Add support for Amazon VPC CNI plugin #3997
We need to ensure this is not installed on k8s versions lower than 1.7. Can we add something to validation.go?
8f3fc47 to 6d3b382
I am not seeing any IAM role change in this diff. The worker nodes need to have the following IAM policy:
Thanks, @liwenwu-amazon - can we set the IAM perms so that the CNI provider only has perms for that node? If the ds is running on ip-172-31-23-208, then the CNI provider would only have perms for DetachNetworkInterface on ec2 instance ip-172-31-23-208. If my node is compromised I am giving DetachNetworkInterface for my entire account, and I would prefer to not. Also, when we delete a cluster or delete a node, does kops need to clean up all of the ENIs? I just thought about cleanup upon deletion, since we are creating new networking components.
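The concern in the comment above (a node role that can call DetachNetworkInterface account-wide) can be checked mechanically; this audit script is an added example, not code from this PR or from kops. It flags Allow statements that grant ENI-mutating actions on `Resource: "*"`; the sample policy is constructed, and treating any `Condition` as sufficient scoping, matching only a literal `*` resource, and ignoring `NotAction`/`NotResource` are simplifying assumptions of the example.

```python
import fnmatch
import json

# DetachNetworkInterface is the action named in the thread; the other two are
# related EC2 API actions chosen for this example.
ENI_ACTIONS = ["ec2:DetachNetworkInterface", "ec2:AttachNetworkInterface",
               "ec2:DeleteNetworkInterface"]

def _as_list(value):
    """IAM accepts a bare string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def unscoped_eni_grants(policy_json):
    """Return (sid, action) pairs where an Allow statement grants an ENI
    action on every resource with no Condition to narrow it."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a single object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        # Assumption: any Condition block counts as scoping the grant.
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        for action in ENI_ACTIONS:
            # Action names are case-insensitive and may contain wildcards.
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                findings.append((stmt.get("Sid", f"statement[{index}]"), action))
    return findings

# Constructed sample policy (the policy posted in the PR is not on this page).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EniWide", "Effect": "Allow",
         "Action": ["ec2:DetachNetworkInterface", "ec2:Describe*"], "Resource": "*"},
        {"Sid": "EniTagged", "Effect": "Allow", "Action": "ec2:*NetworkInterface",
         "Resource": "*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/cluster": "example"}}},
        {"Effect": "Allow", "Action": "EC2:Delete*", "Resource": ["*"]},
    ],
})

if __name__ == "__main__":
    for sid, action in unscoped_eni_grants(SAMPLE_POLICY):
        print(f"{sid}: {action} allowed on Resource '*' with no Condition")
```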
6d3b382 to ce75e45
3b318b5 to 9fc5a9d
I don't see additional ENIs in the console, just in the nodes
@chrislovecnm @justinsb how can we measure (or compare) the performance of this cni provider?
c5e635d to 56d1e23
56d1e23 to c3733d8
@liwenwu-amazon this is the procedure:

```sh
# Bucket that holds both the kops state store and the dev build assets
export S3_BUCKET_NAME=<some bucket you own>
export KOPS_STATE_STORE=s3://${S3_BUCKET_NAME}
export KOPS_BASE_URL=https://${S3_BUCKET_NAME}.s3.amazonaws.com/kops/dev/

# Build kops from this branch and upload the assets to the bucket
make kops-install upload S3_BUCKET=s3://${S3_BUCKET_NAME} VERSION=dev

# $NAME is the cluster name and must already be set in the environment
kops create cluster \
  --zones us-east-1a,us-east-1b,us-east-1c \
  --dns private \
  --vpc vpc-0066bd79 \
  --node-count 5 \
  --master-size m3.xlarge \
  --networking amazon-vpc-routed-eni \
  --kubernetes-version 1.8.0 $NAME -v 10
```
@aledbf Thank you for the instructions. I am still getting the same error. Just curious if the following file name needs to be changed to networking.amazon-vpc-routed-eni?
@liwenwu-amazon please check you have the last commit https://github.com/kubernetes/kops/pull/3997/files#diff-cf17abfa9600a8947998f51a549c0b46
Also run `make clean && make` please. Is go bindata running for you? That file is generated by go bindata
To be clear:

```sh
$ make clean
```

Also, is that file on disk?
@aledbf @chrislovecnm Thanks, and I am able to bring up a kops cluster. But I am running into a new problem: Here is the iptables-save output
We have a container that will do that, which is included with Calico. We can add that to the manifest. When your team refactors the provider to run on the master, you may want to consider enabling that from there.
@chrislovecnm @aledbf Let me know when you have the updated manifest that enables IP forwarding. Thanks
cae06b1 to 2e05dd1
@liwenwu-amazon please update the code. The latest rebased code contains the image @chrislovecnm mentioned https://github.com/kubernetes/kops/pull/3997/files#diff-cf17abfa9600a8947998f51a549c0b46R102
I am getting the following error with kubernetes 1.8.0
And I am getting a different error when trying kubernetes 1.7.10
@liwenwu-amazon did you follow the procedure #3997 (comment) to build kops and the S3 assets?
@aledbf yes. I have done it twice. Let me try one more time.
@aledbf It works now! Was my fault, lost my VPN during my build.
@liwenwu-amazon so are you good to merge as is?
@chrislovecnm looks good to me! Thanks.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chrislovecnm
@chrislovecnm is this ok to be merged? (I still see the hold label)
/h
/hold cancel
/test all [submit-queue is verifying that this PR is safe to merge]
Automatic merge from submit-queue.
TODO: