Make Kubernetes aware of the LoadBalancer behaviour

[Sh4d1]

First draft of KEP to allow an option to change kube proxy behaviour regarding the LoadBalancer IPs

Signed-off-by: Patrik Cyvoct [email protected]

[k8s-ci-robot]

Welcome @Sh4d1!

It looks like this is your first PR to kubernetes/enhancements 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/enhancements has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @Sh4d1. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Sh4d1]

/assign @caseydavenport

[jcodybaker]

I'm an engineer with DigitalOcean (called out in the KEP's motivation section), and added some clarification in comments on the motivation.

[jcodybaker]

One additional motivation:

Load-balancers which set status.loadBalancer.ingress[*].hostname instead of setting status.loadBalancer.ingress[*].ip don't exhibit this kube-proxy behavior. Because iptables/ipvs don't support rules based upon potentially dynamic hostnames, they leave the traffic untouched.

DigitalOcean has used this behavioral difference as a workaround the issue for customers who want to hairpin traffic through the LB (for example to get the ProxyProtocol headers appended). But it's hacky, and we much prefer the idea of addressing this functionality as the KEP proposes.

[Sh4d1]

Yep AWS does the same! Forgot to add it 😅

[Sh4d1]

@caseydavenport @thockin the first draft looks good to me

[Sh4d1]

@thockin any updates on this?

[sftim]

/ok-to-test

[MorrisLaw]

Great work! I've found some typos. I've crossed out and highlighted my suggestions to hopefully make it easier to make the changes. LGTM after you go through the comments 👍

[Sh4d1]

Thanks for the review @MorrisLaw 😄 I think it's all resolved!

[Sh4d1]

@thockin any updates? I have a working code that seems to work 😄 Just need to choose the right naming!

[Sh4d1]

KEP is updated with a bit more detail. Not sure what else I can add, open to suggestions 😄

If this were a flag on kube-proxy, I would encourage (for example) GKE to set
the flag correctly and configure nodes to not do this bypass (or to only do it
sometimes).

Devil's advocate: If we are adding a flag to kube-proxy, why not just make that the ONLY mechanism?

As stated at the end of the KEP, it works for managed solutions. If a user uses a self hosted cluster with a cloud's CCM, he then needs to be aware of the LB behaviour and act accordingly. That's why I tend to prefer the cloud controller manager solution.
That said, in fact an additional flag to kube proxy (maybe not in the scope of this kep though?) might be useful as well.

[thockin]

I am OK with this - @uablrek can you say whether this speaks to your need?

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Sh4d1, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/sig-network/OWNERS [thockin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[andrewsykim]

@Sh4d1 can you squash your commits please?

[Sh4d1]

@andrewrynhard squashed!

[andrewrynhard]

@andrewsykim ^ 🙂

[Sh4d1]

Oh 🙄 totally sorry for that HL 😅

[MorrisLaw]

This should fit DigitalOcean's use case, lgtm 👍

[MorrisLaw]

/lgtm

[thockin]

@tgraf You might want to track this, since you have a kube-proxy replacement.