fix: improve IPv6 support in local Kind cluster setup#3693
Open
matejvasek wants to merge 3 commits intoknative:mainfrom
Open
fix: improve IPv6 support in local Kind cluster setup#3693matejvasek wants to merge 3 commits intoknative:mainfrom
matejvasek wants to merge 3 commits intoknative:mainfrom
Conversation
Contour defaults its xDS server, Envoy HTTP/HTTPS listeners, and stats endpoint to 0.0.0.0 (IPv4-only). On IPv6-only clusters this prevents the control plane from communicating with Envoy and blocks all ingress traffic. Patch the Contour deployment at install time to bind xds-address, envoy-service-http-address, envoy-service-https-address, and stats-address to :: so all components listen on IPv6. Signed-off-by: Matej Vašek <matejvasek@gmail.com>
Docker's embedded DNS proxy only listens on IPv4 (moby/moby#41651), and Kind's entrypoint replaces the node's nameserver with the IPv4 bridge gateway (e.g. 172.18.0.1). On IPv6-only clusters CoreDNS pods cannot reach this IPv4 address, breaking all DNS resolution. Work around this by detecting IPv4-only nameservers on the Kind node and installing a socat UDP/TCP proxy that forwards DNS from the node's IPv6 address to the IPv4 nameserver. The CoreDNS Corefile is then patched to forward to the node's IPv6 address instead of /etc/resolv.conf. This preserves full container-runtime DNS resolution including container names and search domains. Signed-off-by: Matej Vašek <matejvasek@gmail.com>
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: matejvasek The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
knative-prow
Bot
added
approved
matejvasek
changed the title
matejvasek
changed the title
matejvasek
requested review from
gauron99 and
lkingland
and removed request for
dsimansk and
jrangelramos
Contributor
Author
|
PTAL @gauron99 @lkingland |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #3693 +/- ##
=======================================
Coverage 56.91% 56.91%
=======================================
Files 181 181
Lines 20933 20933
=======================================
+ Hits 11913 11915 +2
+ Misses 7811 7810 -1
+ Partials 1209 1208 -1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
knative-prow
Bot
added
size/M
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes two IPv6-related issues in
hack/cluster.shthat break the local Kind development cluster on IPv6-only and dual-stack Docker networks:Contour IPv6 bindings: Contour defaults its xDS server, Envoy listeners, and stats endpoint to
0.0.0.0(IPv4-only). On IPv6-only clusters the control plane cannot reach Envoy and ingress traffic is blocked. The Contour deployment is now patched at install time to rebind--xds-addressand--stats-addressto::alongside the existing HTTP/HTTPS address overrides.Note:
::listens on both IPv4 and IPv6 on Linux by default. However if machines completely disables IPv6 or deliberately setsnet.ipv6.bindv6only = 1the it might not listen on IPv4, but people doing that had it coming anyway.CoreDNS DNS forwarding via socat: Docker's embedded DNS proxy only listens on IPv4 (
moby/moby#41651), and Kind replaces the node's nameserver with the IPv4 bridge gateway (e.g.172.18.0.1). On IPv6-only clusters CoreDNS pods cannot reach this address, breaking all DNS resolution. A socat UDP/TCP proxy is now installed on the Kind node when IPv4-only nameservers are detected, forwarding DNS from the node's IPv6 address to the IPv4 nameserver. The CoreDNS Corefile is patched to use this proxy instead of/etc/resolv.conf. See also DNS resolution broken on IPv6-only clusters with Docker: enable_network_magic() is IPv4-only kubernetes-sigs/kind#4152Test plan
hack/cluster.shon a Docker host with an IPv6-only Kind cluster and verify DNS resolution works inside podshack/cluster.shon a dual-stack Kind cluster and verify both IPv4 and IPv6 DNS resolution workhack/cluster.shon a standard IPv4-only Kind cluster and verify no regressions (socat proxy should be skipped, Contour bindings are additive)