-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Exposed load balancer IP causes cluster internal traffic fail together with the proxy protocol #15
Comments
Thanks for reporting this, together with useful references. I'll analyze this and get back to you. |
An effect out of it is that cert-manager is unable to issue certificates, because the challenge URL is checked ahead, but this verification step fails and prevent issuing the certificate, even if the challenge is outside accessible to Let's encrypt. |
Okay I see the problem with the current implementation. I would probably fix this via an annotation, like Digital Ocean did, together with a similar disclaimer: The only thing is that you would have to provide a domain name that points at the right IP address iiuc. It's worth mentioning that we have a DNS entry for each customer IPv4 address, which could be used (e.g. 1-2-3-4.cust.cloudscale.ch). If you want to automate that on your end, you likely could do it that way (if you do not have a domain ready in all cases). Unless I discover something I'm not seeing I would therefore add an annotation for you to trigger the workaround-behavior. Does that sound reasonable? Do you have a way to work around this issue at the moment for your cluster? How high of a priority is this for you? |
@href The approach to set the hostname is fine. I think it can be any arbitrary name. In difference to the IP the hostname shouldn't be used. As we currently have no clusters on v1.29 spending time right now for a final solution via Currently it blocks the setup of Keycloak, which we require for more depending services. As a short term solution we might remove the proxy protocol, which then removes the capability to have access to the source IP. I think we can work some days, but not weeks without. |
Got it, I'll try to tackle the problem this or next week. I'll get back to you once I have something testable. I assume you can run a test-build against a cluster to try it out, once I have the feature ready. |
This should be duable. |
This is accomplished with two new annotations: - `k8s.cloudscale.ch/loadbalancer-force-hostname` - `k8s.cloudscale.ch/loadbalancer-ip-mode` The former forces a hostname to be reported for loadbalancer ingress, the latter adds support for the new IPMode config available by default on Kubernetes 1.30, and feature-gated on 1.29. This is required for clusters that use the `proxy` or `proxyv2` protocol for any of their loadbalancers, and send traffic from inside the cluster to the loadbalancers. In such a constellation, traffic may not be sent through the loadbalancer, unless the hostname is set (for older clusters). For newer cluster, the default "IP Mode" used is "Proxy", as that is the least surprising setting. References: - https://kubernetes.io/blog/2023/12/18/kubernetes-1-29-feature-loadbalancer-ip-mode-alpha/ - #15
This is accomplished with two new annotations: - `k8s.cloudscale.ch/loadbalancer-force-hostname` - `k8s.cloudscale.ch/loadbalancer-ip-mode` The former forces a hostname to be reported for loadbalancer ingress, the latter adds support for the new IPMode config available by default on Kubernetes 1.30, and feature-gated on 1.29. This is required for clusters that use the `proxy` or `proxyv2` protocol for any of their loadbalancers, and send traffic from inside the cluster to the loadbalancers. In such a constellation, traffic may not be sent through the loadbalancer, unless the hostname is set (for older clusters). For newer cluster, the default "IP Mode" used is "Proxy", as that is the least surprising setting. References: - https://kubernetes.io/blog/2023/12/18/kubernetes-1-29-feature-loadbalancer-ip-mode-alpha/ - #15
This is accomplished with two new annotations: - `k8s.cloudscale.ch/loadbalancer-force-hostname` - `k8s.cloudscale.ch/loadbalancer-ip-mode` The former forces a hostname to be reported for loadbalancer ingress, the latter adds support for the new IPMode config available by default on Kubernetes 1.30, and feature-gated on 1.29. This is required for clusters that use the `proxy` or `proxyv2` protocol for any of their loadbalancers, and send traffic from inside the cluster to the loadbalancers. In such a constellation, traffic may not be sent through the loadbalancer, unless the hostname is set (for older clusters). For newer cluster, the default "IP Mode" used is "Proxy", as that is the least surprising setting. References: - https://kubernetes.io/blog/2023/12/18/kubernetes-1-29-feature-loadbalancer-ip-mode-alpha/ - #15
This is accomplished with two new annotations: - `k8s.cloudscale.ch/loadbalancer-force-hostname` - `k8s.cloudscale.ch/loadbalancer-ip-mode` The former forces a hostname to be reported for loadbalancer ingress, the latter adds support for the new IPMode config available by default on Kubernetes 1.30, and feature-gated on 1.29. This is required for clusters that use the `proxy` or `proxyv2` protocol for any of their loadbalancers, and send traffic from inside the cluster to the loadbalancers. In such a constellation, traffic may not be sent through the loadbalancer, unless the hostname is set (for older clusters). For newer cluster, the default "IP Mode" used is "Proxy", as that is the least surprising setting. References: - https://kubernetes.io/blog/2023/12/18/kubernetes-1-29-feature-loadbalancer-ip-mode-alpha/ - #15
This is accomplished with two new annotations: - `k8s.cloudscale.ch/loadbalancer-force-hostname` - `k8s.cloudscale.ch/loadbalancer-ip-mode` The former forces a hostname to be reported for loadbalancer ingress, the latter adds support for the new IPMode config available by default on Kubernetes 1.30, and feature-gated on 1.29. This is required for clusters that use the `proxy` or `proxyv2` protocol for any of their loadbalancers, and send traffic from inside the cluster to the loadbalancers. In such a constellation, traffic may not be sent through the loadbalancer, unless the hostname is set (for older clusters). For newer cluster, the default "IP Mode" used is "Proxy", as that is the least surprising setting. References: - https://kubernetes.io/blog/2023/12/18/kubernetes-1-29-feature-loadbalancer-ip-mode-alpha/ - #15
This is accomplished with two new annotations: - `k8s.cloudscale.ch/loadbalancer-force-hostname` - `k8s.cloudscale.ch/loadbalancer-ip-mode` The former forces a hostname to be reported for loadbalancer ingress, the latter adds support for the new IPMode config available by default on Kubernetes 1.30, and feature-gated on 1.29. This is required for clusters that use the `proxy` or `proxyv2` protocol for any of their loadbalancers, and send traffic from inside the cluster to the loadbalancers. In such a constellation, traffic may not be sent through the loadbalancer, unless the hostname is set (for older clusters). For newer cluster, the default "IP Mode" used is "Proxy", as that is the least surprising setting. References: - https://kubernetes.io/blog/2023/12/18/kubernetes-1-29-feature-loadbalancer-ip-mode-alpha/ - #15
This is accomplished with two new annotations: - `k8s.cloudscale.ch/loadbalancer-force-hostname` - `k8s.cloudscale.ch/loadbalancer-ip-mode` The former forces a hostname to be reported for loadbalancer ingress, the latter adds support for the new IPMode config available by default on Kubernetes 1.30, and feature-gated on 1.29. This is required for clusters that use the `proxy` or `proxyv2` protocol for any of their loadbalancers, and send traffic from inside the cluster to the loadbalancers. In such a constellation, traffic may not be sent through the loadbalancer, unless the hostname is set (for older clusters). For newer cluster, the default "IP Mode" used is "Proxy", as that is the least surprising setting. References: - https://kubernetes.io/blog/2023/12/18/kubernetes-1-29-feature-loadbalancer-ip-mode-alpha/ - #15
This is accomplished with two new annotations: - `k8s.cloudscale.ch/loadbalancer-force-hostname` - `k8s.cloudscale.ch/loadbalancer-ip-mode` The former forces a hostname to be reported for loadbalancer ingress, the latter adds support for the new IPMode config available by default on Kubernetes 1.30, and feature-gated on 1.29. This is required for clusters that use the `proxy` or `proxyv2` protocol for any of their loadbalancers, and send traffic from inside the cluster to the loadbalancers. In such a constellation, traffic may not be sent through the loadbalancer, unless the hostname is set (for older clusters). For newer cluster, the default "IP Mode" used is "Proxy", as that is the least surprising setting. References: - https://kubernetes.io/blog/2023/12/18/kubernetes-1-29-feature-loadbalancer-ip-mode-alpha/ - #15
After a bit of a battle with GitHub CI this feature is ready for testing. I created a preview release that you can use on your cluster: For your pre 1.30 clusters, you can now set the following annotation to a hostname that points at the load balancer:
This in turn cause After 1.30, this should not be needed, as the new @megian Can you try this out on your end and get back to me? |
@href Thanks for the fast update. Will try it beginning of next week! |
@href From my point of view this works as expected. After adding the annotation
Cilium doesn't have an cluster internal service endpoint anymore (which it had before):
All the connections to the proxy protocol enabled OpenShift ingress are working now. Many thanks! Not sure on the new |
Thanks for your feedback. @alakae is doing a code review before we make an official release, but we think we should be able to release tomorrow or Wednesday.
According to the release notes it is: Also, in our integration tests, where we ran Vanilla 1.30.4, the See cloudscale-cloud-controller-manager/pkg/internal/integration/service_test.go Lines 675 to 687 in e3b8612
Testing-bugs not-withstanding I think with 1.30 this should just work. |
This is accomplished with two new annotations: - `k8s.cloudscale.ch/loadbalancer-force-hostname` - `k8s.cloudscale.ch/loadbalancer-ip-mode` The former forces a hostname to be reported for loadbalancer ingress, the latter adds support for the new IPMode config available by default on Kubernetes 1.30, and feature-gated on 1.29. This is required for clusters that use the `proxy` or `proxyv2` protocol for any of their loadbalancers, and send traffic from inside the cluster to the loadbalancers. In such a constellation, traffic may not be sent through the loadbalancer, unless the hostname is set (for older clusters). For newer cluster, the default "IP Mode" used is "Proxy", as that is the least surprising setting. References: - https://kubernetes.io/blog/2023/12/18/kubernetes-1-29-feature-loadbalancer-ip-mode-alpha/ - #15
We have released 1.1.0: https://github.com/cloudscale-ch/cloudscale-cloud-controller-manager/releases/tag/1.1.0 Let me know if this solves the problem for you, so we can close this ticket. |
@href Many thanks. Upgraded to the v1.1.0 and it seems to work as expected. |
Nice, thanks for confirming! |
The cloudscale cloud controller does set the IP in the service object status
.status.loadBalancer.ingress.ip
. This causes the Kubernetes cluster is routing the traffic internally. Which is a positive behavior, as it is faster and comes along with less overhead.However this effect causes big headache, if the final system expects something the load balancer adds in between. In this case the proxy protocol. Internal traffic sent to the ingress controller is just invalid, because it will not be encapsulated by the proxy protocol.
This seems to be a long standing issue with Kubernetes. As soon as the IP is known by Kubernetes the internal path get's enabled. A solution is planned, but it will take time until this is stable and available in the production environments.
There is a workaround for example AWS has implemented. Just not set the IP but the hostname.
The text was updated successfully, but these errors were encountered: