add env vars for ip auto allocate ipv4/v6 cidr prefixes#56276
add env vars for ip auto allocate ipv4/v6 cidr prefixes#56276istio-testing merged 8 commits intoistio:masterfrom
Conversation
|
😊 Welcome @slickwilli! This is either your first contribution to the Istio istio repo, or it's been You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines Thanks for contributing! Courtesy of your friendly welcome wagon. |
|
Hi @slickwilli. Thanks for your PR. I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/ok-to-test |
| v4allocator: newPrefixUse(netip.MustParsePrefix(features.IPAutoallocateIPv4Prefix)), | ||
| v6allocator: newPrefixUse(netip.MustParsePrefix(features.IPAutoallocateIPv6Prefix)), |
There was a problem hiding this comment.
Let me know if you want me to change these, I added validation in initControllers so it should be okay to still use this. However, I could also refactor the initialization of the ipallocate controller to take the parsed netip.Prefix and remove MustParsePrefix.
|
Any input on this would be great, currently this is causing us issues with running Windows server on ambient, thanks |
|
Hi @slickwilli, Rather than arbitrarily configurable ranges, which opens up possibilities for misconfiguration, could we instead offer an alternative range option which we've chosen ahead of time? That way we know it will parse and is reasonable in size. The user just flips alt range to "true" if they are on a platform that requires it. |
|
@ilrudie No worries. Thanks for taking a look! While I’m in favor of preventing misconfiguration, I’m hesitant to enforce predefined alternative range(s), as end-users may have specific reasons for choosing certain range(s). Would additional validation on the supplied range(s) be sufficient? For example, we could enforce minimum usable space requirements or validate against other relevant criteria. Additionally, appending OVERRIDE to the environment variable names might help clarify their intended use. That being said, I think |
|
yeah, there's definitely some options. I'll try to capture my view of the tradeoffs here:
|
|
I imagine these ranges won't be touched by 99.99% of Istio users, and those who are looking to use them are probably pretty advanced users. For example, we only ran into this issue while running Windows VMs via KubeVirt and hit a limitation in the Windows networking stack with the default range (definitely not a common use case, lol). I’m aligned on guarding against the sharper edge cases:
That said, this is my first Istio PR, so happy to defer to whatever direction you all feel is most appropriate. |
|
Hi @slickwilli, I brought this up in the combined WG call today to help unblock. The consensus among the folks who joined in on the discussion is:
To that end, the proposal would be to define the current ranges as We can then have an env var which specifies a csv list of ranges to use. If the list is empty, unspecified, invalid, anything else which renders it unusable: we just use the |
|
@ilrudie what if the second set of ranges that is deemed as "alternate" doesn't fit a user's use case? what then? We back to this original PR....how can you possibly define an alternate CIDR to use that will fit every single person's use case? This is a HIGHLY advanced feature....anybody using this will likely know what they are doing and are accepting the risk in doing so. By limiting this to a CIDR(s) determined by whatever group of folks, all you are doing is kicking the bucket down the road until those ranges don't work for the next user. My 2 cents. |
|
Hi @jbilliau-rcd, We did consider the possibility that both the default and alt1 ranges might be unsuitable for some unlucky folks (hence the name alt1, allowing for alt2...N in the future if need arises). We thought it to be sufficiently unlikely that this was a step forward which is likely to solve for most uses. Using a list (as opposed to a binary "enable alt range") does allow the flexibility to enable free-form CIDR in the same API as well if we see a need for having that, so it's not ruled out so much as not the first step. |
|
It's not feasible to predict why an end user might want to change this subnet or what specific configuration they intend to use, Istio shouldn't need to account for that. Validating a proper subnet is straightforward compared to the complexity introduced by the proposed logic. The suggested approach introduces unnecessary ambiguity, making it unclear which subnet will be used under varying conditions. This complexity not only risks confusion for the user but may also fail to solve the underlying issue given the unpredictable nature of the inputs involved, especially now that kubevirt opened the door to Istio in front of virtually every operating system in existence. If 99% of users will never change this, why would the desired state for those 1% of users not be the goal if it's less arduous to implement in addition? |
|
My 2c, wasn't in the meeting -- should allow arbitrary CIDR
…On Wed, Jun 18, 2025 at 12:10 PM Chris Farhood ***@***.***> wrote:
*cpfarhood* left a comment (istio/istio#56276)
<#56276 (comment)>
It's not feasible to predict why an end user might want to change this
subnet or what specific configuration they intend to use, Istio shouldn't
need to account for that. Validating a proper subnet is straightforward
compared to the complexity introduced by the proposed logic. The suggested
approach introduces unnecessary ambiguity, making it unclear which subnet
will be used under varying conditions. This complexity not only risks
confusion for the user but may also fail to solve the underlying issue
given the unpredictable nature of the inputs involved, especially now that
kubevirt opened the door to Istio in front of virtually every operating
system in existence. If 99% of users will never change this, why would the
desired state for those 1% of users not be the goal if it's less arduous to
implement in addition?
—
Reply to this email directly, view it on GitHub
<#56276 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEYGXP5CCFXOKBPTHOBKV33EG2TNAVCNFSM6AAAAAB47G2SKKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDSOBVGQYTGMBTGQ>
.
You are receiving this because your review was requested.Message ID:
***@***.***>
|
|
There hasn't been any movement on this PR in a while and we need this functionality to move forward with a kubevirt/Istio project, otherwise we are hosed. @ilrudie where do we stand currently? How can we get this moving forward? |
|
It's unclear if @slickwilli is still looking to work on this. If they don't have time anymore I suppose someone else would need to take over. TBD:
|
|
He's still working on it (he's a co-worker of mine), just hasn't done anything further since, while we've gone back and forth on certain points regarding this, no specific decisions have been made so there isn't any further work for him to do (yet). To respond to your points: if we're going to choose an alternate range to try to avoid input mistakes, what range? Well, that's kind of our point; what alternate range would we pick? and what if it doesn't work for someone else for any other reason? are we just going to keep adding endless alternate ranges? Seems the better fit is to make this an advanced, experimental setting, and let the users use what they want. 99.9% of users won't likely touch this anyway, so trying to add in guardrails isn't worth it imo. if we're going to allow arbitrary range(s), what validation do we do and what to we do when the input isn't usable? Either/or....if the latter, sure, take whatever has been given, and if it can't parse, log error, default to defaults, and move on. how to communicate that this is an experimental/advanced setting and you shouldn't use it in nearly any Istio installation? Same way I assume any other experimental/alpha features are communicated. Examples are here and here So if you agree, let's move forward. If not, we just need to know what changes to make to get this PR approved and pushed through. Appreciate your time on this! |
|
Yep, sorry I just wasn't sure what the status of this discussion was.. A quick parse of the provided ranges and falling back to the defaults is simple enough and provides the most flexibility |
|
/test integ-ambient-dual |
|
If we're all good with arbitrary ranges (/cc @louiscryan if he's around), then we'll need to make sure we manually cherry-pick this to the 1.27 branch |
|
Awesome, thanks for pushing this forward guys! |
|
/cherrypick release-1.27 |
|
it will be part of beta.1 |
|
@zirain: new pull request created: #57189 DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
* upstream/master: (21 commits) feat: skip queue for status updates on gw (istio#56962) Automator: update proxy@master in istio/istio@master (istio#56993) Automator: update proxy@master in istio/istio@master (istio#56990) Change host iptables rule addition from Append to Insert to ensure Istio's rules take precedence (istio#56414) support specifying proxy admin port for describe (istio#56854) support reset log level or stack trace level separately for admin log (istio#56642) improve example format for istioctl x describe (istio#56951) Automator: update ztunnel@master in istio/istio@master (istio#56971) Remove flaky test (istio#56919) fix: fixes test which fails for distroless (istio#56965) Automator: update proxy@master in istio/istio@master (istio#56969) Ambient Multicluster SplitHorizon WDS Implementation (istio#56844) Fix log message in cni install.go file (istio#56966) add env vars for ip auto allocate ipv4/v6 cidr prefixes (istio#56276) Update BASE_VERSION to master-2025-07-10T19-01-16 (istio#56967) Add AllowCRDsMismatch parameter to gateway conformance options. (istio#56945) Revert "feat: represent revision tags using services (istio#56851)" (istio#56941) Automator: update proxy@master in istio/istio@master (istio#56954) Automator: update istio/client-go@master dependency in istio/istio@master (istio#56911) Automator: update common-files@master in istio/istio@master (istio#56952) ...
Please provide a description of this PR:
Adds the ability to specify the IPv4/v6 CIDRs for use by the IP auto allocator controller. We have found in testing istio/ambient with Windows/kubevirt the default
240.240.0.0/16range for VIPs does not work with Windows (I think this is an issue with the Windows networking stack?).Changing the defined IPv4 range to something like
10.213.64.0/18and deploying that pilot container (built off of 1.25.2) to our cluster fixed the issue and allowed traffic to properly flow through egress proxy.PILOT_IP_AUTOALLOCATE_IPV4_PREFIX(default:240.240.0.0/16) andPILOT_IP_AUTOALLOCATE_IPV6_PREFIX(default:2001:2::/48) Pilot env varsThis change keeps the default behavior of the ip autoallocator controller while also allowing end users to change the CIDR prefix(es) for whatever reason.
To help us figure out who should review this PR, please put an X in all the areas that this PR affects.