Request: Add cni-plugins extensions #448
Comments
|
The problem with CNI plugins is that they should be writeable (as many CNIs drop their own plugins there). So the benefit of bundling CNI plugins as a system extension is not what it should be - delivered as part of Talos Linux image and verified to be same. So the same effect might be achieved by simply putting a mirror registry in front of the |
|
I think being able to use the flannel and kube-router charts without patches would still be a big usability win. Not all CNIs behave aggressively like Calico and Cilium. |
|
Yes, that's true as well. So let's keep this open for additional consideration. We could bundle CNI plugins with base Talos as well, as they are always needed (there's no question they won't be needed with almost any CNI). |
smira
added a commit
to smira/talos
that referenced
this issue
Aug 12, 2024
Fixes siderolabs/extensions#448 Bundle some CNI standard plugins plus Flannel CNI plugin (as Flannel is the default CNI in Talos) in the Talos `initramfs`. With this change, no plugin install is required, so the `install-cni` step is dropped from the Flannel default manifest. The bundled plugins: ``` $ talosctl -n 172.20.0.2 ls -lH /opt/cni/bin/ NODE MODE UID GID SIZE(B) LASTMOD NAME 172.20.0.2 drwxr-xr-x 0 0 109 B 7 hours ago . 172.20.0.2 -rwxr-xr-x 0 0 3.2 MB 7 hours ago bridge 172.20.0.2 -rwxr-xr-x 0 0 3.3 MB 7 hours ago firewall 172.20.0.2 -rwxr-xr-x 0 0 2.4 MB 7 hours ago flannel 172.20.0.2 -rwxr-xr-x 0 0 2.4 MB 7 hours ago host-local 172.20.0.2 -rwxr-xr-x 0 0 2.4 MB 7 hours ago loopback 172.20.0.2 -rwxr-xr-x 0 0 2.8 MB 7 hours ago portmap ``` The `initramfs` for amd64 grows 67 -> 73 MiB with this change. The path `/opt/cni/bin` is still an overlay mount, so extra plugins can be dropped to this directory (no change here). Signed-off-by: Andrey Smirnov <[email protected]>
smira
added a commit
to smira/talos
that referenced
this issue
Aug 12, 2024
Fixes siderolabs/extensions#448 Bundle some CNI standard plugins plus Flannel CNI plugin (as Flannel is the default CNI in Talos) in the Talos `initramfs`. With this change, no plugin install is required, so the `install-cni` step is dropped from the Flannel default manifest. The bundled plugins: ``` $ talosctl -n 172.20.0.2 ls -lH /opt/cni/bin/ NODE MODE UID GID SIZE(B) LASTMOD NAME 172.20.0.2 drwxr-xr-x 0 0 109 B 7 hours ago . 172.20.0.2 -rwxr-xr-x 0 0 3.2 MB 7 hours ago bridge 172.20.0.2 -rwxr-xr-x 0 0 3.3 MB 7 hours ago firewall 172.20.0.2 -rwxr-xr-x 0 0 2.4 MB 7 hours ago flannel 172.20.0.2 -rwxr-xr-x 0 0 2.4 MB 7 hours ago host-local 172.20.0.2 -rwxr-xr-x 0 0 2.4 MB 7 hours ago loopback 172.20.0.2 -rwxr-xr-x 0 0 2.8 MB 7 hours ago portmap ``` The `initramfs` for amd64 grows 67 -> 73 MiB with this change. The path `/opt/cni/bin` is still an overlay mount, so extra plugins can be dropped to this directory (no change here). Signed-off-by: Andrey Smirnov <[email protected]>
smira
added a commit
to smira/talos
that referenced
this issue
Aug 13, 2024
Fixes siderolabs/extensions#448 Bundle some CNI standard plugins plus Flannel CNI plugin (as Flannel is the default CNI in Talos) in the Talos `initramfs`. With this change, no plugin install is required, so the `install-cni` step is dropped from the Flannel default manifest. The bundled plugins: ``` $ talosctl -n 172.20.0.2 ls -lH /opt/cni/bin/ NODE MODE UID GID SIZE(B) LASTMOD NAME 172.20.0.2 drwxr-xr-x 0 0 109 B 7 hours ago . 172.20.0.2 -rwxr-xr-x 0 0 3.2 MB 7 hours ago bridge 172.20.0.2 -rwxr-xr-x 0 0 3.3 MB 7 hours ago firewall 172.20.0.2 -rwxr-xr-x 0 0 2.4 MB 7 hours ago flannel 172.20.0.2 -rwxr-xr-x 0 0 2.4 MB 7 hours ago host-local 172.20.0.2 -rwxr-xr-x 0 0 2.4 MB 7 hours ago loopback 172.20.0.2 -rwxr-xr-x 0 0 2.8 MB 7 hours ago portmap ``` The `initramfs` for amd64 grows 67 -> 73 MiB with this change. The path `/opt/cni/bin` is still an overlay mount, so extra plugins can be dropped to this directory (no change here). Signed-off-by: Andrey Smirnov <[email protected]>
nicklasfrahm
pushed a commit
to nicklasfrahm/talos
that referenced
this issue
Aug 14, 2024
Fixes siderolabs/extensions#448 Bundle some CNI standard plugins plus Flannel CNI plugin (as Flannel is the default CNI in Talos) in the Talos `initramfs`. With this change, no plugin install is required, so the `install-cni` step is dropped from the Flannel default manifest. The bundled plugins: ``` $ talosctl -n 172.20.0.2 ls -lH /opt/cni/bin/ NODE MODE UID GID SIZE(B) LASTMOD NAME 172.20.0.2 drwxr-xr-x 0 0 109 B 7 hours ago . 172.20.0.2 -rwxr-xr-x 0 0 3.2 MB 7 hours ago bridge 172.20.0.2 -rwxr-xr-x 0 0 3.3 MB 7 hours ago firewall 172.20.0.2 -rwxr-xr-x 0 0 2.4 MB 7 hours ago flannel 172.20.0.2 -rwxr-xr-x 0 0 2.4 MB 7 hours ago host-local 172.20.0.2 -rwxr-xr-x 0 0 2.4 MB 7 hours ago loopback 172.20.0.2 -rwxr-xr-x 0 0 2.8 MB 7 hours ago portmap ``` The `initramfs` for amd64 grows 67 -> 73 MiB with this change. The path `/opt/cni/bin` is still an overlay mount, so extra plugins can be dropped to this directory (no change here). Signed-off-by: Andrey Smirnov <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In siderolabs/talos#6729 it was decided that cni-plugins shouldn't be included by default so as to not bloat the main image.
Talos uses
ghcr.io/siderolabs/install-cniby default to copy in the plugins on boot, but this is slower than having them pre-installed. This works well.The advantage is that then the upstream flannel and kube-router helm charts/manifests can be used which allows more fine-grained config over things (e.g. nftables mode, kube-network-policies, etc). Furthemor, it would help boot times as the image pull (after a /var wipe like in an upgrade) and copy in the initContainer could be skipped.
The official way is not super straight forward: siderolabs/talos#7583 as it requires patching.
Now that the factory is live it would be more elegant to provide the plugins as an option.
The text was updated successfully, but these errors were encountered: