-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kubenet containerd: match upstream #10759
kubenet containerd: match upstream #10759
Conversation
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: justinsb The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
d49d252
to
691f072
Compare
The current approach is from the containerd project instructions and and results in 1 test failing:
The
If you prefer to use the |
Oh - thanks for confirming where it came from! Losing the pod source IP is ... not good. But I don't think we had this problem before, so I'm wondering if something else also changed. But having the nodeport tests fail is also ... not good! Thanks for pointing me in the right direction - I'll take a look and try to figure it out! /hold |
This was always a problem of the containerd kubenet integration. |
691f072
to
600ffb3
Compare
dfab695
to
213b731
Compare
213b731
to
49982b3
Compare
So after one or two iterations here this is working! The thing I was missing was that if we don't pass upstream added a more sophisticated masquerade rule than kube-proxy was previously installing. I'm inclined to say that we take the CNI/containerd opportunity to sync up with what upstream is doing. Along those lines, upstream has also switched to ptp (and the code passed with ptp). I'm pretty sure we can make it work with either. I don't know whether there's an advantage to one or the other. I'm inclined to switch to match upstream, open to arguments either way! |
Nicely done! Looks good to me either way, but upstream would probably get better support in the future. |
f2c71ea
to
c802344
Compare
OK so cleaned up and containerd is passing. I went with ptp to match upstream, and I went with a NAT configuration that more closely matched what we did before, as I'm not convinced that the upstream configuration is suitable for AWS / anywhere where the routing might not be symmetric. WDYT @hakman et al? If we agree I can rebase to remove the force-kubenet trick! |
Maybe we can discuss this more in detail during Office Hours, but I think it looks good as is now. @olemarkus Any thoughts? |
c5af115
to
acc3877
Compare
Configure kubenet in containerd/CNI mode to match upstream configuration. Biggest change is a move to the ptp plugin. Co-authored-by: Ciprian Hacman <[email protected]>
acc3877
to
c921aff
Compare
Yes, I think we can probably reach consensus tomorrow in office hours, and I think it's time for 1.19.1. The last issue I want to look at is 10719, though it looks like we have a fix available :-) |
Storage driver failure, retesting. |
Seems like it's time to merge :). |
/hold cancel |
…59-origin-release-1.20 Automated cherry pick of #10759: kubenet containerd: match upstream configuration
…59-origin-release-1.19 Automated cherry pick of #10759: kubenet containerd: match upstream configuration
Configure kubenet in containerd/CNI mode to match upstream configuration.