Dual-Stack Integration with Kubeadm #79033
Hi @Arvinderpal. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@Arvinderpal: GitHub didn't allow me to assign the following users: aojea. Note that only kubernetes members and repo collaborators can be assigned and that issues/PRs can only have 10 assignees at the same time. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/sig cluster-lifecycle
/priority important-soon
if len(c.PodSubnet) != 0 { | ||
allErrs = append(allErrs, ValidateIPNetFromString(c.PodSubnet, constants.MinimumAddressesInServiceSubnet, field.NewPath("podSubnet"))...) | ||
allErrs = append(allErrs, ValidatePodSubnetsFromString(c.PodSubnet, field.NewPath("podSubnet"))...) |
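Review bot: The ValidatePodSubnetsFromString call on the last line takes no minimum-size argument, while the ValidateIPNetFromString call above it passes constants.MinimumAddressesInServiceSubnet. If the new call replaces the old one, confirm that every entry of a comma-separated podSubnet is still checked against a minimum size; if both calls stay, the first one is handed the whole comma-separated string, so check that it still behaves for a list. A unit test with a single CIDR, a valid pair and a malformed entry would pin this down.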
this is only going to be a comma separated list if the feature is enabled, right?
if utilfeature.DefaultFeatureGate.Enabled(kubefeatures.IPv6DualStack), otherwise it has to work as always
I've looked through the feature-gate code in kubeadm, and from what I can tell feature-gates only apply to k8s components like api, kubelet, etc. For example, here is my kubeadm init config file. I'm enabling dual-stack in individual components.
There is also a top level featureGate at the ClusterConfig level; however, this throws an error.
kind: ClusterConfiguration
...
featureGates:
  IPv6DualStack: true
Error:
featureGates: Invalid value: map[string]bool{"IPv6DualStack":true}: IPv6DualStack is not a valid feature name
Perhaps the kubeadm folks can shed some light here. @neolit123 @yastij do you know?
IMO, the following works whether the config.ClusterCIDR is a single IP or a list of IPs, so it should be safe to use:
cidrs := strings.Split(config.ClusterCIDR, ",")
so on slack i said "maybe we can avoid feature gates for this", but we probably shouldn't given we are toggling an alpha feature for a number of components that can cause problems that we cannot predict:
https://github.com/kubernetes/kubernetes/blob/master/pkg/features/kube_features.go#L538
kubeadm maintains its own way of doing feature gates (for reasons).
please, have a look at:
https://github.com/kubernetes/kubernetes/blob/master/cmd/kubeadm/app/features/features.go#L41
the unit tests should provide an example of how to use this?
kubeadm feature gates are supported in the ClusterConfiguration object (as long as they are registered), they are also supported on the CLI side but we need to double check if all init phases have the --feature-gates flag propagated.
we also need to organize the tasks better:
- first PR that we merge should add the kubeadm gate (should have a release note about the gate addition)
- second PR (this one) should modify the validation to support ",". examine if validation changes are needed based on the gate.
- third PR should add e2e tests under "kubeadm-e2e"
more comments on the implementation:
- as mentioned above validators should/might behave differently, but in my thinking they should not:
  - passing a comma separated list from the config or CLI should be tolerated by the new validators
  - a comma separated list is backwards compatible and a super-set of a field that has a single value, therefore the new validators should be a superset of the previous ones.
  - this lets us get away with supporting "," separated lists in the old configs - e.g. v1beta2
- if the kubeadm gate is enabled all components such as kubelet, control-plane, need the respective k8s feature gate to be passed to them.
- we need to maintain the kubeadm gate until the feature is GA. once it's GA we have to deprecate the feature gate.
- if we decide to deprecate the feature gate we need to follow the deprecation policy of the "state" it's currently at e.g. longer for GA.
@Arvinderpal please ping me on the PR that adds the kubeadm feature gate.
thanks!
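The superset behaviour discussed in the comment above, as an added example that is not part of this PR or of kubeadm's code: a single CIDR validates exactly as before, and a comma-separated list is only accepted when the dual-stack gate is on. The function name, the two-entry limit and the one-IPv4-plus-one-IPv6 rule are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// validatePodSubnets is a hypothetical validator (not kubeadm's ValidatePodSubnetsFromString).
// A single CIDR is always accepted, as before. A comma-separated pair is accepted only when
// dualStack is true and the pair holds one IPv4 and one IPv6 network (assumed rule).
func validatePodSubnets(podSubnet string, dualStack bool) []error {
	cidrs := strings.Split(podSubnet, ",")
	if len(cidrs) > 1 && !dualStack {
		return []error{fmt.Errorf("podSubnet %q: a list requires the dual-stack gate", podSubnet)}
	}
	if len(cidrs) > 2 {
		return []error{fmt.Errorf("podSubnet %q: at most two CIDRs are expected", podSubnet)}
	}
	var errs []error
	v4, v6 := 0, 0
	for _, c := range cidrs {
		_, ipnet, err := net.ParseCIDR(strings.TrimSpace(c))
		if err != nil {
			errs = append(errs, fmt.Errorf("podSubnet entry %q: %v", c, err))
			continue
		}
		if ipnet.IP.To4() != nil {
			v4++
		} else {
			v6++
		}
	}
	if len(errs) == 0 && len(cidrs) == 2 && (v4 != 1 || v6 != 1) {
		errs = append(errs, fmt.Errorf("podSubnet %q: expected one IPv4 and one IPv6 CIDR", podSubnet))
	}
	return errs
}

func main() {
	// Constructed sample values, not taken from the PR.
	samples := []string{"10.244.0.0/16", "10.244.0.0/16,fd00:10:244::/64", "10.244.0.0/16,10.245.0.0/16", "10.244.0.0/33"}
	for _, s := range samples {
		fmt.Printf("%-36s gate off: %d errors, gate on: %d errors\n",
			s, len(validatePodSubnets(s, false)), len(validatePodSubnets(s, true)))
	}
}
```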
> so on slack i said "maybe we can avoid feature gates for this", but we probably shouldn't given we are toggling an alpha feature for a number of components that can cause problems that we cannot predict:
Ok. I will look at adding feature-gate in kubeadm as well.
> we also need to organize the tasks better:
> - first PR that we merge should add the kubeadm gate (should have a release note about the gate addition)
> - second PR (this one) should modify the validation to support ",". examine if validation changes are needed based on the gate.
> - third PR should add e2e tests under "kubeadm-e2e"
Ok. I have updated the tracking ticket and will use that to track current and future tasks. kubernetes/kubeadm#1612
> @Arvinderpal please ping me on the PR that adds the kubeadm feature gate.
Will do! Thanks.
@Arvinderpal please remove the WIP when you think it's OK.
leaving the LGTM to someone else.
thanks.
/approve
/ok-to-test
@@ -28,6 +28,7 @@ import ( | |||
"k8s.io/apimachinery/pkg/util/validation/field" | |||
componentbaseconfig "k8s.io/component-base/config" | |||
apivalidation "k8s.io/kubernetes/pkg/apis/core/validation" | |||
kubefeatures "k8s.io/kubernetes/pkg/features" |
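Review bot: The kubefeatures import added on the last line makes k8s.io/kubernetes/pkg/features a new dependency of this validation package, and no use of it is visible in this hunk. Make sure the gate check that needs it lands in the same commit, since an unused import does not compile in Go, and regenerate the BUILD files so the new dependency is declared.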
this might complicate things for kubernetes/kubeadm#1600, I'd suggest dropping this import.
cc @neolit123 @rosti
but this import is in pkg/proxy....validation and not cmd/kubeadm.
kubeadm does not import pkg/features (last time i've checked). why do you see this as a problem?
my bad, I thought I was reading on cmd/kubeadm
@Arvinderpal - can you run hack/update-bazel.sh to reflect the introduced imports on the BUILD files?
Done!
0caa164 to 3a8eb00
looks like there are some failing unit tests related to the kube-proxy validation. nothing major:
separated pod CIDRs. Dual-stack feature must be enabled for the validation to be done.
CIDRs. This is a necessary change for dual-stack.
3a8eb00 to 3ac7ae6
@timothysc I believe I have addressed the change that you requested -- see e2e test PR. If all looks well, then please remove the change request. :)
@Arvinderpal this looks good on the kubeadm side, but we need an approved on the kube-proxy side: looks like @thockin is the only approver in the file.
Thanks! /approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Arvinderpal, neolit123, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/lgtm ping @timothysc :)
/retest Review the full test history for this PR. Silence the bot with an
@Arvinderpal there is a "release-notes" tool that picks these and autogenerates a change log.
@neolit123 Done.
@Arvinderpal yes, AFAIK the tool operates on existing merged PRs, so having it only fixed here should be fine.
What type of PR is this?
/kind feature
What this PR does / why we need it:
The PR brings necessary dual-stack related changes to --pod-network-cidr handling in kubeadm.
See kubernetes/kubeadm#1612 for the complete list of kubeadm changes.
Implements:
--pod-network-cidr support a comma separated list of pod CIDRs. This flag is passed to the kube-controller-manager and kube-proxy.
For building a test dual-stack cluster using kubeadm, within the kubeadm config, we must enable this feature. For example:
For a vagrant based test cluster, please see the dual-stack branch of this project (https://github.com/Nordix/k8s-ipv6/tree/dual-stack) or DM on slack.
Does this PR introduce a user-facing change?: