The nftables implementation made use of concatenation of ranges when
creating the set "firewall-allow", but the support was not available
before kernel 5.6. Therefore, nftables mode couldn't run on earlier
kernels, while 5.4 is still widely used.
An alternative to concatenation of ranges is to create a separate
firewall chain for every service port that needs firewalling, and jump
to the service's firewall chain from the common firewall chain via a
rule with vmap.
Renaming from "firewall" to "firewall-ips" is required when changing the
set to the map to support existing clusters to upgrade, otherwise it
would fail to create the map. Besides, "firewall-ips" corresponds to the
"service-ips" map; later we can add "firewall-nodeports" if it's
determined that NodePort traffic should be subject to
LoadBalancerSourceRanges.
Signed-off-by: Quan Tian <qtian@vmware.com>
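The per-service-chain approach described above, written out as an added nftables ruleset fragment (not kube-proxy's own ruleset; the table, chain names and addresses are placeholders): the verdict map uses an exact concatenated key, which pre-5.6 kernels accept, and each service's source-range checks live in its own chain.

```nft
# Added illustration, not kube-proxy's ruleset: names and addresses are placeholders.
# The base chain that jumps to firewall-check is omitted.
table ip kube-proxy {
    # Verdict map keyed on an exact concatenation (no ranges in the key),
    # so it loads on kernels older than 5.6 that lack concatenated ranges.
    map firewall-ips {
        type ipv4_addr . inet_proto . inet_service : verdict
        elements = { 192.0.2.10 . tcp . 443 : goto firewall-svc-web }
    }

    # Common firewall chain: dispatch to the service's chain via vmap.
    chain firewall-check {
        ip daddr . meta l4proto . th dport vmap @firewall-ips
    }

    # Per-service chain: the allowed source ranges (LoadBalancerSourceRanges)
    # are matched here, where prefixes are fine; anything else is dropped.
    chain firewall-svc-web {
        ip saddr { 10.0.0.0/8, 203.0.113.0/24 } return
        drop
    }
}
```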
In some cases a chain could change from stale to active, but once it's
added to staleChains it would always be deleted once. When the proxier
tries to delete a previously stale but currently active chain, it would
fail and lead to errors, though it won't cause a real problem thanks to
kernel's validation.
The commit removes a chain from staleChains if it becomes active.
Signed-off-by: Quan Tian <qtian@vmware.com>
If the user deletes the /var/lib/kubelet manually, "reset" will throw
an error that the dir is missing. Instead of handling this error,
print it as a warning and skip unmount of directories inside it.
This allows "reset" to continue to be reentrant and can be called
even if "init/join" are not called yet and some of the
k8s directories on a node do not exist.
Continue to error on individual unmount errors.
Remove the function absoluteKubeletRunDirectory() and
call filepath.EvalSymlinks() directly.
Add ready conditions to the Endpoints of the self-generated
EndpointSlice tests so that the readiness is not ambiguous and it will
work across CNIs that filter for ready endpoints.
Currently, timeouts are only accessible if a kubeadm runtime.Object{}
like InitConfiguration is passed around.
Any time a config is loaded or defaulted, store the Timeouts
structure in a thread-safe way in the main kubeadm API package
with SetActiveTimeouts(). Optionally, a deep-copy can be
performed before calling SetActiveTimeouts(). Make this struct
accessible with GetActiveTimeouts(). Ensure these functions
are thread safe.
On init() make sure the struct is defaulted, so that unit
tests can work with these values.
When upconverting from v1beta3 to v1beta4, it appears there is no
easy way to migrate some of the timeout values such as:
ClusterConfiguration.APIServer.TimeoutForControlPlane
to a new location:
InitConfiguration.Timeouts.<some-timeout-field>
Yes, the internal InitConfiguration does embed a ClusterConfiguration,
but during conversion the ClusterConfiguration is converted from an
empty source.
K8s' API machinery has ways to register custom conversion functions,
such as v1beta3.ClusterConfiguration -> internal.InitConfiguration,
but these must be triggered explicitly with a decoder.
The overall migration of fields seems very awkward.
There might be hacks around that, such as storing intermediate state,
while trying to make the fuzzer roundtrip happy, but instead
mutation functions can be implemented for the internal types when
calling kubeadm's migrate code. This seems much cleaner.
The struct is included in InitConfiguration, JoinConfiguration
and ResetConfiguration.
Add conversion and update defaulters and fuzzers.
Include a timeoututils.go that contains a function
to default the internal Timeouts struct.
Add a new v1beta4.ResetConfiguration.UnmountFlags field that
can be used to pass in Linux unmount2() flags such as MNT_FORCE.
Default value continues to be 0 - i.e. no flags.
EndpointSlices and Endpoints usually become ready pretty fast, but the
test always waited 5s before performing every check and it performed the
check 4 times in total, so it unnecessarily extends the test by 20s.
The commit changes the poll function to perform a check before waiting,
and reduces the interval to 2 seconds to align with other EndpointSlice
tests. It reduces the test duration from 30s to 4s.
Signed-off-by: Quan Tian <qtian@vmware.com>