
Add Cilium kube-proxy replacement support #7322

Closed
wants to merge 1 commit into from
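--- a/pkg/api/v1alpha1/cluster_types.go
+++ b/pkg/api/v1alpha1/cluster_types.go
@@ -834,6 +834,10 @@
 // +optional
 SkipUpgrade *bool `json:"skipUpgrade,omitempty"`
 
+// EnableKubeProxyReplacement replaces the default kube-proxy with Ciliums builtin functionality.
+// +optional
+EnableKubeProxyReplacement *bool `json:"enableKubeProxyReplacement,omitempty"`
+
 // RoutingMode indicates the routing tunnel mode to use for Cilium. Accepted values are overlay (geneve tunnel with overlay)
 // or direct (tunneling disabled with direct routing)
 // Defaults to overlay.
@@ -863,6 +867,12 @@
 return n.SkipUpgrade == nil || !*n.SkipUpgrade
 }
 
+// IsKubeProxyReplacementEnabled checks if the EnableKubeProxyReplacement flag is true. Nil
+// indicates false.
+func (n *CiliumConfig) IsKubeProxyReplacementEnabled() bool {
+return n.EnableKubeProxyReplacement != nil && *n.EnableKubeProxyReplacement
+}
+
 // KindnetdConfig contains configuration specific to the Kindnetd CNI.
 type KindnetdConfig struct{}
 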
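Review bot: `IsKubeProxyReplacementEnabled` is not exercised by any test in this PR (the Codecov annotation marks lines 872-873 uncovered); a table-driven case over nil, false and true next to the existing `IsManaged` tests would close that gap. Like `IsManaged` just above it, the method dereferences its receiver, so callers must nil-check `Cilium` first — cloudstack's template does, while the call in `pkg/networking/cilium/templater.go` relies on `Cilium` already being non-nil there. The field comment has a typo and should say what else the setting needs to take effect: `// EnableKubeProxyReplacement replaces the default kube-proxy with Cilium's builtin functionality.` followed by `// The kube-proxy addon must be skipped on the control plane for this to have any effect.`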
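--- a/pkg/networking/cilium/templater.go
+++ b/pkg/networking/cilium/templater.go
@@ -245,6 +245,13 @@
 }
 }
 
+if spec.Cluster.Spec.ClusterNetwork.CNIConfig.Cilium.IsKubeProxyReplacementEnabled() {
+// See https://docs.cilium.io/en/v1.13/network/kubernetes/kubeproxy-free/#kube-proxy-hybrid-modes.
+// When upgrading to Cilium> v1.13 this needs to be changed to 'true' as Cilium has simplified the
+// API.
+val["kubeProxyReplacement"] = "strict"
+}
+
 return val
 }
 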
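Review bot: Setting `kubeProxyReplacement` to `strict` on its own looks incomplete: in kube-proxy-free mode the `kubernetes` ClusterIP is not programmed until the agent is up, which is why the kubeproxy-free guide linked in the comment also asks for `k8sServiceHost`/`k8sServicePort` to be set; unless the templater already populates those in `val` elsewhere, the agent on a fresh cluster has no path to the API server. The version note in the comment is ambiguous (`Cilium> v1.13` reads as "greater than 1.13") and would be clearer as `// When upgrading to Cilium >= v1.14, change this to "true"; "strict" is deprecated there.` The Codecov annotation shows these lines are uncovered, so a templater test with the flag set that asserts the rendered value would pin the behaviour. The enclosing function starts outside the hunk.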
6 changes: 6 additions & 0 deletions pkg/providers/cloudstack/config/template-cp.yaml
Expand Up @@ -306,6 +306,12 @@ spec:
timeAdded: {{ .TimeAdded }}
{{- end }}
{{- end }}
{{- end }}
{{- with .kubeadmSkipPhases }}
skipPhases:
{{- range . }}
- {{ . }}
{{- end }}
Curious. Why was this needed?


Why is skipPhases needed or why is end?


skipPhases

{{- end }}
joinConfiguration:
nodeRegistration:
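--- a/pkg/providers/cloudstack/template.go
+++ b/pkg/providers/cloudstack/template.go
@@ -191,6 +191,7 @@ func buildTemplateMapCP(clusterSpec *cluster.Spec) (map[string]interface{}, erro
 "externalEtcdVersion": versionsBundle.KubeDistro.EtcdVersion,
 "etcdImage": versionsBundle.KubeDistro.EtcdImage.VersionedImage(),
 "eksaSystemNamespace": constants.EksaSystemNamespace,
+"kubeadmSkipPhases": []string{},
 }
 
 auditPolicy, err := common.GetAuditPolicy(clusterSpec.Cluster.Spec.KubernetesVersion)
@@ -246,6 +247,13 @@ func buildTemplateMapCP(clusterSpec *cluster.Spec) (map[string]interface{}, erro
 values["encryptionProviderConfig"] = conf
 }
 
+cni := clusterSpec.Cluster.Spec.ClusterNetwork
+if cni.CNIConfig != nil && cni.CNIConfig.Cilium != nil {
+if cni.CNIConfig.Cilium.IsKubeProxyReplacementEnabled() {
+values["kubeadmSkipPhases"] = append(values["kubeadmSkipPhases"].([]string), "addon/kube-proxy")
+}
+}
+
 return values, nil
 }
 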
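Review bot: The skip-phase handling lives only in cloudstack's `buildTemplateMapCP`, while the flag it reads sits on the provider-agnostic `CiliumConfig`; if other providers honour the same field without a matching `skipPhases`, enabling it there would run Cilium in strict mode next to an installed kube-proxy, so the flag should either be rejected in validation for unsupported providers or documented as cloudstack-only. Minor: `append(values["kubeadmSkipPhases"].([]string), ...)` re-reads and type-asserts a map entry set a few lines up; assigning `values["kubeadmSkipPhases"] = []string{"addon/kube-proxy"}` inside the branch (or collecting the phases in a local slice before the map is built) drops the assertion. The function starts outside the hunk.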
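--- a/pkg/providers/cloudstack/template_test.go
+++ b/pkg/providers/cloudstack/template_test.go
@@ -169,3 +169,21 @@
 test.AssertContentToFile(t, string(data), tc.Output)
 }
 }
+
+func TestTemplateBuilder_KubeProxyReplacement(t *testing.T) {
+input := "testdata/cluster_cilium_kube_proxy_replacement.yaml"
+output := "testdata/expected_cluster_cilium_kube_proxy_replacement.yaml"
+
+g := NewWithT(t)
+clusterSpec := test.NewFullClusterSpec(t, input)
+
+bldr := cloudstack.NewTemplateBuilder(time.Now)
+
+data, err := bldr.GenerateCAPISpecControlPlane(clusterSpec, func(values map[string]interface{}) {
+values["controlPlaneTemplateName"] = clusterapi.ControlPlaneMachineTemplateName(clusterSpec.Cluster)
+})
+g.Expect(err).ToNot(HaveOccurred())
+
+test.AssertContentToFile(t, string(data), output)
+
+}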
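Review bot: The lint job fails on the blank line between `test.AssertContentToFile(t, string(data), output)` and the closing brace; gofumpt rejects a trailing empty line in a function body, so delete it. The test only compares the rendered control-plane manifest against a fixture, so it pins the new behaviour only if the expected file (not shown here) actually contains the `skipPhases:` / `- addon/kube-proxy` block — worth checking rather than letting a fixture regenerated from current output pass trivially. The `CNIConfig == nil` and `Cilium == nil` branches added in `buildTemplateMapCP` remain untested.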
@@ -0,0 +1,69 @@
apiVersion: anywhere.eks.amazonaws.com/v1alpha1
kind: Cluster
metadata:
name: test
namespace: test
spec:
clusterNetwork:
cniConfig:
cilium:
enableKubeProxyReplacement: true
pods:
cidrBlocks:
- 192.168.0.0/16
services:
cidrBlocks:
- 10.96.0.0/12
controlPlaneConfiguration:
count: 1
endpoint:
host: 0.0.0.0
machineGroupRef:
kind: CloudStackMachineConfig
name: test
datacenterRef:
kind: CloudStackDatacenterConfig
name: test
kubernetesVersion: "1.21"
---
apiVersion: anywhere.eks.amazonaws.com/v1alpha1
kind: CloudStackDatacenterConfig
metadata:
name: test
namespace: test
spec:
availabilityZones:
- account: "admin"
domain: "domain1"
name: "default-az-0"
credentialsRef: "global"
zone:
name: "zone1"
network:
name: "net1"
managementApiEndpoint: "http://127.16.0.1:8080/client/api"
---
apiVersion: anywhere.eks.amazonaws.com/v1alpha1
kind: CloudStackMachineConfig
metadata:
name: test
namespace: test
spec:
computeOffering:
name: "m4-large"
users:
- name: "mySshUsername"
sshAuthorizedKeys: # The key below was manually generated and not used in any production systems
- "ssh-rsa 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 [email protected]"
template:
name: "kubernetes_1_21"
diskOffering:
name: "Small"
mountPath: "/data-small"
device: "/dev/vdb"
filesystem: "ext4"
label: "data_disk"
symlinks:
/var/log/kubernetes: /data-small/var/log/kubernetes
affinityGroupIds:
- control-plane-anti-affinity