Add romana to built-in CNI options #3290
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
Hi @cgilmour. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
needs-ok-to-test
|
/ok-to-test You mind squashing your commits? |
k8s-ci-robot
removed
the
needs-ok-to-test
pkg/apis/kops/networking.go
Outdated
|
|
||
| // Romana declares that we want Romana networking | ||
| type RomanaNetworkingSpec struct { | ||
| DaemonServiceIP string `json:"daemonServiceIP,omitempty"` |
There was a problem hiding this comment.
Can we get a description on the sctruct members?
docs/networking.md
Outdated
|
|
||
| #### Installing Romana on a new Cluster | ||
|
|
||
| The following command sets up a cluster with Kube-router as the CNI, service proxy and networking policy provider |
There was a problem hiding this comment.
Can we document that etcd has to be open to the nodes?
| effect: NoSchedule | ||
| containers: | ||
| - name: romana-agent | ||
| image: quay.io/romana/agent:v2.0-preview.2 |
There was a problem hiding this comment.
Is this released in GA? If not may want to add a note to the docs
There was a problem hiding this comment.
Added a note into the Romana section of networking doc.
| args: | ||
| - --service-cluster-ip-range={{ .ServiceClusterIPRange }} | ||
| securityContext: | ||
| privileged: true |
There was a problem hiding this comment.
Does it need full privileged?
There was a problem hiding this comment.
This one does, yes.
| tolerations: | ||
| - key: node-role.kubernetes.io/master | ||
| effect: NoSchedule | ||
| containers: |
There was a problem hiding this comment.
Can I add CPU and mem limits please?
There was a problem hiding this comment.
CPU and memory limits added for all containers in the spec.
| imagePullPolicy: Always | ||
| args: | ||
| - --etcd_use_v2 | ||
| - --etcd_addr={{ .Networking.Romana.EtcdServiceIP }} |
There was a problem hiding this comment.
How is calico setting this? Can we do hostname(s) instead of IP address?
There was a problem hiding this comment.
This component, romana-vpcrouter is involved in creating route entries so that pods can be reached, and runs on the host network instead of as a plain pod.
We'd originally configured it as a regular pod and using a DNS address for etcd, but it didn't work. It provides the routing to pods, such as kube-dns. When the routes don't exist yet, it can't find etcd to get the information to add those routes.
For those reasons, it uses hostNetworking and a predeclared service ip for the etcd address.
| @@ -468,6 +468,27 @@ func (b *BootstrapChannelBuilder) buildManifest() (*channelsapi.Addons, map[stri | |||
| } | |||
| } | |||
|
|
|||
| if b.cluster.Spec.Networking.Romana != nil { | |||
There was a problem hiding this comment.
Should we test that k8s version is 1.6 or greater?
There was a problem hiding this comment.
I'm fine adding this. Is there an example to base it on?
There was a problem hiding this comment.
Probably best to add it to cluster validation and a similar example (where a networking mode is not supported on particular k8s versions) is here https://github.com/kubernetes/kops/blob/master/pkg/apis/kops/validation/legacy.go#L400
(And I'm sure you could make romana work with k8s 1.5, but I agree that it probably isn't worth it :-) )
There was a problem hiding this comment.
@cgilmour did you make this change?
| tolerations: | ||
| - key: node-role.kubernetes.io/master | ||
| effect: NoSchedule | ||
| containers: |
There was a problem hiding this comment.
CPU and mem limits please
cgilmour
force-pushed
the
romana-networking-option
branch
from
eb32ca1
to
57bf416
Compare
|
Commits have been squashed, and updates made for the requested changes. |
| if b.Cluster.Spec.Networking.Romana != nil { | ||
| // Romana needs to access etcd | ||
| glog.Warningf("Opening etcd port on masters for access from the nodes, for romana. This is unsafe in untrusted environments.") | ||
| tcpPorts = append(tcpPorts, 4001) |
There was a problem hiding this comment.
It looks like you open etcd on 12379, not 4001.
There was a problem hiding this comment.
Kind of. The service port is 12379, but that gets translated by kube-proxy's iptables rules to a specific IP and port 4001. So the security group sees connections to port 4001.
| @@ -468,6 +468,27 @@ func (b *BootstrapChannelBuilder) buildManifest() (*channelsapi.Addons, map[stri | |||
| } | |||
| } | |||
|
|
|||
| if b.cluster.Spec.Networking.Romana != nil { | |||
There was a problem hiding this comment.
Probably best to add it to cluster validation and a similar example (where a networking mode is not supported on particular k8s versions) is here https://github.com/kubernetes/kops/blob/master/pkg/apis/kops/validation/legacy.go#L400
(And I'm sure you could make romana work with k8s 1.5, but I agree that it probably isn't worth it :-) )
| @@ -69,5 +69,18 @@ func (b *NetworkingOptionsBuilder) BuildOptions(o interface{}) error { | |||
| } | |||
| } | |||
|
|
|||
| if networking.Romana != nil { | |||
| daemonIP, err := WellKnownServiceIP(clusterSpec, 99) | |||
There was a problem hiding this comment.
You may want to set these only if they aren't already set, to allow the user to override them if they want to. That said I suspect we don't want to allow the user to override them?
There was a problem hiding this comment.
"Our" needs for the address is mainly that it's static and reserved, because in this "layer" we can't depend on kube-dns pods being reachable.
I don't think it'd be an issue if users changed them, because they'd get substituted in all the necessary places, but it's not really a valuable thing to do.
| name: romana | ||
| namespace: kube-system | ||
| spec: | ||
| clusterIP: {{ .Networking.Romana.DaemonServiceIP }} |
There was a problem hiding this comment.
Is this actually changeable? I note that the clients aren't templated with this value, so I'm wondering how they reach the service.
There was a problem hiding this comment.
Most of the containers take the address from the environment variables that get added to the pod automatically for services. Those ones don't need to have the value passed in explicitly via flags.
| if b.Cluster.Spec.Networking.Romana != nil { | ||
| // Romana needs to access etcd | ||
| glog.Warningf("Opening etcd port on masters for access from the nodes, for romana. This is unsafe in untrusted environments.") | ||
| tcpRanges = []portRange{{From: 1, To: 4001}, {From: 4003, To: 65535}} |
There was a problem hiding this comment.
This is inconsistent with the above opened ports (e.g. 9600 is missing)
There was a problem hiding this comment.
This was based on what another CNI does. Port 9600 is covered by the second range (4003-65535).
I'm OK with making this more specific in both places.
cgilmour
force-pushed
the
romana-networking-option
branch
from
57bf416
to
558eb62
Compare
| @@ -393,6 +393,12 @@ func ValidateCluster(c *kops.Cluster, strict bool) *field.Error { | |||
| } | |||
| } | |||
|
|
|||
| if kubernetesRelease.LT(semver.MustParse("1.6.0")) { | |||
There was a problem hiding this comment.
This adds the version check to require v1.6.0 or higher for romana networking.
|
Are there any other changes that you'd like in this PR, or other questions that need an answer? |
k8s-github-robot
added
the
needs-rebase
|
@cgilmour PR needs rebase |
cgilmour
force-pushed
the
romana-networking-option
branch
from
558eb62
to
79d331e
Compare
k8s-github-robot
removed
the
needs-rebase
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: chrislovecnm The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue |
This PR adds
romanaas a networking option for kops.It installs the latest "preview" release of Romana v2.0, which provides the expected features in terms of IP allocations and route configuration. Network policy features are being ported to 2.0 and will be in the final release. (We intend to submit a followup PR for kops as part of that rolling out that release.)
Note: in this setup, we're using the etcd cluster that kops deploys for k8s. This isn't ideal, but some possibilities (eg: StatefulSets) aren't practical for the CNI itself, and creating a parallel etcd cluster via manifests seemed to be a more-intrusive approach than using the existing one.
If this is a concern or problem, then I'm very open to discussing and implementing it based on your suggestions.
Also, some functionality is exclusive to AWS environments. Other cloud platforms are on Romana's roadmap but not developed yet. Let me know that restriction needs to be enforced in code or directly documented.