@lbernail lbernail commented Mar 12, 2019

What type of PR is this?
/kind bug

Not exactly a bug but a regression for some users who use CNI plugins not compatible with this change.

What this PR does / why we need it:
#70530 introduced a change to avoid answering ARP queries for addresses bound to kube-ipvs0 (this broke some setups). However, some CNI plugins use unnumbered ptp links between containers and host, and this change breaks ARP for them. This PR adds a flag to control this behavior. It's not enabled by default to avoid breaking existing setups when upgrading (note that if a user has run a version that configures the sysctls, they will need to change it back; kube-proxy won't do it).

Which issue(s) this PR fixes:
Fixes #71555
Fixes #72779

Note for reviewers:
We discussed alternatives in both issues (see above) and this one seems the best trade-off:

  • does not require an arptable rule per service
  • does not break existing setups
  • adds an option to address issues faced by some users

It's the first time I'm adding a flag, so I may have missed something. I tried to find a flag name that was clear and not too long, but we can change it of course.

Does this PR introduce a user-facing change?:

[IPVS] Introduces flag ipvs-strict-arp to configure stricter ARP sysctls, defaulting to false to preserve existing behaviors. This was enabled by default in 1.13.0, which impacted a few CNI plugins.

/sig network
/area ipvs
/assign @m1093782566

cc @kvaps

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. sig/network Categorizes an issue or PR as relevant to SIG Network. area/ipvs size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Mar 12, 2019
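
The PR description above notes that kube-proxy will not revert the ARP sysctls once an earlier version has set them. A node-side check for that leftover state, as an added example that is not code from this PR: the strict values `arp_ignore=1` and `arp_announce=2` under `net.ipv4.conf.all` are what kube-proxy's IPVS proxier applies and are not stated on this page, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the PR): compare a node's ARP sysctls with the
# intended --ipvs-strict-arp setting.
# Not from this page: strict mode = net.ipv4.conf.all.arp_ignore=1 and
# net.ipv4.conf.all.arp_announce=2; the kernel default for both is 0.

# arp_mode [SYSCTL_ROOT] -> prints strict | relaxed | partial | unknown
arp_mode() {
    dir="${1:-/proc/sys}/net/ipv4/conf/all"
    if [ ! -r "$dir/arp_ignore" ] || [ ! -r "$dir/arp_announce" ]; then
        echo unknown
        return 0
    fi
    ignore=$(tr -d '[:space:]' < "$dir/arp_ignore")
    announce=$(tr -d '[:space:]' < "$dir/arp_announce")
    if [ "$ignore" = 1 ] && [ "$announce" = 2 ]; then
        echo strict
    elif [ "$ignore" = 0 ] && [ "$announce" = 0 ]; then
        echo relaxed
    else
        echo partial    # some other combination, set by an operator or tool
    fi
}

# check_node WANT_STRICT [SYSCTL_ROOT]
# WANT_STRICT is "true" or "false", the value given to --ipvs-strict-arp.
# Returns 0 on match, 1 on drift, 2 when the sysctls cannot be read.
check_node() {
    want="$1"
    mode=$(arp_mode "${2:-/proc/sys}")
    case "$want:$mode" in
        *:unknown)     echo "unknown: cannot read ARP sysctls"; return 2 ;;
        true:strict)   echo "ok: strict ARP active"; return 0 ;;
        false:relaxed) echo "ok: kernel defaults"; return 0 ;;
        true:*)        echo "drift: strict ARP requested, sysctls are $mode"; return 1 ;;
        *)             echo "drift: sysctls are $mode; kube-proxy will not reset them"; return 1 ;;
    esac
}

# Stand-alone use on a node: ./check-arp.sh --want false
if [ "${1:-}" = "--want" ]; then
    check_node "$2"
fi
```

A `drift` result with `--want false` is the case the description warns about: the sysctls were set by an earlier kube-proxy and have to be changed back by hand.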
@k8s-ci-robot
Contributor

Hi @lbernail. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Mar 12, 2019
@k8s-ci-robot k8s-ci-robot requested review from Lion-Wei and bowei March 12, 2019 16:28
@k8s-ci-robot k8s-ci-robot added the kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API label Mar 12, 2019
@fejta-bot

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

@m1093782566
Contributor

/ok-to-test

/assign @thockin

for API review.

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 13, 2019
@lbernail
Contributor Author

/test pull-kubernetes-kubemark-e2e-gce-big

Member

@thockin thockin left a comment

I'll approve, but @m1093782566 holds LGTM

/approve

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lbernail, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 13, 2019
@m1093782566
Contributor

/lgtm

Thanks @lbernail for contributing IPVS 👍

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 19, 2019
@k8s-ci-robot k8s-ci-robot merged commit 59140d6 into kubernetes:master Mar 20, 2019
k8s-ci-robot added a commit that referenced this pull request Apr 4, 2019
…5-upstream-release-1.13

Automated cherry pick of #75295 upstream release 1.13
k8s-ci-robot added a commit that referenced this pull request Apr 30, 2019
…5-upstream-release-1.14

Automated cherry pick of #75295 upstream release 1.14
champtar added a commit to champtar/kubespray that referenced this pull request Sep 17, 2019
strict ARP flag was added by
kubernetes/kubernetes#75295

It's disabled by default to not break some CNI, including flannel
so we leave it off by default

We must enable it for MetalLB to work
metallb/metallb#153 (comment)
so fail MetalLB roles if it's not enabled
Successfully merging this pull request may close these issues.

  • kube-proxy v1.13.0 and 1.13.1 brokes services with externalIPs
  • kube-proxy/IPVS: arp_ignore and arp_announce break some CNI plugins