dns-controller: allow it to run on CNI networking mode and remove dependency on kube-proxy #8131
Conversation
Hi @rochacon. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with `/ok-to-test` on its own line. Once the patch is verified, the new status will be reflected by the `ok-to-test` label. I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Force-pushed from `660eefd` to `67c9e03`.
Kube-router also runs without kube-proxy. It could be an idea to look at the code paths that make this CNI work.
@olemarkus the main difference is that with the kube-router integration, kops will manage the CNI, leading to a working cluster by the end of provisioning, so no extra steps are required. I also used the cilium `enable-node-port` option.
We are also using cilium. I want to add support for running cilium without kube-proxy managed by kops, but haven't had much time to look at it yet.
It is both, @olemarkus.

[1] This is the node and pod list after launching the cluster with `--networking=cni`:
[2] Node not ready due to lack of CNI configuration:
edit: added more info
Extra note:
Just out of curiosity, which AMI are you using with this? enable-node-port requires a newer image than the kops default.
When you have the three NotReady masters, the API (obviously) is available, so you can simply deploy the cilium resources. Then the nodes become Ready and eventually the rest of the nodes join the cluster. There is no need to change taints or anything for that to work.
I'm using CoreOS 2303.3.0, the latest stable. The API is available, but only from one of the master servers. Since dns-controller also controls the etcd endpoints, I believe full etcd quorum won't be available when running a multi-master setup until dns-controller starts (but I haven't tested this).
dns-controller only sets the api.internal domain. protokube will handle etcd and the external API. I'll see if I can get this working.
When running with an LB for the masters, kops creates the DNS record during the `kops update cluster` run. Without this patch, the cluster stays with the public/external DNS record pointing to the placeholder [4], resulting in the need to SSH into the master to publish the CNI settings.

[1]
[2]
[3]
[4]
This is where we currently add the annotation for this kind of setup: `kops/nodeup/pkg/model/kube_apiserver.go`, lines 515 to 517 (at a21bdb2).
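For illustration, a minimal sketch of a pod carrying such an annotation, assuming the `dns.alpha.kubernetes.io/internal` key that kops' dns-controller watches (the hostname and image tag here are hypothetical):

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  annotations:
    # dns-controller watches this annotation and publishes an internal
    # DNS record for the node running this pod (hostname is hypothetical)
    dns.alpha.kubernetes.io/internal: api.internal.example.k8s.local
spec:
  hostNetwork: true
  containers:
  - name: kube-apiserver
    image: k8s.gcr.io/kube-apiserver:v1.16.0  # hypothetical tag
```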
Looks like you need to run
When booting a cluster with `--networking=cni`, `dns-controller` will not start due to the master node being _tainted_ as "network unreachable". This adds an extra step when managing your own CNI setup: having to SSH into a master and publish the CNI manifests from there.

This commit adds a toleration and configuration that allow the `dns-controller` pod to start when running with `--networking=cni`, properly creating the DNS records so the operator can remotely publish the CNI and extra manifests to get a fully working cluster.

This also removes the dependency on `kube-proxy` by adding the `KUBERNETES_SERVICE_HOST` environment variable, bypassing `kube-proxy` when it is disabled. Presumably, as a side effect, this change also allows "host network only" clusters to work.

Signed-off-by: Rodrigo Chacon <rochacon@gmail.com>
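For orientation, a rough sketch of what the manifest change amounts to, assuming the standard `node.kubernetes.io/network-unavailable` taint key and common kops conventions (the selector, image, and hostNetwork details may differ from the actual template):

```yaml
spec:
  # dns-controller keeps running on a master node
  nodeSelector:
    node-role.kubernetes.io/master: ""
  # Use the host network so the pod can run before the CNI is configured
  hostNetwork: true
  tolerations:
  # Tolerate the taint applied while the node's network (CNI) is not yet set up
  - key: node.kubernetes.io/network-unavailable
    operator: Exists
  containers:
  - name: dns-controller
    image: kope/dns-controller  # tag elided
    env:
    # Reach the apiserver on localhost directly instead of the
    # kubernetes.default service VIP, which requires kube-proxy
    - name: KUBERNETES_SERVICE_HOST
      value: "127.0.0.1"
```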
Force-pushed from `67c9e03` to `e449467`.
Thanks @johngmyers, I updated the test artifacts; tests should pass now.
This looks great, thanks @rochacon!

There is the risk that we start before something else is ready, but if we encounter such a thing we should be able to tweak dns-controller to tolerate it. The nodeSelector will continue to keep this running on the master.

Moreover, this should help things start a little bit faster: dns-controller is very much in the critical path for cluster bringup.

/approve
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: justinsb, rochacon

The full list of commands accepted by this bot can be found here. The pull request process is described here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing `/approve` in a comment.
```yaml
env:
- name: KUBERNETES_SERVICE_HOST
  value: "127.0.0.1"
{{- if .EgressProxy }}
{{ range $name, $value := ProxyEnv }}
```
Now that you've refactored this, I'm wondering if we need the `if .EgressProxy` guard. For another PR though!
I moved the `if` below to add the new environment variable by default. There was actually a bug here: when using DigitalOcean and EgressProxy together, a duplicated `env:` key would be rendered.

Given the `range` over `ProxyEnv`, I'm not sure we need the `if` either, but I didn't want to change this right now since I'm not familiar with this feature.
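For context, a sketch of how the refactored block could render both entries, with the proxy variables appended after the unconditional `KUBERNETES_SERVICE_HOST` entry (the loop body is an assumption, not the exact kops template):

```yaml
env:
- name: KUBERNETES_SERVICE_HOST
  value: "127.0.0.1"
{{- if .EgressProxy }}
{{- range $name, $value := ProxyEnv }}
- name: {{ $name }}
  value: {{ $value }}
{{- end }}
{{- end }}
```

Since the `range` over `ProxyEnv` renders nothing when the map is empty, the outer `if .EgressProxy` guard may indeed be redundant, which matches the suggestion above.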
/test pull-kops-e2e-kubernetes-aws
@rochacon: The following test failed, say `/retest` to rerun all failed tests:

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Problem
When booting a cluster with `--networking=cni`, `dns-controller` will not start due to the master node being tainted as "network unreachable". This adds an extra step when managing your own CNI setup: having to SSH into a master and publish the CNI manifests from there.

Desired behavior

An operator should expect `kops` to provide a manageable cluster by the end of the `kops update cluster --yes` step, even when managing the CNI externally, so the next step is a natural `kubectl apply -f my-cni.yaml`.

Proposal

This PR adds a toleration and configuration that allow the `dns-controller` pod to start when running with `--networking=cni`, properly creating the DNS records so the operator can remotely publish the CNI and extra manifests to get a fully working cluster.

This also removes the dependency on `kube-proxy` by adding the `KUBERNETES_SERVICE_HOST` environment variable, bypassing `kube-proxy` when it is disabled.

Presumably, as a side effect, this change also allows "host network only" clusters to work.

More context

I'm currently running a kube-proxyless Cilium setup, and because dns-controller failed to start, I had to script around kops to SSH and publish the CNI setup from the master node itself.