update DaemonSet to use host network

[jipperinbham]

addresses #43

[mitchellh]

Hey @jipperinbham, thanks. I am kind of curious why this is necessary as its not super clear to me.

I've previously understood hostNetwork as exposing the host network interfaces into the pod. However, we use hostPort instead which should only expose a single port and bind it to the host IP. These two seem to be separate functionality, and I'm not sure why we want the former.

The Kubernetes networking model1 also states that all containers should be able to communicate to their nodes (and vice versa) without NAT, point 2. We tested this daemonset on a variety of K8S installations and found it to work without issue, without this change.

So my question is: why isn't port 8500 properly binding and accessible to the host IP by setting hostPort alone? Why is hostNetwork necessary as well?

[jipperinbham]

Ok, I think I've found out what is going on. aws/amazon-vpc-cni-k8s#132 states hostPort will not work and it's the CNI plugin I'm using an what I imagine to be the default for EKS.

Given this, would you think an additional option in the values.yaml would be acceptable to toggle the behavior?

[mitchellh]

Yes, I think that'd be acceptable. Thanks for digging into this.

I'm curious if hostNetwork is more broadly supported than hostPort. If so, then just using hostNetwork by default might make sense too. But let's cross that bridge a different time. A toggle for now would be great.

[jipperinbham]

Ok, I've updated the PR to make hostNetwork be opt-in.

As far as the use of hostNetwork in the broader sense, IMO, the use case of running a DaemonSet where you want the Pod to be accessible over a defined port(s) is when it's typically used. I did a naive search of the main helm charts repo but it's hard to say one way or another if it's used more broadly in the community.

[Art3mK]

hostPort works ok for me on EKS with VPC CNI. They have added hostPort support recently, see
aws/amazon-vpc-cni-k8s/pull/153

[adilyse]

Following up on this-- @jipperinbham, does the fix @Art3mK mentioned make the current hostPort implementation work for you?

[jipperinbham]

I haven't been able to test it but good to know it's likely fixed. Since this is an "opt-in" change, is it an issue to make it an option?

[adilyse]

In an effort to keep the helm chart understandable and easy to use, we'd like to be judicious about which configuration values we add. If your underlying issue has been solved by AWS, I would prefer not to add this option at this point in time.

If things change in the future, we can always revisit that decision.

[maskshell]

#194

[hashicorp-cla]

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

_{Have you signed the CLA already but the status is still pending? Recheck it.}

[jipperinbham]

Closed this one since it's quite out of date and I can't really sign the CLA for these changes at this point.