phase 2: ipam filter secondary service cidr

2025-09-10 21:50:05 +00:00 · 2019-08-19 20:53:18 +00:00
parent 93c06821e6
commit 313a5c5734
11 changed files with 128 additions and 55 deletions
--- a/cmd/kube-controller-manager/app/core.go
+++ b/cmd/kube-controller-manager/app/core.go
@@ -83,6 +83,7 @@ func startServiceController(ctx ControllerContext) (http.Handler, bool, error) {
 }
 func startNodeIpamController(ctx ControllerContext) (http.Handler, bool, error) {
 	var serviceCIDR *net.IPNet
+	var secondaryServiceCIDR *net.IPNet

 	// should we start nodeIPAM
 	if !ctx.ComponentConfig.KubeCloudShared.AllocateNodeCIDRs {
@@ -118,12 +119,37 @@ func startNodeIpamController(ctx ControllerContext) (http.Handler, bool, error)
 		}
 	}

+	if len(strings.TrimSpace(ctx.ComponentConfig.NodeIPAMController.SecondaryServiceCIDR)) != 0 {
+		_, secondaryServiceCIDR, err = net.ParseCIDR(ctx.ComponentConfig.NodeIPAMController.SecondaryServiceCIDR)
+		if err != nil {
+			klog.Warningf("Unsuccessful parsing of service CIDR %v: %v", ctx.ComponentConfig.NodeIPAMController.SecondaryServiceCIDR, err)
+		}
+	}
+
+	// the following checks are triggered if both serviceCIDR and secondaryServiceCIDR are provided
+	if serviceCIDR != nil && secondaryServiceCIDR != nil {
+		// should have dual stack flag enabled
+		if !utilfeature.DefaultFeatureGate.Enabled(kubefeatures.IPv6DualStack) {
+			return nil, false, fmt.Errorf("secondary service cidr is provided and IPv6DualStack feature is not enabled")
+		}
+
+		// should be dual stack (from different IPFamilies)
+		dualstackServiceCIDR, err := netutils.IsDualStackCIDRs([]*net.IPNet{serviceCIDR, secondaryServiceCIDR})
+		if err != nil {
+			return nil, false, fmt.Errorf("failed to perform dualstack check on serviceCIDR and secondaryServiceCIDR error:%v", err)
+		}
+		if !dualstackServiceCIDR {
+			return nil, false, fmt.Errorf("serviceCIDR and secondaryServiceCIDR are not dualstack (from different IPfamiles)")
+		}
+	}
+
 	nodeIpamController, err := nodeipamcontroller.NewNodeIpamController(
 		ctx.InformerFactory.Core().V1().Nodes(),
 		ctx.Cloud,
 		ctx.ClientBuilder.ClientOrDie("node-controller"),
 		clusterCIDRs,
 		serviceCIDR,
+		secondaryServiceCIDR,
 		int(ctx.ComponentConfig.NodeIPAMController.NodeCIDRMaskSize),
 		ipam.CIDRAllocatorType(ctx.ComponentConfig.KubeCloudShared.CIDRAllocatorType),
 	)
--- a/cmd/kube-controller-manager/app/options/nodeipamcontroller.go
+++ b/cmd/kube-controller-manager/app/options/nodeipamcontroller.go
@@ -17,6 +17,9 @@ limitations under the License.
 package options

 import (
+	"fmt"
+	"strings"
+
 	"github.com/spf13/pflag"

 	nodeipamconfig "k8s.io/kubernetes/pkg/controller/nodeipam/config"
@@ -32,7 +35,6 @@ func (o *NodeIPAMControllerOptions) AddFlags(fs *pflag.FlagSet) {
 	if o == nil {
 		return
 	}
-
 	fs.StringVar(&o.ServiceCIDR, "service-cluster-ip-range", o.ServiceCIDR, "CIDR Range for Services in cluster. Requires --allocate-node-cidrs to be true")
 	fs.Int32Var(&o.NodeCIDRMaskSize, "node-cidr-mask-size", o.NodeCIDRMaskSize, "Mask size for node cidr in cluster.")
 }
@@ -43,7 +45,15 @@ func (o *NodeIPAMControllerOptions) ApplyTo(cfg *nodeipamconfig.NodeIPAMControll
 		return nil
 	}

-	cfg.ServiceCIDR = o.ServiceCIDR
+	// split the cidrs list and assign primary and secondary
+	serviceCIDRList := strings.Split(o.ServiceCIDR, ",")
+	if len(serviceCIDRList) > 0 {
+		cfg.ServiceCIDR = serviceCIDRList[0]
+	}
+	if len(serviceCIDRList) > 1 {
+		cfg.SecondaryServiceCIDR = serviceCIDRList[1]
+	}
+
 	cfg.NodeCIDRMaskSize = o.NodeCIDRMaskSize

 	return nil
@@ -54,7 +64,12 @@ func (o *NodeIPAMControllerOptions) Validate() []error {
 	if o == nil {
 		return nil
 	}
+	errs := make([]error, 0)
+
+	serviceCIDRList := strings.Split(o.ServiceCIDR, ",")
+	if len(serviceCIDRList) > 2 {
+		errs = append(errs, fmt.Errorf("--service-cluster-ip-range can not contain more than two entries"))
+	}

-	errs := []error{}
 	return errs
 }