Add ability to start calico when kubeadm cluster does not have podSubnet configured #2712
Comments
BTW running controller manager with allocate-node-cidrs=false and cluster-cidr=172.20.64.0/18 solved my current problem. I think calico will set up and controller manager will stop spamming node cidr allocation errors on such a configuration. But the question is still open - what is the reason we can't set up calico using tigera operator on kubeadm clusters without a specified networking.podSubnet configuration?
I dug up some additional information:
This parameter is propagated to the kube-controller-manager flag --cluster-cidr and the kube-proxy flag --cluster-cidr. The kube-controller-manager IPAM controller is enabled by setting the --cluster-cidr and --allocate-node-cidrs flags. We have the ability to turn off node CIDR allocation in kube-controller-manager by just not specifying the networking.podSubnet config in kubeadm. But the tigera operator relies on networking.podSubnet.
@tmjd what do you think about this case?
We have the validation that the podSubnet matches the IPPool because kube-proxy might not use the matching CIDR, which would break what kube-proxy does and be a significant problem in a cluster. It sounds like kubeadm needs the capability to turn off node CIDR allocation, since it makes the assumption that podSubnet means node CIDR allocation should be enabled.
The KubeProxyConfiguration from kubeadm configuration is not present in kubeadm-config configmap.
Actually there is a capability to turn off node CIDR allocation in kubeadm while keeping networking.podSubnet set. Anyway, we have a workaround.
We also overrode the allocate-node-cidrs flag in the kubeadm config:
This starts kube-controller-manager with the following flags:
And kube-proxy with:
The networking.podSubnet is also present in the kubeadm-config configmap - so tigera starts the calico pods.
Expected Behavior
We can configure the default IPPool in calico installation without setting podCIDR in kubeadm configuration.
Current Behavior
When installing calico with an IPPool using tigera operator on a kubeadm-created cluster without the networking.PodCIDR param set in the kubeadm configuration, calico does not start.
Steps to Reproduce (for bugs)
Context
We maintain bare metal clusters with calico networking installed using tigera operator.
Our cluster installation is via kubeadm with podCIDR=172.20.64.0/18 and a subnet mask for pods of /24. Calico was installed using the tigera-operator helm chart with the default configuration.
Now we have more than 64 nodes in the cluster, so the node-controller can't assign a podCIDR for new nodes (172.20.64.0/18 has 64 subnets with a /24 mask).
We dug a while and found the following issue.
We also found that for calico it's not a problem, because it ignores the nodes' assigned podCIDR.
The mask for node subnets in our calico installation is /26, which is more than enough for our node workloads and cluster size. Now we are facing the following errors in the kubernetes controller manager:
The controller manager requires the allocate-node-cidrs=true flag if cluster-cidr is specified (per the official documentation).
Setting networking.podSubnet in kubeadm enables those two flags in the controller manager.
So we can't just set the cluster-cidr configuration and disable the allocate-node-cidrs flag to avoid node PodCIDR allocation.
If calico ignores the assigned node PodCIDR and the kubernetes cluster can be set up with kubeadm without networking.podSubnet set, we decided to try such an installation.
We started a new kubeadm cluster without specifying networking.podSubnet.
We installed tigera operator and tried to create a calico Installation (in the operator.tigera.io/v1 API) with a specified IPPool:
Calico does not start and the tigera operator pod writes the following errors in its logs:
Your Environment
kubeadm/kubernetes version v1.23.17
tigera-operator v3.23.1
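The two numbers this thread turns on are the 64 /24 blocks that kube-controller-manager can hand out from a /18 and the 256 /26 blocks Calico can hand out from the same pool, together with whether the podSubnet/IPPool pair passes the operator's check and whether kubeadm's controllerManager.extraArgs override (the workaround from the comments) actually switches node CIDR allocation off. The script below is an added example, not code from this issue or from the Calico or kubeadm projects. It uses only the standard library; the kubeadm ClusterConfiguration and Calico Installation are constructed in-line as dicts rather than YAML, the node count of 70 is made up, and the operator's "podSubnet matches the IPPool" rule is modelled as plain subnet containment, which is an assumption since the thread does not show the exact rule.

```python
import ipaddress

# kube-controller-manager default --node-cidr-mask-size for an IPv4 pod subnet.
KCM_DEFAULT_NODE_MASK = 24

# Constructed kubeadm ClusterConfiguration (dict instead of YAML so no third-party
# parser is needed). Field names are kubeadm's own: networking.podSubnet and
# controllerManager.extraArgs (flag name without leading dashes, string value).
KUBEADM_CONFIG = {
    "apiVersion": "kubeadm.k8s.io/v1beta3",
    "kind": "ClusterConfiguration",
    "networking": {"podSubnet": "172.20.64.0/18"},
    "controllerManager": {"extraArgs": {"allocate-node-cidrs": "false"}},
}

# Constructed Calico Installation (operator.tigera.io/v1) with one IPPool.
CALICO_INSTALLATION = {
    "apiVersion": "operator.tigera.io/v1",
    "kind": "Installation",
    "metadata": {"name": "default"},
    "spec": {"calicoNetwork": {"ipPools": [{"cidr": "172.20.64.0/18", "blockSize": 26}]}},
}


def node_capacity(cidr: str, per_node_prefix: int) -> int:
    """Number of /per_node_prefix blocks that fit in cidr. Every node needs at
    least one block, so this bounds how many nodes the allocator can serve."""
    net = ipaddress.ip_network(cidr, strict=False)
    if per_node_prefix < net.prefixlen:
        raise ValueError(f"block /{per_node_prefix} is larger than pool {net}")
    return 2 ** (per_node_prefix - net.prefixlen)


def kcm_allocates_node_cidrs(kubeadm_config: dict) -> bool:
    """kubeadm turns on --allocate-node-cidrs whenever networking.podSubnet is set;
    an explicit controllerManager.extraArgs entry overrides that default."""
    pod_subnet = kubeadm_config.get("networking", {}).get("podSubnet")
    extra_args = kubeadm_config.get("controllerManager", {}).get("extraArgs", {})
    override = extra_args.get("allocate-node-cidrs")
    if override is not None:
        return str(override).lower() == "true"
    return pod_subnet is not None


def pools_within_pod_subnet(kubeadm_config: dict, installation: dict) -> dict:
    """Map each IPPool cidr to whether it lies inside networking.podSubnet.
    Assumption: the operator's 'podSubnet matches the IPPool' check is modelled
    here as subnet containment. Without a podSubnet there is nothing to validate
    against, which is the case the issue reports as blocking the Installation."""
    pod_subnet = kubeadm_config.get("networking", {}).get("podSubnet")
    pools = installation["spec"]["calicoNetwork"]["ipPools"]
    if pod_subnet is None:
        return {p["cidr"]: False for p in pools}
    subnet = ipaddress.ip_network(pod_subnet, strict=False)
    return {p["cidr"]: ipaddress.ip_network(p["cidr"], strict=False).subnet_of(subnet)
            for p in pools}


def check_cluster(kubeadm_config: dict, installation: dict, node_count: int) -> dict:
    """Summarise whether node_count nodes fit both the kube-controller-manager
    allocator (if it is on) and the Calico IPPool block size."""
    pool = installation["spec"]["calicoNetwork"]["ipPools"][0]
    pod_subnet = kubeadm_config.get("networking", {}).get("podSubnet")
    kcm_on = kcm_allocates_node_cidrs(kubeadm_config)
    kcm_cap = node_capacity(pod_subnet, KCM_DEFAULT_NODE_MASK) if (kcm_on and pod_subnet) else None
    calico_cap = node_capacity(pool["cidr"], pool["blockSize"])
    return {
        "pools_ok": all(pools_within_pod_subnet(kubeadm_config, installation).values()),
        "kcm_allocates_node_cidrs": kcm_on,
        "kcm_node_capacity": kcm_cap,
        "kcm_exhausted": kcm_on and kcm_cap is not None and node_count > kcm_cap,
        "calico_node_capacity": calico_cap,
        "calico_exhausted": node_count > calico_cap,
    }


if __name__ == "__main__":
    # 70 nodes (constructed): more than the 64 /24 blocks in a /18, fewer than its 256 /26 blocks.
    print(check_cluster(KUBEADM_CONFIG, CALICO_INSTALLATION, node_count=70))
    # Same cluster without the extraArgs override: the allocator runs dry at 64 nodes.
    print(check_cluster({**KUBEADM_CONFIG, "controllerManager": {}}, CALICO_INSTALLATION, node_count=70))
```

Run the first call and `kcm_exhausted` is False because allocation is switched off while `pools_ok` stays True, which is the state the thread's workaround produces; drop the override and the same /18 reports `kcm_exhausted` True at 70 nodes, which is the controller-manager error the Context section describes.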