Fix calico host local ipam #11022
Fix calico host local ipam #11022
Conversation
Otherwise, the init container upgrade-ipam would clear the state of the host-local plugin, potentially causing it to reassign IPs that are still in use.
k8s-ci-robot
added
the
cncf-cla: yes
|
Welcome @robertvolkmann! |
|
Hi @robertvolkmann. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
| @@ -428,7 +432,7 @@ spec: | |||
| hostPath: | |||
| path: /run/xtables.lock | |||
| type: FileOrCreate | |||
| {% if calico_datastore == "kdd" %} | |||
| {% if calico_datastore == "kdd" and not calico_ipam_host_local %} | |||
There was a problem hiding this comment.
This looks wrong, look at the comment: It's used when upgrading from host-local to calico-ipam, we need this only when ipam is host-local. and you can see https://github.com/projectcalico/calico/blob/4efd1bfd914b0c59086531c8c5a5ac5b593c18b1/charts/calico/templates/calico-node.yaml#L641
Please let me know if I'm wrong.
There was a problem hiding this comment.
Yeah, this was also not obvious to me. If the user wants to use host-local as IPAM, then migrating the host-local state to calico-ipam is wrong because host-local should be used.
The manifest in the Helm Chart allows for a non-working setup because it doesn't support calico as the network backend with host-local IPAM. See projectcalico/calico#8642.
In my setup, where I use Calico only for policy enforcement (i.e., calico_backend: none and calico_ipam_host_local: true), migrating to calico-ipam involves removing the running state of the host-local IPAM, potentially causing it to reassign IPs that are still in use. You can refer to this link for more details: https://github.com/projectcalico/calico/blob/4efd1bfd914b0c59086531c8c5a5ac5b593c18b1/manifests/calico-policy-only.yaml#L4781.
There was a problem hiding this comment.
sorry for the delay. you are right! We need mount this only when the ipam is calico-ipam.
| # Configure route aggregation based on pod CIDR. | ||
| # - name: USE_POD_CIDR | ||
| # value: "true" | ||
| {% if calico_ipam_host_local %} |
There was a problem hiding this comment.
It looks like there's some formatting error. doesn't it?
There was a problem hiding this comment.
I've reviewed it again, and everything seems correct on my end. If you notice any issues or have any specific suggestions, please feel free to point them out.
There was a problem hiding this comment.
HI @cyclinder
Do you have any comments ?
There was a problem hiding this comment.
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
thanks! /lgtm |
k8s-ci-robot
added
the
lgtm
|
Thanks @robertvolkmann @cyclinder |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: robertvolkmann, yankay The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
* Prevent upgrade-ipam for host-local IPAM Otherwise, the init container upgrade-ipam would clear the state of the host-local plugin, potentially causing it to reassign IPs that are still in use. * USE_POD_CIDR required for host-local https://github.com/projectcalico/calico/blob/4efd1bfd914b0c59086531c8c5a5ac5b593c18b1/charts/calico/templates/calico-node.yaml#L279 https://github.com/projectcalico/calico/blob/4efd1bfd914b0c59086531c8c5a5ac5b593c18b1/charts/calico/templates/calico-typha.yaml#L133
* Prevent upgrade-ipam for host-local IPAM Otherwise, the init container upgrade-ipam would clear the state of the host-local plugin, potentially causing it to reassign IPs that are still in use. * USE_POD_CIDR required for host-local https://github.com/projectcalico/calico/blob/4efd1bfd914b0c59086531c8c5a5ac5b593c18b1/charts/calico/templates/calico-node.yaml#L279 https://github.com/projectcalico/calico/blob/4efd1bfd914b0c59086531c8c5a5ac5b593c18b1/charts/calico/templates/calico-typha.yaml#L133
* Prevent upgrade-ipam for host-local IPAM Otherwise, the init container upgrade-ipam would clear the state of the host-local plugin, potentially causing it to reassign IPs that are still in use. * USE_POD_CIDR required for host-local https://github.com/projectcalico/calico/blob/4efd1bfd914b0c59086531c8c5a5ac5b593c18b1/charts/calico/templates/calico-node.yaml#L279 https://github.com/projectcalico/calico/blob/4efd1bfd914b0c59086531c8c5a5ac5b593c18b1/charts/calico/templates/calico-typha.yaml#L133
What type of PR is this?
/kind bug
What this PR does / why we need it:
The init container upgrade-ipam should only be added for calico-ipam, because otherwise it would clear the state of the host-local plugin, potentially causing it to reassign IPs that are still in use.
Additionally, the environment variable USE_POD_CIDR is necessary for the host-local plugin.
https://github.com/projectcalico/calico/blob/4efd1bfd914b0c59086531c8c5a5ac5b593c18b1/charts/calico/templates/calico-node.yaml#L279
https://github.com/projectcalico/calico/blob/4efd1bfd914b0c59086531c8c5a5ac5b593c18b1/charts/calico/templates/calico-typha.yaml#L133