API Evolution for VPC and Networking Topologies #1484

Open
randomvariable opened this issue Jan 15, 2020 · 34 comments
Labels

  • area/vpc: Issues or PRs related to Amazon VPCs
  • kind/api-change: Categorizes issue or PR as related to adding, removing, or otherwise changing an API
  • kind/feature: Categorizes issue or PR as related to a new feature.
  • needs-triage: Indicates an issue or PR lacks a `triage/foo` label and requires one.
  • priority/important-longterm: Important over the long term, but may not be staffed and/or may need multiple releases to complete.

Comments

@randomvariable
Member

randomvariable commented Jan 15, 2020

/kind feature

Describe the solution you'd like
There are differing options on how to run Kubernetes clusters in AWS. These include:

  • IPv6 vs IPv4
  • NAT gateways for internet connectivity, vs. DirectConnect vs. internal only
  • A plethora of CNIs
  • Multiple load balancer implementations for Kubernetes services

How does a user figure out which one to use, and how best can we enable them?

Related issues include:
#931, #1208, #1158, #1062, #1727

Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]

A proposal for this should include an evolutionary roadmap as far as the API goes. What are the most immediate concerns that can be addressed as additions to the v1alpha3 API, and what should best be considered as breaking API changes?

@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Jan 15, 2020
@randomvariable
Member Author

@fabriziopandini if you have any thoughts on this, would be appreciated.

@fabriziopandini
Member

@randomvariable I have something similar on the radar, but I doubt we can work out the details during this iteration.
ref kubernetes-sigs/cluster-api#1729

  • Prototype interactive mode for allowing users to set "on-the-fly" the variables to be injected in the yaml for providers components or providers templates
  • Prototype a pluggable template system (vs supporting only variables substitution)

In order to ^^^, a way should be defined for clusterctl to interact with each provider while creating the cluster template, because the providers are the owners of the knowledge of what can be configured or not. Considering this should be accepted by each provider, I assume this requires a CAEP.

@ncdc ncdc added this to the Next milestone Jan 27, 2020
@ncdc ncdc added the priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. label Jan 27, 2020
@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 26, 2020
@detiber
Member

detiber commented Apr 27, 2020

/lifecycle frozen

@k8s-ci-robot k8s-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Apr 27, 2020
@richardcase
Member

Also relates to #1643 and #1323

@randomvariable
Member Author

@richardcase Would be useful to get the requirements for EKS down. I would have thought we can make EKS work with the existing topology.

@richardcase
Member

@randomvariable - I'll start documenting the requirements. The current default topology doesn't work as the 2 subnets it creates (1 public & 1 private) are in a single AZ and EKS requires subnets in at least 2 AZs.

@richardcase
Member

richardcase commented May 7, 2020

https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html

It would include stuff from there and other requirements.

@moensch
Contributor

moensch commented May 7, 2020

I've been asked to document our specific topology in here (ref: https://kubernetes.slack.com/archives/CD6U2V71N/p1588804729193200)

Our starting point in the account is that a Direct Connect Gateway (DXG) exists. What we would need CAPA to be able to do is:

  1. Accept DXG ID as input (probably as part of the AWSCluster NetworkSpec?)
  2. Ability to create a Virtual Private Gateway/VPN Gateway/VGW (it has many names)
  3. Attach the VGW to the VPC once it's created
  4. Attach the VGW to the DXG (that's a very slow process, several minutes to reconcile)
  5. Accept an array of CIDRs to add route table entries for with a target of the VGW (or a flag to enable route propagation)

@randomvariable
Member Author

/assign

@randomvariable
Member Author

/assign @voor

@k8s-ci-robot
Contributor

@randomvariable: GitHub didn't allow me to assign the following users: voor.

Note that only kubernetes-sigs members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

/assign @voor

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@randomvariable
Member Author

randomvariable commented May 21, 2020

/lifecycle active (only from a gathering thoughts perspective)

Will be sharing a Google Doc with initial ideas in a little while. Will definitely be towards v1alpha4 though.

@k8s-ci-robot k8s-ci-robot added lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. and removed lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. labels May 21, 2020
@randomvariable randomvariable changed the title VPC and Networking Topologies API Evolution for VPC and Networking Topologies May 21, 2020
@sedefsavas
Contributor

/triage accepted

@k8s-ci-robot k8s-ci-robot added the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Nov 1, 2021
@randomvariable randomvariable added this to the Backlog milestone Nov 8, 2021
@sedefsavas
Contributor

Another use case is using only public subnets: #2997

@enxebre
Member

enxebre commented Dec 15, 2021

kinda related #3035

@richardcase
Member

/remove-lifecycle frozen

@k8s-ci-robot k8s-ci-robot removed the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Jul 12, 2022
@richardcase
Member

/milestone v2.x

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 23, 2022
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Nov 22, 2022
@AverageMarcus
Member

/remove-lifecycle rotten

Still relevant and related to #3711

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Nov 22, 2022
@AverageMarcus
Member

Also relevant: #4026

@enxebre
Member

enxebre commented Jul 6, 2023

> There are differing options on how to run Kubernetes clusters in AWS. These include:

Some thoughts: We'd probably want to also reason in terms of Control Plane vs Data Plane networking and how konnectivity enables that.
We could also categorise topologies as public, private, PublicAndPrivate depending on how we expose the control plane components, e.g. in a private setup kas endpoint would only be accessible via privateLink.

@k8s-triage-robot

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

  • Confirm that this issue is still relevant with /triage accepted (org members only)
  • Close this issue with /close

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. and removed triage/accepted Indicates an issue or PR is ready to be actively worked on. labels Jul 5, 2024
@richardcase
Member

/triage accepted
