Support multiple CIDR addresses for the pod SDN

[JacobTanenbaum]

Work in progress PR for multiple CIDR address work. addresses can be defined in the master config file by

networkConfig:
  clusterNetworkCIDR: ""
  clusterNetworkConfig:
  - clusterNetworkCIDR: 10.128.0.0/28
  - clusterNetworkCIDR: 12.128.0.0/28
  externalIPNetworkCIDRs: null

or by passing a comma seporated list of them on the command line using --network-cidr="10.128.0.0/28,12.128.0.0/28"

besides general review - I could use some feedback on how to do a few things

• How should I deal with a config file that defined ClusterNetworkCIDR the old way?

• In pkg/sdn/plugin/master.go there where checks to see if the cluster cidr was shrunk, I don't think that check is still required. It should be valid to break a large cluster cidr into it's smaller components. Is checking that all objects are allocated in defined places enough? As done by checkclusterobjects() in pkg/sdn/plugin/common.go

• I need to change oc get clusternetwork to show a comma separated list

• finish the unit testing

review of the work so far and input on the above questions are appreciated
@knobunc @dcbw @danwinship @rajatchopra

[danwinship]

addresses can be defined in the master config file by

networkConfig:
  clusterNetworkCIDR: ""
  clusterNetworkConfig:
  - clusterNetworkCIDR: 10.128.0.0/28
  - clusterNetworkCIDR: 12.128.0.0/28

Hm... Is there any reason you did it that way? It seems like it would be nicer to just have

clusterNetworkCIDRs:
- 10.128.0.0/28
- 12.128.0.0/28

aka

clusterNetworkCIDRs: [ "10.128.0.0/28", "12.128.0.0/28" ]

How should I deal with a config file that defined ClusterNetworkCIDR the old way?

Treat it the same as if it was defined the new way, but with only a single CIDR range

In pkg/sdn/plugin/master.go there where checks to see if the cluster cidr was shrunk, I don't think that check is still required. It should be valid to break a large cluster cidr into it's smaller components. Is checking that all objects are allocated in defined places enough? As done by checkclusterobjects() in pkg/sdn/plugin/common.go

Yes, that sounds right. Make sure the nodes do the right thing on restart as well.

[knobunc]

@openshift/networking

[knobunc]

@danwinship the reason he did it that way is because we will shortly need to accommodate hot-resizing the subnets (or even supporting a way to have different size host subnets per range, perhaps with a way to label the subnets so different nodes can deliberately have different allocations).

[pecameron]

Just a quick pass through. I am learning about this as I go so not certain if this is at all helpful.

[pecameron]

doing them all on one line will mess up the report. I assume that people that like this feature will have a pretty fragments IP space.

[pravisankar]

Yes, it will be hard to read when there are several cidrs. May be one row for each cidr?

for _, cidr := range n.ClusterDef {
   , err := fmt.Fprintf(w, "%s\t%s\t%d\t%s\t%s\n", name, cidr. ...)
}

[pecameron]

might mention that this is a list of cidrs that define the global overlay network's L3 space

[pecameron]

So this is the minimum value that can be in the cidr list above. Might comment about this above.

[pecameron]

In addition to contains, should check for first contained in second (unless second can't be larger than first). Should we check overlap with other defined spaces (service, exportIP, ...)?

[pecameron]

test out of range (> 255) in IP field.
test mask (/xx) > 32, or < min size (at least as big as HostSubnetLength)
test overlap with other well defined spaces (service ip, external ip,...)
I think overlap can be either contained within or contained by.

[pecameron]

bad network also 10.a.0.0/16, 10.256.0.0 and 0.0.0.0/33.

[pecameron]

Isn't this contains the second or is contained in the second?

[pecameron]

I think you need to check each cidr with all other cidrs (except for itself). How many cidrs do we support?

[pravisankar]

Yes, this is needed. Do we want to restrict number of cidrs that we support? If users specify single IPs or sparse cidrs, this could be huge.

[JacobTanenbaum]

What do you mean check each cidr with all other cidrs?

[pravisankar]

This is to verify there is no overlap between the given cidrs, otherwise pods may end up with same IPs.

[pecameron]

"in" ?

[pecameron]

Do we care about externalIP and load balancer IP here?

[danwinship]

looks good as a first draft

[danwinship]

I'd probably go with just ClusterNetworks.

It would be nice if we could get rid of the old ClusterNetworkCIDR field, but I'm not sure how backward-compat works with startup config objects. Old master-config.yaml files need to keep working though, so whatever that requires...

[danwinship]

Maybe just CIDR? You've already got ClusterNetwork in the struct name and field name...

Also, if the plan is to eventually have per-network HostSubnetLength values, I think we should add that here now; if we don't support different values yet, you can just add code to make sure every ClusterNetworkEntry has the same value.

(Also, if we're tweaking HostSubnetLength handling, we might want to consider renaming it and flipping the math around; the fact that it counts bits from the end of the IP address rather than the start is confusing. (Eg, HostSubnetLength of 9 means each node gets a /23 subnet (32 - 9 = 23). I think it would be clearer for most users if the config option was "23" rather than "9".

[pravisankar]

+1 on CIDR.
If you plan to do global/local HostSubnetLength field that I was suggesting, then.

type ClusterNetworkEntry struct {
      ClusterNetworkCIDR string
      HostSubnetLength     uint32
}

[danwinship]

You need to pass an array containing all of the clusternetwork cidr values and the servicenetwork cidr value

[danwinship]

https://github.com/kubernetes/community/blob/master/contributors/devel/api_changes.md has some information on changing kubernetes API objects, and in particular discusses the backward-compatibility snafus that come with trying to turn a single-element field into an array... (The "API Conventions" link near the top of that document is also filled with useful information about how kubernetes APIs work.)

The easiest way to make this work backward-compatibly would be to say that the "default"/first network is still specified by the Network and HostSubnetLength fields, but the 2nd to Nth networks are part of a new array field (which could be called AdditionalNetworks or something like that).

You need a doc comment above the field, and between the doc comment and the actual declaration should be

// +optional

to indicate that it's an optional field

[danwinship]

same comments as in pkg/cmd/server/api/types.go above

[danwinship]

The "unversioned" ClusterNetwork type (the one in pkg/sdn/api/types.go, as opposed to pkg/sdn/api/v1/types.go) is an internal-only object, not part of the API, so it is not subject to backward-compatibility rules. So you could get rid of the old Network and HostSubnetLength fields here and only have the new array.

The one catch with this is that if the unversioned type and the v1 type aren't identical, then you'll need to add some hand-written conversion functions, but this isn't difficult. There are no examples in pkg/sdn/api but you can see examples in other API groups (eg, pkg/image/api/v1/conversion.go).

[danwinship]

same comments as in pkg/cmd/server/api/types.go above

[pravisankar]

With multiple cluster network CIDR support, hostsubnet length don't need to be same for each CIDR. We may not add this support immediately but it will be nice if we can make the config compatible with the future change that is more likely to be added.

How about this master config?

clusterNetworkCIDR:   (deprecate this one)
hostSubnetLength: 2   (global)
clusterNetworkCIDRs:
    - CIDR: 10.128.0.0/28
      hostSubnetLength: 2   (local)
    - CIDR: 12.128.0.0/28
      hostSubnetLength: 2

• If local hostSubnetLength field is not set, apply the global hostSubnetLength (during default conversions)
• If global and any of the local hostSubnetLength fields (if set) are not matching, bail out with an error similar to 'different host subnet lengths for cluster network cidrs are not currently supported'.

How should I deal with a config file that defined ClusterNetworkCIDR the old way?
I have deprecated/renamed fields in master/node config before (retaining backward compatibility),
you can check these PRs for reference:
6557c81
4663c08

[pravisankar]

This was discussed in #13726

[pravisankar]

My understanding is command line arguments is for simple/essential use cases and complex use cases need to be specified in configuration file. If we treat multiple cidr use case as complex then we don't need to support command line args.
Supporting comma separated list here makes it harder to specify different hostsubnetLength for each cidr later.

[pravisankar]

Needs to add protobuf tag

[pravisankar]

Check the error (similar to cidr2 below)

[pravisankar]

Not needed, condition below covers this check.

[JacobTanenbaum]

@danwinship @knobunc @pravisankar Should I change the math for hostSubnetLength field? Won't that How could we upgrade a config from the old math to the new math for hostsubnetlength?

[pravisankar]

From the stand point of user using multiple cidr, with the current implementation user may not use a cidr because it conflicts with global HostSubnetLength (they don't have enough bits in the cidr to allocate for the pod). I feel cidr and hostSubnetLength go hand in hand. Why don't we work on supporting multiple cidr and hostsubnetLength per cidr? This will remove some of these limitations and will avoid unnecessary migration later on.

@openshift/networking

[JacobTanenbaum]

@danwinship @pravisankar is this moving in the right direction? I deprecated the global hostsubnetlength field and added one per cidr. I also changed it so only one could be defined on the cli and others need to be added to the config

[knobunc]

/lgtm

[pravisankar]

/lgtm

[smarterclayton]

Use the external field name - a user won't have any idea what "DeprecatedClusterNetworkCIDR" is without looking at the go code. In general, always use external field names in thees docs, no exceptions.

[smarterclayton]

My comments got lost AGAIN. Basically you can't use external names here. Use the names as they would appear in JSON. Users only see this from the API and documentation, they never see the go code, so the names in Go are meaningless.

clusterNetworkCIDR and hostSubnetLength are the names they see

[knobunc]

@smarterclayton Ok, good to go?

[JacobTanenbaum]

/test cmd

[smarterclayton]

API approved

[knobunc]

/lgtm

@smarterclayton would you approve this please too? Thanks

[eparis]

/approve

[openshift-merge-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: eparis, knobunc, pravisankar

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• OWNERS [eparis]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[openshift-ci-robot]

@JacobTanenbaum: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/openshift-jenkins/check	d758c79	link	/test check

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[JacobTanenbaum]

flake #16414 /retest

[eparis]

/retest

[openshift-merge-robot]

Automatic merge from submit-queue (batch tested with PRs 14558, 16544).