Kube-router, a turnkey solution for Kubernetes networking.
APACHE-2.0 License
Bot releases are visible (Hide)
Another bugfix release. This one fixes an issue with TCP MSS clamping (e.g. packet MTU's not being properly negotiated during TCP handshake) and an issue where iptables wasn't properly identifying that rules existed in chains causing iptables definitions to increase with every call to sync NetworkPolicy ending up in linear growth of iptables rule definitions.
Special thanks to @rkojedzinszky for fixing the TCP MSS clamping on DSR services.
The iptables definition growth was seemingly caused by iptables user-space tooling v1.8.10 which means that this likely only affected users of the kube-router container that was updated to alpine 3.19. User's using kube-router as a daemon outside a container runtime, may want to be wary of updating the iptables user-space to that version.
<Aaron U'Ren>
<Richard Kojedzinszky>
<Aaron U'Ren>
<Richard Kojedzinszky>
<Richard Kojedzinszky>
Published by github-actions[bot] 5 months ago
Fixes a problem where ipsets were not getting tracked correctly across different IP families for dual-stack clusters. This caused instances where communication with the pod would no longer work correctly after a pod, that had a NetworkPolicy applied to it, got a new IP address such as during restarts or the like.
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
Published by github-actions[bot] 6 months ago
This release fixes a lot of issues that have been present since the release of v2.0.0. v2.0.0 has been gaining adoption slowly and it has only been recently that users have been reporting some of the issues related with dual-stack configurations.
The big additions for this release include:
inet6
prefix in order to use them correctly. As such, most network policies were not correctly applying.hairpinMode: true
(see https://www.kube-router.io/docs/user-guide/#hairpin-mode for more details)rt_tables
, the path of which changed in versions of iproute2 v6.5.0 and above. Users that have newer systems, enable DSR, and run kube-router within a container should check to ensure this file is mounted correctly within the kube-router container.--cleanup-config
mode which has been broken since v2.0.0 (please see docs for updated examples of how to run this from within a container)If you use hairpin mode either as a service annotation or a CLI parameter to kube-router, we recommend that you check your CNI configuration file to ensure that you are setting "hairpinMode":true
on the bridge
CNI plugin. This is the only way that hairpin mode will work correctly as the previous hairpin controller built into kube-router has now been disabled as it was a tricky implementation and had significant problems with irregular containers.
If you find that you need to add this to your CNI config file, please ensure that kubelet has been restarted, and that any pods that rely on hairpinning have been restarted as well.
See https://www.kube-router.io/docs/user-guide/#hairpin-mode for more information.
A big thanks @elchenberg & @xujunjie-cover for contributing fixes for this release!
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<xujunjie-cover>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<elchenberg>
<elchenberg>
<elchenberg>
<elchenberg>
<Jean-Philippe Evrard>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<Aaron U'Ren>
<Aaron U'Ren>
<dependabot[bot]>
<dependabot[bot]>
<Aaron U'Ren>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<Manuel Rüger>
<Aaron U'Ren>
<Aaron U'Ren>
Published by github-actions[bot] 6 months ago
Just some small fixes for DSR on the v1.6.X release line.
<Aaron U'Ren>
<Aaron U'Ren>
Published by github-actions[bot] 8 months ago
The major theme of this kube-router release is to make kube-router fully conformant with the end-to-end upstream sig-network tests. These are tests that the Kubernetes project provides for testing significant networking features and becoming conformant with the tests means that the networking functionality of kube-router is more consistent with other network providers like kube-proxy, Calico, and Cilium.
HOST_BIN_PATH
within the init container, but will default to /opt/cni/bin
. This is something that all major Kubernetes networking providers do, but kube-router has not done in the past. For more information on CNI plugins, please see: https://github.com/containernetworking/plugins
.spec.healthCheckNodePort
which has long been a part of the Kubernetes service specification, but kube-router hasn't implemented it until now. This port is meant to give visibility about whether or not an endpoint for a service exists on a node to workloads outside the Kubernetes cluster. If a service endpoint is on the node, then this port returns a 200 HTTP response, otherwise it returns a 503 HTTP response if no endpoint exists on the node. By choosing a node that contains an endpoint, a client can ensure source IP preservation.veth
interface inside the container is in promiscuous mode. This used to be handled by kubelet
and then it was handled by docker-shim
and then it was removed entirely. As far as I can tell, it was never ported to containerd
or cri-o
. Without this functionality, return traffic ends up getting black-holed before it is routed outside of the container. For more details see: https://github.com/cloudnativelabs/kube-router/commit/0f3714b9b758f24de0b1911c148bdba8d87de9b6
--metrics-addr
to choose the IP address that kube-router listens on when providing Prometheus metrics--service-tcp-timeout
- (default: 0s
preserves system value, typically 900 seconds)--service-tcpfin-timeout
- (default: 0s
preserves system value, typically 120 seconds)--service-udp-timeout
- (default: 0s
preserves system value, typically 300 seconds)service.kubernetes.io/service-proxy-name
. Setting this label to something other than kube-router
will result in kube-router ignoring the servicespec.internalTrafficPolicy
and implements spec.externalTrafficPolicy
correctly. For more information see: https://kubernetes.io/docs/reference/networking/virtual-ips/#traffic-policies for more informationkube-router now serves traffic to endpoints that that have a status of either ready
or serving
. See: https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/#conditions for more information on the differences between these conditions. Before this release, kube-router only served traffic to ready
endpoints, which improperly ignored pods that were in Terminating
status. This change makes kube-router compliant with the upstream standards.
The release switches from Alpine base 3.18
to 3.19
which changes the iptables backend from iptables to nftables. This is a pretty big change, since the two backends are not mixable. The kube-router project recommends coupling this upgrade with a rolling restart of the nodes in your cluster so that the iptables rules get flushed alongside the upgrade.
hostPID: true
is set on your kube-router pod. This is the only way that kube-router is able to properly set the veth
interface into promiscuous mode. This attribute has now been added to all of the official kube-router DeaemonSet YAML files
This release also updates:
3.18
to 3.19
v1.20
to v1.21
v1.28
to v1.29
Thanks to:
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Manuel Rüger>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<Jason Piper>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<Martin -nexus- Mlynář>
<dependabot[bot]>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
Published by github-actions[bot] 12 months ago
Fixes a major bug for single stack systems in the service proxy controller. Additionally adds a warning between release v2.0.0 - v2.1.0 about breaking changes.
<Aaron U'Ren>
<Aaron U'Ren>
<dependabot[bot]>
<Aaron U'Ren>
Published by github-actions[bot] about 1 year ago
kube-router v2.0.0 is a major release that the project has been working on for almost a year. We're very excited to finally enable some long-requested features.
Its worth noting, that almost 50% of the existing code base had to be modified in order to bring this release to fruition. We've done testing via the several release candidates that we've released over the last few months (huge thanks to all of the users that engaged that by submitting fixes or reporting bugs), but I'm sure that there are still a few out there that we haven't caught yet.
The project recommends that users approach deploying this release to their production critical clusters with caution. If you do find a bug, please open a new GitHub Issue with the Report a v2.0.0 Release Issue
issue type so that we can resolve it as soon as possible.
--run-firewall
, --run-router
, --run-loadbalancer
, & --run-service-proxy
)LoadBalancer
service types (previously kube-router would only perform BGP, firewall, and proxy functionality and users would need to supplement kube-router with something like MetalLB to get IPs from a pool for their LoadBalancer
services)ipip
was supported)You'll also notice that this has been tagged as a major release version. This is due to the fact that there are breaking changes in this version of kube-router that are not backwards compatible with previous versions of kube-router.
Tunnel names have changed, so if you run kube-router with an overlay network (ipip tunnels), you'll want to deploy this update carefully. At this point, the project recommends doing a rolling-reboot of nodes after the application (or as part of) of this release to ensure that unused tunnels are properly cleaned up and don't have a negative impact on traffic flows.
As part of this work, kube-router now needs to be able to get
, list
, and watch
EndpointSlice
objects. Please make sure to update your ClusterRole RBAC before deploying this release if you use kube-router with the --run-service-proxy
functionality enabled or you'll get an error. For examples of this RBAC please see the daemonset examples.
Dual-stack handling is fairly complex and it comes with a few gotchas. Users that want to enable dual-stack features should carefully read the IPv6 / Dual-Stack Support in kube-router documentation to ensure that they fully understand the feature set, requirements, and limitations.
If you want to run the new load balancer controller (e.g. --run-loadbalancer
) kube-router will need some additional RBAC and requires a few environment variables set. See load-balancer allocation docs for more information.
For more information on enabling or migrating to FoU tunneling and any caveats on doing so, please see the Tunnels in kube-router documentation.
Now that kube-router has dual-stack capability, it doesn't make sense to have an annotation that can only represent a single pod CIDR any longer. As such, with this release we are announcing the deprecation of the kube-router.io/pod-cidr
annotation in favor of the new kube-router.io/pod-cidrs
annotation see the IPv6 / Dual-Stack Support in kube-router documentation for more information.
This release also updates:
3.17
to 3.18
v1.19
to v1.20
v1.25
to v1.27
v3.11.0
to v3.17.0
.A release this big would not be possible without an awesome community. Thanks so much to all of the following people that helped play a part in this release: @brandond, @iggy, @whooo, @BoleynSu, @k-raval, @rwagoner, @vadorovsky, @thomasferrandiz, and @mrueg
1c89be87 - feat(go): upgrade 1.20.7 -> 1.20.9 <Aaron U'Ren>
3db03ccf - feat(dep): upgrade all dependencies <Aaron U'Ren>
d2c3858c - feat(goreleaser): upgrade v1.14.1 -> v1.21.2 <Aaron U'Ren>
1a4896f4 - feat(lint): upgrade golangci-lint v1.50.1 -> v1.54.2 <Aaron U'Ren>
678b7129 - fix(ecmp_vip.go): non-local service advertisement <Aaron U'Ren>
1a891c33 - fix(dsr): add family specific link inside pod <Aaron U'Ren>
514a8af7 - fix(dsr): add family for fwmark <Aaron U'Ren>
c92f76aa - fix(service_endpoints_sync.go): use save command <Aaron U'Ren>
9abe20d5 - fix(NSC): compare all pod IPs for endpoint check <Aaron U'Ren>
9f23cf5a - fix(linux_networking.go): add better error messages <Aaron U'Ren>
7ce09a64 - fix(linux_networking.go): don't return err on warn <Aaron U'Ren>
9d63cc68 - feat(debug): add some extra debug at level 3 <Aaron U'Ren>
4c6e19f2 - feat(ipset): consolidate ipset usage across controllers <Aaron U'Ren>
c62e1b79 - feat(linux_networking.go): add more logging info <Aaron U'Ren>
da73dea6 - feat(NSC): use EndpointSlice instead of Endpoints <Aaron U'Ren>
15cd4eb0 - feat(nsc): add more insight into sync steps <Aaron U'Ren>
81bc9e20 - fix(nsc): don't modify netmask during flag setup <Aaron U'Ren>
903466b7 - fix(nsc): fail fast during init <Aaron U'Ren>
25ecb098 - feat(nsc): add dualstack capabilities <Aaron U'Ren>
f397a1f0 - feat: increase log level for save/restore msgs <Aaron U'Ren>
a6cd5b00 - lint(metrics_controller.go): reduce line length <Aaron U'Ren>
68a7d03b - fix: take family metrics out of defer <Aaron U'Ren>
301e856a - fix(NPC): remove redundant assign <Aaron U'Ren>
b06b4f05 - Move ipset restore outside policy loop <Brad Davidson>
e34ef29f - Add additional save/restore metrics <Brad Davidson>
aa107d63 - Make metrics registerer/gathererer replacable <Brad Davidson>
e6f668cb - fix: syntax updates for Go 1.20.X and k8s 1.27 <Aaron U'Ren>
5cf1265f - fix(NRC): prevent adding routes with mixed families <Aaron U'Ren>
bab0d4ff - feat(bgp_policies.go): don't override-nexthop for internal peers <Aaron U'Ren>
afdf553f - add loadbalancer address allocator <Erik Larsson>
7699d165 - doc(tunnels.md): add info about changing live clusters <Aaron U'Ren>
ddf857de - doc(tunnel): add information about tunnels <Aaron U'Ren>
944ab917 - fix(FoU): make more robust <Aaron U'Ren>
bac4ae62 - fix(FoU): add docs, sanity checking, and logic reduction <Aaron U'Ren>
2a57d6c1 - Adding FoU encapsulation over IPIP tunnel : added checks for restart and multi-node cases <Kartik Raval>
6ce37e61 - Support for FoU encapsulation for IPIP tunnel <Kartik Raval>
48610217 - fix(NPC): update IPBlocks to be ipFamily specific <Aaron U'Ren>
f0d7f1e1 - netpol: Fix ipset only containing one IP when port name is used. <Boleyn Su>
384ed97a - fix(bgp_policy): allow for statement add / remove <Aaron U'Ren>
1d5c9ce2 - fix(ecmp_vip): update VIPs based on svc change <Aaron U'Ren>
f5ac980b - fix(bgp_policies.go): return -> continue on family set evaluation <Aaron U'Ren>
3387f5c1 - use JoinHostPort for GRPC listen address <Erik Larsson>
76ffcbdb - add generation of router id based on hash of primary IP <Erik Larsson>
57c9b086 - fix(ecmp_vip.go): ClusterIP -> ClusterIPs <Aaron U'Ren>
fe939782 - feat(bgp_policies_test.go): use different IP ranges <Aaron U'Ren>
31c22ff6 - fix(bgp_policies.go): don't get BGP peers twice <Aaron U'Ren>
06f5f8ba - feat(go): update package version to /v2 <Aaron U'Ren>
e51ee3ae - fix(NPC): add warning for unsupported family <Aaron U'Ren>
4e1679f0 - fix(NPC): don't add chains for missing family <Aaron U'Ren>
a2bb2ba8 - doc(bgp.md): clean up grammar and syntax <Aaron U'Ren>
0ecb51de - fix(NPC/pod): check drop policy on ipv4 & ipv6 <Aaron U'Ren>
367aedf8 - fix(bgp_policies): add empty DS set checking <Aaron U'Ren>
aeb51ba6 - fact(bgp_policies): rename clusterIPPrefixSet -> serviceVIPIPPrefixSet <Aaron U'Ren>
6e038360 - fact(bgp_policies): abstract get DS for GoBGP <Aaron U'Ren>
67254ad2 - fix(ecmp_vip): handle ipv4 & ipv6 protocols <Aaron U'Ren>
5f952e0f - test(bgp_policies_test): add local address <Aaron U'Ren>
ec12fda8 - fix(node): do nil checking on FindBestIP util funcs <Aaron U'Ren>
5d7f62c5 - fix(NRC): ensure local addr IP is bindable early <Aaron U'Ren>
67abc4b8 - fix(bgp_peers): adv. AfiSafi based on capabability <Aaron U'Ren>
c491bcb4 - fix(bgp_peers): do peer only if IP protos match <Aaron U'Ren>
0023dedc - fix(NRC): error when nec. host IP not found <Aaron U'Ren>
4f284be5 - fix(NRC): add IPv6 logic to bgp-local-addresses <Aaron U'Ren>
51f46964 - feat(ci): run CI on version prep branches and MRs <Aaron U'Ren>
b3e07682 - fix(options): make clusterIP specification similar to other options <Aaron U'Ren>
a31511d9 - fix(NPC): actually separate chain indices for ipv4 / ipv6 <Aaron U'Ren>
096da81f - fact(NPC): pluralize newIPTablesHandler <Aaron U'Ren>
ddb0e63c - feat(NRC): make NRC dual stack <Aaron U'Ren>
01f2ff2a - fact(NRC): convert BGP set names to const <Aaron U'Ren>
85cecb6e - feat(pod_cidr): handle multiple pod CIDRs <Aaron U'Ren>
c18d811f - fix(kube-router.go): metric message -> not error <Aaron U'Ren>
3db482be - fix(NPC): separate chain indices for ipv4 / ipv6 <Aaron U'Ren>
9d2b3c72 - fix(node.go): make node address errors more helpful <Aaron U'Ren>
d7e2a146 - fix golangci issues <Thomas Ferrandiz>
12561f9f - fix test compilation error <Thomas Ferrandiz>
e5f272e9 - go mod <Thomas Ferrandiz>
76e5d20c - use createGenericHashIPSet <Thomas Ferrandiz>
b3dcaa08 - rename utilsnet import to netutils <Thomas Ferrandiz>
4256a607 - syncPodFirewallChains: loop on all NodeIp to find the pods running on a given Node - Load PodIp in podInfo struct and use it instead of pod.ips[0].IP <Thomas Ferrandiz>
92e91df9 - refactor whitelisting of cluster IP Range <Thomas Ferrandiz>
6fea9c2d - Validate that ClusterIP service range type matches the configuration and update documentation <Thomas Ferrandiz>
16d3cd18 - godoc update <Thomas Ferrandiz>
d1f3839b - remove redundant default value <Thomas Ferrandiz>
d6dcf767 - rename Adresses <Thomas Ferrandiz>
26d06c40 - Turn IPTablesSaveRestore into an interface <Thomas Ferrandiz>
3839ec1d - init iptablesCmdHandlers and ipSetHandlers inside NewNetworkPolicyController <Thomas Ferrandiz>
5b7da83c - disable ipv6 by default <Thomas Ferrandiz>
5d04a9fd - netpol: Add dual-stack support <Michal Rostecki>
08f05a80 - fix(moq): chown generated moqs <Aaron U'Ren>
ee85441c - fix(moq): remove previous moqs before generation <Aaron U'Ren>
4556aa3b - fix(lint): convert sh -> bash <Aaron U'Ren>
3c16d3cd - feat(close_stale.yml): increase operations 30 -> 100 <Aaron U'Ren>
0d12e617 - feat(close_stale.yml): add workflow for closing stale issues & PRs <Aaron U'Ren>
b084c2ae - fix: available typo <guoguangwu>
82cd7c97 - build(deps): bump github.com/aws/aws-sdk-go from 1.44.334 to 1.45.1 <dependabot[bot]>
16474cf9 - build(deps): bump github.com/aws/aws-sdk-go from 1.44.332 to 1.44.334 <dependabot[bot]>
0110d1d3 - Partially revert riscv64 support <Manuel Rüger>
9805c79b - Makefile: Bump go + alpine as well <Manuel Rüger>
ade98d6b - Bump go 1.20 + k8s 1.27 <Manuel Rüger>
e7a521a0 - feat(ci.yml): add ppc64le and riscv64 to ci <Aaron U'Ren>
8b76e9c5 - Add RISC-V 64 support <Iggy Jackson>
70defa4d - build(deps): bump github.com/aws/aws-sdk-go from 1.44.313 to 1.44.332 <dependabot[bot]>
8de9b641 - build(deps): bump golang.org/x/net from 0.12.0 to 0.14.0 <dependabot[bot]>
d6a4045d - doc(ipv6): add differences in --override-nexthop <Aaron U'Ren>
85bcde85 - build(deps): bump github.com/coreos/go-iptables from 0.6.0 to 0.7.0 <dependabot[bot]>
099664a7 - build(deps): bump github.com/aws/aws-sdk-go from 1.44.309 to 1.44.313 <dependabot[bot]>
9372d620 - build(deps): bump github.com/osrg/gobgp/v3 from 3.16.0 to 3.17.0 <dependabot[bot]>
c50bdfc3 - build(deps): bump github.com/onsi/gomega from 1.27.7 to 1.27.10 <dependabot[bot]>
98479d8d - build(deps): bump github.com/aws/aws-sdk-go from 1.44.308 to 1.44.309 <dependabot[bot]>
64784c40 - build(deps): bump google.golang.org/grpc from 1.56.2 to 1.57.0 <dependabot[bot]>
b900acbf - .github: Add github-actions dependabot config <Manuel Rüger>
fb37a647 - build(deps): bump golang.org/x/net from 0.10.0 to 0.12.0 <dependabot[bot]>
a42466a8 - build(deps): bump google.golang.org/grpc from 1.56.1 to 1.56.2 <dependabot[bot]>
371a3a83 - build(deps): bump github.com/osrg/gobgp/v3 from 3.14.0 to 3.16.0 <dependabot[bot]>
09940db7 - build(deps): bump github.com/aws/aws-sdk-go from 1.44.273 to 1.44.308 <dependabot[bot]>
5d39fe05 - build(deps): bump github.com/prometheus/client_golang <dependabot[bot]>
68e0fe5b - build(deps): bump k8s.io/cri-api from 0.27.2 to 0.27.4 <dependabot[bot]>
1701f9c7 - build(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.4 <dependabot[bot]>
d5fcc784 - build(deps): bump github.com/docker/docker <dependabot[bot]>
7a3a495a - build(deps): bump google.golang.org/protobuf from 1.30.0 to 1.31.0 <dependabot[bot]>
dd3b75a0 - build(deps): bump github.com/docker/docker <dependabot[bot]>
Published by github-actions[bot] about 1 year ago
The big headline of this release is support for dual-stack capabilities in the Network Services Controller (--proxy
option). This was the last major outstanding feature milestone that was left to round out the v2.0.0 release. Now the entire kube-router code base has support for dual-stack capabilities.
As part of this work, kube-router now needs to be able to get
, list
, and watch
EndpointSlice
objects. Please make sure to update your ClusterRole RBAC before deploying this release if you use kube-router with the --proxy
functionality enabled or you'll get an error. For examples of this RBAC please see the daemonset examples from the prep-v2.0 branch.
I want to make this release candidate available for the community to test for the next 1 - 2 weeks, and get a chance to resolve any open issues. After this, if the release candidate is stable, I'll merge the prep-v2.0
branch to master
and make an official v2.0.0
release. This release has been a long time in coming and I'm excited to get it out there! A huge thanks to everyone that has helped test it and contributed to it!
Additionally, this release fixed a significant performance regression with Network Policies that was introduced in the v2.0.0 codebase during dual-stack implementation.
This release also updates Go from 1.19
to 1.20
and adds support for Kubernetes v1.27
. We also upgraded our Alpine base version from 3.17
to 3.18
and GoBGP from v3.11.0
to v3.17.0
.
Big thanks goes to @brandond (and the k3s project) for finding and fixing the Network Policy performance issues and also adding additional metrics to the Network Policy Controller for increased observability.
Thanks @iggy for adding RISC-V 64 support for kube-router binaries. We are not yet building official container images for RISC-V 64 because Alpine doesn't yet officially support it, but when they do we'll enable container builds for RISC-V64 as well.
65ac87d4 - fix(ecmp_vip.go): non-local service advertisement <Aaron U'Ren>
d7806879 - fix(dsr): add family specific link inside pod <Aaron U'Ren>
907565d8 - fix(dsr): add family for fwmark <Aaron U'Ren>
9e865352 - fix(service_endpoints_sync.go): use save command <Aaron U'Ren>
4761bbb5 - fix(NSC): compare all pod IPs for endpoint check <Aaron U'Ren>
6758598f - fix(linux_networking.go): add better error messages <Aaron U'Ren>
b2d2b59b - fix(linux_networking.go): don't return err on warn <Aaron U'Ren>
d2ae639f - feat(debug): add some extra debug at level 3 <Aaron U'Ren>
a3c56949 - feat(ipset): consolidate ipset usage across controllers <Aaron U'Ren>
854440d9 - feat(linux_networking.go): add more logging info <Aaron U'Ren>
327e894c - feat(NSC): use EndpointSlice instead of Endpoints <Aaron U'Ren>
f8d9812c - feat(nsc): add more insight into sync steps <Aaron U'Ren>
b03f3b75 - fix(nsc): don't modify netmask during flag setup <Aaron U'Ren>
859658ab - fix(nsc): fail fast during init <Aaron U'Ren>
d4250779 - feat(nsc): add dualstack capabilities <Aaron U'Ren>
56cd602a - feat: increase log level for save/restore msgs <Aaron U'Ren>
2d4ad45e - lint(metrics_controller.go): reduce line length <Aaron U'Ren>
a1db5175 - fix: take family metrics out of defer <Aaron U'Ren>
fc34ae55 - fix(NPC): remove redundant assign <Aaron U'Ren>
bbcedc83 - Move ipset restore outside policy loop <Brad Davidson>
92201bb7 - Add additional save/restore metrics <Brad Davidson>
df7905bd - Make metrics registerer/gathererer replacable <Brad Davidson>
d3ecb4e3 - fix: syntax updates for Go 1.20.X and k8s 1.27 <Aaron U'Ren>
08f05a80 - fix(moq): chown generated moqs <Aaron U'Ren>
ee85441c - fix(moq): remove previous moqs before generation <Aaron U'Ren>
4556aa3b - fix(lint): convert sh -> bash <Aaron U'Ren>
3c16d3cd - feat(close_stale.yml): increase operations 30 -> 100 <Aaron U'Ren>
0d12e617 - feat(close_stale.yml): add workflow for closing stale issues & PRs <Aaron U'Ren>
b084c2ae - fix: available typo <guoguangwu>
82cd7c97 - build(deps): bump github.com/aws/aws-sdk-go from 1.44.334 to 1.45.1 <dependabot[bot]>
16474cf9 - build(deps): bump github.com/aws/aws-sdk-go from 1.44.332 to 1.44.334 <dependabot[bot]>
0110d1d3 - Partially revert riscv64 support <Manuel Rüger>
9805c79b - Makefile: Bump go + alpine as well <Manuel Rüger>
ade98d6b - Bump go 1.20 + k8s 1.27 <Manuel Rüger>
e7a521a0 - feat(ci.yml): add ppc64le and riscv64 to ci <Aaron U'Ren>
8b76e9c5 - Add RISC-V 64 support <Iggy Jackson>
70defa4d - build(deps): bump github.com/aws/aws-sdk-go from 1.44.313 to 1.44.332 <dependabot[bot]>
8de9b641 - build(deps): bump golang.org/x/net from 0.12.0 to 0.14.0 <dependabot[bot]>
Published by github-actions[bot] about 1 year ago
Adds a new controller for kube-router which allows it to do IP address allocation for load-balancer type services. Previously, one had to use something like MetalLB for this functionality, now kube-router is able to handle this itself. See load-balancer allocation docs for more information.
Huge thanks to @whooo for contributing the load-balancer allocation code
55efa331 - fix(NRC): prevent adding routes with mixed families <Aaron U'Ren>
77009153 - feat(bgp_policies.go): don't override-nexthop for internal peers <Aaron U'Ren>
c94ff7cf - add loadbalancer address allocator <Erik Larsson>
Published by github-actions[bot] about 1 year ago
Updates dependencies and incorporates a bug fix from the mainline branch where advertisement annotations were not being evaluated correctly.
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<Manuel Rüger>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<Aaron U'Ren>
Published by github-actions[bot] over 1 year ago
It has been a long time since we've done a minor release from the main stable development branch (May of 2022 if you can believe it). This release is less about features and more about bringing a bunch of dependency updates into a stable release.
Special thanks to @juchem, @KSauter, & @tamihiro for their contributions on this release!
Excludes bugfixes that were already present on the 1.5.X release line
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<dependabot[bot]>
<Aaron U'Ren>
<Aaron U'Ren>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<Manuel Rüger>
<dependabot[bot]>
<dependabot[bot]>
<Manuel Rüger>
<Manuel Rüger>
<Kevin Sauter>
<Kevin Sauter>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<Aaron U'Ren>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<Manuel Rüger>
<Manuel Rüger>
<Manuel Rüger>
<Aaron U'Ren>
<Tamihiro Lee>
<Aaron U'Ren>
<dependabot[bot]>
<dependabot[bot]>
<Manuel Rüger>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<Marcelo Juchem>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<dependabot[bot]>
<Manuel Rüger>
Published by github-actions[bot] over 1 year ago
This release updates dependencies (including a switch to using Go 1.20 and Alpine 3.18), addresses some problems with IPv6 ipsets when port names are used, and adds FoU tunneling for environments that cannot support IPIP tunnels directly (cough Azure cough).
For more information on enabling FoU tunneling and any caveats on doing so, please see: https://github.com/cloudnativelabs/kube-router/blob/prep-v2.0/docs/tunnels.md
Special thanks to @whooo, @BoleynSu, & @k-raval for their contributions to this release!
<Erik Larsson>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Kartik Raval>
<Kartik Raval>
<Aaron U'Ren>
<Boleyn Su>
Published by github-actions[bot] over 1 year ago
While this is technically a bug fix release as it is fixing a bug with a long deprecated API, it does have the potential to break clients that are running with DSR configurations on unmaintained versions of cri-o or containerd.
The runtime/v1
release is only compatible with >=cri-o v1.21.0
and >=containerd v1.6.0
. If you don't use DSR, or use the docker-shim, this change won't affect you.
On the converse side of things, this release is needed if you are using >=cri-o v1.26.0
or >=containerd v1.7.0
otherwise DSR will break because the runtime/v1alpha2
support was removed in those versions.
If you are between those two releases for your given container runtime, then both v1.5.3
and v1.5.4
will work for you.
<Aaron U'Ren>
Published by github-actions[bot] over 1 year ago
Addresses more of the bugs that were introduced with the initial IPv6 work. Specifically this addresses issues found with the routing functionality where BGP policies weren't updated under some circumstances and also some cases where VIPs weren't being withdrawn.
Noteably the service controller (--run-service-proxy
) functionality is still missing (#1432).
Please test and let us know if you find any issues so that we can fix them up before cutting a 2.0.0 proper release.
Special thanks to @rwagoner for testing and reporting bugs.
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
Published by github-actions[bot] over 1 year ago
Addresses some of the bugs that were introduced with the initial IPv6 work.
Noteably the service controller (--run-service-proxy
) functionality is still missing (#1432).
Please test and let us know if you find any issues so that we can fix them up before cutting a 2.0.0 proper release.
Special thanks to @whooo for contributing fixes and @rwagoner for testing and reporting bugs.
<Erik Larsson>
<Erik Larsson>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
Published by github-actions[bot] over 1 year ago
This is a pre-release or release candidate for the upcoming v2.0.0 release of kube-router. The most prominent feature of this release is the addition of dual-stack support for some parts of kube-router. With this release candidate, the following functions have been upgraded to be dual-stack compatible:
The major outlier here being the Proxy (--run-service-proxy)
portion of kube-router has not had dual-stack support integrated yet. Also, this represents a major refactor on the kube-router code base, so it would be good to get this tested in at least a few different environments before forming a full release.
You'll also notice that this has been tagged as a major release version. This is due to the fact that there are breaking changes in this version of kube-router that are not backwards compatible with previous versions of kube-router. Specifically, tunnel names have changed, so if you run kube-router with an overlay network (ipip tunnels), you'll want to deploy this update carefully. At this point, the project recommends doing a rolling-reboot of nodes after the application of this release candidate to ensure that unused tunnels are properly cleaned up and don't have a negative impact on traffic flows.
More details about this release will be shared in the IPv6 / Dual-Stack documentation page shortly: https://github.com/cloudnativelabs/kube-router/blob/master/docs/ipv6.md
The kube-router project would like to give a big thanks to @vadorovsky and @thomasferrandiz who graciously contributed all of the dual-stack functionality for the Network Policy Controller!
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Aaron U'Ren>
<Thomas Ferrandiz>
<Thomas Ferrandiz>
<Thomas Ferrandiz>
<Thomas Ferrandiz>
<Thomas Ferrandiz>
<Thomas Ferrandiz>
<Thomas Ferrandiz>
<Thomas Ferrandiz>
<Thomas Ferrandiz>
<Thomas Ferrandiz>
<Thomas Ferrandiz>
<Thomas Ferrandiz>
<Thomas Ferrandiz>
<Thomas Ferrandiz>
<Michal Rostecki>
Published by github-actions[bot] almost 2 years ago
Special thanks to Richard Kojedzinszky @rkojedzinszky for contributing to this release!
The above fixes an issues that were generated during the 1.5.X release line where we defaulted the peering address on the kube-router side to the Kubernetes node's primary IP. This secured and simplified the peering interface for most users, but caused issues for some users that wanted to have more control over the peering address from their Kubernetes nodes. User's in this situation can now use the kube-router.io/peer.localips
annotation to define the local IP address that they would like to use for each peer.
Published by github-actions[bot] almost 2 years ago
Special thanks to @makhov and @jnummelin for contributing to this release!
The primary reason for this bug fix was to update Alpine to 3.16 so that we got a more recent version of the iptables user-space binaries in the kube-router container (iptables-1.8.8
). This helps address the issues found by @jnummelin in #1370 where iptables mark
attributes can be lost when the host's user-space version of iptables
is greater than the kube-router container's version.
As per the newly updated docs: https://github.com/cloudnativelabs/kube-router/blob/master/docs/user-guide.md#requirements it is recommended that users who:
--run-firewall
)Keep the host's user-space tooling (e.g. iptables
, ipset
, ipvsadm
, etc.) in sync with the version contained in kube-router's container as much as possible to avoid potential problems with firewall rule data loss.
This will hold true, until there is some resolve to the upstream issue (https://bugzilla.netfilter.org/show_bug.cgi?id=1632) which would help us identify when there might be potential for conflict or loss in the future before writing rules.
Published by github-actions[bot] about 2 years ago
8a17e3e1
- fix(NSC): don't check protocol on DSR svcs (21 minutes ago) <Aaron U'Ren>422edd29
- fix(ipset): remove initval during ipset parse (21 minutes ago) <Aaron U'Ren>86aa942a
- fix(bgp): set graceful restart on enabled family (21 minutes ago) <Aaron U'Ren>b0da24c4
- fix: remove multiple MTU reductions (22 minutes ago) <Aaron U'Ren>Special thanks to @opipenbe & @camrossi for finding and reporting issues
Published by mrueg over 2 years ago
Full Changelog: https://github.com/cloudnativelabs/kube-router/compare/v1.4.0...v1.5.0