From 4d1897ab906201fa2b391ebca87a621e398cafcf Mon Sep 17 00:00:00 2001
From: Ole Markus With
Date: Mon, 22 Jun 2020 20:51:40 +0200
Subject: [PATCH 1/2] Enable nodeport by default
---
 cmd/kops/create_cluster.go | 9 ++++++++-
 docs/networking/cilium.md | 2 +-
 docs/releases/1.19-NOTES.md | 2 ++
 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/cmd/kops/create_cluster.go b/cmd/kops/create_cluster.go
index 1a2d2aa9ab..68da6f145d 100644
--- a/cmd/kops/create_cluster.go
+++ b/cmd/kops/create_cluster.go
@@ -1019,7 +1019,14 @@ func RunCreateCluster(ctx context.Context, f *util.Factory, out io.Writer, c *Cr
 case "amazonvpc", "amazon-vpc-routed-eni":
 cluster.Spec.Networking.AmazonVPC = &api.AmazonVPCNetworkingSpec{}
 case "cilium":
- cluster.Spec.Networking.Cilium = &api.CiliumNetworkingSpec{}
+ cluster.Spec.Networking.Cilium = &api.CiliumNetworkingSpec{
+ EnableNodePort: true,
+ }
+ if cluster.Spec.KubeProxy == nil {
+ cluster.Spec.KubeProxy = &api.KubeProxyConfig{}
+ }
+ enabled := false
+ cluster.Spec.KubeProxy.Enabled = &enabled
 case "lyftvpc":
 cluster.Spec.Networking.LyftVPC = &api.LyftVPCNetworkingSpec{}
 case "gce":
diff --git a/docs/networking/cilium.md b/docs/networking/cilium.md
index a8630bd5ff..d8c40e1836 100644
--- a/docs/networking/cilium.md
+++ b/docs/networking/cilium.md
@@ -64,7 +64,7 @@ Then enable etcd as kvstore:
 ### Enabling BPF NodePort
-As of Kops 1.18 you can safely enable Cilium NodePort.
+As of kops 1.19, BPF NodePort is enabled by default for new clusters. It can be safely enabled as of kops 1.18.
 In this mode, the cluster is fully functional without kube-proxy, with Cilium replacing kube-proxy's NodePort implementation using BPF.
 Read more about this in the [Cilium docs](https://docs.cilium.io/en/stable/gettingstarted/nodeport/)
diff --git a/docs/releases/1.19-NOTES.md b/docs/releases/1.19-NOTES.md
index d51f70dcd8..e0854a83ff 100644
--- a/docs/releases/1.19-NOTES.md
+++ b/docs/releases/1.19-NOTES.md
@@ -9,6 +9,8 @@
 * Clusters using the Amazon VPC CNI provider now perform an `ec2.DescribeInstanceTypes` call at instance launch time. In large clusters or AWS accounts this may lead to API throttling which could delay node readiness. If this becomes a problem please open a GitHub issue.
 * Alpha support for Hashicorp Vault as store for secrets and keys. See the [Vault state store docs](/state/#vault-vault).
+
+* New clusters running Cilium will have enabled BPF NodePort by default.
 # Breaking changes
From d529afe6377be3adb2d10eb71f76f32139216ce6 Mon Sep 17 00:00:00 2001
From: Ole Markus With
Date: Tue, 23 Jun 2020 08:44:58 +0200
Subject: [PATCH 2/2] Only enable nodeport by default if k8s is 1.12 or newer
---
 cmd/kops/create_cluster.go | 27 +++++++++++++++++++++------
 docs/networking/cilium.md | 2 +-
 docs/releases/1.19-NOTES.md | 2 +-
 3 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/cmd/kops/create_cluster.go b/cmd/kops/create_cluster.go
index 68da6f145d..44379bc088 100644
--- a/cmd/kops/create_cluster.go
+++ b/cmd/kops/create_cluster.go
@@ -29,6 +29,7 @@ import (
 "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/service/ec2"
+ "github.com/blang/semver"
 "github.com/spf13/cobra"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 "k8s.io/apimachinery/pkg/api/resource"
@@ -40,6 +41,7 @@ import (
 api "k8s.io/kops/pkg/apis/kops"
 "k8s.io/kops/pkg/apis/kops/model"
 "k8s.io/kops/pkg/apis/kops/registry"
+ version "k8s.io/kops/pkg/apis/kops/util"
 "k8s.io/kops/pkg/apis/kops/validation"
 "k8s.io/kops/pkg/assets"
 "k8s.io/kops/pkg/commands"
@@ -1019,14 +1021,27 @@ func RunCreateCluster(ctx context.Context, f *util.Factory, out io.Writer, c *Cr
 case "amazonvpc", "amazon-vpc-routed-eni":
 cluster.Spec.Networking.AmazonVPC = &api.AmazonVPCNetworkingSpec{}
 case "cilium":
- cluster.Spec.Networking.Cilium = &api.CiliumNetworkingSpec{
- EnableNodePort: true,
+ cilium := &api.CiliumNetworkingSpec{}
+ cluster.Spec.Networking.Cilium = cilium
+ nodeport := false
+ if c.KubernetesVersion == "" {
+ nodeport = true
+ } else {
+ k8sVersion, err := semver.ParseTolerant(c.KubernetesVersion)
+ if err == nil {
+ if version.IsKubernetesGTE("1.12", k8sVersion) {
+ nodeport = true
+ }
+ }
 }
- if cluster.Spec.KubeProxy == nil {
- cluster.Spec.KubeProxy = &api.KubeProxyConfig{}
+ if nodeport {
+ cilium.EnableNodePort = true
+ if cluster.Spec.KubeProxy == nil {
+ cluster.Spec.KubeProxy = &api.KubeProxyConfig{}
+ }
+ enabled := false
+ cluster.Spec.KubeProxy.Enabled = &enabled
 }
- enabled := false
- cluster.Spec.KubeProxy.Enabled = &enabled
 case "lyftvpc":
 cluster.Spec.Networking.LyftVPC = &api.LyftVPCNetworkingSpec{}
 case "gce":
diff --git a/docs/networking/cilium.md b/docs/networking/cilium.md
index d8c40e1836..40ab8c437a 100644
--- a/docs/networking/cilium.md
+++ b/docs/networking/cilium.md
@@ -64,7 +64,7 @@ Then enable etcd as kvstore:
 ### Enabling BPF NodePort
-As of kops 1.19, BPF NodePort is enabled by default for new clusters. It can be safely enabled as of kops 1.18.
+As of kops 1.19, BPF NodePort is enabled by default for new clusters if the kubernetes version is 1.12 or newer. It can be safely enabled as of kops 1.18.
 In this mode, the cluster is fully functional without kube-proxy, with Cilium replacing kube-proxy's NodePort implementation using BPF.
 Read more about this in the [Cilium docs](https://docs.cilium.io/en/stable/gettingstarted/nodeport/)
diff --git a/docs/releases/1.19-NOTES.md b/docs/releases/1.19-NOTES.md
index e0854a83ff..299cb00b3c 100644
--- a/docs/releases/1.19-NOTES.md
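Review bot: The error from `semver.ParseTolerant` in the new `else` branch of the cilium case is discarded, so an unparseable `--kubernetes-version` silently leaves `nodeport` false and the cluster is created with kube-proxy and without BPF NodePort — the opposite of what the release note promises, and hard to diagnose later. Returning the parse error (or at least logging it) makes the decision explicit, and the nested `if err == nil { if version.IsKubernetesGTE(...) {` then collapses to a single assignment, as below. The empty-version branch assumes the kops default Kubernetes version is at least 1.12; that assumption deserves a comment such as `// An empty KubernetesVersion selects the kops default, which is newer than 1.12.` RunCreateCluster's return type is cut off in the hunk header, so the `return fmt.Errorf(...)` below assumes the function returns an error and that `fmt` is already imported in this file; adjust if not.
```go
	case "cilium":
		cilium := &api.CiliumNetworkingSpec{}
		cluster.Spec.Networking.Cilium = cilium
		// An empty KubernetesVersion selects the kops default, which is newer than 1.12.
		nodeport := true
		if c.KubernetesVersion != "" {
			k8sVersion, err := semver.ParseTolerant(c.KubernetesVersion)
			if err != nil {
				return fmt.Errorf("parsing kubernetes version %q: %w", c.KubernetesVersion, err)
			}
			nodeport = version.IsKubernetesGTE("1.12", k8sVersion)
		}
		// … unchanged: if nodeport { enable BPF NodePort, disable kube-proxy } …
```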
+++ b/docs/releases/1.19-NOTES.md
@@ -10,7 +10,7 @@
 * Alpha support for Hashicorp Vault as store for secrets and keys. See the [Vault state store docs](/state/#vault-vault).
-* New clusters running Cilium will have enabled BPF NodePort by default.
+* New clusters running Cilium will have enabled BPF NodePort by default if kubernetes version is 1.12 or newer.
 # Breaking changes