hostrouting

package

v0.1.1 Latest Latest Go to latest Published: Jun 10, 2026 License: MIT Imports: 16 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/Azure/AKSFlexNode

Links

Open Source Insights

Documentation ¶

Overview ¶

Package hostrouting provides phases.Task implementations that configure IPv4 routing on the host before the nspawn machine starts.

ConfigureStaticRoutes installs explicit routes to prevent provider-installed connected routes (e.g. Azure IB /16 on ND-isr SKUs) from shadowing cluster CIDRs.

CheckRouteOverlap verifies that expected CIDRs all route via the IPv4 default outbound interface, catching unmitigated routing overlaps at boot time.

Index ¶

func CheckRouteOverlap(cfg *config.Config, logger *slog.Logger) phases.Task
func Configure(cfg *config.Config, logger *slog.Logger) phases.Task
func ConfigureStaticRoutes(cfg *config.Config, logger *slog.Logger) phases.Task

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func CheckRouteOverlap ¶

func CheckRouteOverlap(cfg *config.Config, logger *slog.Logger) phases.Task

CheckRouteOverlap returns a task that installs a oneshot systemd unit which, before the nspawn machine starts, verifies that expected IPv4 CIDRs all route via the IPv4 default outbound interface.

The classic failure it catches is the Azure ND-isr H200 IB driver shadowing a customer VNet CIDR with a connected /16 on ib0 — in that case `ip -4 route get <cluster-cidr-probe>` returns ib0 instead of eth0, traffic blackholes, and kubelet looks healthy while pods can't reach the API server.

Pair with ConfigureStaticRoutes (which fixes the overlap) for full coverage: the static-routes unit is ordered Before this one, so by the time the check runs the kernel route table reflects any mitigations.

Mode "STRICT" (recommended for production): any overlap causes the unit to exit 1. With RequiredBy=systemd-nspawn@.service the nspawn machine will not start until the overlap is resolved. Mode "WARN" (default): the overlap is logged and written to /run/aks-flex-node/route-overlap.detected but the machine still starts.

func Configure ¶

func Configure(cfg *config.Config, logger *slog.Logger) phases.Task

Configure returns a single phases.Task that installs static routes and verifies no route overlap exists. It sequentially runs ConfigureStaticRoutes then CheckRouteOverlap. Both oneshot units are ordered Before=systemd-nspawn@.service so the kernel route table is correct before the container boots.

func ConfigureStaticRoutes ¶

func ConfigureStaticRoutes(cfg *config.Config, logger *slog.Logger) phases.Task

ConfigureStaticRoutes returns a task that installs a oneshot systemd unit which applies static IPv4 routes via `ip -4 route replace` before the nspawn machine starts. When no routes are configured the task is a no-op.

This is intended for cases where the VM provider's default routing is wrong for the cluster — for example, Azure ND-isr SKUs install connected /16 routes for the InfiniBand fabric that can shadow legitimate cluster CIDRs. More-specific routes added via this task win over the IB /16 without disturbing peer-to-peer IB traffic.

Types ¶

This section is empty.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL