[backport to 1.9x] Disable session affinity for internal kubernetes service #65178
Conversation
Under following conditions session affinity leads to a deadlock:
- Self hosted controller-manager, where it talks to API servers
via kubernetes service ClusterIP
- default master-count reconcilier is used
- --apiserver-count is set to >1 according to the help message
- number of responsive APIServers goes below `apiserver-count`
- all controller-managers happen to be hashed to APIServers which
are down.
What then happens is that controller managers never be able to
contact APIServer, despite correctly working APIServer available.
Less serious outages also possible for other consumers of kubernetes
service, such as operators, kube-dns, flannel & calico, etc. There is
always non zero chance, that given consumer is hashed to an apiserver
which is down.
Revert "give the kubernetes service client ip session affinity"
This reverts commit e21ebbc.
k8s-ci-robot
added
release-note
k8s-ci-robot
added
the
needs-ok-to-test
|
/assign @derekwaynecarr |
|
This PR is not for the master branch but does not have the |
k8s-github-robot
added
the
do-not-merge/cherry-pick-not-approved
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: afritzler, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
|
why this is not an automated cherrypick of #23129? |
|
/retest |
|
@mbohlool is it possible to include this cherrypick into the upcoming 1.9.9 release? |
|
@afritzler We can try. Can you explain why this is not an automated cherrypick? This is the document you need to follow to create an automated cherrypick: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md I am closing this one, if you believe this change cannot be an automated cherrypick of #56690 please open again with an explanation. |
Under following conditions session affinity leads to a deadlock:
via kubernetes service ClusterIP
apiserver-countare down.
What then happens is that controller managers never be able to
contact APIServer, despite correctly working APIServer available.
Less serious outages also possible for other consumers of kubernetes
service, such as operators, kube-dns, flannel & calico, etc. There is
always non zero chance, that given consumer is hashed to an apiserver
which is down.
Revert "give the kubernetes service client ip session affinity"
This reverts commit e21ebbc.
What this PR does / why we need it:
Backporting #56690 to 1.9 release branch.
Which issue(s) this PR fixes
Fixes #23129
Special notes for your reviewer:
Release note: