From b46ddf35fccd13f369a0c4b612c8eb592335c77d Mon Sep 17 00:00:00 2001
From: Kay Yan <yankay@users.noreply.github.com>
Date: Tue, 30 Aug 2022 15:21:02 +0800
Subject: [PATCH] kube-vip shoud fail if kube_proxy_strict_arp is false in arp
 mod (#9223)

* fix-kube-vip-strict-arp

* fix-kube-vip-strict-arp
---
 docs/kube-vip.md                                          | 8 ++++++++
 inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml   | 2 +-
 .../kubernetes/control-plane/defaults/main/kube-proxy.yml | 2 +-
 roles/kubernetes/node/tasks/loadbalancer/kube-vip.yml     | 7 +++++++
 4 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/docs/kube-vip.md b/docs/kube-vip.md
index 17e4fb127..9ba402d12 100644
--- a/docs/kube-vip.md
+++ b/docs/kube-vip.md
@@ -2,6 +2,14 @@
 
 kube-vip provides Kubernetes clusters with a virtual IP and load balancer for both the control plane (for building a highly-available cluster) and Kubernetes Services of type LoadBalancer without relying on any external hardware or software.
 
+## Prerequisites
+
+You have to configure `kube_proxy_strict_arp` when the kube_proxy_mode is `ipvs` and kube-vip ARP is enabled.
+
+```yaml
+kube_proxy_strict_arp: true
+```
+
 ## Install
 
 You have to explicitly enable the kube-vip extension:
diff --git a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
index 271466744..5215e1fd9 100644
--- a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
@@ -125,7 +125,7 @@ kube_apiserver_port: 6443  # (https)
 kube_proxy_mode: ipvs
 
 # configure arp_ignore and arp_announce to avoid answering ARP queries from kube-ipvs0 interface
-# must be set to true for MetalLB to work
+# must be set to true for MetalLB, kube-vip(ARP enabled) to work
 kube_proxy_strict_arp: false
 
 # A string slice of values which specify the addresses to use for NodePorts.
diff --git a/roles/kubernetes/control-plane/defaults/main/kube-proxy.yml b/roles/kubernetes/control-plane/defaults/main/kube-proxy.yml
index 6c3b113a7..52346fad1 100644
--- a/roles/kubernetes/control-plane/defaults/main/kube-proxy.yml
+++ b/roles/kubernetes/control-plane/defaults/main/kube-proxy.yml
@@ -77,7 +77,7 @@ kube_proxy_exclude_cidrs: []
 kube_proxy_scheduler: rr
 
 # configure arp_ignore and arp_announce to avoid answering ARP queries from kube-ipvs0 interface
-# must be set to true for MetalLB to work
+# must be set to true for MetalLB, kube-vip(ARP enabled) to work
 kube_proxy_strict_arp: false
 
 # kube_proxy_tcp_timeout is the timeout value used for idle IPVS TCP sessions.
diff --git a/roles/kubernetes/node/tasks/loadbalancer/kube-vip.yml b/roles/kubernetes/node/tasks/loadbalancer/kube-vip.yml
index 0f3f5117f..e12bd9bfc 100644
--- a/roles/kubernetes/node/tasks/loadbalancer/kube-vip.yml
+++ b/roles/kubernetes/node/tasks/loadbalancer/kube-vip.yml
@@ -1,4 +1,11 @@
 ---
+- name: kube-vip  | Check cluster settings for kube-vip
+  fail:
+    msg: "kube-vip require kube_proxy_strict_arp = true, see https://github.com/kube-vip/kube-vip/blob/main/docs/kubernetes/arp/index.md"
+  when:
+    - kube_proxy_mode == 'ipvs' and not kube_proxy_strict_arp
+    - kube_vip_arp_enabled
+
 - name: kube-vip | Write static pod
   template:
     src: manifests/kube-vip.manifest.j2
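Review bot: The task name on the first added line carries two spaces before the pipe (`kube-vip  | Check cluster settings for kube-vip`), which does not match the `kube-vip | Write static pod` naming of the task that follows; suggest `- name: kube-vip | Check cluster settings for kube-vip`. The `msg:` text also reads `kube-vip require`; something like `kube-vip requires kube_proxy_strict_arp: true when kube_proxy_mode is ipvs and ARP mode is enabled` would state the exact precondition the `when` block tests, which helps an operator reading the failure. Separately, the `kube_proxy_strict_arp` default this patch edits lives under `roles/kubernetes/control-plane/defaults`, while this task runs in the node role; if that default is not in scope for the node role, `not kube_proxy_strict_arp` would raise an undefined-variable error instead of this message, so it may be worth confirming, or writing the condition as `kube_proxy_mode == 'ipvs' and not (kube_proxy_strict_arp | default(false))` so a missing value still fails closed.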
-- 
GitLab