Allow svclb pod to enable ipv6 forwarding

Signed-off-by: Manuel Buil <mbuil@suse.com>
2024-06-07 19:41:36 +00:00 · 2021-11-09 16:44:34 +01:00 · 2021-11-09 16:44:34 +01:00 · 5d168a1d59
commit 5d168a1d59
parent d85b2468ea
7 changed files with 33 additions and 0 deletions
--- a/pkg/agent/config/config.go
+++ b/pkg/agent/config/config.go
@ -567,6 +567,7 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N
 	nodeConfig.AgentConfig.Rootless = envInfo.Rootless
 	nodeConfig.AgentConfig.PodManifests = filepath.Join(envInfo.DataDir, "agent", DefaultPodManifestPath)
 	nodeConfig.AgentConfig.ProtectKernelDefaults = envInfo.ProtectKernelDefaults
 	nodeConfig.AgentConfig.DisableServiceLB = envInfo.DisableServiceLB
 	if err := validateNetworkConfig(nodeConfig); err != nil {
 		return nil, err
--- a/pkg/agent/run.go
+++ b/pkg/agent/run.go
@ -65,6 +65,7 @@ func run(ctx context.Context, cfg cmds.Agent, proxy proxy.Proxy) error {
 		return errors.Wrap(err, "failed to validate kube-proxy conntrack configuration")
 	}
 	syssetup.Configure(enableIPv6, conntrackConfig)
 	nodeConfig.AgentConfig.EnableIPv6 = enableIPv6
 	if err := setupCriCtlConfig(cfg, nodeConfig); err != nil {
 		return err
--- a/pkg/cli/cmds/agent.go
+++ b/pkg/cli/cmds/agent.go
@ -16,6 +16,7 @@ type Agent struct {
 	ServerURL                string
 	APIAddressCh             chan string
 	DisableLoadBalancer      bool
 	DisableServiceLB         bool
 	ETCDAgent                bool
 	LBServerPort             int
 	ResolvConf               string
--- a/pkg/cli/server/server.go
+++ b/pkg/cli/server/server.go
@ -454,6 +454,7 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 	agentConfig.ServerURL = url
 	agentConfig.Token = token
 	agentConfig.DisableLoadBalancer = !serverConfig.ControlConfig.DisableAPIServer
 	agentConfig.DisableServiceLB = serverConfig.DisableServiceLB
 	agentConfig.ETCDAgent = serverConfig.ControlConfig.DisableAPIServer
 	agentConfig.ClusterReset = serverConfig.ControlConfig.ClusterReset
--- a/pkg/daemons/agent/agent_linux.go
+++ b/pkg/daemons/agent/agent_linux.go
@ -168,5 +168,10 @@ func kubeletArgs(cfg *config.Agent) map[string]string {
 	if cfg.ProtectKernelDefaults {
 		argsMap["protect-kernel-defaults"] = "true"
 	}
 	if !cfg.DisableServiceLB && cfg.EnableIPv6 {
 		argsMap["allowed-unsafe-sysctls"] = "net.ipv6.conf.all.forwarding"
 	}
 	return argsMap
 }
--- a/pkg/daemons/config/types.go
+++ b/pkg/daemons/config/types.go
@ -100,6 +100,8 @@ type Agent struct {
 	DisableNPC              bool
 	Rootless                bool
 	ProtectKernelDefaults   bool
 	DisableServiceLB        bool
 	EnableIPv6              bool
 }
 type Control struct {
@ -122,6 +124,7 @@ type Control struct {
 	ClusterDNS               net.IP
 	ClusterDNSs              []net.IP
 	ClusterDomain            string
 	DisableServiceLB         bool
 	NoCoreDNS                bool
 	KubeConfigOutput         string
 	KubeConfigMode           string
--- a/pkg/servicelb/controller.go
+++ b/pkg/servicelb/controller.go
@ -351,6 +351,14 @@ func (h *handler) newDaemonSet(svc *core.Service) (*apps.DaemonSet, error) {
 	name := fmt.Sprintf("svclb-%s", svc.Name)
 	oneInt := intstr.FromInt(1)
 	// If ipv6 is present, we must enable ipv6 forwarding in the manifest
 	var ipv6Switch bool
 	for _, ipFamily := range svc.Spec.IPFamilies {
 		if ipFamily == core.IPv6Protocol {
 			ipv6Switch = true
 		}
 	}
 	ds := &apps.DaemonSet{
 		ObjectMeta: meta.ObjectMeta{
 			Name:      name,
@ -398,6 +406,19 @@ func (h *handler) newDaemonSet(svc *core.Service) (*apps.DaemonSet, error) {
 		},
 	}
 	if ipv6Switch {
 		// Add security context to enable ipv6 forwarding
 		securityContext := &core.PodSecurityContext{
 			Sysctls: []core.Sysctl{
 				{
 					Name:  "net.ipv6.conf.all.forwarding",
 					Value: "1",
 				},
 			},
 		}
 		ds.Spec.Template.Spec.SecurityContext = securityContext
 	}
 	for _, port := range svc.Spec.Ports {
 		portName := fmt.Sprintf("lb-port-%d", port.Port)
 		container := core.Container{