Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[kubelet]: verify ipv6 is enabled before adding ipv6 entries to hosts file #124758

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[kubelet]: verify ipv6 is enabled before adding ipv6 entries to hosts file #124758

wants to merge 1 commit into from
+180 −64

Conversation

HirazawaUi
Copy link
Contributor

What type of PR is this?

/kind bug

What this PR does / why we need it:

we should not add IPv6 entries to /etc/hosts on systems when IPv6 is disabled.

Which issue(s) this PR fixes:

Fixes part of #124686

Special notes for your reviewer:

Does this PR introduce a user-facing change?

When IPv6 is disabled, IPv6 entries are no longer added to the pod's /etc/hosts file.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels May 8, 2024
@k8s-ci-robot k8s-ci-robot added area/kubelet sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/node Categorizes an issue or PR as relevant to SIG Node. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels May 8, 2024
@HirazawaUi
Copy link
Contributor Author

/sig network

@k8s-ci-robot k8s-ci-robot added the sig/network Categorizes an issue or PR as relevant to SIG Network. label May 8, 2024
aojea
aojea reviewed May 8, 2024
View reviewed changes
pkg/kubelet/kubelet_pods.go Outdated Show resolved Hide resolved
aojea
aojea reviewed May 8, 2024
View reviewed changes
pkg/kubelet/kubelet_pods.go Outdated Show resolved Hide resolved
@HirazawaUi HirazawaUi force-pushed the check-loopback-interface branch 2 times, most recently from fbe3b2a to eeff940 Compare May 8, 2024 18:00
bart0sh
bart0sh reviewed May 8, 2024
View reviewed changes
pkg/kubelet/kubelet_pods.go Outdated Show resolved Hide resolved
@bart0sh bart0sh added this to Triage in SIG Node PR Triage May 8, 2024
@HirazawaUi
Copy link
Contributor Author

@danwinship All problems have been fixed.

adrianmoisey
adrianmoisey reviewed May 11, 2024
View reviewed changes
pkg/kubelet/kubelet_pods.go Outdated Show resolved Hide resolved
pkg/kubelet/kubelet_pods.go Outdated Show resolved Hide resolved
@HirazawaUi
Copy link
Contributor Author

/test pull-kubernetes-e2e-gce

@HirazawaUi
Copy link
Contributor Author

/test pull-kubernetes-e2e-kind-ipv6

danwinship
danwinship approved these changes May 14, 2024
View reviewed changes
Copy link
Contributor

@danwinship danwinship left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm but I can't actually approve it

pkg/kubelet/kubelet_pods.go Outdated Show resolved Hide resolved
pkg/kubelet/kubelet_pods.go Outdated Show resolved Hide resolved
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: danwinship, HirazawaUi
Once this PR has been reviewed and has the lgtm label, please assign derekwaynecarr for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@fedebongio
Copy link
Contributor

/remove-sig api-machinery

@k8s-ci-robot k8s-ci-robot removed the sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. label May 14, 2024
@bart0sh
Copy link
Contributor

bart0sh commented May 15, 2024

/triage accepted
/priority important-longterm

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels May 15, 2024
aojea
aojea reviewed May 15, 2024
View reviewed changes
pkg/kubelet/kubelet_pods.go Outdated Show resolved Hide resolved
@bart0sh bart0sh moved this from Triage to Needs Reviewer in SIG Node PR Triage May 15, 2024
thockin
thockin reviewed May 15, 2024
View reviewed changes
pkg/kubelet/kubelet_pods.go Outdated Show resolved Hide resolved
pkg/kubelet/kubelet_pods.go Outdated Show resolved Hide resolved
pkg/kubelet/kubelet_pods.go Outdated Show resolved Hide resolved
pkg/kubelet/kubelet_pods.go Outdated Show resolved Hide resolved
pkg/kubelet/kubelet_pods_test.go Outdated Show resolved Hide resolved
thockin
thockin reviewed May 16, 2024
View reviewed changes
pkg/kubelet/kubelet_pods.go Outdated
@@ -85,6 +86,8 @@ const (
kubeletUser = "kubelet"
)

const sysctlAllDisableIPv6 = "/proc/sys/net/ipv6/conf/all/disable_ipv6"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this moved the wrong direction, but I'm not really as deep in SIG node as I once was. I feel like this SHOULD be passing a sysctl.Interface to be used, rather than hard-coding a path and doing manual parsing. It's rather inconsequential since we don't have tests for ensureHostsFile. We shouldm and if we did we would not be able to just read from /proc.

@mrunalp @SergeyKanzhelev how much do you care about this? It's minor in the grand scheme of things.

I suggest one of two paths:

  1. Go back to utilsysctl.New().GetSysctl() and leave a "TODO" comment that this should be injected by the caller.

  2. Create a kubelet-level sysctl.Interface early, store it, and pass it as an argument to ensureHostsFile (or make that a method which reads the Kubelet.sysctl.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This could be a fun starter project for someone - find all the places in kubelet that use sysctl and make them all use an injected sysctl.Interface, which is created early in Kubelet's lifecycle.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. Create a kubelet-level sysctl.Interface early, store it, and pass it as an argument to ensureHostsFile (or make that a method which reads the Kubelet.sysctl.

I think it would be better to add sysctl.Interface in the kubelet struct and pass it on, although we need to span makeMounts -> makeHostsMount -> ensureHostsFile -> managedHostsFileContent......

find all the places in kubelet that use sysctl and make them all use an injected sysctl.Interface

We currently only use it in setupKernelTunables.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would be better to add ...

I agree, though after writing it, I am not sure that should be in THIS PR. I'd like someone more involved in kubelet to decide if that's important enough to do right now

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, let's keep it until sig-node's approver makes the decision.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the previous form (utilsysctl.New) is better than this, and the change to injected sysctl.Interface will be simpler

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reverted.

@HirazawaUi HirazawaUi force-pushed the check-loopback-interface branch 2 times, most recently from a3c9a59 to 6f1b534 Compare May 16, 2024 17:14
bart0sh
bart0sh reviewed May 16, 2024
View reviewed changes
pkg/kubelet/kubelet_pods.go
@@ -85,6 +87,8 @@ const (
kubeletUser = "kubelet"
)

const sysctlAllDisableIPv6 = "net/ipv6/conf/all/disable_ipv6"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd suggest to move this constant to the utilsysctl module as it already has similar constants used by Kubelet: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/component-helpers/node/util/sysctl/sysctl.go#L27-L46

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I considered doing this, but ultimately decided to put it on the caller.

The sysctl is not quite in the same category as those in the utilsysctl module, and perhaps we should be cautious about adding constants to k8s.io/component-helpers unless we use it in multiple components.

@HirazawaUi
Copy link
Contributor Author

/retest

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@PaulFurtado PaulFurtado PaulFurtado left review comments

@adrianmoisey adrianmoisey adrianmoisey left review comments

@thockin thockin thockin left review comments

@aojea aojea aojea left review comments

@bart0sh bart0sh bart0sh left review comments

@cndoit18 cndoit18 cndoit18 left review comments

@danwinship danwinship danwinship approved these changes

@SergeyKanzhelev SergeyKanzhelev Awaiting requested review from SergeyKanzhelev

@sttts sttts Awaiting requested review from sttts

Assignees
No one assigned
Labels
area/kubelet cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/network Categorizes an issue or PR as relevant to SIG Network. sig/node Categorizes an issue or PR as relevant to SIG Node. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG Node PR Triage
Status: Needs Reviewer
SIG Node PR Triage
Needs Reviewer
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
10 participants
@HirazawaUi @k8s-ci-robot @fedebongio @bart0sh @danwinship @PaulFurtado @adrianmoisey @thockin @aojea @cndoit18