kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Cilium: disable masquerade by default when in ENI IPAM mode

This commit is contained in:
John Gardiner Myers 2021-06-13 16:42:17 -07:00
parent b29c612b9c
commit 3cf8234d01
12 changed files with 38 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
docs/networking/cilium.md
View File

@ -103,11 +103,19 @@ kops rolling-update cluster --yes
### Enabling Cilium ENI IPAM ### Enabling Cilium ENI IPAM
This feature is in beta state as of kOps 1.18. {{ kops_feature_table(kops_added_default='1.18') }}
As of kOps 1.18, you can have Cilium provision AWS managed addresses and attach them directly to Pods much like Lyft VPC and AWS VPC. See [the Cilium docs for more information](https://docs.cilium.io/en/v1.6/concepts/ipam/eni/) This feature is in beta state.
When using ENI IPAM you need to disable masquerading in Cilium as well. You can have Cilium provision AWS managed addresses and attach them directly to Pods much like Lyft VPC and AWS VPC. See [the Cilium docs for more information](https://docs.cilium.io/en/v1.6/concepts/ipam/eni/)
```yaml
networking:
cilium:
ipam: eni
```
In kOps versions before 1.22, when using ENI IPAM you need to explicitly disable masquerading in Cilium as well.
```yaml ```yaml
networking: networking:

2
pkg/apis/kops/networking.go
View File

@ -396,7 +396,7 @@ type CiliumNetworkingSpec struct {
// Setting this has no effect. // Setting this has no effect.
LogstashProbeTimer uint32 `json:"logstashProbeTimer,omitempty"` LogstashProbeTimer uint32 `json:"logstashProbeTimer,omitempty"`
// DisableMasquerade disables masquerading traffic to external destinations behind the node IP. // DisableMasquerade disables masquerading traffic to external destinations behind the node IP.
DisableMasquerade bool `json:"disableMasquerade,omitempty"` DisableMasquerade *bool `json:"disableMasquerade,omitempty"`
// Nat6Range is not implemented and may be removed in the future. // Nat6Range is not implemented and may be removed in the future.
// Setting this has no effect. // Setting this has no effect.
Nat46Range string `json:"nat46Range,omitempty"` Nat46Range string `json:"nat46Range,omitempty"`

2
pkg/apis/kops/v1alpha2/networking.go
View File

@ -394,7 +394,7 @@ type CiliumNetworkingSpec struct {
// Setting this has no effect. // Setting this has no effect.
LogstashProbeTimer uint32 `json:"logstashProbeTimer,omitempty"` LogstashProbeTimer uint32 `json:"logstashProbeTimer,omitempty"`
// DisableMasquerade disables masquerading traffic to external destinations behind the node IP. // DisableMasquerade disables masquerading traffic to external destinations behind the node IP.
DisableMasquerade bool `json:"disableMasquerade,omitempty"` DisableMasquerade *bool `json:"disableMasquerade,omitempty"`
// Nat6Range is not implemented and may be removed in the future. // Nat6Range is not implemented and may be removed in the future.
// Setting this has no effect. // Setting this has no effect.
Nat46Range string `json:"nat46Range,omitempty"` Nat46Range string `json:"nat46Range,omitempty"`

5
pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go generated
View File

@ -531,6 +531,11 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) {
(*out)[key] = val (*out)[key] = val
} }
} }
if in.DisableMasquerade != nil {
in, out := &in.DisableMasquerade, &out.DisableMasquerade
*out = new(bool)
**out = **in
}
if in.EnableRemoteNodeIdentity != nil { if in.EnableRemoteNodeIdentity != nil {
in, out := &in.EnableRemoteNodeIdentity, &out.EnableRemoteNodeIdentity in, out := &in.EnableRemoteNodeIdentity, &out.EnableRemoteNodeIdentity
*out = new(bool) *out = new(bool)

2
pkg/apis/kops/validation/validation.go
View File

@ -855,7 +855,7 @@ func validateNetworkingCilium(cluster *kops.Cluster, v *kops.CiliumNetworkingSpe
if c.CloudProvider != string(kops.CloudProviderAWS) { if c.CloudProvider != string(kops.CloudProviderAWS) {
allErrs = append(allErrs, field.Forbidden(fldPath.Child("ipam"), "Cilum ENI IPAM is supported only in AWS")) allErrs = append(allErrs, field.Forbidden(fldPath.Child("ipam"), "Cilum ENI IPAM is supported only in AWS"))
} }
if !v.DisableMasquerade { if v.DisableMasquerade != nil && !*v.DisableMasquerade {
allErrs = append(allErrs, field.Forbidden(fldPath.Child("disableMasquerade"), "Masquerade must be disabled when ENI IPAM is used")) allErrs = append(allErrs, field.Forbidden(fldPath.Child("disableMasquerade"), "Masquerade must be disabled when ENI IPAM is used"))
} }
} }

11
pkg/apis/kops/validation/validation_test.go
View File

@ -790,8 +790,7 @@ func Test_Validate_Cilium(t *testing.T) {
}, },
{ {
Cilium: kops.CiliumNetworkingSpec{ Cilium: kops.CiliumNetworkingSpec{
DisableMasquerade: true, Ipam: "eni",
Ipam: "eni",
}, },
Spec: kops.ClusterSpec{ Spec: kops.ClusterSpec{
CloudProvider: "aws", CloudProvider: "aws",
@ -799,7 +798,7 @@ func Test_Validate_Cilium(t *testing.T) {
}, },
{ {
Cilium: kops.CiliumNetworkingSpec{ Cilium: kops.CiliumNetworkingSpec{
DisableMasquerade: true, DisableMasquerade: fi.Bool(true),
Ipam: "eni", Ipam: "eni",
}, },
Spec: kops.ClusterSpec{ Spec: kops.ClusterSpec{
@ -814,7 +813,8 @@ func Test_Validate_Cilium(t *testing.T) {
}, },
{ {
Cilium: kops.CiliumNetworkingSpec{ Cilium: kops.CiliumNetworkingSpec{
Ipam: "eni", DisableMasquerade: fi.Bool(false),
Ipam: "eni",
}, },
Spec: kops.ClusterSpec{ Spec: kops.ClusterSpec{
CloudProvider: "aws", CloudProvider: "aws",
@ -823,8 +823,7 @@ func Test_Validate_Cilium(t *testing.T) {
}, },
{ {
Cilium: kops.CiliumNetworkingSpec{ Cilium: kops.CiliumNetworkingSpec{
DisableMasquerade: true, Ipam: "eni",
Ipam: "eni",
}, },
Spec: kops.ClusterSpec{ Spec: kops.ClusterSpec{
CloudProvider: "gce", CloudProvider: "gce",

5
pkg/apis/kops/zz_generated.deepcopy.go generated
View File

@ -615,6 +615,11 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) {
(*out)[key] = val (*out)[key] = val
} }
} }
if in.DisableMasquerade != nil {
in, out := &in.DisableMasquerade, &out.DisableMasquerade
*out = new(bool)
**out = **in
}
if in.EnableRemoteNodeIdentity != nil { if in.EnableRemoteNodeIdentity != nil {
in, out := &in.EnableRemoteNodeIdentity, &out.EnableRemoteNodeIdentity in, out := &in.EnableRemoteNodeIdentity, &out.EnableRemoteNodeIdentity
*out = new(bool) *out = new(bool)

4
pkg/commands/set_cluster_test.go
View File

@ -288,7 +288,7 @@ func TestSetClusterFields(t *testing.T) {
Spec: kops.ClusterSpec{ Spec: kops.ClusterSpec{
Networking: &kops.NetworkingSpec{ Networking: &kops.NetworkingSpec{
Cilium: &kops.CiliumNetworkingSpec{ Cilium: &kops.CiliumNetworkingSpec{
DisableMasquerade: true, DisableMasquerade: fi.Bool(true),
}, },
}, },
}, },
@ -367,7 +367,7 @@ func TestSetCiliumFields(t *testing.T) {
Cilium: &kops.CiliumNetworkingSpec{ Cilium: &kops.CiliumNetworkingSpec{
Ipam: "eni", Ipam: "eni",
EnableNodePort: true, EnableNodePort: true,
DisableMasquerade: true, DisableMasquerade: fi.Bool(true),
}, },
}, },
}, },

4
pkg/model/components/cilium.go
View File

@ -85,6 +85,10 @@ func (b *CiliumOptionsBuilder) BuildOptions(o interface{}) error {
} }
} }
if c.DisableMasquerade == nil {
c.DisableMasquerade = fi.Bool(c.Ipam == "eni")
}
if c.Tunnel == "" { if c.Tunnel == "" {
if c.Ipam == "eni" { if c.Ipam == "eni" {
c.Tunnel = "disabled" c.Tunnel = "disabled"

2
upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.8.yaml.template
View File

@ -149,7 +149,7 @@ data:
# - auto (automatically detect the container runtime) # - auto (automatically detect the container runtime)
# #
container-runtime: "{{ .ContainerRuntimeLabels }}" container-runtime: "{{ .ContainerRuntimeLabels }}"
masquerade: "{{- if .DisableMasquerade -}}false{{- else -}}true{{- end -}}" masquerade: "{{- if WithDefaultBool .DisableMasquerade false -}}false{{- else -}}true{{- end -}}"
install-iptables-rules: "{{- if .IPTablesRulesNoinstall -}}false{{- else -}}true{{- end -}}" install-iptables-rules: "{{- if .IPTablesRulesNoinstall -}}false{{- else -}}true{{- end -}}"
auto-direct-node-routes: "{{ .AutoDirectNodeRoutes }}" auto-direct-node-routes: "{{ .AutoDirectNodeRoutes }}"
{{ if .EnableHostReachableServices }} {{ if .EnableHostReachableServices }}

2
upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.9.yaml.template
View File

@ -170,7 +170,7 @@ data:
# - auto (automatically detect the container runtime) # - auto (automatically detect the container runtime)
# #
container-runtime: "{{ .ContainerRuntimeLabels }}" container-runtime: "{{ .ContainerRuntimeLabels }}"
masquerade: "{{- if .DisableMasquerade -}}false{{- else -}}true{{- end -}}" masquerade: "{{- if WithDefaultBool .DisableMasquerade false -}}false{{- else -}}true{{- end -}}"
install-iptables-rules: "{{- if .IPTablesRulesNoinstall -}}false{{- else -}}true{{- end -}}" install-iptables-rules: "{{- if .IPTablesRulesNoinstall -}}false{{- else -}}true{{- end -}}"
auto-direct-node-routes: "{{ .AutoDirectNodeRoutes }}" auto-direct-node-routes: "{{ .AutoDirectNodeRoutes }}"
{{ if .EnableHostReachableServices }} {{ if .EnableHostReachableServices }}

2
upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.10.yaml.template
View File

@ -170,7 +170,7 @@ data:
# - auto (automatically detect the container runtime) # - auto (automatically detect the container runtime)
# #
container-runtime: "{{ .ContainerRuntimeLabels }}" container-runtime: "{{ .ContainerRuntimeLabels }}"
masquerade: "{{- if .DisableMasquerade -}}false{{- else -}}true{{- end -}}" masquerade: "{{- if WithDefaultBool .DisableMasquerade false -}}false{{- else -}}true{{- end -}}"
install-iptables-rules: "{{- if .IPTablesRulesNoinstall -}}false{{- else -}}true{{- end -}}" install-iptables-rules: "{{- if .IPTablesRulesNoinstall -}}false{{- else -}}true{{- end -}}"
auto-direct-node-routes: "{{ .AutoDirectNodeRoutes }}" auto-direct-node-routes: "{{ .AutoDirectNodeRoutes }}"
{{ if .EnableHostReachableServices }} {{ if .EnableHostReachableServices }}