Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make src/dst checks configurable on awsmachineclass #36

Closed
DockToFuture opened this issue Aug 17, 2020 · 12 comments · Fixed by #39 or gardener/gardener-extension-provider-aws#386
Closed

Make src/dst checks configurable on awsmachineclass #36

DockToFuture opened this issue Aug 17, 2020 · 12 comments · Fixed by #39 or gardener/gardener-extension-provider-aws#386
Assignees
@AxiomSamarth
Labels
kind/roadmap Roadmap BLI
Milestone
2021-Q3

Comments

@DockToFuture
Copy link
Member

What would you like to be added:
To support calico's "CrossSubnet" mode on gardener clusters for provider type aws the src and dst checks (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck) have to be disabled on machine network interface level. Therefore I would like to expose a field in the awsmachineclass (https://github.com/gardener/machine-controller-manager/blob/master/pkg/apis/machine/v1alpha1/aws_machineclass_types.go#L179) which contains a boolean value which describes if the src/dst checks on the interface level of the machines are enabled or disabled.
I would suggest something like

// Describes a network interface.
// Please also see https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/MachineAWSNetworkInterfaceSpecification
type AWSNetworkInterfaceSpec struct { 
   // If set to false, source and destination checks are disabled, default is true
   SrcAndDstChecksEnabled: bool `json:"srcAndDstChecksEnabled,omitempty"`
}

WDYT?
/cc: @zanetworker
@prashanth26
Copy link

I would suggest having this type as *bool as this a newly added field and in the API. And nil value would mimic the current behavior and only when set overrides it.

With this update, I don't think (need to verify) it will update any existing VMs as we do not update the VMs once created. However, newly created VMs will have this feature enabled.

@hardikdr
Copy link
Member

/add kind/api-change
/add kind/feature
/add platform/aws

@hardikdr
Copy link
Member

This is related to : gardener/machine-controller-manager#441 .

  • This was proposed, discussed and we had not implemented due to other dependencies.
  • cc @zuzzas

We have an atomic Create() call, and I believe the src-dest check can be enabled only via a separate ModifyInstanceAttribute() call.

  • To have a reliable solution, we need better state-management, and also in-place updates to avoid roll-outs of machines.

How critical is the need at the moment, I'd set the normal priority, for now, please change if otherwise.

@hardikdr
Copy link
Member

/kind discussion

@zuzzas
Copy link

zuzzas commented Aug 20, 2020
edited
Loading

If you use AWS cloud-controller-manager (separately or as a legacy part of kube-controller-manager), it'll set this option on every Node. That's why we aren't interested in this feature being part of machine-controller-manager.

@zanetworker
Copy link

@zuzzas correct me if I am wrong, but isn't this the case only if the cloud-controller is set to configure routes? otherwise, src/destination checks are enabled by default. I guess it would be helpful to have more control over when it is enabled / disabled.

@zuzzas
Copy link

zuzzas commented Aug 22, 2020

@zanetworker
That is correct.

@vpnachev
Copy link
Member

The node roll out can be forced by the gardener-extension-provider-aws here https://github.com/gardener/gardener-extension-provider-aws/blob/09bca6c28530090af970a5aeafbd29fef3b26c21/pkg/controller/worker/machines.go#L307 by including this field in the data for computing the hash.

What is not clear to me is whether provider-aws will directly manage this field or the calico extension will implement a mutating webhook to adjust this field?

@zanetworker
Copy link

zanetworker commented Aug 27, 2020
edited
Loading

@vpnachev yea that was the intention. It would have been great though if you can update without rolling the VM, as this procedure is not disruptive and can be done while the VM is running.

Eventually, this is needed for Network config updates, so waiting for the maintenance and the VMs to be rolled can be a bit challenging.

@prashanth26 prashanth26 transferred this issue from gardener/machine-controller-manager May 26, 2021
@prashanth26
Copy link

As discussed overcall. The final approach would be

  • Introduce this flag on MCM provider AWS - Creation of the machine will change to a two-step process
  • Update the provider-aws (worker) extension to use this flag by default from k8s > v1.22
  • Enable the cross subnet flag post k8s > v1.22 by default as well.

@vpnachev
Copy link
Member

vpnachev commented Jun 1, 2021

Why do you want to use flag when you can use field in the MachineClass?
This way you can have worker pools with different settings controller by exactly the same instance of the MCM.

@prashanth26
Copy link

Why do you want to use flag when you can use field in the MachineClass?
This way you can have worker pools with different settings controller by exactly the same instance of the MCM.

Sorry it was a typo. I mean't to keep it as a field

@amshuman-kr amshuman-kr added this to the 2021-Q3 milestone Jun 7, 2021
@AxiomSamarth AxiomSamarth self-assigned this Jul 26, 2021
This was referenced Jul 28, 2021
Merged
Open
@AxiomSamarth AxiomSamarth mentioned this issue Aug 5, 2021
Merged
ScheererJ added a commit to ScheererJ/gardener-extension-provider-aws that referenced this issue Aug 16, 2022
@ScheererJ
Create shoot cluster per default without overlay network for kubernet…
b028638 
…es >= 1.22.

Unless explicitly specified, the overlay network is disabled with a mutating
webhook for new clusters. This only works for clusters >= 1.22 due to the
source/destinations checks being disabled only for those clusters (see
gardener/machine-controller-manager-provider-aws#36
for details).
@ScheererJ ScheererJ mentioned this issue Aug 16, 2022
Merged
ScheererJ added a commit to ScheererJ/gardener-extension-provider-aws that referenced this issue Aug 16, 2022
@ScheererJ
Create shoot cluster per default without overlay network for kubernet…
0262b79 
…es >= 1.22.

Unless explicitly specified, the overlay network is disabled with a mutating
webhook for new clusters. This only works for clusters >= 1.22 due to the
source/destinations checks being disabled only for those clusters (see
gardener/machine-controller-manager-provider-aws#36
for details).
MartinWeindel pushed a commit to MartinWeindel/gardener-extension-provider-aws that referenced this issue Sep 9, 2022
@ScheererJ @MartinWeindel
Create shoot cluster per default without overlay network for kubernet…
7d3a341 
…es >= 1.22.

Unless explicitly specified, the overlay network is disabled with a mutating
webhook for new clusters. This only works for clusters >= 1.22 due to the
source/destinations checks being disabled only for those clusters (see
gardener/machine-controller-manager-provider-aws#36
for details).
@gardener-robot gardener-robot added the kind/roadmap Roadmap BLI label Mar 23, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@AxiomSamarth AxiomSamarth

Labels
kind/roadmap Roadmap BLI
Projects
None yet
Milestone
2021-Q3
9 participants
@zuzzas @zanetworker @vpnachev @hardikdr @DockToFuture @amshuman-kr @AxiomSamarth @prashanth26 @gardener-robot