Sets HostNetwork to False for tests which do not require it

[claudiubelu]

What type of PR is this?

/kind failing-test

/sig testing

What this PR does / why we need it:

Some tests are setting HostNetwork=true, even if it is not required for them to pass.

This patch will set the HostNetwork to false for those tests, allowing them to be run on Windows nodes as well.

Running the tests affected by this PR on Linux nodes on different environments, yielded the following results:

• azure-vnet-cni: https://paste.ubuntu.com/p/gYxsvWVqDc/
• flannel l2bridge: https://paste.ubuntu.com/p/55YDFFHZzR/
• flannel overlay: https://paste.ubuntu.com/p/mtrnP5JyxF/

Which issue(s) this PR fixes:

Fixes #69559
Original PR: #69525

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

[MrHohn]

Haven't looked deep into this, qq that why not reusing #69525 as I see valid comments there?

[MrHohn]

I was reading the comments from previous thread (#69525 (comment)). Isn't that still true?

[johnbelamaric]

@BCLAU This function must be able to access kube-proxy running on the node, so running in non-hostNetwork doesn't work at all. You didn't see a problem because apparently RunHostCmd doesn't return an error when the curl command times out or gets a connection refused. So basically the test was then going on assuming it's not in user proxy mode. How is kube-proxy done in Windows, given there is no iptables? Does it run the user space proxy? If so then an "if windows, return userspace" might be the right solution for this function.

Alternately, the issue is that Windows doesn't support hostNetwork, and we need to talk to kube-proxy in the host network namespace in order to determine the proxy mode. So how do we get this info without hostNetwork? Does kube-proxy only make status available on localhost, or could we get it by passing status.hostIP via the downward API? If we can do that, then the pod can get this info using that IP instead of localhost.

[claudiubelu]

Will remove this from the PR for the time being. Didn't notice that the test actually skips if it doesn't have 2 Ready nodes, so I've missed this.

[bgrant0607]

Multiple nodes are required now.

No conformance tests should have Skips in them. If they do, they cannot be promoted.

[claudiubelu]

Haven't looked deep into this, qq that why not reusing #69525 as I see valid comments there?

True, but I cannot reopen that PR for some issue, I would have otherwise.

As for the comments, I should reply to them, but as you can see in this PR's pastes, I've run those tests on Linux with different networking plugins (azure-vnet-cni, flannel overlay, flannel l2bridge) and they passed.

[MrHohn]

As for the comments, I should reply to them, but as you can see in this PR's pastes, I've run those tests on Linux with different networking plugins (azure-vnet-cni, flannel overlay, flannel l2bridge) and they passed.

It is important to ensure that the test not only passes, but also that it verifies what it should be. Specifically for that ProxyMode() func, it makes a HTTP call to kube-proxy's status port and parse out what proxy mode it is using. kube-proxy runs in hostnetwork, using a exec pod without hostnetwork that curls from localhost:10249 won't give us the correct info.

That ProxyMode() is currently used in test that won't work with userspace proxy mode. They explicitly check if proxy mode is userspace and skip the test. They didn't fail in your setup just because userspace proxy mode is not used.

[timothysc]

I'm going to defer to @kubernetes/sig-node-pr-reviews
/assign @johnbelamaric

[yujuhong]

/cc @lzang

[k8s-ci-robot]

@yujuhong: GitHub didn't allow me to request PR reviews from the following users: lzang.

Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

/cc @lzang

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[johnbelamaric]

In general, YES to removing hostNetwork from these intra-pod and node-pod tests. With hostNetwork enabled they don't even really test what they were supposed to be testing. But we need to figure out what to do about ProxyMode which definitely doesn't work as written when run in hostNetwork: false

[johnbelamaric]

@BCLAU This function must be able to access kube-proxy running on the node, so running in non-hostNetwork doesn't work at all. You didn't see a problem because apparently RunHostCmd doesn't return an error when the curl command times out or gets a connection refused. So basically the test was then going on assuming it's not in user proxy mode. How is kube-proxy done in Windows, given there is no iptables? Does it run the user space proxy? If so then an "if windows, return userspace" might be the right solution for this function.

Alternately, the issue is that Windows doesn't support hostNetwork, and we need to talk to kube-proxy in the host network namespace in order to determine the proxy mode. So how do we get this info without hostNetwork? Does kube-proxy only make status available on localhost, or could we get it by passing status.hostIP via the downward API? If we can do that, then the pod can get this info using that IP instead of localhost.

[johnbelamaric]

/priority important-soon

[johnbelamaric]

/sig network

[claudiubelu]

/test pull-kubernetes-e2e-gce

[kikisdeliveryservice]

As an update Bug triage had the incorrect date. Freeze is Nov 14.

[alejandrox1]

ping @johnbelamaric
could you take a look please?

[johnbelamaric]

I will block out some time on Friday.

[johnbelamaric]

Ok. I think I have figured out why this is so confusing. It comes down to that PR #71468 should not have been merged as it is written. It separates "host neworking" from the HostTestContainerPod. But that's the whole raison d'être of the HostTestContainerPod.

Instead, it should have just added a boolean that defined whether or not to create the HostTestContainerPod at all. If you look at the tests where you are passing in false, they use DialFromTestContainer or DialFromEndpointContainer, neither of which use the HostTestContainerPod.

So, I cannot approve this. In fact, we should go back and fix the others, I could approve something that doesn't create the HostTestContainerPod in all cases.

[kikisdeliveryservice]

@alejandrox1 @johnbelamaric : Should this be bumped to 1.18?

-Bug Triage Team

[johnbelamaric]

yes, probably that would make sense.

[kikisdeliveryservice]

/milestone v1.18

[claudiubelu]

/test pull-kubernetes-e2e-kind
/test pull-kubernetes-e2e-gce

[johnbelamaric]

Not sure why it says approved from me, going to make sure that's cancelled until I hear back on my most recent comments.

/approve cancel

[claudiubelu]

Not sure why it says approved from me, going to make sure that's cancelled until I hear back on my most recent comments.

/approve cancel

Yeah, sorry. I've addressed your comments, but haven't commented on it.

Ok. I think I have figured out why this is so confusing. It comes down to that PR #71468 should not have been merged as it is written. It separates "host neworking" from the HostTestContainerPod. But that's the whole raison d'être of the HostTestContainerPod.

This PR now removes test/e2e/windows/network.go

Instead, it should have just added a boolean that defined whether or not to create the HostTestContainerPod at all. If you look at the tests where you are passing in false, they use DialFromTestContainer or DialFromEndpointContainer, neither of which use the HostTestContainerPod.

Added. HostTestContainerPod is no longer created if host networking is not required. Although, technically, even DialFromTestContainer and DialFromEndpointContainer were exec-ing into HostTestContainerPod (even though it was unnecessary). Had to address that as well.

So, I cannot approve this. In fact, we should go back and fix the others, I could approve something that doesn't create the HostTestContainerPod in all cases.

Done.

[claudiubelu]

@johnbelamaric So, is it alright with you now?

[johnbelamaric]

Yes!
/lgtm
/approve

[spiffxp]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: claudiubelu, johnbelamaric, spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• test/e2e/common/OWNERS [spiffxp]
• test/e2e/framework/OWNERS [spiffxp]
• test/e2e/network/OWNERS [johnbelamaric,spiffxp]
• test/e2e/windows/OWNERS [spiffxp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment