Add IPv6 support for kindnet

[hakman]

/cc @justinsb @rifelpet @aojea

[k8s-ci-robot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[hakman]

/test ?

[hakman]

/test pull-kops-e2e-cni-kindnet-ipv6

[hakman]

/test pull-kops-e2e-cni-kindnet-ipv6

[aojea]

test failing are related to statefulset that can not be scheduled

I0108 21:02:10.663885 49753 dump.go:53] At 2025-01-08 20:52:09 +0000 UTC - event for datadir-ss-0: {ebs.csi.aws.com_ebs-csi-controller-65dbd65d98-v8sgz_184282f2-0eed-4f1d-b96a-af2e043c46a0 } ProvisioningFailed: failed to provision volume with StorageClass "kops-csi-1-21": rpc error: code = Internal desc = Could not create volume "pvc-1e7a5728-e634-490b-8187-78a1627d64e8": could not create volume in EC2: operation error EC2: CreateVolume, get identity: get credentials: failed to refresh cached credentials, failed to retrieve credentials, operation error STS: AssumeRoleWithWebIdentity, failed to get rate limit token, retry quota exceeded, 0 available, 5 requested

Kubernetes e2e suite: [It] [sig-apps] StatefulSet Basic StatefulSet functionality [StatefulSetBasic] should provide basic identity expand_more10m4s | Kubernetes e2e suite: [It] [sig-apps] StatefulSet Basic StatefulSet functionality [StatefulSetBasic] should provide basic identity expand_more | 10m4s
-- | -- | --
Kubernetes e2e suite: [It] [sig-apps] StatefulSet Basic StatefulSet functionality [StatefulSetBasic] should provide basic identity expand_more | 10m4s
Kubernetes e2e suite: [It] [sig-apps] StatefulSet Basic StatefulSet functionality [StatefulSetBasic] should perform rolling updates and roll backs of template modifications with PVCs expand_more10m4s | Kubernetes e2e suite: [It] [sig-apps] StatefulSet Basic StatefulSet functionality [StatefulSetBasic] should perform rolling updates and roll backs of template modifications with PVCs expand_more | 10m4s
Kubernetes e2e suite: [It] [sig-apps] StatefulSet Basic StatefulSet functionality [StatefulSetBasic] should perform rolling updates and roll backs of template modifications with PVCs expand_more | 10m4s
Kubernetes e2e suite: [It] [sig-apps] StatefulSet Non-retain StatefulSetPersistentVolumeClaimPolicy should delete PVCs after adopting pod (WhenDeleted) expand_more10m4s | Kubernetes e2e suite: [It] [sig-apps] StatefulSet Non-retain StatefulSetPersistentVolumeClaimPolicy should delete PVCs after adopting pod (WhenDeleted) expand_more | 10m4s
Kubernetes e2e suite: [It] [sig-apps] StatefulSet Non-retain StatefulSetPersistentVolumeClaimPolicy should delete PVCs after adopting pod (WhenDeleted) expand_more | 10m4s
Kubernetes e2e suite: [It] [sig-apps] StatefulSet Non-retain StatefulSetPersistentVolumeClaimPolicy should delete PVCs with a WhenDeleted policy expand_more10m5s | Kubernetes e2e suite: [It] [sig-apps] StatefulSet Non-retain StatefulSetPersistentVolumeClaimPolicy should delete PVCs with a WhenDeleted policy expand_more | 10m5s
Kubernetes e2e suite: [It] [sig-apps] StatefulSet Non-retain StatefulSetPersistentVolumeClaimPolicy should delete PVCs with a WhenDeleted policy expand_more | 10m5s
Kubernetes e2e suite: [It] [sig-apps] StatefulSet Basic StatefulSet functionality [StatefulSetBasic] should adopt matching orphans and release non-matching pods expand_more10m4s | Kubernetes e2e suite: [It] [sig-apps] StatefulSet Basic StatefulSet functionality [StatefulSetBasic] should adopt matching orphans and release non-matching pods expand_more | 10m4s
Kubernetes e2e suite: [It] [sig-apps] StatefulSet Basic StatefulSet functionality [StatefulSetBasic] should adopt matching orphans and release non-matching pods expand_more | 10m4s
Kubernetes e2e suite: [It] [sig-apps] StatefulSet Non-retain StatefulSetPersistentVolumeClaimPolicy should not delete PVCs when there is another controller expand_more10m4s | Kubernetes e2e suite: [It] [sig-apps] StatefulSet Non-retain StatefulSetPersistentVolumeClaimPolicy should not delete PVCs when there is another controller expand_more | 10m4s
Kubernetes e2e suite: [It] [sig-apps] StatefulSet Non-retain StatefulSetPersistentVolumeClaimPolicy should not delete PVCs when there is another controller expand_more | 10m4s
Kubernetes e2e suite: [It] [sig-storage] PVC Protection Verify that PVC in active use by a pod is not removed immediately expand_more5m3s | Kubernetes e2e suite: [It] [sig-storage] PVC Protection Verify that PVC in active use by a pod is not removed immediately expand_more | 5m3s
Kubernetes e2e suite: [It] [sig-storage] PVC Protection Verify that PVC in active use by a pod is not removed immediately expand_more | 5m3s
Kubernetes e2e suite: [It] [sig-storage] PVC Protection Verify that scheduling of a pod that uses PVC that is being deleted fails and the pod becomes Unschedulable expand_more5m3s | Kubernetes e2e suite: [It] [sig-storage] PVC Protection Verify that scheduling of a pod that uses PVC that is being deleted fails and the pod becomes Unschedulable expand_more | 5m3s
Kubernetes e2e suite: [It] [sig-storage] PVC Protection Verify that scheduling of a pod that uses PVC that is being deleted fails and the pod becomes Unschedulable expand_more | 5m3s
Kubernetes e2e suite: [It] [sig-storage] PVC Protection Verify "immediate" deletion of a PVC that is not in active use by a pod expand_more5m3s | Kubernetes e2e suite: [It] [sig-storage] PVC Protection Verify "immediate" deletion of a PVC that is not in active use by a pod expand_more | 5m3s
Kubernetes e2e suite: [It] [sig-storage] PVC Protection Verify "immediate" deletion of a PVC that is not in active use by a pod expand_more | 5m3s
Kubernetes e2e suite: [It] [sig-apps] StatefulSet Non-retain StatefulSetPersistentVolumeClaimPolicy should delete PVCs with a OnScaledown policy expand_more10m4s | Kubernetes e2e suite: [It] [sig-apps] StatefulSet Non-retain StatefulSetPersistentVolumeClaimPolicy should delete PVCs with a OnScaledown policy expand_more | 10m4s
Kubernetes e2e suite: [It] [sig-apps] StatefulSet Non-retain StatefulSetPersistentVolumeClaimPolicy should delete PVCs with a OnScaledown policy expand_more | 10m4s
Kubernetes e2e suite: [It] [sig-apps] StatefulSet Non-retain StatefulSetPersistentVolumeClaimPolicy should delete PVCs after adopting pod (WhenScaled) expand_more10m4s | Kubernetes e2e suite: [It] [sig-apps] StatefulSet Non-retain StatefulSetPersistentVolumeClaimPolicy should delete PVCs after adopting pod (WhenScaled) expand_more | 10m4s
Kubernetes e2e suite: [It] [sig-apps] StatefulSet Non-retain StatefulSetPersistentVolumeClaimPolicy should delete PVCs after adopting pod (WhenScaled) expand_more | 10m4s
Kubernetes e2e suite: [It] [sig-apps] StatefulSet Basic StatefulSet functionality [StatefulSetBasic] should not deadlock when a pod's predecessor fails expand_more10m4s | Kubernetes e2e suite: [It] [sig-apps] StatefulSet Basic StatefulSet functionality [StatefulSetBasic] should not deadlock when a pod's predecessor fails expand_more | 10m4s
Kubernetes e2e suite: [It] [sig-apps] StatefulSet Basic StatefulSet functionality [StatefulSetBasic] should not deadlock when a pod's predecessor fails expand_more | 10m4s
Kubernetes e2e suite: [It] [sig-apps] StatefulSet Non-retain StatefulSetPersistentVolumeClaimPolicy should not delete PVC with OnScaledown policy if another controller owns the PVC expand_more | Kubernetes e2e suite: [It] [sig-apps] StatefulSet Non-retain StatefulSetPersistentVolumeClaimPolicy should not delete PVC with OnScaledown policy if another controller owns the PVC expand_more
Kubernetes e2e suite: [It] [sig-apps] StatefulSet Non-retain StatefulSetPersistentVolumeClaimPolicy should not delete PVC with OnScaledown policy if another controller owns the PVC expand_more

all the other 933 tests are passing

the ebs-csi-controller seems to require some permissions

https://storage.googleapis.com/kubernetes-ci-logs/pr-logs/pull/kops/17190/pull-kops-e2e-cni-kindnet-ipv6/1877087283962712064/artifacts/cluster-info/kube-system/ebs-csi-controller-65dbd65d98-v8sgz/csi-provisioner.log

I0108 21:03:04.353521 1 controller.go:843] CreateVolume failed, supports topology = true, node selected true => may reschedule = true => state = Finished: rpc error: code = Internal desc = Could not create volume "pvc-be11211d-1a70-4573-931a-1f1da03eff77": could not create volume in EC2: operation error EC2: CreateVolume, get identity: get credentials: failed to refresh cached credentials, failed to retrieve credentials, operation error STS: AssumeRoleWithWebIdentity, failed to get rate limit token, retry quota exceeded, 0 available, 5 requested

[hakman]

Pretty odd, let's retry first 🙂
/test pull-kops-e2e-cni-kindnet-ipv6

[hakman]

/test pull-kops-e2e-cni-kindnet-ipv6

[aojea]

still the same problem

I0109 07:29:50.210015 1 controller.go:843] CreateVolume failed, supports topology = true, node selected true => may reschedule = true => state = Finished: rpc error: code = Internal desc = Could not create volume "pvc-3e9b3371-9520-4b73-bec0-3f626907832f": could not create volume in EC2: operation error EC2: CreateVolume, get identity: get credentials: failed to refresh cached credentials, failed to retrieve credentials, operation error STS: AssumeRoleWithWebIdentity, exceeded maximum number of attempts, 3, https response error StatusCode: 0, RequestID: , request send failed, Post "https://sts.us-west-2.amazonaws.com/": EOF

yeah, it may be to the masquerading, there is an EOF in the request

[aojea]

the kindnet in the same node logs these messages

I0109 07:26:04.498470 1 proxy.go:310] Failed to connect to original destination [[64:ff9b::3477:a3dd]:443]: dial tcp4 52.119.163.221:443: connect: network is unreachable

https://storage.googleapis.com/kubernetes-ci-logs/pr-logs/pull/kops/17190/pull-kops-e2e-cni-kindnet-ipv6/1877249288690470912/artifacts/cluster-info/kube-system/kindnet-k89jm/kindnet-cni.log

that is an amazon ip https://urlscan.io/ip/52.94.181.70

in the docs https://kops.sigs.k8s.io/topology/#private-subnet

If the subnet is capable of IPv6, egress to the internet is typically routed through a connection-tracking firewall, such as an AWS Egress-only Internet Gateway. Egress to the NAT64 range 64:ff9b::/96 is typically routed to a NAT64 device, such as an AWS NAT Gateway.

so maybe to access that Service you need to use the provided nat64 by aws and is not available from the instances?

[aojea]

We need to disable NAT64 in Kindnet If is AWS and if is IPv6 only

[aojea]

... or disable NAT64 gateway and allow IPv4 connectivity from the instance , I just throw the options, no strong opinion

[aojea]

ok, talked offline with @hakman

Kops has a NAT64 gateway setup in aws
The instance does not have IPv4 connectivity
Disabling Kindnet NAT64 on AWS with IPv6 only is one option, so the NAT64 gateway is used.

However, my feedback from users is that they want to avoid NAT gateways at all cost, they are expensive and causes problems, kindnet offers an alternative to this setup if the instance has also IPv4 connectivity by enabling NAT64, right now it fails because the instance does not have IPv4 connectivity

[hakman]

/test pull-kops-e2e-cni-kindnet-ipv6

[aojea]

fantastic

pull-kops-e2e-cni-kindnet-ipv6 — Job succeeded.      

[hakman]

/test pull-kops-e2e-cni-kindnet
/test pull-kops-e2e-cni-kindnet-ipv6

[hakman]

/retest

[aojea]

/lgtm

Thanks

[hakman]

Thanks for all the help getting IPv6 to work, @aojea! 🙂

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rifelpet

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rifelpet]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[aojea]

Thanks for all the help getting IPv6 to work, @aojea! 🙂

thanks you all for doing this :)