Network plugin binding API: Support CNI plugins

[ormergi]

What this PR does / why we need it:
This PR implement the Network binding plugin API's Pod Creation & Definition integration point [1], enable invoking CNIs to configure virt-launcher pod network namespace.

How it works:
Similar to secondary networks, the binding plugin CNI is invoked by Multus, its necessary to define a NetworkAttachmentDefiniton for the bidning plugin.
Kubevirt will add the requested binding plugin NetworkAttachmentDefiniton to virt-launcher pod's Multus network selection annotation.
When the pod is created, its CNI chain will be invoked including the required binding plugin CNI.

How to use:
Given a network binding plugin 'dummy' that require invoking CNI.

Create NetworkAttachmentDefinition with the CNI(s) config for the binding plugin:

apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: network-binding-dummy
spec:
  config: |
    {
      "cniVersion":"0.3.1",
      "name": "network-binding-dummy",
      "plugins": [
          {   
              "type": "templatecni"
          }
      ]
    }

templatecni source [2]

Enable network binding plugins feature and register the plugin and its NetwrokAttachmentDefinition in Kubevirt config:

  apiVersion: kubevirt.io/v1
  kind: KubeVirt
  metadata:
    name: kubevirt
    namespace: kubevirt
  spec:
    configuration:
      developerConfiguration:
        featureGates:
        - NetworkBindingPlugins
      network:
        binding:
          dummy:
            networkAttachmentDefinition: dummy-net-binding
. . .

Specify the binding in the VM spec:

apiVersion: kubevirt.io/v1
kind: VirtualMachineInstance
metadata:
  name: vmi-dummy-cni
spec:
  domain:
    devices:
      interfaces:
        - name: mgmt
          binding:
            name: dummy
. . .

virt-launcher pod's Multus network selection annotation include the required binding NetworkAttachmentDefinition :

apiVersion: v1
kind: Pod
metadata:
  name: virt-launcher-vmi-dummy-cni-jjphk
  annotations:
    kubectl.kubernetes.io/default-container: compute
    kubevirt.io/domain: vmi-dummy-cni
    k8s.v1.cni.cncf.io/networks: '[
       . . . 
       {"name":"network-binding-dummy","namespace":"default","interface":"pod4ccb1906e14"},
    ]'
. . .

[1] Network binding plugin API design: https://docs.google.com/document/d/13fLaqZuM8El_CT5XzxPv-1epKsB1-Spv_jtXveEkkdQ#heading=h.qcw5usdbc0nx
[2] templatecni source: https://github.com/EdDev/template-cni

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:
Last commit fixes virt-controller vmi_test.go unit tests, it required some more changes thus moved to new commit.

Checklist

This checklist is not enforcing, but it's a reminder of items that could be relevant to every PR.
Approvers are expected to review this list.

• Design: A design document was considered and is present (link) or not required
• PR: The PR description is expressive enough and will help future contributors
• Code: Write code that humans can understand and Keep it simple
• Refactor: You have left the code cleaner than you found it (Boy Scout Rule)
• Upgrade: Impact of this change on upgrade flows was considered and addressed if required
• Testing: New code requires new unit tests. New features and bug fixes require at least on e2e test
• Documentation: A user-guide update was considered and is present (link) or not required. You want a user-guide update if it's a user facing feature / API change.
• Community: Announcement to kubevirt-dev was considered

Release note:

Network binding plugin API support CNIs, new integration point on virt-launcher pod creation.

[EdDev]

Reviewed the 1st two commits.

[EdDev]

references to a NetworkAttachmentDefinition CR object.

[ormergi]

Done

[EdDev]

networkName is confusing, I would suggest to make it a simple name.

[ormergi]

Done

[EdDev]

This is suppose to come immediately after the "base" CNI, not after all of the previous ones.

I am also unsure if it is correct to pass podInterfaceName in. Have we defined in the design that the way to correlate between the CNI and the network is the pod interface name?

[ormergi]

This is suppose to come immediately after the "base" CNI, not after all of the previous ones.

I dont think there is difference as long as the "base" CNI invoked before the plugin CNI, right after the "base" or after other interfaces CNIs.
Anyhow I dont mind moving it, fixed.

I am also unsure if it is correct to pass podInterfaceName in

It seems that it wont work for CNIs that relays on it and config already exising interface with the same name.
I changed it to pass CNI args with the pod interface name for now.

[EdDev]

I dont think there is difference as long as the "base" CNI invoked before the plugin CNI, right after the "base" or after other interfaces CNIs

There is a difference: Resources will not be allocated for the next interface if the current injected CNI fails to configure the pod. It will also allow potential collisions to be detected in the correct order (in case the binding CNI/s touch some shared thing).

[EdDev]

There has been no logic change in template.go, so I would not expect these tests to be added here.

All logic seems to have been added to multus_annotations.go. Can you test it in that context?

[ormergi]

Tests moved to multus_annotation_test.go

[EdDev]

We are missing e2e tests, which IMO are a must when we touch the public API.

[EdDev]

I am unclear what code we are testing here as a unit.
At the VMI controller logic, I do not think we changed anything. We changed lower level logic which can be validated as a smaller unit.

[ormergi]

These are no new tests, those changes adapt the existing tests to the new code changes, that is GenerateMultusCNIAnnotationdepends on virtconfig.ClusterConfig

[EdDev]

Sorry, I do not understand why there is a need to update the annotations in a different way due to the changes in this PR. Please explain what did not work, because I would expect everything to keep on working as is without us needing to change anything, except perhaps the function signature.

[EdDev]

Ok, now I understand.
I agree with @AlonaKaplan on her comment [1], that would probably solve the distributed changes in these tests and clarify why it was needed.

[AlonaKaplan]

Tiny typo in the NAd name - netwotk-binding-dummy (both in the NAD and the pod defenition).

[AlonaKaplan]

I think this method is used when an interface is hotplugged as well.

As we don't support hotplugging a side car, I don't think that in this stage we should support hotplugging a CNI.

[EdDev]

Isn't the hotplug limited to the core bridge binding?

[ormergi]

As we don't support hotplugging a side car, I don't think that in this stage we should support hotplugging a CNI.

Done, I had to do some refactoring around multus annotation generating code to enable more granularity,
see the last commit.

Isn't the hotplug limited to the core bridge binding?

It is, but since the pod may end up with additional interface

[EdDev]

It is, but since the pod may end up with additional interface

I do not understand what this means.
What is the reasoning for complicating the code flow at this stage? (I am commenting here before looking at the changes)

[ormergi]

In case of interface hotplug where the interface specifies a binding plugin and the plugin has a NAD registered, virt controller VMI controller will the pod Multus annotation and it will have the binding NAD.

[AlonaKaplan]

Isn't the hotplug limited to the core bridge binding?

@EdDev yes, it is limited. But once you have a bridge interface to hotplug, the whole network annotation for all the interface will be recalculated.
We have special code for SRIOV to avoid adding not plugged SRIOV interfaces to the annotation. We can add the same for plugin binding,

EDIT: On the other hand, virt-controller won't copy binding plugin interface from the VM to the VMI (same as for any other binding that is not bridge or SRIOV) so I think Eddy is right. Nothing should be done.

[EdDev]

I'm confused.
We are not doing this for other bindings, e.g. masquerade, macvtap, passt, etc. We are not filtering them, and I do not understand how this is different.

We already depend on something else to filter the requests.
The only reason we had the SR-IOV check is that it depends on the actual state. That is a different logic.

So, if you think this is really needed, I would expect this to be done to all other binding types.

[AlonaKaplan]

I would also add a test for a ns/name nad name.
And as Eddy said, the test fit more mutlus_annotations_test.go.

[ormergi]

Done

[EdDev]

I have passed though all commits except the last.

[EdDev]

I dont think there is difference as long as the "base" CNI invoked before the plugin CNI, right after the "base" or after other interfaces CNIs

There is a difference: Resources will not be allocated for the next interface if the current injected CNI fails to configure the pod. It will also allow potential collisions to be detected in the correct order (in case the binding CNI/s touch some shared thing).

[EdDev]

You are still passing in the pod interface name, I do not understand why and how it is helpful for a general binding CNI. Why we are not passing the logical network name?

[ormergi]

Following offline discussion I changed it to the "logical" network name.

[EdDev]

I'm confused.
We are not doing this for other bindings, e.g. masquerade, macvtap, passt, etc. We are not filtering them, and I do not understand how this is different.

We already depend on something else to filter the requests.
The only reason we had the SR-IOV check is that it depends on the actual state. That is a different logic.

So, if you think this is really needed, I would expect this to be done to all other binding types.

[EdDev]

This needs to be documented on the commit and PRm it defines an API between kubevirt and the custom binding CNI.

And in this context, I do not think name is expressing what is provided here. ("name" of what?)

[ormergi]

This needs to be documented on the commit and PRm it defines an API between kubevirt and the custom binding CNI.

Done

And in this context, I do not think name is expressing what is provided here. ("name" of what?)

Changed to 'vm-network-name' following offline discussion.

[EdDev]

I think you should create a helper that gets a list of bindings and returns the config.

[ormergi]

Done

[EdDev]

I do not think we should use a common setup and then in one incident override it completely.
The common setup should consist of the common things, then you can modify it in each test.
If there is no common setup, then pass it to each test or use helpers to call them from the tests.

[ormergi]

Done

[EdDev]

Sorry, I do not understand why there is a need to update the annotations in a different way due to the changes in this PR. Please explain what did not work, because I would expect everything to keep on working as is without us needing to change anything, except perhaps the function signature.

[AlonaKaplan]

s/couldnt/couldn't

[ormergi]

Fixed, rephrased to "unable to find..."

[AlonaKaplan]

Please introduce NewPodForVirtualMachineWithMutlusAnnotations method instead of copy pasting it multiple times.

[ormergi]

Done

[EdDev]

This will become a formal API between kubevirt and its binding CNI(s).
I think it needs to be a constant with a good description. In the future, it should probably be elevated to a binding API package.

[ormergi]

Done

[EdDev]

nit: couldn't or could not or my preferred one: unable to find the network ...

[ormergi]

Done

[EdDev]

Thank you!

[AlonaKaplan]

No need to remove this one.

[ormergi]

Note that this test is context of hotplug interface tests, and NewPodForVirtualMachineWithMultusAnnotations() set multus annotation on the pod.

[AlonaKaplan]

/approve

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: AlonaKaplan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [AlonaKaplan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[ormergi]

/test pull-kubevirt-e2e-k8s-1.26-sig-compute

[ormergi]

/cherry-pick release-1.1

[kubevirt-bot]

@ormergi: new pull request could not be created: failed to create pull request against kubevirt/kubevirt#release-1.1 from head kubevirt-bot:cherry-pick-10568-to-release-1.1: status code 422 not one of [201], body: {"message":"Validation Failed","errors":[{"resource":"PullRequest","code":"custom","message":"No commits between kubevirt:release-1.1 and kubevirt-bot:cherry-pick-10568-to-release-1.1"}],"documentation_url":"https://docs.github.com/rest/pulls/pulls#create-a-pull-request"}

In response to this:

/cherry-pick release-1.1

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.