networkd: mask out Kubernetes CNI interfaces

[philips]

Desired Feature

Kubernetes may create a number of different interfaces for CNI plugins. CoreOS Linux should not have networkd run over these interfaces.

Here is an example output:

$ ip addr show dev cni0
6: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1472 qdisc noqueue state UP group default qlen 1000
    link/ether 0a:58:0a:02:01:01 brd ff:ff:ff:ff:ff:ff
    inet 10.2.1.1/24 scope global cni0
       valid_lft forever preferred_lft forever
    inet6 fe80::ec7e:9ff:fe5d:192f/64 scope link
       valid_lft forever preferred_lft forever

We have a few different options:

1. Add a mask .network like flannel has into the base system https://github.com/coreos/coreos-overlay/blob/22746580d4ac75ddbbd0a1330c98eb9273d0d699/app-admin/flannel/files/50-flannel.network
2. Ignore based on device type as discussed here networkd: support marking links unmanaged systemd/systemd#4228
3. Install a mask only if kubelet-wrapper is started, similar to Mismatched UID's between PXE image and amd64-user #1

xref flannel-io/flannel#533

[crawford]

This can be fixed with coreos/systemd#73.

[crawford]

The following unit can be used in the next Alpha to prevent networkd from attempting to manage certain interfaces:

[Match]
...

[Link]
Unmanaged=true

[luxas]

We should still add a file to ignore all cni* interfaces, I guess the issue should be open until that's actually fixed. We now have the prerequisite, but we still have to manually verify that it doesn't break the CNI interfaces.

[euank]

@luxas since we don't ship CNI as part of the OS (but do ship flannel and docker) I'm not sure we should ship that file ourselves.

Whatever's used to install CNI (whether ignition or kops or whatever) should probably place the appropriate .network file itself.

Admittedly, our own docs and tools get this wrong iirc.