Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable srcAndDstChecksEnabled field from k8s >= v1.22 #386

Merged
merged 2 commits into from
Aug 31, 2021
Merged

Enable srcAndDstChecksEnabled field from k8s >= v1.22 #386

merged 2 commits into from
Aug 31, 2021

Conversation

AxiomSamarth
Copy link
Collaborator

@AxiomSamarth AxiomSamarth commented Aug 5, 2021
edited by prashanth26
Loading

How to categorize this PR?

/area networking
/kind enhancement
/platform aws

What this PR does / why we need it:
This PR introduces a new field in the providerSpec of MachineClass for AWS called srcAndDstChecksEnabled which is true by default and when set to false will disable the source destination check on the AWS Instance (NAT instance in this case). This field shall be used by default from K8s >= v1.22

Which issue(s) this PR fixes:
Fixes #36

Special notes for your reviewer:

Release note:

Introducing a new field in the `providerSpec` of `MachineClass` for AWS called `srcAndDstChecksEnabled ` which is `true` by default and when set to `false` will disable the source destination check on the AWS Instance

@gardener-robot
Copy link

@AxiomSamarth Label area/todo does not exist.

@gardener-robot gardener-robot added kind/enhancement Enhancement, improvement, extension platform/aws Amazon web services platform/infrastructure needs/review Needs review size/xs Size of pull request is tiny (see gardener-robot robot/bots/size.py) labels Aug 5, 2021
@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Aug 5, 2021
@AxiomSamarth
Copy link
Collaborator Author

AxiomSamarth commented Aug 5, 2021
edited
Loading

/invite @prashanth26

@prashanth26 Could you please help with the area label for this draft PR?

@gardener-robot-ci-1 gardener-robot-ci-1 added needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Aug 5, 2021
@gardener-robot gardener-robot added the area/networking Networking related label Aug 5, 2021
@prashanth26
Copy link

@AxiomSamarth - We would also have to release the new MCM provider AWS version.

@DockToFuture - There would also be calico changes required right? I am guessing some flags in the configuration of the calico?

@gardener-robot
Copy link

@prashanth26 You have pull request review open invite, please check

@gardener-robot-ci-1 gardener-robot-ci-1 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Aug 9, 2021
@gardener-robot-ci-2 gardener-robot-ci-2 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Aug 9, 2021
@AxiomSamarth
Copy link
Collaborator Author

/invite @DockToFuture @ScheererJ

Is it okay to set the value of srcAndDstChecksEnabled to true by default if shoot k8s version is >= 1.22 or should it be set based on the boolean value from the network object here?

@DockToFuture
Copy link
Member

srcAndDstChecksEnabled

/invite @DockToFuture @ScheererJ

Is it okay to set the value of srcAndDstChecksEnabled to true by default if shoot k8s version is >= 1.22 or should it be set based on the boolean value from the network object here?

It should either be disabled starting from k8s version >= 1.22 which would makes things easier or it should be set based on the boolean value from the network object. For the latter case I will introduce the boolean field spec.providerConfig.srcAndDstChecks.enabled in the network resource.


  providerConfig:
    apiVersion: calico.networking.extensions.gardener.cloud/v1alpha1
    kind: NetworkConfig
    srcAndDstChecks:
      enabled: false

@gardener-robot-ci-1 gardener-robot-ci-1 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Aug 9, 2021
@gardener-robot-ci-3 gardener-robot-ci-3 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Aug 9, 2021
@prashanth26
Copy link

Depends on #387.

@gardener-robot
Copy link

@ScheererJ, @prashanth26, @DockToFuture You have pull request review open invite, please check

@AxiomSamarth AxiomSamarth marked this pull request as ready for review August 18, 2021 05:14
@AxiomSamarth AxiomSamarth requested review from a team as code owners August 18, 2021 05:14
@gardener-robot gardener-robot removed the needs/review Needs review label Aug 19, 2021
@gardener-robot-ci-3 gardener-robot-ci-3 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Aug 19, 2021
@prashanth26
Copy link

Should we enable this setting by default on the CNIs? Or will the CNI support both ways? I am guessing it would be the latter. In that case, it should be fine.

cc: @DockToFuture for opinion.

@DockToFuture
Copy link
Member

DockToFuture commented Aug 19, 2021
edited
Loading

@prashanth26 What do you mean with Should we enable this setting by default on the CNIs?
It depends on the networking mode which is used, with an overlay we can use both with native infrastructure routing, we need to disable the checks otherwise it won't work.

@gardener-robot gardener-robot added the needs/review Needs review label Aug 20, 2021
@gardener-robot-ci-3 gardener-robot-ci-3 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Aug 20, 2021
@gardener-robot
Copy link

@prashanth26, @ScheererJ You have pull request review open invite, please check

@prashanth26
Copy link

prashanth26 commented Aug 25, 2021
edited
Loading

Apologies for the delayed response.

@prashanth26 What do you mean with Should we enable this setting by default on the CNIs?
It depends on the networking mode which is used, with an overlay we can use both with native infrastructure routing, we need to disable the checks otherwise it won't work.

My question was that with current changes the check would be disabled by default with 1.22. And with this change, I hope both modes will be supported by the CNI. I guess it shouldn't affect the working of CNI in either configuration i.e. with/without IP-in-IP encapsulation right? It should work both ways?

@rfranzke
Copy link
Member

cc @AxiomSamarth @DockToFuture

@AxiomSamarth
Copy link
Collaborator Author

@rfranzke I believe implementation is in place.

@DockToFuture Any more comments?

@DockToFuture
Copy link
Member

was that with current changes the check would be disabled by default with 1.22. And with this change, I hope both modes will be supported by the CNI. I guess it shouldn't affect the working of CNI in either configuration i.e. with/without IP-in-IP encapsulation right? It should work both ways?

yes it will work in both modes with disabled checks

DockToFuture
DockToFuture approved these changes Aug 30, 2021
View reviewed changes
Copy link
Member

@DockToFuture DockToFuture left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@gardener-robot gardener-robot added reviewed/lgtm Has approval for merging and removed needs/review Needs review labels Aug 30, 2021
@rfranzke
Copy link
Member

Thanks! @prashanth26 any further comments?

prashanth26
prashanth26 approved these changes Aug 30, 2021
View reviewed changes
Copy link

@prashanth26 prashanth26 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
Thanks. no further comments.

@ialidzhikov
Copy link
Member

/hold
as there is already ongoing release validation

@gardener-robot gardener-robot added the reviewed/do-not-merge Has no approval for merging as it may break things, be of poor quality or have (ext.) dependencies label Aug 30, 2021
@ialidzhikov
Copy link
Member

/unhold
as v1.28.0 was released

@gardener-robot gardener-robot removed the reviewed/do-not-merge Has no approval for merging as it may break things, be of poor quality or have (ext.) dependencies label Aug 31, 2021
@rfranzke rfranzke merged commit 127e8d7 into gardener:master Aug 31, 2021
@rfranzke
Copy link
Member

cc @timuthy

@AxiomSamarth AxiomSamarth deleted the src/dst-check branch September 2, 2021 04:59
@ialidzhikov ialidzhikov mentioned this pull request Nov 8, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vpnachev vpnachev vpnachev left review comments

@prashanth26 prashanth26 prashanth26 approved these changes

@DockToFuture DockToFuture DockToFuture approved these changes

@rfranzke rfranzke rfranzke left review comments

@ScheererJ ScheererJ Awaiting requested review from ScheererJ

Assignees

@DockToFuture DockToFuture

@prashanth26 prashanth26

Labels
area/networking Networking related kind/enhancement Enhancement, improvement, extension merge/squash Should be merged via 'Squash and merge' needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) platform/aws Amazon web services platform/infrastructure reviewed/lgtm Has approval for merging size/xs Size of pull request is tiny (see gardener-robot robot/bots/size.py)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Make src/dst checks configurable on awsmachineclass
10 participants
@AxiomSamarth @gardener-robot @prashanth26 @DockToFuture @rfranzke @ialidzhikov @vpnachev @gardener-robot-ci-1 @gardener-robot-ci-2 @gardener-robot-ci-3