-
Notifications
You must be signed in to change notification settings - Fork 6.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix calico host local ipam #11022
Fix calico host local ipam #11022
Conversation
Otherwise, the init container upgrade-ipam would clear the state of the host-local plugin, potentially causing it to reassign IPs that are still in use.
Welcome @robertvolkmann! |
Hi @robertvolkmann. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the catch!
@@ -428,7 +432,7 @@ spec: | |||
hostPath: | |||
path: /run/xtables.lock | |||
type: FileOrCreate | |||
{% if calico_datastore == "kdd" %} | |||
{% if calico_datastore == "kdd" and not calico_ipam_host_local %} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks wrong, look at the comment: It's used when upgrading from host-local to calico-ipam, we need this only when ipam is host-local. and you can see https://github.com/projectcalico/calico/blob/4efd1bfd914b0c59086531c8c5a5ac5b593c18b1/charts/calico/templates/calico-node.yaml#L641
Please let me know if I'm wrong.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, this was also not obvious to me. If the user wants to use host-local as IPAM, then migrating the host-local state to calico-ipam is wrong because host-local should be used.
The manifest in the Helm Chart allows for a non-working setup because it doesn't support calico as the network backend with host-local IPAM. See projectcalico/calico#8642.
In my setup, where I use Calico only for policy enforcement (i.e., calico_backend: none and calico_ipam_host_local: true), migrating to calico-ipam involves removing the running state of the host-local IPAM, potentially causing it to reassign IPs that are still in use. You can refer to this link for more details: https://github.com/projectcalico/calico/blob/4efd1bfd914b0c59086531c8c5a5ac5b593c18b1/manifests/calico-policy-only.yaml#L4781.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sorry for the delay. you are right! We need mount this only when the ipam is calico-ipam.
# Configure route aggregation based on pod CIDR. | ||
# - name: USE_POD_CIDR | ||
# value: "true" | ||
{% if calico_ipam_host_local %} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like there's some formatting error. doesn't it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've reviewed it again, and everything seems correct on my end. If you notice any issues or have any specific suggestions, please feel free to point them out.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
HI @cyclinder
Do you have any comments ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/ok-to-test |
thanks! /lgtm |
Thanks @robertvolkmann @cyclinder |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: robertvolkmann, yankay The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
* Prevent upgrade-ipam for host-local IPAM Otherwise, the init container upgrade-ipam would clear the state of the host-local plugin, potentially causing it to reassign IPs that are still in use. * USE_POD_CIDR required for host-local https://github.com/projectcalico/calico/blob/4efd1bfd914b0c59086531c8c5a5ac5b593c18b1/charts/calico/templates/calico-node.yaml#L279 https://github.com/projectcalico/calico/blob/4efd1bfd914b0c59086531c8c5a5ac5b593c18b1/charts/calico/templates/calico-typha.yaml#L133
* Prevent upgrade-ipam for host-local IPAM Otherwise, the init container upgrade-ipam would clear the state of the host-local plugin, potentially causing it to reassign IPs that are still in use. * USE_POD_CIDR required for host-local https://github.com/projectcalico/calico/blob/4efd1bfd914b0c59086531c8c5a5ac5b593c18b1/charts/calico/templates/calico-node.yaml#L279 https://github.com/projectcalico/calico/blob/4efd1bfd914b0c59086531c8c5a5ac5b593c18b1/charts/calico/templates/calico-typha.yaml#L133
* Prevent upgrade-ipam for host-local IPAM Otherwise, the init container upgrade-ipam would clear the state of the host-local plugin, potentially causing it to reassign IPs that are still in use. * USE_POD_CIDR required for host-local https://github.com/projectcalico/calico/blob/4efd1bfd914b0c59086531c8c5a5ac5b593c18b1/charts/calico/templates/calico-node.yaml#L279 https://github.com/projectcalico/calico/blob/4efd1bfd914b0c59086531c8c5a5ac5b593c18b1/charts/calico/templates/calico-typha.yaml#L133
What type of PR is this?
/kind bug
What this PR does / why we need it:
The init container upgrade-ipam should only be added for calico-ipam, because otherwise it would clear the state of the host-local plugin, potentially causing it to reassign IPs that are still in use.
Additionally, the environment variable USE_POD_CIDR is necessary for the host-local plugin.
https://github.com/projectcalico/calico/blob/4efd1bfd914b0c59086531c8c5a5ac5b593c18b1/charts/calico/templates/calico-node.yaml#L279
https://github.com/projectcalico/calico/blob/4efd1bfd914b0c59086531c8c5a5ac5b593c18b1/charts/calico/templates/calico-typha.yaml#L133