Make Kubernetes aware of the LoadBalancer behaviour #118895
Conversation
k8s-ci-robot
added
release-note
|
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
|
|
||
| if utilfeature.DefaultFeatureGate.Enabled(features.LoadBalancerIPMode) { | ||
| if len(ingress.IP) > 0 && ingress.IPMode == nil { | ||
| allErrs = append(allErrs, field.Required(idxPath.Child("ipMode"), "must be specified when `ip` is set")) |
There was a problem hiding this comment.
I believe defaulting only occurs when creating new objects, but validation will happen when updating existing objects, so this would prevent you from updating existing old Service objects that use IP but don't have IPMode set.
I think overall it might be better to make IPMode be required, and do default-on-read to handle existing objects where it's not set... (?)
There was a problem hiding this comment.
Why the backticks here? Error messages aren't Markdown.
There was a problem hiding this comment.
AFAIK status is only updated
When a new version of an object is POSTed or PUT, the spec is updated and available immediately. Over time the system will work to bring the status into line with the spec.
but I do not think we should default, do we? https://github.com/kubernetes/kubernetes/pull/118895/files#r1247552003
There was a problem hiding this comment.
I believe defaulting only occurs when creating new objects
Nope! it magically happens any time a versioned object is created, including upon reading from storage. Occasionally this is bad, but mostly it is good for us. In this case it is good! The defaultOnRead() stuff was added because:
// defaultOnRead sets interlinked fields that were not previously set on read.
// We can't do this in the normal defaulting path because that same logic
// applies on Get, Create, and Update, but we need to distinguish between them.
Why the backticks here?
We wrote this down as a convention a looooooong time back, in an effort to make error messages clearer. It's not to render markdown, but to denote "this is a field name". I'm happy to revisit the convention (seriously!) but we should fix all the places that do it.
There was a problem hiding this comment.
We wrote this down as a convention a looooooong time back, in an effort to make error messages clearer. It's not to render markdown, but to denote "this is a field name". I'm happy to revisit the convention (seriously!) but we should fix all the places that do it.
Is that convention documented somewhere user visible? Would be nice.
I think changing it might be a KEP… - possible, but more than trivial effort.
There was a problem hiding this comment.
Is that convention documented somewhere user visible?
Probably not - we never considered the error messages to be API and made no guarantees on them. As such, I don't think a KEP would be needed, just a clearly better convention.
There was a problem hiding this comment.
@pacoxu has found some test failures that appear to be related to this (links above). I'm not sure what the solution is, but this specific validation appears to be backwards incompatible in practice.
pkg/apis/core/types.go
Outdated
| // this load-balancer is delivered with the destination IP and port set to the load-balancer's IP and port. | ||
| // Setting this to "Proxy" indicates that the load-balancer acts like a proxy, | ||
| // delivering traffic with the destination IP and port set to the node's IP and nodePort or to the pod's IP and targetPort. | ||
| // This field can only be set when the ip field is also set, and defaults to "VIP" if not specified. |
There was a problem hiding this comment.
Proxy basically describes the behavior for when Hostname is set but IP is not, right? I think it would be better to say that:
- it defaults to
ProxyifIPis not set - it defaults to
VIPifIPis set - it can't be
VIPifIPis not set
(This would also allow for clear semantics when both Hostname and IP are set in the future.)
There was a problem hiding this comment.
Can there ever be a case where the value here is misleading, because a cloud provider is compatible with v1 (generally available) Service and that code is unaware of the defaulting mechanism?
If so, let's work out how we'll document that. End users need to know about places where the API can say one thing and the truth is another, especially if that behavior arrives in a minor release update to a stable API.
We should have an answer to the docs question before we graduate this feature to beta.
There was a problem hiding this comment.
No; the defaulting behavior described here matches the current semantics: if the cloud LB sets IP then kube-proxy will assume it wants VIP behavior, and if it doesn't set IP then kube-proxy will assume it wants proxy behavior.
There was a problem hiding this comment.
I don't understand this description well.
Proxy means "internal cluster traffic directed to the loadbalancer is sent to the external loadbalancer because the loadbalancer is expected to act as a proxy" and VIP is "traffic directed to the loadbalancer inside the cluster is sent to the VIP directly instead of sending it back to the external loadbalancer, no?
There was a problem hiding this comment.
@aojea You are right. "Proxy" means the traffic will actually pass through the external loadbalancer and "VIP" means that kube-proxy will create a forwarding rule on the node using the ingress.ip, directly forwarding the traffic to the backend pods.
The default value for this field is "VIP" which keeping the current behaviour, it does not have any impact on the existing cloud providers. BTW, we don't care about the value of ingress.hostname here. @danwinship @sftim
Comments in the code may not be very clear. I'll try to update it accordingly.
There was a problem hiding this comment.
There was a problem hiding this comment.
I like Dan's thinking, with a tweak:
- it defaults to
"VIP"whenipis set - otherwise it defaults to
"Proxy"whenhostnameis set - otherwise it is not defaulted
- it may not be
"VIP"ifipis not set
There was a problem hiding this comment.
I don't understand this description well.
So this can be described either from the CloudProvider's perspective or from kube-proxy's perspective. Probably the docs need to explain both.
pkg/proxy/service.go
Outdated
| // Obtain Load Balancer Ingress IPs | ||
| var ips []string | ||
| // Obtain Load Balancer Ingress | ||
| var invalidIps []string |
There was a problem hiding this comment.
invalidIPs (ie, capitalize the "P" if you capitalize the "I")
pkg/proxy/service.go
Outdated
| var ips []string | ||
| for _, ing := range bsvcPortInfo.loadBalancerStatus.Ingress { | ||
| ips = append(ips, ing.IP) | ||
| if proxyutil.IsVIPMode(ing) { | ||
| ips = append(ips, ing.IP) |
There was a problem hiding this comment.
So I noticed recently that pkg/proxy/service.go is sort of dumb about LoadBalancerIPs: it copies the entire LoadBalancerStatus object into BaseServicePortInfo, but then only allows callers to access the individual IPs. So if you're changing this code anyway, can you change BaseServicePortInfo.loadBalancerStatus v1.LoadBalancerStatus to BaseServicePortInfo.loadBalancerVIPs []string and do the filtering by IsVIPMode in newBaseServiceInfo rather than here?
|
/remove-sig api-machinery |
k8s-ci-robot
removed
the
sig/api-machinery
pkg/apis/core/types.go
Outdated
| // this load-balancer is delivered with the destination IP and port set to the load-balancer's IP and port. | ||
| // Setting this to "Proxy" indicates that the load-balancer acts like a proxy, | ||
| // delivering traffic with the destination IP and port set to the node's IP and nodePort or to the pod's IP and targetPort. | ||
| // This field can only be set when the ip field is also set, and defaults to "VIP" if not specified. |
There was a problem hiding this comment.
Can there ever be a case where the value here is misleading, because a cloud provider is compatible with v1 (generally available) Service and that code is unaware of the defaulting mechanism?
If so, let's work out how we'll document that. End users need to know about places where the API can say one thing and the truth is another, especially if that behavior arrives in a minor release update to a stable API.
We should have an answer to the docs question before we graduate this feature to beta.
|
|
||
| if utilfeature.DefaultFeatureGate.Enabled(features.LoadBalancerIPMode) { | ||
| if len(ingress.IP) > 0 && ingress.IPMode == nil { | ||
| allErrs = append(allErrs, field.Required(idxPath.Child("ipMode"), "must be specified when `ip` is set")) |
There was a problem hiding this comment.
Why the backticks here? Error messages aren't Markdown.
|
|
||
| if ingress.IPMode != nil { | ||
| if len(ingress.IP) == 0 { | ||
| allErrs = append(allErrs, field.Forbidden(idxPath.Child("ipMode"), "may not be used when `ip` is not set")) |
There was a problem hiding this comment.
Why the backticks here? Error messages aren't Markdown.
|
|
||
| const ( | ||
| // LoadBalancerIPModeVIP indicates that the traffic passing through this LoadBalancer | ||
| // is delivered with the destination IP set to the specified LoadBalancer IP |
There was a problem hiding this comment.
| // is delivered with the destination IP set to the specified LoadBalancer IP | |
| // is delivered with the destination IP address set to the specified LoadBalancer IP address |
| // is delivered with the destination IP set to the specified LoadBalancer IP | ||
| LoadBalancerIPModeVIP LoadBalancerIPMode = "VIP" | ||
| // LoadBalancerIPModeProxy indicates that the specified LoadBalancer acts like a proxy, | ||
| // changing the destination IP to the node IP and the source IP to the LoadBalancer (mostly private) IP |
There was a problem hiding this comment.
| // changing the destination IP to the node IP and the source IP to the LoadBalancer (mostly private) IP | |
| // so that packets arrive at nodes with the destination IP address set as the node's IP address, | |
| // and the source IP address set to the load balancer's IP address. The load balancer's IP address | |
| // might be a private / internal IP address rather than the same IP address that the client sees. |
There was a problem hiding this comment.
Could we ever support a configuration where the destination IP address belongs to a specific pod, rather than a node? If it could, I think I'd prefer the value to be ProxyToNode here, which leaves room for another proxy-to-pod option later on.
I didn't see the related KEP to provide this feedback before we started on implementation.
There was a problem hiding this comment.
As mentioned above, "Proxy" means that the traffic will actually be sent to the external load balancer without caring about whether the backend consists of nodes or pods. I will update the code comment here.
|
cc @thockin |
| @@ -22575,3 +22575,87 @@ func TestValidateDynamicResourceAllocation(t *testing.T) { | |||
| } | |||
| }) | |||
| } | |||
|
|
|||
| func TestValidateLoadBalancerStatus(t *testing.T) { | |||
| defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.LoadBalancerIPMode, true)() | |||
There was a problem hiding this comment.
you should add another variable to the testCase to test with the feature gate to true and false
|
This needs api-review and add integration tests on https://github.com/kubernetes/kubernetes/blob/bd1435dccdd3f06de36b20d49afdd04ce431fcc5/test/integration/service/loadbalancer_test.go , check the git history to find examples and adapt to your change, per example #103129 |
pkg/apis/core/types.go
Outdated
| type LoadBalancerIPMode string | ||
|
|
||
| const ( | ||
| // LoadBalancerIPModeVIP indicates that kube-proxy will create a forwarding rule |
There was a problem hiding this comment.
Same here. Doc it in terms of the meaning, not how kube-proxy reacts to the meaning
k8s-ci-robot
added
the
needs-rebase
|
this needs rebase |
k8s-ci-robot
added
needs-rebase
k8s-ci-robot
removed
the
needs-rebase
|
@RyanAoh: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
| return v1.IPv6Protocol | ||
| } | ||
| return v1.IPv4Protocol | ||
|
|
||
| return "" |
There was a problem hiding this comment.
We have IPFamilyUnknown for this
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 442f8346692ecc4d2f62a601eaf4d9a3c08c4f6c
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: RyanAoh, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Revert "Merge pull request #118895 from RyanAoh/kep-1860"
What type of PR is this?
/kind feature
What this PR does / why we need it:
Implementation of KEP-1860
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: