SCTP support implementation for Kubernetes #64973
Conversation
k8s-ci-robot
added
release-note
k8s-github-robot
added
the
kind/api-change
|
/assign @thockin |
|
I know precious little about SCTP - I have no hands-on experience. @kubernetes/sig-network-feature-requests I do know, for example that GCP's load-balancer only supports SCTP in single-endpoint mode: https://cloud.google.com/compute/docs/load-balancing/network/forwarding-rules So at a minimum, all of the cloud implementations need to be checked for compatibility and disabled when not compatible. This should probably start as a proposal to sig-network to gather context (like the above GCP point) and then become a KEP for broader review. |
k8s-ci-robot
added
sig/network
|
@thockin Do I understand right, that you would like us to go back to point 0 and start with a sig-network proposal first, and then after some criteria are met we should create a KEP? In order to check that if a cloud provider API gets an unsupported protocol value then it answers with an error and it is handled right in the relevant cloud provider logic of k8s? |
|
@thockin kubernetes/pkg/cloudprovider/providers/aws/aws.go Line 3249 in 52603a7 Azure: it accepts only "TCP" or "UDP". Otherwise it returns with error. CloudStack: it accepts only "TCP" or "UDP". Otherwise it returns with error. GCE: it allows only "TCP" or "UDP" for external LB. Otherwise it returns with error. For internal LB there is no explicit protocol check. OpenStack: my understanding is, that OpenStack supports SCTP, so I enabled SCTP in the OpenStack cloudprovider code with this PR oVirt, Photon, vSphere: these require the registration of a "cloud provider" and it is then up to the "LoadBalancer" implementation of the cloud provider how it handles the different protocols. pkg/controller/service/service_controller.go also have a nice warning at the point where it calls the EnsureLoadBalancer() function of the relevant cloud provider: As I can see all the supported cloud providers follows this principle, and they handle unsupported protocol values in their code. Of course we are happy to receive comments from Network SIG. Please help in inviting the relevant people here if the "sig/network" label is not enough for a heads-up. |
|
LKSCTP is not loaded by default in Linux OS that allows developers to run user-land SCTP in Linux. With your change LKSCTP will automatically be loaded and it will intercept all incoming SCTP packets which will lead to mess and basically aborting of SCTP associations. In other words, this change will not allow developers to run user-land SCTP in K8s cluster. |
|
@MaximProshin Is there the same effect when those are in different network namespaces? I.e. when the user space SCTP implementation is used inside a pod that does not use the host network namespace? UPDATE: If the network interface of the pod is not a tun/tap-like one, and the user space SCTP stack uses raw socket with IPPROTO_SCTP, then namespace will not save us. On the other hand, considering the world without containers, one had to ensure that such user space SCTP apps are not deployed on the same nodes with such applications that would trigger the loading of lksctp. It drives me into the direction of thinking about a way how nodes could be reserved for such user-land SCTP applications. Assuming of course, that those user-land SCTP applications are deployed as containers/pods that share the same kernel with other pods - i.e. not as e.g. Kata Containers or similar. |
| @@ -25,6 +25,8 @@ import ( | |||
|
|
|||
| "k8s.io/api/core/v1" | |||
| utiliptables "k8s.io/kubernetes/pkg/util/iptables" | |||
|
|
|||
| "github.com/nokia/sctp" | |||
There was a problem hiding this comment.
I think you need to update the BUILD file in this directory to account for this import addition. run 'hack/update-bazel.sh' and I think it'll do that for you.
pkg/proxy/iptables/proxier.go
Outdated
| @@ -33,6 +33,7 @@ import ( | |||
| "time" | |||
|
|
|||
| "github.com/golang/glog" | |||
| "github.com/nokia/sctp" | |||
pkg/proxy/ipvs/proxier.go
Outdated
| @@ -1656,6 +1667,18 @@ func openLocalPort(lp *utilproxy.LocalPort) (utilproxy.Closeable, error) { | |||
| return nil, err | |||
| } | |||
| socket = conn | |||
| case "sctp": | |||
| //SCTP is not supported by golang/net, or any other built-in lib, | |||
There was a problem hiding this comment.
mis-indented whitespace; also there should be a single space after the // in comments.
k8s-ci-robot
added
area/kubeadm
sig/cluster-lifecycle
|
@dcbw Thank you for the comments! Updated with hack/update-gofmt.sh and hack/update-bazel.sh. Also did a rebase to the current master. |
|
Yes, namespaces don't help to isolate user-land SCTP from LKSCTP so there should be a way to not load/unload LKSCTP at least. If I compare K8s with native Linux OS, I would say the PR is non-backward compatible as previously LKSCTP wasn't loaded by default while with K8s it will be so. |
|
@MaximProshin My understanding is that lksctp is not loaded as long as no SCTP Service (with Cluster IP or NodePort) is created, because of the on-demand loading. Once someone creates an SCTP Service the module is loaded, but it is an explicit request from the user. Just like when a user started a native Linux process that wanted to use SCTP. UPDATE: we tested the module load case explicitly with the current code proposed here. My understanding is right: the current solution does not trigger the loading of the SCTP module by default(e.g. when kube-x is loaded at bootup). The SCTP module was loaded only when an SCTP Service was created. So, from this perspective if someone upgrades her k8s to a version that includes this feature, she will not experience any problems as long as she does not create SCTP Services explicitly. |
|
@thockin I created a KEP, the PR is at kubernetes/community#2276 |
|
Thanks for the KEP. This also needs discussion on sig-network. A lot of significant issues in there. |
|
Sure, we can take it to the next SIG Network meeting. Am I allowed to write it on the agenda? |
k8s-ci-robot
added
the
sig/scheduling
|
Hopefully this PR kubernetes/test-infra#9161 solved the GKE test issues on 27th August 2018, so UPDATE (30 minutes later): that PR is not in effect yet. The retest failed. |
thockin
removed
the
do-not-merge/hold
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: janosi, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/retest |
2 similar comments
|
/retest |
|
/retest |
|
Automatic merge from submit-queue (batch tested with PRs 67694, 64973, 67902). If you want to cherry-pick this change to another branch, please follow the instructions here. |
|
@thockin Thank you for guiding me through this adventure, for the review, and for the approval! |
|
Linking the features issue for this: kubernetes/enhancements#614 |
|
I don't think this gets enough attention from the sig-node. This adds a new SCTP protocol to CRI and may require changes in the CRI shims. @kubernetes/sig-node-api-reviews @kubernetes/sig-node-pr-reviews @mrunalp @Random-Liu @resouer @feiskyer |
@yujuhong Should we skip SCTP port mapping in kuberuntime instead? |
|
@feiskyer @yujuhong I wonder whether the same logic could be applied on the CRI side which was selected for the load balancers: k8s itself does not restrict the usage of SCTP as protocol for load balancer reuqests, and it is the task of the cloud provider's load balancer plugin to filter unsupported protocols. |
What this PR does / why we need it: This PR adds SCTP support to Kubernetes, including Service, Endpoint, and NetworkPolicy.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #44485
Special notes for your reviewer:
Release note: