From 81cb30239910fee6808fc7c97fe9cfe3e0ee5c8b Mon Sep 17 00:00:00 2001
From: Etienne Champetier <champetier.etienne@gmail.com>
Date: Thu, 26 Sep 2019 04:21:06 -0700
Subject: [PATCH] MetalLB: fail if kube_proxy_strict_arp is false (#5180)

When using IPVS, kube_proxy_strict_arp = true is required
https://github.com/danderson/metallb/issues/153#issuecomment-518651132

Add kube_proxy_strict_arp to inventory/sample
---
 contrib/metallb/roles/provision/tasks/main.yml          | 5 +++++
 inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml | 4 ++++
 roles/kubernetes/master/defaults/main/kube-proxy.yml    | 2 ++
 3 files changed, 11 insertions(+)

diff --git a/contrib/metallb/roles/provision/tasks/main.yml b/contrib/metallb/roles/provision/tasks/main.yml
index 66fcc591c..a51eeaf13 100644
--- a/contrib/metallb/roles/provision/tasks/main.yml
+++ b/contrib/metallb/roles/provision/tasks/main.yml
@@ -1,4 +1,9 @@
 ---
+- name: "Kubernetes Apps | Check cluster settings for MetalLB"
+  fail:
+    msg: "MetalLB require kube_proxy_strict_arp = true, see https://github.com/danderson/metallb/issues/153#issuecomment-518651132"
+  when:
+    - "kube_proxy_mode == 'ipvs' and not kube_proxy_strict_arp"
 - name: "Kubernetes Apps | Lay Down MetalLB"
   become: true
   template: { src: "{{ item }}.j2", dest: "{{ kube_config_dir }}/{{ item }}" }
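Review bot: The `when` condition of the added check task tests `kube_proxy_strict_arp` as a bare variable, so the guard can be skipped or can fail without showing its message. If the value arrives as a string (for example from `-e kube_proxy_strict_arp=false`), `not kube_proxy_strict_arp` is false for a non-empty string and the task is skipped even though strict ARP is off. If this contrib playbook runs without the defaults from roles/kubernetes/master in scope (not visible from this hunk), the task stops on an undefined variable rather than printing the hint. I would write the condition as `- "kube_proxy_mode == 'ipvs' and not (kube_proxy_strict_arp | default(false) | bool)"`, and let the message say that the requirement applies in IPVS mode.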
diff --git a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
index a7aa43873..09a378bf1 100644
--- a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
+++ b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
@@ -101,6 +101,10 @@ kube_apiserver_insecure_port: 0  # (disabled)
 # Can be ipvs, iptables
 kube_proxy_mode: ipvs
 
+# configure arp_ignore and arp_announce to avoid answering ARP queries from kube-ipvs0 interface
+# must be set to true for MetalLB to work
+kube_proxy_strict_arp: false
+
 # A string slice of values which specify the addresses to use for NodePorts.
 # Values may be valid IP blocks (e.g. 1.2.3.0/24, 1.2.3.4/32).
 # The default empty string slice ([]) means to use all local addresses.
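Review bot: The added comment says the setting must be true for MetalLB to work, but the check added in contrib/metallb only enforces it when `kube_proxy_mode` is `ipvs`. This sample selects `ipvs` just above and still ships `false`, so a reader cannot tell from the comment why the MetalLB playbook will refuse to run. I would state the condition in the comment, e.g. `# must be set to true for MetalLB to work when kube_proxy_mode is ipvs`. The same two comment lines are added in roles/kubernetes/master/defaults/main/kube-proxy.yml and should get the same wording.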
diff --git a/roles/kubernetes/master/defaults/main/kube-proxy.yml b/roles/kubernetes/master/defaults/main/kube-proxy.yml
index 102cd009b..49c4198fd 100644
--- a/roles/kubernetes/master/defaults/main/kube-proxy.yml
+++ b/roles/kubernetes/master/defaults/main/kube-proxy.yml
@@ -80,6 +80,8 @@ kube_proxy_exclude_cidrs: []
 # nq: never queue
 kube_proxy_scheduler: rr
 
+# configure arp_ignore and arp_announce to avoid answering ARP queries from kube-ipvs0 interface
+# must be set to true for MetalLB to work
 kube_proxy_strict_arp: false
 
 # The IP address and port for the metrics server to serve on
-- 
GitLab