Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cilium nodeport #8220

Merged
merged 2 commits into from
Feb 13, 2020
Merged

Cilium nodeport #8220

merged 2 commits into from
Feb 13, 2020

Conversation

olemarkus
Copy link
Member

Cilium is capable of fully replacing kube-proxy by running in NodePort mode.
This PR will prevent kops from installing kube-proxy if NodePort is enabled on the Cilium addon.

This is implemented similar to how kube-proxy is disabled by kube-router. I do wonder if forcing kubeProxy.enabled=false would be a bit cleaner than just disabling it implicitly by the cilium.enableNodePort setting.

Note: This feature requires kernel version 4.19.57 or later

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Dec 29, 2019
@k8s-ci-robot
Copy link
Contributor

Hi @olemarkus. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Dec 29, 2019
@rifelpet
Copy link
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Dec 29, 2019
@olemarkus
Copy link
Member Author

/retest

@johngmyers
Copy link
Member

/test pull-kops-e2e-kubernetes-aws

@olemarkus
Copy link
Member Author

/test pull-kops-e2e-kubernetes-aws

@olemarkus olemarkus mentioned this pull request Jan 16, 2020
Merged
@olemarkus olemarkus force-pushed the cilium-nodeport branch 4 times, most recently from 4f9f897 to 1c7bf53 Compare February 9, 2020 17:41
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 10, 2020
Fixes some issues with running Cilium nodeport
eee672f 
* Cilium need to talk to the internal cluster API on  public IPs instead of the internal service
* Tell people explicitly they have to disable kubeproxy so it won't conflict with nodeport
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 11, 2020
johngmyers
johngmyers requested changes Feb 12, 2020
View reviewed changes
pkg/apis/kops/validation/legacy.go Outdated
@@ -602,6 +602,10 @@ func ValidateCluster(c *kops.Cluster, strict bool) field.ErrorList {

allErrs = append(allErrs, newValidateCluster(c)...)

if c.Spec.Networking != nil && c.Spec.Networking.Cilium != nil && c.Spec.Networking.Cilium.EnableNodePort && c.Spec.KubeProxy != nil && *c.Spec.KubeProxy.Enabled {
allErrs = append(allErrs, field.Invalid(fieldSpec.Child("KubeProxy"), "enabled", "When Cilium NodePort is enabled, KubeProxy must be disabled"))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should use field.Forbidden() instead.
Should use fieldspec.Child("KubeProxy").Child("Enabled") to refer to the correct field.

@rifelpet
Copy link
Member

Just to help me understand, would specifying Cilium.EnableNodePort=true and KubeProxy.Enabled=true result in a functional cluster? If so, then no longer allowing that combination of fields would be a breaking change. You mention this being similar to KubeRouter and I'm wondering if we should update the logic here to exclude kubeproxy nodeup tasks when Cilium.EnableNodePort=true:

kops/upup/pkg/fi/nodeup/command.go

Lines 252 to 254 in cbee4dc

if c.cluster.Spec.Networking.Kuberouter == nil {
loader.Builders = append(loader.Builders, &model.KubeProxyBuilder{NodeupModelContext: modelContext})
} else {

@olemarkus
Copy link
Member Author

Without this PR, enableNodePort doesn't work at all even though it was possible to set that flag.

My first idea was actually to drop the kubeProxy task like kuberouter does, but I think it is better to make the user do the right thing instead of just disabling it explicitly. The first thing that happens in the kubeProxy task is to check the kubeProxy.enabled flag and return if it is false.

@rifelpet
Copy link
Member

I agree forcing the user to explicitly set kubeProxy.enabled=false is more clear. Maybe its worth mentioning both enableNodePort and its kubeProxy.enabled requirement in the docs? https://github.com/kubernetes/kops/blob/master/docs/networking.md#cilium-example-for-cni-and-network-policy

@olemarkus
Copy link
Member Author

I want to create documentation both for this feature and for #8316. Just need to see how these play out first in case I need to do more changes.

@rifelpet
Copy link
Member

ok great, thank you!

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 13, 2020
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: olemarkus, rifelpet

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 13, 2020
@mazzy89
Copy link
Contributor

mazzy89 commented Feb 13, 2020

asta la vista kube-proxy whoa

@k8s-ci-robot k8s-ci-robot merged commit 91867ce into kubernetes:master Feb 13, 2020
@k8s-ci-robot k8s-ci-robot added this to the v1.18 milestone Feb 13, 2020
@olemarkus olemarkus deleted the cilium-nodeport branch March 25, 2020 20:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@johngmyers johngmyers johngmyers requested changes

@aanm aanm aanm approved these changes

@joshbranham joshbranham Awaiting requested review from joshbranham

@robinpercy robinpercy Awaiting requested review from robinpercy

Assignees

@rifelpet rifelpet

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
v1.18
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@olemarkus @k8s-ci-robot @rifelpet @johngmyers @mazzy89 @aanm