Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make IPv6 support opt-in in linkerd-cni #12663

Merged
merged 1 commit into from
May 31, 2024

Conversation

alpeb
Copy link
Member

@alpeb alpeb commented May 30, 2024

Followup to 7dbafb2 where we made IPv6 support opt-in for the control plane and proxy init. This follows suit doing the same for linkerd-cni.

Followup to 7dbafb2 where we made IPv6
support opt-in for the control plane and proxy init. This follows suit
doing the same for linkerd-cni.
@alpeb alpeb requested a review from a team as a code owner May 30, 2024 22:24
alpeb added a commit to linkerd/linkerd2-proxy-init that referenced this pull request May 30, 2024
Ignoring these failures can cause IPv6 traffic to bypass the proxy; i.e.
IPv6 traffic can work in a cluster but linkerd might not be configured
with the appropriate iptables flavor (nft or legacy) and so the rules
won't be set.

Back when we had IPv6 support enabled by default we still ran these
ip6tables rules in IPv4-only clusters and so ignored failures to avoid
breaking things unexpectedly. But now that IPv6 support is opt-in, we
should expect the cluster to provide a fully functional IPv6 stack and
linkerd is configured appropriately for it, and so fail early when
things don't work as expected.

This change also explicitly disables IPv6 in the integration tests.

Note that tests won't pass until linkerd/linkerd2#12663 gets included
into an edge.
@mateiidavid mateiidavid merged commit b028db7 into main May 31, 2024
36 checks passed
@mateiidavid mateiidavid deleted the alpeb/linkerd-cni-ipv6-opt-in branch May 31, 2024 10:47
alpeb added a commit to linkerd/linkerd2-proxy-init that referenced this pull request May 31, 2024
Ignoring these failures can cause IPv6 traffic to bypass the proxy; i.e.
IPv6 traffic can work in a cluster but linkerd might not be configured
with the appropriate iptables flavor (nft or legacy) and so the rules
won't be set.

Back when we had IPv6 support enabled by default we still ran these
ip6tables rules in IPv4-only clusters and so ignored failures to avoid
breaking things unexpectedly. But now that IPv6 support is opt-in, we
should expect the cluster to provide a fully functional IPv6 stack and
linkerd is configured appropriately for it, and so fail early when
things don't work as expected.

This change also explicitly disables IPv6 in the integration tests.

Note that tests won't pass until linkerd/linkerd2#12663 gets included
into an edge.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants