New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make VPN Network configurable #9597
Conversation
TL;DR: I pushed a new commit which should fix the e2e test failures for HA clusters. Explanation:
I could reproduce this locally:
This was due to missing routes for the shoot networks in the kube-apiserver:
This in turn was due to the bonding device on the vpn-shoot-client side not using an IP from the configured VPN network but from the default network:
The bonding device was incorrectly configured because the |
/cc @axel7born @ScheererJ |
Thank you for your change. Also, I tested the change with a non-default range in the extension setup with HA VPN without issues. |
Thanks @axel7born for your review. I addressed the suggestions and capitalized |
/lgtm |
/retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks a lot for the enhancement. I have a few questions/comments.
## Configurable VPN Network | ||
|
||
The CIDR of the VPN network can be configured using the `Seed.spec.networks.vpn` field. | ||
The field configures the CIDR for all VPN tunnels of shoots running on the given seed. | ||
It defaults to `192.168.123.0/24` for `IPv4` seeds and `fd8f:6d53:b97a:1::/120` for `IPv6` seeds. | ||
The field is mutable and changing it leads to a temporary VPN disconnect during the next reconciliation of all shoots on this seed. | ||
|
||
Similar to the other seed networks (see `Seed.spec.networks`), the configured VPN network must not overlap with any other seed network. | ||
Also, shoot networks (see `Shoot.spec.networking`) must not overlap with any seed network including the VPN network. | ||
This is required for packets to be routed without ambiguity in all components of the seed/shoot architecture. | ||
Migrating the control plane of a shoot to a seed cluster with a different VPN network configuration works as long as network disjointedness is still fulfilled. | ||
|
||
With the requirement for disjoint seed and shoot networks, Gardener users are limited in choosing network ranges for their shoots. | ||
Gardener operators might want to use coherent ranges for their seed networks including the VPN network to give users more freedom of choice and make the limitations simpler to reason about. | ||
For this, configuring a non-default VPN network on the seed-level allows Gardener operators to use for example the [IANA-Reserved IPv4 Shared Address Space](https://datatracker.ietf.org/doc/html/rfc6598#section-7) (`100.64.0.0/10`) for all seed networks (the ones that users can't choose for their shoots). | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall, the motivation to make the VPN range configurable seems to come from the desire to make as much private IP space as possible available to shoot owners. As the network used here is not routed within the seed/shoot, i.e. there are no packets on the wire with for example 192.168.123.1
as IP addresses, would it not be a better solution to simply switch the VPN to a pure IPv6 tunnel with potentially IPv4 or IPv6 workload to be transferred? Did you consider this approach?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the motivation to make the VPN range configurable seems to come from the desire to make as much private IP space as possible available to shoot owners
Correct.
As the network used here is not routed within the seed/shoot, i.e. there are no packets on the wire with for example
192.168.123.1
as IP addresses, would it not be a better solution to simply switch the VPN to a pure IPv6 tunnel with potentially IPv4 or IPv6 workload to be transferred?
We didn't consider this approach. Maybe we could have considered it if it had been suggested in the proposal issue 😄
Even if there are no packets on the wire with addresses from the VPN network, I assume that there must not be overlaps between seed/shoot networks and the VPN network. Otherwise, the routes will be ambiguous. Do I get this right?
If so, using an IPv6 VPN network might solve the problem for IPv4 shoots (obviously). Nevertheless, choosing a hard-coded IPv6 network will yield the same "problem" that it imposes additional restrictions (apart from seed networks) on what networks can be chosen for shoots. I quote "problem" because it will be less restrictive in IPv6.
I still think operators would like to put all "restricted" networks (seeds and VPN) into the same IP space, even for IPv6.
Feel free to correct me if my naive thinking doesn't make sense 😄
That being said, I would love to continue with the current approach as it's almost complete. I feel like it doesn't bring too much complexity that it's worth going back to the drawing board and implementing a totally different approach.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please continue with this approach!
Johannes is on vacation this week. But we had a conversation on Friday, where he said this idea should not block this PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we could have considered it if it had been suggested in the proposal issue 😄
As you know, feedback can come at any point in time. An idea that does not fit to your timeline is not automatically a bad one.
I disagree with your opinion that with IPv6 it would be a problem. If we would use the hard-coded ULA range as done now with IPv6-only clusters we would only have a very unlikely collision if someone else used the same range. (RFC 4193 requires the global id to be random.)
It would even be possible to reserve a separate global range or use some of the special IPv6 ranges to prevent any chance of collision at all. Therefore, I do believe that you can solve the problem of the scarce IPv4 private address space by using IPv6 for the VPN.
Feel free to convince me otherwise, though.
The overlap concerns between seed and shoot clusters with regards to node, pods and services have not a lot to do with the choice of the VPN range. In other words, the seed/shoot disjointness still needs to be ensured regardless what happens with the VPN.
As the VPN range is not routed in the network, I am not sure if operators are that much interested in it. Of course, if it causes other restrictions it may be relevant, but that is again only relevant in the context of scarce IPv4 space.
Feel free to continue with the approach. As @axel7born already mentioned, I have no hard feelings against this approach, but I do feel that we just use another set of band-aid instead of actually solving the problem.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
An idea that does not fit to your timeline is not automatically a bad one.
Definitely not! I didn't want to say so.
I do feel that we just use another set of band-aid instead of actually solving the problem.
Agreed.
TBH, I do find your suggestion compelling but I lack some knowledge to comprehend it fully.
I would like to discuss the details of your idea. A meeting will probably be difficult this week, so I propose taking this to next week's hackathon :)
In the meantime, I will address the remaining comments in this PR so that we have a finished implementation to go back to if we decide on this approach after all.
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@axel7born I addressed all suggestions added by @ScheererJ. Can you take another look? |
e55856b
to
4e7205d
Compare
Rebased and re-generated |
/hold |
With this, the configuration option is tested explicitly in e2e tests.
63d3915
to
bd1948a
Compare
The Gardener project currently lacks enough active contributors to adequately respond to all PRs.
You can:
/lifecycle stale |
Shall we close this PR in favor of https://github.com/gardener-community/hackathon/blob/main/2024-05_Schelklingen/README.md#%EF%B8%8F-pure-ipv6-based-vpn-tunnel / gardener/vpn2#83? :) |
Definitely! The pure IPv6-based tunnel is the superior solution to the problem. |
@timebertt: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
How to categorize this PR?
/area networking
/kind enhancement
What this PR does / why we need it:
This PR makes use of gardener/vpn2#78 to allow configuring the used VPN network on the seed-level via
Seed.spec.networks.vpn
.The field is defaulted to the current hard-coded values and non-default network CIDRs must have the same size as the current hard-coded values. Network disjointedness with other seed and shoot networks is ensured in validation, admission, and scheduling.
See the umbrella issue and the doc commit for more details on motivation and conditions.
Which issue(s) this PR fixes:
Fixes #8987
Special notes for your reviewer:
Supersedes #8991
Release note: