Current implementation isn't compliant with kubernetes conformance tests #6

Open
elssuy opened this issue Aug 29, 2023 · 1 comment
Labels
bug Something isn't working

elssuy commented Aug 29, 2023

Current implementation isn't compliant with Conformance tests:

Conformance tests were run with sonobuoy:

$ sonobuoy run --mode certified-conformance --wait

Results were:

[It] [sig-api-machinery] AdmissionWebhook [Privileged:ClusterAdmin] should mutate configmap [Conformance]
[It] [sig-network] HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol [LinuxOnly] [Conformance]
[It] [sig-api-machinery] Aggregator Should be able to support the 1.17 Sample API Server using the current Aggregator [Conformance]
[It] [sig-api-machinery] AdmissionWebhook [Privileged:ClusterAdmin] should be able to deny custom resource creation, update and deletion [Conformance]

At this time only:

[It] [sig-api-machinery] AdmissionWebhook [Privileged:ClusterAdmin] should be able to deny custom resource creation, update and deletion [Conformance]
[It] [sig-api-machinery] AdmissionWebhook [Privileged:ClusterAdmin] should mutate configmap [Conformance]

have been treated by c9b1589

Still failing tests:

[It] [sig-network] HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol [LinuxOnly] [Conformance]
[It] [sig-api-machinery] Aggregator Should be able to support the 1.17 Sample API Server using the current Aggregator [Conformance]
@elssuy elssuy added the bug Something isn't working label Aug 29, 2023
elssuy commented Aug 30, 2023

Current implementation of cilium v1.14.1 with free KubeProxy isn't compliant with Kubernetes Conformance tests.
As explained here: cilium/cilium#26399, they are currently working on a feature to differentiate UDP and TCP protocols. The discussion file is found here: https://docs.google.com/document/d/1USB6KnQA2mdJZYxrXn4vvr86hO8V9ItJTgWV7IgHL1A/edit#heading=h.emkst1tlqm39

Why is it important? The test [It] [sig-network] HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol [LinuxOnly] [Conformance] deploys 3 pods:

  1. On Node 1, IP 127.0.0.1 with nodeport 54323 Protocol TCP
  2. On Node 1, IP with nodeport 54323 Protocol TCP
  3. On Node 1, IP with nodeport 54323 Protocol UDP

This test checks that there are no conflicts if two pods share the same hostport, with a different protocol and/or IP. With the current implementation of Cilium full kube-proxy replacement this test fails.

Current workaround:

  1. Deploy Cilium alongside kube-proxy.
  2. Deploy Cilium with portmap plugin enabled in chaining mode.

Other related issues:
cilium/cilium#14287
cilium/cilium#9207
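
The conflict rule that the HostPort conformance test exercises, as an added example that is not part of the original issue and not code from Cilium or Kubernetes: two hostPort declarations on one node collide only when port and protocol match and the host IPs overlap. The `ignore_protocol` switch is a hypothetical simplified model of a datapath that does not distinguish TCP from UDP, and the `192.0.2.10` address and pod names are constructed sample values.

```python
from itertools import combinations

WILDCARD = "0.0.0.0"  # Kubernetes default when hostIP is unset


def normalize(entry):
    """Apply Kubernetes defaults: hostIP -> 0.0.0.0, protocol -> TCP."""
    return (entry.get("hostIP") or WILDCARD,
            (entry.get("protocol") or "TCP").upper(),
            int(entry["hostPort"]))


def conflicts(a, b, ignore_protocol=False):
    """True if two hostPort entries on the same node cannot coexist.

    ignore_protocol=True is a hypothetical model (an assumption, not
    Cilium's code) of a datapath that keys only on IP and port.
    """
    ip_a, proto_a, port_a = normalize(a)
    ip_b, proto_b, port_b = normalize(b)
    if port_a != port_b:
        return False
    if not ignore_protocol and proto_a != proto_b:
        return False
    # Same port (and protocol): collide if IPs are equal or either is the wildcard.
    return ip_a == ip_b or WILDCARD in (ip_a, ip_b)


def find_conflicts(pods, ignore_protocol=False):
    """Return the name pairs of all conflicting hostPort declarations."""
    return [(x["name"], y["name"])
            for x, y in combinations(pods, 2)
            if conflicts(x, y, ignore_protocol)]


# Constructed sample mirroring the three pods the test deploys on one node.
# 192.0.2.10 is a placeholder node address, not a value from the issue.
SAMPLE_PODS = [
    {"name": "pod1", "hostIP": "127.0.0.1", "hostPort": 54323, "protocol": "TCP"},
    {"name": "pod2", "hostIP": "192.0.2.10", "hostPort": 54323, "protocol": "TCP"},
    {"name": "pod3", "hostIP": "192.0.2.10", "hostPort": 54323, "protocol": "UDP"},
]

if __name__ == "__main__":
    print("full tuple model:      ", find_conflicts(SAMPLE_PODS))
    print("protocol-blind model:  ", find_conflicts(SAMPLE_PODS, ignore_protocol=True))
```

Under the full (hostIP, protocol, hostPort) model all three pods coexist, while the protocol-blind model reports pod2 and pod3 as colliding.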
