ffdc748861
This change adds support for IPv6 container/pod addresses to the CNI bridge plugin, both for dual-stack (IPv4 + IPv6) and for IPv6-only network configurations. The proposed changes support multiple IPv6 addresses on a container interface. If isGW is configured, the bridge will also be configured with gateway addresses for each IPv6 subnet. Please note that both the dual-stack functionality and support for multiple IPv6 container/gateway addresses depends upon containernetworking/cni PR 451 "ipam/host-local: support multiple IP ranges". This change could potentially be committed independently from this host-local plugin change, however the dual-stack and multiple IPv6 address functionality that is enabled by this change can't be exercised/tested until the host-local plugin change is committed. There are some IPv6 unit test cases that are currently commented out in the proposed changes because these test cases will fail without the prior commits of the multiple IP range host-local change. This pull request includes a temporary workaround for Kubernetes Issue #32291 (Container IPv6 address is marked as duplicate, or dadfailed). The problem is that kubelet enables hairpin mode on bridge veth interfaces. Hairpin mode causes the container/pod to see echos of its IPv6 neighbor solicitation packets, so that it declares duplicate address detection (DAD) failure. The long-term fix is to use enhanced-DAD when that feature is readily available in kernels. The short-term fix is to disable IPv6 DAD in the container. Unfortunately, this has to be done unconditionally (i.e. without a check for whether hairpin mode is enabled) because hairpin mode is turned on by kubelet after the CNI bridge plugin has completed cmdAdd processing. Disabling DAD should be okay if IPv6 addresses are guaranteed to be unique (which is the case for host-local IPAM plugin).
plugins
Some CNI network plugins, maintained by the containernetworking team. For more information, see the individual READMEs.
Plugins supplied:
Main: interface-creating
bridge: Creates a bridge, adds the host and the container to it.ipvlan: Adds an ipvlan interface in the containerloopback: Creates a loopback interfacemacvlan: Creates a new MAC address, forwards all traffic to that to the containerptp: Creates a veth pair.vlan: Allocates a vlan device.
IPAM: IP address allocation
dhcp: Runs a daemon on the host to make DHCP requests on behalf of the containerhost-local: maintains a local database of allocated IPs
Meta: other plugins
flannel: generates an interface corresponding to a flannel config filetuning: Tweaks sysctl parameters of an existing interfaceportmap: An iptables-based portmapping plugin. Maps ports from the host's address space to the container.
Sample
The sample plugin provides an example for building your own plugin.