Skip to content

config: Remove superfluous warning on native routing CIDR #35738

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 4, 2024
Merged

config: Remove superfluous warning on native routing CIDR #35738

merged 1 commit into from
Nov 4, 2024

Conversation

gandro
Copy link
Member

@gandro gandro commented Nov 4, 2024

This commit removes a warning that was intended to warn the user that running in native routing mode without a correct native routing CIDR will lead to problems.

However, the conditions for the warning are not fully correct. There are native routing setups where the user does not need to specify a native routing CIDR, namely:

  1. The user is running in ENI or AlibabaCloud IPAM, where the native routing CIDR is auto-detected if not explicitly configured.
  2. The user is running with BPF ip-masq-agent where the native routing CIDR is optional (as there are other means of specifying exclusion CIDRs) (c.f. daemon: Do not require native routing CIDR if ipmasq-agent is enabled #27747)
  3. The user is not running with Cilium-based masquerading.

The existing warning did not trigger for case 1, as the if condition checked for auto-direct-node-routes rather than the routing-mode flag, and auto-direct-node-routes is not used on ENI/AlibabaCloud IPAM modes.

However, the warning would trigger for cases 2 and 3, which is incorrect. Cases 2 and 3 should not emit a warning either. And indeed already have a check on the native routing CIDR that handles all three cases correctly, namely checkIPv{4,6}NativeRoutingCIDR here:

cilium/pkg/option/config.go

Lines 3451 to 3476 in bc26c6d

func (c *DaemonConfig) checkIPv4NativeRoutingCIDR() error {
if c.IPv4NativeRoutingCIDR != nil {
return nil
}
if !c.EnableIPv4 || !c.EnableIPv4Masquerade {
return nil
}
if c.EnableIPMasqAgent {
return nil
}
if c.TunnelingEnabled() {
return nil
}
if c.IPAMMode() == ipamOption.IPAMENI || c.IPAMMode() == ipamOption.IPAMAlibabaCloud {
return nil
}
return fmt.Errorf(
"native routing cidr must be configured with option --%s "+
"in combination with --%s=true --%s=true --%s=false --%s=%s --%s=%s",
IPv4NativeRoutingCIDR,
EnableIPv4Name, EnableIPv4Masquerade,
EnableIPMasqAgent,
RoutingMode, RoutingModeNative,
IPAM, c.IPAMMode())
}

Therefore, we can safely remove the warning in this commit, as the conditions are already covered by checkIPv{4,6}NativeRoutingCIDR. I have also manually tested that the check does take effect if one sets routingMode=native and autoDirectNodeRoutes=true without specifying a native routing CIDR.

Fixes: 6743d28 ("daemon: warn if auto direct node routes is set without a native routing CIDR")

Note: This commit also fixes an issue with the Conformance Multi-Pool workflow where this warning was wrongfully emitted (as that workflow uses BPF ip-masq-agent). Therefore, I have marked this PR to be backported to 1.16 and v1.15, as those versions do allow BPF ip-masq-agent to be run without an explicit native routing CIDR.

@gandro
config: Remove superfluous warning on native routing CIDR
6a537d0 
This commit removes a warning that was intended to warn the user that
running in native routing mode without a correct native routing CIDR
will lead to problems.

However, the conditions for the warning are not fully correct. There are
native routing setups where the user does not need to specify a native
routing CIDR, namely:

  1. The user is running in ENI or AlibabaCloud IPAM, where the native
     routing CIDR is auto-detected if not explicitly configured.
  2. The user is running with BPF ip-masq-agent where the native routing
     CIDR is optional (as there are other means of specifying exclusion
     CIDRs).
  3. The user is not running with Cilium-based masquerading.

The existing warning did not trigger for case 1, as the if condition
checked for `auto-direct-node-routes` rather than the `routing-mode`
flag, and `auto-direct-node-routes` is not used on ENI/AlibabaCloud IPAM
modes.

However, the warning would trigger for cases 2 and 3, which is
incorrect. Cases 2 and 3 should not emit a warning either. And indeed
already have a check on the native routing CIDR that handles all three
cases correctly, namely `checkIPv{4,6}NativeRoutingCIDR` here:

https://github.com/cilium/cilium/blob/bc26c6d3a74e3bfbeb1149e5116de51c496dd254/pkg/option/config.go#L3451-L3476

Therefore, we can safely remove the warning in this commit, as the
conditions are already covered by `checkIPv{4,6}NativeRoutingCIDR`. I
have also manually tested that the check does take effect if one sets
`routingMode=native` and `autoDirectNodeRoutes=true` without specifying
a native routing CIDR.

Fixes: 6743d28 ("daemon: warn if auto direct node routes is set without a native routing CIDR")

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
@gandro gandro added release-note/bug This PR fixes an issue in a previous release of Cilium. needs-backport/1.15 needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch labels Nov 4, 2024
@gandro gandro requested review from a team as code owners November 4, 2024 13:02
@gandro gandro requested review from bimmlerd and derailed November 4, 2024 13:02
@gandro
Copy link
Member Author

gandro commented Nov 4, 2024

/test

bimmlerd
bimmlerd approved these changes Nov 4, 2024
View reviewed changes
Copy link
Member

@bimmlerd bimmlerd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Your reasoning makes sense to me, but cc @jibi as the original author.

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Nov 4, 2024
@pchaigno pchaigno added this pull request to the merge queue Nov 4, 2024
Merged via the queue into cilium:main with commit 9ee0ee4 Nov 4, 2024
74 checks passed
@joamaki joamaki mentioned this pull request Nov 5, 2024
Merged
4 tasks
@joamaki joamaki added backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. and removed needs-backport/1.15 labels Nov 5, 2024
@joamaki joamaki mentioned this pull request Nov 5, 2024
Merged
23 tasks
@joamaki joamaki added backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. and removed needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch labels Nov 5, 2024
@github-actions github-actions bot added backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. and removed backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. labels Nov 7, 2024
This was referenced Nov 13, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@derailed derailed derailed approved these changes

@pchaigno pchaigno pchaigno approved these changes

@bimmlerd bimmlerd bimmlerd approved these changes

Assignees
No one assigned
Labels
backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@gandro @derailed @pchaigno @bimmlerd @joamaki