Skip to content

add systemd network config for Cilium and Amazon VPC CNI on Ubuntu 22.04+ and AL2023 to prevent route removal #17438

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 19, 2025
Merged

add systemd network config for Cilium and Amazon VPC CNI on Ubuntu 22.04+ and AL2023 to prevent route removal #17438

merged 2 commits into from
Jun 19, 2025

Conversation

mostafahussein
Copy link
Contributor

@mostafahussein mostafahussein commented Jun 14, 2025
edited
Loading

This PR adds support for the configuration below on Ubuntu 22.04+ and AL2023 to prevent breaking Kubernetes networking in case of using Cilium if systemd-networkd is restarted, by instructing it not to remove Cilium routes.

# Do not clobber any routes or rules added by CNI.
[Network]
ManageForeignRoutes=no
ManageForeignRoutingPolicyRules=no

Also, it adds support for the same configuration on Ubuntu 22.04+ in case of using Amazon VPC CNI, fixes #17433

The configuration has been tested manually by creating the file in the target directory to ensure it works as expected.

Note: I did not include MACAddressPolicy=none because, based on my understanding, this is already addressed by Cilium in case you're using a secondary ENI.

@mostafahussein
feat: support systemd config on Ubuntu 22.04+ for Amazon VPC CNI
babe200 
Signed-off-by: (╯°□°)╯︵ uᴉǝssnH ɐɟɐʇsoW <mostafa.hussein91@gmail.com>
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jun 14, 2025
@k8s-ci-robot
Copy link
Contributor

Hi @mostafahussein. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot requested a review from hakman June 14, 2025 04:26
@k8s-ci-robot k8s-ci-robot requested a review from zetaab June 14, 2025 04:26
@mostafahussein mostafahussein changed the title Support systemd network config for Cilium ENI and Amazon VPC CNI on Ubuntu 22.04+ to prevent route removal on restart Support systemd network config for Cilium and Amazon VPC CNI on Ubuntu 22.04+ to prevent route removal on restart Jun 14, 2025
@mostafahussein mostafahussein changed the title Support systemd network config for Cilium and Amazon VPC CNI on Ubuntu 22.04+ to prevent route removal on restart add systemd network config for Cilium and Amazon VPC CNI on Ubuntu 22.04+ to prevent route removal Jun 14, 2025
@mostafahussein mostafahussein force-pushed the systemd-foreign-routes branch 2 times, most recently from d991782 to 34df7a0 Compare June 15, 2025 07:35
@mostafahussein mostafahussein changed the title add systemd network config for Cilium and Amazon VPC CNI on Ubuntu 22.04+ to prevent route removal add systemd network config for Cilium and Amazon VPC CNI on Ubuntu 22.04+ and AL2023 to prevent route removal Jun 15, 2025
@mostafahussein mostafahussein force-pushed the systemd-foreign-routes branch 2 times, most recently from 13887cc to 857427f Compare June 15, 2025 09:00
@rifelpet
Copy link
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 15, 2025
@mostafahussein
Copy link
Contributor Author

/retest

@mostafahussein
Copy link
Contributor Author

/assign @hakman

jaredledvina
jaredledvina reviewed Jun 18, 2025
View reviewed changes
@mostafahussein
feat: prevent systemd-networkd from removing Cilium routes on restart
fa2006d 
Signed-off-by: (╯°□°)╯︵ uᴉǝssnH ɐɟɐʇsoW <mostafa.hussein91@gmail.com>
@mostafahussein mostafahussein force-pushed the systemd-foreign-routes branch from 857427f to fa2006d Compare June 18, 2025 12:25
@mostafahussein
Copy link
Contributor Author

@rifelpet can you authorize the pending workflows again, please?

rifelpet
rifelpet approved these changes Jun 18, 2025
View reviewed changes
Copy link
Member

@rifelpet rifelpet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for fixing this, we'll have a new set of kops releases shortly.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 18, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rifelpet

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 18, 2025
This was referenced Jun 18, 2025
Merged
Merged
@rifelpet
Copy link
Member

/retest

@k8s-triage-robot
Copy link

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

  • The PR does have any do-not-merge/* labels
  • The PR does not have the needs-ok-to-test label
  • The PR is mergeable (does not have a needs-rebase label)
  • The PR is approved (has cncf-cla: yes, lgtm, approved labels)
  • The PR is failing tests required for merge

You can:

/retest

@k8s-ci-robot k8s-ci-robot merged commit b601ff3 into kubernetes:master Jun 19, 2025
30 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.32 milestone Jun 19, 2025
k8s-ci-robot added a commit that referenced this pull request Jun 19, 2025
@k8s-ci-robot
Merge pull request #17445 from rifelpet/automated-cherry-pick-of-#174…
7b75c79 
…38-origin-release-1.32

Automated cherry pick of #17438: add systemd network config for Cilium and Amazon VPC CNI on Ubuntu 22.04+ and AL2023 to prevent route removal
k8s-ci-robot added a commit that referenced this pull request Jun 19, 2025
@k8s-ci-robot
Merge pull request #17446 from rifelpet/automated-cherry-pick-of-#174…
ef183ea 
…38-origin-release-1.31

Automated cherry pick of #17438: add systemd network config for Cilium and Amazon VPC CNI on Ubuntu 22.04+ and AL2023 to prevent route removal
@rifelpet rifelpet modified the milestones: v1.32, v1.33 Jun 23, 2025
@ataut-pai ataut-pai mentioned this pull request Jun 25, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rifelpet rifelpet rifelpet approved these changes

@hakman hakman Awaiting requested review from hakman

@zetaab zetaab Awaiting requested review from zetaab

+1 more reviewer

@jaredledvina jaredledvina jaredledvina left review comments

Reviewers whose approvals may not affect merge requirements
Assignees

@rifelpet rifelpet

@hakman hakman

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/nodeup cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
v1.33
Development

Successfully merging this pull request may close these issues.

[ubuntu22.04][amazon-vpc-cni] ip rules flushed when systemd-networkd restarted
6 participants
@mostafahussein @k8s-ci-robot @rifelpet @k8s-triage-robot @jaredledvina @hakman