cri-o+kuryr: Switch to proper netns management

cri-o is not complying with the CNI spec when manage_network_ns_lifecycle isn't set to "true". This affects Kuryr SDN so this commit enables that option when Kuryr is enabled. As in that more reliable mode network namespaces are placed in the standard /run/netns directory we need to mount it into kuryr-cni container in order to be able to access the network namespaces there. This commit does so too.
openshift · Apr 2, 2021 · 41364f0 · 41364f0
1 parent 357bbda
commit 41364f0
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/roles/container_runtime/templates/crio.conf.j2 b/roles/container_runtime/templates/crio.conf.j2
@@ -115,6 +115,12 @@ pids_limit = 1024
 # Negative values indicate that no limit is imposed.
 log_size_max = 52428800
 
+# manage_network_ns_lifecycle determines whether we pin and remove network namespaces
+# and manage their lifecycle
+{% if openshift_use_kuryr|default(false)|bool %}
+manage_network_ns_lifecycle = true
+{% endif %}
+
 # The "crio.image" table contains settings pertaining to the
 # management of OCI images.
 [crio.image]

diff --git a/roles/kuryr/templates/cni-daemonset.yaml.j2 b/roles/kuryr/templates/cni-daemonset.yaml.j2
@@ -136,6 +136,9 @@ spec:
           mountPath: /host_proc
         - name: openvswitch
           mountPath: /var/run/openvswitch
+        - name: netns
+          mountPath: /run/netns
+          mountPropagation: HostToContainer
 {% if enable_kuryr_cni_probes|default(true)|bool %}
         readinessProbe:
           httpGet:
@@ -181,3 +184,6 @@ spec:
         - name: host-var-run
           hostPath:
             path: /var/run
+        - name: netns
+          hostPath:
+            path: /run/netns