-
Notifications
You must be signed in to change notification settings - Fork 467
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ability to provide customise intra-host communication #7754
Comments
we don't plan to implement a way to customize Flannel so far, but you can disable Flannel in Talos and bring your own manifest with the desired configuration |
Would you be open to this change if I worked on it @smira? |
It's more of a question how far we want to go. There are many ways to customize Flannel, I almost wonder if we could be more flexible by allowing to update some of the bootstrap manifests (override them). I don't think that templating Flannel manifest even more would help to solve all cases. Do you have a diff of standard Talos manifest vs. what it should be to support the custom interface option? |
Overriding the bootstrap manifests would be nice, and more configurable for other cases. I'd like to avoid using our own manifest as then there's potential for drift on Talos upgrades that we don't track, especially when it's for something as simple as extra args. It seems a bit counter intuitive to have so much customisability of the networking in general but then force users to replace the whole CNI manifest if they want to change anything for their own setup. In terms of diff, I feel covering most cases would be allowing extra arguments here. In our case, it would just be adding |
Let me think about it to understand what can be done here. |
I haven't forgotten about the issue, but I still don't have any good ideas |
Thank you both for discussing this and @smira for considering it! @jleeh Would the following suggestion work for your use case as well? Adding With Talos v1.5 introducing predictable Network Interface Names (incl. Mac addressed based NIC names), the --iface-can-reach="":
detect interface to use (IP or name) for inter-host communication
based on which will be used for provided IP. This is exactly the interface to
use of command "ip route get <ip-address>" (example: --iface-can-reach=192.168.1.1
results the interface can be reached to 192.168.1.1 will be selected) I was also looking into a way to bind the apid port to solely the private network interface on the public facing worker nodes (related to #1836). Hmm, could it be an idea to introduce a single Could there be a reason why one would want to configure the overlay network and apid/trustd daemons to use different inter-host communication paths? The potential flannel DaemonSet template change: diff --git a/pkg/flannel/template.go b/pkg/flannel/template.go
index f768939..42adc0a 100644
--- a/pkg/flannel/template.go
+++ b/pkg/flannel/template.go
@@ -147,6 +147,9 @@ spec:
- args:
- --ip-masq
- --kube-subnet-mgr
+ {{- if .bindIfaceCanReach }}
+ - --iface-can-reach={{ .bindIfaceCanReach }}
+ {{- end }}
command:
- /opt/bin/flanneld
env: |
@smira Ah, thank you for pointing out: #4421. Didn't see that one, that's even better! 🎉 Right, passing it through I like your approach. 👍 Feels like the cleanest and most correct way to go about it. |
Thanks @tuhtah, having After this change, we would no longer have any label/spec of the public IP assigned to the node. Currently Flannel adds the IP it communicates over as a label and that's how we fetch the public IP of nodes, needed for some of the apps we run. Flannel has the public IP flag, but that accepts only an IP vs interface in the case of NAT. It's outside the scope of this ticket, but it'd be good for Talos to have support to add external IPs to nodes like found with public subnets in cloud k8s. |
That is Kubernetes cloud controller manager job, not something Talos should do. |
Sure. Will revert to static IP with manual labels, seems overkill to develop a custom CCM just for that. Open to it though if there's any potential other usecase. |
@jleeh On my setup, I found the public IP address recorded in the node resource as an "InternalIP": $ kubectl get node mynode -o yaml
[...]
status:
addresses:
- address: XXX.XXX.XXX.XXX
type: InternalIP
- address: mynode
type: Hostname
[...] To get at it one could use: $ kubectl get node zinc -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}' Now we need to spawn a one time job for each node that invokes that kubectl above for each node to add the desired node label. This we could achieve by specifying the yaml in the Talos worker node config under A bit around the block, but maybe this solves your usecase? |
Please disregard my last message. The kubelet needed to be configured ( @jleeh Maybe scripting something around Are we all happy with the |
I don't have any exact idea, but this should probably be |
Feature Request
Add the ability within Talos configuration to provide interfaces that are used as default for intra-host communication.
Description
By default, Flannel will select the interface that has the default route for the interface for inter-host communication as per their docs:
https://github.com/flannel-io/flannel/blob/master/Documentation/configuration.md#key-command-line-options
Within the bare-metal Talos cluster, I have two interfaces to each host: public and private. Since the public interface has the default route, then flannel uses this interface for all intra-host communication.
I would like the ability to specify in Talos configuration which interfaces is used by default within Flannel to be used for intra-communication so I don't mix public & private traffic within the network.
Eg:
The result of the following config would pass in the following CLI arguments into Flannel:
Since flannel requires an IP not an interface for the
public-ip
argument, Talos would have to grab the assigned IP of the interface and pass into flannel.I've also seen this issue describing a similar request, but this is different due to their NAT with Wireguard:
#6134
There should be the ability to customise Flannel without needed to replace the CNI.
The text was updated successfully, but these errors were encountered: