Mirror/k3s
1
0
Fork 0
mirror of https://github.com/k3s-io/k3s.git synced 2024-06-07 19:41:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

Allow svclb pod to enable ipv6 forwarding

Browse Source 
Signed-off-by: Manuel Buil <mbuil@suse.com>
This commit is contained in:
Manuel Buil 2021-11-09 16:44:34 +01:00 committed by manuelbuil
parent d85b2468ea
commit 5d168a1d59
7 changed files with 33 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
pkg/agent/config/config.go
View File

@ -567,6 +567,7 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N
nodeConfig.AgentConfig.Rootless = envInfo.Rootless
nodeConfig.AgentConfig.PodManifests = filepath.Join(envInfo.DataDir, "agent", DefaultPodManifestPath)
nodeConfig.AgentConfig.ProtectKernelDefaults = envInfo.ProtectKernelDefaults
nodeConfig.AgentConfig.DisableServiceLB = envInfo.DisableServiceLB
if err := validateNetworkConfig(nodeConfig); err != nil {
return nil, err

1
pkg/agent/run.go
View File

@ -65,6 +65,7 @@ func run(ctx context.Context, cfg cmds.Agent, proxy proxy.Proxy) error {
return errors.Wrap(err, "failed to validate kube-proxy conntrack configuration")
}
syssetup.Configure(enableIPv6, conntrackConfig)
nodeConfig.AgentConfig.EnableIPv6 = enableIPv6
if err := setupCriCtlConfig(cfg, nodeConfig); err != nil {
return err

1
pkg/cli/cmds/agent.go
View File

@ -16,6 +16,7 @@ type Agent struct {
ServerURL string
APIAddressCh chan string
DisableLoadBalancer bool
DisableServiceLB bool
ETCDAgent bool
LBServerPort int
ResolvConf string

1
pkg/cli/server/server.go
View File

@ -454,6 +454,7 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
agentConfig.ServerURL = url
agentConfig.Token = token
agentConfig.DisableLoadBalancer = !serverConfig.ControlConfig.DisableAPIServer
agentConfig.DisableServiceLB = serverConfig.DisableServiceLB
agentConfig.ETCDAgent = serverConfig.ControlConfig.DisableAPIServer
agentConfig.ClusterReset = serverConfig.ControlConfig.ClusterReset

5
pkg/daemons/agent/agent_linux.go
View File

@ -168,5 +168,10 @@ func kubeletArgs(cfg *config.Agent) map[string]string {
if cfg.ProtectKernelDefaults {
argsMap["protect-kernel-defaults"] = "true"
}
if !cfg.DisableServiceLB && cfg.EnableIPv6 {
argsMap["allowed-unsafe-sysctls"] = "net.ipv6.conf.all.forwarding"
}
return argsMap
}

3
pkg/daemons/config/types.go
View File

@ -100,6 +100,8 @@ type Agent struct {
DisableNPC bool
Rootless bool
ProtectKernelDefaults bool
DisableServiceLB bool
EnableIPv6 bool
}
type Control struct {
@ -122,6 +124,7 @@ type Control struct {
ClusterDNS net.IP
ClusterDNSs []net.IP
ClusterDomain string
DisableServiceLB bool
NoCoreDNS bool
KubeConfigOutput string
KubeConfigMode string

21
pkg/servicelb/controller.go
View File

@ -351,6 +351,14 @@ func (h *handler) newDaemonSet(svc *core.Service) (*apps.DaemonSet, error) {
name := fmt.Sprintf("svclb-%s", svc.Name)
oneInt := intstr.FromInt(1)
// If ipv6 is present, we must enable ipv6 forwarding in the manifest
var ipv6Switch bool
for _, ipFamily := range svc.Spec.IPFamilies {
if ipFamily == core.IPv6Protocol {
ipv6Switch = true
}
}
ds := &apps.DaemonSet{
ObjectMeta: meta.ObjectMeta{
Name: name,
@ -398,6 +406,19 @@ func (h *handler) newDaemonSet(svc *core.Service) (*apps.DaemonSet, error) {
},
}
if ipv6Switch {
// Add security context to enable ipv6 forwarding
securityContext := &core.PodSecurityContext{
Sysctls: []core.Sysctl{
{
Name: "net.ipv6.conf.all.forwarding",
Value: "1",
},
},
}
ds.Spec.Template.Spec.SecurityContext = securityContext
}
for _, port := range svc.Spec.Ports {
portName := fmt.Sprintf("lb-port-%d", port.Port)
container := core.Container{