From ba6aed0145265222885c60d0d2c1fb2a0b9cf329 Mon Sep 17 00:00:00 2001
From: Ciprian Hacman
Date: Fri, 3 Apr 2020 10:38:33 +0300
Subject: [PATCH] Set FELIX_CHAININSERTMODE default to "append"

---
 cmd/kops/create_cluster.go | 2 +-
 docs/cli/kops_create_cluster.md | 2 +-
 k8s/crds/kops.k8s.io_clusters.yaml | 9 +++++++++
 pkg/apis/kops/networking.go | 7 ++++++-
 pkg/apis/kops/v1alpha2/networking.go | 7 ++++++-
 pkg/apis/kops/v1alpha2/zz_generated.conversion.go | 2 ++
 .../create_cluster/complex/expected-v1alpha2.yaml | 5 ++++-
 .../integration/create_cluster/ha/expected-v1alpha2.yaml | 5 ++++-
 .../create_cluster/ha_encrypt/expected-v1alpha2.yaml | 5 ++++-
 .../create_cluster/ha_gce/expected-v1alpha2.yaml | 5 ++++-
 .../ha_shared_zones/expected-v1alpha2.yaml | 5 ++++-
 .../create_cluster/minimal/expected-v1alpha2.yaml | 5 ++++-
 .../create_cluster/overrides/expected-v1alpha2.yaml | 5 ++++-
 .../create_cluster/shared_subnets/expected-v1alpha2.yaml | 5 ++++-
 .../shared_subnets_vpc_lookup/expected-v1alpha2.yaml | 5 ++++-
 .../create_cluster/shared_vpc/expected-v1alpha2.yaml | 5 ++++-
 .../networking.projectcalico.org/k8s-1.16.yaml.template | 3 +++
 upup/pkg/fi/cloudup/bootstrapchannelbuilder.go | 2 +-
 18 files changed, 69 insertions(+), 15 deletions(-)

diff --git a/cmd/kops/create_cluster.go b/cmd/kops/create_cluster.go
index 38437b5c6361f..cb25c1eb86909 100644
--- a/cmd/kops/create_cluster.go
+++ b/cmd/kops/create_cluster.go
@@ -174,7 +174,7 @@ func (o *CreateClusterOptions) InitDefaults() {
 o.Yes = false
 o.Target = cloudup.TargetDirect
 o.Models = strings.Join(cloudup.CloudupModels, ",")
- o.Networking = "kubenet"
+ o.Networking = "calico"
 o.Channel = api.DefaultChannel
 o.Topology = api.TopologyPublic
 o.DNSType = string(api.DNSTypePublic)
diff --git a/docs/cli/kops_create_cluster.md b/docs/cli/kops_create_cluster.md
index 6c02e8b00ee48..9663803b547e2 100644
--- a/docs/cli/kops_create_cluster.md
+++ b/docs/cli/kops_create_cluster.md
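Review bot: The default for `o.Networking` flips from "kubenet" to "calico" in this hunk, which is a user-visible behaviour change for every `kops create cluster` run without `--networking`, and the commit subject only mentions the Felix chain-insert default. The generated docs hunk in this same patch still describes the flag as `kubenet (default), classic, ...` while printing `(default "calico")`, so the flag's usage string (defined outside this hunk, presumably elsewhere in this file) should be updated in the same change, e.g. `calico (default), kubenet, classic, external, ...`. This also deserves a release-note entry, since new clusters will now get a CNI that enforces NetworkPolicy by default and a different pod-networking and iptables footprint than kubenet. InitDefaults() begins and ends outside the hunk.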
@@ -93,7 +93,7 @@ kops create cluster [flags]
 --master-zones strings Zones in which to run masters (must be an odd number)
 --model string Models to apply (separate multiple models with commas) (default "proto,cloudup")
 --network-cidr string Set to override the default network CIDR
- --networking string Networking mode to use. kubenet (default), classic, external, kopeio-vxlan (or kopeio), weave, flannel-vxlan (or flannel), flannel-udp, calico, canal, kube-router, romana, amazon-vpc-routed-eni, cilium, cni. (default "kubenet")
+ --networking string Networking mode to use. kubenet (default), classic, external, kopeio-vxlan (or kopeio), weave, flannel-vxlan (or flannel), flannel-udp, calico, canal, kube-router, romana, amazon-vpc-routed-eni, cilium, cni. (default "calico")
 --node-count int32 Set the number of nodes
 --node-security-groups strings Add precreated additional security groups to nodes.
 --node-size string Set instance size for nodes
diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml
index 9a1a66792ca2c..8873847560f96 100644
--- a/k8s/crds/kops.k8s.io_clusters.yaml
+++ b/k8s/crds/kops.k8s.io_clusters.yaml
@@ -2490,7 +2490,16 @@ spec:
 calico:
 description: CalicoNetworkingSpec declares that we want Calico networking
 properties:
+ chainInsertMode:
+ description: 'ChainInsertMode controls whether Felix inserts
+ rules to the top of iptables chains, or appends to the bottom.
+ Leaving the default option is safest to prevent accidentally
+ breaking connectivity. Default: ''insert'' (other options:
+ ''append'')'
+ type: string
 crossSubnet:
+ description: CrossSubnet enables Calico's cross-subnet mode
+ when set to true
 type: boolean
 ipipMode:
 description: IPIPMode is mode for CALICO_IPV4POOL_IPIP
diff --git a/pkg/apis/kops/networking.go b/pkg/apis/kops/networking.go
index 41a69656ffdae..b6dc676a98c30 100644
--- a/pkg/apis/kops/networking.go
+++ b/pkg/apis/kops/networking.go
@@ -100,7 +100,12 @@ type FlannelNetworkingSpec struct {
 
 // CalicoNetworkingSpec declares that we want Calico networking
 type CalicoNetworkingSpec struct {
- CrossSubnet bool `json:"crossSubnet,omitempty"` // Enables Calico's cross-subnet mode when set to true
+ // ChainInsertMode controls whether Felix inserts rules to the top of iptables chains, or
+ // appends to the bottom. Leaving the default option is safest to prevent accidentally
+ // breaking connectivity. Default: 'insert' (other options: 'append')
+ ChainInsertMode string `json:"chainInsertMode,omitempty"`
+ // CrossSubnet enables Calico's cross-subnet mode when set to true
+ CrossSubnet bool `json:"crossSubnet,omitempty"`
 // LogSeverityScreen lets us set the desired log level. (Default: info)
 LogSeverityScreen string `json:"logSeverityScreen,omitempty"`
 // MTU to be set in the cni-network-config for calico.
diff --git a/pkg/apis/kops/v1alpha2/networking.go b/pkg/apis/kops/v1alpha2/networking.go
index 4dae5cb772131..12818cb7604a6 100644
--- a/pkg/apis/kops/v1alpha2/networking.go
+++ b/pkg/apis/kops/v1alpha2/networking.go
@@ -100,7 +100,12 @@ type FlannelNetworkingSpec struct {
 
 // CalicoNetworkingSpec declares that we want Calico networking
 type CalicoNetworkingSpec struct {
- CrossSubnet bool `json:"crossSubnet,omitempty"` // Enables Calico's cross-subnet mode when set to true
+ // ChainInsertMode controls whether Felix inserts rules to the top of iptables chains, or
+ // appends to the bottom. Leaving the default option is safest to prevent accidentally
+ // breaking connectivity. Default: 'insert' (other options: 'append')
+ ChainInsertMode string `json:"chainInsertMode,omitempty"`
+ // CrossSubnet enables Calico's cross-subnet mode when set to true
+ CrossSubnet bool `json:"crossSubnet,omitempty"`
 // LogSeverityScreen lets us set the desired log level. (Default: info)
 LogSeverityScreen string `json:"logSeverityScreen,omitempty"`
 // MTU to be set in the cni-network-config for calico.
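Review bot: The new ChainInsertMode doc comment says `Default: 'insert'` and that leaving the default is safest, but the addon template in this same patch substitutes "append" whenever the field is empty, so the comment (and the CRD description generated from it) documents the opposite of what kops now deploys. I would rewrite it as `// ChainInsertMode controls whether Felix inserts its rules at the top of the kernel's top-level iptables chains ("insert") or appends them at the bottom ("append"). kops defaults to "append"; Calico's Felix docs recommend "insert" because with "append" any earlier ACCEPT rule in those chains bypasses Calico policy.` The identical comment in the v1alpha2 copy further down this line needs the same correction, since the CRD is regenerated from it. Nothing in the diff adds a validation rule for the field, so a misspelt value such as `apend` is passed straight into the Felix environment; a check in cluster validation that the value is empty, "insert" or "append" would catch that at `kops update` time rather than when the DaemonSet rolls out.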
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
index 1769d3ed1769c..42c401bd1aa11 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@@ -1223,6 +1223,7 @@ func Convert_kops_CNINetworkingSpec_To_v1alpha2_CNINetworkingSpec(in *kops.CNINe
 }
 
 func autoConvert_v1alpha2_CalicoNetworkingSpec_To_kops_CalicoNetworkingSpec(in *CalicoNetworkingSpec, out *kops.CalicoNetworkingSpec, s conversion.Scope) error {
+ out.ChainInsertMode = in.ChainInsertMode
 out.CrossSubnet = in.CrossSubnet
 out.LogSeverityScreen = in.LogSeverityScreen
 out.MTU = in.MTU
@@ -1245,6 +1246,7 @@ func Convert_v1alpha2_CalicoNetworkingSpec_To_kops_CalicoNetworkingSpec(in *Cali
 }
 
 func autoConvert_kops_CalicoNetworkingSpec_To_v1alpha2_CalicoNetworkingSpec(in *kops.CalicoNetworkingSpec, out *CalicoNetworkingSpec, s conversion.Scope) error {
+ out.ChainInsertMode = in.ChainInsertMode
 out.CrossSubnet = in.CrossSubnet
 out.LogSeverityScreen = in.LogSeverityScreen
 out.MTU = in.MTU
diff --git a/tests/integration/create_cluster/complex/expected-v1alpha2.yaml b/tests/integration/create_cluster/complex/expected-v1alpha2.yaml
index 7293df889d0d3..9d6674b392df7 100644
--- a/tests/integration/create_cluster/complex/expected-v1alpha2.yaml
+++ b/tests/integration/create_cluster/complex/expected-v1alpha2.yaml
@@ -19,12 +19,14 @@ spec:
 name: a
 memoryRequest: 100Mi
 name: main
+ version: 3.2.24
 - cpuRequest: 100m
 etcdMembers:
 - instanceGroup: master-us-test-1a
 name: a
 memoryRequest: 100Mi
 name: events
+ version: 3.2.24
 iam:
 allowContainerRegistry: true
 legacy: false
@@ -36,7 +38,8 @@ spec:
 masterPublicName: api.complex.example.com
 networkCIDR: 172.20.0.0/16
 networking:
- kubenet: {}
+ calico:
+ majorVersion: v3
 nonMasqueradeCIDR: 100.64.0.0/10
 sshAccess:
 - 1.2.3.4/32
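Review bot: The `version: 3.2.24` lines added to both etcd clusters in this fixture are not explained by any non-test hunk in the patch, which only touches the `--networking` default and the Calico spec, so either the fixture was stale against an earlier etcd-defaulting change or an unrelated fixture refresh is riding along with this commit. Worth confirming which, and if it is the latter, splitting it out so the expected-output change can be reviewed next to the code that produces it. The `calico:` / `majorVersion: v3` block does follow from the new default, though the defaulting that fills in `majorVersion` is outside this diff.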
diff --git a/tests/integration/create_cluster/ha/expected-v1alpha2.yaml b/tests/integration/create_cluster/ha/expected-v1alpha2.yaml index 7c7bc993ac0e0..225a672cf9298 100644 --- a/tests/integration/create_cluster/ha/expected-v1alpha2.yaml +++ b/tests/integration/create_cluster/ha/expected-v1alpha2.yaml @@ -23,6 +23,7 @@ spec: name: c memoryRequest: 100Mi name: main + version: 3.2.24 - cpuRequest: 100m etcdMembers: - instanceGroup: master-us-test-1a @@ -33,6 +34,7 @@ spec: name: c memoryRequest: 100Mi name: events + version: 3.2.24 iam: allowContainerRegistry: true legacy: false @@ -44,7 +46,8 @@ spec: masterPublicName: api.ha.example.com networkCIDR: 172.20.0.0/16 networking: - kubenet: {} + calico: + majorVersion: v3 nonMasqueradeCIDR: 100.64.0.0/10 sshAccess: - 0.0.0.0/0 diff --git a/tests/integration/create_cluster/ha_encrypt/expected-v1alpha2.yaml b/tests/integration/create_cluster/ha_encrypt/expected-v1alpha2.yaml index 013219726bec7..d27424de9e63e 100644 --- a/tests/integration/create_cluster/ha_encrypt/expected-v1alpha2.yaml +++ b/tests/integration/create_cluster/ha_encrypt/expected-v1alpha2.yaml @@ -26,6 +26,7 @@ spec: name: c memoryRequest: 100Mi name: main + version: 3.2.24 - cpuRequest: 100m etcdMembers: - encryptedVolume: true @@ -39,6 +40,7 @@ spec: name: c memoryRequest: 100Mi name: events + version: 3.2.24 iam: allowContainerRegistry: true legacy: false @@ -50,7 +52,8 @@ spec: masterPublicName: api.ha.example.com networkCIDR: 172.20.0.0/16 networking: - kubenet: {} + calico: + majorVersion: v3 nonMasqueradeCIDR: 100.64.0.0/10 sshAccess: - 0.0.0.0/0 diff --git a/tests/integration/create_cluster/ha_gce/expected-v1alpha2.yaml b/tests/integration/create_cluster/ha_gce/expected-v1alpha2.yaml index 2efae9c1aecb0..3d3df55d681d8 100644 --- a/tests/integration/create_cluster/ha_gce/expected-v1alpha2.yaml +++ b/tests/integration/create_cluster/ha_gce/expected-v1alpha2.yaml 
@@ -23,6 +23,7 @@ spec: name: c memoryRequest: 100Mi name: main + version: 3.2.24 - cpuRequest: 100m etcdMembers: - instanceGroup: master-us-test1-a @@ -33,6 +34,7 @@ spec: name: c memoryRequest: 100Mi name: events + version: 3.2.24 iam: allowContainerRegistry: true legacy: false @@ -43,7 +45,8 @@ spec: kubernetesVersion: v1.15.6-beta.1 masterPublicName: api.ha-gce.example.com networking: - kubenet: {} + calico: + majorVersion: v3 nonMasqueradeCIDR: 100.64.0.0/10 project: testproject sshAccess: diff --git a/tests/integration/create_cluster/ha_shared_zones/expected-v1alpha2.yaml b/tests/integration/create_cluster/ha_shared_zones/expected-v1alpha2.yaml index 84b50987e4f3f..211023522b47e 100644 --- a/tests/integration/create_cluster/ha_shared_zones/expected-v1alpha2.yaml +++ b/tests/integration/create_cluster/ha_shared_zones/expected-v1alpha2.yaml @@ -27,6 +27,7 @@ spec: name: a-3 memoryRequest: 100Mi name: main + version: 3.2.24 - cpuRequest: 100m etcdMembers: - instanceGroup: master-us-test-1a-1 @@ -41,6 +42,7 @@ spec: name: a-3 memoryRequest: 100Mi name: events + version: 3.2.24 iam: allowContainerRegistry: true legacy: false @@ -52,7 +54,8 @@ spec: masterPublicName: api.ha.example.com networkCIDR: 172.20.0.0/16 networking: - kubenet: {} + calico: + majorVersion: v3 nonMasqueradeCIDR: 100.64.0.0/10 sshAccess: - 0.0.0.0/0 diff --git a/tests/integration/create_cluster/minimal/expected-v1alpha2.yaml b/tests/integration/create_cluster/minimal/expected-v1alpha2.yaml index 7b00c675a161b..d3cb04d2acb91 100644 --- a/tests/integration/create_cluster/minimal/expected-v1alpha2.yaml +++ b/tests/integration/create_cluster/minimal/expected-v1alpha2.yaml @@ -19,12 +19,14 @@ spec: name: a memoryRequest: 100Mi name: main + version: 3.2.24 - cpuRequest: 100m etcdMembers: - instanceGroup: master-us-test-1a name: a memoryRequest: 100Mi name: events + version: 3.2.24 iam: allowContainerRegistry: true legacy: false 
@@ -36,7 +38,8 @@ spec: masterPublicName: api.minimal.example.com networkCIDR: 172.20.0.0/16 networking: - kubenet: {} + calico: + majorVersion: v3 nonMasqueradeCIDR: 100.64.0.0/10 sshAccess: - 0.0.0.0/0 diff --git a/tests/integration/create_cluster/overrides/expected-v1alpha2.yaml b/tests/integration/create_cluster/overrides/expected-v1alpha2.yaml index 69ef83a8ecc0c..3aa3584848dbc 100644 --- a/tests/integration/create_cluster/overrides/expected-v1alpha2.yaml +++ b/tests/integration/create_cluster/overrides/expected-v1alpha2.yaml @@ -19,12 +19,14 @@ spec: name: a memoryRequest: 100Mi name: main + version: 3.2.24 - cpuRequest: 100m etcdMembers: - instanceGroup: master-us-test-1a name: a memoryRequest: 100Mi name: events + version: 3.2.24 iam: allowContainerRegistry: true legacy: false @@ -36,7 +38,8 @@ spec: masterPublicName: api.overrides.example.com networkCIDR: 172.20.0.0/16 networking: - kubenet: {} + calico: + majorVersion: v3 nodePortAccess: - 1.2.3.4/32 - 10.20.30.0/24 diff --git a/tests/integration/create_cluster/shared_subnets/expected-v1alpha2.yaml b/tests/integration/create_cluster/shared_subnets/expected-v1alpha2.yaml index c21efb368b1b1..51dc1b5b13a9a 100644 --- a/tests/integration/create_cluster/shared_subnets/expected-v1alpha2.yaml +++ b/tests/integration/create_cluster/shared_subnets/expected-v1alpha2.yaml @@ -19,12 +19,14 @@ spec: name: a memoryRequest: 100Mi name: main + version: 3.2.24 - cpuRequest: 100m etcdMembers: - instanceGroup: master-us-test-1a name: a memoryRequest: 100Mi name: events + version: 3.2.24 iam: allowContainerRegistry: true legacy: false @@ -37,7 +39,8 @@ spec: networkCIDR: 10.0.0.0/12 networkID: vpc-12345678 networking: - kubenet: {} + calico: + majorVersion: v3 nonMasqueradeCIDR: 100.64.0.0/10 sshAccess: - 0.0.0.0/0 
diff --git a/tests/integration/create_cluster/shared_subnets_vpc_lookup/expected-v1alpha2.yaml b/tests/integration/create_cluster/shared_subnets_vpc_lookup/expected-v1alpha2.yaml index c21efb368b1b1..51dc1b5b13a9a 100644 --- a/tests/integration/create_cluster/shared_subnets_vpc_lookup/expected-v1alpha2.yaml +++ b/tests/integration/create_cluster/shared_subnets_vpc_lookup/expected-v1alpha2.yaml @@ -19,12 +19,14 @@ spec: name: a memoryRequest: 100Mi name: main + version: 3.2.24 - cpuRequest: 100m etcdMembers: - instanceGroup: master-us-test-1a name: a memoryRequest: 100Mi name: events + version: 3.2.24 iam: allowContainerRegistry: true legacy: false @@ -37,7 +39,8 @@ spec: networkCIDR: 10.0.0.0/12 networkID: vpc-12345678 networking: - kubenet: {} + calico: + majorVersion: v3 nonMasqueradeCIDR: 100.64.0.0/10 sshAccess: - 0.0.0.0/0 diff --git a/tests/integration/create_cluster/shared_vpc/expected-v1alpha2.yaml b/tests/integration/create_cluster/shared_vpc/expected-v1alpha2.yaml index 2b267546d2996..3ad297968e84f 100644 --- a/tests/integration/create_cluster/shared_vpc/expected-v1alpha2.yaml +++ b/tests/integration/create_cluster/shared_vpc/expected-v1alpha2.yaml @@ -19,12 +19,14 @@ spec: name: a memoryRequest: 100Mi name: main + version: 3.2.24 - cpuRequest: 100m etcdMembers: - instanceGroup: master-us-test-1a name: a memoryRequest: 100Mi name: events + version: 3.2.24 iam: allowContainerRegistry: true legacy: false @@ -37,7 +39,8 @@ spec: networkCIDR: 10.0.0.0/12 networkID: vpc-12345678 networking: - kubenet: {} + calico: + majorVersion: v3 nonMasqueradeCIDR: 100.64.0.0/10 sshAccess: - 0.0.0.0/0 diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template index 7d3285b3cbde9..3c6e00a99c480 100644 --- a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template 
+++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template
@@ -839,6 +839,9 @@ spec:
 value: "true"
 
 # kops additions
+ # Controls whether Felix inserts rules to the top of iptables chains, or appends to the bottom
+ - name: FELIX_CHAININSERTMODE
+ value: "{{- or .Networking.Calico.ChainInsertMode "append" }}"
 # Set Felix iptables binary variant, Legacy or NFT
 - name: FELIX_IPTABLESBACKEND
 value: "{{- or .Networking.Calico.IptablesBackend "Auto" }}"
diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
index de2e7f11ffa74..0394f119b9d1c 100644
--- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
+++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
@@ -703,7 +703,7 @@ func (b *BootstrapChannelBuilder) buildAddons() *channelsapi.Addons {
 "k8s-1.7": "2.6.12-kops.1",
 "k8s-1.7-v3": "3.8.0-kops.2",
 "k8s-1.12": "3.9.5-kops.1",
- "k8s-1.16": "3.12.0-kops.1",
+ "k8s-1.16": "3.12.0-kops.2",
 }
 
 {
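Review bot: Hard-coding "append" as the fallback in `value: "{{- or .Networking.Calico.ChainInsertMode "append" }}"` silently changes behaviour for every existing cluster that picks up addon version 3.12.0-kops.2, because the API comment in this same patch records Felix's own default as 'insert', and the one-line comment above the variable says nothing about the switch or its policy consequence. In append mode Calico's hook rules are evaluated after whatever is already in the top-level chains, so an ACCEPT placed there earlier (another agent, a host firewall script, a stale ruleset) means that traffic never reaches Calico's NetworkPolicy evaluation, which is why Calico's documentation treats insert as the safe default. I would extend the comment to `# Defaults to "append" (Felix's own default is "insert"); with "append", any ACCEPT rule already ahead of Calico's hook in the top-level chains bypasses NetworkPolicy. Set chainInsertMode: insert in the cluster spec to restore the Felix default.` and call the change out in the release notes. Consider also applying the "append" default in the API defaulting code rather than only here, so `kops get cluster -o yaml` shows the value that is actually in effect.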