Add possibility to disable kube-proxy #2088
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
Welcome @brb! |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @brb. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
size/M
This commit introduces the new kube-proxy mode "none" which is used to disable kube-proxy when provisioning (via kubeadm init's skip-phase=addon/kube-proxy). The motivation for the change is to use Kind for testing Cilium's kube-proxy replacement [1]. [1]: https://docs.cilium.io/en/v1.9/gettingstarted/kubeproxy-free/ Signed-off-by: Martynas Pumputis <[email protected]>
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
pkg/internal/apis/config/types.go
Outdated
| @@ -167,6 +167,8 @@ const ( | |||
| IPTablesMode ProxyMode = "iptables" | |||
| // IPVSMode sets ProxyMode to iptables | |||
| IPVSMode ProxyMode = "ipvs" | |||
| // NoneMode disables kube-proxy | |||
| NoneMode ProxyMode = "none" | |||
There was a problem hiding this comment.
what is the alternative value of this field?
if "" implies kube-proxy mode this should be reflected in a comment above.
for the API change, as is, this could be useful if one day kind decides to implement it's own proxy ALA Cilium.
adding another ProxyMode.
but if there are no plans for that and if the demand to skip kube-proxy is not high, the better alternative would have been to configure this via kubeadm's v1beta3 ClusterConfiguration.
of course, a couple of problems with that are:
- kubeadm v1beta3 is not ready yet, but this exact skip phases feature is tracked here
- it would only work with kubeadm / k8s latest
a more flexible feature in kind would be to allow passing extra args to the kubeadm init/join commands the same way kubeadm allows passing such to the kubelet / control-plane. as per how cobra, go's CLI works, subsequent flags with the same key would override prior ones.
There was a problem hiding this comment.
what is the alternative value of this field?
if "" implies kube-proxy mode this should be reflected in a comment above.
"" implies iptables mode.
but if there are no plans for that and if the demand to skip kube-proxy is not high, the better alternative would have been to configure this via kubeadm's v1beta3 ClusterConfiguration.
Once it's ready, we can change the way we disable kube-proxy.
but if there are no plans for that and if the demand to skip kube-proxy is not high, the better alternative would have been to configure this via kubeadm's v1beta3 ClusterConfiguration.
If we need to pass more flags to kubeadm, then it makes sense. At the moment, it's only one flag.
There was a problem hiding this comment.
for the API of this field I think it should be
- "iptables" : default value
- "ipvs"
- "none"
if there are other proxies they should provide their installation, same we are doing with the cni
a more flexible feature in kind would be to allow passing extra args to the kubeadm init/join commands the same way kubeadm allows passing such to the kubelet / control-plane. as per how cobra, go's CLI works, subsequent flags with the same key would override prior ones.
I think we already discussed this in another issue 🤔
There was a problem hiding this comment.
a more flexible feature in kind would be to allow passing extra args to the kubeadm init/join commands the same way kubeadm allows passing such to the kubelet / control-plane. as per how cobra, go's CLI works, subsequent flags with the same key would override prior ones.
kubelet etc though are moving away from this in favor of config, which also seems to be the case for kubeadm (phases in v1beta3), I don't think we should promote reliance on dependency flags versus structured configuration.
There was a problem hiding this comment.
flags are indeed the riskier option.
|
The CI failure seems to be unrelated: |
There was a problem hiding this comment.
Ordinarily I'd ask that a feature request issue be filed first per our contributing guide 1
This feature seems relatively straightforward and well contained within the existing API surface though.
In concept this seems reasonable enough to support, and difficult to work around cleanly without it 👍
Some nits (see comments)
pkg/internal/apis/config/types.go
Outdated
| @@ -167,6 +167,8 @@ const ( | |||
| IPTablesMode ProxyMode = "iptables" | |||
| // IPVSMode sets ProxyMode to iptables | |||
| IPVSMode ProxyMode = "ipvs" | |||
| // NoneMode disables kube-proxy | |||
| NoneMode ProxyMode = "none" | |||
There was a problem hiding this comment.
a more flexible feature in kind would be to allow passing extra args to the kubeadm init/join commands the same way kubeadm allows passing such to the kubelet / control-plane. as per how cobra, go's CLI works, subsequent flags with the same key would override prior ones.
kubelet etc though are moving away from this in favor of config, which also seems to be the case for kubeadm (phases in v1beta3), I don't think we should promote reliance on dependency flags versus structured configuration.
This changes {IPTables,IPVS,None}Mode => {IPTables,IPVS,None}ProxyMode
for the sake of readability.
Suggested-by: Benjamin Elder <[email protected]>
Signed-off-by: Martynas Pumputis <[email protected]>
|
@BenTheElder I addressed your comment. PTAL. |
|
Both CI failures above look unrelated to my changes. |
There was a problem hiding this comment.
/lgtm
/approve
thanks for your patience, it's been super busy with code freeze in kubernetes and kubernetes/kubernetes#99561
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: BenTheElder, brb The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
lgtm
|
dockerhub rate limits on github actions flake on 1.19 |
50seconds latency for endpoints is not a healthy environment to run e2e tests |
|
@brb: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
This commit introduces the new kube-proxy mode "none" which is used
to disable kube-proxy when provisioning (via kubeadm init's
skip-phase=addon/kube-proxy).
The motivation for the change is to use Kind for testing Cilium's
kube-proxy replacement [1].
[1]: https://docs.cilium.io/en/v1.9/gettingstarted/kubeproxy-free/