Summary
This release fixes a lot of issues that have been present since the release of v2.0.0. Adoption of v2.0.0 has been slow, and only recently have users begun reporting some of the issues related to dual-stack configurations.
The big additions for this release include:
- Fixing broken compatibility with iptables-legacy systems experienced with the upstream kube-router container since version v2.1.0 (which is when Alpine 3.19 was introduced). There are now tests to ensure that this type of regression doesn't happen again.
- Fixes IPv6 network policy, which has been substantially broken since v2.0.0. When IPv6 network policy was introduced, it was missed that iptables statements need to reference the IPv6 ipsets via the `inet6` prefix in order to use them correctly. As such, most network policies were not applied correctly.
- kube-router no longer activates the hairpin controller that was introduced in v2.1.0, instead relying on users correctly configuring their CNI with `hairpinMode: true` (see https://www.kube-router.io/docs/user-guide/#hairpin-mode for more details).
- Adds fallback logic for referencing `rt_tables`, the path of which changed in iproute2 v6.5.0 and above. Users who have newer systems, enable DSR, and run kube-router within a container should check that this file is mounted correctly within the kube-router container.
- kube-router no longer tries and fails to enter pods to set up DSR for pods that are not scheduled on its node.
- kube-router no longer tries and fails to set up DSR for pods that are part of the host's network.
- Fixes `--cleanup-config` mode, which has been broken since v2.0.0 (please see the docs for updated examples of how to run this from within a container).
Special Note for Users that Run Hairpin Mode Enabled Services
If you use hairpin mode, either as a service annotation or as a CLI parameter to kube-router, we recommend that you check your CNI configuration file to ensure that you are setting `"hairpinMode":true` on the bridge CNI plugin. This is the only way that hairpin mode will work correctly: the previous hairpin controller built into kube-router has now been disabled, as it was a tricky implementation and had significant problems with irregular containers.
If you find that you need to add this to your CNI config file, please ensure that kubelet has been restarted, and that any pods that rely on hairpinning have been restarted as well.
See https://www.kube-router.io/docs/user-guide/#hairpin-mode for more information.
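The check recommended above can be scripted. The following is an added example, not code from kube-router: it parses a CNI config (a `.conflist` with a `plugins` array or a single-plugin `.conf`) and reports every bridge plugin whose `hairpinMode` is not the JSON boolean true. The sample config and the function names are constructed for illustration.

```python
import json

# Constructed sample conflist (not from the release notes): a bridge plugin
# without hairpinMode, followed by a chained non-bridge plugin.
SAMPLE_CONFLIST = """
{
  "cniVersion": "0.3.0",
  "name": "mynet",
  "plugins": [
    {"name": "kubernetes", "type": "bridge", "bridge": "kube-bridge",
     "isDefaultGateway": true, "ipam": {"type": "host-local"}},
    {"type": "portmap", "capabilities": {"portMappings": true}}
  ]
}
"""


def bridge_plugins(config):
    """Yield bridge plugin entries from a .conflist or a single-plugin .conf."""
    plugins = config.get("plugins")
    if plugins is None:  # single-plugin .conf: the top-level object is the plugin
        plugins = [config]
    for plugin in plugins:
        if isinstance(plugin, dict) and plugin.get("type") == "bridge":
            yield plugin


def hairpin_findings(text):
    """Return one finding per bridge plugin whose hairpinMode is not JSON true."""
    findings, found_bridge = [], False
    for plugin in bridge_plugins(json.loads(text)):
        found_bridge = True
        value = plugin.get("hairpinMode")
        # Only the JSON boolean true passes; a missing key, false, or a
        # quoted "true" string is reported.
        if value is not True:
            label = plugin.get("bridge") or plugin.get("name") or "<unnamed>"
            state = "missing" if value is None else json.dumps(value)
            findings.append(f"bridge plugin {label}: hairpinMode is {state}, expected true")
    if not found_bridge:
        findings.append("no bridge plugin found in this CNI config")
    return findings


if __name__ == "__main__":
    for line in hairpin_findings(SAMPLE_CONFLIST) or ["ok: hairpinMode is true"]:
        print(line)
```

An empty result means every bridge plugin in the file enables hairpin mode; the kubelet and pod restarts described above are still needed after changing the file.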
Contributions
A big thanks to @elchenberg & @xujunjie-cover for contributing fixes for this release!
Changelog
- e42792f - kubeadm-kuberouter-all-features-dsr.yaml: update to include hairpinMode
<Aaron U'Ren>
- 317c754 - fix(hairpin): rely on CNI hairpin mode
<Aaron U'Ren>
- 9d9b796 - fix(service_endpoints_sync): bail out of DSR when HostNetwork detected
<Aaron U'Ren>
- a633849 - feat(NSC.utils): add getPodListForService & getServiceForServiceInfo
<Aaron U'Ren>
- b270750 - fact: nsc.getPodObjectForEndpoint -> nsc.getPodObjectForEndpointIP
<Aaron U'Ren>
- 567c891 - fix(linux_networking): add more information to errors
<Aaron U'Ren>
- e40f46e - fix(user-guide.md): update cleanup example
<Aaron U'Ren>
- ecaad2c - fix(cleanup): add missing handlers for cleanup
<Aaron U'Ren>
- 7755b4a - fix(node.go): improve logic for GetNodeObject
<Aaron U'Ren>
- d12f422 - fix(policy): generate ipv6 names correctly
<Aaron U'Ren>
- 2c7151b - fix(policy.go): use new utility method ipSetName
<Aaron U'Ren>
- c762eaf - feat(ipset): add more name utilities
<Aaron U'Ren>
- ada3179 - fix: wrong ipset name used by ip6tables.
<xujunjie-cover>
- b423b1f - feat(NSC): ensure rp_filter is set correctly
<Aaron U'Ren>
- af1b07a - fix(service_endpoints_sync.go): error to be indicative of failure type
<Aaron U'Ren>
- 421a113 - fix(DSR): setup DSR inside pod on local eps only
<Aaron U'Ren>
- 886c1d7 - feat(Dockerfile): use iptables-wrapper go binary
<elchenberg>
- 683ef6e - feat(Dockerfile): remove obsolete nsswitch.conf creation
<elchenberg>
- c685f2f - feat(Dockerfile): add checks for required binaries
<elchenberg>
- b1cc158 - fix(Dockerfile): install iptables-legacy package
<elchenberg>
- 4b011db - Fix typo
<Jean-Philippe Evrard>
- 5b4975b - build(deps): bump github.com/osrg/gobgp/v3 from 3.23.0 to 3.25.0
<dependabot[bot]>
- f37444f - build(deps): bump golang.org/x/net from 0.22.0 to 0.24.0
<dependabot[bot]>
- 8ab6f49 - build(deps): bump google.golang.org/grpc from 1.62.0 to 1.63.2
<dependabot[bot]>
- bd640c3 - build(deps): bump github.com/aws/aws-sdk-go from 1.51.11 to 1.51.21
<dependabot[bot]>
- 1bae5d5 - build(deps): bump actions/stale from 8 to 9
<dependabot[bot]>
- b1f7b9a - build(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0
<dependabot[bot]>
- 58fe139 - build(deps): bump github.com/onsi/gomega from 1.31.1 to 1.32.0
<dependabot[bot]>
- 5c871a5 - build(deps): bump docker/setup-buildx-action from 2 to 3
<dependabot[bot]>
- 5fc2914 - build(deps): bump github.com/aws/aws-sdk-go from 1.51.2 to 1.51.11
<dependabot[bot]>
- a737576 - build(deps): bump docker/login-action from 2 to 3
<dependabot[bot]>
- 260759f - build(deps): bump actions/setup-go from 4 to 5
<dependabot[bot]>
- 1db3438 - fix: rt_tables -> rt-tables in daemonset examples
<Aaron U'Ren>
- 7092060 - fix(rt_tables): add path fallback logic
<Aaron U'Ren>
- 7f67791 - build(deps): bump github.com/docker/docker
<dependabot[bot]>
- 0a2a9d4 - build(deps): bump github/codeql-action from 2 to 3
<dependabot[bot]>
- 614d472 - doc(DSR): add /etc/iproute2/rt_tables caveat
<Aaron U'Ren>
- 1909918 - build(deps): bump the k8s-dependencies group with 4 updates
<dependabot[bot]>
- f9d1528 - build(deps): bump docker/setup-qemu-action from 2 to 3
<dependabot[bot]>
- 603afce - build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0
<dependabot[bot]>
- 49bde6e - build(deps): bump goreleaser/goreleaser-action from 4 to 5
<dependabot[bot]>
- ef10568 - build(deps): bump docker/build-push-action from 4 to 5
<dependabot[bot]>
- 1811ae8 - build(deps): bump github.com/aws/aws-sdk-go from 1.50.30 to 1.51.2
<dependabot[bot]>
- 4818624 - build(deps): bump golang.org/x/net from 0.21.0 to 0.22.0
<dependabot[bot]>
- 8c5bdbf - build(deps): bump actions/checkout from 3 to 4
<dependabot[bot]>
- 785f814 - dependabot: Group kubernetes dependencies
<Manuel Rüger>
- 5bbbd13 - doc(CONTRIBUTING.md): fix relative link
<Aaron U'Ren>
- cff45a6 - docs(index.md): improve styling
<Aaron U'Ren>