pkg/default: set AddressScopeMax default value#41778
Conversation
|
/test |
1 similar comment
|
/test |
bimmlerd
left a comment
There was a problem hiding this comment.
If this change is going through, then I don't see the point of retaining the AddressScopeMax constant. But I'm more worried about not knowing whether this has more impact than I can foresee.
b599f98 to
86c973d
Compare
|
/test |
|
Thanks for the fix. We (GKE team people @Bigdelle @sypakine) have recently been looking into using Cilium LRP with GKE MDS, so this helps. I'm adding @sypakine as a reviewer here, since he has some more context on this and probably wants to take a look. So this PR in conjunction with #41671 should fix #41671? |
yes(I guess you have a typo on #41645). Based on my own test. I think you could just use the image from #41645 and manually configure This is reported here #28655 (comment) from the beginning. Where I can see that's the new behavior from newer GKE meta data server. |
|
For context, the diff is basically as follows: Without flag: With ... when the loopback has: So essentially it is detecting the non-default |
|
Original work back then: ea75a72 (so this basically affects ipcache / ep maps when such address is present and considers it as "host" from Cilium PoV) |
bimmlerd
left a comment
There was a problem hiding this comment.
OK, I'll trust your judgement :)
86c973d to
7e8b44b
Compare
|
/test |
|
@liyihuang could you add some more context to the commit message? I feel like right now its lacking too many details, would be good to elaborate more, feel free to take the additional context from the comments in here. Just so we have it for future reference. |
7e8b44b to
06a2426
Compare
In GKE, metadata-server configures a secondary address
on the loopback interface.
Here is the example
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 169.254.169.252/32 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
Cilium uses 252 as the default value, so it will skip
the scope host ip address.
With the old default value, Cilium will not consider the loopback
address 169.254.169.252 as the localhost address since its
scope is host. We could have the following bpf endpoint list
cilium-dbg bpf endpoint list
IP ADDRESS LOCAL ENDPOINT INFO
10.99.45.18:0 (localhost)
147.28.227.91:0 (localhost)
10.25.132.3:0 (localhost)
With the new default value or using --local-max-addr-scope=254
We will get the following bpf endpoint list
cilium-dbg bpf endpoint list
IP ADDRESS LOCAL ENDPOINT INFO
169.254.169.252:0 (localhost)
10.99.45.18:0 (localhost)
147.28.227.91:0 (localhost)
10.25.132.3:0 (localhost)
With the old default value could cause the problem for eBPF host routing
since we can't redirect the packet to unknown endpoint. We have to ask
users to use hostLegacyRouting or change the local-max-addr-scope to
254. However, local-max-addr-scope is a hidden flag where users dont
know about it. That's why this PR is bumping the default value to 254.
Signed-off-by: Liyi Huang <liyi.huang@isovalent.com>
06a2426 to
26533c6
Compare
|
/test |
|
I'm surprised that we're not calling out this change (and how to roll it back) in the release notes. And slightly concerned about the suggestion to also change the default behavior in the (btw the correct tag would be |
Agree, we should not backport this until ~v1.19.2 or such if there haven't been reports on regressions. |
Thanks for the help. I have updated release notes. I'm trying to see if I need to attach some tag or I need to add the Is there still any problem to merge this to the main? I'm asking because I will need this PR and #41645 together to solve #41671 |
I believe this caused a regression in |
see the commit message.
Move this commit to seperate PR so we can backport this one for other use cases based on discussion #41645 (comment)
Fixes: #41671