ipam: Fix ENI routing for secondary CIDRs #15303
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
69158d6 to
75f668b
Compare
75f668b to
4628a4e
Compare
A VPC on EC2 can have secondary CIDRs which are routable within the VPC. Subnets which are used in Cilium's ENI IPAM mode might be derived from these secondary CIDRs, therefore we must also install routes for these secondary CIDRs. This commit ensures that we populate the `CiliumNode.Status.ENI.ENIS[].VPC.CIDRs` field with these secondary CIDRs if present. The IPAM code on the agent is already set up to install routes for these additional CIDRs [1], but since this field was never populated, the rules were also missing. Therefore, this fixes a bug where routes were missing in ENI IPAM mode, causing arbitrary connecitivty issues. With this commit, routes are only added for CIDRs which are present when the IP is allocated. A subsequent PR will add the functionality to update the routes dynamically in case CIDRs are added or removed from a VPC. [1] https://github.com/cilium/cilium/blob/2110b11c989fe7ef8c7d9c5510c53a55cdaaa54c/pkg/ipam/crd.go#L488 Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
4628a4e to
40c5066
Compare
|
test-me-please |
|
Note that the ConformanceKind1.9 / installation-and-connectivity failure is a known flake. |
tgraf
approved these changes
Mar 11, 2021
|
Great work! |
christarazi
approved these changes
Mar 11, 2021
gandro
added a commit
to gandro/cilium
that referenced
this pull request
Apr 12, 2021
When taking a reference of the iterated value in Golang, one needs to take care to copy the value before taking a reference. In the case of EKS (where we can have multiple VPC CIDRs, c.f. cilium#15303) this meant that we only the last routing CIDR was appended to `IPv4PodSubnets`. Fixes: a42d442 ("cilium: auto-discovery pod subnets for ENI IPAM") Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
aanm
pushed a commit
that referenced
this pull request
Apr 15, 2021
When taking a reference of the iterated value in Golang, one needs to take care to copy the value before taking a reference. In the case of EKS (where we can have multiple VPC CIDRs, c.f. #15303) this meant that we only the last routing CIDR was appended to `IPv4PodSubnets`. Fixes: a42d442 ("cilium: auto-discovery pod subnets for ENI IPAM") Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
jrfastab
pushed a commit
to jrfastab/cilium
that referenced
this pull request
Apr 15, 2021
[ upstream commit 793d45a ] When taking a reference of the iterated value in Golang, one needs to take care to copy the value before taking a reference. In the case of EKS (where we can have multiple VPC CIDRs, c.f. cilium#15303) this meant that we only the last routing CIDR was appended to `IPv4PodSubnets`. Fixes: a42d442 ("cilium: auto-discovery pod subnets for ENI IPAM") Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com>
jrfastab
pushed a commit
that referenced
this pull request
Apr 15, 2021
[ upstream commit 793d45a ] When taking a reference of the iterated value in Golang, one needs to take care to copy the value before taking a reference. In the case of EKS (where we can have multiple VPC CIDRs, c.f. #15303) this meant that we only the last routing CIDR was appended to `IPv4PodSubnets`. Fixes: a42d442 ("cilium: auto-discovery pod subnets for ENI IPAM") Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com>
aanm
pushed a commit
that referenced
this pull request
Apr 16, 2021
[ upstream commit 793d45a ] When taking a reference of the iterated value in Golang, one needs to take care to copy the value before taking a reference. In the case of EKS (where we can have multiple VPC CIDRs, c.f. #15303) this meant that we only the last routing CIDR was appended to `IPv4PodSubnets`. Fixes: a42d442 ("cilium: auto-discovery pod subnets for ENI IPAM") Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com>
This was referenced Apr 20, 2021
joestringer
pushed a commit
that referenced
this pull request
Apr 24, 2021
[ upstream commit 793d45a ] When taking a reference of the iterated value in Golang, one needs to take care to copy the value before taking a reference. In the case of EKS (where we can have multiple VPC CIDRs, c.f. #15303) this meant that we only the last routing CIDR was appended to `IPv4PodSubnets`. Fixes: a42d442 ("cilium: auto-discovery pod subnets for ENI IPAM") Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com>
joestringer
pushed a commit
to joestringer/cilium
that referenced
this pull request
Apr 26, 2021
[ upstream commit 793d45a ] When taking a reference of the iterated value in Golang, one needs to take care to copy the value before taking a reference. In the case of EKS (where we can have multiple VPC CIDRs, c.f. cilium#15303) this meant that we only the last routing CIDR was appended to `IPv4PodSubnets`. Fixes: a42d442 ("cilium: auto-discovery pod subnets for ENI IPAM") Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com>
This was referenced Apr 28, 2021
joestringer
pushed a commit
that referenced
this pull request
May 5, 2021
[ upstream commit 793d45a ] When taking a reference of the iterated value in Golang, one needs to take care to copy the value before taking a reference. In the case of EKS (where we can have multiple VPC CIDRs, c.f. #15303) this meant that we only the last routing CIDR was appended to `IPv4PodSubnets`. Fixes: a42d442 ("cilium: auto-discovery pod subnets for ENI IPAM") Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com>
jrajahalme
pushed a commit
that referenced
this pull request
May 6, 2021
[ upstream commit 793d45a ] When taking a reference of the iterated value in Golang, one needs to take care to copy the value before taking a reference. In the case of EKS (where we can have multiple VPC CIDRs, c.f. #15303) this meant that we only the last routing CIDR was appended to `IPv4PodSubnets`. Fixes: a42d442 ("cilium: auto-discovery pod subnets for ENI IPAM") Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A VPC on EC2 can have secondary CIDRs which are routable within the VPC.
Subnets which are used in Cilium's ENI IPAM mode might be derived from
these secondary CIDRs, therefore we must also install routes for these
secondary CIDRs.
This commit ensures that we populate the
CiliumNode.Status.ENI.ENIS[].VPC.CIDRsfield with these secondaryCIDRs if present. The IPAM code on the agent is already set up to
install routes for these additional CIDRs [1], but since this field was
never populated, the rules were also missing. Therefore, this fixes a
bug where routes were missing in ENI IPAM mode, causing arbitrary
connecitivty issues.
With this commit, routes are only added for CIDRs which are present when
the IP is allocated. A subsequent PR will add the functionality to
update the routes dynamically in case CIDRs are added or removed from a
VPC.
[1]
cilium/pkg/ipam/crd.go
Line 488 in 2110b11