Bug 2045576: [CARRY][Downstream-only] Give warning when ipFamilyPolicy implicitly set

[andreaskaris]

In kube 1.21 and 1.22 (OCP 4.8 and 4.9), the apiserver will default
the value of ipFamilyPolicy to RequireDualStack if you create a
Service with two ipFamilies or two clusterIPs but no explicitly
specified ipFamilyPolicy. In 1.23/4.10, you must explicitly specify
either PreferDualStack or RequireDualStack for DualStack services.
Emit a warning in 4.8 and 4.9 to raise awareness about the upcoming
API changes. See BZ2045576 for a thorough discussion.

- What this PR does and why is it needed

- Special notes for reviewers

- How to verify it

- Description for the changelog

[openshift-ci]

@andreaskaris: No Bugzilla bug is referenced in the title of this pull request.
To reference a bug, add 'Bug XXX:' to the title of this pull request and request another bug refresh with /bugzilla refresh.

Details

In response to this:

[CARRY][Downstream-only] Give warning when ipFamilyPolicy implicitly set

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[andreaskaris]

Downstream only, OCP 4.9 and 4.8 hack as an answer to https://bugzilla.redhat.com/show_bug.cgi?id=2045576

The following alternative approaches were tried but were discarded after all all:

• write a validating or mutating webhook --- discarded because webhooks for services are a no go
• hacking he kubeapi-server directly -- discarded due to obvious reasons [release-4.9] Bug 2047676: UPSTREAM: <carry>: Give warning when ipFamilyPolicy implicitly set kubernetes#1151
• metrics and alerts -- discarded because metrics are the wrong tool for this + due to complexity of this solution
• events -- this solution

[andreaskaris]

Verification steps:

Deploy a cluster with IPv4/IPv6 dualstack, e.g.: https://docs.openshift.com/container-platform/4.9/networking/ovn_kubernetes_network_provider/converting-to-dual-stack.html

Then, create the following services:

cat <<'EOF' | oc apply -f -
apiVersion: v1
kind: Service
metadata:
  name: dualstack-ipfamilies-no-ipfamilypolicy
spec:
  type: ClusterIP
  selector:
    app: test
  ipFamilies:
     - IPv6
     - IPv4
  ports:
    - port: 80
      targetPort: 80
EOF
cat <<'EOF' | oc apply -f -
apiVersion: v1
kind: Service
metadata:
  name: dualstack-ipfamilies-ipfamilypolicy-requiredualstack
spec:
  type: ClusterIP
  selector:
    app: test
  ipFamilyPolicy: RequireDualStack
  ipFamilies:
     - IPv6
     - IPv4
  ports:
    - port: 80
      targetPort: 80
EOF

One should see the following event for dualstack-ipfamilies-no-ipfamilypolicy and no event for dualstack-ipfamilies-ipfamilypolicy-requiredualstack:

[root@ovnkubernetes contrib]# oc get svc | grep dualstack
dualstack-ipfamilies-ipfamilypolicy-requiredualstack   ClusterIP   fd00:10:96::3928   <none>        80/TCP    31s
dualstack-ipfamilies-no-ipfamilypolicy                 ClusterIP   fd00:10:96::7578   <none>        80/TCP    32s
[root@ovnkubernetes contrib]# oc get events | grep dualstack
36s         Warning   ImplicitDualStackIpFamilyPolicy   service/dualstack-ipfamilies-no-ipfamilypolicy   DualStack ipFamilyPolicy set implicitly for service default/dualstack-ipfamilies-no-ipfamilypolicy
[root@ovnkubernetes contrib]# 

Do the same for clusterIPs - make sure to choose correct IP addresses from within the cluster's IPv4 and IPv6 service range:

oc delete events --all
oc delete svc dualstack-ipfamilies-no-ipfamilypolicy
oc delete svc dualstack-ipfamilies-ipfamilypolicy-requiredualstack
cat <<'EOF' | oc apply -f -
apiVersion: v1
kind: Service
metadata:
  name: dualstack-clusterips-no-ipfamilypolicy
spec:
  type: ClusterIP
  selector:
    app: test
  clusterIP: fd00:10:96::53b8
  clusterIPs:
  - fd00:10:96::53b8
  - 10.96.8.54
  ports:
    - port: 80
      targetPort: 80
EOF
cat <<'EOF' | oc apply -f -
apiVersion: v1
kind: Service
metadata:
  name: dualstack-clusterips-ipfamilypolicy-dualstack
spec:
  type: ClusterIP
  selector:
    app: test
  ipFamilyPolicy: PreferDualStack
  clusterIP: fd00:10:96::53b9
  clusterIPs:
  - fd00:10:96::53b9
  - 10.96.8.55
  ports:
    - port: 80
      targetPort: 80
EOF

One should see the following event for dualstack-clusterips-no-ipfamilypolicy and no event for dualstack-clusterips-ipfamilypolicy-dualstack:

[root@ovnkubernetes contrib]# oc get svc | grep dualstack
dualstack-clusterips-ipfamilypolicy-dualstack   ClusterIP   fd00:10:96::53b9   <none>        80/TCP    4s
dualstack-clusterips-no-ipfamilypolicy          ClusterIP   fd00:10:96::53b8   <none>        80/TCP    34s
[root@ovnkubernetes contrib]# oc get events | grep dualstack
37s         Warning   ImplicitDualStackIpFamilyPolicy   service/dualstack-clusterips-no-ipfamilypolicy   DualStack ipFamilyPolicy set implicitly for service default/dualstack-clusterips-no-ipfamilypolicy

Also test SingleStack, just in case:

oc delete events --all
oc delete svc dualstack-clusterips-ipfamilypolicy-dualstack
oc delete svc dualstack-clusterips-no-ipfamilypolicy 
cat <<'EOF' | oc apply -f -
apiVersion: v1
kind: Service
metadata:
  name: singlestack-clusterip-noipfamilypolicy
spec:
  type: ClusterIP
  selector:
    app: test
  clusterIP: fd00:10:96::53b8
  ports:
    - port: 80
      targetPort: 80
EOF
cat <<'EOF' | oc apply -f -
apiVersion: v1
kind: Service
metadata:
  name: singlestack-clusterip-ipfamilypolicy-singlestack
spec:
  type: ClusterIP
  selector:
    app: test
  ipFamilyPolicy: SingleStack
  clusterIP: fd00:10:96::53b9
  ports:
    - port: 80
      targetPort: 80
EOF
cat <<'EOF' | oc apply -f -
apiVersion: v1
kind: Service
metadata:
  name: singlestack-ipfamilypolicy-singlestack
spec:
  type: ClusterIP
  selector:
    app: test
  ipFamilyPolicy: SingleStack
  ports:
    - port: 80
      targetPort: 80
EOF

One should see the 3 singlestack services, yet no event that warns about issues with dualstack:

[root@ovnkubernetes contrib]# oc get svc | grep singlestack
singlestack-clusterip-ipfamilypolicy-singlestack   ClusterIP   fd00:10:96::53b9   <none>        80/TCP    8s
singlestack-clusterip-noipfamilypolicy             ClusterIP   fd00:10:96::53b8   <none>        80/TCP    8s
singlestack-ipfamilypolicy-singlestack             ClusterIP   10.96.163.225      <none>        80/TCP    7s
[root@ovnkubernetes contrib]# oc get events
No resources found in default namespace.

[openshift-ci]

@andreaskaris: This pull request references Bugzilla bug 2045576, which is invalid:

• expected the bug to target the "4.9.z" release, but it targets "---" instead
• expected Bugzilla bug 2045576 to depend on a bug targeting a release in 4.10.0 and in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE), but no dependents were found

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

Bug 2045576: [CARRY][Downstream-only] Give warning when ipFamilyPolicy implicitly set

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[andreaskaris]

/bugzilla refresh

[openshift-ci]

@andreaskaris: This pull request references Bugzilla bug 2045576, which is invalid:

• expected Bugzilla bug 2045576 to depend on a bug targeting a release in 4.10.0 and in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE), but no dependents were found

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[andreaskaris]

/bugzilla refresh

[openshift-ci]

@andreaskaris: This pull request references Bugzilla bug 2045576, which is invalid:

• expected Bugzilla bug 2045576 to depend on a bug targeting a release in 4.10.0 and in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE), but no dependents were found

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[andreaskaris]

/bugzilla refresh

[andreaskaris]

/bugzilla refresh

[openshift-ci]

@andreaskaris: An error was encountered querying GitHub for users with public email (anusaxen@redhat.com) for bug 2045576 on the Bugzilla server at https://bugzilla.redhat.com. No known errors were detected, please see the full error message for details.

Full error message.

non-200 OK status code: 403 Forbidden body: "{\n \"documentation_url\": \"https://docs.github.com/en/free-pro-team@latest/rest/overview/resources-in-the-rest-api#secondary-rate-limits\",\n \"message\": \"You have exceeded a secondary rate limit. Please wait a few minutes before you try again.\"\n}\n"

Please contact an administrator to resolve this issue, then request a bug refresh with /bugzilla refresh.

Details

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci]

@andreaskaris: This pull request references Bugzilla bug 2045576, which is valid.

6 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.9.z) matches configured target release for branch (4.9.z)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
• dependent bug Bugzilla bug 2048645 is in the state CLOSED (CURRENTRELEASE), which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE))
• dependent Bugzilla bug 2048645 targets the "4.10.0" release, which is one of the valid target releases: 4.10.0
• bug has dependents

Requesting review from QA contact:
/cc @anuragthehatter

Details

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[andreaskaris]

/retest

[trozet]

/lgtm
/label backport-risk-assessed

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andreaskaris, trozet

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [trozet]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[anuragthehatter]

/label cherry-pick-approved

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-ci]

@andreaskaris: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/4.9-upgrade-from-stable-4.8-e2e-aws-ovn-upgrade	06338af	link	false	/test 4.9-upgrade-from-stable-4.8-e2e-aws-ovn-upgrade
ci/prow/okd-e2e-gcp-ovn	06338af	link	false	/test okd-e2e-gcp-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-ci]

@andreaskaris: All pull requests linked via external trackers have merged:

• openshift/ovn-kubernetes#938

Bugzilla bug 2045576 has been moved to the MODIFIED state.

Details

In response to this:

Bug 2045576: [CARRY][Downstream-only] Give warning when ipFamilyPolicy implicitly set

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[andreaskaris]

/cherrypick release-4.8

[andreaskaris]

/cherry-pick release-4.8

[openshift-cherrypick-robot]

@andreaskaris: #938 failed to apply on top of branch "release-4.8":

Applying: Give warning when ipFamilyPolicy implicitly set
Using index info to reconstruct a base tree...
M	go-controller/pkg/ovn/controller/services/services_controller.go
Falling back to patching base and 3-way merge...
Auto-merging go-controller/pkg/ovn/controller/services/services_controller.go
CONFLICT (content): Merge conflict in go-controller/pkg/ovn/controller/services/services_controller.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Give warning when ipFamilyPolicy implicitly set
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

Details

In response to this:

/cherrypick release-4.8

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-cherrypick-robot]

@andreaskaris: #938 failed to apply on top of branch "release-4.8":

Applying: Give warning when ipFamilyPolicy implicitly set
Using index info to reconstruct a base tree...
M	go-controller/pkg/ovn/controller/services/services_controller.go
Falling back to patching base and 3-way merge...
Auto-merging go-controller/pkg/ovn/controller/services/services_controller.go
CONFLICT (content): Merge conflict in go-controller/pkg/ovn/controller/services/services_controller.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Give warning when ipFamilyPolicy implicitly set
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

Details

In response to this:

/cherry-pick release-4.8

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.