fix: disable KubeSpan endpoint harvesting by default

This disables by default (if not specified in the machine config) the
endpoint harvesting for KubeSpan peers.

The idea was to observe Wireguard endpoints as seen by other peers in
the cluster, and add them to the list of endpoints for the node. This
might be helpful only in case of some special type of NATs which are
almost never seen in the wild today.

So disable by default, but keep an option to enable it.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This commit is contained in:
Andrey Smirnov 2024-02-16 15:43:39 +04:00
parent 7b87c7fe97
commit 7ee999f8a3
No known key found for this signature in database
GPG Key ID: FE042E3D4085A811
8 changed files with 27 additions and 14 deletions

@ -106,6 +106,22 @@ Use `ExtensionServiceConfig` instead.
description = """\
The command `talosctl upgrade-k8s` now supports specifying custom image references for Kubernetes components via `--*-image` flags.
The default behavior is unchanged, and the flags are optional.
"""
[notes.kubespan]
title = "KubeSpan"
description = """\
Talos Linux disables by default a KubeSpan feature to harvest additional endpoints from KubeSpan members.
This feature turned out to be less helpful than expected and caused unnecessary performance issues.
Previous behavior can be restored with:
```yaml
machine:
network:
kubespan:
harvestExtraEndpoints: true
```
"""
[make_deps]
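Review bot: the `[notes.kubespan]` entry says the feature "caused unnecessary performance issues" without saying at what scale, while the config description changed in the same commit ties the problem to more than 50 peers; state that threshold here so operators who restore the old behaviour with `harvestExtraEndpoints: true` know when it is inadvisable. Also, in this rendering the `machine:`, `network:` and `kubespan:` keys of the YAML snippet appear flush-left; confirm the nested indentation is intact in the file, since readers will copy this block verbatim.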

@ -60,6 +60,7 @@ func (suite *ConfigSuite) TestReconcileConfig() {
suite.Assert().Equal("I+1In7fLnpcRIjUmEoeugZnSyFoTF6MztLxICL5Yu0s=", spec.SharedSecret)
suite.Assert().True(spec.ForceRouting)
suite.Assert().False(spec.AdvertiseKubernetesNetworks)
suite.Assert().False(spec.HarvestExtraEndpoints)
return nil
},
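Review bot: the new assertion `suite.Assert().False(spec.HarvestExtraEndpoints)` only pins the default for a config that leaves the field unset. Since the commit deliberately keeps the option, add a second fixture with `harvestExtraEndpoints: true` and assert `True` on the resulting spec so the opt-in path cannot regress silently.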

@ -2725,9 +2725,9 @@
"harvestExtraEndpoints": {
"type": "boolean",
"title": "harvestExtraEndpoints",
"description": "KubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is enabled by default to help discover additional endpoints,\nbut with high number of peers (\u0026gt;50) in the KubeSpan network it can cause performance issues.\n",
"markdownDescription": "KubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is enabled by default to help discover additional endpoints,\nbut with high number of peers (\u003e50) in the KubeSpan network it can cause performance issues.",
"x-intellij-html-description": "\u003cp\u003eKubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is enabled by default to help discover additional endpoints,\nbut with high number of peers (\u0026gt;50) in the KubeSpan network it can cause performance issues.\u003c/p\u003e\n"
"description": "KubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is disabled by default, dont enable it\nwith high number of peers (\u0026gt;50) in the KubeSpan network (performance issues).\n",
"markdownDescription": "KubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is disabled by default, don't enable it\nwith high number of peers (\u003e50) in the KubeSpan network (performance issues).",
"x-intellij-html-description": "\u003cp\u003eKubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is disabled by default, don\u0026rsquo;t enable it\nwith high number of peers (\u0026gt;50) in the KubeSpan network (performance issues).\u003c/p\u003e\n"
},
"mtu": {
"type": "integer",
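Review bot: the plain `description` string reads `dont enable it` while `markdownDescription` reads `don't enable it` and `x-intellij-html-description` renders `don\u0026rsquo;t`; if this schema is generated from the Go doc comment, the plain-text variant is dropping the apostrophe and the generator should be checked rather than hand-editing this file. All three variants also need "with a high number of peers" rather than "with high number of peers".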

@ -1118,10 +1118,6 @@ func (k *NetworkKubeSpan) AdvertiseKubernetesNetworks() bool {
// HarvestExtraEndpoints implements KubeSpan interface.
func (k *NetworkKubeSpan) HarvestExtraEndpoints() bool {
if k.KubeSpanHarvestExtraEndpoints == nil {
return true
}
return pointer.SafeDeref(k.KubeSpanHarvestExtraEndpoints)
}
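Review bot: removing the `nil` branch flips the default only because `pointer.SafeDeref` yields the zero value `false` for a nil `*bool`; that is correct but implicit. Add a one-line comment on `HarvestExtraEndpoints` stating that an unset field means disabled, so the next reader does not reintroduce `return true` assuming the nil case was overlooked, and keep the default pinned by the test added in this commit.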

@ -2260,8 +2260,8 @@ type NetworkKubeSpan struct {
// description: |
// KubeSpan can collect and publish extra endpoints for each member of the cluster
// based on Wireguard endpoint information for each peer.
// This feature is enabled by default to help discover additional endpoints,
// but with high number of peers (>50) in the KubeSpan network it can cause performance issues.
// This feature is disabled by default, don't enable it
// with high number of peers (>50) in the KubeSpan network (performance issues).
KubeSpanHarvestExtraEndpoints *bool `yaml:"harvestExtraEndpoints,omitempty"`
// description: |
// KubeSpan link MTU size.
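Review bot: this doc comment on `KubeSpanHarvestExtraEndpoints` is the source for the generated schema, `Doc()` output and website table, so fix the grammar here and regenerate: "This feature is disabled by default; do not enable it with a high number of peers (>50) in the KubeSpan network, as it causes performance issues." The current "don't enable it with high number of peers (>50) in the KubeSpan network (performance issues)" reads as a fragment in every generated copy.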

@ -3569,7 +3569,7 @@ func (NetworkKubeSpan) Doc() *encoder.Doc {
Name: "harvestExtraEndpoints",
Type: "bool",
Note: "",
Description: "KubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is enabled by default to help discover additional endpoints,\nbut with high number of peers (>50) in the KubeSpan network it can cause performance issues.",
Description: "KubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is disabled by default, don't enable it\nwith high number of peers (>50) in the KubeSpan network (performance issues).",
Comments: [3]string{"" /* encoder.HeadComment */, "KubeSpan can collect and publish extra endpoints for each member of the cluster" /* encoder.LineComment */, "" /* encoder.FootComment */},
},
{
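Review bot: `Description` here is generated from the `NetworkKubeSpan` doc comment and inherits its wording; regenerate after fixing the source comment instead of editing this file. Note that the `LineComment` entry intentionally carries only the first sentence, so the grammar issue does not surface in the YAML example output.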

@ -1724,7 +1724,7 @@ machine:
|`enabled` |bool |<details><summary>Enable the KubeSpan feature.</summary>Cluster discovery should be enabled with .cluster.discovery.enabled for KubeSpan to be enabled.</details> | |
|`advertiseKubernetesNetworks` |bool |<details><summary>Control whether Kubernetes pod CIDRs are announced over KubeSpan from the node.</summary>If disabled, CNI handles encapsulating pod-to-pod traffic into some node-to-node tunnel,<br />and KubeSpan handles the node-to-node traffic.<br />If enabled, KubeSpan will take over pod-to-pod traffic and send it over KubeSpan directly.<br />When enabled, KubeSpan should have a way to detect complete pod CIDRs of the node which<br />is not always the case with CNIs not relying on Kubernetes for IPAM.</details> | |
|`allowDownPeerBypass` |bool |<details><summary>Skip sending traffic via KubeSpan if the peer connection state is not up.</summary>This provides configurable choice between connectivity and security: either traffic is always<br />forced to go via KubeSpan (even if Wireguard peer connection is not up), or traffic can go directly<br />to the peer if Wireguard connection can't be established.</details> | |
|`harvestExtraEndpoints` |bool |<details><summary>KubeSpan can collect and publish extra endpoints for each member of the cluster</summary>based on Wireguard endpoint information for each peer.<br />This feature is enabled by default to help discover additional endpoints,<br />but with high number of peers (>50) in the KubeSpan network it can cause performance issues.</details> | |
|`harvestExtraEndpoints` |bool |<details><summary>KubeSpan can collect and publish extra endpoints for each member of the cluster</summary>based on Wireguard endpoint information for each peer.<br />This feature is disabled by default, don't enable it<br />with high number of peers (>50) in the KubeSpan network (performance issues).</details> | |
|`mtu` |uint32 |<details><summary>KubeSpan link MTU size.</summary>Default value is 1420.</details> | |
|`filters` |<a href="#Config.machine.network.kubespan.filters">KubeSpanFilters</a> |<details><summary>KubeSpan advanced filtering of network addresses .</summary><br />Settings in this section are optional, and settings apply only to the node.</details> | |
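Review bot: the `harvestExtraEndpoints` row is generated and carries the same sentence fragment as the source comment; it will be corrected by regenerating after that fix. While regenerating, the unchanged `filters` row reads "network addresses ." with a stray space before the period, which comes from the `KubeSpanFilters` doc comment and is worth cleaning up in the same pass.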

@ -2725,9 +2725,9 @@
"harvestExtraEndpoints": {
"type": "boolean",
"title": "harvestExtraEndpoints",
"description": "KubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is enabled by default to help discover additional endpoints,\nbut with high number of peers (\u0026gt;50) in the KubeSpan network it can cause performance issues.\n",
"markdownDescription": "KubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is enabled by default to help discover additional endpoints,\nbut with high number of peers (\u003e50) in the KubeSpan network it can cause performance issues.",
"x-intellij-html-description": "\u003cp\u003eKubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is enabled by default to help discover additional endpoints,\nbut with high number of peers (\u0026gt;50) in the KubeSpan network it can cause performance issues.\u003c/p\u003e\n"
"description": "KubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is disabled by default, dont enable it\nwith high number of peers (\u0026gt;50) in the KubeSpan network (performance issues).\n",
"markdownDescription": "KubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is disabled by default, don't enable it\nwith high number of peers (\u003e50) in the KubeSpan network (performance issues).",
"x-intellij-html-description": "\u003cp\u003eKubeSpan can collect and publish extra endpoints for each member of the cluster\nbased on Wireguard endpoint information for each peer.\nThis feature is disabled by default, don\u0026rsquo;t enable it\nwith high number of peers (\u0026gt;50) in the KubeSpan network (performance issues).\u003c/p\u003e\n"
},
"mtu": {
"type": "integer",
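Review bot: this second copy of the schema carries the same `dont` / `don't` / `don\u0026rsquo;t` inconsistency as the first; both are generated from the one Go doc comment, so a single fix there plus regeneration covers both files, and no manual edit should be made to either.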