Commit Graph

365 Commits (32a1efa408c97d70c76e29f3895a7ee8572ae385)

Author SHA1 Message Date
Brad Davidson 2835368ecb Bump k3s-root and remove embedded strongswan support
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-12-01 12:40:40 -08:00
Manuel Buil 1beecb2e2d
Merge pull request #6531 from manuelbuil/fixLogs
Fix log for flannelExternalIP use case
2022-11-22 16:54:26 +01:00
Brad Davidson 6f2b21c5cd Add rootless IPv6 support
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-11-21 15:23:30 -08:00
Manuel Buil 5188443988 Fix log for flannelExternalIP use case
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-11-21 17:10:35 +01:00
thomasferrandiz b7d217dbf3
Merge pull request #6405 from thomasferrandiz/log-kube-router-version
log kube-router version when starting netpol controller
2022-11-04 11:07:37 +01:00
Manuel Buil 8aff25e192
Merge pull request #6403 from manuelbuil/logsFlannelExternalIP
Avoid wrong config for `flannel-external-ip` and add warning if unencrypted backend
2022-11-04 09:47:30 +01:00
Manuel Buil 1682172ac1 Add some helping logs to avoid wrong configs
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-11-03 18:09:17 +01:00
Roberto Bonafiglia 87c7ea81f0 Updated flannel version to 0.20.1
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-11-03 17:49:26 +01:00
Thomas Ferrandiz 68ac954489 log kube-router version when starting netpol controller
Signed-off-by: Thomas Ferrandiz <thomas.ferrandiz@suse.com>
2022-11-03 12:26:50 +01:00
Petri Kivikangas 6156059136 Convert containerd config.toml.tmpl Linux template to v2 syntax
Signed-off-by: Petri Kivikangas <36138+Kitanotori@users.noreply.github.com>
2022-10-27 16:55:03 -07:00
Brad Davidson 76729d813b Set default kubeletPort
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-26 15:08:13 -07:00
Brad Davidson 269563e4d2 Check for RBAC before starting tunnel controllers
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-26 15:08:13 -07:00
Brad Davidson f2585c1671 Add --flannel-external-ip flag
Using the node external IP address for all CNI traffic is a breaking change from previous versions; we should make it an opt-in for distributed clusters instead of default behavior.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-24 10:10:49 -07:00
Derek Nola 06d81cb936
Replace deprecated ioutil package (#6230)
* Replace ioutil package
* check integration test null pointer
* Remove rotate retries

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-10-07 17:36:57 -07:00
Brad Davidson b411864be5 Handle custom kubelet port in agent tunnel
The kubelet port can be overridden by users; we shouldn't assume its always 10250

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-05 21:10:38 -07:00
Manuel Buil 5164cf5345 Add flannel-external-ip when there is a k3s node-external-ip
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-09-26 16:24:00 +02:00
Roberto Bonafiglia 26e9405767 Added warning message for flannel backend additional options deprecation
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-09-09 20:04:04 +02:00
Derek Nola cd49101fc8
Convert deprecated flags to fatal errors for v1.25 (#6069)
* Replace warning with fatal errors.
* Group system-default-registry under (agent/runtime)

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-09-01 09:33:59 -07:00
Roberto Bonafiglia a30971efaa Updated flannel to v0.19.1
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-08-08 09:57:56 +02:00
Brad Davidson 4aca21a1f1 Add cri-dockerd support as backend for --docker flag
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-08-05 02:39:25 -07:00
Brad Davidson b1fa63dfb7 Revert "Remove --docker/dockershim support"
This reverts commit 4a3d283bc1.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-08-05 02:39:25 -07:00
Roberto Bonafiglia d90ba30353 Added NodeIP autodect in case of dualstack connection
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-08-04 09:54:45 +02:00
Derek Nola 118a68c913
Updates to CLI flag grouping + deprecated flag warnings. (#5937)
* Consolidate data dir flag
* Group cluster flags together
* Reorder and group agent flags
* Add additional info around vmodule flag
* Hide deprecated flags, and add warning about their removal

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-08-02 13:51:16 -07:00
Brad Davidson db2ba7b61d Don't enable unprivileged ports and icmp on old kernels
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-28 14:33:20 -07:00
Brad Davidson bd5fdfce33 Fix server systemd detection
* Use INVOCATION_ID to detect execution under systemd, since as of a9b5a1933f NOTIFY_SOCKET is now cleared by the server code.
* Set the unit type to notify by default for both server and agent, which is what Rancher-managed installs have done for a while.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-21 13:42:20 -07:00
Brad Davidson afee83dda2 Bump remotedialer
Includes fix for recently identified memory leak.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-07 12:22:37 -07:00
Olli Janatuinen 2968a83bc0 containerd: Enable enable_unprivileged_ports and enable_unprivileged_icmp by default
Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
2022-06-15 14:49:51 -07:00
Brad Davidson 3399afed83 Ensure that CONTAINERD_ variables are not shadowed by later entries
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-06-15 10:58:12 -07:00
Derek Nola a9b5a1933f
Delay service readiness until after startuphooks have finished (#5649)
* Move startup hooks wg into a runtime pointer, check before notifying systemd
* Switch default systemd notification to server
* Add 1 sec delay to allow etcd to write to disk
Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-06-15 09:00:52 -07:00
Roberto Bonafiglia a693071c74
Merge pull request #5552 from sjoerdsimons/sjoerd/flannel-wireguard-mode
Add cli flag for flannel wireguard mode
2022-06-15 14:28:21 +02:00
Manuel Buil d4522de06a
Merge pull request #5656 from manuelbuil/AddFlannelCniConfFile
Add FlannelCNIConf flag
2022-06-14 10:23:51 +02:00
Brad Davidson b550e1183a Remove control-plane egress context and fix agent mode.
The control-plane context handles requests outside the cluster and
should not be sent to the proxy.

In agent mode, we don't watch pods and just direct-dial any request for
a non-node address, which is the original behavior.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-06-10 10:14:15 -07:00
Brad Davidson d3242bea3c Refactor egress-selector pods mode to watch pods
Watching pods appears to be the most reliable way to ensure that the
proxy routes and authorizes connections.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-06-08 09:34:53 -07:00
Manuel Buil c705d34804 Add FlannelConfCNI flag
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-06-08 11:03:17 +02:00
Sjoerd Simons 8643576985 Add ability to pass configuration options to flannel backend
Allow the flannel backend to be specified as
backend=option=val,option2=val2 to select a given backend with extra options.

In particular this adds the following options to wireguard-native
backend:
* Mode - flannel wireguard tunnel mode
* PersistentKeepaliveInterval- wireguard persistent keepalive interval

Signed-off-by: Sjoerd Simons <sjoerd@collabora.com>
2022-06-07 20:13:28 +02:00
Brad Davidson 9d7230496d Add support for configuring the EgressSelector mode
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-18 13:26:10 -07:00
Brad Davidson 4a3d283bc1 Remove --docker/dockershim support
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-11 14:39:07 -07:00
Brad Davidson c8447dca56 Bump golang to 1.18.1
Also update all use of 'go get' => 'go install', update CI tooling for
1.18 compatibility, and gofmt everything so lint passes.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-11 14:39:07 -07:00
Brad Davidson e6385b2341 Update CNI version in config file
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-11 14:39:07 -07:00
Brad Davidson 1d4f995edd Move auto-generated resolv.conf out of /tmp to prevent accidental cleanup
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-03 20:33:32 -07:00
Manuel Buil 314e3f56dc Check if user has a correct cluster-cidr and service-cidr config
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-05-03 11:01:30 +02:00
Brad Davidson ce5b9347c9 Replace DefaultProxyDialerFn dialer injection with EgressSelector support
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-29 17:54:36 -07:00
Brad Davidson e763fadbba Ensure that WaitForAPIServerReady always re-dials through the loadbalancer
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-29 14:47:30 -07:00
Brad Davidson 13ca10664f Use ListWatch helpers instead of bare List/Watch
Reduces code complexity a bit and ensures we don't  have to handle closed watch channels on our own

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-29 12:24:12 -07:00
Michal Rostecki 5f2a4d4209 server: Allow to enable network policies with IPv6-only
After previous changes, network policies are working on IPv6-only
installations.

Signed-off-by: Michal Rostecki <vadorovsky@gmail.com>
2022-04-29 10:51:38 -07:00
Michal Rostecki c0045f415b agent(netpol): Explicitly enable IPv4 when necessary
Before this change, kube-router was always assuming that IPv4 is
enabled, which is not the case in IPv6-only clusters. To enable network
policies in IPv6-only, we need to explicitly let kube-router know when
to disable IPv4.

Signed-off-by: Michal Rostecki <vadorovsky@gmail.com>
2022-04-29 10:51:38 -07:00
Brad Davidson a69d635c9b Drop unnecessary intermediate variable
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-29 09:22:57 -07:00
Brad Davidson 333311c7ee Add systemd cgroup controller support
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-29 09:22:57 -07:00
Brad Davidson 418c3fa858
Fix issue with datastore corruption on cluster-reset (#5515)
* Bump etcd to v3.5.4-k3s1
* Fix issue with datastore corruption on cluster-reset
* Disable unnecessary components during cluster reset

Disable control-plane components and the tunnel setup during
cluster-reset, even when not doing a restore. This reduces the amount of
log clutter during cluster reset/restore, making any errors encountered
more obvious.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-27 13:44:15 -07:00
Brad Davidson b12cd62935 Move IPv4/v6 selection into helpers
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-15 01:02:42 -07:00
Brad Davidson 7e447692c5 Fix issue with RKE2 servers hanging on listing apiserver addresses
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-15 01:02:42 -07:00
Dirk Müller fa0fa8b1d0 Update golangci-lint to 1.45.2
This requires a further set of gofmt -s improvements to the
code, but nothing major. golangci-lint 1.45.2 brings golang 1.18
support which might be needed in the future.

Signed-off-by: Dirk Müller <dirk@dmllr.de>
2022-04-13 14:48:42 -07:00
Roberto Bonafiglia f04c602c07 Updated wireguard-native options and added log message
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-04-07 19:31:21 +02:00
Roberto Bonafiglia 47abaf362e Added new flannel backend to use wireguard from flannel
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-04-07 19:31:13 +02:00
Michal Rostecki 9350016de8
Merge pull request #5387 from vadorovsky/kube-router-dual-stack
netpol: Add dual-stack support
2022-04-07 11:24:38 +02:00
Brad Davidson 49544e0d49 Allow agents to query non-apiserver supervisors for apiserver endpoints
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-06 13:03:14 -07:00
Michal Rostecki c707948adf netpol: Add dual-stack support
This change allows to define two cluster CIDRs for compatibility with
Kubernetes dual-stuck, with an assumption that two CIDRs are usually
IPv4 and IPv6.

It does that by levearaging changes in out kube-router fork, with the
following downstream release:

https://github.com/k3s-io/kube-router/releases/tag/v1.3.2%2Bk3s

Signed-off-by: Michal Rostecki <vadorovsky@gmail.com>
2022-04-06 14:43:09 +02:00
Euan Kemp c2e846dc16 Allow using flannel wireguard backend in a custom config
Ideally we'd have fully fleshed out support for it (i.e. #5011), but
that's a potentially breaking change and taking a little while to merge.

This is a much simpler change which won't break anything, but will allow
a "Type": "wireguard" reference in the "--flannel-conf" custom config
file to work.

Signed-off-by: Euan Kemp <euank@euank.com>
2022-04-05 09:44:26 -07:00
Roberto Bonafiglia 4afeb9c5c7
Merge pull request #5325 from rbrtbnfgl/fix-etcd-ipv6-url
Fixed etcd URL in case of IPv6 address
2022-04-05 09:55:42 +02:00
Roberto Bonafiglia 06c779c57d Fixed loadbalancer in case of IPv6 addresses
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-31 11:49:30 +02:00
Luther Monson 13191da58a add a wrapper around the containerd.New call to fix and pass the proper npipe connector
Signed-off-by: Luther Monson <luther.monson@gmail.com>
2022-03-29 18:06:48 -07:00
Roberto Bonafiglia dda409b041 Updated localhost address on IPv6 only setup
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-29 09:35:54 +02:00
Roberto Bonafiglia ff85faa7de Changed ipv6 config on flannel setup
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-09 12:30:33 +01:00
Roberto Bonafiglia 073f155fc4 Added ipv6 only support with flannel
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-09 09:35:01 +01:00
Roberto Bonafiglia 93346904cf
Merge pull request #5215 from rbrtbnfgl/flannel_0.17
Flannel 0.17
2022-03-09 08:51:10 +01:00
Roberto Bonafiglia 3fabc0703b
Merge pull request #4450 from olljanat/support-ipv6-only
Add partial support for IPv6 only mode
2022-03-08 11:38:52 +01:00
Roberto Bonafiglia f3d81544b1 Fixed log in case of ipv6 only config
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-08 09:42:25 +01:00
Roberto Bonafiglia 0c83f50c4c Added switch case to check netMode
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-08 09:34:25 +01:00
Roberto Bonafiglia 2c39febdd2 Fixed in case of empty address
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-07 14:09:29 +01:00
Roberto Bonafiglia d7d4c891e2 Updated flannel to 0.17
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-07 14:09:05 +01:00
Luther Monson 9a849b1bb7
[master] changing package to k3s-io (#4846)
* changing package to k3s-io

Signed-off-by: Luther Monson <luther.monson@gmail.com>

Co-authored-by: Derek Nola <derek.nola@suse.com>
2022-03-02 15:47:27 -08:00
Brad Davidson f090bf2d5e Bootstrap the executor even when the agent is disabled
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-02 02:47:54 -08:00
Brad Davidson 5014c9e0e8 Fix adding etcd-only node to existing cluster
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-02-28 19:56:08 -08:00
Manuel Buil 062fe63dd1 Fix annoying netpol log
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-02-10 20:01:27 +01:00
Olli Janatuinen 966f4d6a01 Add support for IPv6 only mode
Automatically switch to IPv6 only mode if first node-ip is IPv6 address

Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
2022-02-10 20:34:59 +02:00
Michal Rostecki 4fed9f4052 netpol: Use kube-router as a library
Before this change, we were copying a part of kube-router code to
pkg/agent/netpol directory with modifications, from which the biggest
one was consumption of k3s node config instead of kube-router config.

However, that approach made it hard to follow new upstream versions.
It's possible to use kube-router as a library, so it seems like a better
way to do that.

Instead of modifying kube-router network policy controller to comsume
k3s configuration, this change just converts k3s node config into
kube-router config. All the functionality of kube-router except netpol
is still disabled.

Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-02-07 10:54:08 +01:00
Brad Davidson bc7635f01f Move containerd wait into exported function
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-01-25 13:09:30 -08:00
Roberto Bonafiglia 8eded2749a Added debug log for IPv6 Masquerading rule
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@gmail.com>
2022-01-17 10:20:12 +01:00
Roberto Bonafiglia 111c1669fc Added flannel-ipv6-masq flag to enable IPv6 nat
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@gmail.com>
2022-01-14 18:35:37 +01:00
Roberto Bonafiglia 2253f64b2a Added iptables masquerade rules for ipv6 on flannel
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@gmail.com>
2022-01-14 18:35:37 +01:00
Brad Davidson 87395e32d6 Update modules for Kubernetes v1.23
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-12-22 10:47:38 -08:00
Manuel Buil 4eb282edac Move flannel logs to logrus
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-12-21 14:34:51 +01:00
Brad Davidson a70487d5ae Update wharfie usage in windows code path
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-12-09 13:16:22 -08:00
Alexey Medvedchikov 8f389ab030
Include node-external-ip in serving-kubelet.crt SANs (#4620)
* Include node-external-ip in serving-kubelet.crt SANs

Signed-off-by: Alexey Medvedchikov <alexeymedvedchikov@improbable.io>
2021-12-07 15:42:40 -08:00
Brad Davidson 7d3447ceff Bump wharfie to v0.5.1 and use shared decompression code
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-12-07 12:50:57 -08:00
Manuel Buil 7685da3e24 Improve flannel logging
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-11-22 21:51:52 +01:00
Brad Davidson 5ab6d21a7d
Increase agent's apiserver ready timeout (#4454)
Since we now start the server's agent sooner and in the background, we
may need to wait longer than 30 seconds for the apiserver to become
ready on downstream projects such as RKE2.

Since this essentially just serves as an analogue for the server's
apiReady channel, there's little danger in setting it to something
relatively high.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-11-11 14:01:49 -07:00
Manuel Buil 5d168a1d59 Allow svclb pod to enable ipv6 forwarding
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-11-10 18:20:03 +01:00
Luther Monson 36c6634cce
[master] updating to new signals package in wrangler (#4399)
* updating to new signals package in wrangler

Signed-off-by: Luther Monson <luther.monson@gmail.com>
2021-11-08 08:32:43 -07:00
Deshi Xiao f1622129e4 refactor: Use plain channel send or receive
fix issue #4369

should use a simple channel send/receive instead of select with a single
case

Signed-off-by: Deshi Xiao <xiaods@gmail.com>
2021-11-01 15:00:49 -07:00
Brad Davidson 5acd0b9008 Watch the local Node object instead of get/sleep looping
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-10-29 15:18:14 -07:00
Brad Davidson 3fe460d080 Block scheduler startup on untainted node when using embedded CCM
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-10-29 15:18:14 -07:00
Brad Davidson 5a923ab8dc Add containerd ready channel to delay etcd node join
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-10-14 14:03:52 -07:00
Manuel Buil 87524a7ac7 Enable the inheritance of settings for ipv6
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-09-28 09:42:08 +02:00
Joe Kralicky debb508643
Nvidia container runtime discovery in containerd config template (#3890)
* Update the default containerd config template with support for adding extra container runtimes. Add logic to discover nvidia container runtimes installed via the the gpu operator or package manager.

Signed-off-by: Joe Kralicky <joe.kralicky@suse.com>
2021-09-15 14:31:11 -07:00
Manuel Buil 9fcd79baae Add tests to the dual-stack PR and enable dual-stack with flannel backend
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-09-15 14:11:54 +02:00
Manuel Buil 681058bb40 Add dual-stack support
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-09-15 11:44:48 +02:00
Brad Davidson 3449d5b9f9 Wait for apiserver readyz instead of healthz
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-10 17:04:15 -07:00
Brad Davidson 29c8b238e5 Replace klog with non-exiting fork
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-10 09:36:16 -07:00
Kohei Tokunaga 8b857eef9c
Ship Stargz Snapshotter (#2936)
* Ship Stargz Snapshotter

Signed-off-by: ktock <ktokunaga.mail@gmail.com>

* Bump github.com/containerd/stargz-snapshotter to v0.8.0

Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
2021-09-01 16:27:42 -07:00