Merge pull request #3441 from mikhail-sakhnov/deprecate-tunneled-mode

Drop tunneled networking mode support

cmd/controller/controller.go

@@ -214,7 +214,7 @@ func (c *command) start(ctx context.Context) error {
 
 	enableKonnectivity := !c.SingleNode && !slices.Contains(c.DisableComponents, constant.KonnectivityServerComponentName)
 	disableEndpointReconciler := !slices.Contains(c.DisableComponents, constant.APIEndpointReconcilerComponentName) &&
-		(nodeConfig.Spec.API.ExternalAddress != "" || nodeConfig.Spec.API.TunneledNetworkingMode)
+		nodeConfig.Spec.API.ExternalAddress != ""
 
 	nodeComponents.Add(ctx, &controller.APIServer{
 		ClusterConfig:             nodeConfig,
@@ -384,14 +384,7 @@ func (c *command) start(ctx context.Context) error {
 		clusterComponents.Add(ctx, controller.NewCRD(manifestsSaver, []string{"autopilot"}))
 	}
 
-	if nodeConfig.Spec.API.TunneledNetworkingMode {
-		clusterComponents.Add(ctx, controller.NewTunneledEndpointReconciler(
-			leaderElector,
-			adminClientFactory,
-		))
-	}
-
-	if !slices.Contains(c.DisableComponents, constant.APIEndpointReconcilerComponentName) && nodeConfig.Spec.API.ExternalAddress != "" && !nodeConfig.Spec.API.TunneledNetworkingMode {
+	if !slices.Contains(c.DisableComponents, constant.APIEndpointReconcilerComponentName) && nodeConfig.Spec.API.ExternalAddress != "" {
 		clusterComponents.Add(ctx, controller.NewEndpointReconciler(
 			nodeConfig,
 			leaderElector,

docs/configuration.md

@@ -57,7 +57,6 @@ spec:
     port: 6443
     sans:
     - 192.168.68.104
-    tunneledNetworkingMode: false
   controllerManager: {}
   extensions:
     helm:
@@ -135,7 +134,6 @@ spec:
 | `extraArgs`              | Map of key-values (strings) for any extra arguments to pass down to Kubernetes api-server process.                                                                                                                          |
 | `port`¹                  | Custom port for kube-api server to listen on (default: 6443)                                                                                                                                                                |
 | `k0sApiPort`¹            | Custom port for k0s-api server to listen on (default: 9443)                                                                                                                                                                 |
-| `tunneledNetworkingMode` | Whether to tunnel Kubernetes access from worker nodes via local port forwarding. (default: `false`)                                                                                                                         |
 
 ¹ If `port` and `k0sApiPort` are used with the `externalAddress` element, the loadbalancer serving at `externalAddress` must listen on the same ports.
 

docs/nllb.md

@@ -37,9 +37,6 @@ following:
 * The cluster doesn't use an externally managed load balancer, i.e. the cluster
   configuration doesn't specify a non-empty
   [`spec.api.externalAddress`][specapi].
-* The cluster doesn't use tunneled networking mode, i.e. the cluster
-  configuration doesn't specify [`spec.api.tunneledNetworkingMode`][specapi] as
-  `true`.
 * K0s isn't running as a [single node](../k0s-single-node/), i.e. it isn't
   started using the `--single` flag.
 * The cluster should have multiple controller nodes. Node-local load balancing

embedded-bins/Makefile.variables

@@ -51,7 +51,7 @@ etcd_build_go_ldflags = "-w -s"
 #etcd_build_go_ldflags_extra =
 
 konnectivity_buildimage = $(golang_buildimage)
-konnectivity_version = 0.0.33-k0s.1
+konnectivity_version = 0.1.4
 #konnectivity_build_go_tags =
 konnectivity_build_go_cgo_enabled = 0
 #konnectivity_build_go_cgo_cflags =

embedded-bins/konnectivity/Dockerfile

@@ -4,7 +4,7 @@ FROM $BUILDIMAGE AS build
 RUN apk add build-base git make protoc
 
 ARG VERSION
-RUN git -c advice.detachedHead=false clone -b v$VERSION --depth=1 https://github.com/k0sproject/apiserver-network-proxy.git /apiserver-network-proxy
+RUN git -c advice.detachedHead=false clone -b v$VERSION --depth=1 https://github.com/kubernetes-sigs/apiserver-network-proxy.git /apiserver-network-proxy
 WORKDIR /apiserver-network-proxy
 
 ARG TARGET_OS \
@@ -14,9 +14,9 @@ ARG TARGET_OS \
   BUILD_GO_LDFLAGS \
   BUILD_GO_LDFLAGS_EXTRA
 
-RUN go version
 RUN go install github.com/golang/mock/[email protected] && \
-    go install github.com/golang/protobuf/[email protected] && \
+    go install google.golang.org/protobuf/cmd/[email protected] && \
+    go install google.golang.org/grpc/cmd/[email protected] && \ 
     make gen && \
     CGO_ENABLED=${BUILD_GO_CGO_ENABLED} \
     GOOS=linux \

inttest/Makefile.variables

@@ -53,5 +53,4 @@ smoketests := \
 	check-psp \
 	check-singlenode \
 	check-statussocket \
-	check-tunneledkas \
 	check-upgrade \

pkg/apis/k0s/v1beta1/api.go

@@ -37,8 +37,6 @@ type APISpec struct {
 
 	// The loadbalancer address (for k0s controllers running behind a loadbalancer)
 	ExternalAddress string `json:"externalAddress,omitempty"`
-	// TunneledNetworkingMode indicates if we access to KAS through konnectivity tunnel
-	TunneledNetworkingMode bool `json:"tunneledNetworkingMode"`
 	// Map of key-values (strings) for any extra arguments to pass down to Kubernetes api-server process
 	ExtraArgs map[string]string `json:"extraArgs,omitempty"`
 	// Custom port for k0s-api server to listen on (default: 9443)
@@ -59,12 +57,11 @@ func DefaultAPISpec() *APISpec {
 	addresses, _ := iface.AllAddresses()
 	publicAddress, _ := iface.FirstPublicAddress()
 	return &APISpec{
-		Port:                   defaultKasPort,
-		K0sAPIPort:             9443,
-		SANs:                   addresses,
-		Address:                publicAddress,
-		ExtraArgs:              make(map[string]string),
-		TunneledNetworkingMode: false,
+		Port:       defaultKasPort,
+		K0sAPIPort: 9443,
+		SANs:       addresses,
+		Address:    publicAddress,
+		ExtraArgs:  make(map[string]string),
 	}
 }
 
@@ -142,8 +139,5 @@ func (a *APISpec) Validate() []error {
 	if a.ExternalAddress != "" {
 		validateIPAddressOrDNSName(field.NewPath("externalAddress"), a.ExternalAddress)
 	}
-	if a.TunneledNetworkingMode && a.Port == defaultKasPort {
-		errors = append(errors, fmt.Errorf("can't use default kubeapi port if TunneledNetworkingMode is enabled"))
-	}
 	return errors
 }

pkg/apis/k0s/v1beta1/api_test.go

@@ -68,14 +68,6 @@ func (s *APISuite) TestValidation() {
 			s.ErrorContains(errors[0], `sans[0]: Invalid value: "something.that.is.not.valid//(())": invalid IP address / DNS name`)
 		}
 	})
-	s.T().Run("TunneledNetworkingMode_and_default_kas_port_is_invalid", func(t *testing.T) {
-		a := DefaultAPISpec()
-		a.TunneledNetworkingMode = true
-		errors := a.Validate()
-		s.NotNil(errors)
-		s.Len(errors, 1)
-		s.Contains(errors[0].Error(), "can't use default kubeapi port if TunneledNetworkingMode is enabled")
-	})
 }
 
 func TestApiSuite(t *testing.T) {

pkg/apis/k0s/v1beta1/clusterconfig_types.go

@@ -345,10 +345,6 @@ func (s *ClusterSpec) ValidateNodeLocalLoadBalancing() (errs field.ErrorList) {
 	}
 
 	path := field.NewPath("network", "nodeLocalLoadBalancing", "enabled")
-	if s.API.TunneledNetworkingMode {
-		detail := "node-local load balancing cannot be used in tunneled networking mode"
-		errs = append(errs, field.Forbidden(path, detail))
-	}
 
 	if s.API.ExternalAddress != "" {
 		detail := "node-local load balancing cannot be used in conjunction with an external Kubernetes API server address"

pkg/component/controller/konnectivity.go

@@ -259,14 +259,6 @@ func (k *Konnectivity) writeKonnectivityAgent() error {
 		PullPolicy:      k.clusterConfig.Spec.Images.DefaultPullPolicy,
 	}
 
-	if k.NodeConfig.Spec.API.TunneledNetworkingMode {
-		cfg.HostNetwork = true
-		cfg.BindToNodeIP = true // agent needs to listen on the node IP to be on pair with the tunneled network reconciler
-		cfg.APIServerPortMapping = fmt.Sprintf("6443:localhost:%d", k.clusterConfig.Spec.API.Port)
-	} else {
-		cfg.FeatureGates = "NodeToMasterTraffic=false"
-	}
-
 	if k.clusterConfig.Spec.Network != nil {
 		nllb := k.clusterConfig.Spec.Network.NodeLocalLoadBalancing
 		if nllb.IsEnabled() {