Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

kubenet containerd: match upstream #10759

Merged

Conversation

justinsb
Copy link
Member

@justinsb justinsb commented Feb 7, 2021

Configure kubenet in containerd/CNI mode to match upstream configuration.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Feb 7, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: justinsb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Feb 7, 2021
@justinsb justinsb force-pushed the containerd_kubenet_configuration branch from d49d252 to 691f072 Compare February 7, 2021 22:45
@hakman
Copy link
Member

hakman commented Feb 8, 2021

The current approach is from the containerd project instructions and and results in 1 test failing:
https://github.com/containerd/containerd/blob/master/script/setup/install-cni
https://testgrid.k8s.io/kops-network-plugins#kops-aws-cni-kopeio

[sig-network] Services should preserve source pod IP for traffic thru service cluster IP [LinuxOnly]

The ptp approach from this PR results in 5 tests failing:
#10761
https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/kops/10761/pull-kops-e2e-k8s-containerd/1358693640242728960

[sig-network] Services [It] should have session affinity timeout work for NodePort service [LinuxOnly] [Conformance]
[sig-network] Services [It] should be able to update service type to NodePort listening on same port number but different protocols
[sig-network] Services [It] should be able to switch session affinity for NodePort service [LinuxOnly] [Conformance]
[sig-network] Services [It] should be able to change the type from ExternalName to NodePort [Conformance]
[sig-network] Services [It] should have session affinity work for NodePort service [LinuxOnly] [Conformance]

If you prefer to use the ptp approach then we should skip the NodePort tests.

@justinsb
Copy link
Member Author

justinsb commented Feb 8, 2021

Oh - thanks for confirming where it came from! Losing the pod source IP is ... not good. But I don't think we had this problem before, so I'm wondering if something else also changed.

But having the nodeport tests fail is also ... not good!

Thanks for pointing me in the right direction - I'll take a look and try to figure it out!

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 8, 2021
@hakman
Copy link
Member

hakman commented Feb 8, 2021

Oh - thanks for confirming where it came from! Losing the pod source IP is ... not good. But I don't think we had this problem before, so I'm wondering if something else also changed.

This was always a problem of the containerd kubenet integration.

@justinsb justinsb force-pushed the containerd_kubenet_configuration branch from 691f072 to 600ffb3 Compare February 8, 2021 15:24
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Feb 8, 2021
@justinsb justinsb changed the title kubenet containerd: match upstream WIP: kubenet containerd: match upstream Feb 8, 2021
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 8, 2021
@justinsb justinsb force-pushed the containerd_kubenet_configuration branch from dfab695 to 213b731 Compare February 8, 2021 18:58
@hakman hakman self-requested a review February 8, 2021 20:43
@justinsb justinsb force-pushed the containerd_kubenet_configuration branch from 213b731 to 49982b3 Compare February 9, 2021 02:55
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Feb 9, 2021
@justinsb
Copy link
Member Author

justinsb commented Feb 9, 2021

So after one or two iterations here this is working!

The thing I was missing was that if we don't pass networking=kubenet to kube-proxy it doesn't set up the default destination NAT rules. So all outbound traffic from the pods was broken; that was the NodePort failures AFAICT. (It seems we don't have any tests that check that directly, which is kinda surprising...)

upstream added a more sophisticated masquerade rule than kube-proxy was previously installing.

New way:
https://github.com/kubernetes/kubernetes/blob/e0bba105cca88c897c60ad80d4aa0a54c984dbb5/cluster/gce/gci/configure-helper.sh#L153-L170

Old logic:
https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/dockershim/network/kubenet/kubenet_linux.go#L197-L203

I'm inclined to say that we take the CNI/containerd opportunity to sync up with what upstream is doing.

Along those lines, upstream has also switched to ptp (and the code passed with ptp). I'm pretty sure we can make it work with either. I don't know whether there's an advantage to one or the other. I'm inclined to switch to match upstream, open to arguments either way!

@hakman
Copy link
Member

hakman commented Feb 9, 2021

Nicely done! Looks good to me either way, but upstream would probably get better support in the future.

@justinsb justinsb force-pushed the containerd_kubenet_configuration branch 2 times, most recently from f2c71ea to c802344 Compare February 10, 2021 15:10
@justinsb
Copy link
Member Author

OK so cleaned up and containerd is passing. I went with ptp to match upstream, and I went with a NAT configuration that more closely matched what we did before, as I'm not convinced that the upstream configuration is suitable for AWS / anywhere where the routing might not be symmetric. WDYT @hakman et al?

If we agree I can rebase to remove the force-kubenet trick!

@hakman
Copy link
Member

hakman commented Feb 11, 2021

Maybe we can discuss this more in detail during Office Hours, but I think it looks good as is now.
I vote to merge it as is and release 1.19.1, as it contains quite a lot of bug fixes.

@olemarkus Any thoughts?

@justinsb justinsb force-pushed the containerd_kubenet_configuration branch from c5af115 to acc3877 Compare February 11, 2021 13:15
Configure kubenet in containerd/CNI mode to match upstream configuration.

Biggest change is a move to the ptp plugin.

Co-authored-by: Ciprian Hacman <[email protected]>
@justinsb justinsb force-pushed the containerd_kubenet_configuration branch from acc3877 to c921aff Compare February 11, 2021 13:26
@justinsb justinsb changed the title WIP: kubenet containerd: match upstream kubenet containerd: match upstream Feb 11, 2021
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 11, 2021
@justinsb
Copy link
Member Author

Yes, I think we can probably reach consensus tomorrow in office hours, and I think it's time for 1.19.1. The last issue I want to look at is 10719, though it looks like we have a fix available :-)

@hakman
Copy link
Member

hakman commented Feb 11, 2021

Storage driver failure, retesting.
/retest

@hakman
Copy link
Member

hakman commented Feb 12, 2021

Seems like it's time to merge :).
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 12, 2021
@justinsb
Copy link
Member Author

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 13, 2021
@k8s-ci-robot k8s-ci-robot merged commit ce3f541 into kubernetes:master Feb 13, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.20 milestone Feb 13, 2021
k8s-ci-robot added a commit that referenced this pull request Feb 14, 2021
…59-origin-release-1.20

Automated cherry pick of #10759: kubenet containerd: match upstream configuration
k8s-ci-robot added a commit that referenced this pull request Feb 14, 2021
…59-origin-release-1.19

Automated cherry pick of #10759: kubenet containerd: match upstream configuration
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/nodeup cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants