Disable podCIDR allocation from control-plane when using calico #10639
Hi @VannTen. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/ok-to-test |
Thanks @VannTen The CI has been repaired, would you please repush it to trigger the CI again :-) |
/retest |
96fe1b6 to daee34d
Looks like the CI broke again. Could it be that too many PR pipelines at once tend to cause some overload and break the "docker+machine" executor ? |
daee34d to 259755f
Hi @VannTen The CI seems to have been fixed: https://github.com/kubernetes-sigs/kubespray/pull/10639/checks?check_run_id=18979639785 :-) |
00086d4 to c323567
Calico does not use the .spec.podCIDR field for its IP address management. Furthermore, it can cause false positives from the kube controller manager if kube_network_node_prefix and calico_pool_blocksize are unaligned, which is the case with the default shipped by kubespray. If the subnets obtained from using kube_network_node_prefix are bigger, this would result at some point in the control plane thinking it does not have subnets left for a new node, while calico will work without problems. Explicitly set a default value of false for calico_ipam_host_local to facilitate its use in templates.
They have different semantics: kube_network_node_prefix is intended to be the size of the subnet for all pods on a node, while there can be more than one calico block of the specified size (they are allocated on demand). Besides, this commit does not actually change anything, because the current code is buggy: we don't ever default to kube_network_node_prefix, since the variable is defined in the role defaults.
c323567 to be555fd
Relevant : tigera/operator#2712 |
@@ -223,7 +223,7 @@ | |||
"name": "{{ calico_pool_name }}", | |||
}, | |||
"spec": { | |||
"blockSize": {{ calico_pool_blocksize | default(kube_network_node_prefix) }}, | |||
"blockSize": {{ calico_pool_blocksize }}, |
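Review bot: on the new `"blockSize"` line the value is interpolated unquoted into the JSON with no fallback left, so the rendered pool spec is only valid if `calico_pool_blocksize` is defined and numeric at render time. Consider adding a pre-flight assertion that `calico_pool_blocksize` is defined and is an integer, so an inventory override such as an empty string fails early with a clear message instead of producing an invalid pool manifest.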
default(26) ?
That's already in defaults/main.yml, I'd rather avoid duplicating.
@@ -292,11 +292,15 @@ controllerManager: | |||
cluster-cidr: "{{ kube_pods_subnet }}{{ ',' + kube_pods_subnet_ipv6 if enable_dual_stack_networks else '' }}" | |||
{% endif %} | |||
service-cluster-ip-range: "{{ kube_service_addresses }}{{ ',' + kube_service_addresses_ipv6 if enable_dual_stack_networks else '' }}" | |||
{% if kube_network_plugin is defined and kube_network_plugin == "calico" and not calico_ipam_host_local %} | |||
allocate-node-cidrs: "false" |
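Review bot: `not calico_ipam_host_local` in the new `{% if %}` condition assumes the variable is a native boolean. A value that arrives as a string (for example `calico_ipam_host_local=false` passed as a key=value extra var) is a non-empty string and therefore truthy in Jinja2, so the branch is skipped and `allocate-node-cidrs` stays at its default. Suggest `not (calico_ipam_host_local | bool)`, and since the condition sits in the controllerManager section rather than in the Calico templates, confirm the default for `calico_ipam_host_local` is defined somewhere this template can see it.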
Do we really need this? The default value is true. I believe it won't affect the operation of calico-ipam, as calico-ipam does not allocate addresses from node.PodCIDR; it allocates from blocks it creates on its own. These two are not correlated.
It does not affect calico, it affects kube-controller-manager.
The current kubespray defaults are kube_network_node_prefix = 24 and calico_pool_blocksize = 26.
We faced the following situation during upgrade (described in projectcalico/calico#7722).
While calico is fine, the controller-manager thinks it has no more cidrs to allocate, and gives the node the CIDRNotAvailable condition.
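The mismatch described in this thread, as an added example that is not part of the PR or of kubespray: a simplified model of the two allocators, using the prefix 24 and block size 26 quoted above. The pod subnet `10.233.64.0/18`, the 110 pods per node and all function names are assumptions made for the illustration.

```python
import ipaddress


def simulate(pods_subnet, node_prefix, block_size, pods_per_node, nodes):
    """Model both allocators for `nodes` nodes of `pods_per_node` pods each."""
    net = ipaddress.ip_network(pods_subnet)
    # kube-controller-manager with allocate-node-cidrs=true hands out exactly
    # one fixed subnet of size /node_prefix per node, whether it is used or not.
    node_cidrs = net.subnets(new_prefix=node_prefix)
    # Calico IPAM (simplified): blocks of /block_size are claimed on demand,
    # and a node takes as many blocks as its pods need.
    total_blocks = 2 ** (block_size - net.prefixlen)
    ips_per_block = 2 ** (net.max_prefixlen - block_size)
    blocks_per_node = -(-pods_per_node // ips_per_block)  # ceiling division
    report, blocks_used = [], 0
    for index in range(1, nodes + 1):
        cidr = next(node_cidrs, None)
        calico_ok = blocks_used + blocks_per_node <= total_blocks
        if calico_ok:
            blocks_used += blocks_per_node
        report.append({
            "node": index,
            "podCIDR": str(cidr) if cidr else None,
            "CIDRNotAvailable": cidr is None,  # the condition seen in the thread
            "calico_ok": calico_ok,
        })
    return report


def false_positives(report):
    """Nodes flagged CIDRNotAvailable although Calico can still address their pods."""
    return [r["node"] for r in report if r["CIDRNotAvailable"] and r["calico_ok"]]


if __name__ == "__main__":
    # Constructed input: assumed /18 pod subnet, 70 nodes, 110 pods per node.
    result = simulate("10.233.64.0/18", 24, 26, 110, 70)
    print("false CIDRNotAvailable on nodes:", false_positives(result))
```

In this model the /18 yields 64 node subnets of size /24 but 256 Calico blocks of size /26, so every node after the 64th is reported as CIDRNotAvailable while Calico still has free blocks.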
/cc @EppO @cyclinder @mzaian |
sorry for delay, it looks lgtm for now, need ack for other reviewers. |
Thanks @VannTen
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mzaian, VannTen The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
…rnetes-sigs#10639)
* Disable control plane allocating podCIDR for nodes when using calico
  Calico does not use the .spec.podCIDR field for its IP address management. Furthermore, it can cause false positives from the kube controller manager if kube_network_node_prefix and calico_pool_blocksize are unaligned, which is the case with the default shipped by kubespray. If the subnets obtained from using kube_network_node_prefix are bigger, this would result at some point in the control plane thinking it does not have subnets left for a new node, while calico will work without problems. Explicitly set a default value of false for calico_ipam_host_local to facilitate its use in templates.
* Don't default to kube_network_node_prefix for calico_pool_blocksize
  They have different semantics: kube_network_node_prefix is intended to be the size of the subnet for all pods on a node, while there can be more than one calico block of the specified size (they are allocated on demand). Besides, this commit does not actually change anything, because the current code is buggy: we don't ever default to kube_network_node_prefix, since the variable is defined in the role defaults.
…) (#10715)
* Disable control plane allocating podCIDR for nodes when using calico
  Calico does not use the .spec.podCIDR field for its IP address management. Furthermore, it can cause false positives from the kube controller manager if kube_network_node_prefix and calico_pool_blocksize are unaligned, which is the case with the default shipped by kubespray. If the subnets obtained from using kube_network_node_prefix are bigger, this would result at some point in the control plane thinking it does not have subnets left for a new node, while calico will work without problems. Explicitly set a default value of false for calico_ipam_host_local to facilitate its use in templates.
* Don't default to kube_network_node_prefix for calico_pool_blocksize
  They have different semantics: kube_network_node_prefix is intended to be the size of the subnet for all pods on a node, while there can be more than one calico block of the specified size (they are allocated on demand). Besides, this commit does not actually change anything, because the current code is buggy: we don't ever default to kube_network_node_prefix, since the variable is defined in the role defaults.
The phrasing of the release note didn't really make sense to me (our current value is undefined, aka non-true, so why would we need to change it to true?). Then I had a closer look at the previous behaviour of
It had the surprising and unusual result that if calico_ipam_host_local was defined as any value, even false (!!), it would enable the host local IPAM mode. With that in mind it makes sense to interpret the release note as "users who were relying on enabling host local mode by using a non-true value for calico_ipam_host_local will need to explicitly change it to Anyway thanks for fixing this! |
What type of PR is this?
/kind bug
What this PR does / why we need it:
Calico does not use the .spec.podCIDR field for its IP address
management.
Furthermore, it can cause false positives from the kube controller manager if
kube_network_node_prefix and calico_pool_blocksize are unaligned, which
is the case with the default shipped by kubespray.
If the subnets obtained from using kube_network_node_prefix are bigger,
this would result at some point in the control plane thinking it does
not have subnets left for a new node, while calico will work without
problems.
Which issue(s) this PR fixes:
Not in this repo, but it avoids the issue described here projectcalico/calico#7722
Closes #9843
Special notes for your reviewer:
Does this PR introduce a user-facing change?: