Add option for Calico to cleanup kube-proxy rules when running in eBPF mode

2020-10-27 07:28:27 +02:00 · 2020-10-27 07:28:27 +02:00 · 7b9a073da9
parent 2fe6ee4b37
commit 7b9a073da9
5 changed files with 14 additions and 0 deletions
--- a/k8s/crds/kops.k8s.io_clusters.yaml
+++ b/k8s/crds/kops.k8s.io_clusters.yaml
@ -2144,6 +2144,9 @@ spec:
                      bpfExternalServiceMode:
                        description: 'BPFExternalServiceMode controls how traffic from outside the cluster to NodePorts and ClusterIPs is handled. In Tunnel mode, packet is tunneled from the ingress host to the host with the backing pod and back again. In DSR mode, traffic is tunneled to the host with the backing pod and then returned directly; this requires a network that allows direct return. Default: Tunnel (other options: DSR)'
                        type: string
+                      bpfKubeProxyIptablesCleanupEnabled:
+                        description: BPFKubeProxyIptablesCleanupEnabled controls whether Felix will clean up the iptables rules created by the Kubernetes kube-proxy; should only be enabled if kube-proxy is not running.
+                        type: boolean
                      bpfLogLevel:
                        description: 'BPFLogLevel controls the log level used by the BPF programs. The logs are emitted to the BPF trace pipe, accessible with the command tc exec BPF debug. Default: Off (other options: Info, Debug)'
                        type: string
--- a/pkg/apis/kops/networking.go
+++ b/pkg/apis/kops/networking.go
@ -108,6 +108,9 @@ type CalicoNetworkingSpec struct {
 	// this requires a network that allows direct return.
 	// Default: Tunnel (other options: DSR)
 	BPFExternalServiceMode string `json:"bpfExternalServiceMode,omitempty"`
+	// BPFKubeProxyIptablesCleanupEnabled controls whether Felix will clean up the iptables rules
+	// created by the Kubernetes kube-proxy; should only be enabled if kube-proxy is not running.
+	BPFKubeProxyIptablesCleanupEnabled bool `json:"bpfKubeProxyIptablesCleanupEnabled,omitempty"`
 	// BPFLogLevel controls the log level used by the BPF programs. The logs are emitted
 	// to the BPF trace pipe, accessible with the command tc exec BPF debug.
 	// Default: Off (other options: Info, Debug)
--- a/pkg/apis/kops/v1alpha2/networking.go
+++ b/pkg/apis/kops/v1alpha2/networking.go
@ -108,6 +108,9 @@ type CalicoNetworkingSpec struct {
 	// this requires a network that allows direct return.
 	// Default: Tunnel (other options: DSR)
 	BPFExternalServiceMode string `json:"bpfExternalServiceMode,omitempty"`
+	// BPFKubeProxyIptablesCleanupEnabled controls whether Felix will clean up the iptables rules
+	// created by the Kubernetes kube-proxy; should only be enabled if kube-proxy is not running.
+	BPFKubeProxyIptablesCleanupEnabled bool `json:"bpfKubeProxyIptablesCleanupEnabled,omitempty"`
 	// BPFLogLevel controls the log level used by the BPF programs. The logs are emitted
 	// to the BPF trace pipe, accessible with the command tc exec BPF debug.
 	// Default: Off (other options: Info, Debug)
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@ -1327,6 +1327,7 @@ func Convert_kops_CNINetworkingSpec_To_v1alpha2_CNINetworkingSpec(in *kops.CNINe
 func autoConvert_v1alpha2_CalicoNetworkingSpec_To_kops_CalicoNetworkingSpec(in *CalicoNetworkingSpec, out *kops.CalicoNetworkingSpec, s conversion.Scope) error {
 	out.BPFEnabled = in.BPFEnabled
 	out.BPFExternalServiceMode = in.BPFExternalServiceMode
+	out.BPFKubeProxyIptablesCleanupEnabled = in.BPFKubeProxyIptablesCleanupEnabled
 	out.BPFLogLevel = in.BPFLogLevel
 	out.ChainInsertMode = in.ChainInsertMode
 	out.CPURequest = in.CPURequest
@ -1358,6 +1359,7 @@ func Convert_v1alpha2_CalicoNetworkingSpec_To_kops_CalicoNetworkingSpec(in *Cali
 func autoConvert_kops_CalicoNetworkingSpec_To_v1alpha2_CalicoNetworkingSpec(in *kops.CalicoNetworkingSpec, out *CalicoNetworkingSpec, s conversion.Scope) error {
 	out.BPFEnabled = in.BPFEnabled
 	out.BPFExternalServiceMode = in.BPFExternalServiceMode
+	out.BPFKubeProxyIptablesCleanupEnabled = in.BPFKubeProxyIptablesCleanupEnabled
 	out.BPFLogLevel = in.BPFLogLevel
 	out.ChainInsertMode = in.ChainInsertMode
 	out.CPURequest = in.CPURequest
--- a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template
+++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template
@ -3939,6 +3939,9 @@ spec:
            # Controls how traffic from outside the cluster to NodePorts and ClusterIPs is handled
            - name: FELIX_BPFEXTERNALSERVICEMODE
              value: "{{- or .Networking.Calico.BPFExternalServiceMode "Tunnel" }}"
+            # Controls whether Felix will clean up the iptables rules created by the Kubernetes kube-proxy
+            - name: FELIX_BPFKUBEPROXYIPTABLESCLEANUPENABLED
+              value: "{{- .Networking.Calico.BPFKubeProxyIptablesCleanupEnabled }}"
            # Controls the log level used by the BPF programs
            - name: FELIX_BPFLOGLEVEL
              value: "{{- or .Networking.Calico.BPFLogLevel "Off" }}"