[kube-proxy/ipvs] Add flag to enable strict ARP #75295

Merged
merged 1 commit into from Mar 20, 2019

Conversation

@lbernail
Contributor

commented Mar 12, 2019

What type of PR is this?
/kind bug

Not exactly a bug but a regression for some users which use CNI plugins not compatible with this change.

What this PR does / why we need it:
#70530 introduced a change to avoid answering ARP queries for addresses bound to kube-ipvs0 (this broke some setups). However, some CNI plugins use unnumbered ptp links between containers and host and this change breaks ARP for them. This PR adds a flag to control this behavior. It's not enabled by default to avoid breaking existing setups when upgrading (note that if a user has run a version that configures the sysctls they will need to change it back, kube-proxy won't do it).

Which issue(s) this PR fixes:
Fixes #71555
Fixes #72779

Note for reviewers:
We discussed alternatives in both issues (see above) and this one seems the best trade-off:

  • does not require an arptable rule per service
  • does not break existing setups
  • adds an option to address issues faced by some users

It's the first time I'm adding a flag so I may have missed something. I tried to find a flag name that was clear and not too long but we can change it of course.

Does this PR introduce a user-facing change?:

[IPVS] Introduces flag ipvs-strict-arp to configure stricter ARP sysctls, defaulting to false to preserve existing behaviors. This was enabled by default in 1.13.0, which impacted a few CNI plugins.

/sig network
/area ipvs
/assign @m1093782566

cc @kvaps
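
A node-side check for the caveat in the PR description (kube-proxy does not revert the sysctls once an earlier version has set them), as an added example that is not part of the PR or of kube-proxy. It assumes strict ARP corresponds to `net.ipv4.conf.all.arp_ignore=1` and `net.ipv4.conf.all.arp_announce=2`, which the page does not spell out; `arp_state` and `check_drift` are hypothetical helper names and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: compare the node's ARP sysctls with the intended
# ipvs-strict-arp setting. Assumption (not on the page): strict ARP means
# conf/all/arp_ignore >= 1 and conf/all/arp_announce >= 2.

# arp_state [PROC_ROOT] -> prints strict | relaxed | partial
arp_state() {
    root="${1:-/proc}"
    conf="$root/sys/net/ipv4/conf/all"
    ignore=$(cat "$conf/arp_ignore" 2>/dev/null) || return 2
    announce=$(cat "$conf/arp_announce" 2>/dev/null) || return 2
    if [ "$ignore" -ge 1 ] && [ "$announce" -ge 2 ]; then
        echo strict
    elif [ "$ignore" -eq 0 ] && [ "$announce" -eq 0 ]; then
        echo relaxed
    else
        echo partial
    fi
}

# check_drift WANT_STRICT [PROC_ROOT]
#   WANT_STRICT is "true" or "false", mirroring the ipvs-strict-arp flag.
#   ok           sysctls match the flag
#   stale-strict flag is off but the sysctls are still strict, e.g. left
#                behind by a release that set them unconditionally
#   not-applied  flag is on but the sysctls are not strict
#   partial      flag is off and only one of the two sysctls is raised
check_drift() {
    want="$1"
    state=$(arp_state "$2") || { echo unreadable; return 2; }
    case "$want:$state" in
        true:strict|false:relaxed) echo ok ;;
        false:strict)              echo stale-strict ;;
        true:*)                    echo not-applied ;;
        *)                         echo "$state" ;;
    esac
}

# Constructed sample: a fake proc tree with the strict values still in place
# on a node whose kube-proxy now runs with the flag left at its default.
demo=$(mktemp -d)
mkdir -p "$demo/sys/net/ipv4/conf/all"
echo 1 > "$demo/sys/net/ipv4/conf/all/arp_ignore"
echo 2 > "$demo/sys/net/ipv4/conf/all/arp_announce"
echo "flag=false, sysctls strict: $(check_drift false "$demo")"
rm -rf "$demo"
```

Run `check_drift false` with no second argument to read the live values under `/proc`; a `stale-strict` result on a node whose CNI plugin uses unnumbered ptp links means the two sysctls have to be reset by hand.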

@k8s-ci-robot

Contributor

commented Mar 12, 2019

Hi @lbernail. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@fejta-bot


commented Mar 12, 2019

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

@m1093782566

Member

commented Mar 13, 2019

/ok-to-test

/assign @thockin

for API review.

@lbernail

Contributor Author

commented Mar 13, 2019

/test pull-kubernetes-kubemark-e2e-gce-big

@thockin
Member

left a comment

I'll approve, but @m1093782566 holds LGTM

/approve

@k8s-ci-robot

Contributor

commented Mar 13, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lbernail, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@m1093782566

Member

commented Mar 19, 2019

/lgtm

Thanks @lbernail for contributing IPVS 👍

@k8s-ci-robot k8s-ci-robot added the lgtm label Mar 19, 2019

@k8s-ci-robot k8s-ci-robot merged commit 59140d6 into kubernetes:master Mar 20, 2019

17 checks passed

cla/linuxfoundation lbernail authorized
pull-kubernetes-bazel-build Job succeeded.
pull-kubernetes-bazel-test Job succeeded.
pull-kubernetes-conformance-image-test Skipped.
pull-kubernetes-cross Skipped.
pull-kubernetes-e2e-gce Job succeeded.
pull-kubernetes-e2e-gce-100-performance Job succeeded.
pull-kubernetes-e2e-gce-device-plugin-gpu Job succeeded.
pull-kubernetes-godeps Job succeeded.
pull-kubernetes-integration Job succeeded.
pull-kubernetes-kubemark-e2e-gce-big Job succeeded.
pull-kubernetes-local-e2e Skipped.
pull-kubernetes-node-e2e Job succeeded.
pull-kubernetes-typecheck Job succeeded.
pull-kubernetes-verify Job succeeded.
pull-publishing-bot-validate Skipped.
tide In merge pool.
k8s-ci-robot added a commit that referenced this pull request Apr 4, 2019
Merge pull request #75720 from DataDog/automated-cherry-pick-of-#7529…
…5-upstream-release-1.13

Automated cherry pick of #75295 upstream release 1.13
@ymmt2005 ymmt2005 referenced this pull request Apr 5, 2019
3 of 3 tasks complete
k8s-ci-robot added a commit that referenced this pull request Apr 30, 2019
Merge pull request #75719 from DataDog/automated-cherry-pick-of-#7529…
…5-upstream-release-1.14

Automated cherry pick of #75295 upstream release 1.14
@lbernail lbernail referenced this pull request May 13, 2019
6 of 6 tasks complete
@ymmt2005 ymmt2005 referenced this pull request Aug 4, 2019
4 of 4 tasks complete
champtar added a commit to champtar/kubespray that referenced this pull request Sep 17, 2019
kube-proxy/ipvs: allow to configure strict ARP
strict ARP flag was added by
kubernetes/kubernetes#75295

It's disabled by default to not break some CNI, including flannel
so we leave it off by default

We must enable it for MetalLB to work
danderson/metallb#153 (comment)
so fail MetalLB roles if it's not enabled