github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #34906 from luxas/remove_old_networking 

Automatic merge from submit-queue

WIP: Remove the legacy networking mode

<!--  Thanks for sending a pull request!  Here are some tips for you:
1. If this is your first time, read our contributor guidelines https://github.com/kubernetes/kubernetes/blob/master/CONTRIBUTING.md and developer guide https://github.com/kubernetes/kubernetes/blob/master/docs/devel/development.md
2. If you want *faster* PR reviews, read how: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/faster_reviews.md
3. Follow the instructions for writing a release note: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/pull-requests.md#release-notes
-->

**What this PR does / why we need it**:
Removes the deprecated configure-cbr0 flag and networking mode to avoid having untested and maybe unstable code in kubelet, see: #33789

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, #<issue_number>, ...)` format, will close that issue when PR gets merged)*: 
fixes #30589
fixes #31937

**Special notes for your reviewer**: There are a lot of deployments who rely on this networking mode. Not sure how we deal with that: force switch to kubenet or just delete the old deployment?

But please review the code changes first (the first commit)

**Release note**:
<!--  Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access) 
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`. 
-->
```release-note
Removed the deprecated kubelet --configure-cbr0 flag, and with that the "classic" networking mode as well
```

PTAL @kubernetes/sig-network @kubernetes/sig-node @mikedanese
pull/6/head
Kubernetes Submit Queue 2016-10-19 01:03:39 -07:00 committed by GitHub
parent cd44cec587 565c5e6268
commit 61e0113019
23 changed files with 2640 additions and 3121 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
cluster/common.sh
View File

@ -772,7 +772,6 @@ KUBERNETES_CONTAINER_RUNTIME: $(yaml-quote ${CONTAINER_RUNTIME:-rkt})
RKT_VERSION: $(yaml-quote ${RKT_VERSION:-}) RKT_VERSION: $(yaml-quote ${RKT_VERSION:-})
RKT_PATH: $(yaml-quote ${RKT_PATH:-}) RKT_PATH: $(yaml-quote ${RKT_PATH:-})
RKT_STAGE1_IMAGE: $(yaml-quote ${RKT_STAGE1_IMAGE:-}) RKT_STAGE1_IMAGE: $(yaml-quote ${RKT_STAGE1_IMAGE:-})
KUBERNETES_CONFIGURE_CBR0: $(yaml-quote ${KUBERNETES_CONFIGURE_CBR0:-true})
EOF EOF
fi fi
if [[ "${ENABLE_CLUSTER_AUTOSCALER}" == "true" ]]; then if [[ "${ENABLE_CLUSTER_AUTOSCALER}" == "true" ]]; then

1
cluster/gce/coreos/master-docker.yaml
View File

@ -122,7 +122,6 @@ coreos:
--cluster-domain=${DNS_DOMAIN} \ --cluster-domain=${DNS_DOMAIN} \
--logtostderr=true \ --logtostderr=true \
--container-runtime=docker \ --container-runtime=docker \
--configure-cbr0=${KUBERNETES_CONFIGURE_CBR0} \
--pod-cidr=${MASTER_IP_RANGE} \ --pod-cidr=${MASTER_IP_RANGE} \
--register-schedulable=false \ --register-schedulable=false \
--reconcile-cidr=false --reconcile-cidr=false

1
cluster/gce/coreos/master-rkt.yaml
View File

@ -182,7 +182,6 @@ coreos:
--container-runtime=rkt \ --container-runtime=rkt \
--rkt-path=/opt/rkt/rkt \ --rkt-path=/opt/rkt/rkt \
--rkt-stage1-image=${RKT_STAGE_IMAGE} \ --rkt-stage1-image=${RKT_STAGE_IMAGE} \
--configure-cbr0=${KUBERNETES_CONFIGURE_CBR0} \
--pod-cidr=${MASTER_IP_RANGE} \ --pod-cidr=${MASTER_IP_RANGE} \
--register-schedulable=false \ --register-schedulable=false \
--reconcile-cidr=false --reconcile-cidr=false

1
cluster/gce/coreos/node-docker.yaml
View File

@ -102,7 +102,6 @@ coreos:
--cluster-domain=${DNS_DOMAIN} \ --cluster-domain=${DNS_DOMAIN} \
--logtostderr=true \ --logtostderr=true \
--container-runtime=docker \ --container-runtime=docker \
--configure-cbr0=${KUBERNETES_CONFIGURE_CBR0} \
--network-plugin=${NETWORK_PROVIDER} \ --network-plugin=${NETWORK_PROVIDER} \
--reconcile-cidr=true --reconcile-cidr=true
Restart=always Restart=always

1
cluster/gce/coreos/node-rkt.yaml
View File

@ -148,7 +148,6 @@ coreos:
--container-runtime=rkt \ --container-runtime=rkt \
--rkt-path=/opt/rkt/rkt \ --rkt-path=/opt/rkt/rkt \
--rkt-stage1-image=${RKT_STAGE1_IMAGE} \ --rkt-stage1-image=${RKT_STAGE1_IMAGE} \
--configure-cbr0=${KUBERNETES_CONFIGURE_CBR0} \
--network-plugin=kubenet \ --network-plugin=kubenet \
--reconcile-cidr=true --reconcile-cidr=true
Restart=always Restart=always

3
cluster/gce/gci/configure-helper.sh
View File

@ -529,9 +529,6 @@ function start-kubelet {
if [[ -n "${EVICTION_HARD:-}" ]]; then if [[ -n "${EVICTION_HARD:-}" ]]; then
flags+=" --eviction-hard=${EVICTION_HARD}" flags+=" --eviction-hard=${EVICTION_HARD}"
fi fi
if [[ "${ALLOCATE_NODE_CIDRS:-}" == "true" ]]; then
flags+=" --configure-cbr0=${ALLOCATE_NODE_CIDRS}"
fi
if [[ -n "${FEATURE_GATES:-}" ]]; then if [[ -n "${FEATURE_GATES:-}" ]]; then
flags+=" --feature-gates=${FEATURE_GATES}" flags+=" --feature-gates=${FEATURE_GATES}"
fi fi

3
cluster/gce/trusty/configure-helper.sh
View File

@ -176,9 +176,6 @@ assemble_kubelet_flags() {
if [ -n "${NODE_LABELS:-}" ]; then if [ -n "${NODE_LABELS:-}" ]; then
KUBELET_CMD_FLAGS="${KUBELET_CMD_FLAGS} --node-labels=${NODE_LABELS}" KUBELET_CMD_FLAGS="${KUBELET_CMD_FLAGS} --node-labels=${NODE_LABELS}"
fi fi
if [ "${ALLOCATE_NODE_CIDRS:-}" = "true" ]; then
KUBELET_CMD_FLAGS="${KUBELET_CMD_FLAGS} --configure-cbr0=${ALLOCATE_NODE_CIDRS}"
fi
# Add the unconditional flags # Add the unconditional flags
KUBELET_CMD_FLAGS="${KUBELET_CMD_FLAGS} --cloud-provider=gce --allow-privileged=true --cgroup-root=/ --system-cgroups=/system --kubelet-cgroups=/kubelet --babysit-daemons=true --config=/etc/kubernetes/manifests --cluster-dns=${DNS_SERVER_IP} --cluster-domain=${DNS_DOMAIN}" KUBELET_CMD_FLAGS="${KUBELET_CMD_FLAGS} --cloud-provider=gce --allow-privileged=true --cgroup-root=/ --system-cgroups=/system --kubelet-cgroups=/kubelet --babysit-daemons=true --config=/etc/kubernetes/manifests --cluster-dns=${DNS_SERVER_IP} --cluster-domain=${DNS_DOMAIN}"
echo "KUBELET_OPTS=\"${KUBELET_CMD_FLAGS}\"" > /etc/default/kubelet echo "KUBELET_OPTS=\"${KUBELET_CMD_FLAGS}\"" > /etc/default/kubelet

7
cluster/saltbase/salt/kubelet/default
View File

@ -87,11 +87,6 @@
{% set kubelet_root = " --root-dir=" + grains.kubelet_root -%} {% set kubelet_root = " --root-dir=" + grains.kubelet_root -%}
{% endif -%} {% endif -%}
{% set configure_cbr0 = "" -%}
{% if pillar['allocate_node_cidrs'] is defined -%}
{% set configure_cbr0 = "--configure-cbr0=" + pillar['allocate_node_cidrs'] -%}
{% endif -%}
{% set non_masquerade_cidr = "" -%} {% set non_masquerade_cidr = "" -%}
{% if pillar.get('non_masquerade_cidr','') -%} {% if pillar.get('non_masquerade_cidr','') -%}
{% set non_masquerade_cidr = "--non-masquerade-cidr=" + pillar.non_masquerade_cidr -%} {% set non_masquerade_cidr = "--non-masquerade-cidr=" + pillar.non_masquerade_cidr -%}
@ -199,4 +194,4 @@
{% endif -%} {% endif -%}
# test_args has to be kept at the end, so they'll overwrite any prior configuration # test_args has to be kept at the end, so they'll overwrite any prior configuration
DAEMON_ARGS="{{daemon_args}} {{api_servers_with_port}} {{debugging_handlers}} {{hostname_override}} {{cloud_provider}} {{cloud_config}} {{config}} {{manifest_url}} --allow-privileged={{pillar['allow_privileged']}} {{log_level}} {{cluster_dns}} {{cluster_domain}} {{docker_root}} {{kubelet_root}} {{configure_cbr0}} {{non_masquerade_cidr}} {{cgroup_root}} {{system_container}} {{pod_cidr}} {{ master_kubelet_args }} {{cpu_cfs_quota}} {{network_plugin}} {{kubelet_port}} {{ reconcile_cidr_args }} {{ hairpin_mode }} {{enable_custom_metrics}} {{runtime_container}} {{kubelet_container}} {{node_labels}} {{babysit_daemons}} {{eviction_hard}} {{feature_gates}} {{test_args}}" DAEMON_ARGS="{{daemon_args}} {{api_servers_with_port}} {{debugging_handlers}} {{hostname_override}} {{cloud_provider}} {{cloud_config}} {{config}} {{manifest_url}} --allow-privileged={{pillar['allow_privileged']}} {{log_level}} {{cluster_dns}} {{cluster_domain}} {{docker_root}} {{kubelet_root}} {{non_masquerade_cidr}} {{cgroup_root}} {{system_container}} {{pod_cidr}} {{ master_kubelet_args }} {{cpu_cfs_quota}} {{network_plugin}} {{kubelet_port}} {{ reconcile_cidr_args }} {{ hairpin_mode }} {{enable_custom_metrics}} {{runtime_container}} {{kubelet_container}} {{node_labels}} {{babysit_daemons}} {{eviction_hard}} {{feature_gates}} {{test_args}}"

6
cmd/kubelet/app/options/options.go
View File

@ -177,8 +177,6 @@ func (s *KubeletServer) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&s.RktAPIEndpoint, "rkt-api-endpoint", s.RktAPIEndpoint, "The endpoint of the rkt API service to communicate with. Only used if --container-runtime='rkt'.") fs.StringVar(&s.RktAPIEndpoint, "rkt-api-endpoint", s.RktAPIEndpoint, "The endpoint of the rkt API service to communicate with. Only used if --container-runtime='rkt'.")
fs.StringVar(&s.RktStage1Image, "rkt-stage1-image", s.RktStage1Image, "image to use as stage1. Local paths and http/https URLs are supported. If empty, the 'stage1.aci' in the same directory as '--rkt-path' will be used.") fs.StringVar(&s.RktStage1Image, "rkt-stage1-image", s.RktStage1Image, "image to use as stage1. Local paths and http/https URLs are supported. If empty, the 'stage1.aci' in the same directory as '--rkt-path' will be used.")
fs.MarkDeprecated("rkt-stage1-image", "Will be removed in a future version. The default stage1 image will be specified by the rkt configurations, see https://github.com/coreos/rkt/blob/master/Documentation/configuration.md for more details.") fs.MarkDeprecated("rkt-stage1-image", "Will be removed in a future version. The default stage1 image will be specified by the rkt configurations, see https://github.com/coreos/rkt/blob/master/Documentation/configuration.md for more details.")
fs.BoolVar(&s.ConfigureCBR0, "configure-cbr0", s.ConfigureCBR0, "If true, kubelet will configure cbr0 based on Node.Spec.PodCIDR.")
fs.MarkDeprecated("configure-cbr0", "Will be removed in a future version. Please use kubenet or other network plugins.")
fs.StringVar(&s.HairpinMode, "hairpin-mode", s.HairpinMode, "How should the kubelet setup hairpin NAT. This allows endpoints of a Service to loadbalance back to themselves if they should try to access their own Service. Valid values are \"promiscuous-bridge\", \"hairpin-veth\" and \"none\".") fs.StringVar(&s.HairpinMode, "hairpin-mode", s.HairpinMode, "How should the kubelet setup hairpin NAT. This allows endpoints of a Service to loadbalance back to themselves if they should try to access their own Service. Valid values are \"promiscuous-bridge\", \"hairpin-veth\" and \"none\".")
fs.BoolVar(&s.BabysitDaemons, "babysit-daemons", s.BabysitDaemons, "If true, the node has babysitter process monitoring docker and kubelet.") fs.BoolVar(&s.BabysitDaemons, "babysit-daemons", s.BabysitDaemons, "If true, the node has babysitter process monitoring docker and kubelet.")
fs.MarkDeprecated("babysit-daemons", "Will be removed in a future version.") fs.MarkDeprecated("babysit-daemons", "Will be removed in a future version.")
@ -202,10 +200,10 @@ func (s *KubeletServer) AddFlags(fs *pflag.FlagSet) {
fs.Float64Var(&s.ChaosChance, "chaos-chance", s.ChaosChance, "If > 0.0, introduce random client errors and latency. Intended for testing. [default=0.0]") fs.Float64Var(&s.ChaosChance, "chaos-chance", s.ChaosChance, "If > 0.0, introduce random client errors and latency. Intended for testing. [default=0.0]")
fs.BoolVar(&s.Containerized, "containerized", s.Containerized, "Experimental support for running kubelet in a container. Intended for testing. [default=false]") fs.BoolVar(&s.Containerized, "containerized", s.Containerized, "Experimental support for running kubelet in a container. Intended for testing. [default=false]")
fs.Int64Var(&s.MaxOpenFiles, "max-open-files", s.MaxOpenFiles, "Number of files that can be opened by Kubelet process. [default=1000000]") fs.Int64Var(&s.MaxOpenFiles, "max-open-files", s.MaxOpenFiles, "Number of files that can be opened by Kubelet process. [default=1000000]")
fs.BoolVar(&s.ReconcileCIDR, "reconcile-cidr", s.ReconcileCIDR, "Reconcile node CIDR with the CIDR specified by the API server. No-op if register-node or configure-cbr0 is false. [default=true]") fs.BoolVar(&s.ReconcileCIDR, "reconcile-cidr", s.ReconcileCIDR, "Reconcile node CIDR with the CIDR specified by the API server. Won't have any effect if register-node is false. [default=true]")
fs.Var(&s.SystemReserved, "system-reserved", "A set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) pairs that describe resources reserved for non-kubernetes components. Currently only cpu and memory are supported. See http://kubernetes.io/docs/user-guide/compute-resources for more detail. [default=none]") fs.Var(&s.SystemReserved, "system-reserved", "A set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) pairs that describe resources reserved for non-kubernetes components. Currently only cpu and memory are supported. See http://kubernetes.io/docs/user-guide/compute-resources for more detail. [default=none]")
fs.Var(&s.KubeReserved, "kube-reserved", "A set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) pairs that describe resources reserved for kubernetes system components. Currently only cpu and memory are supported. See http://kubernetes.io/docs/user-guide/compute-resources for more detail. [default=none]") fs.Var(&s.KubeReserved, "kube-reserved", "A set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) pairs that describe resources reserved for kubernetes system components. Currently only cpu and memory are supported. See http://kubernetes.io/docs/user-guide/compute-resources for more detail. [default=none]")
fs.BoolVar(&s.RegisterSchedulable, "register-schedulable", s.RegisterSchedulable, "Register the node as schedulable. No-op if register-node is false. [default=true]") fs.BoolVar(&s.RegisterSchedulable, "register-schedulable", s.RegisterSchedulable, "Register the node as schedulable. Won't have any effect if register-node is false. [default=true]")
fs.StringVar(&s.ContentType, "kube-api-content-type", s.ContentType, "Content type of requests sent to apiserver.") fs.StringVar(&s.ContentType, "kube-api-content-type", s.ContentType, "Content type of requests sent to apiserver.")
fs.Int32Var(&s.KubeAPIQPS, "kube-api-qps", s.KubeAPIQPS, "QPS to use while talking with kubernetes apiserver") fs.Int32Var(&s.KubeAPIQPS, "kube-api-qps", s.KubeAPIQPS, "QPS to use while talking with kubernetes apiserver")
fs.Int32Var(&s.KubeAPIBurst, "kube-api-burst", s.KubeAPIBurst, "Burst to use while talking with kubernetes apiserver") fs.Int32Var(&s.KubeAPIBurst, "kube-api-burst", s.KubeAPIBurst, "Burst to use while talking with kubernetes apiserver")

1
hack/verify-flags/known-flags.txt
View File

@ -92,7 +92,6 @@ concurrent-resource-quota-syncs
concurrent-service-syncs concurrent-service-syncs
concurrent-serviceaccount-token-syncs concurrent-serviceaccount-token-syncs
config-sync-period config-sync-period
configure-cbr0
configure-cloud-routes configure-cloud-routes
conntrack-max conntrack-max
conntrack-max-per-core conntrack-max-per-core

5265
pkg/apis/componentconfig/types.generated.go
View File

File diff suppressed because it is too large Load Diff

12
pkg/apis/componentconfig/types.go
View File

@ -329,18 +329,14 @@ type KubeletConfiguration struct {
// This will cause the kubelet to listen to inotify events on the lock file, // This will cause the kubelet to listen to inotify events on the lock file,
// releasing it and exiting when another process tries to open that file. // releasing it and exiting when another process tries to open that file.
ExitOnLockContention bool `json:"exitOnLockContention"` ExitOnLockContention bool `json:"exitOnLockContention"`
// configureCBR0 enables the kublet to configure cbr0 based on
// Node.Spec.PodCIDR.
ConfigureCBR0 bool `json:"configureCbr0"`
// How should the kubelet configure the container bridge for hairpin packets. // How should the kubelet configure the container bridge for hairpin packets.
// Setting this flag allows endpoints in a Service to loadbalance back to // Setting this flag allows endpoints in a Service to loadbalance back to
// themselves if they should try to access their own Service. Values: // themselves if they should try to access their own Service. Values:
// "promiscuous-bridge": make the container bridge promiscuous. // "promiscuous-bridge": make the container bridge promiscuous.
// "hairpin-veth": set the hairpin flag on container veth interfaces. // "hairpin-veth": set the hairpin flag on container veth interfaces.
// "none": do nothing. // "none": do nothing.
// Setting --configure-cbr0 to false implies that to achieve hairpin NAT // Generally, one must set --hairpin-mode=veth-flag to achieve hairpin NAT,
// one must set --hairpin-mode=veth-flag, because bridge assumes the // because promiscous-bridge assumes the existence of a container bridge named cbr0.
// existence of a container bridge named cbr0.
HairpinMode string `json:"hairpinMode"` HairpinMode string `json:"hairpinMode"`
// The node has babysitter process monitoring docker and kubelet. // The node has babysitter process monitoring docker and kubelet.
BabysitDaemons bool `json:"babysitDaemons"` BabysitDaemons bool `json:"babysitDaemons"`
@ -366,10 +362,10 @@ type KubeletConfiguration struct {
// maxOpenFiles is Number of files that can be opened by Kubelet process. // maxOpenFiles is Number of files that can be opened by Kubelet process.
MaxOpenFiles int64 `json:"maxOpenFiles"` MaxOpenFiles int64 `json:"maxOpenFiles"`
// reconcileCIDR is Reconcile node CIDR with the CIDR specified by the // reconcileCIDR is Reconcile node CIDR with the CIDR specified by the
// API server. No-op if register-node or configure-cbr0 is false. // API server. Won't have any effect if register-node is false.
ReconcileCIDR bool `json:"reconcileCIDR"` ReconcileCIDR bool `json:"reconcileCIDR"`
// registerSchedulable tells the kubelet to register the node as // registerSchedulable tells the kubelet to register the node as
// schedulable. No-op if register-node is false. // schedulable. Won't have any effect if register-node is false.
RegisterSchedulable bool `json:"registerSchedulable"` RegisterSchedulable bool `json:"registerSchedulable"`
// contentType is contentType of requests sent to apiserver. // contentType is contentType of requests sent to apiserver.
ContentType string `json:"contentType"` ContentType string `json:"contentType"`

3
pkg/apis/componentconfig/v1alpha1/defaults.go
View File

@ -162,9 +162,6 @@ func SetDefaults_KubeletConfiguration(obj *KubeletConfiguration) {
if obj.CertDirectory == "" { if obj.CertDirectory == "" {
obj.CertDirectory = "/var/run/kubernetes" obj.CertDirectory = "/var/run/kubernetes"
} }
if obj.ConfigureCBR0 == nil {
obj.ConfigureCBR0 = boolVar(false)
}
if obj.CgroupsPerQOS == nil { if obj.CgroupsPerQOS == nil {
obj.CgroupsPerQOS = boolVar(false) obj.CgroupsPerQOS = boolVar(false)
} }

12
pkg/apis/componentconfig/v1alpha1/types.go
View File

@ -374,18 +374,14 @@ type KubeletConfiguration struct {
// This will cause the kubelet to listen to inotify events on the lock file, // This will cause the kubelet to listen to inotify events on the lock file,
// releasing it and exiting when another process tries to open that file. // releasing it and exiting when another process tries to open that file.
ExitOnLockContention bool `json:"exitOnLockContention"` ExitOnLockContention bool `json:"exitOnLockContention"`
// configureCBR0 enables the kublet to configure cbr0 based on
// Node.Spec.PodCIDR.
ConfigureCBR0 *bool `json:"configureCbr0"`
// How should the kubelet configure the container bridge for hairpin packets. // How should the kubelet configure the container bridge for hairpin packets.
// Setting this flag allows endpoints in a Service to loadbalance back to // Setting this flag allows endpoints in a Service to loadbalance back to
// themselves if they should try to access their own Service. Values: // themselves if they should try to access their own Service. Values:
// "promiscuous-bridge": make the container bridge promiscuous. // "promiscuous-bridge": make the container bridge promiscuous.
// "hairpin-veth": set the hairpin flag on container veth interfaces. // "hairpin-veth": set the hairpin flag on container veth interfaces.
// "none": do nothing. // "none": do nothing.
// Setting --configure-cbr0 to false implies that to achieve hairpin NAT // Generally, one must set --hairpin-mode=veth-flag to achieve hairpin NAT,
// one must set --hairpin-mode=veth-flag, because bridge assumes the // because promiscous-bridge assumes the existence of a container bridge named cbr0.
// existence of a container bridge named cbr0.
HairpinMode string `json:"hairpinMode"` HairpinMode string `json:"hairpinMode"`
// The node has babysitter process monitoring docker and kubelet. // The node has babysitter process monitoring docker and kubelet.
BabysitDaemons bool `json:"babysitDaemons"` BabysitDaemons bool `json:"babysitDaemons"`
@ -411,10 +407,10 @@ type KubeletConfiguration struct {
// maxOpenFiles is Number of files that can be opened by Kubelet process. // maxOpenFiles is Number of files that can be opened by Kubelet process.
MaxOpenFiles int64 `json:"maxOpenFiles"` MaxOpenFiles int64 `json:"maxOpenFiles"`
// reconcileCIDR is Reconcile node CIDR with the CIDR specified by the // reconcileCIDR is Reconcile node CIDR with the CIDR specified by the
// API server. No-op if register-node or configure-cbr0 is false. // API server. Won't have any effect if register-node is false.
ReconcileCIDR *bool `json:"reconcileCIDR"` ReconcileCIDR *bool `json:"reconcileCIDR"`
// registerSchedulable tells the kubelet to register the node as // registerSchedulable tells the kubelet to register the node as
// schedulable. No-op if register-node is false. // schedulable. Won't have any effect if register-node is false.
RegisterSchedulable *bool `json:"registerSchedulable"` RegisterSchedulable *bool `json:"registerSchedulable"`
// contentType is contentType of requests sent to apiserver. // contentType is contentType of requests sent to apiserver.
ContentType string `json:"contentType"` ContentType string `json:"contentType"`

6
pkg/apis/componentconfig/v1alpha1/zz_generated.conversion.go
View File

@ -257,9 +257,6 @@ func autoConvert_v1alpha1_KubeletConfiguration_To_componentconfig_KubeletConfigu
return err return err
} }
out.ExitOnLockContention = in.ExitOnLockContention out.ExitOnLockContention = in.ExitOnLockContention
if err := api.Convert_Pointer_bool_To_bool(&in.ConfigureCBR0, &out.ConfigureCBR0, s); err != nil {
return err
}
out.HairpinMode = in.HairpinMode out.HairpinMode = in.HairpinMode
out.BabysitDaemons = in.BabysitDaemons out.BabysitDaemons = in.BabysitDaemons
out.MaxPods = in.MaxPods out.MaxPods = in.MaxPods
@ -438,9 +435,6 @@ func autoConvert_componentconfig_KubeletConfiguration_To_v1alpha1_KubeletConfigu
return err return err
} }
out.ExitOnLockContention = in.ExitOnLockContention out.ExitOnLockContention = in.ExitOnLockContention
if err := api.Convert_bool_To_Pointer_bool(&in.ConfigureCBR0, &out.ConfigureCBR0, s); err != nil {
return err
}
out.HairpinMode = in.HairpinMode out.HairpinMode = in.HairpinMode
out.BabysitDaemons = in.BabysitDaemons out.BabysitDaemons = in.BabysitDaemons
out.MaxPods = in.MaxPods out.MaxPods = in.MaxPods

7
pkg/apis/componentconfig/v1alpha1/zz_generated.deepcopy.go
View File

@ -273,13 +273,6 @@ func DeepCopy_v1alpha1_KubeletConfiguration(in interface{}, out interface{}, c *
out.LockFilePath = nil out.LockFilePath = nil
} }
out.ExitOnLockContention = in.ExitOnLockContention out.ExitOnLockContention = in.ExitOnLockContention
if in.ConfigureCBR0 != nil {
in, out := &in.ConfigureCBR0, &out.ConfigureCBR0
*out = new(bool)
**out = **in
} else {
out.ConfigureCBR0 = nil
}
out.HairpinMode = in.HairpinMode out.HairpinMode = in.HairpinMode
out.BabysitDaemons = in.BabysitDaemons out.BabysitDaemons = in.BabysitDaemons
out.MaxPods = in.MaxPods out.MaxPods = in.MaxPods

1
pkg/apis/componentconfig/zz_generated.deepcopy.go
View File

@ -281,7 +281,6 @@ func DeepCopy_componentconfig_KubeletConfiguration(in interface{}, out interface
out.RktStage1Image = in.RktStage1Image out.RktStage1Image = in.RktStage1Image
out.LockFilePath = in.LockFilePath out.LockFilePath = in.LockFilePath
out.ExitOnLockContention = in.ExitOnLockContention out.ExitOnLockContention = in.ExitOnLockContention
out.ConfigureCBR0 = in.ConfigureCBR0
out.HairpinMode = in.HairpinMode out.HairpinMode = in.HairpinMode
out.BabysitDaemons = in.BabysitDaemons out.BabysitDaemons = in.BabysitDaemons
out.MaxPods = in.MaxPods out.MaxPods = in.MaxPods

30
pkg/generated/openapi/zz_generated.openapi.go
View File

@ -2596,16 +2596,9 @@ var OpenAPIDefinitions *common.OpenAPIDefinitions = &common.OpenAPIDefinitions{
Format: "", Format: "",
}, },
}, },
"configureCbr0": {
SchemaProps: spec.SchemaProps{
Description: "configureCBR0 enables the kublet to configure cbr0 based on Node.Spec.PodCIDR.",
Type: []string{"boolean"},
Format: "",
},
},
"hairpinMode": { "hairpinMode": {
SchemaProps: spec.SchemaProps{ SchemaProps: spec.SchemaProps{
Description: "How should the kubelet configure the container bridge for hairpin packets. Setting this flag allows endpoints in a Service to loadbalance back to themselves if they should try to access their own Service. Values:\n \"promiscuous-bridge\": make the container bridge promiscuous.\n \"hairpin-veth\": set the hairpin flag on container veth interfaces.\n \"none\": do nothing.\nSetting --configure-cbr0 to false implies that to achieve hairpin NAT one must set --hairpin-mode=veth-flag, because bridge assumes the existence of a container bridge named cbr0.", Description: "How should the kubelet configure the container bridge for hairpin packets. Setting this flag allows endpoints in a Service to loadbalance back to themselves if they should try to access their own Service. Values:\n \"promiscuous-bridge\": make the container bridge promiscuous.\n \"hairpin-veth\": set the hairpin flag on container veth interfaces.\n \"none\": do nothing.\nGenerally, one must set --hairpin-mode=veth-flag to achieve hairpin NAT, because promiscous-bridge assumes the existence of a container bridge named cbr0.",
Type: []string{"string"}, Type: []string{"string"},
Format: "", Format: "",
}, },
@ -2675,14 +2668,14 @@ var OpenAPIDefinitions *common.OpenAPIDefinitions = &common.OpenAPIDefinitions{
}, },
"reconcileCIDR": { "reconcileCIDR": {
SchemaProps: spec.SchemaProps{ SchemaProps: spec.SchemaProps{
Description: "reconcileCIDR is Reconcile node CIDR with the CIDR specified by the API server. No-op if register-node or configure-cbr0 is false.", Description: "reconcileCIDR is Reconcile node CIDR with the CIDR specified by the API server. Won't have any effect if register-node is false.",
Type: []string{"boolean"}, Type: []string{"boolean"},
Format: "", Format: "",
}, },
}, },
"registerSchedulable": { "registerSchedulable": {
SchemaProps: spec.SchemaProps{ SchemaProps: spec.SchemaProps{
Description: "registerSchedulable tells the kubelet to register the node as schedulable. No-op if register-node is false.", Description: "registerSchedulable tells the kubelet to register the node as schedulable. Won't have any effect if register-node is false.",
Type: []string{"boolean"}, Type: []string{"boolean"},
Format: "", Format: "",
}, },
@ -2889,7 +2882,7 @@ var OpenAPIDefinitions *common.OpenAPIDefinitions = &common.OpenAPIDefinitions{
}, },
}, },
}, },
Required: []string{"TypeMeta", "podManifestPath", "syncFrequency", "fileCheckFrequency", "httpCheckFrequency", "manifestURL", "manifestURLHeader", "enableServer", "address", "port", "readOnlyPort", "tlsCertFile", "tlsPrivateKeyFile", "certDirectory", "hostnameOverride", "podInfraContainerImage", "dockerEndpoint", "rootDirectory", "seccompProfileRoot", "allowPrivileged", "hostNetworkSources", "hostPIDSources", "hostIPCSources", "registryPullQPS", "registryBurst", "eventRecordQPS", "eventBurst", "enableDebuggingHandlers", "minimumGCAge", "maxPerPodContainerCount", "maxContainerCount", "cAdvisorPort", "healthzPort", "healthzBindAddress", "oomScoreAdj", "registerNode", "clusterDomain", "masterServiceNamespace", "clusterDNS", "streamingConnectionIdleTimeout", "nodeStatusUpdateFrequency", "imageMinimumGCAge", "imageGCHighThresholdPercent", "imageGCLowThresholdPercent", "lowDiskSpaceThresholdMB", "volumeStatsAggPeriod", "networkPluginName", "networkPluginMTU", "networkPluginDir", "cniConfDir", "cniBinDir", "volumePluginDir", "containerRuntime", "remoteRuntimeEndpoint", "remoteImageEndpoint", "lockFilePath", "exitOnLockContention", "configureCbr0", "hairpinMode", "babysitDaemons", "maxPods", "nvidiaGPUs", "dockerExecHandlerName", "podCIDR", "resolvConf", "cpuCFSQuota", "containerized", "maxOpenFiles", "reconcileCIDR", "registerSchedulable", "contentType", "kubeAPIQPS", "kubeAPIBurst", "serializeImagePulls", "nodeLabels", "nonMasqueradeCIDR", "enableCustomMetrics", "podsPerCore", "enableControllerAttachDetach", "systemReserved", "kubeReserved", "protectKernelDefaults", "makeIPTablesUtilChains", "iptablesMasqueradeBit", "iptablesDropBit"}, Required: []string{"TypeMeta", "podManifestPath", "syncFrequency", "fileCheckFrequency", "httpCheckFrequency", "manifestURL", "manifestURLHeader", "enableServer", "address", "port", "readOnlyPort", "tlsCertFile", "tlsPrivateKeyFile", "certDirectory", "hostnameOverride", "podInfraContainerImage", "dockerEndpoint", "rootDirectory", "seccompProfileRoot", "allowPrivileged", "hostNetworkSources", "hostPIDSources", "hostIPCSources", "registryPullQPS", "registryBurst", "eventRecordQPS", "eventBurst", "enableDebuggingHandlers", "minimumGCAge", "maxPerPodContainerCount", "maxContainerCount", "cAdvisorPort", "healthzPort", "healthzBindAddress", "oomScoreAdj", "registerNode", "clusterDomain", "masterServiceNamespace", "clusterDNS", "streamingConnectionIdleTimeout", "nodeStatusUpdateFrequency", "imageMinimumGCAge", "imageGCHighThresholdPercent", "imageGCLowThresholdPercent", "lowDiskSpaceThresholdMB", "volumeStatsAggPeriod", "networkPluginName", "networkPluginMTU", "networkPluginDir", "cniConfDir", "cniBinDir", "volumePluginDir", "containerRuntime", "remoteRuntimeEndpoint", "remoteImageEndpoint", "lockFilePath", "exitOnLockContention", "hairpinMode", "babysitDaemons", "maxPods", "nvidiaGPUs", "dockerExecHandlerName", "podCIDR", "resolvConf", "cpuCFSQuota", "containerized", "maxOpenFiles", "reconcileCIDR", "registerSchedulable", "contentType", "kubeAPIQPS", "kubeAPIBurst", "serializeImagePulls", "nodeLabels", "nonMasqueradeCIDR", "enableCustomMetrics", "podsPerCore", "enableControllerAttachDetach", "systemReserved", "kubeReserved", "protectKernelDefaults", "makeIPTablesUtilChains", "iptablesMasqueradeBit", "iptablesDropBit"},
}, },
}, },
Dependencies: []string{ Dependencies: []string{
@ -14202,16 +14195,9 @@ var OpenAPIDefinitions *common.OpenAPIDefinitions = &common.OpenAPIDefinitions{
Format: "", Format: "",
}, },
}, },
"configureCbr0": {
SchemaProps: spec.SchemaProps{
Description: "configureCBR0 enables the kublet to configure cbr0 based on Node.Spec.PodCIDR.",
Type: []string{"boolean"},
Format: "",
},
},
"hairpinMode": { "hairpinMode": {
SchemaProps: spec.SchemaProps{ SchemaProps: spec.SchemaProps{
Description: "How should the kubelet configure the container bridge for hairpin packets. Setting this flag allows endpoints in a Service to loadbalance back to themselves if they should try to access their own Service. Values:\n \"promiscuous-bridge\": make the container bridge promiscuous.\n \"hairpin-veth\": set the hairpin flag on container veth interfaces.\n \"none\": do nothing.\nSetting --configure-cbr0 to false implies that to achieve hairpin NAT one must set --hairpin-mode=veth-flag, because bridge assumes the existence of a container bridge named cbr0.", Description: "How should the kubelet configure the container bridge for hairpin packets. Setting this flag allows endpoints in a Service to loadbalance back to themselves if they should try to access their own Service. Values:\n \"promiscuous-bridge\": make the container bridge promiscuous.\n \"hairpin-veth\": set the hairpin flag on container veth interfaces.\n \"none\": do nothing.\nGenerally, one must set --hairpin-mode=veth-flag to achieve hairpin NAT, because promiscous-bridge assumes the existence of a container bridge named cbr0.",
Type: []string{"string"}, Type: []string{"string"},
Format: "", Format: "",
}, },
@ -14281,14 +14267,14 @@ var OpenAPIDefinitions *common.OpenAPIDefinitions = &common.OpenAPIDefinitions{
}, },
"reconcileCIDR": { "reconcileCIDR": {
SchemaProps: spec.SchemaProps{ SchemaProps: spec.SchemaProps{
Description: "reconcileCIDR is Reconcile node CIDR with the CIDR specified by the API server. No-op if register-node or configure-cbr0 is false.", Description: "reconcileCIDR is Reconcile node CIDR with the CIDR specified by the API server. Won't have any effect if register-node is false.",
Type: []string{"boolean"}, Type: []string{"boolean"},
Format: "", Format: "",
}, },
}, },
"registerSchedulable": { "registerSchedulable": {
SchemaProps: spec.SchemaProps{ SchemaProps: spec.SchemaProps{
Description: "registerSchedulable tells the kubelet to register the node as schedulable. No-op if register-node is false.", Description: "registerSchedulable tells the kubelet to register the node as schedulable. Won't have any effect if register-node is false.",
Type: []string{"boolean"}, Type: []string{"boolean"},
Format: "", Format: "",
}, },
@ -14495,7 +14481,7 @@ var OpenAPIDefinitions *common.OpenAPIDefinitions = &common.OpenAPIDefinitions{
}, },
}, },
}, },
Required: []string{"TypeMeta", "podManifestPath", "syncFrequency", "fileCheckFrequency", "httpCheckFrequency", "manifestURL", "manifestURLHeader", "enableServer", "address", "port", "readOnlyPort", "tlsCertFile", "tlsPrivateKeyFile", "certDirectory", "hostnameOverride", "podInfraContainerImage", "dockerEndpoint", "rootDirectory", "seccompProfileRoot", "allowPrivileged", "hostNetworkSources", "hostPIDSources", "hostIPCSources", "registryPullQPS", "registryBurst", "eventRecordQPS", "eventBurst", "enableDebuggingHandlers", "minimumGCAge", "maxPerPodContainerCount", "maxContainerCount", "cAdvisorPort", "healthzPort", "healthzBindAddress", "oomScoreAdj", "registerNode", "clusterDomain", "masterServiceNamespace", "clusterDNS", "streamingConnectionIdleTimeout", "nodeStatusUpdateFrequency", "imageMinimumGCAge", "imageGCHighThresholdPercent", "imageGCLowThresholdPercent", "lowDiskSpaceThresholdMB", "volumeStatsAggPeriod", "networkPluginName", "networkPluginDir", "cniConfDir", "cniBinDir", "networkPluginMTU", "volumePluginDir", "cloudProvider", "cloudConfigFile", "kubeletCgroups", "runtimeCgroups", "systemCgroups", "cgroupRoot", "containerRuntime", "remoteRuntimeEndpoint", "remoteImageEndpoint", "runtimeRequestTimeout", "rktPath", "rktAPIEndpoint", "rktStage1Image", "lockFilePath", "exitOnLockContention", "configureCbr0", "hairpinMode", "babysitDaemons", "maxPods", "nvidiaGPUs", "dockerExecHandlerName", "podCIDR", "resolvConf", "cpuCFSQuota", "containerized", "maxOpenFiles", "reconcileCIDR", "registerSchedulable", "contentType", "kubeAPIQPS", "kubeAPIBurst", "serializeImagePulls", "outOfDiskTransitionFrequency", "nodeIP", "nodeLabels", "nonMasqueradeCIDR", "enableCustomMetrics", "evictionHard", "evictionSoft", "evictionSoftGracePeriod", "evictionPressureTransitionPeriod", "evictionMaxPodGracePeriod", "evictionMinimumReclaim", "podsPerCore", "enableControllerAttachDetach", "systemReserved", "kubeReserved", "protectKernelDefaults", "makeIPTablesUtilChains", "iptablesMasqueradeBit", "iptablesDropBit"}, Required: []string{"TypeMeta", "podManifestPath", "syncFrequency", "fileCheckFrequency", "httpCheckFrequency", "manifestURL", "manifestURLHeader", "enableServer", "address", "port", "readOnlyPort", "tlsCertFile", "tlsPrivateKeyFile", "certDirectory", "hostnameOverride", "podInfraContainerImage", "dockerEndpoint", "rootDirectory", "seccompProfileRoot", "allowPrivileged", "hostNetworkSources", "hostPIDSources", "hostIPCSources", "registryPullQPS", "registryBurst", "eventRecordQPS", "eventBurst", "enableDebuggingHandlers", "minimumGCAge", "maxPerPodContainerCount", "maxContainerCount", "cAdvisorPort", "healthzPort", "healthzBindAddress", "oomScoreAdj", "registerNode", "clusterDomain", "masterServiceNamespace", "clusterDNS", "streamingConnectionIdleTimeout", "nodeStatusUpdateFrequency", "imageMinimumGCAge", "imageGCHighThresholdPercent", "imageGCLowThresholdPercent", "lowDiskSpaceThresholdMB", "volumeStatsAggPeriod", "networkPluginName", "networkPluginDir", "cniConfDir", "cniBinDir", "networkPluginMTU", "volumePluginDir", "cloudProvider", "cloudConfigFile", "kubeletCgroups", "runtimeCgroups", "systemCgroups", "cgroupRoot", "containerRuntime", "remoteRuntimeEndpoint", "remoteImageEndpoint", "runtimeRequestTimeout", "rktPath", "rktAPIEndpoint", "rktStage1Image", "lockFilePath", "exitOnLockContention", "hairpinMode", "babysitDaemons", "maxPods", "nvidiaGPUs", "dockerExecHandlerName", "podCIDR", "resolvConf", "cpuCFSQuota", "containerized", "maxOpenFiles", "reconcileCIDR", "registerSchedulable", "contentType", "kubeAPIQPS", "kubeAPIBurst", "serializeImagePulls", "outOfDiskTransitionFrequency", "nodeIP", "nodeLabels", "nonMasqueradeCIDR", "enableCustomMetrics", "evictionHard", "evictionSoft", "evictionSoftGracePeriod", "evictionPressureTransitionPeriod", "evictionMaxPodGracePeriod", "evictionMinimumReclaim", "podsPerCore", "enableControllerAttachDetach", "systemReserved", "kubeReserved", "protectKernelDefaults", "makeIPTablesUtilChains", "iptablesMasqueradeBit", "iptablesDropBit"},
}, },
}, },
Dependencies: []string{ Dependencies: []string{

160
pkg/kubelet/container_bridge.go
View File

@ -1,160 +0,0 @@
/*
Copyright 2015 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package kubelet
import (
"bytes"
"fmt"
"net"
"os"
"os/exec"
"regexp"
"github.com/golang/glog"
"k8s.io/kubernetes/pkg/util"
"k8s.io/kubernetes/pkg/util/iptables"
"k8s.io/kubernetes/pkg/util/procfs"
"syscall"
)
var cidrRegexp = regexp.MustCompile(`inet ([0-9a-fA-F.:]*/[0-9]*)`)
func createCBR0(wantCIDR *net.IPNet, babysitDaemons bool) error {
// recreate cbr0 with wantCIDR
if err := exec.Command("brctl", "addbr", "cbr0").Run(); err != nil {
glog.Error(err)
return err
}
if err := exec.Command("ip", "addr", "add", wantCIDR.String(), "dev", "cbr0").Run(); err != nil {
glog.Error(err)
return err
}
if err := exec.Command("ip", "link", "set", "dev", "cbr0", "mtu", "1460", "up").Run(); err != nil {
glog.Error(err)
return err
}
// Stop docker so that babysitter process can restart it again with proper configurations and
// checkpoint file (https://github.com/docker/docker/issues/18283). It is safe to kill docker
// process here since CIDR can be changed only once for a given node object, and node is marked
// as NotReady until the docker daemon is restarted with the newly configured custom bridge.
// TODO (dawnchen): Remove this once corrupted checkpoint issue is fixed.
//
// For now just log the error. The containerRuntime check will catch docker failures.
// TODO (dawnchen) figure out what we should do for rkt here.
if babysitDaemons {
if err := procfs.PKill("docker", syscall.SIGKILL); err != nil {
glog.Error(err)
}
} else if util.UsingSystemdInitSystem() {
if err := exec.Command("systemctl", "restart", "docker").Run(); err != nil {
glog.Error(err)
}
} else {
if err := exec.Command("service", "docker", "restart").Run(); err != nil {
glog.Error(err)
}
}
glog.V(2).Info("Recreated cbr0 and restarted docker")
return nil
}
func ensureCbr0(wantCIDR *net.IPNet, promiscuous, babysitDaemons bool) error {
exists, err := cbr0Exists()
if err != nil {
return err
}
if !exists {
glog.V(2).Infof("CBR0 doesn't exist, attempting to create it with range: %s", wantCIDR)
return createCBR0(wantCIDR, babysitDaemons)
}
if !cbr0CidrCorrect(wantCIDR) {
glog.V(2).Infof("Attempting to recreate cbr0 with address range: %s", wantCIDR)
// delete cbr0
if err := exec.Command("ip", "link", "set", "dev", "cbr0", "down").Run(); err != nil {
glog.Error(err)
return err
}
if err := exec.Command("brctl", "delbr", "cbr0").Run(); err != nil {
glog.Error(err)
return err
}
if err := createCBR0(wantCIDR, babysitDaemons); err != nil {
glog.Error(err)
return err
}
}
// Put the container bridge into promiscuous mode to force it to accept hairpin packets.
// TODO: Remove this once the kernel bug (#20096) is fixed.
if promiscuous {
// Checking if the bridge is in promiscuous mode is as expensive and more brittle than
// simply setting the flag every time.
if err := exec.Command("ip", "link", "set", "cbr0", "promisc", "on").Run(); err != nil {
glog.Error(err)
return err
}
}
return nil
}
// Check if cbr0 network interface is configured or not, and take action
// when the configuration is missing on the node, and propagate the rest
// error to kubelet to handle.
func cbr0Exists() (bool, error) {
if _, err := os.Stat("/sys/class/net/cbr0"); err != nil {
if os.IsNotExist(err) {
return false, nil
}
return false, err
}
return true, nil
}
func cbr0CidrCorrect(wantCIDR *net.IPNet) bool {
output, err := exec.Command("ip", "addr", "show", "cbr0").Output()
if err != nil {
return false
}
match := cidrRegexp.FindSubmatch(output)
if len(match) < 2 {
return false
}
cbr0IP, cbr0CIDR, err := net.ParseCIDR(string(match[1]))
if err != nil {
glog.Errorf("Couldn't parse CIDR: %q", match[1])
return false
}
cbr0CIDR.IP = cbr0IP
glog.V(5).Infof("Want cbr0 CIDR: %s, have cbr0 CIDR: %s", wantCIDR, cbr0CIDR)
return wantCIDR.IP.Equal(cbr0IP) && bytes.Equal(wantCIDR.Mask, cbr0CIDR.Mask)
}
// nonMasqueradeCIDR is the CIDR for our internal IP range; traffic to IPs
// outside this range will use IP masquerade.
func ensureIPTablesMasqRule(client iptables.Interface, nonMasqueradeCIDR string) error {
if _, err := client.EnsureRule(iptables.Append, iptables.TableNAT,
iptables.ChainPostrouting,
"-m", "comment", "--comment", "kubelet: SNAT outbound cluster traffic",
"-m", "addrtype", "!", "--dst-type", "LOCAL",
"!", "-d", nonMasqueradeCIDR,
"-j", "MASQUERADE"); err != nil {
return fmt.Errorf("Failed to ensure masquerading for %s chain %s: %v",
iptables.TableNAT, iptables.ChainPostrouting, err)
}
return nil
}

154
pkg/kubelet/container_bridge_test.go
View File

@ -1,154 +0,0 @@
/*
Copyright 2014 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package kubelet
import (
"testing"
"k8s.io/kubernetes/pkg/util/dbus"
"k8s.io/kubernetes/pkg/util/exec"
"k8s.io/kubernetes/pkg/util/iptables"
"k8s.io/kubernetes/pkg/util/sets"
)
func TestEnsureIPTablesMasqRuleNew(t *testing.T) {
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.9.22"), nil },
// Status 1 on the first call.
func() ([]byte, error) { return nil, &exec.FakeExitError{Status: 1} },
// Success on the second call.
func() ([]byte, error) { return []byte{}, nil },
},
}
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
// iptables version check
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
// The second Command() call is checking the rule. Failure of that means create it.
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
},
}
runner := iptables.New(&fexec, dbus.NewFake(nil, nil), iptables.ProtocolIpv4)
defer runner.Destroy()
err := ensureIPTablesMasqRule(runner, "127.0.0.0/8")
if err != nil {
t.Errorf("expected success, got %v", err)
}
if fcmd.CombinedOutputCalls != 3 {
t.Errorf("expected 3 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
}
if !sets.NewString(fcmd.CombinedOutputLog[2]...).HasAll("iptables", "-t", "nat", "-A", "POSTROUTING",
"-m", "comment", "--comment", "kubelet: SNAT outbound cluster traffic",
"!", "-d", "127.0.0.0/8", "-j", "MASQUERADE") {
t.Errorf("wrong CombinedOutput() log, got %#v", fcmd.CombinedOutputLog[2])
}
}
func TestEnsureIPTablesMasqRuleAlreadyExists(t *testing.T) {
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.9.22"), nil },
// Success.
func() ([]byte, error) { return []byte{}, nil },
},
}
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
// iptables version check
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
// The second Command() call is checking the rule. Success of that exec means "done".
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
},
}
runner := iptables.New(&fexec, dbus.NewFake(nil, nil), iptables.ProtocolIpv4)
defer runner.Destroy()
err := ensureIPTablesMasqRule(runner, "127.0.0.0/8")
if err != nil {
t.Errorf("expected success, got %v", err)
}
if fcmd.CombinedOutputCalls != 2 {
t.Errorf("expected 2 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
}
if !sets.NewString(fcmd.CombinedOutputLog[1]...).HasAll("iptables", "-t", "nat", "-C", "POSTROUTING",
"-m", "comment", "--comment", "kubelet: SNAT outbound cluster traffic",
"!", "-d", "127.0.0.0/8", "-j", "MASQUERADE") {
t.Errorf("wrong CombinedOutput() log, got %#v", fcmd.CombinedOutputLog[1])
}
}
func TestEnsureIPTablesMasqRuleErrorChecking(t *testing.T) {
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.9.22"), nil },
// Status 2 on the first call.
func() ([]byte, error) { return nil, &exec.FakeExitError{Status: 2} },
},
}
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
// iptables version check
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
// The second Command() call is checking the rule. Failure of that means create it.
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
},
}
runner := iptables.New(&fexec, dbus.NewFake(nil, nil), iptables.ProtocolIpv4)
defer runner.Destroy()
err := ensureIPTablesMasqRule(runner, "127.0.0.0/8")
if err == nil {
t.Errorf("expected failure")
}
if fcmd.CombinedOutputCalls != 2 {
t.Errorf("expected 2 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
}
}
func TestEnsureIPTablesMasqRuleErrorCreating(t *testing.T) {
fcmd := exec.FakeCmd{
CombinedOutputScript: []exec.FakeCombinedOutputAction{
// iptables version check
func() ([]byte, error) { return []byte("iptables v1.9.22"), nil },
// Status 1 on the first call.
func() ([]byte, error) { return nil, &exec.FakeExitError{Status: 1} },
// Status 1 on the second call.
func() ([]byte, error) { return nil, &exec.FakeExitError{Status: 1} },
},
}
fexec := exec.FakeExec{
CommandScript: []exec.FakeCommandAction{
// iptables version check
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
// The second Command() call is checking the rule. Failure of that means create it.
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
func(cmd string, args ...string) exec.Cmd { return exec.InitFakeCmd(&fcmd, cmd, args...) },
},
}
runner := iptables.New(&fexec, dbus.NewFake(nil, nil), iptables.ProtocolIpv4)
defer runner.Destroy()
err := ensureIPTablesMasqRule(runner, "127.0.0.0/8")
if err == nil {
t.Errorf("expected failure")
}
if fcmd.CombinedOutputCalls != 3 {
t.Errorf("expected 3 CombinedOutput() calls, got %d", fcmd.CombinedOutputCalls)
}
}

11
pkg/kubelet/kubelet.go
View File

@ -389,13 +389,6 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *Kub
oomWatcher := NewOOMWatcher(kubeDeps.CAdvisorInterface, kubeDeps.Recorder) oomWatcher := NewOOMWatcher(kubeDeps.CAdvisorInterface, kubeDeps.Recorder)
// TODO(mtaufen): remove when internal cbr0 implementation gets removed in favor
// of the kubenet network plugin
var myConfigureCBR0 bool = kubeCfg.ConfigureCBR0
if kubeCfg.NetworkPluginName == "kubenet" {
myConfigureCBR0 = false
}
klet := &Kubelet{ klet := &Kubelet{
hostname: hostname, hostname: hostname,
nodeName: nodeName, nodeName: nodeName,
@ -430,7 +423,6 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *Kub
cgroupRoot: kubeCfg.CgroupRoot, cgroupRoot: kubeCfg.CgroupRoot,
mounter: kubeDeps.Mounter, mounter: kubeDeps.Mounter,
writer: kubeDeps.Writer, writer: kubeDeps.Writer,
configureCBR0: myConfigureCBR0,
nonMasqueradeCIDR: kubeCfg.NonMasqueradeCIDR, nonMasqueradeCIDR: kubeCfg.NonMasqueradeCIDR,
reconcileCIDR: kubeCfg.ReconcileCIDR, reconcileCIDR: kubeCfg.ReconcileCIDR,
maxPods: int(kubeCfg.MaxPods), maxPods: int(kubeCfg.MaxPods),
@ -454,7 +446,7 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *Kub
iptablesDropBit: int(kubeCfg.IPTablesDropBit), iptablesDropBit: int(kubeCfg.IPTablesDropBit),
} }
if mode, err := effectiveHairpinMode(componentconfig.HairpinMode(kubeCfg.HairpinMode), kubeCfg.ContainerRuntime, kubeCfg.ConfigureCBR0, kubeCfg.NetworkPluginName); err != nil { if mode, err := effectiveHairpinMode(componentconfig.HairpinMode(kubeCfg.HairpinMode), kubeCfg.ContainerRuntime, kubeCfg.NetworkPluginName); err != nil {
// This is a non-recoverable error. Returning it up the callstack will just // This is a non-recoverable error. Returning it up the callstack will just
// lead to retries of the same failure, so just fail hard. // lead to retries of the same failure, so just fail hard.
glog.Fatalf("Invalid hairpin mode: %v", err) glog.Fatalf("Invalid hairpin mode: %v", err)
@ -914,7 +906,6 @@ type Kubelet struct {
// Whether or not kubelet should take responsibility for keeping cbr0 in // Whether or not kubelet should take responsibility for keeping cbr0 in
// the correct state. // the correct state.
configureCBR0 bool
reconcileCIDR bool reconcileCIDR bool
// Traffic to IPs outside this range will use IP masquerade. // Traffic to IPs outside this range will use IP masquerade.

72
pkg/kubelet/kubelet_network.go
View File

@ -20,7 +20,6 @@ import (
"fmt" "fmt"
"io" "io"
"io/ioutil" "io/ioutil"
"net"
"strings" "strings"
"github.com/golang/glog" "github.com/golang/glog"
@ -49,11 +48,10 @@ const (
// effectiveHairpinMode determines the effective hairpin mode given the // effectiveHairpinMode determines the effective hairpin mode given the
// configured mode, container runtime, and whether cbr0 should be configured. // configured mode, container runtime, and whether cbr0 should be configured.
func effectiveHairpinMode(hairpinMode componentconfig.HairpinMode, containerRuntime string, configureCBR0 bool, networkPlugin string) (componentconfig.HairpinMode, error) { func effectiveHairpinMode(hairpinMode componentconfig.HairpinMode, containerRuntime string, networkPlugin string) (componentconfig.HairpinMode, error) {
// The hairpin mode setting doesn't matter if: // The hairpin mode setting doesn't matter if:
// - We're not using a bridge network. This is hard to check because we might // - We're not using a bridge network. This is hard to check because we might
// be using a plugin. It matters if --configure-cbr0=true, and we currently // be using a plugin.
// don't pipe it down to any plugins.
// - It's set to hairpin-veth for a container runtime that doesn't know how // - It's set to hairpin-veth for a container runtime that doesn't know how
// to set the hairpin flag on the veth's of containers. Currently the // to set the hairpin flag on the veth's of containers. Currently the
// docker runtime is the only one that understands this. // docker runtime is the only one that understands this.
@ -64,18 +62,14 @@ func effectiveHairpinMode(hairpinMode componentconfig.HairpinMode, containerRunt
glog.Warningf("Hairpin mode set to %q but container runtime is %q, ignoring", hairpinMode, containerRuntime) glog.Warningf("Hairpin mode set to %q but container runtime is %q, ignoring", hairpinMode, containerRuntime)
return componentconfig.HairpinNone, nil return componentconfig.HairpinNone, nil
} }
if hairpinMode == componentconfig.PromiscuousBridge && !configureCBR0 && networkPlugin != "kubenet" { if hairpinMode == componentconfig.PromiscuousBridge && networkPlugin != "kubenet" {
// This is not a valid combination. Users might be using the // This is not a valid combination, since promiscuous-bridge only works on kubenet. Users might be using the
// default values (from before the hairpin-mode flag existed) and we // default values (from before the hairpin-mode flag existed) and we
// should keep the old behavior. // should keep the old behavior.
glog.Warningf("Hairpin mode set to %q but configureCBR0 is false, falling back to %q", hairpinMode, componentconfig.HairpinVeth) glog.Warningf("Hairpin mode set to %q but kubenet is not enabled, falling back to %q", hairpinMode, componentconfig.HairpinVeth)
return componentconfig.HairpinVeth, nil return componentconfig.HairpinVeth, nil
} }
} else if hairpinMode == componentconfig.HairpinNone { } else if hairpinMode != componentconfig.HairpinNone {
if configureCBR0 {
glog.Warningf("Hairpin mode set to %q and configureCBR0 is true, this might result in loss of hairpin packets", hairpinMode)
}
} else {
return "", fmt.Errorf("unknown value: %q", hairpinMode) return "", fmt.Errorf("unknown value: %q", hairpinMode)
} }
return hairpinMode, nil return hairpinMode, nil
@ -195,60 +189,8 @@ func (kl *Kubelet) cleanupBandwidthLimits(allPods []*api.Pod) error {
return nil return nil
} }
// TODO: remove when kubenet plugin is ready // syncNetworkStatus updates the network state
// NOTE!!! if you make changes here, also make them to kubenet
func (kl *Kubelet) reconcileCBR0(podCIDR string) error {
if podCIDR == "" {
glog.V(5).Info("PodCIDR not set. Will not configure cbr0.")
return nil
}
glog.V(5).Infof("PodCIDR is set to %q", podCIDR)
_, cidr, err := net.ParseCIDR(podCIDR)
if err != nil {
return err
}
// Set cbr0 interface address to first address in IPNet
cidr.IP.To4()[3] += 1
if err := ensureCbr0(cidr, kl.hairpinMode == componentconfig.PromiscuousBridge, kl.babysitDaemons); err != nil {
return err
}
if kl.shapingEnabled() {
if kl.shaper == nil {
glog.V(5).Info("Shaper is nil, creating")
kl.shaper = bandwidth.NewTCShaper("cbr0")
}
return kl.shaper.ReconcileInterface()
}
return nil
}
// syncNetworkStatus updates the network state, ensuring that the network is
// configured correctly if the kubelet is set to configure cbr0:
// * ensure that iptables masq rules are setup
// * reconcile cbr0 with the pod CIDR
func (kl *Kubelet) syncNetworkStatus() { func (kl *Kubelet) syncNetworkStatus() {
var err error
if kl.configureCBR0 {
if err := ensureIPTablesMasqRule(kl.iptClient, kl.nonMasqueradeCIDR); err != nil {
err = fmt.Errorf("Error on adding iptables rules: %v", err)
glog.Error(err)
kl.runtimeState.setNetworkState(err)
return
}
podCIDR := kl.runtimeState.podCIDR()
if len(podCIDR) == 0 {
err = fmt.Errorf("ConfigureCBR0 requested, but PodCIDR not set. Will not configure CBR0 right now")
glog.Warning(err)
} else if err = kl.reconcileCBR0(podCIDR); err != nil {
err = fmt.Errorf("Error configuring cbr0: %v", err)
glog.Error(err)
}
if err != nil {
kl.runtimeState.setNetworkState(err)
return
}
}
kl.runtimeState.setNetworkState(kl.networkPlugin.Status()) kl.runtimeState.setNetworkState(kl.networkPlugin.Status())
} }

3
pkg/kubemark/hollow_kubelet.go
View File

@ -139,8 +139,7 @@ func GetHollowKubeletConfig(
c.EnableDebuggingHandlers = true c.EnableDebuggingHandlers = true
c.EnableServer = true c.EnableServer = true
c.CgroupsPerQOS = false c.CgroupsPerQOS = false
// Since this kubelet runs with --configure-cbr0=false, it needs to use // hairpin-veth is used to allow hairpin packets. Note that this deviates from
// hairpin-veth to allow hairpin packets. Note that this deviates from
// what the "real" kubelet currently does, because there's no way to // what the "real" kubelet currently does, because there's no way to
// set promiscuous mode on docker0. // set promiscuous mode on docker0.
c.HairpinMode = componentconfig.HairpinVeth c.HairpinMode = componentconfig.HairpinVeth