cf-networking/0.19.0
You can find the source of this version on GitHub at cloudfoundry-incubator/cf-networking-release. It was created based on the commit dd113dc.
Release Notes
The first release to include a new layer-3 only CNI plugin. Highlights include:
- Silk CNI plugin to replace Flannel CNI plugin
- NetIn and NetOut rules are configured through CNI
- Networking features to enable BOSH DNS for CF apps
We do not recommend using cf-networking-release in production yet, but give it a try and give us your feedback in the #container-networking channel on cloudfoundry.slack.com.
Take a look at known issues for current limitations and known issues.
Verified with the following:
- CF deployment
Manifest Changes
Changed Properties
- The value for cf_networking.garden_external_networker.cni_plugin_dir must be updated to /var/vcap/packages/silk/bin if you are not swapping out CNI with your own plugin. (There is no default currently, but we plan to add one in the next release.)
- The property for global ASG logging has changed from cf_networking.garden_external_networker.iptables_asg_logging to cf_networking.iptables_asg_logging.
Removed Properties
cf_networking.flannel_watchdog.no_bridge is now removed.
New Properties
A new property has been added to support an upcoming feature. Users can specify DNS servers and access will be automatically allowed for link-local DNS servers: cf_networking.dns_servers
The new feature will require garden-runc-release versions >=1.4.0.
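The three manifest changes above, shown side by side as a before/after on the cf_networking property block. This is an added illustration, not a fragment from the release or its docs: the job placement, the previous cni_plugin_dir value, the list shape of dns_servers and the DNS address are assumptions.

```yaml
# Added example (not from cf-networking-release). Two YAML documents:
# the 0.18.x-style property block and the equivalent block for 0.19.0.
# Placement of these properties under a specific job is assumed.
---
# Before 0.19.0
properties:
  cf_networking:
    garden_external_networker:
      cni_plugin_dir: "<previous plugin dir>"   # placeholder for the old value
      iptables_asg_logging: true
    flannel_watchdog:
      no_bridge: false                          # removed in 0.19.0
---
# 0.19.0
properties:
  cf_networking:
    garden_external_networker:
      # Required unless you bring your own CNI plugin; no default yet.
      cni_plugin_dir: /var/vcap/packages/silk/bin
    # Global ASG deny logging moved up one level.
    iptables_asg_logging: true
    # New. Link-local servers listed here get an automatic iptables allow rule.
    # The list form and the address are assumed sample values.
    dns_servers:
      - 169.254.0.2
```

Keeping iptables_asg_logging at its old path after the upgrade silently drops global ASG deny logging rather than failing the deploy, so it is worth checking rendered job specs for the old key before rolling out.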
Significant Changes
New CNI plugin
- CF Wrapper plugin fails if there is a subnet theft
- CF Networking Release can use the Silk CNI plugin instead of the flannel + bridge plugins
- Flannel watchdog has a bridgeless mode where it inspects the container metadata store
- An acceptance environment is running a BOSH deployed silkd
NetIn/NetOut Changes
- Wrapper CNI plugin can configure NetIn and NetOut
- The external networker defers to the CNI plugin to write NetIn/NetOut rules
BOSH DNS support
- An iptables input rule is written for every local DNS server
- DNS servers are returned from the external networker to garden
- Requires garden-runc-release versions >1.3.0
Logging enhancements
- Logging for denied outbound non-c2c packets
- As an operator I know how to find the source app using a packet capture
- ASG deny logging is rate limited to a hardcoded interval
- Troubleshooting docs include information about ASG logging through BOSH property
Chores
Usage
You can reference this release in your deployment manifest from the releases
section:
- name: "cf-networking"
  version: "0.19.0"
  url: "https://bosh.io/d/github.com/cloudfoundry-incubator/cf-networking-release?v=0.19.0"
  sha1: "d9679cc0c17f9bb1456ab5c8d851444294b7a98f"
Or upload it to your director with the upload-release
command:
bosh upload-release --sha1 d9679cc0c17f9bb1456ab5c8d851444294b7a98f \
  "https://bosh.io/d/github.com/cloudfoundry-incubator/cf-networking-release?v=0.19.0"