This repository has been archived by the owner. It is now read-only.

IPv6: Allow AAAA record use #148

Merged
merged 1 commit into from Jun 14, 2018

Conversation

@pmichali
Contributor

@pmichali pmichali commented Jun 8, 2018

By default, DNS is set up to ignore (IPv6) AAAA records. As a result,
whenever a remote site is accessed, only the (IPv4) A record is used,
and a synthesized IPv6 address formed. This means that NAT64 will be
used for all external accesses, even when a site supports IPv6.

This is fine for environments where the cluster only has IPv4 access,
like GCE currently. However, if the cluster will have IPv6 access too,
the configuration can be modified to use AAAA records in DNS lookups,
and then remote sites with IPv6 addresses can be directly accessed
(without using NAT64).

This change provides a knob to allow enabling use of AAAA records. In
addition to modifying the DNS configuration, ip6tables rules are
created to perform SNAT for packets coming from the container nodes
and to forward external packets to the kubeadm-dind-net to get to the
pods.

The boolean environment variable, ALLOW_AAAA_USE, is defined for this
capability. The default is NOT to allow use of AAAA records, for
backwards compatibility.

Fixes issue #147
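The DNS64 behaviour this description relies on, as an added shell example (not kubeadm-dind-cluster code): dns64_synth embeds an IPv4 address in a /96 prefix the way a DNS64 resolver synthesizes an AAAA answer from an A record, and resolve_v6 shows the decision the new knob controls, namely whether a native AAAA record is honoured or every destination is reached through NAT64. The record table, the host names and the use of the RFC 6052 well-known prefix 64:ff9b::/96 are constructed for the example; the prefix the project actually configures is not shown on this page.

```shell
#!/usr/bin/env bash
# Added example: models the DNS64 / AAAA decision described in the PR text.
# Nothing here is the project's own script; the records below are constructed.

# DNS64 prefix used for synthesis. RFC 6052's well-known prefix is assumed
# here; a real deployment may configure its own /96 (override via env).
DNS64_PREFIX="${DNS64_PREFIX:-64:ff9b::}"

# dns64_synth <dotted-quad> : print the IPv4-embedded IPv6 address
# (prefix followed by the 32-bit IPv4 address as two hextets).
dns64_synth() {
    local ip="$1" oldifs="$IFS"
    IFS=.
    set -- $ip              # split the dotted quad on '.'
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    printf '%s%02x%02x:%02x%02x\n' "$DNS64_PREFIX" "$1" "$2" "$3" "$4"
}

# lookup_a / lookup_aaaa <name> : constructed stand-ins for real DNS queries.
# "dual.example" publishes both record types, "v4only.example" only an A record.
lookup_a() {
    case "$1" in
        dual.example)   echo 93.184.216.34 ;;
        v4only.example) echo 198.51.100.7 ;;
        *) return 1 ;;
    esac
}
lookup_aaaa() {
    case "$1" in
        dual.example) echo 2001:db8::1 ;;
        *) return 1 ;;
    esac
}

# resolve_v6 <name> <allow_aaaa: true|false>
# Prints "<ipv6 address> <native|nat64>": the address an IPv6-only pod would
# connect to and whether that path crosses the NAT64 gateway.
resolve_v6() {
    local name="$1" allow="$2" v6 v4
    # With AAAA use allowed and a native record present, no synthesis happens.
    if [ "$allow" = true ] && v6=$(lookup_aaaa "$name"); then
        echo "$v6 native"
        return 0
    fi
    # Otherwise behave like DNS64: synthesize from the A record (NAT64 path).
    v4=$(lookup_a "$name") || return 1
    echo "$(dns64_synth "$v4") nat64"
}

# Walk-through over the constructed records with the knob off and on.
for allow in false true; do
    for host in dual.example v4only.example; do
        printf '%-15s allow_aaaa=%-5s -> %s\n' "$host" "$allow" \
            "$(resolve_v6 "$host" "$allow")"
    done
done
```

With the knob off, even dual.example is reached via its synthesized address, which is exactly the "NAT64 for all external accesses" situation the description calls out; with it on, only the IPv4-only host still needs NAT64.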

@@ -76,6 +76,7 @@ if [[ ${IP_MODE} = "ipv6" ]]; then
dns_server="${dind_ip_base}100"
DEFAULT_POD_NETWORK_CIDR="fd00:10:20::/72"
USE_HAIRPIN="${USE_HAIRPIN:-true}" # defaults on
ALLOW_AAAA_USE="${ALLOW_AAAA_USE:-false}" # Default is to use DNS64 always
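Review bot: the added line `ALLOW_AAAA_USE="${ALLOW_AAAA_USE:-false}"` makes the knob a free-form string, so whichever test later consumes it should state which values count as enabled (only `true`, or anything non-empty); otherwise an export such as `ALLOW_AAAA_USE=0` or `ALLOW_AAAA_USE=no` can silently behave as enabled. Spelling the contract out in the trailing comment, e.g. `# set to true to use AAAA records; default false keeps DNS64 for all lookups`, would make this unambiguous. Also note the assignment sits inside the `if [[ ${IP_MODE} = "ipv6" ]]` block, so the variable is never defined for IPv4 runs; that is fine as long as no code outside the block references it.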


@rpothier

rpothier Jun 11, 2018
Contributor

Would it make sense going forward that we prefix new env variables with DIND_?
I know only some have the prefix at this point (DIND_SUBNET, DIND_IMAGE ...), but it makes it easier to review the env variables.


@pmichali

pmichali Jun 11, 2018
Author Contributor

Sure, will update.

@pmichali pmichali force-pushed the pmichali:allow_aaaa branch from 3c72cdd to 0e31706 Jun 11, 2018
By default, DNS is set up to ignore (IPv6) AAAA records. As a result,
whenever a remote site is accessed, only the (IPv4) A record is used,
and a synthesized IPv6 address formed. This means that NAT64 will be
used for all external accesses, even when a site supports IPv6.

This is fine for environments where the cluster only has IPv4 access,
like GCE currently. However, if the cluster will have IPv6 access too,
the configuration can be modified to use AAAA records in DNS lookups,
and then remote sites with IPv6 addresses can be directly accessed
(without using NAT64).

This change provides a knob to allow enabling use of AAAA records. In
addition to modifying the DNS configuration, ip6tables rules are
created to perform SNAT for packets coming from the container nodes
and to forward external packets to the kubeadm-dind-net to get to the
pods.

The boolean environment variable, DIND_ALLOW_AAAA_USE, is defined for
this capability. If set to any value, it will be enabled (so false or
zero are considered "set", meaning true). If unset (the default for
backwards compatibility) AAAA records will not be used.

For IPv4, if this is set, a warning message will be displayed and it
will be ignored (it only applies to IPv6). For IPv6, if running on
GCE and this is set, the run will be aborted, as GCE doesn't support
native IPv6 outside of the cluster.

Note: This commit also modifies GCE_SETUP to be a boolean, instead of
a string representation of a boolean, for consistency.

Fixes issue #147
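How the set-versus-unset rule in the updated commit message can be implemented and checked in shell, as an added example rather than the project's script: aaaa_policy is a hypothetical function that reads DIND_ALLOW_AAAA_USE from the environment together with the IP_MODE and GCE_SETUP values named above and prints the resulting policy, warning and ignoring the knob for IPv4 and refusing to run on GCE exactly as the message describes. Treating a variable that is set to the empty string as "set" (and therefore enabled) is this example's assumption; the page does not show the project's exact test.

```shell
#!/usr/bin/env bash
# Added example: the DIND_ALLOW_AAAA_USE semantics from the commit message
# ("set to any value means enabled, unset means DNS64 only").  This is not
# the project's own code.

# aaaa_policy <ip_mode> <gce_setup>
# Prints "dns64" (synthesize from A records only) or "aaaa" (honour AAAA
# records).  Returns 1 when the run must abort.  Warnings go to stderr.
aaaa_policy() {
    local ip_mode="$1" gce_setup="$2"

    # "${VAR+x}" expands to "x" only when VAR is set, whatever its value.
    # That is what makes DIND_ALLOW_AAAA_USE=false or =0 count as enabled;
    # an empty value is also treated as set here (example assumption).
    if [ -z "${DIND_ALLOW_AAAA_USE+x}" ]; then
        echo dns64
        return 0
    fi

    case "$ip_mode" in
        ipv4)
            # Knob only applies to IPv6: warn, then ignore it.
            echo "WARNING: DIND_ALLOW_AAAA_USE only applies to IP_MODE=ipv6; ignoring" >&2
            echo dns64
            ;;
        ipv6)
            # GCE offers no native IPv6 outside the cluster, so AAAA use cannot work there.
            if [ "$gce_setup" = true ]; then
                echo "ERROR: DIND_ALLOW_AAAA_USE is set but GCE has no native IPv6; aborting" >&2
                return 1
            fi
            echo aaaa
            ;;
        *)
            echo "ERROR: unknown IP_MODE '$ip_mode'" >&2
            return 1
            ;;
    esac
}

# Demonstration against the caller's environment (defaults: ipv6, not GCE).
aaaa_policy "${IP_MODE:-ipv6}" "${GCE_SETUP:-false}" || echo "run would be aborted" >&2
```

The practical caveat the example makes visible: because presence rather than value is what enables the feature, a user who exports DIND_ALLOW_AAAA_USE=false to be explicit about the default gets the opposite of what they intended, so documentation for such a knob should say "unset it to disable" rather than "set it to false".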
@pmichali pmichali force-pushed the pmichali:allow_aaaa branch from 0e31706 to 5e938fa Jun 13, 2018
@ivan4th
Contributor

@ivan4th ivan4th commented Jun 14, 2018

/approve

@k8s-ci-robot
Contributor

@k8s-ci-robot k8s-ci-robot commented Jun 14, 2018

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ivan4th, pmichali

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ivan4th
Contributor

@ivan4th ivan4th commented Jun 14, 2018

/lgtm

@k8s-ci-robot k8s-ci-robot merged commit f42af42 into kubernetes-retired:master Jun 14, 2018
20 of 21 checks passed

@k8s-ci-robot tide: Not mergeable.
ci/circleci: build: Your tests passed on CircleCI!
ci/circleci: test_1.10: Your tests passed on CircleCI!
ci/circleci: test_1.10_calico: Your tests passed on CircleCI!
ci/circleci: test_1.10_calico_kdd: Your tests passed on CircleCI!
ci/circleci: test_1.10_flannel: Your tests passed on CircleCI!
ci/circleci: test_1.10_weave: Your tests passed on CircleCI!
ci/circleci: test_1.8: Your tests passed on CircleCI!
ci/circleci: test_1.8_calico: Your tests passed on CircleCI!
ci/circleci: test_1.8_calico_kdd: Your tests passed on CircleCI!
ci/circleci: test_1.8_flannel: Your tests passed on CircleCI!
ci/circleci: test_1.8_weave: Your tests passed on CircleCI!
ci/circleci: test_1.9: Your tests passed on CircleCI!
ci/circleci: test_1.9_calico: Your tests passed on CircleCI!
ci/circleci: test_1.9_calico_kdd: Your tests passed on CircleCI!
ci/circleci: test_1.9_flannel: Your tests passed on CircleCI!
ci/circleci: test_1.9_weave: Your tests passed on CircleCI!
ci/circleci: test_src_master: Your tests passed on CircleCI!
ci/circleci: test_src_release: Your tests passed on CircleCI!
@thelinuxfoundation cla/linuxfoundation: pmichali authorized
continuous-integration/travis-ci/pr: The Travis CI build passed