Open killianmuldoon opened 1 year ago
/triage accepted just as a reference the upstream code where Kubernetes components validate CIDR
(see https://github.com/kubernetes-sigs/cluster-api/pull/7420#issuecomment-1290764699)
note: this is initially considered an API change because currently we are not prescriptive on what Cluster.Network CIDRs are for, we saw some borderline usage of that info, and we want to move to a place where it is clear that those values are meant for defining values to be passed to Kubernetes components only, so it makes sense to apply the same validations rules /help
@fabriziopandini: This request has been marked as needing help from a contributor.
Please ensure that the issue body includes answers to the following questions:
For more details on the requirements of such an issue, please see here and ensure that they are met.
If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help
command.
/assign
I would like to help with this.
@viveksyngh Thanks for the interest! But this issue isn't ready to be worked on yet - we've added the label api-change
which means we can't add this until we have a new API version, which I don't think there's been any planning for as of yet. That means this work is at least months away.
/help remove
(to avoid confusion)
Thanks for the info @killianmuldoon
Just rememberd something from a different life :).
The "normal" use case is that the Pod CIDRs are passed through to the kube-controller-manager. The kube-controller-manager takes this CIDR and splits it up to assign Node CIDRs to Nodes. Then the "host-local" IPAM plugin on the nodes assigns IPs from the Node CIDR to individual Pods.
I don't remember how this works e.g. when Calico takes over the IPAM part:
Just wondering if there are scenarios where the baked in kube-controller-manager validation doesn't matter because the whole Node/Pod IPAM stuff is outsourced to e.g. something like Calico.
This issue has not been updated in over 1 year, and should be re-triaged.
You can:
/triage accepted
(org members only)/close
For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/
/remove-triage accepted
/priority important-longterm
In pipeline for the next API version
/triage accepted /remove-priority important-longterm /priority backlog
Add a check in the Cluster webhook to ensure each CIDR block only contains valid CIDR blocks with the following rules:
This change ensures Clusters can not be created or updated with invalid CIDR blocks. This is the value that the Kubernetes control plane components take - e.g. the kube-apiserver flag
--service-cluster-ip-range
is documented:Related to: https://github.com/kubernetes-sigs/cluster-api/pull/7420
/kind feature /area api /kind api-change