Set Cilium as default CNI #12752
/retest
9e2d699 to f62ce4c
@embik I will try some debugging here on your PR, putting it on hold so it's not accidentally merged
/hold
f62ce4c to aa6bcca
/test pre-kubermatic-e2e-aws-ubuntu-1.28
986a3bd to 33e8f48
/unhold
@@ -122,7 +122,7 @@ func waitUntilAllPodsAreReady(ctx context.Context, log *zap.SugaredLogger, opts | |||
unready := sets.New[string]() | |||
for _, pod := range podList.Items { | |||
// Ignore pods failing kubelet admission (KKP #6185) | |||
if !util.PodIsReady(&pod) && !podFailedKubeletAdmissionDueToNodeAffinityPredicate(&pod, log) { | |||
if !util.PodIsReady(&pod) && !podFailedKubeletAdmissionDueToNodeAffinityPredicate(&pod, log) && !util.PodIsCompleted(&pod) { |
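Review bot: in the `if` condition of `waitUntilAllPodsAreReady`, the comment above it still only mentions pods failing kubelet admission, so the new `!util.PodIsCompleted(&pod)` exclusion is undocumented; extend the comment to say that completed pods (for example one-shot Job pods) are skipped too. Also confirm that `util.PodIsCompleted` is true only for pods that finished successfully, since its body is not shown here and a pod that terminated with a failure should still be reported as unready.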
here the tests expected all user cluster pods to be in a state Ready, however, hubble adds a pod that ultimately succeeds and goes to Completed state. Added a small commit 33e8f48 permitting that.
{ context deadline exceeded; last error was: not all Pods are ready: [hubble-generate-certs-lcb7z]}
kube-system hubble-generate-certs-l6x9h 0/1 Completed 0 10m
now there are some conformance tests failing, I will investigate further
conformance test failures:
our test failures:
/test pre-kubermatic-e2e-aws-ubuntu-1.28
If we can, we should configure seccomp profiles in the default Helm values we pass. Not sure if the chart allows that.
pkg/cni/cilium/cilium.go
Outdated
@@ -194,6 +194,11 @@ func GetAppInstallOverrideValues(cluster *kubermaticv1.Cluster, overwriteRegistr | |||
// we run Cilium as non-exclusive CNI to allow for Multus use-cases | |||
"exclusive": false, | |||
}, | |||
"podSecurityContext": map[string]any{ | |||
"seccompProfile": map[string]any{ | |||
"type": "RuntimeDefault", |
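Review bot: the `podSecurityContext` block added after `"exclusive": false` carries no comment saying why `RuntimeDefault` is forced, unlike the `exclusive` setting above it; add one line stating the reason. It also sets the profile in a single place in the values map, so check that the operator and Hubble workloads rendered from the same chart get an equivalent setting rather than relying on this key alone.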
kkp tests expect pod seccomp profile to be set by default
if pod.Spec.SecurityContext.SeccompProfile.Type == corev1.SeccompProfileTypeUnconfined {
If we can, we should configure seccomp profiles in the default Helm values we pass. Not sure if the chart allows that.
upstream chart seems to allow that, followup to #8326
and it's actually needed on all cilium pods
cilium/cilium@5aa1c23
{ function did not succeed after 3 attempts: expected seccomp profile on Pod kube-system/cilium-operator-85b8f66cd-hgkhq, got none
expected seccomp profile on Pod kube-system/hubble-generate-certs-g5pl8, got none
expected seccomp profile on Pod kube-system/hubble-relay-5ccf97b646-f6gnt, got none
expected seccomp profile on Pod kube-system/hubble-ui-869b75b895-trq2t, got none}
configured properly in 15cd1ef
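The seccomp expectation discussed in this review thread, as an added example that is not KKP's test code or part of the PR. It goes beyond the pod-level check quoted above by also resolving container-level profiles, which override the pod-level one. The types are simplified stand-ins for the corev1 structs, and `MissingSeccomp`, `effectiveType` and `samplePods` are hypothetical names.

```go
package main

import "fmt"

// Simplified stand-ins for the corev1 types; only fields used by the check.
type SeccompProfile struct{ Type string }
type SecurityContext struct{ SeccompProfile *SeccompProfile }
type Container struct {
	Name            string
	SecurityContext *SecurityContext
}
type Pod struct {
	Namespace, Name string
	SecurityContext *SecurityContext // pod-level default
	Containers      []Container
}

func sc(t string) *SecurityContext { return &SecurityContext{&SeccompProfile{t}} }

// effectiveType: a container-level profile overrides the pod-level one.
// Every pointer is nil-checked, so pods without any securityContext are safe.
func effectiveType(pod, ctr *SecurityContext) string {
	for _, s := range []*SecurityContext{ctr, pod} {
		if s != nil && s.SeccompProfile != nil && s.SeccompProfile.Type != "" {
			return s.SeccompProfile.Type
		}
	}
	return ""
}

// MissingSeccomp reports containers with no profile or an Unconfined one.
func MissingSeccomp(pods []Pod) []string {
	var out []string
	for _, p := range pods {
		for _, c := range p.Containers {
			if t := effectiveType(p.SecurityContext, c.SecurityContext); t == "" || t == "Unconfined" {
				out = append(out, fmt.Sprintf("%s/%s[%s]", p.Namespace, p.Name, c.Name))
			}
		}
	}
	return out
}

// samplePods is constructed input, not data from the PR's test run.
func samplePods() []Pod {
	return []Pod{
		{"kube-system", "agent", sc("RuntimeDefault"), []Container{{"cilium-agent", nil}}},
		{"kube-system", "relay", nil, []Container{{"hubble-relay", nil}}},
		{"kube-system", "operator", nil, []Container{{"cilium-operator", sc("RuntimeDefault")}}},
		{"kube-system", "debug", sc("RuntimeDefault"), []Container{{"shell", sc("Unconfined")}}},
	}
}

func main() { fmt.Println(MissingSeccomp(samplePods())) }
```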
2ce611d to 6b9d055
6b9d055 to c038c60
c038c60 to 211fe34
Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com>
Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com>
https://docs.cilium.io/en/latest/installation/cni-chaining-portmap/#portmap-hostport
Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com>
211fe34 to 8ac82a3
@@ -218,6 +244,8 @@ func GetAppInstallOverrideValues(cluster *kubermaticv1.Cluster, overwriteRegistr | |||
} | |||
} else { | |||
values["kubeProxyReplacement"] = "disabled" | |||
values["sessionAffinity"] = true | |||
valuesCni["chainingMode"] = "portmap" |
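Review bot: in the `else` branch where `kubeProxyReplacement` is `"disabled"`, the two new assignments have no comment explaining why session affinity and `chainingMode = "portmap"` are coupled to running with kube-proxy; add a short comment (HostPort support) next to them. `valuesCni` is only mutated here, so also verify that it is written back into `values` after this branch on every path, which the hunk does not show.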
by default, KKP runs cilium with kube-proxy, this needs portmap plugin and session affinity enabled to pass conformance tests (otherwise, HostPort is not functional)
configured in 8ac82a3
same case regarding integration tests as #12760 (comment)
Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com>
718db73 to 9a64627
/unhold
@embik: The following test failed, say
/retest
/approve
LGTM label has been added. Git tree hash: 608bee0f61d70fa962a7da7633bdfe61624d8bba
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: cnvergence
What this PR does / why we need it:
This PR sets Cilium as the default CNI when creating a Cluster object and passing it through the webhook for defaulting.
Which issue(s) this PR fixes:
Fixes #
What type of PR is this?
/kind feature
Special notes for your reviewer:
Does this PR introduce a user-facing change? Then add your Release Note here:
Documentation: