Allow delegated IPAM to specify uplink interface #34779
Conversation
|
Commit 2916ed4 does not match "(?m)^Signed-off-by:". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
2916ed4 to
1bc3a26
Compare
|
As the title still has |
|
Hi @joestringer @gandro , could you please help review the PR as we discussed. |
|
I'm not so familiar with delegated IPAM, but one crucial part of this will be to test that this doesn't break existing delegated IPAM setups. I see that issue #34788 is filed to create automated testing for that. |
|
/test |
|
I see that there is now #34839 out for review, so it should be possible to combine that test with this PR and test it out on your own repository? |
|
@dylandreimerink I don't think it's meaningful to run |
Sure, l will run the test provided in #34839 . The Cilium e2e and k8s conformance tests have been verified on Volcengine cloud combined with Volcengine delegated IPAM:
With one minor error, but it doesn't matters.
|
|
hi @tamilmani1989. We're discussing whether it is better to install node routes for Pod in Cilium or in delegated IPAM plugin. I have a few of questions about the Delegated Azure IPAM mode. Could you please help me with them?
Do you think it would be helpful if delegated IPAM plugin only handle IP/interface management and Cilium controls all Pod routes(implemented by linux routes or bpf forwarding rules)? |
azure-ipam currently handles only IP address management, not installing routes or multiple network interfaces. I mentioned this in the parent issue, but my understanding is that a conforming delegated IPAM plugin is not allowed to return |
Thanks @wedaly for your reply. Dose the single uplink(eth0) is enough for AKS? The IPs and bandwidth of single ENI may be limited by the |
|
Adding @dylandreimerink, who added the "uplink" or "parent" mechanism for ENI. |
|
CNI spec author here :-). There's nothing that says the IPAM result is not allowed to contain interfaces; it's not done out of convention. However, if we would like to change the interpretation of the types, I would be amenable to revisiting that in the spec. The best part is that it wouldn't require any code changes, so we could "ship" it entirely in text. |
Thanks @squeed for the clarification, it's extremely helpful for the current discussion. We also created another PR to update the deletation IPAM result part, could you help review containernetworking/cni#1121 So it's reasonable to handle the returned uplink hints. Install the routes according to the uplink info could help Cilium have full control of the Pod traffic in delegate IPAM mode. Based on the current code modifications, we might also consider adding an option for users to decide whether the routing is controlled by Cilium or controlled by the user. |
|
Late to the party. We have a similar requirement where pod egress traffic to leave via secondary interface instead of primary interface. i noticed eni ipam mode already does this. https://docs.cilium.io/en/latest/network/concepts/routing/#egress. @ruicao93 Does this PR follow the same pattern/code? |
Yes @tamilmani1989 , we reused the logic(codes) with ENI IPAM mode. For the long term, ENI IPAM mode could consider to be migrated to Delegation IPAM mode and can be developed and evolved independently of Cilium. |
fca87d4 to
2f16485
Compare
@gandro Okay, done. I thought just need to squash on merge. |
|
/test |
2f16485 to
752988b
Compare
|
/test |
|
/test |
a0d6e75 to
2fb3e11
Compare
|
/test |
Support uplink interface info from IPAM result and install related ingress/egress routes. Signed-off-by: Rui Cao <caorui.io@bytedance.com>
|
@ruicao93 There is no need to rebase if CI fails. We can restart individual tests separately (assuming those are flakes). In fact. You should only rebase if a) there are conflicts or b) there are persistent CI failures because the tests have been updated on |
|
/test |
@gandro Finally... all CI cases has passed. Dose the PR could be merged? |
|
There is still a review needed from the @cilium/api CODEOWNER before we can merge. The designated reviewer is @learnitall |
|
@squeed @gandro I take it from the above discussion that with the spec loosening in containernetworking/cni#1137 we are happy with this solution? Just want to check given that this is now approved by all codeowners and the MLH bot has marked the PR as ready-to-merge. |
Yes, from my side I'm happy with the proposed solution. The functionality in this PR is opt-in, so I the risk of Cilium accidentally misinterpreting a delegated plugin's result is very low. |
|
@ruicao93 Do you have a timeline for the additional V6 changes that would be needed, or could you tell us what would need to be added so that we can try working on it from our side? |
@rjdenney Let me create a PR for v6 this week. We need to modify it carefully to avoid disrupting the ENI feature. A draft PR will be available soon for early discussion. |
For the scenario where there are multiple interfaces on a Node and delegated IPAM is used to determine the IP and the uplink interface of a Pod. The "interfaces" field can be used by IPAM plugin to pass uplink interface info to Cilium. And then Cilium can setup host routes for the Pod according to the uplink interface info.
The "interfaces" field is allowed to specify the related host interface according to the CNI spec and is already widely used by existing plugins, such as bridge and ptp plugin. It's actually not used by any IPAM plugin for now, but I think it's reasonable and conforms to the original definition of the field.
Motivations/Benefits of the PR for the native routing mode:
-
interfaces: An array of all interfaces created by the attachment, including any host-level interfaces:bridge.go
bridge plugin result:
{ "ips": [ { "address": "10.1.0.5/16", "gateway": "10.1.0.1", "interface": 2 } ], "routes": [ { "dst": "0.0.0.0/0" } ], "interfaces": [ { "name": "cni0", "mac": "00:11:22:33:44:55" }, { "name": "veth3243", "mac": "55:44:33:22:11:11" }, { "name": "eth0", "mac": "99:88:77:66:55:44", "sandbox": "/var/run/netns/blue" } ], "dns": { "nameservers": [ "10.1.0.1" ] } }Fixes: #34604