reactive strict konnectivity

2025-02-01 18:15:08 -05:00 · 2022-09-16 03:20:34 +02:00 · 2022-09-16 03:20:34 +02:00 · f6c18a5aca
commit f6c18a5aca
parent 27cf9f880e
3 changed files with 8 additions and 10 deletions
--- a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go
@ -73,7 +73,7 @@ func (c *CoreOSConfiguration) InitConfiguration(externalCloudProvider bool, k8sV
 						"audit-log-maxsize":   "100",                                    // CIS benchmark - Default value of Rancher
 						"profiling":           "false",                                  // CIS benchmark
 						// Disabled konnectivity until agents have stable connections
-						// "egress-selector-config-file": "/etc/kubernetes/egress-selector-configuration.yaml",
+						"egress-selector-config-file": "/etc/kubernetes/egress-selector-configuration.yaml",
 						"kubelet-certificate-authority": filepath.Join(
 							kubeconstants.KubernetesDir,
 							kubeconstants.DefaultCertificateDir,
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/konnectivity.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/konnectivity.go
@ -113,10 +113,9 @@ func NewKonnectivityAgents(konnectivityServerAddress string) *konnectivityAgents
 									// https://github.com/kubernetes-sigs/apiserver-network-proxy/issues/273
 									"--sync-forever=true",
 									// Ensure stable connection to the konnectivity server.
-									"--keepalive-time=60s",
-									"--sync-interval=1s",
-									"--sync-interval-cap=3s",
-									"--probe-interval=1s",
+									"--sync-interval=1s",     // GKE: 5s
+									"--sync-interval-cap=3s", // GKE: 30s
+									"--probe-interval=1s",    // GKE: 5s
 									"--v=3",
 								},
 								Env: []corev1.EnvVar{
@ -253,9 +252,8 @@ func NewKonnectivityServerStaticPod(nodeCIDR string) *konnectivityServerStaticPo
 							"--agent-service-account=konnectivity-agent",
 							"--kubeconfig=/etc/kubernetes/konnectivity-server.conf",
 							"--authentication-audience=system:konnectivity-server",
-							// "--proxy-strategies=destHost,default",
-							"--proxy-strategies=destHost,defaultRoute",
-							"--node-cidr=" + nodeCIDR, //"--node-cidr=10.9.0.0/16",
+							"--proxy-strategies=destHost,default",
+							"--node-cidr=" + nodeCIDR, //--node-cidr=10.9.0.0/16,
 						},
 						LivenessProbe: &corev1.Probe{
 							ProbeHandler: corev1.ProbeHandler{
--- a/internal/versions/versions.go
+++ b/internal/versions/versions.go
@ -45,8 +45,8 @@ const (
 	// These images are built in a way that they support all versions currently listed in VersionConfigs.
 	KonnectivityAgentImage = "us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.32"
 	// TODO: switch back to official image once cilium node2node encryption is enabled.
-	// KonnectivityServerImage  = "registry.k8s.io/kas-network-proxy/proxy-server:v0.0.32".
-	KonnectivityServerImage  = "ghcr.io/3u13r/constellation-konnectivity-server:v0.0.33-edgeless@sha256:bf5748999b20576c7c97f25d2762408d705df5ae20640494bcb4cac5d648b583"
+	// KonnectivityServerImage = "registry.k8s.io/kas-network-proxy/proxy-server:v0.0.32".
+	KonnectivityServerImage  = "ghcr.io/3u13r/constellation-konnectivity-server:v0.0.33-edgeless"
 	JoinImage                = "ghcr.io/edgelesssys/constellation/join-service:v2.0.0"
 	AccessManagerImage       = "ghcr.io/edgelesssys/constellation/access-manager:v2.0.0"
 	KmsImage                 = "ghcr.io/edgelesssys/constellation/kmsserver:v2.0.0"