Cilium nodeport #8220
Conversation
Hi @olemarkus. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test
/retest
/test pull-kops-e2e-kubernetes-aws
Branch force-pushed from 484e6de to 3440bd0.
/test pull-kops-e2e-kubernetes-aws
Branch force-pushed from 3440bd0 to 96e6df2.
Branch force-pushed from 96e6df2 to 30add92.
upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml
Branch force-pushed from 4f9f897 to 1c7bf53.
* Cilium needs to talk to the internal cluster API on public IPs instead of the internal service
* Tell people explicitly they have to disable kubeproxy so it won't conflict with nodeport
Branch force-pushed from 1c7bf53 to eee672f.
pkg/apis/kops/validation/legacy.go
@@ -602,6 +602,10 @@ func ValidateCluster(c *kops.Cluster, strict bool) field.ErrorList { | |||
|
|||
allErrs = append(allErrs, newValidateCluster(c)...) | |||
|
|||
if c.Spec.Networking != nil && c.Spec.Networking.Cilium != nil && c.Spec.Networking.Cilium.EnableNodePort && c.Spec.KubeProxy != nil && *c.Spec.KubeProxy.Enabled { | |||
allErrs = append(allErrs, field.Invalid(fieldSpec.Child("KubeProxy"), "enabled", "When Cilium NodePort is enabled, KubeProxy must be disabled")) |
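Review bot: the new condition dereferences `*c.Spec.KubeProxy.Enabled` after checking only `c.Spec.KubeProxy != nil`; since `Enabled` is a pointer (it is dereferenced with `*`), a cluster spec that has a `kubeProxy` block but omits `enabled` will panic inside validation instead of returning an error. Add `c.Spec.KubeProxy.Enabled != nil` to the condition, or route the decision through a helper that applies the default for a nil value. Separately, the error is raised with `field.Invalid` on `fieldSpec.Child("KubeProxy")` with the literal value `"enabled"`; a disallowed combination of two fields is what `field.Forbidden` is for, and the path should be `fieldSpec.Child("KubeProxy").Child("Enabled")` so the message points at the field the user must change.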
Should use field.Forbidden() instead. Should use fieldspec.Child("KubeProxy").Child("Enabled") to refer to the correct field.
Just to help me understand, would specifying kops/upup/pkg/fi/nodeup/command.go Lines 252 to 254 in cbee4dc
Without this PR, enableNodePort doesn't work at all even though it was possible to set that flag. My first idea was actually to drop the kubeProxy task like kuberouter does, but I think it is better to make the user do the right thing instead of just disabling it explicitly. The first thing that happens in the kubeProxy task is to check the kubeProxy.enabled flag and return if it is false.
I agree forcing the user to explicitly set kubeProxy.enabled=false is more clear. Maybe it's worth mentioning both enableNodePort and its kubeProxy.enabled requirement in the docs? https://github.com/kubernetes/kops/blob/master/docs/networking.md#cilium-example-for-cni-and-network-policy
I want to create documentation both for this feature and for #8316. Just need to see how these play out first in case I need to do more changes.
ok great, thank you!
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: olemarkus, rifelpet The full list of commands accepted by this bot can be found here. The pull request process is described here
hasta la vista
Cilium is capable of fully replacing kube-proxy by running in NodePort mode.
This PR will prevent kops from installing kube-proxy if NodePort is enabled on the Cilium addon.
This is implemented similarly to how kube-proxy is disabled by kube-router. I do wonder if forcing kubeProxy.enabled=false would be a bit cleaner than just disabling it implicitly by the cilium.enableNodePort setting.
Note: This feature requires kernel version 4.19.57 or later.
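The validation rule discussed above (Cilium NodePort on means kube-proxy must be explicitly off) and the review comments on the hunk (nil-safety, a Forbidden-style error on the right field path), worked through as an added example. This is not kops' own code: the spec types are minimal stand-ins for the fields named in the thread, `FieldError` only mirrors the shape of an apimachinery `field.Forbidden` error, and the rule that an omitted `kubeProxy` block or an omitted `enabled` value counts as "kube-proxy installed" is an assumption made for the example, not a statement of kops' defaults. The JSON cluster specs at the bottom are constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal stand-ins for the kops cluster spec fields discussed in this PR.
// These are assumptions for the example, not kops' own API types.
type CiliumSpec struct {
	EnableNodePort bool `json:"enableNodePort"`
}

type NetworkingSpec struct {
	Cilium *CiliumSpec `json:"cilium,omitempty"`
}

type KubeProxySpec struct {
	// Pointer so an omitted field can be told apart from an explicit false.
	// Dereferencing this without a nil check is the panic the hunk risks.
	Enabled *bool `json:"enabled,omitempty"`
}

type ClusterSpec struct {
	Networking *NetworkingSpec `json:"networking,omitempty"`
	KubeProxy  *KubeProxySpec  `json:"kubeProxy,omitempty"`
}

// FieldError mirrors the shape of a field.Forbidden error: the path of the
// field the user must change plus a human-readable detail.
type FieldError struct {
	Path   string
	Detail string
}

func (e FieldError) Error() string { return e.Path + ": " + e.Detail }

// kubeProxyEnabled reports whether kube-proxy would be installed for this
// spec. Assumption for the example: an omitted kubeProxy block or an omitted
// enabled field means kube-proxy is installed; the nil checks are what keep
// the validator from panicking on a partially specified block.
func kubeProxyEnabled(c *ClusterSpec) bool {
	if c.KubeProxy == nil || c.KubeProxy.Enabled == nil {
		return true
	}
	return *c.KubeProxy.Enabled
}

// ciliumNodePortEnabled is nil-safe across the optional networking and cilium blocks.
func ciliumNodePortEnabled(c *ClusterSpec) bool {
	return c.Networking != nil && c.Networking.Cilium != nil && c.Networking.Cilium.EnableNodePort
}

// ValidateCiliumNodePort returns the error the PR's check should produce:
// when Cilium NodePort is on, kube-proxy must be explicitly disabled so the
// two do not both program NodePort handling on the node.
func ValidateCiliumNodePort(c *ClusterSpec) []FieldError {
	var errs []FieldError
	if ciliumNodePortEnabled(c) && kubeProxyEnabled(c) {
		errs = append(errs, FieldError{
			Path:   "spec.kubeProxy.enabled",
			Detail: "must be false when spec.networking.cilium.enableNodePort is true (kube-proxy conflicts with Cilium NodePort)",
		})
	}
	return errs
}

// ValidateClusterJSON parses a cluster spec document and runs the check.
func ValidateClusterJSON(doc string) ([]FieldError, error) {
	var c ClusterSpec
	if err := json.Unmarshal([]byte(doc), &c); err != nil {
		return nil, fmt.Errorf("parsing cluster spec: %w", err)
	}
	return ValidateCiliumNodePort(&c), nil
}

func main() {
	// Constructed sample specs covering the combinations the thread discusses,
	// including the kubeProxy block with no enabled value.
	cases := []struct{ name, doc string }{
		{"nodeport, kube-proxy block omitted", `{"networking":{"cilium":{"enableNodePort":true}}}`},
		{"nodeport, kube-proxy enabled omitted", `{"networking":{"cilium":{"enableNodePort":true}},"kubeProxy":{}}`},
		{"nodeport, kube-proxy explicitly on", `{"networking":{"cilium":{"enableNodePort":true}},"kubeProxy":{"enabled":true}}`},
		{"nodeport, kube-proxy explicitly off", `{"networking":{"cilium":{"enableNodePort":true}},"kubeProxy":{"enabled":false}}`},
		{"cilium without nodeport", `{"networking":{"cilium":{"enableNodePort":false}},"kubeProxy":{"enabled":true}}`},
	}
	for _, tc := range cases {
		errs, err := ValidateClusterJSON(tc.doc)
		if err != nil {
			fmt.Printf("%-40s -> %v\n", tc.name, err)
			continue
		}
		fmt.Printf("%-40s -> %d error(s) %v\n", tc.name, len(errs), errs)
	}
}
```

The useful property to notice is that every spec that leaves kube-proxy at its (assumed) default fails validation with the same message at `spec.kubeProxy.enabled`, which is what makes the user "do the right thing" explicitly, as the thread prefers, instead of kops silently dropping the kube-proxy task.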