Configure network-validator and repair-controller to work with IPv6 (#12874)

* Configure network-validator and repair-controller to work with IPv6

Fixes #12864

The linkerd-cni network-validator container was binding to the IPv4 wildcard and connecting to an IPv4 address. This wasn't breaking things in IPv6 clusters but it was only validating the iptables rules and not the ip6tables ones. This change introduces logic to use addresses according to the value of `disableIPv6`. If IPv6 is enabled, then the ip6tables rules would get exercised. Note that a more complete change would also exercise both iptables and ip6tables, but for now we're defaulting to ip6tables.

Similarly was the case with repair-controller, but given the IPv4 wildcard was used for the admin server, in IPv6 clusters the kubelet wasn't able to reach the probe endpoints and the container was failing. In this case the fix is just have the admin server bind to `[::]`, which works for IPv4 and IPv6 clusters.

charts/linkerd-control-plane/README.md

@@ -187,9 +187,9 @@ Kubernetes: `>=1.22.0-0`
 | kubeAPI.clientBurst | int | `200` | Burst value over clientQPS |
 | kubeAPI.clientQPS | int | `100` | Maximum QPS sent to the kube-apiserver before throttling. See [token bucket rate limiter implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go) |
 | linkerdVersion | string | `"linkerdVersionValue"` | control plane version. See Proxy section for proxy version |
-| networkValidator.connectAddr | string | `"1.1.1.1:20001"` | Address to which the network-validator will attempt to connect. This should be an IP that the cluster is expected to be able to reach but a port it should not, e.g., a public IP  for public clusters and a private IP for air-gapped clusters with a port like 20001. |
+| networkValidator.connectAddr | string | `""` | Address to which the network-validator will attempt to connect. This should be an IP that the cluster is expected to be able to reach but a port it should not, e.g., a public IP for public clusters and a private IP for air-gapped clusters with a port like 20001. If empty, defaults to 1.1.1.1:20001 and [fd00::1]:20001 for IPv4 and IPv6 respectively. |
 | networkValidator.enableSecurityContext | bool | `true` | Include a securityContext in the network-validator pod spec |
-| networkValidator.listenAddr | string | `"0.0.0.0:4140"` | Address to which network-validator listens to requests from itself |
+| networkValidator.listenAddr | string | `"[::]:4140"` | Address to which network-validator listens to requests from itself |
 | networkValidator.logFormat | string | plain | Log format (`plain` or `json`) for network-validator |
 | networkValidator.logLevel | string | debug | Log level for the network-validator |
 | networkValidator.timeout | string | `"10s"` | Timeout before network-validator fails to validate the pod's network connectivity |

charts/linkerd-control-plane/values.yaml

@@ -324,11 +324,12 @@ networkValidator:
   # @default -- plain
   logFormat: plain
   # -- Address to which the network-validator will attempt to connect. This should be an IP
-  # that the cluster is expected to be able to reach but a port it should not, e.g., a public IP 
+  # that the cluster is expected to be able to reach but a port it should not, e.g., a public IP
   # for public clusters and a private IP for air-gapped clusters with a port like 20001.
-  connectAddr: "1.1.1.1:20001"
+  # If empty, defaults to 1.1.1.1:20001 and [fd00::1]:20001 for IPv4 and IPv6 respectively.
+  connectAddr: ""
   # -- Address to which network-validator listens to requests from itself
-  listenAddr: "0.0.0.0:4140"
+  listenAddr: "[::]:4140"
   # -- Timeout before network-validator fails to validate the pod's network connectivity
   timeout: "10s"
   # -- Include a securityContext in the network-validator pod spec

charts/linkerd2-cni/templates/cni-plugin.yaml

@@ -312,7 +312,8 @@ spec:
         command:
           - /usr/lib/linkerd/linkerd-cni-repair-controller
         args:
-          - --admin-addr=0.0.0.0:9990
+          - --admin-addr
+          - "[::]:9990"
           - --log-format
           - {{ .Values.repairController.logFormat }}
           - --log-level

charts/partials/templates/_network-validator.tpl

@@ -24,9 +24,15 @@ args:
   - --log-level
   - {{ .Values.networkValidator.logLevel }}
   - --connect-addr
-  - {{ .Values.networkValidator.connectAddr }}
+    {{- if .Values.networkValidator.connectAddr }}
+  - {{ .Values.networkValidator.connectAddr | quote }}
+    {{- else if .Values.disableIPv6}}
+  - "1.1.1.1:20001"
+    {{- else }}
+  - "[fd00::1]:20001"
+    {{- end }}
   - --listen-addr
-  - {{ .Values.networkValidator.listenAddr }}
+  - {{ .Values.networkValidator.listenAddr | quote }}
   - --timeout
   - {{ .Values.networkValidator.timeout }}
 

cli/cmd/install_test.go

@@ -141,7 +141,7 @@ func TestRender(t *testing.T) {
 			LogLevel:    "debug",
 			LogFormat:   "plain",
 			ConnectAddr: "1.1.1.1:20001",
-			ListenAddr:  "0.0.0.0:4140",
+			ListenAddr:  "[::]:4140",
 			Timeout:     "10s",
 		},
 		Configs: charts.ConfigJSONs{

cli/cmd/testdata/inject_emojivoto_deployment_no_init_container.golden.yml

@@ -201,7 +201,7 @@ spec:
         - --connect-addr
         - 1.1.1.1:20001
         - --listen-addr
-        - 0.0.0.0:4140
+        - '[::]:4140'
         - --timeout
         - 10s
         command:

cli/cmd/testdata/install_controlplane_tracing_output.golden

@@ -584,9 +584,9 @@ data:
     imagePullSecrets: []
     linkerdVersion: install-control-plane-version
     networkValidator:
-      connectAddr: 1.1.1.1:20001
+      connectAddr: ""
       enableSecurityContext: true
-      listenAddr: 0.0.0.0:4140
+      listenAddr: '[::]:4140'
       logFormat: plain
       logLevel: debug
       timeout: 10s
@@ -875,6 +875,7 @@ spec:
     port: 8080
     targetPort: 8080
 ---
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:

cli/cmd/testdata/install_custom_domain.golden

@@ -584,9 +584,9 @@ data:
     imagePullSecrets: []
     linkerdVersion: install-control-plane-version
     networkValidator:
-      connectAddr: 1.1.1.1:20001
+      connectAddr: ""
       enableSecurityContext: true
-      listenAddr: 0.0.0.0:4140
+      listenAddr: '[::]:4140'
       logFormat: plain
       logLevel: debug
       timeout: 10s
@@ -875,6 +875,7 @@ spec:
     port: 8080
     targetPort: 8080
 ---
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:

cli/cmd/testdata/install_custom_registry.golden

@@ -584,9 +584,9 @@ data:
     imagePullSecrets: []
     linkerdVersion: install-control-plane-version
     networkValidator:
-      connectAddr: 1.1.1.1:20001
+      connectAddr: ""
       enableSecurityContext: true
-      listenAddr: 0.0.0.0:4140
+      listenAddr: '[::]:4140'
       logFormat: plain
       logLevel: debug
       timeout: 10s
@@ -875,6 +875,7 @@ spec:
     port: 8080
     targetPort: 8080
 ---
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:

cli/cmd/testdata/install_default.golden

@@ -584,9 +584,9 @@ data:
     imagePullSecrets: []
     linkerdVersion: install-control-plane-version
     networkValidator:
-      connectAddr: 1.1.1.1:20001
+      connectAddr: ""
       enableSecurityContext: true
-      listenAddr: 0.0.0.0:4140
+      listenAddr: '[::]:4140'
       logFormat: plain
       logLevel: debug
       timeout: 10s
@@ -875,6 +875,7 @@ spec:
     port: 8080
     targetPort: 8080
 ---
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:

cli/cmd/testdata/install_default_override_dst_get_nets.golden

@@ -584,9 +584,9 @@ data:
     imagePullSecrets: []
     linkerdVersion: install-control-plane-version
     networkValidator:
-      connectAddr: 1.1.1.1:20001
+      connectAddr: ""
       enableSecurityContext: true
-      listenAddr: 0.0.0.0:4140
+      listenAddr: '[::]:4140'
       logFormat: plain
       logLevel: debug
       timeout: 10s
@@ -875,6 +875,7 @@ spec:
     port: 8080
     targetPort: 8080
 ---
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:

cli/cmd/testdata/install_default_token.golden

@@ -584,9 +584,9 @@ data:
     imagePullSecrets: []
     linkerdVersion: install-control-plane-version
     networkValidator:
-      connectAddr: 1.1.1.1:20001
+      connectAddr: ""
       enableSecurityContext: true
-      listenAddr: 0.0.0.0:4140
+      listenAddr: '[::]:4140'
       logFormat: plain
       logLevel: debug
       timeout: 10s
@@ -875,6 +875,7 @@ spec:
     port: 8080
     targetPort: 8080
 ---
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:

cli/cmd/testdata/install_gid_output.golden

@@ -584,9 +584,9 @@ data:
     imagePullSecrets: []
     linkerdVersion: install-control-plane-version
     networkValidator:
-      connectAddr: 1.1.1.1:20001
+      connectAddr: ""
       enableSecurityContext: true
-      listenAddr: 0.0.0.0:4140
+      listenAddr: '[::]:4140'
       logFormat: plain
       logLevel: debug
       timeout: 10s
@@ -875,6 +875,7 @@ spec:
     port: 8080
     targetPort: 8080
 ---
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:

cli/cmd/testdata/install_ha_output.golden

@@ -611,9 +611,9 @@ data:
     imagePullSecrets: null
     linkerdVersion: install-control-plane-version
     networkValidator:
-      connectAddr: 1.1.1.1:20001
+      connectAddr: ""
       enableSecurityContext: true
-      listenAddr: 0.0.0.0:4140
+      listenAddr: '[::]:4140'
       logFormat: plain
       logLevel: debug
       timeout: 10s
@@ -927,6 +927,7 @@ spec:
     matchLabels:
       linkerd.io/control-plane-component: identity
 ---
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:

cli/cmd/testdata/install_ha_with_overrides_output.golden

@@ -611,9 +611,9 @@ data:
     imagePullSecrets: null
     linkerdVersion: install-control-plane-version
     networkValidator:
-      connectAddr: 1.1.1.1:20001
+      connectAddr: ""
       enableSecurityContext: true
-      listenAddr: 0.0.0.0:4140
+      listenAddr: '[::]:4140'
       logFormat: plain
       logLevel: debug
       timeout: 10s
@@ -927,6 +927,7 @@ spec:
     matchLabels:
       linkerd.io/control-plane-component: identity
 ---
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:

cli/cmd/testdata/install_heartbeat_disabled_output.golden

@@ -515,9 +515,9 @@ data:
     imagePullSecrets: []
     linkerdVersion: install-control-plane-version
     networkValidator:
-      connectAddr: 1.1.1.1:20001
+      connectAddr: ""
       enableSecurityContext: true
-      listenAddr: 0.0.0.0:4140
+      listenAddr: '[::]:4140'
       logFormat: plain
       logLevel: debug
       timeout: 10s
@@ -806,6 +806,7 @@ spec:
     port: 8080
     targetPort: 8080
 ---
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:

cli/cmd/testdata/install_helm_control_plane_output.golden

@@ -561,9 +561,9 @@ data:
     imagePullSecrets: []
     linkerdVersion: linkerd-version
     networkValidator:
-      connectAddr: 1.1.1.1:20001
+      connectAddr: ""
       enableSecurityContext: true
-      listenAddr: 0.0.0.0:4140
+      listenAddr: '[::]:4140'
       logFormat: plain
       logLevel: debug
       timeout: 10s
@@ -848,6 +848,7 @@ spec:
     port: 8080
     targetPort: 8080
 ---
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:

cli/cmd/testdata/install_helm_control_plane_output_ha.golden

@@ -588,9 +588,9 @@ data:
     imagePullSecrets: null
     linkerdVersion: linkerd-version
     networkValidator:
-      connectAddr: 1.1.1.1:20001
+      connectAddr: ""
       enableSecurityContext: true
-      listenAddr: 0.0.0.0:4140
+      listenAddr: '[::]:4140'
       logFormat: plain
       logLevel: debug
       timeout: 10s
@@ -900,6 +900,7 @@ spec:
     matchLabels:
       linkerd.io/control-plane-component: identity
 ---
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:

cli/cmd/testdata/install_helm_control_plane_output_ha_with_gid.golden

@@ -588,9 +588,9 @@ data:
     imagePullSecrets: null
     linkerdVersion: linkerd-version
     networkValidator:
-      connectAddr: 1.1.1.1:20001
+      connectAddr: ""
       enableSecurityContext: true
-      listenAddr: 0.0.0.0:4140
+      listenAddr: '[::]:4140'
       logFormat: plain
       logLevel: debug
       timeout: 10s
@@ -900,6 +900,7 @@ spec:
     matchLabels:
       linkerd.io/control-plane-component: identity
 ---
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:

cli/cmd/testdata/install_helm_output_ha_labels.golden

@@ -588,9 +588,9 @@ data:
     imagePullSecrets: null
     linkerdVersion: linkerd-version
     networkValidator:
-      connectAddr: 1.1.1.1:20001
+      connectAddr: ""
       enableSecurityContext: true
-      listenAddr: 0.0.0.0:4140
+      listenAddr: '[::]:4140'
       logFormat: plain
       logLevel: debug
       timeout: 10s
@@ -904,6 +904,7 @@ spec:
     matchLabels:
       linkerd.io/control-plane-component: identity
 ---
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:

cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden

@@ -583,9 +583,9 @@ data:
     imagePullSecrets: null
     linkerdVersion: linkerd-version
     networkValidator:
-      connectAddr: 1.1.1.1:20001
+      connectAddr: ""
       enableSecurityContext: true
-      listenAddr: 0.0.0.0:4140
+      listenAddr: '[::]:4140'
       logFormat: plain
       logLevel: debug
       timeout: 10s
@@ -890,6 +890,7 @@ spec:
     matchLabels:
       linkerd.io/control-plane-component: identity
 ---
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:

cli/cmd/testdata/install_no_init_container.golden

@@ -584,9 +584,9 @@ data:
     imagePullSecrets: []
     linkerdVersion: install-control-plane-version
     networkValidator:
-      connectAddr: 1.1.1.1:20001
+      connectAddr: ""
       enableSecurityContext: true
-      listenAddr: 0.0.0.0:4140
+      listenAddr: '[::]:4140'
       logFormat: plain
       logLevel: debug
       timeout: 10s
@@ -875,6 +875,7 @@ spec:
     port: 8080
     targetPort: 8080
 ---
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -1137,9 +1138,9 @@ spec:
           - --log-level
           - debug
           - --connect-addr
-          - 1.1.1.1:20001
+          - "1.1.1.1:20001"
           - --listen-addr
-          - 0.0.0.0:4140
+          - "[::]:4140"
           - --timeout
           - 10s
       securityContext:
@@ -1612,9 +1613,9 @@ spec:
           - --log-level
           - debug
           - --connect-addr
-          - 1.1.1.1:20001
+          - "1.1.1.1:20001"
           - --listen-addr
-          - 0.0.0.0:4140
+          - "[::]:4140"
           - --timeout
           - 10s
       securityContext:
@@ -1965,9 +1966,9 @@ spec:
           - --log-level
           - debug
           - --connect-addr
-          - 1.1.1.1:20001
+          - "1.1.1.1:20001"
           - --listen-addr
-          - 0.0.0.0:4140
+          - "[::]:4140"
           - --timeout
           - 10s
       securityContext:

cli/cmd/testdata/install_proxy_ignores.golden

@@ -584,9 +584,9 @@ data:
     imagePullSecrets: []
     linkerdVersion: install-control-plane-version
     networkValidator:
-      connectAddr: 1.1.1.1:20001
+      connectAddr: ""
       enableSecurityContext: true
-      listenAddr: 0.0.0.0:4140
+      listenAddr: '[::]:4140'
       logFormat: plain
       logLevel: debug
       timeout: 10s
@@ -875,6 +875,7 @@ spec:
     port: 8080
     targetPort: 8080
 ---
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:

cli/cmd/testdata/install_values_file.golden

@@ -584,9 +584,9 @@ data:
     imagePullSecrets: []
     linkerdVersion: install-control-plane-version
     networkValidator:
-      connectAddr: 1.1.1.1:20001
+      connectAddr: ""
       enableSecurityContext: true
-      listenAddr: 0.0.0.0:4140
+      listenAddr: '[::]:4140'
       logFormat: plain
       logLevel: debug
       timeout: 10s
@@ -875,6 +875,7 @@ spec:
     port: 8080
     targetPort: 8080
 ---
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:

pkg/charts/linkerd2/values_test.go

@@ -212,8 +212,8 @@ func TestNewValues(t *testing.T) {
 		NetworkValidator: &NetworkValidator{
 			LogLevel:              "debug",
 			LogFormat:             "plain",
-			ConnectAddr:           "1.1.1.1:20001",
-			ListenAddr:            "0.0.0.0:4140",
+			ConnectAddr:           "",
+			ListenAddr:            "[::]:4140",
 			Timeout:               "10s",
 			EnableSecurityContext: true,
 		},