Configure network-validator and repair-controller to work with IPv6 (#12874)

* Configure network-validator and repair-controller to work with IPv6

Fixes #12864

The linkerd-cni network-validator container was binding to the IPv4 wildcard and connecting to an IPv4 address. This wasn't breaking things in IPv6 clusters, but it was only validating the iptables rules and not the ip6tables ones. This change introduces logic to use addresses according to the value of `disableIPv6`. If IPv6 is enabled, then the ip6tables rules would get exercised. Note that a more complete change would also exercise both iptables and ip6tables, but for now we're defaulting to ip6tables.

The case was similar with repair-controller, but given that the IPv4 wildcard was used for the admin server, in IPv6 clusters the kubelet wasn't able to reach the probe endpoints and the container was failing. In this case the fix is just to have the admin server bind to `[::]`, which works for IPv4 and IPv6 clusters.
alpeb authored Jul 24, 2024
1 parent 2281e5c commit 6603409
Showing 26 changed files with 83 additions and 56 deletions.
4 changes: 2 additions & 2 deletions charts/linkerd-control-plane/README.md
@@ -187,9 +187,9 @@ Kubernetes: `>=1.22.0-0`
| kubeAPI.clientBurst | int | `200` | Burst value over clientQPS |
| kubeAPI.clientQPS | int | `100` | Maximum QPS sent to the kube-apiserver before throttling. See [token bucket rate limiter implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go) |
| linkerdVersion | string | `"linkerdVersionValue"` | control plane version. See Proxy section for proxy version |
| networkValidator.connectAddr | string | `"1.1.1.1:20001"` | Address to which the network-validator will attempt to connect. This should be an IP that the cluster is expected to be able to reach but a port it should not, e.g., a public IP for public clusters and a private IP for air-gapped clusters with a port like 20001. |
| networkValidator.connectAddr | string | `""` | Address to which the network-validator will attempt to connect. This should be an IP that the cluster is expected to be able to reach but a port it should not, e.g., a public IP for public clusters and a private IP for air-gapped clusters with a port like 20001. If empty, defaults to 1.1.1.1:20001 and [fd00::1]:20001 for IPv4 and IPv6 respectively. |
| networkValidator.enableSecurityContext | bool | `true` | Include a securityContext in the network-validator pod spec |
| networkValidator.listenAddr | string | `"0.0.0.0:4140"` | Address to which network-validator listens to requests from itself |
| networkValidator.listenAddr | string | `"[::]:4140"` | Address to which network-validator listens to requests from itself |
| networkValidator.logFormat | string | plain | Log format (`plain` or `json`) for network-validator |
| networkValidator.logLevel | string | debug | Log level for the network-validator |
| networkValidator.timeout | string | `"10s"` | Timeout before network-validator fails to validate the pod's network connectivity |
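Review bot: the new default `[fd00::1]:20001` in the `networkValidator.connectAddr` row is a unique-local address (fd00::/8), which is not routed on the public Internet, yet the same row still tells users to choose "an IP that the cluster is expected to be able to reach". Since the `listenAddr` row two lines down says the validator listens to requests from itself, the outbound connection is meant to be redirected back into the pod by the iptables/ip6tables rules, so the destination never has to be reachable; reword the description to say that, or pick an IPv6 default that is reachable in the same sense 1.1.1.1 is. As written, a reader following the description literally will conclude the IPv6 default is wrong for their cluster.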
7 changes: 4 additions & 3 deletions charts/linkerd-control-plane/values.yaml
@@ -324,11 +324,12 @@ networkValidator:
# @default -- plain
logFormat: plain
# -- Address to which the network-validator will attempt to connect. This should be an IP
# that the cluster is expected to be able to reach but a port it should not, e.g., a public IP
# that the cluster is expected to be able to reach but a port it should not, e.g., a public IP
# for public clusters and a private IP for air-gapped clusters with a port like 20001.
connectAddr: "1.1.1.1:20001"
# If empty, defaults to 1.1.1.1:20001 and [fd00::1]:20001 for IPv4 and IPv6 respectively.
connectAddr: ""
# -- Address to which network-validator listens to requests from itself
listenAddr: "0.0.0.0:4140"
listenAddr: "[::]:4140"
# -- Timeout before network-validator fails to validate the pod's network connectivity
timeout: "10s"
# -- Include a securityContext in the network-validator pod spec
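Review bot: the added comment line `# If empty, defaults to 1.1.1.1:20001 and [fd00::1]:20001 ...` becomes part of the helm-docs description, but the Default column of the generated README will still read `""`. The `logFormat` entry at the top of this hunk handles the same situation with `# @default -- plain`, so add a matching `# @default -- 1.1.1.1:20001 or [fd00::1]:20001, depending on disableIPv6` line above `connectAddr: ""` to keep the README and the template's behaviour in step.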
3 changes: 2 additions & 1 deletion charts/linkerd2-cni/templates/cni-plugin.yaml
@@ -312,7 +312,8 @@ spec:
command:
- /usr/lib/linkerd/linkerd-cni-repair-controller
args:
- --admin-addr=0.0.0.0:9990
- --admin-addr
- "[::]:9990"
- --log-format
- {{ .Values.repairController.logFormat }}
- --log-level
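Review bot: hard-coding `"[::]:9990"` for `--admin-addr` makes the repair-controller depend on the kernel creating a dual-stack socket (the Linux default, `net.ipv6.bindv6only=0`) and on IPv6 being enabled at all; on a node where the IPv6 stack is disabled the bind can fail and the pod never becomes ready, which is the same class of failure this change fixes for IPv6 clusters. The neighbouring `--log-format` and `--log-level` flags already read from `.Values.repairController`, so expose the admin address the same way, with `[::]:9990` as the chart default, rather than as a literal in the template.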
10 changes: 8 additions & 2 deletions charts/partials/templates/_network-validator.tpl
@@ -24,9 +24,15 @@ args:
- --log-level
- {{ .Values.networkValidator.logLevel }}
- --connect-addr
- {{ .Values.networkValidator.connectAddr }}
{{- if .Values.networkValidator.connectAddr }}
- {{ .Values.networkValidator.connectAddr | quote }}
{{- else if .Values.disableIPv6}}
- "1.1.1.1:20001"
{{- else }}
- "[fd00::1]:20001"
{{- end }}
- --listen-addr
- {{ .Values.networkValidator.listenAddr }}
- {{ .Values.networkValidator.listenAddr | quote }}
- --timeout
- {{ .Values.networkValidator.timeout }}
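Review bot: `{{- else if .Values.disableIPv6}}` is missing the space before `}}` that every other action in this template has, and the hunk quotes `connectAddr` and `listenAddr` but leaves `--timeout` on the last line rendering `.Values.networkValidator.timeout` unquoted; apply `| quote` there too so a user-supplied value is never reinterpreted as a non-string YAML scalar. A one-line comment above the `{{- if` block explaining that an empty `connectAddr` with `disableIPv6` unset deliberately exercises only the ip6tables rules would also help, since that choice is otherwise invisible in the rendered manifest.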

2 changes: 1 addition & 1 deletion cli/cmd/install_test.go
@@ -141,7 +141,7 @@ func TestRender(t *testing.T) {
LogLevel: "debug",
LogFormat: "plain",
ConnectAddr: "1.1.1.1:20001",
ListenAddr: "0.0.0.0:4140",
ListenAddr: "[::]:4140",
Timeout: "10s",
},
Configs: charts.ConfigJSONs{
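Review bot: `ConnectAddr: "1.1.1.1:20001"` keeps this test pinned to an explicit address, so neither new template branch (empty `connectAddr` with `disableIPv6` true or false, yielding `1.1.1.1:20001` or `[fd00::1]:20001`) is exercised by `TestRender`; only the `ListenAddr` change is covered. Add a case with `ConnectAddr: ""` for each setting of `disableIPv6` and check the rendered `--connect-addr` argument, otherwise a regression in the `else if` ordering would go unnoticed.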


5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_controlplane_tracing_output.golden


5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_custom_domain.golden


5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_custom_registry.golden


5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_default.golden


5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_default_override_dst_get_nets.golden


5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_default_token.golden


5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_gid_output.golden


5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_ha_output.golden


5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_ha_with_overrides_output.golden


5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_heartbeat_disabled_output.golden


5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_helm_control_plane_output.golden


5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_helm_control_plane_output_ha.golden


5 changes: 3 additions & 2 deletions cli/cmd/testdata/install_helm_output_ha_labels.golden



0 comments on commit 6603409
