Allow svclb pod to enable ipv6 forwarding

Signed-off-by: Manuel Buil <mbuil@suse.com>

pkg/agent/config/config.go

@@ -558,6 +558,7 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N
 	nodeConfig.AgentConfig.Rootless = envInfo.Rootless
 	nodeConfig.AgentConfig.PodManifests = filepath.Join(envInfo.DataDir, "agent", DefaultPodManifestPath)
 	nodeConfig.AgentConfig.ProtectKernelDefaults = envInfo.ProtectKernelDefaults
+	nodeConfig.AgentConfig.DisableServiceLB = envInfo.DisableServiceLB
 
 	if err := validateNetworkConfig(nodeConfig); err != nil {
 		return nil, err

pkg/agent/run.go

@@ -65,6 +65,7 @@ func run(ctx context.Context, cfg cmds.Agent, proxy proxy.Proxy) error {
 		return errors.Wrap(err, "failed to validate kube-proxy conntrack configuration")
 	}
 	syssetup.Configure(enableIPv6, conntrackConfig)
+	nodeConfig.AgentConfig.EnableIPv6 = enableIPv6
 
 	if err := setupCriCtlConfig(cfg, nodeConfig); err != nil {
 		return err

pkg/cli/cmds/agent.go

@@ -16,6 +16,7 @@ type Agent struct {
 	ServerURL                string
 	APIAddressCh             chan string
 	DisableLoadBalancer      bool
+	DisableServiceLB         bool
 	ETCDAgent                bool
 	LBServerPort             int
 	ResolvConf               string

pkg/cli/server/server.go

@@ -471,6 +471,7 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 	agentConfig.ServerURL = url
 	agentConfig.Token = token
 	agentConfig.DisableLoadBalancer = !serverConfig.ControlConfig.DisableAPIServer
+	agentConfig.DisableServiceLB = serverConfig.DisableServiceLB
 	agentConfig.ETCDAgent = serverConfig.ControlConfig.DisableAPIServer
 	agentConfig.ClusterReset = serverConfig.ControlConfig.ClusterReset
 

pkg/daemons/agent/agent_linux.go

@@ -168,5 +168,10 @@ func kubeletArgs(cfg *config.Agent) map[string]string {
 	if cfg.ProtectKernelDefaults {
 		argsMap["protect-kernel-defaults"] = "true"
 	}
+
+	if !cfg.DisableServiceLB && cfg.EnableIPv6 {
+		argsMap["allowed-unsafe-sysctls"] = "net.ipv6.conf.all.forwarding"
+	}
+
 	return argsMap
 }

pkg/daemons/config/types.go

@@ -99,6 +99,8 @@ type Agent struct {
 	DisableNPC              bool
 	Rootless                bool
 	ProtectKernelDefaults   bool
+	DisableServiceLB        bool
+	EnableIPv6              bool
 }
 
 // CriticalControlArgs contains parameters that all control plane nodes in HA must share
@@ -132,6 +134,7 @@ type Control struct {
 	AgentToken               string `json:"-"`
 	Token                    string `json:"-"`
 	ServiceNodePortRange     *utilnet.PortRange
+	DisableServiceLB         bool
 	KubeConfigOutput         string
 	KubeConfigMode           string
 	DataDir                  string

pkg/servicelb/controller.go

@@ -350,6 +350,14 @@ func (h *handler) newDaemonSet(svc *core.Service) (*apps.DaemonSet, error) {
 	name := fmt.Sprintf("svclb-%s", svc.Name)
 	oneInt := intstr.FromInt(1)
 
+	// If ipv6 is present, we must enable ipv6 forwarding in the manifest
+	var ipv6Switch bool
+	for _, ipFamily := range svc.Spec.IPFamilies {
+		if ipFamily == core.IPv6Protocol {
+			ipv6Switch = true
+		}
+	}
+
 	ds := &apps.DaemonSet{
 		ObjectMeta: meta.ObjectMeta{
 			Name:      name,
@@ -394,6 +402,19 @@ func (h *handler) newDaemonSet(svc *core.Service) (*apps.DaemonSet, error) {
 		},
 	}
 
+	if ipv6Switch {
+		// Add security context to enable ipv6 forwarding
+		securityContext := &core.PodSecurityContext{
+			Sysctls: []core.Sysctl{
+				{
+					Name:  "net.ipv6.conf.all.forwarding",
+					Value: "1",
+				},
+			},
+		}
+		ds.Spec.Template.Spec.SecurityContext = securityContext
+	}
+
 	for _, port := range svc.Spec.Ports {
 		portName := fmt.Sprintf("lb-port-%d", port.Port)
 		container := core.Container{