Update Calico to v3.16.0 for k8s 1.16+ #9829
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hakman The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
area/addons
approved
|
/retest |
| awsSrcDstCheck: | ||
| description: 'Set source-destination-check on AWS EC2 instances. Accepted | ||
| value must be one of "DoNothing", "Enabled" or "Disabled". [Default: | ||
| DoNothing]' | ||
| enum: | ||
| - DoNothing | ||
| - Enable | ||
| - Disable | ||
| type: string |
There was a problem hiding this comment.
Do we want to move the logic from
Line 8618 in fc2e70e
k8s-ec2-srcdst pod to here as this is now the supported path?
I think allowing users to enable this will require them to add permissions to worker nodes as we currently only give the required ec2:ModifyInstanceAttribute permissions to masters, at a minimum I think we need to add something to the docs, and make clear that enabling this alongside the existing logic for installing k8s-ec2-srcdst is an untested path.
There was a problem hiding this comment.
Yes, we do, and also enable WireGuard. But best to do it in some follow-up PRs. k8s-ec2-srcdst would be removed completely. No reason to have both, I guess.
There was a problem hiding this comment.
Does calico-node talk to the AWS API for this, or is it the calico-kube-controllers pod? If it's the latter, we could optionally confine it to run only on master nodes, and grant the IAM permissions only to the instance profile used by the masters.
[Time passes...]
It's part of Felix, and therefore part of calico-node.
|
@lwr20 I am a bit lost here and really puzzled about why I cannot make 3.16.0 work. Any idea what I am doing wrong? 😄 |
|
@hakman is there a way to get the actual error that caused validation to fail? |
|
@fasaxc I am not really sure where the issue comes from from. I also tried using https://docs.projectcalico.org/manifests/calico.yaml and still same issue. You can find the logs of the master node from the test here: |
|
Looking at the controller manager logs, I see lots of errors that match what I saw when I tried upgrading etcd directly from version 3.2.24 to version 3.4.3. |
hakman
force-pushed
the
calico-3.16.0
branch
from
f4754c9 to
09bce60
Compare
hakman
force-pushed
the
calico-3.16.0
branch
from
09bce60 to
3a75074
Compare
|
@seh I got some help from @fasaxc and tracked the issue to projectcalico/cni-plugin#942. Thanks again for all your help @fasaxc :). |
|
/hold to decide if should be merge with patch to wait for v3.16.1. |
k8s-ci-robot
added
the
do-not-merge/hold
|
Works pretty well to use during the net few weeks until a new release is available. |
k8s-ci-robot
removed
the
do-not-merge/hold
hakman
force-pushed
the
calico-3.16.0
branch
from
3a75074 to
7a24b82
Compare
|
/lgtm |
k8s-ci-robot
added
the
lgtm
https://docs.projectcalico.org/archive/v3.16/release-notes/