✨ IPv6 support for self-managed clusters #5603
Conversation
k8s-ci-robot
added
release-note
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
needs-priority
cncf-cla: no
|
Welcome @tthvo! |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @tthvo. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
size/XXL
|
/cc @nrb @sadasu @patrickdillon I am not yet sure what to do with e2e tests or if there are any existing ones for IPv6 clusters...I leave it as an pending TODO. |
|
@tthvo: GitHub didn't allow me to request PR reviews from the following users: sadasu, patrickdillon. Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
A quick preview of |
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
/assign @mtulio Asking you for a review Marco as I know you have been working on this downstream |
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
removed
the
needs-rebase
| @@ -53,7 +53,7 @@ const ( | |||
| IPProtocolICMP = "icmp" | |||
|
|
|||
| // IPProtocolICMPv6 is how EC2 represents the ICMPv6 protocol in ingress rules. | |||
| IPProtocolICMPv6 = "58" | |||
| IPProtocolICMPv6 = "icmpv6" | |||
There was a problem hiding this comment.
Could this change break existing clusters that are already using the previous value?
There was a problem hiding this comment.
Ah, I believe not. The accepted values 58 is still the same on the AWSCluster CRD.
This value here is only used internally and I have a block here to convert it from icmpv6 to 58 before proceeding further: https://github.com/kubernetes-sigs/cluster-api-provider-aws/pull/5603/files#diff-59c59dbf183fdde59cf0030bd23388381951860f0002a073a55f330c4733f8ddR932-R937
| // When registering targets by instance ID for an IPv6 target group, | ||
| // the targets must have an assigned primary IPv6 address. | ||
| if s.scope.VPC().IsIPv6Enabled() { | ||
| netInterface.Ipv6AddressCount = aws.Int32(1) | ||
| netInterface.PrimaryIpv6 = aws.Bool(true) |
There was a problem hiding this comment.
Is there a scenario when users wants non-primary IPv6? example using ipv6 only in internet-facing LBs, and private subnets still using only ipv4?
There was a problem hiding this comment.
I did have a thought about it, but the target group (i.e. existing logic) is being created with IpType IPv6 when IPv6 is enabled; thus this primary IPv6 setting is required.
cluster-api-provider-aws/pkg/cloud/services/elb/loadbalancer.go
Lines 1783 to 1785 in 5f62ff6
There was a problem hiding this comment.
I guess the subnets used for IPv6 (or dualstack) should be a dual-stack subnets?
| @@ -170,6 +176,36 @@ func (s *Service) fixMismatchedRouting(specRoute *ec2.CreateRouteInput, currentR | |||
| return nil | |||
| } | |||
|
|
|||
| func (s *Service) fixMissingRoutes(specRoutes []*ec2.CreateRouteInput, currentRoutes []types.Route, rt types.RouteTable) error { | |||
There was a problem hiding this comment.
I am not sure if I followed the requirement of this function. Are this failing into target route conflicts in the routes added by CAPA on default? or is it a additional transformation preventing incorrect APIs failures?
There was a problem hiding this comment.
The issue I observed is that when IPv6 is enabled, a route to egress-only-internet-gateway is missing even though it should be added according to the below code.
cluster-api-provider-aws/pkg/cloud/services/network/routetables.go
Lines 416 to 424 in 5f62ff6
I also observed that sn.IsIPv6 originally returned false in the first reconciliation or so, but later returned true as expected. This lead to the missing route to egress-only-internet-gateway for ::/0 as CAPA didn't make sure desired routes are available.
There was a problem hiding this comment.
The consequences is that cloudinit failed to finish in the EC2 nodes as AWS API creds are invalid due to invalid timestamp (i.e. instance failed to sync time with AWS NTP) 🤔
There was a problem hiding this comment.
I also observed that sn.IsIPv6 originally returned false in the first reconciliation or so, but later returned true as expected.
IIUC, there is a small time gap, where the IPv6 is not yet associated with the subnet. Thus, CAPA does not add the expected route initially. So, this function ensures that eventually, that route is added.
k8s-ci-robot
added
the
needs-rebase
(AWSCluster resource)
AWS requires that when registering targets by instance ID for an IPv6 target group, the targets must have an assigned primary IPv6 address. Note: The default subnets managed by CAPA are already set up to assign IPv6 addresses to newly created ENIs.
The httpProtocolIPv6 field enables or disables the IPv6 endpoint of the instance metadata service. The SDK only applies this field if httpEndpoint is enabled. When running on single-stack IPv6, pods only have IPv6, thus requiring an IPv6 endpoint to query IMDS as IPv4 network is unreachable.
There is a brief period where the IPv6 CIDR is not yet associated with the subnets. Thus, CAPA initially creates a route table without a route to eigw. This change ensures that later reconcilation will add that missing route. Note: Route to eigw for destination "::/0" to eigw is required for EC2 instance time sync on start-up.
This allows IPv6-only workloads to reach IPv4-only services. AWS supports this via NAT64/DNS64. More details: https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-nat64-dns64.html
The API for DescribeEgressOnlyInternetGateways does not support attachment.vpc-id filter. Thus, the call will return all available eigw. Consequences: - CAPA incorrectly selects an unintended eigw for use. Leading to route creation failure since the eigw belongs to a different VPC. - CAPA incorrectly destroys all eigw of all VPCs. This is very catastrophic as it can break other workloads. This commit changes the filter to use cluster tag instead. Additional safeguard is also included to check if the eigw is truly attached the VPC.
k8s-ci-robot
removed
the
needs-rebase
CAPA handles icmpv6 as a protocol number 58. AWS accepts protocol number when creating rules. However, describing a rule from AWS API returns the protocol name, thus causing CAPA to not recognize it and fail.
…ices For IPv4, we have field NodePortIngressRuleCidrBlocks that specifies the allowed source IPv4 CIDR for node NodePort services on port 30000-32767. This extends that field to also accept IPv6 source CIDRs.
We need an option to configure IPv6 source CIDRs for SSH ingress rule of the bastion host. This extends the field allowedCIDRBlocks to also accepts IPv6 CIDR blocks.
When creating a bastion host for an IPv6 cluster, the instance has both public IPv4 and IPv6. Thus, we need to report them in the cluster status if any. This also adds an additional print column to display that bastion IPv6.
This is a minimal template set to install an IPv6-enabled cluster. Both the controlplane and worker nodes must use nitro-based instance type (with IPv6 support).
This is a set of customized calico CNI manifests to support single-stack IPv6 cluster. Note that VXLAN is used since IP-in-IP currently only supports IPv4. References: - https://docs.tigera.io/calico/latest/networking/ipam/ipv6#ipv6 - https://docs.tigera.io/calico/latest/getting-started/kubernetes/self-managed-onprem/config-options#switching-from-ip-in-ip-to-vxlan - https://docs.tigera.io/calico/latest/networking/configuring/vxlan-ipip
This combines existing docs for IPv6 EKS clusters with non-EKS ones, and also properly register the topic page into the documentation TOC.
Validation for specified VPC and subnet CIDRs is added for early feedback from the webhook. There are already existing checks for bastion and nodePort CIDRs.
The following is added: - [BYO VPC] Mention the required route when enabling DNS64. - [BYO VPC] Mention that CAPA only utilizes the IPv6 aspect of the dual stack VPC.
|
/test pull-cluster-api-provider-aws-e2e-blocking |
What type of PR is this?
/kind feature
What this PR does / why we need it:
As of today, CAPA supports IPv6 on EKS, but not self-managed clusters. Thus, these changes bring IPv6 support for self-managed clusters, specifically single-stack IPv6 (no dualstack support yet)
Which issue(s) this PR fixes:
Fixes #2420 (part 2 for self-managed cluster, part 1 covers EKS)
Special notes for your reviewer:
test/e2e/data/cni/calico_ipv6.yaml. Calico does not support IPv6 with "IP-in-IP" so we need to use VXLAN.Checklist:
Release note: