GCP Cloud Provider: Source IP preservation for Virtual IPs #27
Comments
Does this involve preserving the visibility of the Source IP of the TCP connection that hits Pod which is behind a Service with an external IP address? Similar to what's discussed in kubernetes/kubernetes#10921 ?
Yes, this is exactly that feature, sorry I haven't had time to convert the design proposal from Google doc into Markdown.
@girishkalele great to know. Can I ask a couple of questions for clarification? We're operating Kubernetes for non-HTTP traffic (gRPC, and just plain TCP) on GCE using L3 Load Balancing (Network LB). We direct our L3 LBs to a bunch of Frontend Instances running Ideally, what we'd like is the Frontend Instance Is that roughly what you guys are thinking of doing?
No...what we are planning is to eliminate the double hop by using GCE load balancer health checks. Instances/VMs that host endpoints in that service will respond healthy, and all other instances will respond unhealthy - thus, the GCE LB will split traffic only across nodes that host the service in local pods.
Does that mean that Source IP won't be preserved on non-GCE cloud providers?
Sorry, I should have said "Cloud Load Balancer" instead of GCE. Note:
@girishkalele ok, that makes sense. But that means that the
This is very close to what I am working on for node-local services, in that @girishkalele, how do you plan on plumbing the node's IP through? It can be tricky on some cloud providers, namely AWS. And speaking of AWS, if you talk HTTP and X-Forwarded-For works for you, then you can already get the original source IP through the L7 annotations I implemented: https://github.com/kubernetes/kubernetes.github.io/blob/a135f0a717803b35ec80563768d5abb4b45ac4d1/docs/user-guide/services/index.md#ssl-support-on-aws That said, removing extra hops is a great thing.
Yes, we eliminate the SNAT (and Masquerade rules shouldn't be hit for traffic with external source IPs).
I didn't need to pass the node IP to kube-proxy for this, at least on GCE, none of the iptables rules need it for my purposes - did you have a need for it for the local-service implementation? I see the following note in that user-guide - The AWS LB looks like it will do L7 balancing with source IP transferred to the headers but for generic TCP services it wouldn't work. BTW, does it do websockets and HTTP?
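The mechanism described in the replies above (health checks that only nodes with local endpoints answer, no SNAT on the local path, a drop instead of a forwarding hop when a node has no local pod) is easy to misread from the thread alone. The following is an added, constructed model written for this page, not kube-proxy or GCE code: it takes a small invented cluster (three nodes, pods on two of them) and shows, for the beta "Global" / GA "Cluster" policy and the beta "OnlyLocal" / GA "Local" policy, which nodes the load balancer keeps in rotation and what source address the pod actually observes. Node and pod addresses, the `web` service name and the health-check body shape are all assumptions of the model.

```python
"""Constructed model (not kube-proxy or GCE code) of how an external load
balancer chooses nodes and what source address the pod sees under the two
external-traffic policies discussed in this thread."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    pod_ip: str
    node: str          # node that hosts the pod


@dataclass
class Service:
    name: str
    policy: str        # "Cluster" (beta "Global") or "Local" (beta "OnlyLocal")
    endpoints: list


def local_endpoints(svc: Service, node: str) -> list:
    return [ep for ep in svc.endpoints if ep.node == node]


def healthcheck(svc: Service, node: str) -> tuple:
    """Modelled answer of the per-service health-check port on `node`.

    With policy Local a node reports healthy only when it hosts at least one
    endpoint, so the cloud LB stops sending to the other nodes (those are the
    backends a GKE user sees flagged as UNHEALTHY). With Cluster every node is
    a valid target, so the model reports all endpoints as reachable.
    """
    if svc.policy == "Local":
        n = len(local_endpoints(svc, node))
        return (200 if n else 503), {"service": svc.name, "localEndpoints": n}
    return 200, {"service": svc.name, "localEndpoints": len(svc.endpoints)}


def lb_targets(svc: Service, nodes: list) -> list:
    """Nodes the external LB keeps in rotation after health checking."""
    return [n for n in nodes if healthcheck(svc, n)[0] == 200]


def deliver(svc: Service, node: str, client_ip: str, node_ips: dict, pick: int = 0) -> dict:
    """Outcome of one external packet arriving at `node` (modelled).

    Cluster: kube-proxy may DNAT to any endpoint cluster-wide, and NodePort /
    LB traffic is masqueraded, so the pod sees the node's IP and a remote
    endpoint costs a second hop.
    Local: no masquerade, only local endpoints are eligible, and a node
    without any drops the packet (the "has no local endpoints" rule).
    """
    if svc.policy == "Local":
        local = local_endpoints(svc, node)
        if not local:
            return {"delivered": False, "reason": f"{svc.name} has no local endpoints"}
        ep = local[pick % len(local)]
        return {"delivered": True, "pod": ep.pod_ip,
                "source_seen_by_pod": client_ip, "extra_hop": False}
    ep = svc.endpoints[pick % len(svc.endpoints)]
    return {"delivered": True, "pod": ep.pod_ip,
            "source_seen_by_pod": node_ips[node], "extra_hop": ep.node != node}


# Constructed cluster: three nodes, the service has pods on two of them.
NODE_IPS = {"node-a": "10.128.0.2", "node-b": "10.128.0.3", "node-c": "10.128.0.4"}
ENDPOINTS = [Endpoint("10.4.1.5", "node-a"), Endpoint("10.4.2.9", "node-b")]
CLIENT_IP = "203.0.113.7"   # documentation range, stands in for an internet client

if __name__ == "__main__":
    for policy in ("Cluster", "Local"):
        svc = Service("web", policy, ENDPOINTS)
        print(policy, "LB targets:", lb_targets(svc, list(NODE_IPS)))
        for node in NODE_IPS:
            print("  ", node, deliver(svc, node, CLIENT_IP, NODE_IPS))
```

Running it shows the trade-off the thread is about: under Local the client address survives and the extra hop disappears, at the price of node-c being taken out of rotation and dropping anything that still reaches it; under Cluster every node accepts traffic but the pod only ever sees a node address.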
Please have these discussions on the design proposal. Let's try to keep the

On Mon, Jul 25, 2016 at 10:56 AM, Girish Kalele
Update: Code and docs merged - code activated only with alpha feature-gate flag.
@girishkalele Please add docs PR numbers in the issue description
Automatic merge from submit-queue External Load Balancer Source IP Preservation Proposal Proposal for feature kubernetes/enhancements#27
Ping. Can you add the docs PR to the issue description?
@girishkalele docs PR question is still actual - please, add the links.
CCed kubernetes/docs in the Docs PR and also added to tracking spreadsheet.
@idvoretskyi Could you please copy my previous post onto the top one? I don't yet have the privilege to edit post. Thanks!
@MrHohn thanks!
Quick update on this feature:
I'm now working on updating the existing docs to reference the new first class fields instead of beta annotations.
@MrHohn thanks
I've tried running with NodePort and the OnlyLocal annotation (bare-metal/flannel) but receive no traffic on local pod. When the annotation is applied to the service, packets are not marked for masquerading in iptables but still always dropped by a rule that states "servicexyz has no local endpoints". This is not the case, however - the service does indeed have load endpoints. My guess is that the health-check is failing. Is this likely the case, and if so, what do I need to do in order that the health-check succeeds?
@liggetm Please open an issue for this on the main kubernetes repository.
@cmluciano will do.
@idvoretskyi This feature is complete for 1.8. Is there any more to do with this issue or do we just close it?
This feature was promoted to GA in 1.7 and the release has been shipped. I believe we can close this. /close
Automatic merge from submit-queue (batch tested with PRs 45623, 45241, 45460, 41162)

Promotes Source IP preservation for Virtual IPs from Beta to GA

Fixes #33625. Feature issue: kubernetes/enhancements#27.

Bullet points:
- Declare 2 fields (ExternalTraffic and HealthCheckNodePort) that mirror the ESIPP annotations.
- ESIPP alpha annotations will be ignored.
- Existing ESIPP beta annotations will still be fully supported.
- Allow promoting beta annotations to first class fields or reversely.
- Disallow setting invalid ExternalTraffic and HealthCheckNodePort on services.

Default ExternalTraffic field for nodePort or loadBalancer type service to "Global" if not set.

**Release note**:
```release-note
Promotes Source IP preservation for Virtual IPs to GA.

Two api fields are defined correspondingly:
- Service.Spec.ExternalTrafficPolicy <- 'service.beta.kubernetes.io/external-traffic' annotation.
- Service.Spec.HealthCheckNodePort <- 'service.beta.kubernetes.io/healthcheck-nodeport' annotation.
```
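The GA commit message above lists the promotion rules in bullet form (beta annotations promoted to first-class fields and back, alpha annotations ignored, invalid combinations rejected, a default for NodePort/LoadBalancer services). The following is an added example written for this page, my own code and not the kubernetes/kubernetes change itself, that applies those rules to a Service object as a plain dict. It assumes the GA field values `Cluster` and `Local` correspond to the beta annotation values `Global` and `OnlyLocal`, and the validation it encodes (healthCheckNodePort only with type LoadBalancer and policy Local; externalTrafficPolicy only on NodePort/LoadBalancer) is my reading of the rules, not the exact upstream validation code. The `web` service and its port numbers are constructed input.

```python
"""Constructed example (my code, not the kubernetes/kubernetes change) of the
annotation-to-field promotion and validation rules the GA commit describes.
Assumes GA values "Cluster"/"Local" correspond to beta "Global"/"OnlyLocal";
the validation rules are my reading of the commit, not its exact code."""
import copy

EXTERNAL_TRAFFIC_ANNOTATION = "service.beta.kubernetes.io/external-traffic"
HEALTHCHECK_NODEPORT_ANNOTATION = "service.beta.kubernetes.io/healthcheck-nodeport"
BETA_TO_GA = {"Global": "Cluster", "OnlyLocal": "Local"}
GA_TO_BETA = {v: k for k, v in BETA_TO_GA.items()}
EXTERNAL_TYPES = ("NodePort", "LoadBalancer")


def promote(svc: dict) -> dict:
    """Return a copy of `svc` with spec.externalTrafficPolicy and
    spec.healthCheckNodePort filled from the beta annotations.

    A field already set wins over its annotation; alpha annotations are not
    consulted at all; a NodePort/LoadBalancer service with neither field nor
    annotation defaults to "Cluster" (beta "Global")."""
    out = copy.deepcopy(svc)
    spec = out.setdefault("spec", {})
    ann = out.get("metadata", {}).get("annotations") or {}
    if "externalTrafficPolicy" not in spec and EXTERNAL_TRAFFIC_ANNOTATION in ann:
        beta = ann[EXTERNAL_TRAFFIC_ANNOTATION]
        if beta not in BETA_TO_GA:
            raise ValueError(f"unknown {EXTERNAL_TRAFFIC_ANNOTATION} value {beta!r}")
        spec["externalTrafficPolicy"] = BETA_TO_GA[beta]
    if "healthCheckNodePort" not in spec and HEALTHCHECK_NODEPORT_ANNOTATION in ann:
        spec["healthCheckNodePort"] = int(ann[HEALTHCHECK_NODEPORT_ANNOTATION])
    if spec.get("type") in EXTERNAL_TYPES and "externalTrafficPolicy" not in spec:
        spec["externalTrafficPolicy"] = "Cluster"
    return out


def demote(svc: dict) -> dict:
    """Reverse direction: mirror the first-class fields back into the beta
    annotations so clients that still read annotations keep working."""
    out = copy.deepcopy(svc)
    spec = out.get("spec", {})
    ann = out.setdefault("metadata", {}).setdefault("annotations", {})
    if "externalTrafficPolicy" in spec:
        ann[EXTERNAL_TRAFFIC_ANNOTATION] = GA_TO_BETA[spec["externalTrafficPolicy"]]
    if "healthCheckNodePort" in spec:
        ann[HEALTHCHECK_NODEPORT_ANNOTATION] = str(spec["healthCheckNodePort"])
    return out


def validate(svc: dict) -> list:
    """Admission-style checks; an empty list means the object is acceptable."""
    errors = []
    spec = svc.get("spec", {})
    svc_type = spec.get("type", "ClusterIP")
    policy = spec.get("externalTrafficPolicy")
    hc_port = spec.get("healthCheckNodePort")
    if policy is not None:
        if policy not in GA_TO_BETA:
            errors.append(f"externalTrafficPolicy: unsupported value {policy!r}")
        if svc_type not in EXTERNAL_TYPES:
            errors.append("externalTrafficPolicy: only valid for NodePort or LoadBalancer services")
    if hc_port is not None:
        if svc_type != "LoadBalancer" or policy != "Local":
            errors.append("healthCheckNodePort: requires type LoadBalancer and externalTrafficPolicy Local")
        if not isinstance(hc_port, int) or not 1 <= hc_port <= 65535:
            errors.append(f"healthCheckNodePort: {hc_port!r} is not a valid port")
    return errors


# Constructed input: a LoadBalancer service still carrying the beta annotations.
LEGACY_SERVICE = {
    "metadata": {"name": "web", "annotations": {
        EXTERNAL_TRAFFIC_ANNOTATION: "OnlyLocal",
        HEALTHCHECK_NODEPORT_ANNOTATION: "30123"}},
    "spec": {"type": "LoadBalancer", "ports": [{"port": 80}]},
}

if __name__ == "__main__":
    promoted = promote(LEGACY_SERVICE)
    print(promoted["spec"], validate(promoted))
```

Point the `validate` function at an object that sets `healthCheckNodePort` on a NodePort service, or that keeps `externalTrafficPolicy` on a ClusterIP service, and it returns the rejection the commit's "disallow invalid" bullet refers to; `promote` and `demote` together show the "or reversely" bullet.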
I've noticed that on GKE running a NodePort service + Ingress that this feature causes the backend to be marked as "UNHEALTHY" when I inspect the ingress with
@unclewizard Is your
@chy168 Yep - here is a simple way to reproduce: Follow the instructions here: https://cloud.google.com/container-engine/docs/tutorials/http-balancer but when you get to Step 2, use the following yaml to create the nginx service:
After you create the Ingress service in Step 3, wait about 10 minutes and then do a
If you visit the Ingress address you'll see that the page loads fine. I suspect the UNHEALTHY message doesn't actually matter but I wanted to make sure this is expected.
@unclewizard That is expected. When Though backend service could contain multiple backends, the
Sorry for spamming, please ignore what I said on previous post. I need some sleep :(
* Fixing minor issues in Static provisioning and gRPC * Adding Graduation Criteria