Skip to main content
Version: latest

IPAM

Description

In order to avoid IP collisions in the system and ensure a proper IPs distribution, this service is offering some IPAM functionalities that can be consumed using a kubernetes clusterIP service (over the kubernetes primary network). This IPAM Service is a GRPC server listening on port 7777.

The specifications of the IPAM Service are written in a proto file accessible here.

IP/Prefix distribution granularity

The Meridio IPAM distributes IP/Prefixes (always within the trench subnet defined in the configuration by IPAM_PREFIX_IPV4 and IPAM_PREFIX_IPV6) at a few different levels.

The first one is at the conduit level. Represented in blue (Conduit-A) and in red (Conduit-B) in the picture below, they are allocated automatically by the IPAM by watching the conduit list via the NSP service. The conduit subnet prefix lengths are defined in the configuration by IPAM_CONDUIT_PREFIX_LENGTH_IPV4 and IPAM_CONDUIT_PREFIX_LENGTH_IPV6.

The second one is at the node level. Represented in black in the picture below (1 per node per conduit), they are allocated when the Allocate API function is called (note: there is currently no way to unallocate except if the conduit is removed.). The node subnet prefix lengths are defined in the configuration by IPAM_NODE_PREFIX_LENGTH_IPV4 and IPAM_NODE_PREFIX_LENGTH_IPV6.

The third (last one) is at the pod level. Each pod will get assigned a unique IP address with IPAM_NODE_PREFIX_LENGTH_IPV4 or IPAM_NODE_PREFIX_LENGTH_IPV6 as prefix length.

ipam

Picture representing a cluster with 2 nodes (worked-A and worker-B), 2 conduits (Conduit-A and Conduit-B), 4 targets and the corresponding subnets.

  • Target-1 is running on worker-A and connected to Conduit-A
  • Target-2 is running on worker-A and connected to Conduit-B
  • Target-3 is running on worker-B and connected to Conduit-A and Conduit-B
  • Target-4 is running on worker-B and connected to Conduit-B

Data persistence

Running as StatefulSet with a single replica, the IPAM handles restarts and pod deletions by saving the data in a local sqlite stored in a persistent volume requested via a volumeClaimTemplates.

Configuration

https://github.com/Nordix/Meridio/blob/master/cmd/ipam/config.go

Environment variableTypeDescriptionDefault
IPAM_PORTintPort the pod is running the service7777
IPAM_DATA_SOURCEstringPath and file name of the sqlite database/run/ipam/data/registry.db
IPAM_TRENCH_NAMEstringTrench the pod is running on
IPAM_NSP_SERVICEstringIP (or domain) and port of the NSP Service
IPAM_PREFIX_IPV4stringIPv4 prefix from which the proxy prefixes will be allocated169.255.0.0/16
IPAM_CONDUIT_PREFIX_LENGTH_IPV4intConduit prefix length which will be allocated20
IPAM_NODE_PREFIX_LENGTH_IPV4intnode prefix length which will be allocated24
IPAM_PREFIX_IPV6stringIPv6 prefix from which the proxy prefixes will be allocatedfd00::/48
IPAM_CONDUIT_PREFIX_LENGTH_IPV6intConduit prefix length which will be allocated56
IPAM_NODE_PREFIX_LENGTH_IPV6intnode prefix length which will be allocated64
IPAM_IP_FAMILYstringIP family (ipv4, ipv6, dualstack)dualstack
IPAM_LOG_LEVELstringLog level (TRACE, DEBUG, INFO, WARNING, ERROR, FATAL, PANIC)DEBUG
IPAM_GRPC_KEEPALIVE_TIMEtime.DurationgRPC keepalive timeout30s
IPAM_GRPC_PROBE_RPC_TIMEOUTtime.DurationRPC timeout of internal gRPC health probe1s
IPAM_GRPC_MAX_BACKOFFtime.DurationUpper bound on gRPC connection backoff delay5s
IPAM_GARBAGE_COLLECTION_ENABLEDboolIP garbage collection enabled or disabledtrue
IPAM_GARBAGE_COLLECTION_INTERVALtime.DurationInterval at which IP garbage collection is running2h
IPAM_GARBAGE_COLLECTION_THRESHOLDtime.DurationIP record older than threshold is considered leftover40m

Command Line

CommandActionDefault
--helpDisplay a help describing
--versionDisplay the version
--debugPrints meridio-version, unix-time, network-interfaces, rules, route, neighbors, system information, and environment-variables in a json format

Communication

Here are all components the ipam is communicating with:

ComponentSecuredMethodDescription
SpireTBDUnix SocketObtain and validate SVIDs
NSP Serviceyes (mTLS)TCPWatch configuration

An overview of the communications between all components is available here.

Health check

The health check is provided by the GRPC Health Checking Protocol. The status returned can be UNKNOWN, SERVING, NOT_SERVING or SERVICE_UNKNOWN.

ServiceDescription
LivenessA unique service to be used by liveness probe to return status, can aggregate other lesser services
ReadinessA unique service to be used by readiness probe to return status, can aggregate other lesser services
StartupA unique service to be used by startup probe to return status, can aggregate other lesser services
ServiceProbeDescription
NSPCliReadinessMonitor status of the connection to the NSP service
IPAMLivenessMonitor status of the server

Privileges

No privileges required.