kubernetes-sigs / kind

Kubernetes IN Docker - local clusters for testing Kubernetes
https://kind.sigs.k8s.io/
Apache License 2.0

[RFC] Network policies #3611

Closed aojea closed 1 week ago

aojea commented 1 month ago

Add support for network policies in KIND

/hold

Fixes: https://github.com/kubernetes-sigs/kind/issues/842

1. Build kind

```
make
go build -v -o "/usr/local/google/home/aojea/src/kind/bin/kind" -trimpath -ldflags="-buildid= -w -X=sigs.k8s.io/kind/pkg/cmd/kind/version.gitCommit=d3c7631e37eed1714a7a1ea923a7393842a384d3 -X=sigs.k8s.io/kind/pkg/cmd/kind/version.gitCommitCount=6"
```

2. Create node image

```
bin/kind build node-image ~/src/kubernetes/
Starting to build Kubernetes
+++ [0514 11:25:11] Verifying Prerequisites....
+++ [0514 11:25:11] Building Docker image kube-build:build-300e2a667e-5-v1.31.0-go1.22.3-bullseye.0
+++ [0514 11:26:57] Creating data container kube-build-data-300e2a667e-5-v1.31.0-go1.22.3-bullseye.0
+++ [0514 11:27:02] Syncing sources to container
+++ [0514 11:27:21] Running build command...
+++ [0514 11:27:28] Building go targets for linux/amd64
k8s.io/kubernetes/cmd/kube-apiserver (static)
k8s.io/kubernetes/cmd/kube-controller-manager (static)
k8s.io/kubernetes/cmd/kube-proxy (static)
k8s.io/kubernetes/cmd/kube-scheduler (static)
k8s.io/kubernetes/cmd/kubeadm (static)
k8s.io/kubernetes/cmd/kubectl (static)
k8s.io/kubernetes/cmd/kubelet (non-static)
+++ [0514 11:28:37] Syncing out of container
+++ [0514 11:28:45] Building images: linux-amd64
+++ [0514 11:28:45] Starting docker build for image: kube-apiserver-amd64
+++ [0514 11:28:45] Starting docker build for image: kube-controller-manager-amd64
+++ [0514 11:28:45] Starting docker build for image: kube-scheduler-amd64
+++ [0514 11:28:45] Starting docker build for image: kube-proxy-amd64
+++ [0514 11:28:45] Starting docker build for image: kubectl-amd64
+++ [0514 11:28:51] Deleting docker image registry.k8s.io/kubectl-amd64:v1.31.0-alpha.0.740_caafc211407c66-dirty
+++ [0514 11:28:51] Deleting docker image registry.k8s.io/kube-scheduler-amd64:v1.31.0-alpha.0.740_caafc211407c66-dirty
+++ [0514 11:28:51] Deleting docker image registry.k8s.io/kube-proxy-amd64:v1.31.0-alpha.0.740_caafc211407c66-dirty
+++ [0514 11:28:52] Deleting docker image registry.k8s.io/kube-controller-manager-amd64:v1.31.0-alpha.0.740_caafc211407c66-dirty
+++ [0514 11:28:53] Deleting docker image registry.k8s.io/kube-apiserver-amd64:v1.31.0-alpha.0.740_caafc211407c66-dirty
+++ [0514 11:28:53] Docker builds done
Finished building Kubernetes
Building node image ...
Building in container: kind-build-1715686140-869641220
Image "kindest/node:latest" build completed.
```

3. Create cluster

```
bin/kind create cluster --config kind-config.yaml --name netpol --image kindest/node:latest
Creating cluster "netpol" ...
 ✓ Ensuring node image (kindest/node:latest) 🖼
 ✓ Preparing nodes 📦
 ✓ Writing configuration 📜
 ✓ Starting control-plane 🕹️
 ✓ Installing CNI 🔌
 ✓ Installing Network Policies 🔒
 ✓ Installing StorageClass 💾
Set kubectl context to "kind-netpol"
You can now use your cluster with:

kubectl cluster-info --context kind-netpol

Have a nice day! 👋
```

4. Check network policies pods are running

```
kubectl -n kube-system get pods | grep network-policies
kube-network-policies-lvmvz                    1/1     Running   0          3m7s
```
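A follow-up check for the last step, added here as an example and not code from this PR or from kind itself: once the cluster is up, it confirms that the kube-network-policies pod is Ready and then shows that policies are actually enforced, by applying a default-deny ingress NetworkPolicy and verifying that a connection which succeeded before the policy is refused after it. It assumes kubectl on PATH with the `kind-netpol` context from the output above; the namespace name `netpol-check`, the agnhost test image `registry.k8s.io/e2e-test-images/agnhost:2.45` and its `netexec`/`connect` subcommands are my choices, and any small HTTP server and client pair would do instead.

```shell
#!/bin/sh
# Added example (not code from the kind PR or the project): verify that the
# network-policy support built in the steps above is both running and enforced.
# Assumptions: kubectl is on PATH and the "kind-netpol" context from the
# output above exists; the namespace name and the agnhost image are my choices.
set -eu

CONTEXT="${CONTEXT:-kind-netpol}"
NS="${NS:-netpol-check}"
AGNHOST="registry.k8s.io/e2e-test-images/agnhost:2.45"   # assumed to be pullable

# pod_ready LINE: succeed when one "kubectl get pods" line shows a Running pod
# whose READY column is n/n. Pure text parsing, so it can be exercised offline
# on a line such as the one in the output above.
pod_ready() {
  line="$1"
  ready=$(printf '%s\n' "$line" | awk '{print $2}')
  status=$(printf '%s\n' "$line" | awk '{print $3}')
  case "$ready" in */*) ;; *) return 1 ;; esac     # READY must look like n/n
  [ "$status" = "Running" ] || return 1
  [ "${ready%/*}" = "${ready#*/}" ] || return 1    # all containers ready
}

# Every kube-network-policies pod in kube-system must be Ready.
netpol_pods_ready() {
  out=$(kubectl --context "$CONTEXT" -n kube-system get pods --no-headers \
        | grep network-policies) || { echo "no kube-network-policies pod found" >&2; return 1; }
  printf '%s\n' "$out" | while read -r l; do
    # exit only leaves the pipeline subshell; the pipeline status becomes 1
    pod_ready "$l" || { echo "not ready: $l" >&2; exit 1; }
  done
}

# Apply a default-deny ingress policy and confirm that a request which
# succeeded before the policy is refused after it.
verify_default_deny() {
  kubectl --context "$CONTEXT" create namespace "$NS" --dry-run=client -o yaml \
    | kubectl --context "$CONTEXT" apply -f -
  kubectl --context "$CONTEXT" -n "$NS" run server --image="$AGNHOST" -- netexec --http-port=8080
  kubectl --context "$CONTEXT" -n "$NS" wait --for=condition=Ready pod/server --timeout=120s
  server_ip=$(kubectl --context "$CONTEXT" -n "$NS" get pod server -o jsonpath='{.status.podIP}')

  # Baseline: no policy yet, so the connection must succeed.
  kubectl --context "$CONTEXT" -n "$NS" run probe-open --rm -i --restart=Never \
    --image="$AGNHOST" -- connect "$server_ip:8080" --timeout=3s

  # Constructed manifest: deny all ingress to every pod in the namespace.
  kubectl --context "$CONTEXT" -n "$NS" apply -f - <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
EOF

  # The same connection must now fail; if it succeeds, policies are not enforced.
  if kubectl --context "$CONTEXT" -n "$NS" run probe-denied --rm -i --restart=Never \
       --image="$AGNHOST" -- connect "$server_ip:8080" --timeout=3s; then
    echo "FAIL: connection succeeded despite default-deny-ingress" >&2
    return 1
  fi
  echo "OK: default-deny NetworkPolicy is enforced"
  kubectl --context "$CONTEXT" delete namespace "$NS" --wait=false
}

# Only talk to a cluster when explicitly asked, so the parsing helper can be
# sourced and used on its own:  sh netpol-check.sh --run
if [ "${1:-}" = "--run" ]; then
  netpol_pods_ready
  verify_default_deny
fi
```

The baseline probe matters: without it, a "refused" result could just as well mean the server never came up, so the script only reports enforcement when the same request flips from success to failure after the policy is applied.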
k8s-ci-robot commented 1 month ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aojea

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/kubernetes-sigs/kind/blob/main/OWNERS)~~ [aojea]

Approvers can indicate their approval by writing `/approve` in a comment.
Approvers can cancel approval by writing `/approve cancel` in a comment.
aojea commented 1 month ago

/assign @BenTheElder

aojea commented 1 month ago

@neolit123 the alternative is to ship it with kindnet https://github.com/kubernetes-sigs/kind/pull/3612 and no API required

neolit123 commented 1 month ago

> @neolit123 the alternative is to ship it with kindnet #3612 and no API required

I think making it not part of kindnet seems better to me. 2c

BenTheElder commented 2 weeks ago

Making it part of kindnetd would make it easier for projects that are swapping out kindnet to exclude it, and for projects that aren't swapping out kindnet ... I'm not sure why it would be a problem to include it in kindnet?

I think that's the simpler approach, and consistent with e.g. ip masquerade just being built into kindnet.

In the future we may also look into if we can ship it in a single image / container by importing the controller or something like that (to share resources & patching better).