From 5d168a1d59d445c5afcaa99c853a49628019a40e Mon Sep 17 00:00:00 2001
From: Manuel Buil
Date: Tue, 9 Nov 2021 16:44:34 +0100
Subject: [PATCH] Allow svclb pod to enable ipv6 forwarding
Signed-off-by: Manuel Buil
---
 pkg/agent/config/config.go | 1 +
 pkg/agent/run.go | 1 +
 pkg/cli/cmds/agent.go | 1 +
 pkg/cli/server/server.go | 1 +
 pkg/daemons/agent/agent_linux.go | 5 +++++
 pkg/daemons/config/types.go | 3 +++
 pkg/servicelb/controller.go | 21 +++++++++++++++++++++
 7 files changed, 33 insertions(+)
diff --git a/pkg/agent/config/config.go b/pkg/agent/config/config.go
index b148d36862..c891ff0a6d 100644
--- a/pkg/agent/config/config.go
+++ b/pkg/agent/config/config.go
@@ -567,6 +567,7 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N
 	nodeConfig.AgentConfig.Rootless = envInfo.Rootless
 	nodeConfig.AgentConfig.PodManifests = filepath.Join(envInfo.DataDir, "agent", DefaultPodManifestPath)
 	nodeConfig.AgentConfig.ProtectKernelDefaults = envInfo.ProtectKernelDefaults
+	nodeConfig.AgentConfig.DisableServiceLB = envInfo.DisableServiceLB
 
 	if err := validateNetworkConfig(nodeConfig); err != nil {
 		return nil, err
diff --git a/pkg/agent/run.go b/pkg/agent/run.go
index 6f9d6cb749..4ea4cdd6c5 100644
--- a/pkg/agent/run.go
+++ b/pkg/agent/run.go
@@ -65,6 +65,7 @@ func run(ctx context.Context, cfg cmds.Agent, proxy proxy.Proxy) error {
 		return errors.Wrap(err, "failed to validate kube-proxy conntrack configuration")
 	}
 	syssetup.Configure(enableIPv6, conntrackConfig)
+	nodeConfig.AgentConfig.EnableIPv6 = enableIPv6
 
 	if err := setupCriCtlConfig(cfg, nodeConfig); err != nil {
 		return err
diff --git a/pkg/cli/cmds/agent.go b/pkg/cli/cmds/agent.go
index 3ed4287465..0bdf24c034 100644
--- a/pkg/cli/cmds/agent.go
+++ b/pkg/cli/cmds/agent.go
@@ -16,6 +16,7 @@ type Agent struct {
 	ServerURL string
 	APIAddressCh chan string
 	DisableLoadBalancer bool
+	DisableServiceLB bool
 	ETCDAgent bool
 	LBServerPort int
 	ResolvConf string
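Review bot: The new `DisableServiceLB` field on `cmds.Agent` is written from exactly one place in this patch, the embedded-agent path in pkg/cli/server/server.go; no agent CLI flag populates it, so on a standalone agent node it keeps its zero value (false) unless something outside this diff sets it. Together with the check added in pkg/daemons/agent/agent_linux.go, that would leave the unsafe sysctl allowed on agent nodes even when the server runs with servicelb disabled, which is presumably not intended. A doc comment on the field would make the data flow explicit, e.g. `// DisableServiceLB is copied from the server's DisableServiceLB setting when the agent runs embedded in a server; it is not a separate agent option.` The `Agent` struct starts before this hunk.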
diff --git a/pkg/cli/server/server.go b/pkg/cli/server/server.go
index 843fb09c33..29b82d9981 100644
--- a/pkg/cli/server/server.go
+++ b/pkg/cli/server/server.go
@@ -454,6 +454,7 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 	agentConfig.ServerURL = url
 	agentConfig.Token = token
 	agentConfig.DisableLoadBalancer = !serverConfig.ControlConfig.DisableAPIServer
+	agentConfig.DisableServiceLB = serverConfig.DisableServiceLB
 	agentConfig.ETCDAgent = serverConfig.ControlConfig.DisableAPIServer
 	agentConfig.ClusterReset = serverConfig.ControlConfig.ClusterReset
 
diff --git a/pkg/daemons/agent/agent_linux.go b/pkg/daemons/agent/agent_linux.go
index e2af3aee52..2ad12bb03f 100644
--- a/pkg/daemons/agent/agent_linux.go
+++ b/pkg/daemons/agent/agent_linux.go
@@ -168,5 +168,10 @@ func kubeletArgs(cfg *config.Agent) map[string]string {
 	if cfg.ProtectKernelDefaults {
 		argsMap["protect-kernel-defaults"] = "true"
 	}
+
+	if !cfg.DisableServiceLB && cfg.EnableIPv6 {
+		argsMap["allowed-unsafe-sysctls"] = "net.ipv6.conf.all.forwarding"
+	}
+
 	return argsMap
 }
diff --git a/pkg/daemons/config/types.go b/pkg/daemons/config/types.go
index 5d50fa492a..915d121816 100644
--- a/pkg/daemons/config/types.go
+++ b/pkg/daemons/config/types.go
@@ -100,6 +100,8 @@ type Agent struct {
 	DisableNPC bool
 	Rootless bool
 	ProtectKernelDefaults bool
+	DisableServiceLB bool
+	EnableIPv6 bool
 }
 
 type Control struct {
@@ -122,6 +124,7 @@ type Control struct {
 	ClusterDNS net.IP
 	ClusterDNSs []net.IP
 	ClusterDomain string
+	DisableServiceLB bool
 	NoCoreDNS bool
 	KubeConfigOutput string
 	KubeConfigMode string
diff --git a/pkg/servicelb/controller.go b/pkg/servicelb/controller.go
index 8ba2bfd826..7f89052fb1 100644
--- a/pkg/servicelb/controller.go
+++ b/pkg/servicelb/controller.go
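Review bot: `allowed-unsafe-sysctls` is a node-wide kubelet setting, so the assignment added in kubeletArgs permits every pod scheduled onto the node to request `net.ipv6.conf.all.forwarding`, not just the svclb DaemonSet; from then on the cluster's pod admission policy is the only thing constraining who sets it, and the `if` deserves a comment saying so. The map entry is also a single fixed value: if an operator already passes their own `allowed-unsafe-sysctls` through the kubelet extra args, the merge that happens outside this hunk will let one of the two win (presumably the operator's), and the svclb pod would then be rejected on that node for a forbidden sysctl — worth confirming, and appending to an existing value rather than overwriting would avoid it. Suggested comment above the `if`: `// Node-wide allowance: any pod on this node may now request this sysctl. The svclb DaemonSet needs it for IPv6 forwarding (see pkg/servicelb/controller.go).`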
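Review bot: The three new exported fields in pkg/daemons/config/types.go have no doc comments, and `EnableIPv6` differs from its neighbours in a way the struct does not show: in this patch it is assigned at runtime in pkg/agent/run.go right after `syssetup.Configure`, not from configuration. Suggest `// EnableIPv6 is set by the agent at startup (pkg/agent/run.go), not from a user option.` on the `Agent` field and `// DisableServiceLB mirrors the server's DisableServiceLB setting so the kubelet can be configured for the svclb DaemonSet.` on both `DisableServiceLB` fields. Both structs start before their hunks.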
@@ -351,6 +351,14 @@ func (h *handler) newDaemonSet(svc *core.Service) (*apps.DaemonSet, error) {
 	name := fmt.Sprintf("svclb-%s", svc.Name)
 	oneInt := intstr.FromInt(1)
 
+	// If ipv6 is present, we must enable ipv6 forwarding in the manifest
+	var ipv6Switch bool
+	for _, ipFamily := range svc.Spec.IPFamilies {
+		if ipFamily == core.IPv6Protocol {
+			ipv6Switch = true
+		}
+	}
+
 	ds := &apps.DaemonSet{
 		ObjectMeta: meta.ObjectMeta{
 			Name: name,
@@ -398,6 +406,19 @@ func (h *handler) newDaemonSet(svc *core.Service) (*apps.DaemonSet, error) {
 		},
 	}
 
+	if ipv6Switch {
+		// Add security context to enable ipv6 forwarding
+		securityContext := &core.PodSecurityContext{
+			Sysctls: []core.Sysctl{
+				{
+					Name: "net.ipv6.conf.all.forwarding",
+					Value: "1",
+				},
+			},
+		}
+		ds.Spec.Template.Spec.SecurityContext = securityContext
+	}
+
 	for _, port := range svc.Spec.Ports {
 		portName := fmt.Sprintf("lb-port-%d", port.Port)
 		container := core.Container{
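Review bot: The loop over `svc.Spec.IPFamilies` keeps iterating after it has found `core.IPv6Protocol`; it is a membership test, so `ipv6Switch = true` should be followed by `break`, and a name like `hasIPv6` would say what the variable records. The comment "we must enable ipv6 forwarding in the manifest" also hides a coupling: the matching kubelet-side allowance in pkg/daemons/agent/agent_linux.go is gated on the node's `EnableIPv6`, not on the service's IP families, so a service with an IPv6 family scheduled onto a node where that flag is false would presumably have its svclb pod rejected for a forbidden sysctl — worth a sentence here or in the commit description. newDaemonSet continues past the end of this hunk.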
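Review bot: `ds.Spec.Template.Spec.SecurityContext = securityContext` replaces the pod security context wholesale; if the DaemonSet literal built above (its middle is outside this hunk) already sets one, its existing fields or sysctls are dropped silently. Initialising the context only when it is nil and appending the sysctl keeps whatever is already there at no extra cost. The comment should also record the dependency that makes this work: the kubelet on every node running the DaemonSet must list the sysctl in allowed-unsafe-sysctls (which the agent_linux.go hunk does when `EnableIPv6` is set), otherwise the pod is rejected rather than scheduled without forwarding.
```go
	if ipv6Switch {
		// Enable ipv6 forwarding for the svclb pod. The kubelet on each node must
		// allow this sysctl (see kubeletArgs in pkg/daemons/agent/agent_linux.go),
		// otherwise the pod is rejected.
		if ds.Spec.Template.Spec.SecurityContext == nil {
			ds.Spec.Template.Spec.SecurityContext = &core.PodSecurityContext{}
		}
		ds.Spec.Template.Spec.SecurityContext.Sysctls = append(
			ds.Spec.Template.Spec.SecurityContext.Sysctls,
			core.Sysctl{Name: "net.ipv6.conf.all.forwarding", Value: "1"},
		)
	}
	// … unchanged: per-port container loop …
```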