Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set Cilium as default CNI #12752

Merged
merged 6 commits into from
Oct 24, 2023
Merged

Set Cilium as default CNI #12752

merged 6 commits into from
Oct 24, 2023

Conversation

embik
Copy link
Member

@embik embik commented Oct 19, 2023

What this PR does / why we need it:

This PR sets Cilium as the default CNI when creating a Cluster object and passing it through the webhook for defaulting.

Which issue(s) this PR fixes:

Fixes #

What type of PR is this?
/kind feature

Special notes for your reviewer:

Does this PR introduce a user-facing change? Then add your Release Note here:

Set Cilium as default CNI for user clusters

Documentation:

NONE

@kubermatic-bot kubermatic-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. docs/none Denotes a PR that doesn't need documentation (changes). dco-signoff: yes Denotes that all commits in the pull request have the valid DCO signoff message. kind/feature Categorizes issue or PR as related to a new feature. do-not-merge/code-freeze Indicates that a PR should not merge because it has not been approved for code freeze yet. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Oct 19, 2023
@embik
Copy link
Member Author

embik commented Oct 19, 2023

/retest

@embik embik self-assigned this Oct 19, 2023
@kubermatic-bot kubermatic-bot added the sig/cluster-management Denotes a PR or issue as being assigned to SIG Cluster Management. label Oct 19, 2023
@wozniakjan
Copy link
Contributor

@embik I will try some debugging here on your PR, putting it on hold so it's not accidentally merged

/hold

@kubermatic-bot kubermatic-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 19, 2023
@wozniakjan
Copy link
Contributor

/test pre-kubermatic-e2e-aws-ubuntu-1.28

@wozniakjan wozniakjan force-pushed the cilium-default branch 3 times, most recently from 986a3bd to 33e8f48 Compare October 19, 2023 14:45
@wozniakjan
Copy link
Contributor

/unhold

@kubermatic-bot kubermatic-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 19, 2023
wozniakjan
wozniakjan reviewed Oct 19, 2023
View reviewed changes
cmd/conformance-tester/pkg/runner/waiters.go
@@ -122,7 +122,7 @@ func waitUntilAllPodsAreReady(ctx context.Context, log *zap.SugaredLogger, opts
unready := sets.New[string]()
for _, pod := range podList.Items {
// Ignore pods failing kubelet admission (KKP #6185)
if !util.PodIsReady(&pod) && !podFailedKubeletAdmissionDueToNodeAffinityPredicate(&pod, log) {
if !util.PodIsReady(&pod) && !podFailedKubeletAdmissionDueToNodeAffinityPredicate(&pod, log) && !util.PodIsCompleted(&pod) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

here the tests expected all user cluster pods to be in a state Ready, however, hubble adds a pod that ultimately succeeds and goes to Completed state. Added a small commit 33e8f48 permitting that.

{  context deadline exceeded; last error was: not all Pods are ready: [hubble-generate-certs-lcb7z]}

kube-system            hubble-generate-certs-l6x9h                  0/1     Completed   0             10m

@wozniakjan
Copy link
Contributor

now there are some conformance tests failing, I will investigate further

@wozniakjan
Copy link
Contributor

conformance test failures:

our test failures:

@wozniakjan
Copy link
Contributor

/test pre-kubermatic-e2e-aws-ubuntu-1.28

@embik
Copy link
Member Author

embik commented Oct 20, 2023

seccomp

If we can, we should configure seccomp profiles in the default Helm values we pass. Not sure if the chart allows that.

@kubermatic-bot kubermatic-bot added the sig/networking Denotes a PR or issue as being assigned to SIG Networking. label Oct 20, 2023
wozniakjan
wozniakjan reviewed Oct 20, 2023
View reviewed changes
pkg/cni/cilium/cilium.go Outdated
@@ -194,6 +194,11 @@ func GetAppInstallOverrideValues(cluster *kubermaticv1.Cluster, overwriteRegistr
// we run Cilium as non-exclusive CNI to allow for Multus use-cases
"exclusive": false,
},
"podSecurityContext": map[string]any{
"seccompProfile": map[string]any{
"type": "RuntimeDefault",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

kkp tests expect pod seccomp profile to be set by default

kubermatic/cmd/conformance-tester/pkg/tests/usercluster_controller.go

Line 149 in 31f9faf

if pod.Spec.SecurityContext.SeccompProfile.Type == corev1.SeccompProfileTypeUnconfined {

If we can, we should configure seccomp profiles in the default Helm values we pass. Not sure if the chart allows that.

upstream chart seems to allows that, followup to #8326

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and it's actually needed on all cilium pods
cilium/cilium@5aa1c23

{  function did not succeed after 3 attempts: expected seccomp profile on Pod kube-system/cilium-operator-85b8f66cd-hgkhq, got none
expected seccomp profile on Pod kube-system/hubble-generate-certs-g5pl8, got none
expected seccomp profile on Pod kube-system/hubble-relay-5ccf97b646-f6gnt, got none
expected seccomp profile on Pod kube-system/hubble-ui-869b75b895-trq2t, got none}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

configured properly in 15cd1ef

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, hubble-ui and hubble-generate-certs doesn't have the option supported natively, with @embik we decided to skip these two as short-term remediation in
718db73 and ideally we can try to contribute upstream.

@kubermatic-bot kubermatic-bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Oct 20, 2023
embik and others added 5 commits October 20, 2023 16:05
@embik @wozniakjan
Default cluster CNI to Cilium
b34cd08 
Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
@embik @wozniakjan
Update unit tests for CNI mutation
8433e97 
Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
@wozniakjan
conformance-tester: allow completed pods
7120015 
Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com>
@wozniakjan
cilium: set pod seccomp profile
15cd1ef 
Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com>
@wozniakjan
cilium: chain CNI hostport plugin when kubeproxy still enabled
8ac82a3 
https://docs.cilium.io/en/latest/installation/cni-chaining-portmap/#portmap-hostport

Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com>
@kubermatic-bot kubermatic-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 20, 2023
wozniakjan
wozniakjan reviewed Oct 20, 2023
View reviewed changes
pkg/cni/cilium/cilium.go
@@ -218,6 +244,8 @@ func GetAppInstallOverrideValues(cluster *kubermaticv1.Cluster, overwriteRegistr
}
} else {
values["kubeProxyReplacement"] = "disabled"
values["sessionAffinity"] = true
valuesCni["chainingMode"] = "portmap"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

by default, KKP runs cilium with kube-proxy, this needs portmap plugin and session affinity enabled to pass conformance tests (otherwise, HostPort is not functional)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

configured in 8ac82a3

@wozniakjan
Copy link
Contributor

same case regarding integration tests as #12760 (comment)

@wozniakjan
conformance-tester: skip seccomp for hubble-ui and hubble-generate-certs
9a64627 
Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com>
@wozniakjan
Copy link
Contributor

/unhold
/retest

@kubermatic-bot
Copy link
Contributor

kubermatic-bot commented Oct 21, 2023
edited

@embik: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pre-kubermatic-e2e-aws-ubuntu-1.25 2ce611d link true /test pre-kubermatic-e2e-aws-ubuntu-1.25

Full PR test history

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@cnvergence
Copy link
Member

/retest

cnvergence
cnvergence approved these changes Oct 24, 2023
View reviewed changes
Copy link
Member

@cnvergence cnvergence left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@kubermatic-bot kubermatic-bot added the lgtm Indicates that a PR is ready to be merged. label Oct 24, 2023
@kubermatic-bot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 608bee0f61d70fa962a7da7633bdfe61624d8bba

@kubermatic-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cnvergence

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubermatic-bot kubermatic-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 24, 2023
@wozniakjan wozniakjan added this to the KKP 2.24 milestone Oct 24, 2023
@embik embik added the code-freeze-approved Indicates a PR has been approved by release managers during code freeze. label Oct 24, 2023
@kubermatic-bot kubermatic-bot removed the do-not-merge/code-freeze Indicates that a PR should not merge because it has not been approved for code freeze yet. label Oct 24, 2023
@kubermatic-bot kubermatic-bot merged commit 0135ed4 into kubermatic:main Oct 24, 2023
20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wozniakjan wozniakjan wozniakjan left review comments

@cnvergence cnvergence cnvergence approved these changes

Assignees

@embik embik

@cnvergence cnvergence

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. code-freeze-approved Indicates a PR has been approved by release managers during code freeze. dco-signoff: yes Denotes that all commits in the pull request have the valid DCO signoff message. docs/none Denotes a PR that doesn't need documentation (changes). kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/cluster-management Denotes a PR or issue as being assigned to SIG Cluster Management. sig/networking Denotes a PR or issue as being assigned to SIG Networking. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
KKP 2.24
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@embik @wozniakjan @kubermatic-bot @cnvergence