Restrict the number of IPs an ExternalWorkload can have #12026
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
zaharidichev
reviewed
Feb 1, 2024
There was a problem hiding this comment.
Looks good overall, left some suggestions. Would be useful to head what @adleong thinks about all that
A Kubernetes pod may be assigned at [most one IP address][pod-docs] for each supported protocol (i.e. IPv6 and IPv4), without the use of specialised CNIs or network configurations. When processing addresses in an endpoint, we will only ever use one address. ExternalWorkload resources have a generic workloadIPs field that allow any number of addresses to be added. We want the behaviour to be similar to a pod -- only one address (of each protcol) should be used for routing. We restrict the CRD server-side validation to allow only one IP address. Since we do not yet support IPv6, this will ensure that two IPv4 addresses will not be declared by the same workload. Once IPv6 support lands, or once we have a dedicated validator, we can relax the CRD validation. [pod-docs]: https://pkg.go.dev/k8s.io/[email protected]/pkg/apis/core#PodStatus Signed-off-by: Matei David <[email protected]>
|
As discussed I think we should decouple these two changes. Lets get the CRD change in and worry about simplifying the destinations service code in a follow-up PR. |
mateiidavid
force-pushed
the
matei/crd-ip-validation
branch
from
8ff0766 to
33cd970
Compare
adleong
approved these changes
Feb 2, 2024
zaharidichev
approved these changes
Feb 2, 2024
alpeb
added a commit
that referenced
this pull request
Feb 2, 2024
This edge release contains performance and stability improvements to the Destination controller, and continues stabilizing support for ExternalWorkloads. * Reduced the load on the Destination controller by only processing Server updates on workloads affected by the Server ([#12017]) * Changed how the Destination controller reacts to target clusters (in multicluster pod-to-pod mode) whose Server CRD is outdated: skip them and log an error instead of panicking ([#12008]) * Improved the leader election of the ExternalWorkloads Endpoints controller to avoid missing events ([#12021]) * Improved naming of EndpointSlices generated by ExternWorkloads ([#12016]) * Restriced the number of IPs an ExternalWorkload can have ([#12026])
alpeb
added a commit
that referenced
this pull request
Feb 2, 2024
This edge release contains performance and stability improvements to the Destination controller, and continues stabilizing support for ExternalWorkloads. * Reduced the load on the Destination controller by only processing Server updates on workloads affected by the Server ([#12017]) * Changed how the Destination controller reacts to target clusters (in multicluster pod-to-pod mode) whose Server CRD is outdated: skip them and log an error instead of panicking ([#12008]) * Improved the leader election of the ExternalWorkloads Endpoints controller to avoid missing events ([#12021]) * Improved naming of EndpointSlices generated by ExternWorkloads ([#12016]) * Restriced the number of IPs an ExternalWorkload can have ([#12026])
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A Kubernetes pod may be assigned at most one IP address for each supported protocol (i.e. IPv6 and IPv4), without the use of specialised CNIs or network configurations. When processing addresses in an endpoint, we will only ever use one address.
ExternalWorkload resources have a generic workloadIPs field that allow any number of addresses to be added. We want the behaviour to be similar to a pod -- only one address (of each protcol) should be used for routing.
We restrict the CRD server-side validation to allow only one IP address. Since we do not yet support IPv6, this will ensure that two IPv4 addresses will not be declared by the same workload. Once IPv6 support lands, or once we have a dedicated validator, we can relax the CRD validation.
How to test
linkerd install --crds).Edit: going to open up a separate PR for the refactor.