KEP-1645: Add specification for multi-network scenario #3045
Conversation
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
cncf-cla: no
|
Welcome @aattuluri! |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @aattuluri. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
size/M
k8s-ci-robot
added
the
sig/multicluster
|
/assign @lauralorenz |
|
/assign aattuluri |
kikisdeliveryservice
changed the title
k8s-ci-robot
added
cncf-cla: yes
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
k8s-ci-robot
added
size/L
keps/sig-multicluster/1645-multi-cluster-services-api/README.md
Outdated
Show resolved
Hide resolved
k8s-ci-robot
removed
the
size/L
| @@ -260,6 +262,12 @@ nitty-gritty. | |||
| The cluster name should be consistent for the life of a cluster and its | |||
| membership in the clusterset. Implementations should treat name mutation as | |||
| a delete of the membership followed by recreation with the new name. | |||
| - **cluster network** - An identifier for the cluster network. Each cluster can have an optional name that can identify the network its running in. The network name must be a valid [RFC | |||
There was a problem hiding this comment.
This makes an implicit assumption that egress network connectivity is mapped via identifiers to figure if given traffic needs to go through a proxy or is a direct connection. Has it been considered whether or not to express that specifically (e.g. the API is focused on "this traffic is proxied" vs saying "we have labeled our networks and this labeling implicitly implies that there is some proxying". The second statement assumes more about the environment and imposes a specific naming, labeling mechanism.
There was a problem hiding this comment.
Yes, will reword this to more generic after the right name is chosen in favor of network
k8s-ci-robot
added
the
needs-rebase
There was a problem hiding this comment.
Coming back to this - do we really need this to enable multi-net MCS? It seems like this may be prematurely standardizing. In some cases MCS implementations won't need this - they will have (or have access to) enough information via other channels. Are there actually implementations that are likely to need such metadata AND which can't get it some other way (e.g. interrogating the cloud provider)?
How will such implementations learn the addresses of the ingress and egress gateways?
k8s-ci-robot
removed
the
needs-rebase
Right now the implementations use different mechanisms (for example Istio uses `topology.istio.io/network annotation on a control plane namespace). This spec is an attempt to standardize how a network can be determined for MCS purposes (that can have other use cases as well) before there are several different implementations of the same and then later we standardize this with a spec that would require these implementations to be rewritten or render them non-compliant. |
| @@ -672,6 +680,12 @@ endpoints: | |||
| The `ServiceImport.Spec.IP` (VIP) can be used to access this service from within | |||
| this cluster. | |||
|
|
|||
|
|
|||
| #### Multi-network scenario | |||
| One or more clusters in a ClusterSet can be running on a discrete network (a non-flat network). An MCS controller can use the `network.k8s.io` `ClusterProperty` to determine if a cluster in a `ClusterSet` is running on a discrete network. Note that the endpoints of the `EndpointSlice` for a cluster on discrete network may only be representative of the pods backing the multi-cluster service and not the real pod addresses. | |||
There was a problem hiding this comment.
Note that the endpoints of the
EndpointSlicefor a cluster on discrete network may only be representative of the pods backing the multi-cluster service
How does the MCS controller know how to populate the endpoint slices with the appropriate endpoints? Does it use the ClusterProperty's network value? Or is that a network name that can signal to the MCS controller to use some mapping of endpoints that exists $somewhere?
Some common API here may be useful, ie: an annotation on either the ServiceImport, or the ServiceExport would allow for different services to leverage different services (may be for some QOS isolation reasons).
The annotation could target an Ingress endpoint, public hostname, IP address, or in-cluster service.
proxy.mcs.k8s.io: <prox-url>
I understand that the MCS controller implementation is not part of the multi cluster API, but it is at the very least useful to think of a full end to end solution to ensure the API is robust.
|
Hi all, just getting up to speed on this KEP so apologies for any misunderstandings, and thanks for all the work put in so far! Is my understanding correct that the gist of this KEP is identifying whether or not specific clusters are part of the same network, but does not solve the issue of how to route to clusters on a different network? |
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
removed
the
needs-rebase
Sorry for the delay, yes, this one is to identify if a cluster is on a different network. The routing is left to the implementation. |
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
removed
the
needs-rebase
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: aattuluri, thockin The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
aattuluri
changed the title
k8s-ci-robot
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close |
|
@k8s-triage-robot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Refer to this draft for more details.