Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kubeadm: a warning to user as ipv6 site-local is deprecated #99574

Merged
merged 1 commit into from Mar 2, 2021
Merged

kubeadm: a warning to user as ipv6 site-local is deprecated #99574

merged 1 commit into from Mar 2, 2021

Conversation

pacoxu
Copy link
Member

@pacoxu pacoxu commented Mar 1, 2021

What type of PR is this?

/sig network
/kind feature
/cc @aojea

What this PR does / why we need it:

Site local addresses are the ones that belong to the range FEC0::/10 and are deprecated

As it is deprecated, we may disallow this subnet or give a warning when the user uses this subnet.
Or it would be a error.

Which issue(s) this PR fixes:

same as #91935

Special notes for your reviewer:

See details in #89251 (comment)

http://linux-ip.net/html/tools-ip-address.html
Site-local addresses are supposed to be used within a site. Routers will not forward any packet with site-local source or destination address outside the site.

https://tools.ietf.org/html/rfc3879
deprecated in 2004

Does this PR introduce a user-facing change?

kubeadm: a warning to user as ipv6 site-local is deprecated

@k8s-ci-robot k8s-ci-robot requested a review from aojea March 1, 2021 06:28
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/network Categorizes an issue or PR as relevant to SIG Network. kind/feature Categorizes issue or PR as related to a new feature. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Mar 1, 2021
@k8s-ci-robot
Copy link
Contributor

@pacoxu: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/kubeadm sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. labels Mar 1, 2021
@aojea
Copy link
Member

aojea commented Mar 1, 2021

I don't know if we should do this, it doesn't look as a deprecation to me, is that basically those addresses will not work due to their properties.
The fact that you can configure something doesn't mean that is supported, i.e., users can use today link-local or multicast addresses, or even public addresses like 8.8.8.8 to their pods, ... they can configure them, but that will not work or will have lot of issues

@pacoxu
Copy link
Member Author

pacoxu commented Mar 1, 2021
edited

Maybe we should forbid the use of those subnets here.
Here is a list in https://en.wikipedia.org/wiki/Reserved_IP_addresses

Site-Local address is something very weird (which seems to be right but cannot be shown in kubernetes cluster with docker).

IPV6

Address type         Binary prefix        IPv6 notation   Section
   ------------         -------------        -------------   -------
   Unspecified          00...0  (128 bits)   ::/128          2.5.2
   Loopback             00...1  (128 bits)   ::1/128         2.5.3
   Multicast            11111111             FF00::/8        2.7
   Link-local unicast   1111111010           FE80::/10       2.5.6
   Site-local unicast   1111111011           FEC0::/10       2.5.6

IPV4

127.0.0.0/8. loopback 
169.254.0.0/16. Link-local

@aojea
Copy link
Member

aojea commented Mar 1, 2021

Maybe we should forbid the use of those subnets here.
Here is a list in https://en.wikipedia.org/wiki/Reserved_IP_addresses

Site-Local address is something very weird (which seems to be right but cannot be shown in kubernetes cluster with docker).

IPV6

Address type         Binary prefix        IPv6 notation   Section
   ------------         -------------        -------------   -------
   Unspecified          00...0  (128 bits)   ::/128          2.5.2
   Loopback             00...1  (128 bits)   ::1/128         2.5.3
   Multicast            11111111             FF00::/8        2.7
   Link-local unicast   1111111010           FE80::/10       2.5.6
   Site-local unicast   1111111011           FEC0::/10       2.5.6

IPV4

127.0.0.0/8. loopback 
169.254.0.0/16. Link-local

yeah, my point is to what point you want to be opinionated, if you read those ip addresses definition you know that you shouldn't use it ...

@pacoxu
Copy link
Member Author

pacoxu commented Mar 1, 2021
edited

To explain something more, I agree with you that users should know that and don't use those subnets as common sense.

However, I worked on some projects that the user may challenge that this is not raising during installation.

  • It would be a problem with the product installation.😓
  • Another reason is that I think that kubeadm cannot update it easily, it will result in re-installing the cluster. (I think this is the only benefits)

@aojea
Copy link
Member

aojea commented Mar 1, 2021

However, I worked on some projects that the user may challenge that this is not raising during installation.

history of my life :)

neolit123
neolit123 reviewed Mar 2, 2021
View reviewed changes
Copy link
Member

@neolit123 neolit123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pacoxu
i suggested some minor changes.

also release note should be:

kubeadm: warn when a user provided subnet is in site-local range - i.e. contains addresses that belong to FEC0::/10

@aojea @pacoxu
having this warning doesn't seem to hurt much.
but i tend to agree that maybe users should read the specs and understand they should not use a certain range, instead of kubeadm warning them.

@aojea leaving LGTM to you.

cmd/kubeadm/app/apis/kubeadm/validation/validation.go Outdated Show resolved Hide resolved
cmd/kubeadm/app/apis/kubeadm/validation/validation.go Outdated Show resolved Hide resolved
cmd/kubeadm/app/constants/constants.go Outdated Show resolved Hide resolved
@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Mar 2, 2021
@pacoxu pacoxu force-pushed the feature/check-ipv6-site-warnings branch 2 times, most recently from fe0b0c4 to 2dbff4a Compare March 2, 2021 01:46
@pacoxu
Copy link
Member Author

pacoxu commented Mar 2, 2021

/test pull-kubernetes-node-e2e
for test/e2e_node/mirror_pod_grace_period_test.go

@pacoxu pacoxu force-pushed the feature/check-ipv6-site-warnings branch from 2dbff4a to 154cd74 Compare March 2, 2021 08:19
@aojea
Copy link
Member

aojea commented Mar 2, 2021

/lgtm
Thanks

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 2, 2021
@pacoxu pacoxu force-pushed the feature/check-ipv6-site-warnings branch from 2920488 to 1e89c85 Compare March 2, 2021 09:07
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 2, 2021
@aojea
Copy link
Member

aojea commented Mar 2, 2021

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 2, 2021
@pacoxu pacoxu force-pushed the feature/check-ipv6-site-warnings branch from 1e89c85 to 5636e37 Compare March 2, 2021 09:39
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 2, 2021
@pacoxu
Copy link
Member Author

pacoxu commented Mar 2, 2021
edited

rebase to latest master
The test failed for dependencies which are removed.

@aojea
Copy link
Member

aojea commented Mar 2, 2021

/lgtm
😄

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Mar 2, 2021
@pacoxu @aojea @neolit123
log a warning if ipv6 site-local addresses is using as it shouldn't b…
3c33cea 
…e deprecated

Signed-off-by: pacoxu <paco.xu@daocloud.io>
Co-authored-by: Antonio Ojea <antonio.ojea.garcia@gmail.com>
Co-authored-by: Lubomir I. Ivanov <neolit123@gmail.com>
@pacoxu pacoxu force-pushed the feature/check-ipv6-site-warnings branch from 5636e37 to 3c33cea Compare March 2, 2021 13:52
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 2, 2021
neolit123
neolit123 reviewed Mar 2, 2021
View reviewed changes
Copy link
Member

@neolit123 neolit123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve
/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 2, 2021
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 2, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: neolit123, pacoxu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 2, 2021
@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@k8s-ci-robot k8s-ci-robot merged commit 445cb06 into kubernetes:master Mar 2, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.21 milestone Mar 2, 2021
@pacoxu pacoxu deleted the feature/check-ipv6-site-warnings branch June 23, 2021 05:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@neolit123 neolit123 neolit123 left review comments

@aojea aojea aojea left review comments

@lala123912 lala123912 lala123912 left review comments

Assignees

@neolit123 neolit123

@aojea aojea

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubeadm cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. sig/network Categorizes an issue or PR as relevant to SIG Network. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
v1.21
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@pacoxu @k8s-ci-robot @aojea @fejta-bot @neolit123 @lala123912