Update kube-router to 2.1.x #4322
Conversation
Signed-off-by: Natanael Copa <[email protected]>
@@ -177,6 +177,7 @@ func (k *KubeRouter) Start(_ context.Context) error { | |||
return nil | |||
} | |||
|
|||
// from https://github.com/cloudnativelabs/kube-router/blob/master/daemonset/ |
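Review bot: the new comment links to `blob/master/daemonset/`, which moves with upstream; pin it to the tag actually being vendored (v2.1.0, the version the review below diffs against) so the manifest this Go code mirrors can be compared against a fixed revision rather than whatever master holds when someone reads it.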
NB: The diff of generic-kuberouter.yaml between v1.6.1 and v2.1.0:
diff --git a/daemonset/generic-kuberouter.yaml b/daemonset/generic-kuberouter.yaml
index 8d812848..0179d35c 100644
--- a/daemonset/generic-kuberouter.yaml
+++ b/daemonset/generic-kuberouter.yaml
@@ -60,6 +60,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
- name: KUBE_ROUTER_CNI_CONF_FILE
value: /etc/cni/net.d/10-kuberouter.conflist
livenessProbe:
@@ -98,13 +102,19 @@ spec:
TMP=/etc/cni/net.d/.tmp-kuberouter-cfg;
cp /etc/kube-router/cni-conf.json ${TMP};
mv ${TMP} /etc/cni/net.d/10-kuberouter.conflist;
- fi
+ fi;
+ if [ -x /usr/local/bin/cni-install ]; then
+ /usr/local/bin/cni-install;
+ fi;
volumeMounts:
- mountPath: /etc/cni/net.d
name: cni-conf-dir
- mountPath: /etc/kube-router
name: kube-router-cfg
+ - name: host-opt
+ mountPath: /opt
hostNetwork: true
+ hostPID: true
tolerations:
- effect: NoSchedule
operator: Exists
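Review bot: this hunk bundles two host-privilege changes of different relevance: the `cni-install` step with its `/opt` mount, which k0s does not need because it ships CNI binaries through its own image, and `hostPID: true`, which has nothing to do with CNI installation. When porting, carry over only `hostPID` and put a comment next to it in the k0s manifest saying why it is required, so a later reader does not assume it arrived together with the `/opt` mount.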
@@ -126,6 +136,9 @@ spec:
hostPath:
path: /run/xtables.lock
type: FileOrCreate
+ - name: host-opt
+ hostPath:
+ path: /opt
---
apiVersion: v1
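Review bot: the `host-opt` hostPath is declared without `readOnly`, so the daemonset gets write access to the node's `/opt`, and without a `type:` (compare the `type: FileOrCreate` on the xtables lock volume just above), so nothing validates what is mounted. Since k0s leaves the cni-install path out, drop this volume together with its `volumeMounts` entry rather than porting it as-is.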
@@ -169,7 +182,29 @@ rules:
- get
- list
- watch
-
+ - apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - leases
+ verbs:
+ - get
+ - create
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - services/status
+ verbs:
+ - update
+ - apiGroups:
+ - "discovery.k8s.io"
+ resources:
+ - endpointslices
+ verbs:
+ - get
+ - list
+ - watch
+
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
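Review bot: these rules land in a ClusterRole, so `update` on `services/status` and `get`/`create`/`update` on `leases` apply across every namespace, not only the one kube-router runs in. That is what the loadbalancer address allocator needs to write ingress addresses and hold its leader lease, but because k0s only exposes the allocator through extraArgs, the PR description should state that the grants are present even when the feature is not enabled.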
The cni-install step and the /opt mount are related to the CNI binary installation, which the official kube-router image is capable of. k0s has its own CNI installation image, so it's fine to leave that out.
@@ -272,6 +273,7 @@ spec: | |||
- mountPath: /etc/kube-router | |||
name: kube-router-cfg | |||
hostNetwork: true | |||
hostPID: true |
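Review bot: `hostPID: true` puts the kube-router container into the node's PID namespace, so every host process becomes visible to it; the thread attributes this to an upstream hairpinning fix, but the hunk carries no comment and the PR description does not mention it. Add a one-line comment beside `hostPID` naming the upstream fix so the widened privilege stays traceable, and confirm the existing hairpin inttests pass with it in place.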
This is necessary due to some upstream fixes to hairpinning. I do know that we are testing hairpinning in the inttests, but from the fix's description it sounds as if it has been broken before?
With this fix, kube-router now passes the Kubernetes end-to-end conformance test for hairpinning traffic.
🤔
@@ -313,6 +315,10 @@ spec: | |||
valueFrom: | |||
fieldRef: | |||
fieldPath: spec.nodeName | |||
- name: POD_NAME |
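Review bot: `POD_NAME` was introduced upstream together with the lease-based leader election of the loadbalancer address allocator; on its own it is harmless, but it only makes sense alongside the matching `leases` and `services/status` RBAC rules. Check that the k0s ClusterRole in this PR picks up those rules as well, otherwise enabling the allocator via extraArgs fails at runtime with forbidden errors from the API server.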
This (and the RBAC change) has been introduced in afdf553f "add loadbalancer address allocator".
This adds a simple controller that will watch for services of type LoadBalancer and try to allocate addresses from the specified IPv4 and/or IPv6 ranges. It's assumed that kube-router (or another network controller) will announce the addresses.
As the controller uses leases for leader election and updates the service status, new RBAC permissions are required.
Is that something that we need to be aware of?
Partially yes. I mean we do provide extraArgs, via which the user can enable the LB feature. Thus IMO we should have these in place.
Description
Update to kube router 2.1.
Fixes #3814
Testing of IPv6 is done in a separate PR, #3954.