add kindnet network plugin

Change-Id: Ica436d9debe1efb63a572cb8e8c68432ec2ffd35

cmd/kops/create_cluster.go

@@ -314,7 +314,7 @@ func NewCmdCreateCluster(f *util.Factory, out io.Writer) *cobra.Command {
 	cmd.Flags().StringVar(&options.EtcdStorageType, "etcd-storage-type", options.EtcdStorageType, "The default storage type for etcd members")
 	cmd.RegisterFlagCompletionFunc("etcd-storage-type", completeStorageType)
 
-	cmd.Flags().StringVar(&options.Networking, "networking", options.Networking, "Networking mode.  kubenet, external, flannel-vxlan (or flannel), flannel-udp, calico, canal, kube-router, amazonvpc, cilium, cilium-etcd, cni.")
+	cmd.Flags().StringVar(&options.Networking, "networking", options.Networking, "Networking mode.  kubenet, external, flannel-vxlan (or flannel), flannel-udp, calico, canal, kube-router, amazonvpc, cilium, cilium-etcd, kindnet, cni.")
 	cmd.RegisterFlagCompletionFunc("networking", completeNetworking(options))
 
 	cmd.Flags().StringVar(&options.DNSZone, "dns-zone", options.DNSZone, "DNS hosted zone (defaults to longest matching zone)")
@@ -983,6 +983,7 @@ func completeNetworking(options *CreateClusterOptions) func(cmd *cobra.Command,
 			"cilium",
 			"cilium-eni",
 			"cilium-etcd",
+			"kindnet",
 		}
 
 		if !options.IPv6 {

cmd/kops/integration_test.go

@@ -228,6 +228,7 @@ const (
 	canalAddon   = "networking.projectcalico.org.canal-k8s-1.25"
 	ciliumAddon  = "networking.cilium.io-k8s-1.16"
 	flannelAddon = "networking.flannel-k8s-1.25"
+	kindnetAddon = "networking.kindnet-k8s-1.12"
 
 	certManagerAddon         = "certmanager.io-k8s-1.16"
 	clusterAutoscalerAddon   = "cluster-autoscaler.addons.k8s.io-k8s-1.15"
@@ -642,6 +643,15 @@ func TestPrivateFlannel(t *testing.T) {
 		runTestTerraformAWS(t)
 }
 
+// TestPrivateKindnet runs the test on a configuration with private topology, flannel networking
+func TestPrivateKindnet(t *testing.T) {
+	newIntegrationTest("privatekindnet.example.com", "privatekindnet").
+		withPrivate().
+		withDefaultAddons24().
+		withAddons(kindnetAddon).
+		runTestTerraformAWS(t)
+}
+
 // TestPrivateCalico runs the test on a configuration with private topology, calico networking
 func TestPrivateCalico(t *testing.T) {
 	newIntegrationTest("privatecalico.example.com", "privatecalico").

docs/networking/kindnet.md

@@ -0,0 +1,22 @@
+# Kindnet
+
+* [kindnet](http://kindnet.es)
+
+Kindnet focuses on providing essential networking functionality without unnecessary complexity.
+
+## Installing
+
+To install [kindnet](https://github.com/aojea/kindnet) - use `--networking kindnet`.
+
+```sh
+export ZONES=mylistofzone
+kops create cluster \
+  --zones $ZONES \
+  --networking kindnet \
+  --yes \
+  --name myclustername.mydns.io
+```
+
+## Configuring
+
+### Configuring Kindnet

pkg/apis/kops/networking.go

@@ -78,6 +78,7 @@ type NetworkingSpec struct {
 	Cilium     *CiliumNetworkingSpec     `json:"cilium,omitempty"`
 	LyftVPC    *LyftVPCNetworkingSpec    `json:"lyftvpc,omitempty"`
 	GCP        *GCPNetworkingSpec        `json:"gcp,omitempty"`
+	Kindnet    *KindnetNetworkingSpec    `json:"kindnet,omitempty"`
 }
 
 // UsesKubenet returns true if our networking is derived from kubenet
@@ -553,3 +554,27 @@ type LyftVPCNetworkingSpec struct {
 
 // GCPNetworkingSpec is the specification of GCP's native networking mode, using IP aliases.
 type GCPNetworkingSpec struct{}
+
+// KindnetNetworkingSpec configures Kindnet settings.
+type KindnetNetworkingSpec struct {
+	// Version is the version of the kindnet agent.
+	// Default: stable
+	Version string `json:"version,omitempty"`
+	// Enable network policies
+	NetworkPolicies              *bool `json:"networkPolicies,omitempty"`
+	AdminNetworkPolicies         *bool `json:"adminNetworkPolicies,omitempty"`
+	BaselineAdminNetworkPolicies *bool `json:"baselineAdminNetworkPolicies,omitempty"`
+	// enable dns caching
+	DNSCaching *bool `json:"dnsCaching,omitempty"`
+	// enable nat64 on ipv6 clusters
+	NAT64 *bool `json:"nat64,omitempty"`
+	// number of packets in a connection to offload it to the fast path
+	FastPathThreshold *int32 `json:"fastPathThreshold,omitempty"`
+	// node agent masquerading rules
+	Masquerade *KindnetMasqueradeSpec `json:"masquerade,omitempty"`
+}
+
+type KindnetMasqueradeSpec struct {
+	Enabled            *bool    `json:"enabled,omitempty"`
+	NonMasqueradeCIDRs []string `json:"nonMasqueradeCIDRs,omitempty"`
+}

pkg/apis/kops/v1alpha2/networking.go

@@ -674,3 +674,19 @@ type LyftVPCNetworkingSpec struct {
 
 // GCPNetworkingSpec is the specification of GCP's native networking mode, using IP aliases.
 type GCPNetworkingSpec struct{}
+
+// KindnetNetworkingSpec configures Kindnet settings.
+type KindnetNetworkingSpec struct {
+	NetworkPolicies              *bool                  `json:"networkPolicies,omitempty"`
+	AdminNetworkPolicies         *bool                  `json:"adminNetworkPolicies,omitempty"`
+	BaselineAdminNetworkPolicies *bool                  `json:"baselineAdminNetworkPolicies,omitempty"`
+	DNSCaching                   *bool                  `json:"dnsCaching,omitempty"`
+	NAT64                        *bool                  `json:"nat64,omitempty"`
+	FastPathThreshold            *int32                 `json:"fastPathThreshold,omitempty"`
+	Masquerade                   *KindnetMasqueradeSpec `json:"masquerade,omitempty"`
+}
+
+type KindnetMasqueradeSpec struct {
+	Enabled            *bool    `json:"enabled,omitempty"`
+	NonMasqueradeCIDRs []string `json:"nonMasqueradeCIDRs,omitempty"`
+}

pkg/apis/kops/v1alpha3/networking.go

@@ -510,3 +510,19 @@ type HubbleSpec struct {
 
 // GCPNetworkingSpec is the specification of GCP's native networking mode, using IP aliases.
 type GCPNetworkingSpec struct{}
+
+// KindnetNetworkingSpec configures Kindnet settings.
+type KindnetNetworkingSpec struct {
+	NetworkPolicies              *bool                  `json:"networkPolicies,omitempty"`
+	AdminNetworkPolicies         *bool                  `json:"adminNetworkPolicies,omitempty"`
+	BaselineAdminNetworkPolicies *bool                  `json:"baselineAdminNetworkPolicies,omitempty"`
+	DNSCaching                   *bool                  `json:"dnsCaching,omitempty"`
+	NAT64                        *bool                  `json:"nat64,omitempty"`
+	FastPathThreshold            *int32                 `json:"fastPathThreshold,omitempty"`
+	Masquerade                   *KindnetMasqueradeSpec `json:"masquerade,omitempty"`
+}
+
+type KindnetMasqueradeSpec struct {
+	Enabled            *bool    `json:"enabled,omitempty"`
+	NonMasqueradeCIDRs []string `json:"nonMasqueradeCIDRs,omitempty"`
+}

pkg/apis/kops/validation/validation.go

@@ -20,6 +20,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"net/netip"
 	"net/url"
 	"path/filepath"
 	"regexp"
@@ -1226,6 +1227,14 @@ func validateNetworking(cluster *kops.Cluster, v *kops.NetworkingSpec, fldPath *
 		allErrs = append(allErrs, validateNetworkingGCP(cluster, v.GCP, fldPath.Child("gcp"))...)
 	}
 
+	if v.Kindnet != nil {
+		if optionTaken {
+			allErrs = append(allErrs, field.Forbidden(fldPath.Child("kindnet"), "only one networking option permitted"))
+		}
+
+		allErrs = append(allErrs, validateNetworkingKindnet(cluster, v.Kindnet, fldPath.Child("kindnet"))...)
+	}
+
 	return allErrs
 }
 
@@ -1403,6 +1412,23 @@ func validateNetworkingGCP(cluster *kops.Cluster, v *kops.GCPNetworkingSpec, fld
 	return allErrs
 }
 
+func validateNetworkingKindnet(cluster *kops.Cluster, v *kops.KindnetNetworkingSpec, fldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	if v.Masquerade != nil && v.Masquerade.Enabled != nil && *v.Masquerade.Enabled {
+		for _, cidr := range v.Masquerade.NonMasqueradeCIDRs {
+			if cidr == "" {
+				continue
+			}
+			_, err := netip.ParsePrefix(cidr)
+			if err != nil {
+				allErrs = append(allErrs, field.Invalid(fldPath, cidr, err.Error()))
+			}
+		}
+	}
+	return allErrs
+}
+
 func validateAdditionalPolicy(role string, policy string, fldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 

pkg/apis/kops/validation/validation_test.go

@@ -28,6 +28,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/upup/pkg/fi"
+	"k8s.io/utils/ptr"
 )
 
 func Test_Validate_DNS(t *testing.T) {
@@ -458,6 +459,72 @@ func Test_Validate_Networking_Flannel(t *testing.T) {
 	}
 }
 
+func Test_Validate_Networking_Kindnet(t *testing.T) {
+	grid := []struct {
+		Input          kops.KindnetNetworkingSpec
+		ExpectedErrors []string
+	}{
+		{
+			Input: kops.KindnetNetworkingSpec{
+				Masquerade: &kops.KindnetMasqueradeSpec{
+					Enabled: ptr.To(true),
+				},
+			},
+		},
+		{
+			Input: kops.KindnetNetworkingSpec{
+				Masquerade: &kops.KindnetMasqueradeSpec{
+					Enabled:            ptr.To(true),
+					NonMasqueradeCIDRs: []string{"10.0.0.0/24", "2001:db8::/64"},
+				},
+			},
+		},
+		{
+			Input: kops.KindnetNetworkingSpec{
+				Masquerade: &kops.KindnetMasqueradeSpec{
+					Enabled:            ptr.To(true),
+					NonMasqueradeCIDRs: []string{"a.b.c.d/24", "2001:db8::/64"},
+				},
+			},
+			ExpectedErrors: []string{"Invalid value::networking.kindnet"},
+		},
+		{
+			Input: kops.KindnetNetworkingSpec{
+				Masquerade: &kops.KindnetMasqueradeSpec{
+					Enabled:            ptr.To(false),
+					NonMasqueradeCIDRs: []string{"a.b.c.d/24", "2001:db8::/64"},
+				},
+			},
+			ExpectedErrors: []string{},
+		},
+	}
+
+	for _, g := range grid {
+		cluster := &kops.Cluster{
+			Spec: kops.ClusterSpec{
+				KubernetesVersion: "1.27.0",
+				Networking: kops.NetworkingSpec{
+					NetworkCIDR:           "10.0.0.0/8",
+					NonMasqueradeCIDR:     "100.64.0.0/10",
+					PodCIDR:               "100.96.0.0/11",
+					ServiceClusterIPRange: "100.64.0.0/13",
+					Subnets: []kops.ClusterSubnetSpec{
+						{
+							Name: "sg-test",
+							CIDR: "10.11.0.0/16",
+							Type: "Public",
+						},
+					},
+					Kindnet: &g.Input,
+				},
+			},
+		}
+
+		errs := validateNetworking(cluster, &cluster.Spec.Networking, field.NewPath("networking"), true, &cloudProviderConstraints{})
+		testErrors(t, g.Input, errs, g.ExpectedErrors)
+	}
+}
+
 func Test_Validate_Networking_OverlappingCIDR(t *testing.T) {
 	grid := []struct {
 		Name           string

pkg/apis/nodeup/config.go

@@ -328,6 +328,10 @@ func NewConfig(cluster *kops.Cluster, instanceGroup *kops.InstanceGroup) (*Confi
 		config.Networking.KubeRouter = &kops.KuberouterNetworkingSpec{}
 	}
 
+	if cluster.Spec.Networking.Kindnet != nil {
+		config.Networking.Kindnet = &kops.KindnetNetworkingSpec{}
+	}
+
 	if instanceGroup.Spec.Kubelet != nil {
 		config.KubeletConfig = *instanceGroup.Spec.Kubelet
 	}

pkg/model/components/kindnet.go

@@ -0,0 +1,55 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package components
+
+import (
+	"k8s.io/kops/pkg/apis/kops"
+	"k8s.io/kops/upup/pkg/fi"
+	"k8s.io/kops/upup/pkg/fi/loader"
+)
+
+// KindnetOptionsBuilder adds options for the cilium to the model
+type KindnetOptionsBuilder struct {
+	Context *OptionsContext
+}
+
+var _ loader.ClusterOptionsBuilder = &KindnetOptionsBuilder{}
+
+func (b *KindnetOptionsBuilder) BuildOptions(o *kops.Cluster) error {
+	clusterSpec := &o.Spec
+	c := clusterSpec.Networking.Kindnet
+	if c == nil {
+		return nil
+	}
+
+	if c.Version == "" {
+		c.Version = "stable"
+	}
+
+	if c.Masquerade == nil {
+		c.Masquerade = &kops.KindnetMasqueradeSpec{
+			Enabled: fi.PtrTo(true),
+			NonMasqueradeCIDRs: []string{
+				clusterSpec.Networking.NetworkCIDR,
+				clusterSpec.Networking.PodCIDR,
+				clusterSpec.Networking.ServiceClusterIPRange,
+			},
+		}
+	}
+
+	return nil
+}