From 290c7a6aec41877e2563c993ff36fed1b49f87f2 Mon Sep 17 00:00:00 2001
From: Peng Liu
Date: Tue, 29 Apr 2025 03:35:56 -0400
Subject: [PATCH 1/6] Pass '--gateway-mode' flag for ovnkube-cluster-manager

Some code (EgressSVC and BGP) in cluster-manager needs to know the gateway mode.

Signed-off-by: Peng Liu
(cherry picked from commit bc5f08ed5ea4c40fe319dff027f6467e1fd1136c)
---
 .../self-hosted/ovnkube-control-plane.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/bindata/network/ovn-kubernetes/self-hosted/ovnkube-control-plane.yaml b/bindata/network/ovn-kubernetes/self-hosted/ovnkube-control-plane.yaml
index 75a2ddff25..fbdf37107e 100644
--- a/bindata/network/ovn-kubernetes/self-hosted/ovnkube-control-plane.yaml
+++ b/bindata/network/ovn-kubernetes/self-hosted/ovnkube-control-plane.yaml
@@ -148,6 +148,15 @@ spec:
 route_advertisements_enable_flag="--enable-route-advertisements"
 fi
+ if [ "{{.OVN_GATEWAY_MODE}}" == "shared" ]; then
+ gateway_mode_flags="--gateway-mode shared"
+ elif [ "{{.OVN_GATEWAY_MODE}}" == "local" ]; then
+ gateway_mode_flags="--gateway-mode local"
+ else
+ echo "Invalid OVN_GATEWAY_MODE: \"{{.OVN_GATEWAY_MODE}}\". Must be \"local\" or \"shared\"."
+ exit 1
+ fi
+
 echo "I$(date "+%m%d %H:%M:%S.%N") - ovnkube-control-plane - start ovnkube --init-cluster-manager ${K8S_NODE}"
 exec /usr/bin/ovnkube \
 --enable-interconnect \
@@ -165,6 +174,7 @@ spec:
 ${persistent_ips_enabled_flag} \
 ${multi_network_enabled_flag} \
 ${network_segmentation_enabled_flag} \
+ ${gateway_mode_flags} \
 ${route_advertisements_enable_flag}
 volumeMounts:
 - mountPath: /run/ovnkube-config/

From ab1a7cc1600cc39a016bee4d490d4c6dc2dcc903 Mon Sep 17 00:00:00 2001
From: Konstantinos Karampogias
Date: Wed, 14 May 2025 10:05:20 +0200
Subject: [PATCH 2/6] frr-k8s: stop listening for incoming connection in the bgp daemon

frr-k8s will not listen to port 179, and BGP peering can only be established from OCP to external.
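Review bot: The new gateway-mode check uses `==` inside a single-bracket `[ ... ]` test, which is a bash extension rather than POSIX `test`; the script's interpreter line is outside the hunk, so if this block scalar runs under bash as the surrounding code suggests it works, but `=` is equivalent and portable either way: `if [ "{{.OVN_GATEWAY_MODE}}" = "shared" ]; then` and `elif [ "{{.OVN_GATEWAY_MODE}}" = "local" ]; then`. The fail-closed else branch is the right shape (an unexpected template value stops the container rather than starting ovnkube with an unvalidated flag), but the diagnostic is printed with a bare `echo`, so `echo "Invalid OVN_GATEWAY_MODE: ..." >&2` would keep it out of the normal log stream and make the crash reason easier to find. The enclosing script starts and ends outside the hunk.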
Signed-off-by: Konstantinos Karampogias
(cherry picked from commit 401f7b46b8fd25f1beab79538b70d736096c400b)
---
 bindata/network/frr-k8s/config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bindata/network/frr-k8s/config.yaml b/bindata/network/frr-k8s/config.yaml
index 5f39c32ef3..1b559f70de 100644
--- a/bindata/network/frr-k8s/config.yaml
+++ b/bindata/network/frr-k8s/config.yaml
@@ -46,7 +46,7 @@ data:
 # vtysh_enable=yes
 zebra_options=" -A 127.0.0.1 -s 90000000 --limit-fds 100000"
- bgpd_options=" -A 127.0.0.1 --limit-fds 100000"
+ bgpd_options=" -A 127.0.0.1 -p 0 --limit-fds 100000"
 ospfd_options=" -A 127.0.0.1"
 ospf6d_options=" -A ::1"
 ripd_options=" -A 127.0.0.1"

From 95178176e2b909786f560c157eb9e9f8a9af75c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Caama=C3=B1o=20Ruiz?=
Date: Wed, 4 Jun 2025 13:36:16 +0000
Subject: [PATCH 3/6] Validate NAD name and spec only in multus admission controller
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This should save up calls to the webhook and reduce latency when a NAD is updated to add labels or annotations. The root cause of the change is the OVNK BGP feature: when BGP is enabled for the cluster default network, reconfiguration might cause temporary disruptions. As part of this reconfiguration and necessary to complete it, OVNK depends on annotating an internal NAD. We want to avoid having to reach the webhook for this annotation because the temporary disruption might prevent it and in that case the reconfiguration won't complete. Another possibility would be to filter out from validation the specific internal NAD but this current approach might be more beneficial overall.

Signed-off-by: Jaime CaamaƱo Ruiz
(cherry picked from commit 0dae0a03e3f30736afcb0a0150e12c548bdc8c7c)
---
 bindata/network/multus-admission-controller/003-webhook.yaml | 4 ++++
 1 file changed, 4 insertions(+)
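Review bot: The whole point of this change lives in the two characters `-p 0` on the new `bgpd_options` line, and nothing in the file says what they do; to the next maintainer `-p 0` reads like a typo rather than "do not listen on TCP/179". The surrounding content looks like FRR's daemons file, where `#` comments are valid (the `# vtysh_enable=yes` context line is one, albeit a commented-out setting), so a line above it such as `# -p 0: bgpd opens no listening socket; BGP sessions are only initiated from this side, never accepted` would record the exposure reduction the commit message describes. It is also worth stating, in the CRD or operator docs rather than here, that any neighbor configured to expect the cluster to accept the connection (a passive peer on the cluster side) will no longer come up, since the daemon will not answer inbound SYNs.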
diff --git a/bindata/network/multus-admission-controller/003-webhook.yaml b/bindata/network/multus-admission-controller/003-webhook.yaml
index aca1cf39e5..533001a069 100644
--- a/bindata/network/multus-admission-controller/003-webhook.yaml
+++ b/bindata/network/multus-admission-controller/003-webhook.yaml
@@ -27,6 +27,10 @@ webhooks:
 apiGroups: ["k8s.cni.cncf.io"]
 apiVersions: ["v1"]
 resources: ["network-attachment-definitions"]
+ matchConditions:
+ # On updates, only validate if the Spec changes
+ - name: CreateDeleteOrUpdatedSpec
+ expression: oldObject == null || object == null || object.spec != oldObject.spec
 sideEffects: NoneOnDryRun
 admissionReviewVersions:
 - v1

From ad555366ed9dad200fe192fb5ff7e519e9e927d2 Mon Sep 17 00:00:00 2001
From: Federico Paolinelli
Date: Wed, 25 Jun 2025 07:51:39 +0200
Subject: [PATCH 4/6] FRRK8s webhook: align to upstream

Aligning to upstream and:
- move the webhook deployment to hostnetworked, so that the api can still be served if an offending FRRConfiguration is applied
- openshift only: change the webhook port to one in the allowed range
- remove the metrics listening port, as no service monitor was deployed

Signed-off-by: Federico Paolinelli
(cherry picked from commit 0b29885cc06a36c8c4a23deb47acb551e73dc774)
---
 bindata/network/frr-k8s/webhook.yaml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/bindata/network/frr-k8s/webhook.yaml b/bindata/network/frr-k8s/webhook.yaml
index cb0414ff15..ee8ab79dcb 100644
--- a/bindata/network/frr-k8s/webhook.yaml
+++ b/bindata/network/frr-k8s/webhook.yaml
@@ -71,17 +71,13 @@ spec:
 - --webhook-mode=onlywebhook
 - --disable-cert-rotation=true
 - --namespace=$(NAMESPACE)
- - --metrics-bind-address=:7572
 env:
 - name: NAMESPACE
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
 image: {{.FRRK8sImage}}
- name: frr-k8s-webhook-server
- ports:
- - containerPort: 7572
- name: monitoring
+ name: frr-k8s-webhook-server
 securityContext:
 runAsNonRoot: true
 resources:
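Review bot: The CEL expression on the new `matchConditions` entry reads `object.spec` and `oldObject.spec` without a `has()` guard; on an unstructured admission object a missing key is an evaluation error, and an erroring match condition is resolved by the webhook's `failurePolicy` (deny under Fail, skip the webhook under Ignore) instead of being treated as a match. If a NetworkAttachmentDefinition can be stored without `spec` — I cannot confirm that from this file — an update that adds or removes the whole spec would hit that path rather than being validated. A guarded form keeps the intended semantics: `expression: oldObject == null || object == null || has(object.spec) != has(oldObject.spec) || (has(object.spec) && object.spec != oldObject.spec)`. It would also help to extend the comment to state the security consequence the commit accepts, i.e. that metadata-only updates (labels, annotations) are no longer seen by the webhook at all, so no check may rely on them being validated on update; the enclosing `webhooks` entry starts outside the hunk.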
@@ -122,3 +118,4 @@ spec:
 serviceAccountName: frr-k8s-daemon
 priorityClassName: system-cluster-critical
 terminationGracePeriodSeconds: 10
+ hostNetwork: true

From c7bdd07b89146f86ef9173446fb305f896cad758 Mon Sep 17 00:00:00 2001
From: Federico Paolinelli
Date: Wed, 25 Jun 2025 07:57:23 +0200
Subject: [PATCH 5/6] FRRK8s CRDs: align to upstream

Aligning to upstream and bringing the deprecation of the disableMP flag and the introduction of a "dualStackAddressFamily" flag to bring the behavior back to allow backward compatibility. The default behavior was inconsistent in case of dual stack clusters, as frr was being configured to advertise both ip families over a single session, without being instructed properly to what next hop set for the ip family not corresponding to the ip family of the session. The dualStackAddressFamily flag is introduced to allow users relying on that behavior to keep working. Note that both flags are not documented nor supported d/s. More details in the upstream metallb issue https://github.com/metallb/metallb/issues/2704

Signed-off-by: Federico Paolinelli
(cherry picked from commit 7056e67b747afa6880aaea067a80c149801c2fcf)
---
 bindata/network/frr-k8s/001-crd.yaml | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/bindata/network/frr-k8s/001-crd.yaml b/bindata/network/frr-k8s/001-crd.yaml
index 264d43a5d6..676d22e4ae 100644
--- a/bindata/network/frr-k8s/001-crd.yaml
+++ b/bindata/network/frr-k8s/001-crd.yaml
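Review bot: `hostNetwork: true` is added to the pod spec without a `dnsPolicy`; a hostNetwork pod with the default `ClusterFirst` policy falls back to the node's resolver, so if the webhook server resolves any in-cluster service name it needs `dnsPolicy: ClusterFirstWithHostNet` next to it. If it only reaches the API server through the injected `KUBERNETES_SERVICE_*` environment (likely for a controller-runtime webhook, but not visible here) the default is fine, and that should be stated so the omission is not read as an oversight. Since a hostNetwork listener is bound in the node's network namespace rather than the pod's, a comment recording the reason the commit message gives would also help future reviewers: `hostNetwork: true  # keeps the admission endpoint reachable when a bad FRRConfiguration breaks pod networking`. The enclosing pod template spec starts outside the hunk.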
@@ -184,9 +184,15 @@ spec:
 0
 disableMP:
 default: false
- description: To set if we want to disable MP BGP that
- will separate IPv4 and IPv6 route exchanges into
- distinct BGP sessions.
+ description: |-
+ To set if we want to disable MP BGP that will separate IPv4 and IPv6 route exchanges into distinct BGP sessions.
+ Deprecated: DisableMP is deprecated in favor of dualStackAddressFamily.
+ type: boolean
+ dualStackAddressFamily:
+ default: false
+ description: |-
+ To set if we want to enable the neighbor not only for the ipfamily related to its session,
+ but also the other one. This allows to advertise/receive IPv4 prefixes over IPv6 sessions and vice versa.
 type: boolean
 dynamicASN:
 description: |-
@@ -222,6 +228,8 @@ spec:
 represents an interface name on the host and if user provides an invalid value, only the actual BGP session will not be established. Address and Interface are mutually exclusive and one of them must be specified.
+ Note: when enabling unnumbered, the neighbor will be enabled for both
+ IPv4 and IPv6 address families.
 type: string
 keepaliveTime:
 description: |-

From d8215b15a9fd65306c52fea79ab09f7bf54a8028 Mon Sep 17 00:00:00 2001
From: Federico Paolinelli
Date: Wed, 25 Jun 2025 12:20:13 +0200
Subject: [PATCH 6/6] FRR-K8s webhook: promote to priviledged

We need to run the webhook as hostnetworked, so it requires the privileged scc.

Signed-off-by: Federico Paolinelli
(cherry picked from commit 5cc28c6230fa7411c5cf0abef02185ee3ed428b7)
---
 bindata/network/frr-k8s/webhook.yaml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/bindata/network/frr-k8s/webhook.yaml b/bindata/network/frr-k8s/webhook.yaml
index ee8ab79dcb..b7562400cf 100644
--- a/bindata/network/frr-k8s/webhook.yaml
+++ b/bindata/network/frr-k8s/webhook.yaml
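Review bot: The new `dualStackAddressFamily` description and the deprecation line on `disableMP` leave the one question a migrating user will ask unanswered: both fields default to `false`, and nothing says which wins when both are set to `true`. Whatever precedence the controller applies is not visible here, so the sentence has to come from the implementer, but the shape is one line on the `dualStackAddressFamily` description, e.g. `Has no effect when disableMP is true.` (or the inverse), and the `Deprecated:` line would be more useful if it named the release in which the field stops being honoured, if that is decided. The second hunk's added note on `interface` reads as if unnumbered neighbors are always enabled for both families regardless of this flag; if so, the `dualStackAddressFamily` description should cross-reference that as well. Both properties sit inside a schema mapping that starts outside the hunk.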
@@ -61,7 +61,7 @@ spec:
 component: frr-k8s-webhook-server
 annotations:
 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
- openshift.io/required-scc: restricted-v2
+ openshift.io/required-scc: privileged
 spec:
 containers:
 - command:
@@ -78,8 +78,6 @@ spec:
 fieldPath: metadata.namespace
 image: {{.FRRK8sImage}}
 name: frr-k8s-webhook-server
- securityContext:
- runAsNonRoot: true
 resources:
 requests:
 cpu: 10m
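Review bot: `openshift.io/required-scc: privileged` grants far more than `hostNetwork` needs — privileged containers, any UID, host paths and all capabilities — for a process whose only new requirement is the node's network namespace; OpenShift's built-in `hostnetwork-v2` SCC permits `hostNetwork` while keeping the restricted-v2 constraints (non-root UID range, dropped capabilities, no privilege escalation), so `openshift.io/required-scc: hostnetwork-v2` would be the least-privilege pin. The second hunk compounds this by deleting `securityContext.runAsNonRoot: true`; nothing about hostNetwork requires root, and that guard matters more, not less, once the webhook shares the node's network stack, so unless the image lacks a numeric `USER` (which would make the kubelet reject `runAsNonRoot`, a reason worth writing in a comment) I would keep the two lines. Whichever SCC is pinned, the `frr-k8s-daemon` service account must be allowed to use it; that RBAC is not part of this patch, so I cannot tell whether `privileged` was chosen because it is the only SCC already granted. The pod template metadata starts outside the first hunk.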