ipam: Remove cluster-pool-v2beta code #27753
Conversation
Force-pushed from 842f1fe to 4a0f499
Force-pushed from 3740037 to 98de88d
/test
Thanks for nicely splitting these up into commits, which made it a lot easier to review and verify!
One non-blocking minor nit inline.
Force-pushed from bb7e36c to 7a5cb7c
/test
Helm changes LGTM
/ci-ingress
/ci-runtime
/ci-integration
Had to re-trigger some tests manually due to changed workflow names.
LGTM for docs
@tommyp1ckles Ping for review
k8s changes look good
CI is stuck because the PR has been open for a while and new tests have been introduced in the meantime. I'll rebase to be able to re-run CI.
This commit moves various functions used by the multipool.go implementation out of clusterpool.go. This will allow us to remove the clusterpool.go file in a subsequent commit. This commit contains no functional changes.
Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

This IPAM mode has been deprecated in Cilium v1.14 and has been superseded by multi-pool IPAM instead. This commit removes all code related to cluster-pool-v2beta from the agent.
Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

This mostly reverts commit 3d6b9a8. The changes in podcidr.go have been restored to the behavior before the cluster-pool-v2beta code was added.
Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

They are no longer used.
Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
Force-pushed from 26d7a29 to 10599ea
/test
Can we expect a proper upgrade/migration path from cluster-pool-v2beta to multi-pool?
Unfortunately, BGP for multi-pool cannot be backported to v1.14, due to some other larger refactoring PRs that depend on it. Generally speaking, there is no migration guide planned, since cluster-pool-v2beta was never recommended for production. Having said that, I think we would accept a contribution which adds some migration documentation, and potentially also some helper logic, for example in the agent, which reads the old per-node pod CIDR allocations.
In that case, can we consider not dropping cluster-pool-v2beta support in v1.15?
I don't think simply reverting this PR is a good way forward. I also don't think it's possible to run in two IPAM modes: there is only one operator, and it only runs one IPAM allocator at a time.

To find the best solution, I think it would be useful to get a bit more context on what deployments you have and what problems you want to solve. I'm not opposed to adding code or logic that helps the migration, both in v1.14 and v1.15. I can totally envision a migration mode where we make the multi-pool logic backwards-compatible with the cluster-pool-v2beta fields, and I think such a solution would be less work and less overall risk than backporting BGP to v1.14 or reverting this PR.
That makes sense, and originally I was looking for the "best way" to migrate from cluster-pool-v2beta. We are heavily relying on BGP CP, so now the problem is that in order to migrate to multi-pool, we also need BGP CP support for it. Now thinking about it, BGP CP support for multi-pool only exists in v1.15.

So I suppose what I am looking for is how to perform this migration in the best way possible without affecting any workloads. I am thinking we are going to have to run different versions at the same time, where each node (running, say, v1.15) is migrated to the new pool one at a time. Let's say we manage to roll out in this fashion; my concern is, if the Cilium global config is changed based on v1.15, will it affect the existing v1.14 agents, and not just the IPAM functionality but also BGP CP?
Thanks a lot for the clarification!
So yeah, unless Cilium agents are restarted, they will not start to use the new configuration. Only once they are restarted will they read the newer ConfigMap.

I think the bigger challenge however is the fact that cluster-pool-v2beta and multi-pool store their per-node allocations in different fields of the CiliumNode resource. The good news however is that I think this should be fixable with some migration logic from v1.14 with cluster-pool-v2beta to v1.15 with multi-pool:

Step 1: Prepare a v1.15 configuration that uses multi-pool IPAM with a default pool covering the old cluster-pool pod CIDRs.

Step 2: Mirror all per-node pod CIDRs from all CiliumNode spec.ipam.podCIDRs fields into the corresponding spec.ipam.pools.allocated entries.

Step 3: Update the Operator to Cilium v1.15 with multi-pool IPAM mode. Thanks to the mirrored pod CIDRs, it will make sure that any already allocated pod CIDRs are retained and not re-allocated to any new nodes. At this point, any v1.14 agent running in cluster-pool-v2beta mode will keep working with its existing allocations.

Step 4: Update Cilium agents one by one from v1.14 with cluster-pool-v2beta to v1.15 with multi-pool.

(Optional) Step 5: If the migration is successful and no downgrade is needed, go ahead and clear any leftover spec.ipam.podCIDRs fields.

The only code that needs to be created for this migration plan to work is the code in step 2. This could either be done by a custom shell or python script, or we could add this logic to the Cilium operator. I would accept such a PR.
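As a rough illustration of what the step 2 script could look like, here is a minimal sketch (not part of this PR) using the Kubernetes Python client. The pool name "default" and the exact spec.ipam.pools.allocated layout are assumptions that should be verified against the CiliumNode CRD of the target Cilium version:

```python
#!/usr/bin/env python3
# Hypothetical step 2 helper: mirror the per-node pod CIDRs allocated by
# cluster-pool-v2beta (spec.ipam.podCIDRs) into the multi-pool "default"
# pool (spec.ipam.pools.allocated) on each CiliumNode.
from kubernetes import client, config

POOL_NAME = "default"  # assumed; must match the default pool in the v1.15 config

def main():
    config.load_kube_config()  # use load_incluster_config() inside a pod
    api = client.CustomObjectsApi()
    nodes = api.list_cluster_custom_object(
        group="cilium.io", version="v2", plural="ciliumnodes")

    for node in nodes["items"]:
        name = node["metadata"]["name"]
        ipam = node.get("spec", {}).get("ipam", {})
        pod_cidrs = ipam.get("podCIDRs") or []
        if not pod_cidrs:
            continue  # node has no legacy allocation to mirror

        allocated = ipam.get("pools", {}).get("allocated") or []
        if any(p.get("pool") == POOL_NAME for p in allocated):
            continue  # already mirrored; keep the script idempotent

        allocated.append({"pool": POOL_NAME, "cidrs": pod_cidrs})
        # Merge-patch replaces the whole "allocated" list we just rebuilt.
        api.patch_cluster_custom_object(
            group="cilium.io", version="v2", plural="ciliumnodes",
            name=name,
            body={"spec": {"ipam": {"pools": {"allocated": allocated}}}})
        print(f"{name}: mirrored {pod_cidrs} into pool {POOL_NAME!r}")

if __name__ == "__main__":
    main()
```

The same logic could live in the operator instead; the script form just makes it easy to dry-run against a dev cluster first.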
Good stuff! Thank you for all the details. Isn't there a shortcut to all of this: drain/delete the node and rejoin, i.e. bring the node up with no previous CNI config and with v1.15? This obviously assumes that we can somehow control that v1.15 is deployed onto the cluster while the agent is not rolled out on every node, only on newly joining ones. Could this approach be used along with some mechanism to control which nodes receive the new agent image?
So yeah, if you don't mind workload pods being restarted during the Cilium upgrade, then draining nodes is also an option. They would basically forget all about their old pod CIDRs.

The main concern there however is that you want to avoid the operator handing out a podCIDR to a new (upgraded) node while it is still owned by an old (non-upgraded) node. This could happen because, from the view of the upgraded operator, the pod CIDRs of non-upgraded nodes are not tracked in any multi-pool allocation.

This can be circumvented in two ways:
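Whichever route is taken, one way to gain confidence before upgrading agents is to audit that every CIDR still listed in a node's legacy spec.ipam.podCIDRs is also reflected in a mirrored spec.ipam.pools.allocated entry, i.e. a CIDR the upgraded operator already considers taken. A hypothetical sketch along the lines of the script above:

```python
# Hypothetical pre-upgrade audit: flag any CIDR still present in a node's
# legacy spec.ipam.podCIDRs that is not covered by a mirrored
# spec.ipam.pools.allocated entry (field names assumed from the
# CiliumNode CRD, as in the mirroring sketch above).
from kubernetes import client, config

def unmirrored_cidrs():
    config.load_kube_config()
    api = client.CustomObjectsApi()
    nodes = api.list_cluster_custom_object(
        group="cilium.io", version="v2", plural="ciliumnodes")

    missing = {}
    for node in nodes["items"]:
        ipam = node.get("spec", {}).get("ipam", {})
        legacy = set(ipam.get("podCIDRs") or [])
        mirrored = {cidr
                    for pool in ipam.get("pools", {}).get("allocated") or []
                    for cidr in pool.get("cidrs") or []}
        leftover = legacy - mirrored
        if leftover:
            missing[node["metadata"]["name"]] = sorted(leftover)
    return missing

if __name__ == "__main__":
    for name, cidrs in unmirrored_cidrs().items():
        print(f"WARNING: {name} has unmirrored pod CIDRs: {cidrs}")
```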
Yeah. I'm not well versed enough in Kubernetes to tell you what the best option would be to have certain nodes of the DaemonSet use the old image, whereas other nodes use the new image. Maybe you will need two separate cilium-agent DaemonSets with disjunct node selectors.

(Note that my proposal above says "update Cilium agents one by one", but you can also do it all at once, i.e. it does not necessarily require that you control which nodes have been migrated and which ones haven't. But of course you might still want to do this for safety reasons.)
Yes, restarting workloads on one node at a time is not a big issue, as there is redundancy. Overlapping/copying the per-node CIDRs over is a good point; I had not considered that. IIRC, the cilium operator allocates the IPAM block per node from the start of the podCIDR subnet. Let me give this a try; I will test it out in a dev environment and see how it goes.
This IPAM mode has been deprecated in Cilium v1.14 and has been superseded by multi-pool IPAM instead. This commit removes all code related to cluster-pool-v2beta from Cilium.