Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to create service with ipFamilyPolicy RequireDualStack when service cidr is bigger then /112 #129797

Closed
chrischdi opened this issue Jan 24, 2025 · 3 comments · Fixed by #129798
Closed

Unable to create service with ipFamilyPolicy RequireDualStack when service cidr is bigger then /112 #129797

chrischdi opened this issue Jan 24, 2025 · 3 comments · Fixed by #129798
Assignees
@aojea
Labels
kind/bug Categorizes issue or PR as related to a bug. sig/network Categorizes an issue or PR as relevant to SIG Network. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@chrischdi
Copy link
Member

chrischdi commented Jan 24, 2025
edited
Loading

What happened?

We run periodic conformance tests in github.com/kubernetes-sigs/cluster-api and they started to fail https://testgrid.k8s.io/sig-cluster-lifecycle-cluster-api#capi-e2e-latestk8s-main

These currently

  • use https://dl.k8s.io/ci/latest-1.33.txt to build kind images from source with that version
  • create a Cluster with that version by using Cluster API and cluster-api-provider-docker (and in this case with dualstack ip enabled)
  • They set --service-cluster-ip-range=10.128.0.0/12,fd00:100:64::/108 in kube-apiserver (and kube-controller-manager)
  • And after finishing cluster creation run conformance tests, including the selector for the IPv6DualStack feature tests.

Several conformace tests for IPv6DualStack then failed with e.g. the following message:

I0124 07:48:52.822155 16 utils.go:776] Unexpected error: Failed to create node-port-service service: Internal error occurred: failed to allocate a serviceIP: range is full: 
    <*errors.StatusError | 0xc0031bb9a0>: 
    Internal error occurred: failed to allocate a serviceIP: range is full
    {
        ErrStatus: 
            code: 500
            details:
              causes:
              - message: 'failed to allocate a serviceIP: range is full'
            message: 'Internal error occurred: failed to allocate a serviceIP: range is full'
            metadata: {}
            reason: InternalError
            status: Failure,
    }
[FAILED] Failure recorded during attempt 1:

Note: The kube-apiserver is able to create the IPAddress object, but the service does not get created.

What did you expect to happen?

Tests to succeed.

How can we reproduce it (as minimally and precisely as possible)?

Build kindest/node image for k/k commit 0798325

# checkout k/k on 0798325ba13643
kind build node-image --image "kindest/node:v1.33.0-alpha.0.614_0798325ba13643" $(pwd)

Create a kind cluster using the following configuration:

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
networking:
  ipFamily: dual
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: ClusterConfiguration
    apiServer:
        extraArgs:
          service-cluster-ip-range: "10.96.0.10/12,fd00:100:64::/108"
kind create cluster --name test --config kind-cluster.yaml --image kindest/node:v1.33.0-alpha.0.614_0798325ba13643

Try to create a service with .spec.ipFamilyPolicy set to RequireDualStack or .spec.ipFamilies set to ["IPv6"]:

$ kubectl create svc clusterip --tcp=80:80 foo -o json --dry-run=client | jq '.spec.ipFamilies = ["IPv6"]' | k apply -f -
Error from server (InternalError): error when creating "STDIN": Internal error occurred: failed to allocate a serviceIP: range is full

$ kubectl create svc clusterip --tcp=80:80 foo -o json --dry-run=client | jq '.spec.ipFamilies = ["IPv6"]' | k apply -f -
Error from server (InternalError): error when creating "STDIN": Internal error occurred: failed to allocate a serviceIP: range is full

Note: there's a chance that the ip allocation in kube-apiserver picks an ipv6 address which is then part the first /112 part of and then works.

Anything else we need to know?

Follow-up to #129753 (comment)

I also stepped into kube-apiserver:

  • It fails to validate here that the ip is contained in the CIDR (example configuration: CIDR fd00:100:64::/108, IP fd00:100:64::f:321c
  • The IP is part of that network, but the bitmap is capped to /112

Workarounds:

  • Enable FeatureGate DisableAllocatorDualWrite in kube-apiserver
  • Use a /112 cidr for services

cc @aojea

And Kudos for Antonio helping me to dig into it!

Kubernetes version

kubectl version
Client Version: v1.29.1
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.33.0-alpha.0.614+0798325ba13643
WARNING: version difference between client (1.29) and server (1.33) exceeds the supported minor version skew of +/-1

Cloud provider

None

OS version

# On Linux:
$ cat /etc/os-release
# paste output here
$ uname -a
# paste output here

# On Windows:
C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
# paste output here

Install tools

Container runtime (CRI) and version (if applicable)

Related plugins (CNI, CSI, ...) and versions (if applicable)
@chrischdi chrischdi added the kind/bug Categorizes issue or PR as related to a bug. label Jan 24, 2025
@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jan 24, 2025
This was referenced Jan 24, 2025
Closed
Closed
@aojea aojea mentioned this issue Jan 24, 2025
Merged
@aojea
Copy link
Member

aojea commented Jan 24, 2025

/sig network
/triage accepted
/assign @aojea

Thank you very much for such detailed report, this way is very easy to fix the bugs.

The problem here comes from one odd behavior we have implemented on the ipv6 allocator, the maximum size of the allocator is 64k, that is a /112, but to keep compatibility with the ipv4 part, it is allowed to configure a /108 despite it will only use only the first /112 bits (can't find the issue but I think Dan Winship had one where it explains this in great detail)

The bug is introduced because to allow a safe rollback, we added a feature gate to sync both allocators 9b1bad4

However, when the dual write mode is enabled, it should check first on the old allocator and later confirm the write in the new allocator, not doing so can cause that a random ip is chosen by the new allocator (that does not have the limitation of the IPv6 cidr) that is not valid for the old allocator, hence fail

This will be fixed with #129798

@k8s-ci-robot k8s-ci-robot added sig/network Categorizes an issue or PR as relevant to SIG Network. triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jan 24, 2025
@chrischdi
Copy link
Member Author

chrischdi commented Jan 24, 2025
edited
Loading

Appreciate the prompt fix. Tested it locally using CAPI e2e tests and works!

Thanks again!

@aojea
Copy link
Member

aojea commented Jan 25, 2025

Testgrid is green again https://testgrid.k8s.io/sig-cluster-lifecycle-cluster-api#capi-e2e-latestk8s-main

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@aojea aojea

Labels
kind/bug Categorizes issue or PR as related to a bug. sig/network Categorizes an issue or PR as relevant to SIG Network. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

cluster ip allocator should check first on the legacy allocators aojea/kubernetes
3 participants
@chrischdi @aojea @k8s-ci-robot