Release v1.12.0
2024 Jan 24
Table of contents
NSM Release v1.12.0
NSM v1.12.0 has been tested on:
Changes since last release
Registry k8s can not correctly handle unregister when its scaled
Status: RESOLVED.
Update Spire version in Dockerfile for all cmd-repos
Update Spire version in Dockerfiles for all cmd-repos. Also add support for multi-arch build.
System stability fixes and improvements
About example Kernel2Wireguard2Kernel
Status: RESOLVED.
network service endpoint candidates not found: all forwarders have failed
Status: RESOLVED.
Create a cronjob to check for CVEs in all images presented in this repo once a week
Status: RESOLVED.
Interdomain doesn’t work when cluster internal IP doesn’t have internet access
Status: RESOLVED.
Feature Request: Support configuration of NamespaceSelector
Auto registration creates a MutatingWebhookConfiguration
with no Namespace filters.
The mutation applies to all Namespaces.
The Webhook watching the system namespaces can create circular dependencies. Where system pods are required for Nodes to be made Ready to have the Webhook scheduled onto them.
We would like to configure this selector to exclude some Namespaces which should never be modified.
For example we could configure the webhook to exclude the namespaces: nsm-system
kube-system
and spire
.
Example of current webhook config:
kind: MutatingWebhookConfiguration
metadata:
name: nsm-admission-webhook-k8s-5dfd78487d-26n5b
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
caBundle: <redacted>
service:
name: admission-webhook-svc
namespace: nsm-system
path: /mutate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: nsm-admission-webhook-k8s-5dfd78487d-26n5b.networkservicemesh.io
namespaceSelector: {}
objectSelector: {}
reinvocationPolicy: Never
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- pods
scope: '*'
- apiGroups:
- apps
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- deployments
- statefulsets
- daemonsets
- replicasets
scope: '*'
sideEffects: None
timeoutSeconds: 10
Example of desired webhook config:
kind: MutatingWebhookConfiguration
metadata:
name: nsm-admission-webhook-k8s-5dfd78487d-26n5b
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
caBundle: <redacted>
service:
name: admission-webhook-svc
namespace: nsm-system
path: /mutate
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: nsm-admission-webhook-k8s-5dfd78487d-26n5b.networkservicemesh.io
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values:
- nsm-system
- kube-system
- spire
objectSelector: {}
reinvocationPolicy: Never
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- pods
scope: '*'
- apiGroups:
- apps
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- deployments
- statefulsets
- daemonsets
- replicasets
scope: '*'
sideEffects: None
timeoutSeconds: 10
Connectivity changes during runtime
Status: RESOLVED.
Improve cronjob for CVEs scanning in docker images
- Add image names in CVEs reports
- Remove old results on every CVEs scanning
- Fix the period of the cronjob
Describe how each component interacts with each other
For new users, it is unclear how NSM components interact with each other, or how NSM works as a whole. For example, how the data packets sent by nsc are passed to nse through forwarder, so that users can have a clear understanding of nsm macroscopically
TestRecvfd/TestRecvfdClosesSingleFile is unstable
Status: RESOLVED.
Broken “cloud.google.com/go/compute/metadata” dependency
Status: RESOLVED.
CVEs Scanner should merge the same CVEs
Currently, CVEs Scanner creates several entries for the same CVE if it’s found in different images. The scanner should merge such entires into one and add all affected images into the entry’s description.
CRITICAL
and HIGH
issues from CVEs scanner
Fix Status: RESOLVED.
Add interface names into NSM metrics
Status: RESOLVED.
alpine cant use curl with NSM dns
It looks like alpine:3.19’s curl doesn’t accept such DNS responses. I tried to manually change the DNS response from greeting.default.svc.cluster.local to greeting.default in ANSWER SECTION and curl (alpine:3.19) accepted that.
External NSC fix interface problem
Hi all, I was testing the example related to the configuration of an external client to the cluster and noticed how the configuration of the MetalLB LoadBalancer needs to be changed. In fact, in the guide offered by Kind, it is pointed out that the method through the ConfigMap is no longer supported. One should run these commands
`kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.7/config/manifests/metallb-native.yaml`
kubectl wait --namespace metallb-system \
--for=condition=ready pod \
--selector=app=metallb \
--timeout=90s
` kubectl apply -f https://kind.sigs.k8s.io/examples/loadbalancer/metallb-config.yaml`
I tried to open a pull request to make noticed this, but it failed.
I followed the instructions inside the example, but apparently the external docker fails to communicate with the service: in fact the 2 kernel interfaces that should be available, are not created.
I don’t know if it affects the order but this is what I followed:
LoadBalancer , via the commands provided above and offered by the guide;
DNS,
;
External Docker;
Spire;
SPIFFE ;
I then ran the command to configure the cluster with the NSM resources, and finally the deployment for the example.
Do you have any hints for solving this problem?
Test_DNSUsecase is unstable
Status: RESOLVED.
Update repository to go v1.20
Status: RESOLVED.
Test_TCPDNSServerTimeout is unstable
Status: RESOLVED.
Example TestNsm_kuma_universal_vl3 is unstable on kind
Status: RESOLVED.
Remaining bridge interfaces after forwarder stoped
Status: RESOLVED.
About nsm support network topology like this?
Status: RESOLVED.
Feature: automatic nsc connect to nse registered with the NS after nsc is initialized and running
Status: RESOLVED.
Visualizing tool for NSM in Kubernetes environment
Status: RESOLVED.
rate: Wait(n=1) would exceed context deadline
Logs:
{"level":"error","ts":1705506855.7787008,"logger":"admissionWebhookServer","caller":"build/main.go:97","msg":"failed to get namespace by name: client rate limiter Wait returned an error: rate: Wait(n=1) would exceed context deadline","stacktrace":"main.(*admissionWebhookServer).Review\n\t/build/main.go:97\nmain.main.func3\n\t/build/main.go:482\ngithub.com/labstack/echo/v4.(*Echo).add.func1\n\t/go/pkg/mod/github.com/labstack/echo/v4@v4.11.3/echo.go:582\ngithub.com/labstack/echo/v4/middleware.RecoverWithConfig.func1.1\n\t/go/pkg/mod/github.com/labstack/echo/v4@v4.11.3/middleware/recover.go:131\ngithub.com/labstack/echo/v4/middleware.LoggerWithConfig.func2.1\n\t/go/pkg/mod/github.com/labstack/echo/v4@v4.11.3/middleware/logger.go:126\ngithub.com/labstack/echo/v4.(*Echo).ServeHTTP\n\t/go/pkg/mod/github.com/labstack/echo/v4@v4.11.3/echo.go:669\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2936\nnet/http.(*conn).serve\n\t/usr/local/go/src/net/http/server.go:1995"}
Build: https://github.com/networkservicemesh/integration-k8s-kind/actions/runs/7558182942/job/20579105121
Add the ability to use a Spire certificate instead of an automatically generated one
Add the ability to use a spire as a source of certs instead of an automatically generated to improve security and safety of NSM webhook.
Release project board
Table of contents