cleanup: Remove deprecated values for KPR

This commit is to remove all deprecated values (strict, disabled, probe and partial) for kubeProxyReplacement. Relates: cilium#26036, cilium#26496 Signed-off-by: Tam Mach <tam.mach@cilium.io>
rzdebskiy · Apr 3, 2024 · a5bbf67 · a5bbf67
1 parent e2e7631
commit a5bbf67
Show file tree

Hide file tree

Showing 17 changed files with 48 additions and 109 deletions.
diff --git a/.github/workflows/tests-ipsec-upgrade.yaml b/.github/workflows/tests-ipsec-upgrade.yaml
@@ -80,15 +80,15 @@ jobs:
             # renovate: datasource=docker depName=quay.io/lvh-images/kind
             kernel: '5.4-20240305.092417'
             kube-proxy: 'iptables'
-            kpr: 'disabled'
+            kpr: 'false'
             tunnel: 'disabled'
             encryption: 'ipsec'
 
           - config: '5.10'
             # renovate: datasource=docker depName=quay.io/lvh-images/kind
             kernel: '5.10-20240305.092417'
             kube-proxy: 'iptables'
-            kpr: 'disabled'
+            kpr: 'false'
             tunnel: 'disabled'
             encryption: 'ipsec'
             endpoint-routes: 'true'
@@ -107,7 +107,7 @@ jobs:
             # renovate: datasource=docker depName=quay.io/lvh-images/kind
             kernel: '6.1-20240305.092417'
             kube-proxy: 'iptables'
-            kpr: 'disabled'
+            kpr: 'false'
             tunnel: 'vxlan'
             encryption: 'ipsec'
             endpoint-routes: 'false'
@@ -116,7 +116,7 @@ jobs:
             # renovate: datasource=docker depName=quay.io/lvh-images/kind
             kernel: 'bpf-next-20240315.012542'
             kube-proxy: 'iptables'
-            kpr: 'disabled'
+            kpr: 'false'
             tunnel: 'vxlan'
             encryption: 'ipsec'
             endpoint-routes: 'true'

diff --git a/Documentation/operations/upgrade.rst b/Documentation/operations/upgrade.rst
@@ -445,6 +445,9 @@ Removed Options
 * The long defunct and undocumented ``single-cluster-route`` flag has been removed.
 
 * Deprecated options ``enable-k8s-event-handover`` and ``cnp-status-update-interval`` has been removed.
+* Deprecated values ``strict``, ``partial``, ``probe`` and ``disabled`` for ``kube-proxy-replacement`` flag have been
+  removed. Please use ``true`` or ``false`` instead. Please refer to :ref:`kube-proxy replacement <kubeproxy-free>`
+  for more details.
 
 Helm Options
 ~~~~~~~~~~~~
@@ -469,6 +472,9 @@ Helm Options
 
 * Values  ``enableK8sEventHandover`` and ``enableCnpStatusUpdates`` have been removed.
 
+* Deprecated values ``strict``, ``partial``, ``probe`` and ``disabled`` for ``kubeProxyReplacement`` option have been
+  removed. Please use ``true`` or ``false`` instead.
+
 Added Metrics
 ~~~~~~~~~~~~~
 

diff --git a/api/v1/models/kube_proxy_replacement.go b/api/v1/models/kube_proxy_replacement.go
diff --git a/api/v1/openapi.yaml b/api/v1/openapi.yaml
@@ -2352,10 +2352,6 @@ definitions:
       mode:
         type: string
         enum:
-        - Disabled
-        - Strict
-        - Probe
-        - Partial
         - 'True'
         - 'False'
       devices:

diff --git a/api/v1/server/embedded_spec.go b/api/v1/server/embedded_spec.go
diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go
@@ -1811,7 +1811,7 @@ func startDaemon(d *Daemon, restoredEndpoints *endpointRestoreState, cleaner *da
 
 	d.startAgentHealthHTTPService()
 	if option.Config.KubeProxyReplacementHealthzBindAddr != "" {
-		if option.Config.KubeProxyReplacement != option.KubeProxyReplacementDisabled {
+		if option.Config.KubeProxyReplacement != option.KubeProxyReplacementFalse {
 			d.startKubeProxyHealthzHTTPService(option.Config.KubeProxyReplacementHealthzBindAddr)
 		}
 	}

diff --git a/daemon/cmd/kube_proxy_replacement.go b/daemon/cmd/kube_proxy_replacement.go
@@ -42,37 +42,12 @@ import (
 // if this function cannot determine the strictness an error is returned and the boolean
 // is false. If an error is returned the boolean is of no meaning.
 func initKubeProxyReplacementOptions(sysctl sysctl.Sysctl, tunnelConfig tunnel.Config) error {
-	if option.Config.KubeProxyReplacement != option.KubeProxyReplacementStrict &&
-		option.Config.KubeProxyReplacement != option.KubeProxyReplacementPartial &&
-		option.Config.KubeProxyReplacement != option.KubeProxyReplacementDisabled &&
-		option.Config.KubeProxyReplacement != option.KubeProxyReplacementTrue &&
+	if option.Config.KubeProxyReplacement != option.KubeProxyReplacementTrue &&
 		option.Config.KubeProxyReplacement != option.KubeProxyReplacementFalse {
 		return fmt.Errorf("Invalid value for --%s: %s", option.KubeProxyReplacement, option.Config.KubeProxyReplacement)
 	}
 
-	if option.Config.KubeProxyReplacement == option.KubeProxyReplacementStrict ||
-		option.Config.KubeProxyReplacement == option.KubeProxyReplacementPartial ||
-		option.Config.KubeProxyReplacement == option.KubeProxyReplacementDisabled {
-		log.Warnf("Deprecated value for --%s: %s (use either \"true\", or \"false\")", option.KubeProxyReplacement, option.Config.KubeProxyReplacement)
-	}
-
-	// This will be removed in v1.15
-	if option.Config.KubeProxyReplacement == option.KubeProxyReplacementDisabled {
-		log.Infof("Auto-disabling %q, %q, %q, %q features and falling back to %q",
-			option.EnableNodePort, option.EnableExternalIPs,
-			option.EnableSocketLB, option.EnableHostPort,
-			option.EnableHostLegacyRouting)
-
-		disableNodePort()
-		option.Config.EnableSocketLB = false
-		option.Config.EnableSocketLBTracing = false
-
-		return nil
-	}
-
-	if option.Config.KubeProxyReplacement == option.KubeProxyReplacementStrict ||
-		option.Config.KubeProxyReplacement == option.KubeProxyReplacementTrue {
-
+	if option.Config.KubeProxyReplacement == option.KubeProxyReplacementTrue {
 		log.Infof("Auto-enabling %q, %q, %q, %q, %q features",
 			option.EnableNodePort, option.EnableExternalIPs,
 			option.EnableSocketLB, option.EnableHostPort,
@@ -85,7 +60,7 @@ func initKubeProxyReplacementOptions(sysctl sysctl.Sysctl, tunnelConfig tunnel.C
 		option.Config.EnableSessionAffinity = true
 	}
 
-	if option.Config.KubeProxyReplacement != option.KubeProxyReplacementDisabled &&
+	if option.Config.KubeProxyReplacement != option.KubeProxyReplacementFalse &&
 		option.Config.EnableEnvoyConfig && !option.Config.EnableIPSec &&
 		!option.Config.EnableNodePort {
 		// CiliumEnvoyConfig L7 LB only works with bpf node port enabled
@@ -425,8 +400,8 @@ func finishKubeProxyReplacementInit(sysctl sysctl.Sysctl) error {
 		// Non-BPF masquerade requires netfilter and hence CT.
 		case option.Config.IptablesMasqueradingEnabled():
 			msg = fmt.Sprintf("BPF host routing requires %s.", option.EnableBPFMasquerade)
-		// KPR=strict is needed or we might rely on netfilter.
-		case option.Config.KubeProxyReplacement != option.KubeProxyReplacementStrict && option.Config.KubeProxyReplacement != option.KubeProxyReplacementTrue:
+		// KPR=true is needed or we might rely on netfilter.
+		case option.Config.KubeProxyReplacement != option.KubeProxyReplacementTrue:
 			msg = fmt.Sprintf("BPF host routing requires %s=%s.", option.KubeProxyReplacement, option.KubeProxyReplacementTrue)
 		default:
 			if probes.HaveProgramHelper(ebpf.SchedCLS, asm.FnRedirectNeigh) != nil ||

diff --git a/daemon/cmd/kube_proxy_replacement_test.go b/daemon/cmd/kube_proxy_replacement_test.go
@@ -114,25 +114,6 @@ func (s *KPRSuite) TestInitKubeProxyReplacementOptions(c *C) {
 			},
 		},
 
-		// KPR disabled: all options disabled except host legacy routing.
-		{
-			"kpr-disabled",
-			func(cfg *kprConfig) {
-				cfg.kubeProxyReplacement = option.KubeProxyReplacementDisabled
-			},
-			kprConfig{
-				enableSocketLB:          false,
-				enableNodePort:          false,
-				enableHostPort:          false,
-				enableExternalIPs:       false,
-				enableSessionAffinity:   false,
-				enableIPSec:             false,
-				enableHostLegacyRouting: true,
-				enableSocketLBTracing:   false,
-				expectedErrorRegex:      "",
-			},
-		},
-
 		// KPR true: all options enabled, host routing disabled.
 		{
 			"kpr-true",
@@ -215,6 +196,26 @@ func (s *KPRSuite) TestInitKubeProxyReplacementOptions(c *C) {
 				enableSocketLBTracing:      true,
 			},
 		},
+
+		// KPR false: all options disabled exception socket LB tracing
+		{
+			"kpr-disabled",
+			func(cfg *kprConfig) {
+				cfg.kubeProxyReplacement = option.KubeProxyReplacementFalse
+			},
+			kprConfig{
+				enableSocketLB:          false,
+				enableNodePort:          false,
+				enableHostPort:          false,
+				enableExternalIPs:       false,
+				enableSessionAffinity:   false,
+				enableIPSec:             false,
+				enableHostLegacyRouting: false,
+				enableSocketLBTracing:   true,
+				expectedErrorRegex:      "",
+			},
+		},
+
 		// KPR false + no conntrack ipt rules: error, needs KPR
 		{
 			"kpr-false+no-conntrack-ipt-rules",

diff --git a/daemon/cmd/status.go b/daemon/cmd/status.go
@@ -231,12 +231,6 @@ func (d *Daemon) getKubeProxyReplacementStatus() *models.KubeProxyReplacement {
 		mode = models.KubeProxyReplacementModeTrue
 	case option.KubeProxyReplacementFalse:
 		mode = models.KubeProxyReplacementModeFalse
-	case option.KubeProxyReplacementStrict:
-		mode = models.KubeProxyReplacementModeStrict
-	case option.KubeProxyReplacementPartial:
-		mode = models.KubeProxyReplacementModePartial
-	case option.KubeProxyReplacementDisabled:
-		mode = models.KubeProxyReplacementModeDisabled
 	}
 
 	devices, _ := datapathTables.SelectedDevices(d.devices, d.db.ReadTxn())

diff --git a/install/kubernetes/cilium/templates/cilium-configmap.yaml b/install/kubernetes/cilium/templates/cilium-configmap.yaml
@@ -66,8 +66,8 @@
   {{- $stringValueKPR = "" -}}
 {{- end}}
 {{- $kubeProxyReplacement := (coalesce $stringValueKPR $defaultKubeProxyReplacement) -}}
-{{- if and (ne $kubeProxyReplacement "disabled") (ne $kubeProxyReplacement "partial") (ne $kubeProxyReplacement "strict") (ne $kubeProxyReplacement "true") (ne $kubeProxyReplacement "false") }}
-  {{ fail "kubeProxyReplacement must be explicitly set to a valid value (true, false, disabled (deprecated), partial (deprecated), or strict (deprecated)) to continue." }}
+{{- if and (ne $kubeProxyReplacement "true") (ne $kubeProxyReplacement "false") }}
+  {{ fail "kubeProxyReplacement must be explicitly set to a valid value (true or false) to continue." }}
 {{- end }}
 {{- $azureUsePrimaryAddress = (coalesce .Values.azure.usePrimaryAddress $azureUsePrimaryAddress) -}}
 {{- $socketLB := (coalesce .Values.socketLB .Values.hostServices) -}}

diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
diff --git a/install/kubernetes/cilium/values.yaml.tmpl b/install/kubernetes/cilium/values.yaml.tmpl
@@ -1764,7 +1764,7 @@ readinessProbe:
   # -- interval between checks of the readiness probe
   periodSeconds: 30
 # -- Configure the kube-proxy replacement in Cilium BPF datapath
-# Valid options are "true", "false", "disabled" (deprecated), "partial" (deprecated), "strict" (deprecated).
+# Valid options are "true" or "false".
 # ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/
 #kubeProxyReplacement: "false"
 

diff --git a/operator/pkg/gateway-api/cell.go b/operator/pkg/gateway-api/cell.go
@@ -99,7 +99,6 @@ func initGatewayAPIController(params gatewayAPIParams) error {
 	}
 
 	if params.GatewayApiConfig.KubeProxyReplacement != option.KubeProxyReplacementTrue &&
-		params.GatewayApiConfig.KubeProxyReplacement != option.KubeProxyReplacementStrict &&
 		!params.GatewayApiConfig.EnableNodePort {
 		params.Logger.Warn("Gateway API support requires either kube-proxy-replacement or enable-node-port enabled")
 		return nil

diff --git a/operator/pkg/ingress/cell.go b/operator/pkg/ingress/cell.go
@@ -99,7 +99,6 @@ func registerReconciler(params ingressParams) error {
 	}
 
 	if params.IngressConfig.KubeProxyReplacement != option.KubeProxyReplacementTrue &&
-		params.IngressConfig.KubeProxyReplacement != option.KubeProxyReplacementStrict &&
 		!params.IngressConfig.EnableNodePort {
 		params.Logger.Warn("Ingress Controller support requires either kube-proxy-replacement or enable-node-port enabled")
 		return nil

diff --git a/pkg/client/client.go b/pkg/client/client.go
@@ -325,7 +325,7 @@ func FormatStatusResponse(w io.Writer, sr *models.StatusResponse, sd StatusDetai
 	}
 	if sr.KubeProxyReplacement != nil {
 		devices := ""
-		if sr.KubeProxyReplacement.Mode != models.KubeProxyReplacementModeDisabled {
+		if sr.KubeProxyReplacement.Mode != models.KubeProxyReplacementModeFalse {
 			for i, dev := range sr.KubeProxyReplacement.DeviceList {
 				kubeProxyDevices += fmt.Sprintf("%s %s", dev.Name, strings.Join(dev.IP, " "))
 				if dev.Name == sr.KubeProxyReplacement.DirectRoutingDevice {

diff --git a/pkg/datapath/tunnel/cell.go b/pkg/datapath/tunnel/cell.go
@@ -33,7 +33,6 @@ var Cell = cell.Module(
 		func(dcfg *option.DaemonConfig) EnablerOut {
 			return NewEnabler(
 				(dcfg.EnableNodePort ||
-					dcfg.KubeProxyReplacement == option.KubeProxyReplacementStrict ||
 					dcfg.KubeProxyReplacement == option.KubeProxyReplacementTrue) &&
 					dcfg.LoadBalancerUsesDSR() &&
 					dcfg.LoadBalancerDSRDispatch == option.DSRDispatchGeneve,

diff --git a/pkg/option/config.go b/pkg/option/config.go
@@ -1269,22 +1269,12 @@ const (
 	// NodePortAccelerationBestEffort means we accelerate NodePort via native XDP in the driver (preferred), but will skip devices without driver support
 	NodePortAccelerationBestEffort = XDPModeBestEffort
 
-	// KubeProxyReplacementPartial specifies to enable only selected kube-proxy
-	// replacement features (might panic)
-	KubeProxyReplacementPartial = "partial"
-
-	// KubeProxyReplacementStrict specifies to enable all kube-proxy replacement
-	// features (might panic)
-	KubeProxyReplacementStrict = "strict"
-
-	// KubeProxyReplacementDisabled specified to completely disable kube-proxy
-	// replacement
-	KubeProxyReplacementDisabled = "disabled"
-
-	// KubeProxyReplacementTrue has the same meaning as previous "strict".
+	// KubeProxyReplacementTrue specifies to enable all kube-proxy replacement
+	// features (might panic).
 	KubeProxyReplacementTrue = "true"
 
-	// KubeProxyReplacementTrue has the same meaning as previous "partial".
+	// KubeProxyReplacementFalse specifies to enable only selected kube-proxy
+	// replacement features (might panic).
 	KubeProxyReplacementFalse = "false"
 
 	// KubeProxyReplacement healthz server bind address
@@ -4101,7 +4091,7 @@ func getDefaultMonitorQueueSize(numCPU int) int {
 func MightAutoDetectDevices() bool {
 	devices := Config.GetDevices()
 	return ((Config.EnableHostFirewall || Config.EnableWireguard || Config.EnableHighScaleIPcache) && len(devices) == 0) ||
-		(Config.KubeProxyReplacement != KubeProxyReplacementDisabled &&
+		(Config.KubeProxyReplacement != KubeProxyReplacementFalse &&
 			(len(devices) == 0 || Config.DirectRoutingDevice == ""))
 }