Add romana to built-in CNI options #3290
Conversation
Hi @cgilmour. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test

You mind squashing your commits?
Thanks for the PR! Some questions and changes.
pkg/apis/kops/networking.go
Outdated

// Romana declares that we want Romana networking
type RomanaNetworkingSpec struct {
	DaemonServiceIP string `json:"daemonServiceIP,omitempty"`
Can we get a description on the struct members?
docs/networking.md
Outdated

#### Installing Romana on a new Cluster

The following command sets up a cluster with Romana as the CNI and networking policy provider
Can we document that etcd has to be open to the nodes?
  effect: NoSchedule
containers:
- name: romana-agent
  image: quay.io/romana/agent:v2.0-preview.2
Is this released in GA? If not may want to add a note to the docs
Added a note into the Romana section of networking doc.
args:
- --service-cluster-ip-range={{ .ServiceClusterIPRange }}
securityContext:
  privileged: true
Does it need full privileged?
This one does, yes.
tolerations:
- key: node-role.kubernetes.io/master
  effect: NoSchedule
containers:
Can you add CPU and mem limits, please?
CPU and memory limits added for all containers in the spec.
imagePullPolicy: Always
args:
- --etcd_use_v2
- --etcd_addr={{ .Networking.Romana.EtcdServiceIP }}
How is calico setting this? Can we do hostname(s) instead of IP address?
This component, romana-vpcrouter, is involved in creating route entries so that pods can be reached, and runs on the host network instead of as a plain pod.
We'd originally configured it as a regular pod using a DNS address for etcd, but that didn't work. It provides the routing to pods, such as kube-dns; when the routes don't exist yet, it can't find etcd to get the information needed to add those routes.
For those reasons, it uses hostNetwork and a predeclared service IP for the etcd address.
@@ -468,6 +468,27 @@ func (b *BootstrapChannelBuilder) buildManifest() (*channelsapi.Addons, map[stri
	}
}

if b.cluster.Spec.Networking.Romana != nil {
Should we test that k8s version is 1.6 or greater?
I'm fine adding this. Is there an example to base it on?
Probably best to add it to cluster validation and a similar example (where a networking mode is not supported on particular k8s versions) is here https://github.com/kubernetes/kops/blob/master/pkg/apis/kops/validation/legacy.go#L400
(And I'm sure you could make romana work with k8s 1.5, but I agree that it probably isn't worth it :-) )
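The validation being suggested is a simple semantic-version gate on the cluster's Kubernetes version. kops itself uses the blang/semver package for this; the following is a minimal stdlib-only sketch of the same idea, with illustrative names:

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parse extracts major.minor.patch from a version string such as "1.5.7".
func parse(v string) [3]int {
	var out [3]int
	for i, part := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(part)
		out[i] = n
	}
	return out
}

// versionLT reports whether version a sorts below version b, which is
// enough for a "requires Kubernetes >= 1.6.0" check.
func versionLT(a, b string) bool {
	pa, pb := parse(a), parse(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

func main() {
	kubernetesVersion := "1.5.7" // illustrative cluster version
	if versionLT(kubernetesVersion, "1.6.0") {
		fmt.Println("romana networking is not supported with kubernetes versions 1.5 or lower")
	}
}
```

In the real validation code the failing case would return a field.Error from ValidateCluster rather than printing.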
@cgilmour did you make this change?
Yes, here
tolerations:
- key: node-role.kubernetes.io/master
  effect: NoSchedule
containers:
CPU and mem limits please
Force-pushed from eb32ca1 to 57bf416 (compare)
Commits have been squashed, and updates made for the requested changes.
Generally LGTM. I'm happy to merge and iterate on these!
if b.Cluster.Spec.Networking.Romana != nil {
	// Romana needs to access etcd
	glog.Warningf("Opening etcd port on masters for access from the nodes, for romana. This is unsafe in untrusted environments.")
	tcpPorts = append(tcpPorts, 4001)
It looks like you open etcd on 12379, not 4001.
Kind of. The service port is 12379, but that gets translated by kube-proxy's iptables rules to a specific IP and port 4001. So the security group sees connections to port 4001.
@@ -69,5 +69,18 @@ func (b *NetworkingOptionsBuilder) BuildOptions(o interface{}) error {
	}
}

if networking.Romana != nil {
	daemonIP, err := WellKnownServiceIP(clusterSpec, 99)
You may want to set these only if they aren't already set, to allow the user to override them if they want to. That said I suspect we don't want to allow the user to override them?
Our need for the address is mainly that it's static and reserved, because at this layer we can't depend on kube-dns pods being reachable.
I don't think it'd be an issue if users changed them, because they'd get substituted in all the necessary places, but it's not really a valuable thing to do.
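WellKnownServiceIP derives a fixed service IP by adding an offset to the base of the cluster's service CIDR, which is what makes the address static and reserved. A rough stdlib-only sketch of the IPv4 case (the real kops helper also handles larger offsets and error cases):

```go
package main

import (
	"fmt"
	"net"
)

// wellKnownServiceIP returns the IPv4 address at base(serviceCIDR) + offset,
// mirroring how kops reserves fixed in-cluster service IPs.
func wellKnownServiceIP(serviceCIDR string, offset int) (net.IP, error) {
	_, network, err := net.ParseCIDR(serviceCIDR)
	if err != nil {
		return nil, err
	}
	ip := network.IP.To4()
	if ip == nil {
		return nil, fmt.Errorf("only IPv4 is handled in this sketch")
	}
	// Treat the base address as a 32-bit integer and add the offset.
	n := uint32(ip[0])<<24 | uint32(ip[1])<<16 | uint32(ip[2])<<8 | uint32(ip[3])
	n += uint32(offset)
	return net.IPv4(byte(n>>24), byte(n>>16), byte(n>>8), byte(n)), nil
}

func main() {
	// With the kops default service range 100.64.0.0/13, offset 99
	// lands on 100.64.0.99.
	ip, err := wellKnownServiceIP("100.64.0.0/13", 99)
	if err != nil {
		panic(err)
	}
	fmt.Println(ip) // prints 100.64.0.99
}
```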
@justinsb thoughts?
name: romana
namespace: kube-system
spec:
  clusterIP: {{ .Networking.Romana.DaemonServiceIP }}
Is this actually changeable? I note that the clients aren't templated with this value, so I'm wondering how they reach the service.
Most of the containers take the address from the environment variables that get added to the pod automatically for services. Those ones don't need to have the value passed in explicitly via flags.
if b.Cluster.Spec.Networking.Romana != nil {
	// Romana needs to access etcd
	glog.Warningf("Opening etcd port on masters for access from the nodes, for romana. This is unsafe in untrusted environments.")
	tcpRanges = []portRange{{From: 1, To: 4001}, {From: 4003, To: 65535}}
This is inconsistent with the above opened ports (e.g. 9600 is missing)
This was based on what another CNI does. Port 9600 is covered by the second range (4003-65535).
I'm OK with making this more specific in both places.
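To make the coverage claim concrete: the two ranges together span every TCP port except 4002, so 9600 is indeed included. A small sketch with a containment check (the portRange type mirrors the {From, To} pairs in the diff above; the helper name is illustrative):

```go
package main

import "fmt"

// portRange mirrors the {From, To} pairs used for the security group rules.
type portRange struct {
	From, To int
}

// contains reports whether port falls inside any of the given ranges
// (bounds inclusive).
func contains(ranges []portRange, port int) bool {
	for _, r := range ranges {
		if port >= r.From && port <= r.To {
			return true
		}
	}
	return false
}

func main() {
	tcpRanges := []portRange{{From: 1, To: 4001}, {From: 4003, To: 65535}}
	fmt.Println(contains(tcpRanges, 9600)) // 9600 is inside 4003-65535
	fmt.Println(contains(tcpRanges, 4002)) // only 4002 is excluded
}
```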
Force-pushed from 57bf416 to 558eb62 (compare)
@@ -393,6 +393,12 @@ func ValidateCluster(c *kops.Cluster, strict bool) *field.Error {
	}
}

if kubernetesRelease.LT(semver.MustParse("1.6.0")) {
This adds the version check to require v1.6.0 or higher for romana networking.
Are there any other changes that you'd like in this PR, or other questions that need an answer?
@cgilmour PR needs rebase
Force-pushed from 558eb62 to 79d331e (compare)
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: chrislovecnm The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing /approve in a comment.
/test all

[submit-queue is verifying that this PR is safe to merge]
Automatic merge from submit-queue
This PR adds romana as a networking option for kops. It installs the latest "preview" release of Romana v2.0, which provides the expected features in terms of IP allocation and route configuration. Network policy features are being ported to 2.0 and will be in the final release. (We intend to submit a follow-up PR for kops as part of rolling out that release.)
Note: in this setup, we're using the etcd cluster that kops deploys for k8s. This isn't ideal, but some possibilities (e.g. StatefulSets) aren't practical for the CNI itself, and creating a parallel etcd cluster via manifests seemed more intrusive than using the existing one.
If this is a concern or problem, then I'm very open to discussing and implementing it based on your suggestions.
Also, some functionality is exclusive to AWS environments. Other cloud platforms are on Romana's roadmap but not developed yet. Let me know if that restriction needs to be enforced in code or just documented.