Closed (rancherbot closed this issue 1 year ago)
---------------------
Command:
rke2 -v
---------------------
Result:
rke2 version v1.25.11-dev+cc87f300 (cc87f300a42060b37fd89f7a034b5485b8a758cc)
go version go1.19.10 X:boringcrypto
---------------------
Infrastructure
Node(s) CPU architecture, OS, and Version:
Ubuntu
Cluster Configuration:
1 server
Config.yaml:
cni: canal
Additional files:
# Install helm
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh
# Install the RKE2 config
sudo mkdir -p /etc/rancher/rke2 && sudo cp config.yaml /etc/rancher/rke2
Validation target: workloadSourceSpoofing to be present on FelixConfiguration.spec (rke2-canal chart v3.25.1-build2023051203)
Validation Results:
---------------------
Command:
kubectl explain FelixConfiguration.spec --kubeconfig=/tmp/bgrke2-125_kubeconfig | grep workload
---------------------
Result:
drop IPIP encapsulated traffic from workloads [Default: false]
drop VXLAN encapsulated traffic from workloads [Default: false]
network. This needs to match the interfaces that Calico workload traffic
workload interfaces (usually named cali...).
remote workloads. If set to "Tunnel" then both request and response traffic
mode for workloads and services. [Default: true - bypass Linux conntrack]
Calico workload traffic flows over as well as any interfaces that handle
large enough to hold an entry for each device (host + workloads) on a host.
large enough to hold one entry per workload and a handful of entries per
a workload endpoint to the host itself (after the traffic hits the endpoint
egress policy). By default Calico blocks traffic from workload endpoints to
packets to the "INPUT" chain once it has completed processing workload
workloads after processing workload endpoint egress policy. [Default: Drop]
workloads or if CPU is constrained. For a list of active subcomponents, see
InterfacePrefix is the interface name prefix that identifies workload
these ranges to separate host and workload traffic. [Default: 30000:32767].
match workload interfaces (usually named cali...).
WorkloadIPs: use workload endpoints to construct routes. - CalicoIPAM: the
workloadSourceSpoofing <string>
---------------------
Command:
helm ls -A --kubeconfig=/tmp/bgrke2-125_kubeconfig | grep rke2-canal
---------------------
Result:
rke2-canal kube-system 1 2023-07-13 20:45:50.941014496 +0000 UTC deployed rke2-canal-v3.25.1-build2023051203 v3.25.1
---------------------
This is a backport issue for https://github.com/rancher/rke2/issues/4453, automatically created via rancherbot by @rbrtbnfgl
Original issue description:
Environmental Info:
RKE2 Version:
Node(s) CPU architecture, OS, and Version:
Cluster Configuration: 3 servers, 4 agents
Describe the bug:
When using the default Canal CNI plugin, the FelixConfiguration CRD deployed by RKE2 does not have the option workloadSourceSpoofing. This option has been added in Calico 3.23.0 (PR here, release notes here). RKE2 seems to deploy Calico v3.25.0 based on the output of helm ls and the container image version. The CRD provided by the RKE2 helm chart here does not contain workloadSourceSpoofing, while the official Calico CRD manifests have it.
Steps To Reproduce:
Install RKE2 with the default Canal CNI plugin. Find the attributes present for the FelixConfiguration CRD with kubectl explain FelixConfiguration.spec.
Expected behavior:
The output should contain the workloadSourceSpoofing option.
Actual behavior:
The output does not contain the workloadSourceSpoofing option.
Additional context / logs:
We have stumbled upon this issue while trying to install Istio Ambient mesh, following their steps for Calico CNI.
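As an added example (not code from the issue, RKE2 or Calico), the comparison the report describes: diffing the spec fields of the chart-deployed FelixConfiguration CRD against the upstream Calico CRD, using documents in the shape `kubectl get crd ... -o json` returns. The two CRD JSON documents are constructed and trimmed; the served version name `v1` and the field names other than workloadSourceSpoofing are assumptions.

```python
import json

# Constructed, trimmed CRD documents in the shape returned by
# `kubectl get crd felixconfigurations.crd.projectcalico.org -o json`
# (assumption: only the parts needed for the schema comparison are kept).
UPSTREAM_CRD = json.loads("""
{"spec": {"versions": [{"name": "v1", "schema": {"openAPIV3Schema": {"properties": {
  "spec": {"properties": {
    "interfacePrefix": {"type": "string"},
    "defaultEndpointToHostAction": {"type": "string"},
    "workloadSourceSpoofing": {"type": "string"}
  }}}}}}]}}
""")

DEPLOYED_CRD = json.loads("""
{"spec": {"versions": [{"name": "v1", "schema": {"openAPIV3Schema": {"properties": {
  "spec": {"properties": {
    "interfacePrefix": {"type": "string"},
    "defaultEndpointToHostAction": {"type": "string"}
  }}}}}}]}}
""")


def spec_fields(crd, version="v1"):
    """Property names allowed directly under .spec for one served version of the CRD."""
    for served in crd["spec"]["versions"]:
        if served["name"] == version:
            schema = served["schema"]["openAPIV3Schema"]
            return set(schema["properties"]["spec"].get("properties", {}))
    raise KeyError(f"version {version!r} not present in CRD")


def missing_fields(upstream, deployed, version="v1"):
    """Fields the upstream schema defines that the deployed CRD lacks.

    A structural CRD schema without x-kubernetes-preserve-unknown-fields makes the
    API server prune (or, under strict field validation, reject) any field listed
    here, so a setting such as workloadSourceSpoofing would never reach Felix.
    """
    return spec_fields(upstream, version) - spec_fields(deployed, version)


if __name__ == "__main__":
    print(sorted(missing_fields(UPSTREAM_CRD, DEPLOYED_CRD)))  # ['workloadSourceSpoofing']
```

Against a live cluster, feed `missing_fields` the JSON of the chart's CRD and of the matching upstream Calico release's CRD to see which settings the deployed schema would silently drop.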