
[release-1.23] Add support for configuring the EgressSelector mode #5603

Conversation

brandond
Contributor

@brandond brandond commented May 23, 2022

Proposed Changes

Add support for server configuration flag --egress-selector-mode to configure the apiserver egress selector configuration:

  • disabled: The apiserver does not use agent tunnels to communicate with nodes. This mode requires that servers run agents, and have direct connectivity to the kubelet on agents, or the apiserver will not be able to access service endpoints or perform kubectl exec and kubectl logs.
    This is the historical default for RKE2.
  • agent: The apiserver uses agent tunnels to communicate with nodes. Nodes allow the tunnel connection if it is to a loopback address. This mode requires that servers also run agents, or the apiserver will not be able to access service endpoints.
    This is the historical default for k3s.
  • pod (default): The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Nodes. Nodes allow the tunnel connection if it is to a loopback address, or a CIDR assigned to their node.
    NOTE: This will not work when using a CNI that uses its own IPAM and does not respect the node's PodCIDR allocation. cluster should be used with these CNIs instead.
  • cluster: The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Endpoints. Nodes allow the tunnel connection if it is to a loopback address, or the configured cluster CIDR range.
    This is marginally less secure and less efficient than pod mode.

Types of Changes

bugfix

Verification

Normal QA checks
Validate in RKE2 with Calico

Linked Issues

User-Facing Change

The integrated apiserver network proxy's operational mode can now be set with `--egress-selector-mode`.

Further Comments

Will need a docs update.
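The four modes listed in the description differ only in which tunnel destinations an agent will accept. The following Go program is an added illustration of that per-mode destination policy, written for this page; it is not k3s code and does not reflect how k3s implements the check internally. The `NodeInfo` struct, the `TunnelAllowed` function and the sample CIDRs are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"net"
)

// EgressMode mirrors the four values of --egress-selector-mode from the PR description.
type EgressMode string

const (
	ModeDisabled EgressMode = "disabled"
	ModeAgent    EgressMode = "agent"
	ModePod      EgressMode = "pod"
	ModeCluster  EgressMode = "cluster"
)

// NodeInfo is a constructed stand-in (not a k3s type) for what an agent would know
// about itself: the PodCIDR(s) assigned to this node and the cluster-wide pod CIDR.
type NodeInfo struct {
	PodCIDRs     []*net.IPNet
	ClusterCIDRs []*net.IPNet
}

// TunnelAllowed applies the destination policy described for each mode:
//   disabled: the apiserver never uses the tunnel, so nothing is allowed through it;
//   agent:    loopback only;
//   pod:      loopback or an address inside this node's PodCIDR;
//   cluster:  loopback or an address inside the configured cluster CIDR.
// Anything else is refused. This is an illustrative model, not k3s's implementation.
func TunnelAllowed(mode EgressMode, node NodeInfo, dest string) (bool, error) {
	host, _, err := net.SplitHostPort(dest)
	if err != nil {
		return false, fmt.Errorf("invalid destination %q: %w", dest, err)
	}
	ip := net.ParseIP(host)
	if ip == nil {
		// Only IP literals are decidable offline; hostnames would need resolution.
		return false, fmt.Errorf("destination %q is not an IP literal", host)
	}
	switch mode {
	case ModeDisabled:
		return false, nil
	case ModeAgent:
		return ip.IsLoopback(), nil
	case ModePod:
		return ip.IsLoopback() || containedIn(node.PodCIDRs, ip), nil
	case ModeCluster:
		return ip.IsLoopback() || containedIn(node.ClusterCIDRs, ip), nil
	default:
		return false, fmt.Errorf("unknown egress-selector-mode %q", mode)
	}
}

func containedIn(nets []*net.IPNet, ip net.IP) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// ExampleNode is constructed sample data: one node that owns 10.42.1.0/24 out of a
// 10.42.0.0/16 cluster CIDR. The cluster CIDR is the wider allow range that makes
// cluster mode "marginally less secure" than pod mode.
var ExampleNode = NodeInfo{
	PodCIDRs:     []*net.IPNet{mustCIDR("10.42.1.0/24")},
	ClusterCIDRs: []*net.IPNet{mustCIDR("10.42.0.0/16")},
}

func main() {
	dests := []string{"127.0.0.1:10250", "10.42.1.7:8080", "10.42.2.7:8080", "192.168.1.50:22"}
	for _, mode := range []EgressMode{ModeDisabled, ModeAgent, ModePod, ModeCluster} {
		for _, d := range dests {
			ok, err := TunnelAllowed(mode, ExampleNode, d)
			fmt.Printf("%-8s %-18s allowed=%-5t err=%v\n", mode, d, ok, err)
		}
	}
}
```

Running it prints one line per mode and destination; the interesting rows are `10.42.2.7:8080`, which belongs to another node's PodCIDR and is refused in pod mode but accepted in cluster mode, and `192.168.1.50:22`, which no mode accepts through the tunnel.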

@brandond brandond requested a review from a team as a code owner May 23, 2022 19:20
@brandond brandond changed the base branch from master to release-1.23 May 23, 2022 19:21
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 9d72304)
@brandond brandond force-pushed the configurable_egress_selector_release-1.23 branch from e574e28 to 68c6c4f Compare May 23, 2022 19:22
@brandond
Contributor Author

Tests flaked; merging

[PARALLEL-mysql] + local 'failures=Summarizing 2 Failures:
[PARALLEL-mysql] 
[PARALLEL-mysql] [Fail] [sig-node] Variable Expansion [It] should fail substituting values in a volume subpath with backticks [Slow] [Conformance] 
[PARALLEL-mysql] /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/common/node/expansion.go:379
[PARALLEL-mysql] 
[PARALLEL-mysql] [Fail] [sig-node] Probing container [It] should have monotonically increasing restart count [NodeConformance] [Conformance] 
[PARALLEL-mysql] /workspace/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/common/node/container_probe.go:195
[PARALLEL-mysql] 
[PARALLEL-mysql] Ran 325 of 7044 Specs in 514.466 seconds
[PARALLEL-mysql] FAIL! -- 323 Passed | 2 Failed | 0 Pending | 6719 Skipped

@brandond brandond merged commit 615020e into k3s-io:release-1.23 May 23, 2022
dlouzan added a commit to dlouzan/ks3-io-docs that referenced this pull request Jul 18, 2022
Related k3s-io/k3s#5603

Signed-off-by: Diego Louzán <diego.louzan@gmail.com>
@brandond brandond deleted the configurable_egress_selector_release-1.23 branch June 6, 2024 21:12