Make aws-cni config more flexible and generalized #11816
Conversation
k8s-ci-robot
added
cncf-cla: yes
moshevayner
force-pushed
the
fix-11144-aws-cni-config
branch
from
625161b
to
b8c401d
Compare
pkg/apis/kops/networking.go
Outdated
| // Specifies whether ipamd should configure rp filter for primary interface. | ||
| // Setting this to false will require rp filter to be configured through init container. | ||
| AwsVpcK8sCniConfigureRpFilter string `json:"awsVpcK8sCniConfigureRpFilter,omitempty"` | ||
| Env []EnvVar `json:"env,omitempty"` |
There was a problem hiding this comment.
Should not remove the documentation comment
pkg/apis/kops/networking.go
Outdated
| @@ -248,12 +248,19 @@ type RomanaNetworkingSpec struct { | |||
|
|
|||
| // AmazonVPCNetworkingSpec declares that we want Amazon VPC CNI networking | |||
| type AmazonVPCNetworkingSpec struct { | |||
| // Specifies whether ipamd should configure rp filter for primary interface. | |||
There was a problem hiding this comment.
Doc comment needs to start with the name of the field.
pkg/apis/kops/networking.go
Outdated
| // Setting this to false will require rp filter to be configured through init container. | ||
| AwsVpcK8sCniConfigureRpFilter string `json:"awsVpcK8sCniConfigureRpFilter,omitempty"` | ||
| Env []EnvVar `json:"env,omitempty"` | ||
| // If ENABLE_POD_ENI is set to true, in order for the kubelet to connect via TCP (for liveness or readiness probes) to pods that are using per pod security groups, |
There was a problem hiding this comment.
Doc comment needs to start with the name of the field.
upup/models/cloudup/resources/addons/networking.amazon-vpc-routed-eni/k8s-1.16.yaml.template
Show resolved
Hide resolved
|
Thanks for the review, @johngmyers ! |
pkg/apis/kops/networking.go
Outdated
| InitImageName string `json:"initImageName,omitempty"` | ||
| // AwsVpcK8sCniConfigureRpFilter specifies whether ipamd should configure rp filter for primary interface. | ||
| // Setting this to false will require rp filter to be configured through init container. | ||
| AwsVpcK8sCniConfigureRpFilter string `json:"awsVpcK8sCniConfigureRpFilter,omitempty"` |
There was a problem hiding this comment.
All of this refers to the AWS VPC CNI, so that part of the name is redundant.
"RP" is an acronym for "Reverse Path".
The possible values are "true" and "false", so it's a boolean.
| AwsVpcK8sCniConfigureRpFilter string `json:"awsVpcK8sCniConfigureRpFilter,omitempty"` | |
| ConfigureRPFilter *bool `json:"configureRPFilter,omitempty"` |
pkg/apis/kops/networking.go
Outdated
| // The init container image name to use | ||
| InitImageName string `json:"initImageName,omitempty"` | ||
| // AwsVpcK8sCniConfigureRpFilter specifies whether ipamd should configure rp filter for primary interface. | ||
| // Setting this to false will require rp filter to be configured through init container. |
There was a problem hiding this comment.
Should mention the default is true.
pkg/apis/kops/networking.go
Outdated
| // in order for the kubelet to connect via TCP (for liveness or readiness probes) to pods that are using per pod security groups. | ||
| // This will increase the local TCP connection latency slightly. | ||
| // To use this setting, a Linux kernel version of at least 4.6 is needed on the worker node. | ||
| DisableTCPEarlyDemux string `json:"disableTCPEarlyDemux,omitempty"` |
There was a problem hiding this comment.
Also a boolean.
We try to avoid negative booleans.
| DisableTCPEarlyDemux string `json:"disableTCPEarlyDemux,omitempty"` | |
| TCPEarlyDemux *bool `json:"enableTCPEarlyDemux,omitempty"` |
moshevayner
force-pushed
the
fix-11144-aws-cni-config
branch
from
8a05ab4
to
5f9f480
Compare
moshevayner
force-pushed
the
fix-11144-aws-cni-config
branch
from
5f9f480
to
e239838
Compare
So I did that with everything else, however it seems like these two are actually different from the default values according to the docs, so I needed to make an override on them. Is there a better way to handle that, than the one I used? |
|
/retest |
moshevayner
force-pushed
the
fix-11144-aws-cni-config
branch
3 times, most recently
from
6ffaba3
to
dd26563
Compare
|
Hey @MoShitrit, sorry for the delay, but was traveling for the past few days. Will take another look at this today. |
|
I would add a template function like this: if cluster.Spec.Networking != nil && cluster.Spec.Networking.AmazonVPC != nil {
c := cluster.Spec.Networking.AmazonVPC
dest["AmazonVpcEnvVars"] = func() map[string]string {
envVars := map[string]string{
"AWS_VPC_K8S_CNI_CONFIGURE_RPFILTER": "false",
}
for _, e := range c.Env {
envVars[e.Name] = e.Value
}
return envVars
}
}and change the template to use it instead of directly accessing the env vars: {{- range $name, $value := AmazonVpcEnvVars }}
- "name": "{{ $name }}"
"value": "{{ $value }}"
{{- end }}This way we can change the defaults, but still allow overwriting them. |
moshevayner
force-pushed
the
fix-11144-aws-cni-config
branch
from
dd26563
to
0bdfabc
Compare
upup/models/cloudup/resources/addons/networking.amazon-vpc-routed-eni/k8s-1.16.yaml.template
Show resolved
Hide resolved
upup/models/cloudup/resources/addons/networking.amazon-vpc-routed-eni/k8s-1.16.yaml.template
Show resolved
Hide resolved
moshevayner
force-pushed
the
fix-11144-aws-cni-config
branch
from
0bdfabc
to
c4ab20a
Compare
…mplate functions for ease of customization Update auto-generated files
moshevayner
force-pushed
the
fix-11144-aws-cni-config
branch
from
c4ab20a
to
6dee0ad
Compare
|
/lgtm Will let @hakman do the final approval |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hakman The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/retest |
1 similar comment
|
/retest |
Fixes #11144
/cc @hakman