From 9a5e54699f46e7dbec68d2f2a1f13a035386e846 Mon Sep 17 00:00:00 2001
From: "Steven E. Harris"
Date: Wed, 29 Jul 2020 08:47:23 -0400
Subject: [PATCH] Calico: upgrade "k8s-ec2-srcdst" to version v0.3.0

Upgrading the "k8s-ec2-srcdst" controller to this latest version allows it to work correctly with the objects containing the new "metadata.managedFields" field introduced in Kubernetes version 1.18.0. The previous container image versions used a version of the "client-go" library that was too old to consume these fields correctly, causing the controller to fail repeatedly when trying to read Node objects retrieved from the Kubernetes API server.
---
 upup/models/bindata.go | 14 +++++++++++---
 .../k8s-1.16.yaml.template | 14 +++++++++++---
 upup/pkg/fi/cloudup/bootstrapchannelbuilder.go | 2 +-
 3 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/upup/models/bindata.go b/upup/models/bindata.go
index aa1bffa541be3..b89867af9f250 100644
--- a/upup/models/bindata.go
+++ b/upup/models/bindata.go
@@ -12620,8 +12620,16 @@ metadata:
 role.kubernetes.io/networking: "1"
 {{ if and (eq .CloudProvider "aws") (.Networking.Calico.CrossSubnet) -}}
-# This manifest installs the k8s-ec2-srcdst container, which disables
-# src/dst ip checks to allow BGP to function for calico for hosts within subnets
+# This manifest installs the "k8s-ec2-srcdst" container, which
+# disables source/destination IP address checks for ENIs attached to
+# EC2 instances hosting Kubernetes nodes.
+#
+# Disabling these checks allows Calico to send unencapsulated packets
+# to and from pods within the same VPC subnet, where either a given
+# packet's source address (originating from a pod) may not match the
+# sending machine's address or the destination address (heading to a
+# pod) may not match the receiving machine's address.
+#
 # This only applies for AWS environments.
 ---
@@ -12699,7 +12707,7 @@ spec:
 serviceAccountName: k8s-ec2-srcdst
 priorityClassName: system-cluster-critical
 containers:
- - image: ottoyiu/k8s-ec2-srcdst:v0.2.2
+ - image: ottoyiu/k8s-ec2-srcdst:v0.3.0
 name: k8s-ec2-srcdst
 resources:
 requests:
diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template
index e978351e12498..f5ec9ca94a9bf 100644
--- a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template
+++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template
@@ -3947,8 +3947,16 @@ metadata:
 role.kubernetes.io/networking: "1"
 {{ if and (eq .CloudProvider "aws") (.Networking.Calico.CrossSubnet) -}}
-# This manifest installs the k8s-ec2-srcdst container, which disables
-# src/dst ip checks to allow BGP to function for calico for hosts within subnets
+# This manifest installs the "k8s-ec2-srcdst" container, which
+# disables source/destination IP address checks for ENIs attached to
+# EC2 instances hosting Kubernetes nodes.
+#
+# Disabling these checks allows Calico to send unencapsulated packets
+# to and from pods within the same VPC subnet, where either a given
+# packet's source address (originating from a pod) may not match the
+# sending machine's address or the destination address (heading to a
+# pod) may not match the receiving machine's address.
+#
 # This only applies for AWS environments.
 ---
@@ -4026,7 +4034,7 @@ spec:
 serviceAccountName: k8s-ec2-srcdst
 priorityClassName: system-cluster-critical
 containers:
- - image: ottoyiu/k8s-ec2-srcdst:v0.2.2
+ - image: ottoyiu/k8s-ec2-srcdst:v0.3.0
 name: k8s-ec2-srcdst
 resources:
 requests:
diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
index a0e0f7d10574c..7cc5560df8adc 100644
--- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
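Review bot: The rewritten comment block in the k8s-1.16.yaml.template hunk at -3947 explains why the source/destination checks are turned off but not what protection is given up. With the check disabled, EC2 no longer requires the instance to be the source or destination of traffic on that ENI, so filtering of pod traffic rests on security groups and network policy. A line such as `# With the checks disabled, EC2 no longer drops traffic whose source or destination is not the instance itself; constrain it with security groups and NetworkPolicy.` placed before "This only applies for AWS environments." would record that for operators. The `{{ if and ... }}` block opened in this hunk closes outside it, and the identical comment in upup/models/bindata.go looks like the generated copy of this template, so only the template needs the change.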
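Review bot: The new image reference `ottoyiu/k8s-ec2-srcdst:v0.3.0` in the `containers:` entry of the k8s-1.16.yaml.template hunk at -4026 is pinned only by a mutable tag, in what appears to be a personal registry namespace. The pod runs with `priorityClassName: system-cluster-critical` and, per the manifest comment, changes attributes of ENIs attached to the cluster's EC2 instances, so a re-pushed tag would place unreviewed code in a privileged position. Pinning by digest keeps the deployed controller tied to the reviewed build: `- image: ottoyiu/k8s-ec2-srcdst:v0.3.0@sha256:<digest-of-v0.3.0>` (placeholder; record the digest after verifying the release). The container spec continues past the end of the hunk, so its securityContext and limits are not visible here, and the matching line in upup/models/bindata.go should follow from regenerating the bindata.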
+++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
@@ -714,7 +714,7 @@ func (b *BootstrapChannelBuilder) buildAddons() *channelsapi.Addons {
 "k8s-1.7": "2.6.12-kops.1",
 "k8s-1.7-v3": "3.8.0-kops.2",
 "k8s-1.12": "3.9.6-kops.1",
- "k8s-1.16": "3.15.0-kops.2",
+ "k8s-1.16": "3.15.0-kops.3",
 }
 {