3

Is there a kubectl command or config map in the cluster that can help me find what CNI is being used?

YoMar
  • 41
  • 2
  • 1
    It's a lil different but maybe this will help get you in the right direction: https://stackoverflow.com/questions/57814133/kubernetes-how-to-view-or-list-the-installed-cni-addons – easleyfixed Jul 05 '22 at 20:21
  • Version of daemonset: `kubectl describe ds -n kube-flannel | grep -i image` – robsn Apr 17 '23 at 09:19

1 Answer

2

First of all, checking for the presence of exactly one config file in `/etc/cni/net.d` is a good start:

```
$ ls /etc/cni/net.d
10-flannel.conflist
```

and `ip a s` or `ifconfig` are helpful for checking the existence of network interfaces. For example, the flannel CNI should set up a `flannel.1` interface:

```
$ ip a s flannel.1
3: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default 
    link/ether de:cb:d1:d6:e3:e7 brd ff:ff:ff:ff:ff:ff
    inet 10.244.1.0/32 scope global flannel.1
       valid_lft forever preferred_lft forever
    inet6 fe80::dccb:d1ff:fed6:e3e7/64 scope link 
       valid_lft forever preferred_lft forever
```

When creating a cluster, the CNI is typically installed using:

```
kubectl apply -f <add-on.yaml>
```

thus the networking pod will be called kube-flannel*, kube-calico* etc. depending on your networking configuration.

Then crictl will help you inspect running pods and containers.

```
crictl pods ls
```

On a controller node in a healthy cluster you should have all pods in Ready state.

```
crictl pods ls
POD ID              CREATED             STATE               NAME                                          NAMESPACE           ATTEMPT             RUNTIME
dc90dd87e18cf       3 minutes ago       Ready               coredns-6d4b75cb6d-r2j9s                      kube-system         0                   (default)
d1ab9d0aa815a       3 minutes ago       Ready               kubernetes-dashboard-cd4778d69-xmtkz          kube-system         0                   (default)
0c151fdd92e71       3 minutes ago       Ready               coredns-6d4b75cb6d-bn8hr                      kube-system         0                   (default)
40f18ce56f776       4 minutes ago       Ready               kube-flannel-ds-d4fd7                         kube-flannel        0                   (default)
0e390a68380a5       4 minutes ago       Ready               kube-proxy-r6cq2                              kube-system         0                   (default)
cd93e58d3bf70       4 minutes ago       Ready               kube-scheduler-c01                            kube-system         0                   (default)
266a33aa5c241       4 minutes ago       Ready               kube-apiserver-c01                            kube-system         0                   (default)
0910a7a73f5aa       4 minutes ago       Ready               kube-controller-manager-c01                   kube-system         0                   (default)
```

If your cluster is properly configured you should be able to list containers using kubectl:

```
kubectl get pods -n kube-system
```

If kubectl is not working (kube-apiserver is not running), you can fall back to crictl.

On an unhealthy cluster, kubectl will show pods in the CrashLoopBackOff state. The `crictl pods ls` command will give you a similar picture, only displaying pods from a single node. Also check the documentation for common CNI errors.

```
$ kubectl get pods -n kube-system
NAME                                          READY   STATUS              RESTARTS         AGE
coredns-6d4b75cb6d-brb9d                      0/1     ContainerCreating   0                25m
coredns-6d4b75cb6d-pcrcp                      0/1     ContainerCreating   0                25m
kube-apiserver-cm01                           1/1     Running             27 (18m ago)     26m
kube-apiserver-cm02                           0/1     Running             31 (8m11s ago)   23m
kube-apiserver-cm03                           0/1     CrashLoopBackOff    33 (2m22s ago)   26m
kube-controller-manager-cm01                  0/1     CrashLoopBackOff    13 (50s ago)     24m
kube-controller-manager-cm02                  0/1     CrashLoopBackOff    7 (15s ago)      24m
kube-controller-manager-cm03                  0/1     CrashLoopBackOff    15 (3m45s ago)   26m
kube-proxy-2dvfg                              0/1     CrashLoopBackOff    8 (97s ago)      25m
kube-proxy-7gnnr                              0/1     CrashLoopBackOff    8 (39s ago)      25m
kube-proxy-cqmvz                              0/1     CrashLoopBackOff    8 (19s ago)      25m
kube-scheduler-cm01                           1/1     Running             28 (7m15s ago)   12m
kube-scheduler-cm02                           0/1     CrashLoopBackOff    28 (4m45s ago)   18m
kube-scheduler-cm03                           1/1     Running             36 (107s ago)    26m
kubernetes-dashboard-cd4778d69-g8jmf          0/1     ContainerCreating   0                2m27s
```

`crictl ps` will give you containers (like `docker ps`); watch for a high number of attempts:

```
CONTAINER           IMAGE               CREATED             STATE               NAME                      ATTEMPT             POD ID              POD
d54c6f1e45dea       2ae1ba6417cbc       2 seconds ago       Running             kube-proxy                1                   347fef3ae1e98       kube-proxy-7gnnr
d6048ef9e30c7       d521dd763e2e3       41 seconds ago      Running             kube-apiserver            27                  640658b58d1ae       kube-apiserver-cm03
b6b8c7a24914e       3a5aa3a515f5d       41 seconds ago      Running             kube-scheduler            28                  c7b710a0acf30       kube-scheduler-cm03
b0a480d2c1baf       586c112956dfc       42 seconds ago      Running             kube-controller-manager   8                   69504853ab81b       kube-controller-manager-cm03
```

and check logs using

```
crictl logs d54c6f1e45dea
```

Last but not least, the `/opt/cni/bin/` path usually contains the binaries required for networking. Another path might be defined in the add-on setup or CNI config.

```
$ ls /opt/cni/bin/
bandwidth  bridge  dhcp  firewall  flannel  host-device  host-local  ipvlan  loopback  macvlan  portmap  ptp  sbr  static  tuning  vlan
```

Finally, crictl reads the `/etc/crictl.yaml` config; you should set the proper runtime and image endpoints to match your container runtime:

```
runtime-endpoint: unix:///var/run/containerd/containerd.sock
image-endpoint: unix:///var/run/containerd/containerd.sock
timeout: 10
```
Tombart
  • 30,520
  • 16
  • 123
  • 136
  • what would happen if we have two configs in the `/etc/cni/net.d` dir, I have a case where I am installing calico for just policy and keeping flannel on the side. Installing calico adds calico config as well in this directory. – devcodes Dec 08 '22 at 02:31
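
The node-level checks from the answer, combined into one script as an added example (not the answer author's code): it reports which file in the CNI config directory would be loaded, which plugins that file chains, and which of those binaries are missing from the plugin directory. The function names and the sample files in `demo()` are constructed for illustration, and it assumes the runtime loads only the lexicographically first config file, which is containerd's default.

```python
import json
import os
import tempfile

CONF_EXTS = (".conf", ".conflist", ".json")  # extensions libcni scans for


def plugin_types(conf):
    """Plugin names in chain order, each followed by its IPAM plugin if set."""
    chain = conf.get("plugins") or [conf]  # a .conf file holds a single plugin
    names = []
    for plugin in chain:
        for name in (plugin.get("type"), (plugin.get("ipam") or {}).get("type")):
            if name and name not in names:
                names.append(name)
    return names


def inspect_cni(conf_dir="/etc/cni/net.d", bin_dir="/opt/cni/bin"):
    """Summarise the CNI config a runtime would load from conf_dir."""
    files = sorted(f for f in os.listdir(conf_dir) if f.endswith(CONF_EXTS))
    if not files:
        return dict(active=None, ignored=[], plugins=[], missing=[])
    # Assumption: only the lexicographically first file is loaded (containerd default).
    with open(os.path.join(conf_dir, files[0])) as fh:
        names = plugin_types(json.load(fh))
    missing = [n for n in names if not os.path.isfile(os.path.join(bin_dir, n))]
    return dict(active=files[0], ignored=files[1:], plugins=names, missing=missing)


def demo():
    """Run against constructed sample files so the example works offline."""
    flannel = {"name": "cbr0", "cniVersion": "0.3.1", "plugins": [
        {"type": "flannel", "delegate": {"isDefaultGateway": True}},
        {"type": "portmap", "capabilities": {"portMappings": True}}]}
    extra = {"name": "extra", "type": "bridge", "ipam": {"type": "host-local"}}
    with tempfile.TemporaryDirectory() as root:
        conf_dir, bin_dir = os.path.join(root, "net.d"), os.path.join(root, "bin")
        os.makedirs(conf_dir)
        os.makedirs(bin_dir)
        for name, conf in (("10-flannel.conflist", flannel), ("99-extra.conf", extra)):
            with open(os.path.join(conf_dir, name), "w") as fh:
                json.dump(conf, fh)
        open(os.path.join(bin_dir, "flannel"), "w").close()  # portmap left out
        return inspect_cni(conf_dir, bin_dir)


if __name__ == "__main__":
    print(demo())
```

On a real node, call `inspect_cni()` with no arguments to use the default paths shown in the answer; a non-empty `ignored` list means more than one config file is present.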