Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Istio Breaking Multus Network Management After Overwriting Existing Pod Annotations #45034

Closed
1 of 14 tasks
brobb7 opened this issue May 22, 2023 · 1 comment
Closed
1 of 14 tasks

Istio Breaking Multus Network Management After Overwriting Existing Pod Annotations #45034

brobb7 opened this issue May 22, 2023 · 1 comment
Assignees
@brobb7
Labels
area/environments area/networking area/test and release

Comments

@brobb7
Copy link
Contributor

brobb7 commented May 22, 2023
edited by istio-policy-bot
Loading

Bug Description

If a pod has an annotation that points to an existing NetworkAttachmentDefinition for Multus, when injecting a sidecar, Istio overwrites the the network annotation (ex: k8s.v1.cni.cncf.io/networks: macvlan-conf) with k8s.v1.cni.cncf.io/networks: istio-cni. This breaks Multus' network management by preventing macvlan-conf from executing. Istio should be appending istio-cni to the annotation, to get k8s.v1.cni.cncf.io/networks: macvlan-conf, istio-cni.

@dougbtv wrote an in-depth gist article on the effects of this issue here: https://gist.github.com/dougbtv/babe9b59e4d54e7a0fc67f134b74b908

Here is a configuration that can replicate the issue: https://gist.github.com/jacob-delgado/bb3a08d21e13130e6b685df75ec54a10

cc @dougbtv @jwendell @dgn

Version

Known Istioctl versions affected 1.11-current

Additional Information

No response

Affected product area

  • Ambient
  • Docs
  • Installation
  • Networking
  • Performance and Scalability
  • Extensions and Telemetry
  • Security
  • Test and Release
  • User Experience
  • Developer Infrastructure
  • Upgrade
  • Multi Cluster
  • Virtual Machine
  • Control Plane Revisions
@brobb7 brobb7 mentioned this issue May 22, 2023
Closed
@brobb7
Copy link
Contributor Author

brobb7 commented May 25, 2023

Discussion on #45036 has determined that this issue is being caused by the instructions to add the following annotation to installation overrides files:

    sidecarInjectorWebhook:
      injectedAnnotations:
        k8s.v1.cni.cncf.io/networks: istio-cni

This is duplicating the work of the appendMultusNetworks function in the helm configuration and is causing the appended multus configurations to be overwritten during helm installation.

@jacob-delgado jacob-delgado mentioned this issue May 30, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@brobb7 brobb7

Labels
area/environments area/networking area/test and release
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jacob-delgado @istio-policy-bot @brobb7