Add revised IPv4/IPv6 dual stack KEP

[lachie83]

Fixes #563

This PR adds to the great work in #648. Specifically we have expanded the scope of authors in include community members that have expressed interest in helping with the KEP and implementation.

At PR submission the following changes have been made to the KEP in #648:

• Add new authors
• Update last-updated
• Add Implementation Plan section

/cc @leblancd @rpothier @khenidak @feiskyer @thockin

[k8s-ci-robot]

@lachie83: GitHub didn't allow me to request PR reviews from the following users: leblancd, rpothier.

Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

Fixes #563

This PR adds to the great work in #648. Specifically we have expanded the scope of authors in include community members that have expressed interest in helping with the KEP and implementation.

At PR submission the following changes have been made to the KEP in #648:

• Add new authors
• Update last-updated
• Add Implementation Plan section

/cc @leblancd @rpothier @khenidak @feiskyer @thockin

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[lachie83]

If we are in agreement that the work continue on this PR then we should address all outstanding comments in #648 then update issue #563 to reference this PR

[thockin]

Yes, please..

@leblancd @rpothier FYI

[khenidak]

I think i had this as an offline discussion with @lachie83, so re-sharing here. There is an impact on node struct and kubenet ipam et al , right now node struct has one field for cidr, with this design it should have a similar approach to pod.ip as described here https://github.com/kubernetes/enhancements/pull/808/files#diff-df06b6d8f252f5f3711baaaf155ed3eaR193

[lachie83]

Associated PR kubernetes/kubernetes#73977

[lachie83]

Current unresolved comments from previous KEP PR:

• Add IPv4/IPv6 dual stack KEP #648 (comment)

We should probably change this to CIDRs and assume that "no size portion" == "/32"

• Add IPv4/IPv6 dual stack KEP #648 (comment)

This is my least favorite part of this KEP. I'd rather we not do this for now and instead add full support via something like a new ipFamily field either for the whole service (including cluster IP) or even per-port. Semantics of it TBD, since I am advocating punting.

• Add IPv4/IPv6 dual stack KEP #648 (comment)

How will we want this to work if/when we support dual-stack service IPs?

[lachie83]

@thockin - I believe this is ready for another review. I'm punting on the implementation details TBD for both Single-family services and Muti-family services in order to proceed with the first phase of "pod-to-pod dual-stack routing and non-vip services" as detailed in the implementation plan.

Following a clean review I would like to merge then proceed with the creation of a PR to set the status of this KEP to implementable.

[lachie83]

@aojea - Should I add you as an author of this KEP as well?

[aojea]

@aojea - Should I add you as an author of this KEP as well?

Thanks @lachie83 , but I don't think I've done enough merits 😅

[aojea]

I'm working in adding IPv6 support to kind and I plan to add jobs to test IPv6 and DualStack scenarios later with kind

kubernetes-sigs/kind#348

[lachie83]

Will add this to the KEP

[aojea]

currently in kubeadm if the advertiseAddress is empty it takes the first IPv4 address
Looking at the code, we are giving priority to IPv4 over IPv6 , do we need to change this behavior?
If affirmative, this makes me think about all the defaults option of the different components (kubelet --address and --healthz-bind-address , ...) that IMHO it is too big to define in this KEP.

Should we add a section to define what will be the configuration options default behavior for ip addresses?, i.e..

### Configuration options defaults

For all the configuration options that require an IP address or Subnet, in case this option is not provided or set, it should look equally for both IPv4 and IPv6 addresses or networks.

[neolit123]

Looking at the code, we are giving priority to IPv4 over IPv6 , do we need to change this behavior?

no, we cannot. ipv4 should still take precedence over ipv6.
ipv6 needs to be explicit.

from the KEP:

The kubeadm configuration options for advertiseAddress and podSubnet will need to be changed to handle a comma-separated list of CIDRs:

ideally, this has to be discussed during a kubeadm office hours meeting before jumping into PRs.
https://docs.google.com/document/d/130_kiXjG7graFNSnIAgtMS1G8zPDwpkshgfRYS0nggo/edit

overall dual stack is out-of-scope for the kubeadm team for this cycle, because we are overbooked.

[khenidak]

true, it is too big to define in one KEP.
The KEP does not prioritize one family over another. as a matter of fact users will be able to define ip cidrs in any order they like. This means i can doipv6,ipv4 or ipv4,ipv6. for kubeadm it can still work provisioning a single family clusters even when this change is PRed. But for dual stack some options and behaviors will have to change. These changes are unlikely to be needed in 1.14 or 1.15.

I am happy to jump in and discuss in kubeadm office hours.

[lachie83]

Thanks @neolit123. The current plan is that once we have support for dual-stack in core Kubernetes with the appropriate documentation we will focus on helping the tooling ecosystem get onboard. In the case of kubeadm this might be a little different if it's absolutely necessary for the purposes of testing. We will be sure to show up at the office hours and determine the best course of action in close consult with the team that works on kubeadm.

[dcbw]

"per node maximum"?

[dcbw]

I feel like there's gotta a better way to do this than asking app devs to specify an IP family (even if there is a default). What will that default be anyway, v4?

Can we just health-check both v4 and v6 and if at least one responds call the pod healthy?

[aojea]

seems that IPv4 is the default if you look at the code of the different components #808 (comment)

[thockin]

I agree that forcing end-users to do something here should be the exception.The default should probably be to probe both, but that would not be backwards compatible. Probing and accepting either is probably max compatible. For users who need both, a field might be OK

[dcbw]

To be fair it's really the CRI that does this, not Kubernetes itself. So dockershim/CRI-O/etc are the things that need to transmit the multiple IPs back to kubelet via the CRI API.

[feiskyer]

Since dockershim is in-tree, the feature is still depending on CRI/CNI to support multiple IPs.

[aojea]

It seems the goal is to move dockershim out-of-tree in 1.18 #866, @dcbw do you think that this KEP can be affected by the deprecation plan https://github.com/kubernetes/enhancements/pull/866/files#diff-8e35fdc72dca61e8e5f9c0ebe13ffd33R95 ?

[dcbw]

Do we want to have the same kind of "IP + metadata" that we have for PodIPs? Seems like that would be useful here too.

[aojea]

the metadata option for PodIPs has a use case

refer to the "Properties" map below) will not be used by the dual-stack feature, but is added as a placeholder for future enhancements, e.g. to allow CNI network plugins to indicate to which physical network that an IP is associated

I can´t envision any use case for a metadata field in this case with IP endpoints but I think that we should add an example if we want to add it.

[thockin]

@dcbw - do you have concrete use cases? Remember that most endpoints objects are auto-created by the controller

[dcbw]

Could you clarify the "second proxier interface"? Would it be cleaner to just build both v4 and v6 iptables rules while processing each ServicePort and then do two restores at the same time (one for v4 and one for v6) when the service map is done being processed?

[uablrek]

I think "Two proxier instances" would be a better description. The proxier is already instantiated either for ipv4 or ipv6. In dual-stack the cleanest way is to instantiate both. Perhaps with a "meta proxier" in between hiding the instances and calls one or the other or both depending on setup. As a side remark, the ipv4 and ipv6 operations are disjunkt and can be executed simultaneously.

If not having two proxier instances you would get something like;

  if ipv4Enabled {
    // Setup ipv4 stuff
  }
  if ipv6Enabled {
    // Setup ipv6 stuff
  }

all over the place, a construct that should be avoided. @dcbw I don't think this is what you suggest but just to clearify.

[thockin]

As above, I think dual-stack kube-proxy can push to phse 2 (or 1.5 -- after all the work and testing for phase 1)

[khenidak]

couple of things to add here

• Internal to kubernetes types: Section "Awareness of Multiple IPs per Pod" shades a little light on an interesting problem. So let me expand: CNI provides list of ips and their versions. Kubernetes just choose to ignore this and use a single IP. This means this struct Will need to follow the pod.Pod ip style of primary IP as is, and another slice of IPs, having Pod.IPs[0] == Pod.IP to look like the following

type PodNetworkStatus struct {
	metav1.TypeMeta `json:",inline"`

	// IP is the primary ipv4/ipv6 address of the pod. Among other things it is the address that -
	//   - kube expects to be reachable across the cluster
	//   - service endpoints are constructed with
	//   - will be reported in the PodStatus.PodIP field (will override the IP reported by docker)
	IP net.IP `json:"ip" description:"Primary IP address of the pod"`
        IPs  []net.IP `json:"ips" description:"list of ips"`
}

CNI as of today does not provide additional metadata to the IP. So this Properties field - speced in this KEP - will be empty until CNI spec includes properties. Although in theory we can copy the interface name, gateway etc. into this Properties map.

• Required changes to CRI: The PLEG loop + status manager of kubelet makes an extensive use of PodSandboxStatus call to wire up PodIP to api server, as a patch call to Pod Resources. The problem with this is the response message wraps PodSandboxNetworkStatus struct . And this struct only carries one IP. And will have to change similar to the change described above. I am in the process of reaching out CRI folks to start the discussion to become

type PodSandboxNetworkStatus struct {
	// IP address of the PodSandbox.
	Ip string `protobuf:"bytes,1,opt,name=ip,proto3" json:"ip,omitempty"`
        Ips []string `protobuf:"bytes,1,opt,name=ip,proto3" json:"ip,omitempty"`
}

@thockin @lachie83

Also @justaugustus who wanted to know about this KEP

[feiskyer]

Required changes to CRI: The PLEG loop + status manager of kubelet makes an extensive use of PodSandboxStatus call to wire up PodIP to api server, as a patch call to Pod Resources. The problem with this is the response message wraps PodSandboxNetworkStatus struct . And this struct only carries one IP. And will have to change similar to the change described above. I am in the process of reaching out CRI folks to start the discussion to become

Looks good. CRI should be extended to support multiple IPs. Meanwhile, for in-tree dockershim, CNI should be upgraded as well.

[lachie83]

Added changes as requested @khenidak

[khenidak]

per node not pod ..

[khenidak]

true, it is too big to define in one KEP.
The KEP does not prioritize one family over another. as a matter of fact users will be able to define ip cidrs in any order they like. This means i can doipv6,ipv4 or ipv4,ipv6. for kubeadm it can still work provisioning a single family clusters even when this change is PRed. But for dual stack some options and behaviors will have to change. These changes are unlikely to be needed in 1.14 or 1.15.

I am happy to jump in and discuss in kubeadm office hours.

[Random-Liu]

We may also need to update UpdateRuntimeConfig to support dual stack. For some CNI plugins, e.g. kubenet, we use that function to pass in the node CIDR.

[lachie83]

Agreed. Thanks

[thockin]

Almost all my comments are about sequencing -- leaving anything kube-proxy related for phase 2 (or 1.5, stritcly behind phase 1) will hopefully allow us to focus on the API semantics and make sure we get good testing of those things without muddying the waters.

Thoughts? I'd love to approve this, but need consensus on that part of the plane.

[thockin]

In #648 (comment) We talked about excluding this from phase 1.

Is there a reason it's back in? I ACK that a lot of the functionality of dual-stack is deferred by not including NodePorts and External IPs, and I am not AGAINST adding them in phase 1 if it turns out to be feasible. I just don't think we should block pod IPs, hostPorts, node IPs, etc from supporting v6 for them. And I don't think we should prioritize them or muddle the careful review and testing that will be required for phase 1.

It seems OK to add endpoints support to what I described as step1, so headless services work.

Can we consider NodePorts, external IPs, LB IPs and Ingress IPs (basically all the things that require dual-stack kube-proxy) as phase 2, with an option to pull them in early if feasible?

[lachie83]

We've updated the implementation plan to explicitly call out this as part of phase 2.

[thockin]

I agree that forcing end-users to do something here should be the exception.The default should probably be to probe both, but that would not be backwards compatible. Probing and accepting either is probably max compatible. For users who need both, a field might be OK

[thockin]

we don't need to add the annotations field if we don't have a concrete case. Just knowing it CAn be added is what maters

[thockin]

If the versioned defaulting works, it should not be possible, but good to be safe about it and spec it

[thockin]

As above, I think we should move this to phase 2

[lachie83]

kube-proxy and kubelet prober will work with the default IP as-is at the end of phase 1. Updated implementation plan to reflect that changes to both kube-proxy and kubelet prober will be actioned in phase 2.

[thockin]

As above, I think dual-stack kube-proxy can push to phse 2 (or 1.5 -- after all the work and testing for phase 1)

[thockin]

several components have flags that are similar and probably all need to be updated

[thockin]

phase 2

[thockin]

I ACK the value of this, but I think it is phase 1.5 or 2

[thockin]

why comma-seperated rather than space seperated?

[thockin]

Do we need access to other fields in the PodIPInfo struct? Maybe the field selector here should be "status.podIPs[].ip" or even "[*]" ? Not sure we have any precedent here

[lachie83]

We expect that users that would need this data would be advanced users and would advise going to the API server to get this information. Environment variables doesn't seem to the correct place for this dictionary based data for each IP.

[thockin]

We don't need to lock down the API for this KEP, but when we get to this part of details, I'd like to discuss. I don't want to make incomplete or partial designs when we don't have to, and I don't want to "make up" new syntax where we have existing mechanisms to describe things :)

[aojea]

what is considered "multi-network"?

[lachie83]

Updating to multi-IPs

[thockin]

Thanks!

/lgtm
/approve

[thockin]

This could be either phase, I think - seems easy enough but not critical.

[thockin]

I'm going to approve this but we should start thinking about this, too. Specifically:

• do we want to GA the multi-IP suppot (phase 1) independent of the dual-stack services work?
• what criteria will we be monitoring?

[khenidak]

Having dual stack on pod ip is useful for those offering ingress as ipv4 and doing downstream server calls to ipv6 (or the otherway around). I can not speak to the volume of users. I think as we release phase 1 to alpha we will hear from users and we can adjust accordingly.

@lachie83

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lachie83, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/sig-network/OWNERS [thockin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[GeorgeGuo2018]

"There may be some some clients or applications that only work with (bind to) IPv4 or or only work with (bind to) IPv6. "----small syntaxt error in this sentence

[Arvinderpal]

Since the current goal is have single-family services, I don't think we need to support a list of CIDRs in --service-cluster-ip-range
Further down in this KEP, the variation of Dual-Stack Service CIDRs is discussed but that's a non-goal. There this change would be applicable and has already been noted.

[s1061123]

Q about IPv6 K8s Service/Endpoints. Does Service/Endpoints allows users to add Anycast IPv6 address?