Masters should not be excluded from service load balancers

[ljani]

Is this a BUG REPORT or FEATURE REQUEST?:
/kind bug

What happened:
I'm running a single node cluster on AWS EC2, ie. scheduling work on the master as well. Now that I tried to add an ELB for my service, the EC2 instance is not associated with the ELB. The ELB gets created but there are 0 EC2 instances associated with it. I'm using ELB for SSL termination, if you wonder why I'd like to load balance a single node cluster.

The service controller logs this message:

I0628 17:54:48.853175       1 event.go:221] Event(v1.ObjectReference{Kind:"Service", Namespace:"default", Name:"nginx", UID:"59980933-7afc-11e8-9a8c-0621b993d602", APIVersion:"v1", ResourceVersion:"2052", FieldPath:""}): type: 'Warning' reason: 'UnAvailableLoadBalancer' There are no available nodes for LoadBalancer service default/nginx

What you expected to happen:
The EC2 instance is associated with the ELB.

How to reproduce it (as minimally and precisely as possible):

• Boot an EC2 instance with correct IAM permissions
• Install a single node cluster using kubeadm and cloud-provider=aws
• Untaint the node
• Schedule eg. nginx
• Create an external load balancer for nginx
• View the ELB in AWS console and note the Status: 0 of 0 instances in service

Anything else we need to know?:
The reason for this seems to be the node-role.kubernetes.io/master label. This blocks associating a load balancer with the node. On the other hand this changed what is included, because includeNodeFromNodeList did not check if a node is a master. I'm not sure what would be correct fix. I could try submit a PR, if you guide me how this should behave. Is my scenario even a supported one?

I think this bug should be reproducible on other clouds as well.

Environment:

• Kubernetes version (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.0", GitCommit:"91e7b4fd31fcd3d5f436da26c980becec37ceefe", GitTreeState:"clean", BuildDate:"2018-06-27T20:17:28Z", GoVersion:"go1.10.2", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.0", GitCommit:"91e7b4fd31fcd3d5f436da26c980becec37ceefe", GitTreeState:"clean", BuildDate:"2018-06-27T20:08:34Z", GoVersion:"go1.10.2", Compiler:"gc", Platform:"linux/amd64"}

• Cloud provider or hardware configuration: AWS
• OS (e.g. from /etc/os-release):

PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

• Kernel (e.g. uname -a):

Linux ip-x.eu-central-1.compute.internal 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64 GNU/Linux

• Install tools: kubeadm

[ljani]

#33884 has area/nodecontroller, so I think the correct sig is @kubernetes/sig-node-bugs.

[k8s-ci-robot]

@ljani: Reiterating the mentions to trigger a notification:
@kubernetes/sig-node-bugs

In response to this:

#33884 has area/nodecontroller, so I think the correct sig is @kubernetes/sig-node-bugs.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jhorwit2]

@ljani This is by design, load balancers do not include master nodes in the available pool of backend servers. You should remove the node-role.kubernetes.io/master label from your node and ensure it's schedulable & ready in order for it to be a backend. (exact filter logic lives here)

I'm going to close this issue as it's not a bug. If you would like to see the ability to use masters as available backends for LB's then please create another ticket with a feature request.

/close

[ljani]

@jhorwit2 Thanks for the response. So, it's okay to remove the node-role.kubernetes.io/master label even if there's only one node in the cluster? Are there any drawbacks? I was a bit wary of that, because I thought each cluster would need at least one master and you should only remove the NoSchedule taint from it. The kubeadm guide only refers to removing the taint from the master and not the label itself, but yeah, the guide is for a single master cluster, so it would be a little contradictory.

Searching for masterless does not really yield any related results.

Anyhow, if that's a supported scenario, then I'm very happy with it. Otherwise I should open the ticket.

[jhorwit2]

It all depends on how the cluster is setup and if they depend on the labels or not. Single node clusters will probably always have some quirks.

[ljani]

I've been following the Creating a single master cluster with kubeadm guide and thus I'm using kubeadm. I'll try and see how it goes.

[jhorwit2]

The docs are probably incorrect when it comes to this because it wasn't tested. They should be updated.

/reopen
/remove-sig node
/sig cluster-lifecycle

[k8s-ci-robot]

@jhorwit2: Those labels are not set on the issue: sig/node

In response to this:

The docs are probably incorrect when it comes to this because it wasn't tested. They should be updated.

/reopen
/remove-sig node
/sig cluster-lifecycle

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[neolit123]

please, mind that kubeadm documentation will desist from adding cloud provider specific documentation in the future, but instead link to external resources.

/cc @kubernetes/sig-cluster-lifecycle-bugs
/cc @kubernetes/sig-cloud-provider-bugs

[smarterclayton]

My comment in the other issue:

I'm not sure this is correct as we run more things on the master. If I have a service that I want to expose like an API proxy, an aggregated API server that wants its own LB, or a not quite control plane but not quite end user workload. We shouldn't bias towards the master (I.e. a lot of node port services for regular workloads should bypass the master), but this PR as it stands prevents using service load balancers with services that run on masters, which limits options like self hosting and use.

Now that node load balancing is more nuanced (with health checking endpoints), do we even need this? Masters should not be marked as healthy when pods aren't run on them, which means no traffic would go to masters?

I think excluding masters from service load balancer is a bug and needs a more nuanced design. I'm going to bump priority here because I've got users trying to run pods on masters that have service LB on them that can't use service LB.

[smarterclayton]

Changing title to be more accurate.

[smarterclayton]

I think the correct fix here was the service LB health check support for targeting the serving pool to nodes that hold the pod, and now that we have that we don't need this hack.

[andrewsykim]

To be clear, this would only apply for Services with externalTrafficPolicy: Local right? Is it okay to assume that users will always use "Local" for this case?

[andrewsykim]

I'm sure we could add logic in service controller to include master if externalTrafficPolicy == Local, exclude otherwise but that doesn't seem like an elegant solution 🤔

[smarterclayton]

For masters, it seems likely. I mean, in general I expect externalTrafficPolicy: Local to be the correct setting for the vast majority of LB services - is there a reason I would not want that policy in general use?

[andrewsykim]

In general I would agree that LBs would use externalTrafficPolicy: Local. One example where I wouldn't' though is if I have a service that needs to ingress traffic both from an LB and from another service in the same cluster. In that case, I would consider using externalTrafficPolicy: Cluster in which case I may not want the master to be in the pool of LB backends. Though to be fair this may be a rare case not worth looking into.

[jhorwit2]

@smarterclayton this should perhaps be merged with #65013

The service controller today does some filtering based on masters in interesting ways. Historically it seems that masters were marked unschedulable to be excluded from lb services. Then once labels for roles became popular that got added as well.

[jhorwit2]

I'm sure we could add logic in service controller to include master if externalTrafficPolicy == Local, exclude otherwise but that doesn't seem like an elegant solution thinking

This gets a little hacky with how backends are updated today. We would need to keep track of two different backend sets while updating each service.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

[fejta-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

[k8s-ci-robot]

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[wking]

This was addressed via kubernetes/enhancements#1144 (see here) and #90126.