Dual-Stack Integration with Kubeadm #79033
Conversation
k8s-ci-robot
added
release-note
|
Hi @Arvinderpal. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-ok-to-test
|
@Arvinderpal: GitHub didn't allow me to assign the following users: aojea. Note that only kubernetes members and repo collaborators can be assigned and that issues/PRs can only have 10 assignees at the same time. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
area/kubeadm
sig/cluster-lifecycle
|
/sig cluster-lifecycle |
|
/priority important-soon |
k8s-ci-robot
added
priority/important-soon
| if len(c.PodSubnet) != 0 { | ||
| allErrs = append(allErrs, ValidateIPNetFromString(c.PodSubnet, constants.MinimumAddressesInServiceSubnet, field.NewPath("podSubnet"))...) | ||
| allErrs = append(allErrs, ValidatePodSubnetsFromString(c.PodSubnet, field.NewPath("podSubnet"))...) |
There was a problem hiding this comment.
this is only going to be a comma separated list if the feature is enable. right?
if utilfeature.DefaultFeatureGate.Enabled(kubefeatures.IPv6DualStack) , otherwise it has to work as always
There was a problem hiding this comment.
I've looked through the feature-gate code in kubeadm, and from what I can tell feature-gates only apply to k8s components like api, kubelet, etc. For example, here is my kubeadm init config file. I'm enabling dual-stack in individual components.
There is also a top level featureGate at the ClusterConfig level; however, this throws an error.
kind: ClusterConfiguration
...
featureGates:
IPv6DualStack: true
Error:
featureGates: Invalid value: map[string]bool{"IPv6DualStack":true}: IPv6DualStack is not a valid feature name
Perhaps the kubeadm folks can shed some light here. @neolit123 @yastij do you know?
IMO, the following works whether the config.ClusterCIDR is a single IP or a list of IPs, so it should be safe to use:
cidrs := strings.Split(config.ClusterCIDR, ",")
There was a problem hiding this comment.
so on slack i said "maybe we can avoid feature gates for this", but we probably shouldn't given we are toggling an alpha feature for a number of components that can cause problems that we cannot predict:
https://github.com/kubernetes/kubernetes/blob/master/pkg/features/kube_features.go#L538
kubeadm maintains it's own way of doing feature gates (for reasons).
please, have a look at:
https://github.com/kubernetes/kubernetes/blob/master/cmd/kubeadm/app/features/features.go#L41
the unit tests should provide an example of how to use this?
kubeadm feature gates are supported in the ClusterConfiguration object (as long as they are registered), they are also supported on the CLI side but we need to double check if all init phases have the --feature-gates flag propagated.
we also need to organize the tasks better:
- first PR that we merge should add the kubeadm gate (should have a release note about the gate addition)
- second PR (this one) should modify the validation to support ",". examine if validation changes are needed based on the gate.
- third PR should add e2e tests under "kubeadm-e2e"
more comments on the implementation:
- as mentioned above validators should/might behave differently, but in my thinking they should not:
- passing a comma separated list from the config or CLI should be tolerated by the new validators
- a comma separated list is backwards compatible and a super-set of field that has a single value, therefore the new validators should can a superset of the of previous ones.
- this lets us get away with supporting "," separated lists in the old configs - e.g. v1beta2
- if the kubeadm gate is enabled all components such as kubelet, control-plane, need the respected k8s feature gate to be passed to them.
- we need to maintain the kubeadm gate until the feature is GA. once it's GA we have to deprecate the feature gate.
- if we decide to deprecate the feature gate we need to follow the deprecation policy of the "state" it's currently at e.g. longer for GA.
@Arvinderpal please ping me on the PR that adds the kubeadm feature gate.
thanks!
There was a problem hiding this comment.
so on slack i said "maybe we can avoid feature gates for this", but we probably shouldn't given we are toggling an alpha feature for a number of components that can cause problems that we cannot predict:
Ok. I will look at adding feature-gate in kubeadm as well.
we also need to organize the tasks better:
- first PR that we merge should add the kubeadm gate (should have a release note about the gate addition)
- second PR (this one) should modify the validation to support ",". examine if validation changes are needed based on the gate.
- third PR should add e2e tests under "kubeadm-e2e"
Ok. I have updated the tracking ticket and will use that to track current and future tasks. kubernetes/kubeadm#1612
@Arvinderpal please ping me on the PR that adds the kubeadm feature gate.
Will do! Thanks.
k8s-ci-robot
added
the
needs-rebase
There was a problem hiding this comment.
@Arvinderpal please remove the WIP when you think it's OK.
leaving the LGTM to someone else.
thanks.
/approve
/ok-to-test
k8s-ci-robot
added
ok-to-test
| @@ -28,6 +28,7 @@ import ( | |||
| "k8s.io/apimachinery/pkg/util/validation/field" | |||
| componentbaseconfig "k8s.io/component-base/config" | |||
| apivalidation "k8s.io/kubernetes/pkg/apis/core/validation" | |||
| kubefeatures "k8s.io/kubernetes/pkg/features" | |||
There was a problem hiding this comment.
this might complicate things for kubernetes/kubeadm#1600, I'd suggest dropping this import.
cc @neolit123 @rosti
There was a problem hiding this comment.
but this import is in pkg/proxy....validation and not cmd/kubeadm.
kubeadm does not import pkg/features (last time i've checked). why do you see this as a problem?
There was a problem hiding this comment.
my bad, I thought I was reading on cmd/kubeadm
There was a problem hiding this comment.
@Arvinderpal - can you run hack/update-bazel.sh to reflect the introduced imports on the BUILD files ?
Arvinderpal
force-pushed
the
kubeadm-ds-pod-network-cidr
branch
from
0caa164
to
3a8eb00
Compare
|
looks like there is are some failing unit tests related to the kube-proxy validation. nothing major: |
separated pod CIDRs. Dual-stack feature must be enabled for the validation to be done.
CIDRs. This is a necesary change for dual-stack.
Arvinderpal
force-pushed
the
kubeadm-ds-pod-network-cidr
branch
from
3a8eb00
to
3ac7ae6
Compare
Arvinderpal
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
@timothysc I believe I have addressed the change that you requested -- see e2e test PR. If all looks well, then please remove the change request. :) |
|
@Arvinderpal this looks good on the kubeadm side, but we need an approved on the kube-proxy side: looks like @thockin is the only approver in the file. |
|
Thanks! /approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Arvinderpal, neolit123, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/lgtm ping @timothysc :) |
k8s-ci-robot
added
the
lgtm
|
/retest Review the full test history for this PR. Silence the bot with an |
2 similar comments
|
/retest Review the full test history for this PR. Silence the bot with an |
|
/retest Review the full test history for this PR. Silence the bot with an |
|
@Arvinderpal there is a "release-notes" tool that picks these and autogenerates a change log. |
|
@neolit123 Done. |
|
@Arvinderpal yes, AFAIK the tool operates on existing merged PRs, so having it only fixed here should be fine. |
What type of PR is this?
/kind feature
What this PR does / why we need it:
The PR brings necessary dual-stack related changes to --pod-network-cidr handling in kubeadm.
See kubernetes/kubeadm#1612 for the complete list of kubeadm changes.
Implements:
--pod-network-cidrsupport a comma separated list of pod CIDRs. This flag is passed to the kube-controller-manager and kube-proxy.For building a test dual-stack cluster using kubeadm, within the kubeadm config, we must enable this feature. For example:
For a vagrant based test cluster, please see the
dual-stackbranch of this project (https://github.com/Nordix/k8s-ipv6/tree/dual-stack) or DM on slack.Does this PR introduce a user-facing change?: