diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 684051d199c1..ae06960907d4 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -38,7 +38,7 @@ jobs: strategy: fail-fast: false matrix: - etest: [startup, s3, btrfs, externalip, privateregistry, embeddedmirror, wasm] + etest: [startup, s3, btrfs, externalip, privateregistry, embeddedmirror, wasm, svcpoliciesandfirewall] max-parallel: 3 steps: - name: "Checkout"
diff --git a/pkg/cloudprovider/servicelb.go b/pkg/cloudprovider/servicelb.go
index 0f2e6d4bae97..3aa0fa95ab70 100644
--- a/pkg/cloudprovider/servicelb.go
+++ b/pkg/cloudprovider/servicelb.go
@@ -2,12 +2,12 @@ package cloudprovider import ( "context" + "encoding/json" "fmt" "sort" - "strconv" "strings" "time" - "encoding/json" + "sigs.k8s.io/yaml" "github.com/k3s-io/k3s/pkg/util"
@@ -43,6 +43,7 @@ var ( daemonsetNodeLabel = "svccontroller." + version.Program + ".cattle.io/enablelb" daemonsetNodePoolLabel = "svccontroller." + version.Program + ".cattle.io/lbpool" nodeSelectorLabel = "svccontroller." + version.Program + ".cattle.io/nodeselector" + extTrafficPolicyLabel = "svccontroller." + version.Program + ".cattle.io/exttrafficpolicy" priorityAnnotation = "svccontroller." + version.Program + ".cattle.io/priorityclassname" tolerationsAnnotation = "svccontroller." + version.Program + ".cattle.io/tolerations" controllerName = names.ServiceLBController
@@ -55,7 +56,7 @@ const ( ) var ( - DefaultLBImage = "rancher/klipper-lb:v0.4.9" + DefaultLBImage = "rancher/mirrored-library-busybox:1.36.1" ) func (k *k3s) Register(ctx context.Context,
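Review bot: DefaultLBImage now names a plain busybox image whose only job in this change is to run `sleep inf`, but nothing near the constant says so, and a reader of the `var` block will still assume the image implements the load balancer as klipper-lb did. Add a doc comment above it such as `// DefaultLBImage only needs to provide a sleep binary: the servicelb pods reserve the ports and no longer forward traffic themselves.` The claim about who forwards traffic now should be confirmed against the rest of the change, since only the pod spec side is visible in this diff.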
@@ -435,35 +436,17 @@ func (k *k3s) newDaemonSet(svc *core.Service) (*apps.DaemonSet, error) { oneInt := intstr.FromInt(1) priorityClassName := k.getPriorityClassName(svc) localTraffic := servicehelper.RequestsOnlyLocalTraffic(svc) - sourceRangesSet, err := servicehelper.GetLoadBalancerSourceRanges(svc) - if err != nil { - return nil, err - } - sourceRanges := strings.Join(sourceRangesSet.StringSlice(), ",") securityContext := &core.PodSecurityContext{} - for _, ipFamily := range svc.Spec.IPFamilies { - switch ipFamily { - case core.IPv4Protocol: - securityContext.Sysctls = append(securityContext.Sysctls, core.Sysctl{Name: "net.ipv4.ip_forward", Value: "1"}) - case core.IPv6Protocol: - securityContext.Sysctls = append(securityContext.Sysctls, core.Sysctl{Name: "net.ipv6.conf.all.forwarding", Value: "1"}) - if sourceRanges == "0.0.0.0/0" { - // The upstream default load-balancer source range only includes IPv4, even if the service is IPv6-only or dual-stack. - // If using the default range, and IPv6 is enabled, also allow IPv6. - sourceRanges += ",::/0" - } - } - } - ds := &apps.DaemonSet{ ObjectMeta: meta.ObjectMeta{ Name: name, Namespace: k.LBNamespace, Labels: labels.Set{ - nodeSelectorLabel: "false", - svcNameLabel: svc.Name, - svcNamespaceLabel: svc.Namespace, + nodeSelectorLabel: "false", + svcNameLabel: svc.Name, + svcNamespaceLabel: svc.Namespace, + extTrafficPolicyLabel: "Cluster", }, }, TypeMeta: meta.TypeMeta{
@@ -522,6 +505,7 @@ func (k *k3s) newDaemonSet(svc *core.Service) (*apps.DaemonSet, error) { Name: portName, Image: k.LBImage, ImagePullPolicy: core.PullIfNotPresent, + Command: []string{"sleep", "inf"}, Ports: []core.ContainerPort{ { Name: portName,
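Review bot: With the sysctl loop gone, `securityContext := &core.PodSecurityContext{}` is always an empty struct, so the variable carries no information and only survives because the pod spec further down (outside this hunk) presumably still references it; either remove it together with the field it feeds, or leave a one-line comment saying no pod-level sysctls are required any more. The same hunk drops the `GetLoadBalancerSourceRanges` handling, which means `loadBalancerSourceRanges` on the Service is no longer enforced by this DaemonSet at all; that is a security-relevant behaviour change that deserves a comment in `newDaemonSet`, e.g. `// The LB pods no longer filter traffic; loadBalancerSourceRanges are enforced elsewhere (kube-proxy), not here.` — the kube-proxy part is an inference from the new svcpoliciesandfirewall e2e entry and should be confirmed. `newDaemonSet` begins before this hunk and continues past it.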
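Review bot: The container now runs only `sleep inf`, yet the hunk sets no `SecurityContext` at all (the old NET_ADMIN block is removed in the following hunk), so it runs with the runtime's default capability set although it needs none of it. Since the process does nothing, drop all capabilities and forbid privilege escalation explicitly; that keeps the port-holding pods at least privilege and makes the intent visible to policy tooling such as Pod Security admission. `noPrivEsc := false` can be declared once before the port loop so its address can be taken. The enclosing loop and `newDaemonSet` extend beyond this hunk.
```go
Image:           k.LBImage,
ImagePullPolicy: core.PullIfNotPresent,
Command:         []string{"sleep", "inf"},
SecurityContext: &core.SecurityContext{
	AllowPrivilegeEscalation: &noPrivEsc,
	Capabilities:             &core.Capabilities{Drop: []core.Capability{"ALL"}},
},
// … unchanged: Ports …
```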
@@ -530,57 +514,7 @@ func (k *k3s) newDaemonSet(svc *core.Service) (*apps.DaemonSet, error) { Protocol: port.Protocol, }, }, - Env: []core.EnvVar{ - { - Name: "SRC_PORT", - Value: strconv.Itoa(int(port.Port)), - }, - { - Name: "SRC_RANGES", - Value: sourceRanges, - }, - { - Name: "DEST_PROTO", - Value: string(port.Protocol), - }, - }, - SecurityContext: &core.SecurityContext{ - Capabilities: &core.Capabilities{ - Add: []core.Capability{ - "NET_ADMIN", - }, - }, - }, - } - - if localTraffic { - container.Env = append(container.Env, - core.EnvVar{ - Name: "DEST_PORT", - Value: strconv.Itoa(int(port.NodePort)), - }, - core.EnvVar{ - Name: "DEST_IPS", - ValueFrom: &core.EnvVarSource{ - FieldRef: &core.ObjectFieldSelector{ - FieldPath: getHostIPsFieldPath(), - }, - }, - }, - ) - } else { - container.Env = append(container.Env, - core.EnvVar{ - Name: "DEST_PORT", - Value: strconv.Itoa(int(port.Port)), - }, - core.EnvVar{ - Name: "DEST_IPS", - Value: strings.Join(svc.Spec.ClusterIPs, ","), - }, - ) } - ds.Spec.Template.Spec.Containers = append(ds.Spec.Template.Spec.Containers, container) }
@@ -608,6 +542,11 @@ func (k *k3s) newDaemonSet(svc *core.Service) (*apps.DaemonSet, error) { } ds.Spec.Template.Spec.Tolerations = append(ds.Spec.Template.Spec.Tolerations, tolerations...) + // Change the label to force the DaemonSet to update and call onPodChange if the ExternalTrafficPolicy changes + if localTraffic { + ds.Spec.Template.Labels[extTrafficPolicyLabel] = "Local" + } + return ds, nil }
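Review bot: `ds.Spec.Template.Labels[extTrafficPolicyLabel] = "Local"` writes into the pod template's label map, which is built outside this hunk; if that map is ever left nil the assignment panics, and a guard `if ds.Spec.Template.Labels == nil { ds.Spec.Template.Labels = map[string]string{} }` placed just before it is cheap insurance. Note also that the `"Cluster"` default added in the earlier hunk goes on the DaemonSet's own `ObjectMeta.Labels`, whereas the `"Local"` override goes on `Spec.Template.Labels`; if the template is the rollout trigger, the comment should state that the key's absence on the template means Cluster, e.g. `// Only the Local value is stamped on the pod template; its absence means Cluster.` The end of `newDaemonSet` is inside this hunk, its start is not.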
@@ -710,8 +649,8 @@ func (k *k3s) getPriorityClassName(svc *core.Service) string { return k.LBDefaultPriorityClassName } -// getTolerations retrieves the tolerations from a service's annotations. -// It parses the tolerations from a JSON or YAML string stored in the annotations. +// getTolerations retrieves the tolerations from a service's annotations. +// It parses the tolerations from a JSON or YAML string stored in the annotations. func (k *k3s) getTolerations(svc *core.Service) ([]core.Toleration, error) { tolerationsStr, ok := svc.Annotations[tolerationsAnnotation] if !ok {
diff --git a/scripts/airgap/image-list.txt b/scripts/airgap/image-list.txt
index 3f700553e029..62ee4ef7adc0 100644
--- a/scripts/airgap/image-list.txt
+++ b/scripts/airgap/image-list.txt
@@ -1,5 +1,4 @@ docker.io/rancher/klipper-helm:v0.9.3-build20241008 -docker.io/rancher/klipper-lb:v0.4.9 docker.io/rancher/local-path-provisioner:v0.0.30 docker.io/rancher/mirrored-coredns-coredns:1.11.3 docker.io/rancher/mirrored-library-busybox:1.36.1
diff --git a/updatecli/updatecli.d/klipper-lb.yaml b/updatecli/updatecli.d/klipper-lb.yaml
deleted file mode 100644
index 28fc57e77de2..000000000000
--- a/updatecli/updatecli.d/klipper-lb.yaml
+++ /dev/null
@@ -1,71 +0,0 @@ ---- -name: "Bump Klipper LB version" -scms: - k3s: - kind: "github" - spec: - user: "{{ .github.user }}" - email: "{{ .github.email }}" - username: "{{ .github.username }}" - token: "{{ requiredEnv .github.token }}" - owner: "{{ .k3s.org }}" - repository: "{{ .k3s.repo }}" - branch: "{{ .k3s.branch }}" - commitmessage: - title: "Bump Klipper LB version" - klipper-lb: - kind: "github" - spec: - user: "{{ .github.user }}" - email: "{{ .github.email }}" - username: "{{ .github.username }}" - token: "{{ requiredEnv .github.token }}" - owner: "{{ .k3s.org }}" - repository: "{{ .klipper_lb.repo }}" - branch: "{{ .klipper_lb.branch }}" - -actions: - github: - title: "Bump Klipper LB version" - kind: "github/pullrequest" - scmid: "k3s" - spec: - automerge: false - mergemethod: "squash" - usetitleforautomerge: true - parent: false - labels: - - "dependencies" - -sources: - klipper-lb: - name: "Get Klipper LB latest release version" - kind: "githubrelease" - spec: - owner: "{{ .klipper_lb.org }}" - repository: "{{ .klipper_lb.repo }}" - branch: "{{ .klipper_lb.branch }}" - token: "{{ requiredEnv .github.token }}" - versionfilter: - kind: "latest" - -conditions: - klipper-lb: - name: "Check rancher/klipper-lb image version in DockerHub" - kind: "dockerimage" - sourceid: "klipper-lb" - spec: - image: "rancher/klipper-lb" - -targets: - klipper-lb: - name: "Update rancher/klipper-lb image versions" - kind: "file" - scmid: "k3s" - sourceid: "klipper-lb" - spec: - files: - - "pkg/cloudprovider/servicelb.go" - - "scripts/airgap/image-list.txt" - matchpattern: 'rancher/klipper-lb:v\d+\.\d+\.\d+(-\w+)?' - replacepattern: 'rancher/klipper-lb:{{ source "klipper-lb" }}'
diff --git a/updatecli/values.yaml b/updatecli/values.yaml
index 5b46fade560b..3890caedbe3e 100644
--- a/updatecli/values.yaml
+++ b/updatecli/values.yaml
@@ -11,10 +11,6 @@ klipper_helm: org: "k3s-io" repo: "klipper-helm" branch: "master" -klipper_lb: - org: "k3s-io" - repo: "klipper-lb" - branch: "master" local_path_provisioner: org: "rancher" repo: "local-path-provisioner"