From 7634cc01c596c1bb44b4da4a7170179e4136910c Mon Sep 17 00:00:00 2001
From: Arvinderpal Wander
Date: Sat, 1 Jun 2019 10:34:56 -0700
Subject: [PATCH] Fix kubeadm service-cidr mapping to service-cluster-ip-rage for kube-controller-manager. If a service CIDR that overlaps with the cluster CIDR is specified to kube-controller-manager then kube-controller- manager will incorrectly allocate node CIDRs that overlap with the service CIDR. The fix ensure that kubeadm maps the --service-cidr to --service-cluster-ip-range for use by kube-controller-manager. As per docs, --allocate-node-cidrs must be true for --service-cluster-ip-range to be considered. It does not make sense for --cluster-cidr to be unspecified but for --service-cluster-ip-range and --allocate-node-cidrs to be set, since the purpose of these options is to have the controller-manager do the per node CIDR allocation. Also note that --service-cluster-ip-range is passed to the api-server, so the presence of *just* --service-cluster-ip-range should not imply that --allocate-node-cidrs should be true. Resolves: kubernetes/kubeadm/issues/1591
---
 .../app/phases/controlplane/manifests.go | 3 ++
 .../app/phases/controlplane/manifests_test.go | 36 ++++++++++++++++++-
 2 files changed, 38 insertions(+), 1 deletion(-)
diff --git a/cmd/kubeadm/app/phases/controlplane/manifests.go b/cmd/kubeadm/app/phases/controlplane/manifests.go
index d4f84d3e27d..b9531eab775 100644
--- a/cmd/kubeadm/app/phases/controlplane/manifests.go
+++ b/cmd/kubeadm/app/phases/controlplane/manifests.go
@@ -297,6 +297,9 @@ func getControllerManagerCommand(cfg *kubeadmapi.ClusterConfiguration, k8sVersio
 defaultArguments["allocate-node-cidrs"] = "true"
 defaultArguments["cluster-cidr"] = cfg.Networking.PodSubnet
 defaultArguments["node-cidr-mask-size"] = maskSize
+ if cfg.Networking.ServiceSubnet != "" {
+ defaultArguments["service-cluster-ip-range"] = cfg.Networking.ServiceSubnet
+ }
 }
 command := []string{"kube-controller-manager"}
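Review bot: The new `if cfg.Networking.ServiceSubnet != ""` branch has no comment saying why the flag is set only inside the node-CIDR allocation block, so that reasoning lives only in the commit message. I would add above it `// kube-controller-manager only considers --service-cluster-ip-range when --allocate-node-cidrs is true; passing it keeps allocated node CIDRs from overlapping the service range.` The enclosing condition and the rest of getControllerManagerCommand are outside the hunk, so I am assuming this block is guarded by a non-empty PodSubnet check. ServiceSubnet is copied into the argument map unchanged here, so this presumably relies on earlier configuration validation to guarantee a well-formed, non-overlapping CIDR; worth confirming.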
diff --git a/cmd/kubeadm/app/phases/controlplane/manifests_test.go b/cmd/kubeadm/app/phases/controlplane/manifests_test.go
index b03b727b600..4882a18a2ed 100644
--- a/cmd/kubeadm/app/phases/controlplane/manifests_test.go
+++ b/cmd/kubeadm/app/phases/controlplane/manifests_test.go
@@ -577,6 +577,36 @@ func TestGetControllerManagerCommand(t *testing.T) {
 "--node-cidr-mask-size=24",
 },
 },
+ {
+ name: "custom service-cluster-ip-range for " + cpVersion,
+ cfg: &kubeadmapi.ClusterConfiguration{
+ Networking: kubeadmapi.Networking{
+ PodSubnet: "10.0.1.15/16",
+ ServiceSubnet: "172.20.0.0/24"},
+ CertificatesDir: testCertsDir,
+ KubernetesVersion: cpVersion,
+ },
+ expected: []string{
+ "kube-controller-manager",
+ "--bind-address=127.0.0.1",
+ "--leader-elect=true",
+ "--kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
+ "--root-ca-file=" + testCertsDir + "/ca.crt",
+ "--service-account-private-key-file=" + testCertsDir + "/sa.key",
+ "--cluster-signing-cert-file=" + testCertsDir + "/ca.crt",
+ "--cluster-signing-key-file=" + testCertsDir + "/ca.key",
+ "--use-service-account-credentials=true",
+ "--controllers=*,bootstrapsigner,tokencleaner",
+ "--authentication-kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
+ "--authorization-kubeconfig=" + kubeadmconstants.KubernetesDir + "/controller-manager.conf",
+ "--client-ca-file=" + testCertsDir + "/ca.crt",
+ "--requestheader-client-ca-file=" + testCertsDir + "/front-proxy-ca.crt",
+ "--allocate-node-cidrs=true",
+ "--cluster-cidr=10.0.1.15/16",
+ "--node-cidr-mask-size=24",
+ "--service-cluster-ip-range=172.20.0.0/24",
+ },
+ },
 {
 name: "custom extra-args for " + cpVersion,
 cfg: &kubeadmapi.ClusterConfiguration{
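Review bot: The added case only covers PodSubnet and ServiceSubnet both being set; nothing in this hunk pins the behaviour the commit message argues for, namely that a ServiceSubnet without a PodSubnet must emit neither `--service-cluster-ip-range` nor `--allocate-node-cidrs`. Cases outside the hunk may already set ServiceSubnet alone, but if none does, a table entry like the one below would catch the flag later being moved out of the PodSubnet block. As a style point, the new case closes the Networking literal with `ServiceSubnet: "172.20.0.0/24"},` while the IPv6 case changed in the later hunk puts `},` on its own line; one layout for both would read better.

```go
{
	name: "service subnet without pod subnet for " + cpVersion,
	cfg: &kubeadmapi.ClusterConfiguration{
		Networking:        kubeadmapi.Networking{ServiceSubnet: "172.20.0.0/24"},
		CertificatesDir:   testCertsDir,
		KubernetesVersion: cpVersion,
	},
	expected: []string{
		// … unchanged: base flags from "kube-controller-manager" through "--requestheader-client-ca-file" …
		// deliberately no --allocate-node-cidrs, --cluster-cidr, --node-cidr-mask-size or --service-cluster-ip-range
	},
},
```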
@@ -610,7 +640,10 @@ func TestGetControllerManagerCommand(t *testing.T) {
 {
 name: "custom IPv6 networking for " + cpVersion,
 cfg: &kubeadmapi.ClusterConfiguration{
- Networking: kubeadmapi.Networking{PodSubnet: "2001:db8::/64"},
+ Networking: kubeadmapi.Networking{
+ PodSubnet: "2001:db8::/64",
+ ServiceSubnet: "fd03::/112",
+ },
 CertificatesDir: testCertsDir,
 KubernetesVersion: cpVersion,
 },
@@ -632,6 +665,7 @@ func TestGetControllerManagerCommand(t *testing.T) {
 "--allocate-node-cidrs=true",
 "--cluster-cidr=2001:db8::/64",
 "--node-cidr-mask-size=80",
+ "--service-cluster-ip-range=fd03::/112",
 },
 },
 }