analyzer: check an IP and report if it is valid for Kubernetes #1536

Open
adamancini opened this issue Apr 29, 2024 · 5 comments
adamancini commented Apr 29, 2024

Describe the rationale for the suggested feature.

An end user may try to implement airgapping by removing the primary interface of the host or by removing routes from the routing table - this may break CNI if there is no interface to use to build a bridge for flannel.

Describe the feature

Pass an IP address to the analyzer and report if it is valid for use with Kubernetes.

Valid IPs must have a gateway and must not be a link-local or loopback address.
Valid IPs must also not be part of a bridge device that may be used for VM networking (such as virbr0 in this example).

analyzers:
  - kubeletIP:
      address: 192.168.122.0/24
      outcomes:
        pass:
          when: address == OK
          message: $address is a valid address to use for Kubernetes
        fail:
          message: $address is not a valid address to use for Kubernetes because $reason
  - kubeletIP:
      address: 169.254.1.0/24
      outcomes:
        pass:
          when: address == OK
          message: $address is a valid address to use for Kubernetes
        fail:
          message: $address is not a valid address to use for Kubernetes because $reason

This example analyzer executed against a table that looks like this:

default via 169.254.1.1 dev idrac proto static metric 100
169.254.1.0/24 dev idrac proto kernel scope link src 169.254.1.2 metric 100
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown

would fail:

169.254.1.0/24 is not a valid address to use for Kubernetes because it is link-local
192.168.122.0/24 is not a valid address to use for Kubernetes because it is a bridge device

Describe alternatives you've considered

Something along the lines of what happens during kubeadm init phase preflight, which can generate errors like these from this interface list:

default via 169.254.1.1 dev idrac proto static metric 100
169.254.1.0/24 dev idrac proto kernel scope link src 169.254.1.2 metric 100
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
This token will expire in 24 hours
cannot use "169.254.1.2" as the bind address for the API Server
To see the stack trace of this error execute with --v=5 or higher
Retry 1/3 exited 1, retrying in 1 seconds...
...
cannot use "169.254.1.2" as the bind address for the API Server
To see the stack trace of this error execute with --v=5 or higher
Retry 2/3 exited 1, retrying in 2 seconds...
...
cannot use "169.254.1.2" as the bind address for the API Server
To see the stack trace of this error execute with --v=5 or higher
Retry 3/3 exited 1, no more retries left.
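
The rules proposed in the issue above, applied to its route table, as an added example that is not part of the original issue or of the troubleshoot code base. `checkAddress`, the `bridges` parameter, the eth0 routes and the reason strings other than the two quoted in the issue are assumptions made for illustration; "has a gateway" is read here as "a default route exists on the same device".

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Routes from the issue, plus a constructed eth0 network for the passing case.
const sampleRoutes = `default via 169.254.1.1 dev idrac proto static metric 100
169.254.1.0/24 dev idrac proto kernel scope link src 169.254.1.2 metric 100
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
default via 10.0.0.1 dev eth0 metric 200`

// checkAddress returns "" when cidr passes, otherwise the reason it fails.
// bridges is an assumption of this sketch: `ip route` does not mark bridges.
func checkAddress(cidr, routes string, bridges map[string]bool) string {
	prefix, err := netip.ParsePrefix(cidr)
	if err != nil {
		return "it is not a valid CIDR"
	}
	want, dev, gateways := prefix.Masked().String(), "", map[string]bool{}
	for _, line := range strings.Split(routes, "\n") {
		f := strings.Fields(line)
		switch {
		case len(f) >= 5 && f[0] == "default" && f[1] == "via" && f[3] == "dev":
			gateways[f[4]] = true // device that has a default gateway
		case len(f) >= 3 && f[0] == want && f[1] == "dev":
			dev = f[2] // device that carries the checked network
		}
	}
	switch addr := prefix.Addr(); {
	case addr.IsLoopback():
		return "it is loopback"
	case addr.IsLinkLocalUnicast():
		return "it is link-local"
	case dev == "":
		return "it has no route"
	case bridges[dev]:
		return "it is a bridge device"
	case !gateways[dev]:
		return "it has no gateway"
	}
	return ""
}

func main() {
	fmt.Println(checkAddress("169.254.1.0/24", sampleRoutes, map[string]bool{"virbr0": true}))
}
```

On a live host the bridge set would have to come from the system rather than from the route table; the checks are ordered so that the link-local and bridge reasons quoted in the issue take precedence over the missing-gateway reason.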

diamonwiggins commented May 6, 2024

Per https://kubernetes.io/docs/concepts/services-networking/service/#custom-endpointslices we should consider interfaces in both loopback and link local ranges to not be valid for install.

Also, this is relevant for Kubernetes in general, not just for kubeadm-based installs. I've updated the title to that effect.

diamonwiggins changed the title from "analyzer: make sure there's a valid interface that kubeadm can use" to "analyzer: make sure there's a valid interface that kubernetes can use" on May 6, 2024
@adamancini

@diamonwiggins thanks for tracking that down

@chris-sanders

If we improve this we should be sure to update the Embedded Cluster spec when it's available: Ref https://github.com/replicatedhq/embedded-cluster/pull/579/files

adamancini changed the title from "analyzer: make sure there's a valid interface that kubernetes can use" to "analyzer: check an IP and report if it is valid for Kubernetes" on Nov 26, 2024