DinDinD - Need way to configure NAT64 V4 Subnet without multicluster kicking in #220
Comments
|
For DinDinD you can use a cluster ID of zero, which means first cluster of a multi-cluster configuration or single cluster mode. You can omit the CLUSTER_ID and it will default to zero. So, in a single-cluster or first cluster of a multi-cluster, you can omit CLUSTER_ID and end up with names kube-master, kube-node-1, kube-node-2,... For multi-cluster, additional clusters can use the CLUSTER_ID to uniquely identify the cluster. |
|
From discussion with @leblancd, the NAT64 mapping network, should be in RFC-1918 private network range. Currently, one can use a prefix of 10, and comply with that requirement, but we may want to consider using the 172.16.0.0/12 subnet and ensure addresses are within limits. |
|
Some options are: Option A User specifies a two octet NAT64 prefix, iff they want to override. Default: 172.17. Subnet will be ..0.0/16 always. Single cluster, no settings needed, get 172.17.0.0/16. Multicluster, for all but the first cluster (as long as no docker conflict), user sets NAT64_V4_SUBNET_PREFIX=172.X, where X is unique and between 17..31 and doesn’t conflict with docker. Advantages: Can use any prefix (e.g. 10.50). Option B User specifies two octet NAT64 prefix, with default 172.17. Subnet will be .<PREFIX+CLUSTER_ID>.0.0/16 Single cluster, no settings needed, get 172.17.0.0/16. Multicluster, if use 172.X as prefix, X must be between 17..31 and doesn’t conflict with docker. In addition, CLUSTER_ID must be 0..(31-X), so that it stays within limits of private network. If use 10.X, just need cluster ID 0..(254-X). Advantages: Don’t need to specify, unless have a docker issue. Option C User specifies one octet NAT64 base, between 17..31, with default 17. Subnet will be 172.<BASE+CLUSTER_ID>.0.0/16. Single cluster, no settings needed, get 172.17.0.0/16. Multicluster: can override base, if needed. CLUSTER_ID must be 0..(31-base), so that it stays within limits of private network. Advantages: Don’t need to specify, unless have a docker issue. Maybe easier specification. Variation: Allow prefix to specify first octet, which makes this effectively the same as option B, only more complicated, by specifying two items. Subnet would be .<BASE+CLUSTER_ID>.0.0/16. |
|
Working up a solution for this issue, should be posted today. |
This commit does several things related to the NAT64 prefix, as specified by the NAT64_V4_SUBNET_PREFIX environment variable. This prefix is for a /16 subnet. First, we want the prefix to be within one of the two private network ranges (172.16.0.0/12 or 10.0.0.0/8). Second, to accommodate that, the NAT64_V4_SUBNET_PREFIX will be two octets, instead of one. The default, if not specified, will be 172.18, to avoid docker usage of that private network. Third, the code will range check the prefix, to ensure that it is within range, based on the private network selected. 172.16 to 172.31 or 10.0 to 10.253 values are allowed. Fourth, the cluster ID is added to the prefix, so that a unique subnet is used for each cluster. This affects the allowable values for the prefix. For 172.16.0.0/12, the prefix plus cluster ID must be from 172.16 to 172.31. For 10.0.0.0/8, the prefix plus cluster ID must be from 10.0 to 10.253. So, for example, if the default 172.18 is used, then cluster IDs can be from 0 to 13. Another side effect of this change is w.r.t. legacy mode, where the user specifies (only) the DIND_LABEL. In that case, a cluster ID is generated, and we now will use numbers from 1..13 to help keep the values within the range for the V4 mapping prefix (using 13 instead of 15 as the default prefix is 172.18). If the user wants to use the legacy DIND_LABEL, but have a larger range for cluster IDs, they can set the NAT64_V4_SUBNET_PREFIX to the 10.0.0.0/8 subnet and/or explicitly set the CLUSTER_ID. Fixes Issue: kubernetes-retired#220
This commit does several things related to the NAT64 prefix, as specified by the NAT64_V4_SUBNET_PREFIX environment variable. This prefix is for a /16 subnet. First, we want the prefix to be within one of the two private network ranges (172.16.0.0/12 or 10.0.0.0/8). Second, to accommodate that, the NAT64_V4_SUBNET_PREFIX will be two octets, instead of one. The default, if not specified, will be 172.18, to avoid docker usage of that private network. Third, the code will range check the prefix, to ensure that it is within range, based on the private network selected. 172.16 to 172.31 or 10.0 to 10.253 values are allowed. Fourth, the cluster ID is added to the prefix, so that a unique subnet is used for each cluster. This affects the allowable values for the prefix. For 172.16.0.0/12, the prefix plus cluster ID must be from 172.16 to 172.31. For 10.0.0.0/8, the prefix plus cluster ID must be from 10.0 to 10.253. So, for example, if the default 172.18 is used, then cluster IDs can be from 0 to 13. Another side effect of this change is w.r.t. legacy mode, where the user specifies (only) the DIND_LABEL. In that case, a cluster ID is generated, and we now will use numbers from 1..13 to help keep the values within the range for the V4 mapping prefix (using 13 instead of 15 as the default prefix is 172.18). If the user wants to use the legacy DIND_LABEL, but have a larger range for cluster IDs, they can set the NAT64_V4_SUBNET_PREFIX to the 10.0.0.0/8 subnet and/or explicitly set the CLUSTER_ID. Fixes Issue: kubernetes-retired#220
This commit does several things related to the NAT64 prefix, as specified by the NAT64_V4_SUBNET_PREFIX environment variable. This prefix is for a /16 subnet. First, we want the prefix to be within one of the two private network ranges (172.16.0.0/12 or 10.0.0.0/8). Second, to accommodate that, the NAT64_V4_SUBNET_PREFIX will be two octets, instead of one. The default, if not specified, will be 172.18, to avoid docker usage of that private network. Third, the code will range check the prefix, to ensure that it is within range, based on the private network selected. 172.16 to 172.31 or 10.0 to 10.253 values are allowed. Fourth, the cluster ID is added to the prefix, so that a unique subnet is used for each cluster. This affects the allowable values for the prefix. For 172.16.0.0/12, the prefix plus cluster ID must be from 172.16 to 172.31. For 10.0.0.0/8, the prefix plus cluster ID must be from 10.0 to 10.253. So, for example, if the default 172.18 is used, then cluster IDs can be from 0 to 13. Another side effect of this change is w.r.t. legacy mode, where the user specifies (only) the DIND_LABEL. In that case, a cluster ID is generated, and we now will use numbers from 1..13 to help keep the values within the range for the V4 mapping prefix (using 13 instead of 15 as the default prefix is 172.18). If the user wants to use the legacy DIND_LABEL, but have a larger range for cluster IDs, they can set the NAT64_V4_SUBNET_PREFIX to the 10.0.0.0/8 subnet and/or explicitly set the CLUSTER_ID. For the multicluster IPv6 CI test, it creates a cluster using the default cluster ID (0), one with cluster ID specified (20), and legacy mode with q cluster ID generated between 1..13. Since the default prefix is 172.18, there is a 7% chance that the generated cluster ID is 2 causing a conflict with the 20 used in the second cluster (172.18 + 2 = 172.20). To prevent this in the CI test, we'll change the base NAT64 prefix to 10.100, where this private network has a larger available range, and the generated cluster ID will not create a conflicting prefix (10.101 to 10.113 for the third cluster versus 10.120 for the second cluster and 10.100 for the first cluster). Fixes Issue: kubernetes-retired#220
This commit does several things related to the NAT64 prefix, as specified by the NAT64_V4_SUBNET_PREFIX environment variable. This prefix is for a /16 subnet. First, we want the prefix to be within one of the two private network ranges (172.16.0.0/12 or 10.0.0.0/8). Second, to accommodate that, the NAT64_V4_SUBNET_PREFIX will be two octets, instead of one. The default, if not specified, will be 172.18, to avoid docker usage of that private network. Third, the code will range check the prefix, to ensure that it is within range, based on the private network selected. 172.16 to 172.31 or 10.0 to 10.253 values are allowed. Fourth, the cluster ID is added to the prefix, so that a unique subnet is used for each cluster. This affects the allowable values for the prefix. For 172.16.0.0/12, the prefix plus cluster ID must be from 172.16 to 172.31. For 10.0.0.0/8, the prefix plus cluster ID must be from 10.0 to 10.253. So, for example, if the default 172.18 is used, then cluster IDs can be from 0 to 13. Another side effect of this change is w.r.t. legacy mode, where the user specifies (only) the DIND_LABEL. In that case, a cluster ID is generated, and we now will use numbers from 1..13 to help keep the values within the range for the V4 mapping prefix (using 13 instead of 15 as the default prefix is 172.18). If the user wants to use the legacy DIND_LABEL, but have a larger range for cluster IDs, they can set the NAT64_V4_SUBNET_PREFIX to the 10.0.0.0/8 subnet and/or explicitly set the CLUSTER_ID. For the multicluster IPv6 CI test, it creates a cluster using the default cluster ID (0), one with cluster ID specified (20), and legacy mode with q cluster ID generated between 1..13. Since the default prefix is 172.18, the second cluster will create a prefix (172.18 + 20 = 172.38) that is outside the 172.16.0.0/12 private network and will be rejected. To avoid this, we'll use a base prefix of 10.100. That will use 10.100 for the first cluster, 10.120 for the second cluster, and a random value of 10.101 to 10.113 for the third cluster. This avoids any conflict, and ensures that the prefix is within the 10.0.0.0/8 private network. Fixes Issue: kubernetes-retired#220
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
@fejta-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
For running K-D-C within a container (DinDinD configuration, as used in CI), we would like to have a way of specifying the NAT64 V4 subnet without having the scripts set up a cluster in multi-cluster mode. It would be better if the setting of NAT64 V4 subnet and the triggering of multi-cluster mode could be done independently.
Background:
When running K-D-C within a container (DinDinD configuration), we need a way of specifying the NAT64 V4 Subnet to be something different than the host Docker network (typically 172.17.0.0/16) and different than the container's base docker network (typically 172.18.0.0/16). For example, we'd like to set the K-D-C NAT64 V4 subnet to something like 172.20.0.0/16.
With the current K-D-C scripts, we would configure a NAT64 V4 subnet of 172.20.0.0/16 with the following environment variables:
export NAT64_V4_SUBNET_PREFIX=172
export CLUSTER_ID=20
The problem with this is that by specifying CLUSTER_ID, the K-D-C scripts automatically assume multi-cluster operation. For DinDinD, we don't need multi-cluster operation... the simpler non-multi-cluster operation would work fine in each individual DinDinD container.
For example, with the environment variables configured above, because multi-cluster mode is initiated, kubectl commands executed in the host DinDinD container must include a context:
There may be other aspects of multi-cluster operation that are not desirable for DinDinD operation.
The text was updated successfully, but these errors were encountered: