From c0045f415bb59da69b029d3d5cb18130c4f8d76f Mon Sep 17 00:00:00 2001
From: Michal Rostecki
Date: Wed, 20 Apr 2022 16:01:49 +0200
Subject: [PATCH] agent(netpol): Explicitly enable IPv4 when necessary
Before this change, kube-router was always assuming that IPv4 is enabled, which is not the case in IPv6-only clusters. To enable network policies in IPv6-only, we need to explicitly let kube-router know when to disable IPv4.
Signed-off-by: Michal Rostecki
---
 pkg/agent/netpol/netpol.go | 2 +-
 pkg/agent/run.go | 4 ++++
 pkg/daemons/config/types.go | 1 +
 3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/pkg/agent/netpol/netpol.go b/pkg/agent/netpol/netpol.go
index 3c85387559..81861d6d2f 100644
--- a/pkg/agent/netpol/netpol.go
+++ b/pkg/agent/netpol/netpol.go
@@ -55,7 +55,7 @@ func Run(ctx context.Context, nodeConfig *config.Node) error {
 krConfig := options.NewKubeRouterConfig()
 krConfig.ClusterIPCIDR = util.JoinIPNets(nodeConfig.AgentConfig.ServiceCIDRs)
- krConfig.EnableIPv4 = true
+ krConfig.EnableIPv4 = nodeConfig.AgentConfig.EnableIPv4
 krConfig.EnableIPv6 = nodeConfig.AgentConfig.EnableIPv6
 krConfig.NodePortRange = strings.ReplaceAll(nodeConfig.AgentConfig.ServiceNodePortRange.String(), "-", ":")
 krConfig.HostnameOverride = nodeConfig.AgentConfig.NodeName
diff --git a/pkg/agent/run.go b/pkg/agent/run.go
index 92e0950252..d599ce3663 100644
--- a/pkg/agent/run.go
+++ b/pkg/agent/run.go
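Review bot: In pkg/agent/netpol/netpol.go the line `krConfig.EnableIPv4 = nodeConfig.AgentConfig.EnableIPv4` carries no comment about where that field is populated, and the zero value of the new bool is false. Before this commit IPv4 was unconditionally on, so any path that reaches `Run` without the assignment made in pkg/agent/run.go would now configure the policy controller with IPv4 off. Whether such callers exist is not visible here. A comment above the two assignments would record the dependency: `// EnableIPv4/EnableIPv6 are set by agent.run() from the CIDR families; an unset config disables that family here.` The body of `Run` continues outside the hunk.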
@@ -59,15 +59,19 @@ func run(ctx context.Context, cfg cmds.Agent, proxy proxy.Proxy) error {
 if err != nil {
 return errors.Wrap(err, "failed to validate node-ip")
 }
+ serviceIPv4 := utilsnet.IsIPv4CIDR(nodeConfig.AgentConfig.ServiceCIDR)
+ clusterIPv4 := utilsnet.IsIPv4CIDR(nodeConfig.AgentConfig.ClusterCIDR)
 serviceIPv6 := utilsnet.IsIPv6CIDR(nodeConfig.AgentConfig.ServiceCIDR)
 clusterIPv6 := utilsnet.IsIPv6CIDR(nodeConfig.AgentConfig.ClusterCIDR)
+ enableIPv4 := dualCluster || dualService || dualNode || serviceIPv4 || clusterIPv4
 enableIPv6 := dualCluster || dualService || dualNode || serviceIPv6 || clusterIPv6
 conntrackConfig, err := getConntrackConfig(nodeConfig)
 if err != nil {
 return errors.Wrap(err, "failed to validate kube-proxy conntrack configuration")
 }
 syssetup.Configure(enableIPv6, conntrackConfig)
+ nodeConfig.AgentConfig.EnableIPv4 = enableIPv4
 nodeConfig.AgentConfig.EnableIPv6 = enableIPv6
 if err := setupCriCtlConfig(cfg, nodeConfig); err != nil {
diff --git a/pkg/daemons/config/types.go b/pkg/daemons/config/types.go
index a3c6c66a97..e38d956c20 100644
--- a/pkg/daemons/config/types.go
+++ b/pkg/daemons/config/types.go
@@ -106,6 +106,7 @@ type Agent struct {
 Rootless bool
 ProtectKernelDefaults bool
 DisableServiceLB bool
+ EnableIPv4 bool
 EnableIPv6 bool
 }
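Review bot: In pkg/agent/run.go nothing checks that at least one of `enableIPv4` and `enableIPv6` is true before both are stored on `nodeConfig.AgentConfig`. Both values come only from the dual-stack flags and the family of `ServiceCIDR` and `ClusterCIDR`. If those CIDRs were unset at this point (not visible in the hunk), both would be false and the network policy controller would presumably start with no address family enabled, a fail-open result for a control that previously always had IPv4 on. A guard right after `enableIPv6` is computed would turn that into a startup error: `if !enableIPv4 && !enableIPv6 { return errors.New("neither IPv4 nor IPv6 could be derived from the cluster and service CIDRs") }`. `run` begins and ends outside the hunk.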