
IPv6: Allow AAAA record use #148

Merged
merged 1 commit into from Jun 14, 2018

pmichali (Contributor) commented Jun 8, 2018

By default, DNS is set up to ignore (IPv6) AAAA records. As a result,
whenever a remote site is accessed, only the (IPv4) A record is used,
and a synthesized IPv6 address formed. This means that NAT64 will be
used for all external accesses, even when a site supports IPv6.

This is fine for environments where the cluster only has IPv4 access,
like GCE currently. However, if the cluster will have IPv6 access too,
the configuration can be modified to use AAAA records in DNS lookups,
and then remote sites with IPv6 addresses can be directly accessed
(without using NAT64).

This change provides a knob to allow enabling use of AAAA records. In
addition to modifying the DNS configuration, ip6tables rules are
created to perform SNAT for packets coming from the container nodes
and to forward external packets to the kubeadm-dind-net to get to the
pods.

The boolean environment variable, ALLOW_AAAA_USE, is defined for this
capability. The default is NOT to allow use of AAAA records, for
backwards compatibility.

Fixes issue #147

@k8s-ci-robot k8s-ci-robot requested review from ivan4th and timothysc Jun 8, 2018

@pmichali pmichali force-pushed the pmichali:allow_aaaa branch from 33c5ccc to 3c72cdd Jun 11, 2018

@k8s-ci-robot k8s-ci-robot added size/L and removed size/M labels Jun 11, 2018

@@ -76,6 +76,7 @@ if [[ ${IP_MODE} = "ipv6" ]]; then
dns_server="${dind_ip_base}100"
DEFAULT_POD_NETWORK_CIDR="fd00:10:20::/72"
USE_HAIRPIN="${USE_HAIRPIN:-true}" # defaults on
ALLOW_AAAA_USE="${ALLOW_AAAA_USE:-false}" # Default is to use DNS64 always
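Review bot: The `:-false` default on the ALLOW_AAAA_USE line leaves the variable holding the non-empty string "false", so any downstream test of the form `[[ -n ${ALLOW_AAAA_USE} ]]` or `if [[ ${ALLOW_AAAA_USE} ]]` would treat the default as enabled; either compare explicitly against `true` everywhere the knob is consumed, or default it to the empty string and document that "set to anything" means on. The trailing comment also describes the default ("use DNS64 always") rather than what the knob enables; and a `DIND_` prefix, as used by `DIND_SUBNET` and `DIND_IMAGE` a few lines above in the same file, would keep the new tunable consistent with the rest.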

rpothier (Contributor) commented Jun 11, 2018

Would it make sense going forward that we prefix new env variables with DIND_?
I know only some have the prefix at this point, (DIND_SUBNET, DIND_IMAGE ...) but it makes it easier to review the env variables.

pmichali (Author, Contributor) commented Jun 11, 2018

Sure, will update.

@pmichali pmichali force-pushed the pmichali:allow_aaaa branch from 3c72cdd to 0e31706 Jun 11, 2018

IPv6: Allow AAAA record use
By default, DNS is set up to ignore (IPv6) AAAA records. As a result,
whenever a remote site is accessed, only the (IPv4) A record is used,
and a synthesized IPv6 address formed. This means that NAT64 will be
used for all external accesses, even when a site supports IPv6.

This is fine for environments where the cluster only has IPv4 access,
like GCE currently. However, if the cluster will have IPv6 access too,
the configuration can be modified to use AAAA records in DNS lookups,
and then remote sites with IPv6 addresses can be directly accessed
(without using NAT64).

This change provides a knob to allow enabling use of AAAA records. In
addition to modifying the DNS configuration, ip6tables rules are
created to perform SNAT for packets coming from the container nodes
and to forward external packets to the kubeadm-dind-net to get to the
pods.

The boolean environment variable, DIND_ALLOW_AAAA_USE, is defined for
this capability. If set to any value, it will be enabled (so false or
zero are considered "set", meaning true). If unset (the default for
backwards compatibility) AAAA records will not be used.

For IPv4, if this is set, a warning message will be displayed and it
will be ignored (it only applies to IPv6). For IPv6, if running on
GCE and this is set, the run will be aborted, as GCE doesn't support
native IPv6 outside of the cluster.

Note: This commit also modifies GCE_SETUP to be a boolean, instead of
a string representation of a boolean, for consistency.

Fixes issue #147
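The behaviour described in the PR description and in the commit message above (DNS64 synthesizing from the A record unless AAAA use is allowed, the "set to any value means enabled" semantics of DIND_ALLOW_AAAA_USE, the IPv4 warning, the GCE abort, and the SNAT/forward rules) as an added shell example. This is not code from kubeadm-dind-cluster or from this PR: the function names, the bind9 `exclude { any; }` form used to force synthesis, the default prefix 64:ff9b::/96, the node subnet fd00:10::/64 and the exact ip6tables rule shapes are all assumptions made for illustration. Nothing is executed; the stanza and rules are rendered as text so the decision can be reviewed first.

```shell
#!/bin/sh
# Added example (not code from kubeadm-dind-cluster or this PR). Models the
# DIND_ALLOW_AAAA_USE decision described in the commit message and renders
# the resulting bind9 dns64 stanza and ip6tables rules as text for review.
# Assumptions: the bind9 "exclude { any; }" form is what forces synthesis,
# the rule shapes and default subnet below, and every function name.

# Decide what the knob means for this run. Arguments: IP_MODE (ipv4|ipv6),
# GCE_SETUP (true|false), and DIND_ALLOW_AAAA_USE with "" meaning unset.
# Prints one of: disabled, enabled, ignored-ipv4, abort-gce.
aaaa_mode() {
  ip_mode=$1; gce_setup=$2; allow=$3
  # Any value counts as set: "false" and "0" enable the knob too.
  if [ -z "$allow" ]; then
    echo disabled; return 0
  fi
  if [ "$ip_mode" != ipv6 ]; then
    echo ignored-ipv4; return 0
  fi
  if [ "$gce_setup" = true ]; then
    echo abort-gce; return 0
  fi
  echo enabled
}

# Top-level check as a cluster script would run it: warn and ignore on
# IPv4, fail hard on GCE with IPv6, otherwise report the decision.
check_aaaa_knob() {
  mode=$(aaaa_mode "$1" "$2" "$3")
  case $mode in
    ignored-ipv4)
      echo "WARNING: DIND_ALLOW_AAAA_USE only applies to IP_MODE=ipv6; ignoring" >&2 ;;
    abort-gce)
      echo "ERROR: GCE has no native IPv6 egress; unset DIND_ALLOW_AAAA_USE" >&2
      return 1 ;;
  esac
  echo "$mode"
}

# bind9 dns64 stanza (assumed form). With AAAA use disabled, every real
# AAAA answer is excluded so clients only ever see addresses synthesized
# from the A record inside the NAT64 prefix. Enabled drops the exclude,
# so a site with a native AAAA record is reached without NAT64.
render_dns64_stanza() {
  mode=$1; prefix=${2:-64:ff9b::/96}
  if [ "$mode" = enabled ]; then
    printf 'dns64 %s {\n};\n' "$prefix"
  else
    printf 'dns64 %s {\n    exclude { any; };\n};\n' "$prefix"
  fi
}

# ip6tables rules (assumed shapes) that only matter once native IPv6
# egress is possible: SNAT traffic from the node subnet as it leaves the
# host's external interface, and let replies back in to the DinD bridge.
render_ip6tables_rules() {
  mode=$1; node_cidr=$2; ext_if=$3; bridge=${4:-kubeadm-dind-net}
  [ "$mode" = enabled ] || return 0
  printf 'ip6tables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' \
    "$node_cidr" "$ext_if"
  printf 'ip6tables -A FORWARD -i %s -o %s -j ACCEPT\n' "$bridge" "$ext_if"
  printf 'ip6tables -A FORWARD -i %s -o %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' \
    "$ext_if" "$bridge"
}

# Usage: IP_MODE=ipv6 GCE_SETUP=false DIND_ALLOW_AAAA_USE=1 sh this.sh
# "${VAR+set}" is non-empty whenever VAR is set, even to "", matching
# the "set to any value" rule from the commit message.
if [ "${IP_MODE:-}" ]; then
  mode=$(check_aaaa_knob "$IP_MODE" "${GCE_SETUP:-false}" "${DIND_ALLOW_AAAA_USE+set}") || exit 1
  render_dns64_stanza "$mode"
  render_ip6tables_rules "$mode" "${DIND_SUBNET:-fd00:10::/64}" "${EXT_IF:-eth0}"
fi
```

Run it with IP_MODE=ipv4 and the knob set to see the warning path, and with GCE_SETUP=true IP_MODE=ipv6 to see the abort; in the disabled case the rendered stanza keeps `exclude { any; }` and no ip6tables lines are emitted, which is the NAT64-always behaviour the PR describes as the default.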

@pmichali pmichali force-pushed the pmichali:allow_aaaa branch from 0e31706 to 5e938fa Jun 13, 2018

ivan4th (Collaborator) commented Jun 14, 2018

/approve

k8s-ci-robot (Contributor) commented Jun 14, 2018

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ivan4th, pmichali

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

ivan4th (Collaborator) commented Jun 14, 2018

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label Jun 14, 2018

@k8s-ci-robot k8s-ci-robot merged commit f42af42 into kubernetes-sigs:master Jun 14, 2018

20 of 21 checks passed

tide: Not mergeable.
ci/circleci: build: passed
ci/circleci: test_1.10: passed
ci/circleci: test_1.10_calico: passed
ci/circleci: test_1.10_calico_kdd: passed
ci/circleci: test_1.10_flannel: passed
ci/circleci: test_1.10_weave: passed
ci/circleci: test_1.8: passed
ci/circleci: test_1.8_calico: passed
ci/circleci: test_1.8_calico_kdd: passed
ci/circleci: test_1.8_flannel: passed
ci/circleci: test_1.8_weave: passed
ci/circleci: test_1.9: passed
ci/circleci: test_1.9_calico: passed
ci/circleci: test_1.9_calico_kdd: passed
ci/circleci: test_1.9_flannel: passed
ci/circleci: test_1.9_weave: passed
ci/circleci: test_src_master: passed
ci/circleci: test_src_release: passed
cla/linuxfoundation: pmichali authorized
continuous-integration/travis-ci/pr: The Travis CI build passed