replacement: strict

then add a NodeAntiAffinity to the kube-proxy daemonset. Then, one by one, label nodes with io.cilium.kube-proxy-replacement: "". This will cause that node to begin using this particular configuration override.

Fixes: #22036

Add per-node configuration overrides. There is a new Kubernetes resource type, CiliumNodeConfig, which allows for fine-grained configuration of Nodes based on label selectors.

(Note: This also includes a CI workaround for the extra roles; I'll fix that in cilium-cli and remove it shortly).

squeed · 2022-12-09T15:38:31Z

/test

squeed · 2022-12-09T20:34:28Z

This needs cilium/cilium-cli#1286 to merge for CI to be green (I'm not sure why the previous PR worked).

This is to make sure that cilium operator is having update permission for the newly added CiliumNodeConfigs CRD, otherwise, we will have the below issue: ``` 2022-12-21T05:29:34.477230831Z level=fatal msg="Unable to register CRDs" error="Unable to create custom resource definition: customresourcedefinitions.apiextensions.k8s.io \"ciliumnodeconfigs.cilium.io\" is forbidden: User \"system:serviceaccount:kube-system:cilium-operator\" cannot update resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope" subsys=cilium-operator-generic ``` Relates: cilium#22656 Signed-off-by: Tam Mach <tam.mach@cilium.io>

This is to make sure that cilium operator is having update permission for the newly added CiliumNodeConfigs CRD, otherwise, we will have the below issue: ``` 2022-12-21T05:29:34.477230831Z level=fatal msg="Unable to register CRDs" error="Unable to create custom resource definition: customresourcedefinitions.apiextensions.k8s.io \"ciliumnodeconfigs.cilium.io\" is forbidden: User \"system:serviceaccount:kube-system:cilium-operator\" cannot update resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope" subsys=cilium-operator-generic ``` Relates: #22656 Signed-off-by: Tam Mach <tam.mach@cilium.io>

[ upstream commit c46eb0b ] This is to make sure that cilium operator is having update permission for the newly added CiliumNodeConfigs CRD, otherwise, we will have the below issue: ``` 2022-12-21T05:29:34.477230831Z level=fatal msg="Unable to register CRDs" error="Unable to create custom resource definition: customresourcedefinitions.apiextensions.k8s.io \"ciliumnodeconfigs.cilium.io\" is forbidden: User \"system:serviceaccount:kube-system:cilium-operator\" cannot update resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope" subsys=cilium-operator-generic ``` Relates: cilium#22656 Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Aditi Ghag <aditi@cilium.io>

[ upstream commit c46eb0b ] This is to make sure that cilium operator is having update permission for the newly added CiliumNodeConfigs CRD, otherwise, we will have the below issue: ``` 2022-12-21T05:29:34.477230831Z level=fatal msg="Unable to register CRDs" error="Unable to create custom resource definition: customresourcedefinitions.apiextensions.k8s.io \"ciliumnodeconfigs.cilium.io\" is forbidden: User \"system:serviceaccount:kube-system:cilium-operator\" cannot update resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope" subsys=cilium-operator-generic ``` Relates: #22656 Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Aditi Ghag <aditi@cilium.io>

Introduced in #22656, now that cilium-cli install can handle this case, we can remove this workaround. Fixes: #22517 Reverts: 43cb8e9 Signed-off-by: Casey Callendrello <cdc@isovalent.com>

[ upstream commit d67aed5 ] Introduced in #22656, now that cilium-cli install can handle this case, we can remove this workaround. [ Backport note: Fixed conflict related to most touched filed being removed in branch v1.13 with commit e845e1d ("Prepare v1.13 stable branch"). ] Fixes: #22517 Reverts: 43cb8e9 Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com>

This commit adds the removal of the cilium-config-agent role and rolebinding (introduced in cilium/cilium#22656) during the uninstallation process, to ensure that the status of the cluster is properly restored. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>

[ upstream commit c46eb0b ] This is to make sure that cilium operator is having update permission for the newly added CiliumNodeConfigs CRD, otherwise, we will have the below issue: ``` 2022-12-21T05:29:34.477230831Z level=fatal msg="Unable to register CRDs" error="Unable to create custom resource definition: customresourcedefinitions.apiextensions.k8s.io \"ciliumnodeconfigs.cilium.io\" is forbidden: User \"system:serviceaccount:kube-system:cilium-operator\" cannot update resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope" subsys=cilium-operator-generic ``` Relates: cilium#22656 Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Aditi Ghag <aditi@cilium.io> Signed-off-by: Michi Mutsuzaki <michi@isovalent.com>

[ upstream commit d67aed5 ] Introduced in cilium#22656, now that cilium-cli install can handle this case, we can remove this workaround. [ Backport note: Fixed conflict related to most touched filed being removed in branch v1.13 with commit e845e1d ("Prepare v1.13 stable branch"). ] Fixes: cilium#22517 Reverts: 43cb8e9 Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Michi Mutsuzaki <michi@isovalent.com>

This commit adds the removal of the cilium-config-agent role and rolebinding (introduced in cilium#22656) during the uninstallation process, to ensure that the status of the cluster is properly restored. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>

squeed requested review from a team as code owners December 9, 2022 15:21

squeed requested a review from thorn3r December 9, 2022 15:21

maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Dec 9, 2022

squeed requested review from ldelossa, tommyp1ckles, gandro, joestringer and christarazi December 9, 2022 15:21

github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Dec 9, 2022

squeed added release-note/minor This PR changes functionality that users may find relevant to operating Cilium. and removed kind/community-contribution This was a contribution made by a community member. labels Dec 9, 2022

maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Dec 9, 2022

maintainer-s-little-helper bot added this to Needs backport from master in 1.13.0-rc4 Dec 9, 2022

squeed mentioned this pull request Dec 12, 2022

testing per-node-config workflow changes #22691

Closed

squeed requested a review from a team as a code owner December 12, 2022 15:34

joestringer added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. and removed needs-backport/1.13 labels Dec 21, 2022

maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.13 in 1.13.0-rc4 Dec 21, 2022

joestringer mentioned this pull request Dec 21, 2022

.github: Clean up RBAC artifacts for v1.13 CI #22823

Merged

sayboras mentioned this pull request Dec 21, 2022

operator: Add RBAC permission for CiliumNodeConfigs resource #22824

Merged

joestringer added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels Dec 22, 2022

joestringer moved this from Backport pending to v1.13 to Backport done to v1.10 in 1.13.0-rc4 Dec 22, 2022

joestringer mentioned this pull request Dec 22, 2022

Prepare for release v1.13.0-rc4 #22851

Merged

squeed mentioned this pull request Jan 16, 2023

ci: remove workaround to clean up stale rbac objects #23123

Merged

giorio94 mentioned this pull request Feb 10, 2023

uninstall: remove cilium-config-agent role/rolebinding cilium/cilium-cli#1382

Merged

chancez mentioned this pull request Mar 15, 2024

Provides a signal to warn users when agent settings differ from Configmap #31101

Draft

8 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Per-node configuration overrides (v2) #22656

Per-node configuration overrides (v2) #22656

squeed commented Dec 9, 2022 •

edited

Loading

squeed commented Dec 9, 2022

squeed commented Dec 9, 2022

Per-node configuration overrides (v2) #22656

Per-node configuration overrides (v2) #22656

Conversation

squeed commented Dec 9, 2022 • edited Loading

squeed commented Dec 9, 2022

squeed commented Dec 9, 2022

squeed commented Dec 9, 2022 •

edited

Loading