Allow svclb pod to enable ipv6 forwarding

Signed-off-by: Manuel Buil <mbuil@suse.com>
This commit is contained in:
Manuel Buil 2021-11-09 16:44:34 +01:00 committed by manuelbuil
parent d85b2468ea
commit 5d168a1d59
7 changed files with 33 additions and 0 deletions


@ -567,6 +567,7 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N
nodeConfig.AgentConfig.Rootless = envInfo.Rootless nodeConfig.AgentConfig.Rootless = envInfo.Rootless
nodeConfig.AgentConfig.PodManifests = filepath.Join(envInfo.DataDir, "agent", DefaultPodManifestPath) nodeConfig.AgentConfig.PodManifests = filepath.Join(envInfo.DataDir, "agent", DefaultPodManifestPath)
nodeConfig.AgentConfig.ProtectKernelDefaults = envInfo.ProtectKernelDefaults nodeConfig.AgentConfig.ProtectKernelDefaults = envInfo.ProtectKernelDefaults
nodeConfig.AgentConfig.DisableServiceLB = envInfo.DisableServiceLB
if err := validateNetworkConfig(nodeConfig); err != nil { if err := validateNetworkConfig(nodeConfig); err != nil {
return nil, err return nil, err


@ -65,6 +65,7 @@ func run(ctx context.Context, cfg cmds.Agent, proxy proxy.Proxy) error {
return errors.Wrap(err, "failed to validate kube-proxy conntrack configuration") return errors.Wrap(err, "failed to validate kube-proxy conntrack configuration")
} }
syssetup.Configure(enableIPv6, conntrackConfig) syssetup.Configure(enableIPv6, conntrackConfig)
nodeConfig.AgentConfig.EnableIPv6 = enableIPv6
if err := setupCriCtlConfig(cfg, nodeConfig); err != nil { if err := setupCriCtlConfig(cfg, nodeConfig); err != nil {
return err return err


@ -16,6 +16,7 @@ type Agent struct {
ServerURL string ServerURL string
APIAddressCh chan string APIAddressCh chan string
DisableLoadBalancer bool DisableLoadBalancer bool
DisableServiceLB bool
ETCDAgent bool ETCDAgent bool
LBServerPort int LBServerPort int
ResolvConf string ResolvConf string


@ -454,6 +454,7 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
agentConfig.ServerURL = url agentConfig.ServerURL = url
agentConfig.Token = token agentConfig.Token = token
agentConfig.DisableLoadBalancer = !serverConfig.ControlConfig.DisableAPIServer agentConfig.DisableLoadBalancer = !serverConfig.ControlConfig.DisableAPIServer
agentConfig.DisableServiceLB = serverConfig.DisableServiceLB
agentConfig.ETCDAgent = serverConfig.ControlConfig.DisableAPIServer agentConfig.ETCDAgent = serverConfig.ControlConfig.DisableAPIServer
agentConfig.ClusterReset = serverConfig.ControlConfig.ClusterReset agentConfig.ClusterReset = serverConfig.ControlConfig.ClusterReset


@ -168,5 +168,10 @@ func kubeletArgs(cfg *config.Agent) map[string]string {
if cfg.ProtectKernelDefaults { if cfg.ProtectKernelDefaults {
argsMap["protect-kernel-defaults"] = "true" argsMap["protect-kernel-defaults"] = "true"
} }
if !cfg.DisableServiceLB && cfg.EnableIPv6 {
argsMap["allowed-unsafe-sysctls"] = "net.ipv6.conf.all.forwarding"
}
return argsMap return argsMap
} }
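Review bot: The `allowed-unsafe-sysctls` value added here is a node-wide kubelet allowlist, not a grant scoped to the svclb DaemonSet: once the kubelet starts with it, any pod scheduled on the node may request `net.ipv6.conf.all.forwarding` through its own pod securityContext, and the gate `!cfg.DisableServiceLB && cfg.EnableIPv6` opens it whenever IPv6 is enabled, whether or not an IPv6 LoadBalancer service exists. That widening deserves to be visible in the code; I would put `// allowed-unsafe-sysctls is node-wide: it lets any pod on this node, not only svclb, request net.ipv6.conf.all.forwarding via its securityContext.` above the `if`. The flag takes a comma-separated list, so assigning a single-entry string here presumably replaces rather than extends any value the operator passes through their own kubelet arguments, depending on how argsMap is merged outside this hunk; worth confirming and, if so, appending to an existing entry instead. kubeletArgs begins outside the hunk.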


@ -100,6 +100,8 @@ type Agent struct {
DisableNPC bool DisableNPC bool
Rootless bool Rootless bool
ProtectKernelDefaults bool ProtectKernelDefaults bool
DisableServiceLB bool
EnableIPv6 bool
} }
type Control struct { type Control struct {
@ -122,6 +124,7 @@ type Control struct {
ClusterDNS net.IP ClusterDNS net.IP
ClusterDNSs []net.IP ClusterDNSs []net.IP
ClusterDomain string ClusterDomain string
DisableServiceLB bool
NoCoreDNS bool NoCoreDNS bool
KubeConfigOutput string KubeConfigOutput string
KubeConfigMode string KubeConfigMode string
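Review bot: The new exported fields `DisableServiceLB` and `EnableIPv6` on Agent, and `DisableServiceLB` on Control, carry no doc comment, and since `EnableIPv6` is what later decides whether the kubelet's unsafe-sysctl allowlist is widened, its meaning should be stated where it is declared. I would add `// EnableIPv6 records whether IPv6 was enabled on this node; together with DisableServiceLB it controls whether net.ipv6.conf.all.forwarding is added to the kubelet's allowed-unsafe-sysctls.` above the field, and a one-line comment on each `DisableServiceLB` saying it mirrors the server's disable-servicelb setting. Elsewhere in this commit the server-side copy is read as `serverConfig.DisableServiceLB` rather than through ControlConfig, so whether the Control field added here is the one actually consumed is not clear from the page; worth confirming so the two do not drift. The Agent struct's opening line is outside the first hunk.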


@ -351,6 +351,14 @@ func (h *handler) newDaemonSet(svc *core.Service) (*apps.DaemonSet, error) {
name := fmt.Sprintf("svclb-%s", svc.Name) name := fmt.Sprintf("svclb-%s", svc.Name)
oneInt := intstr.FromInt(1) oneInt := intstr.FromInt(1)
// If ipv6 is present, we must enable ipv6 forwarding in the manifest
var ipv6Switch bool
for _, ipFamily := range svc.Spec.IPFamilies {
if ipFamily == core.IPv6Protocol {
ipv6Switch = true
}
}
ds := &apps.DaemonSet{ ds := &apps.DaemonSet{
ObjectMeta: meta.ObjectMeta{ ObjectMeta: meta.ObjectMeta{
Name: name, Name: name,
@ -398,6 +406,19 @@ func (h *handler) newDaemonSet(svc *core.Service) (*apps.DaemonSet, error) {
}, },
} }
if ipv6Switch {
// Add security context to enable ipv6 forwarding
securityContext := &core.PodSecurityContext{
Sysctls: []core.Sysctl{
{
Name: "net.ipv6.conf.all.forwarding",
Value: "1",
},
},
}
ds.Spec.Template.Spec.SecurityContext = securityContext
}
for _, port := range svc.Spec.Ports { for _, port := range svc.Spec.Ports {
portName := fmt.Sprintf("lb-port-%d", port.Port) portName := fmt.Sprintf("lb-port-%d", port.Port)
container := core.Container{ container := core.Container{