Add HNS Load Balancer Healthchecks for ExternalTrafficPolicy: Local #99287
Conversation
k8s-ci-robot
added
size/L
anfernee
force-pushed
the
clientip
branch
2 times, most recently
from
b4e8c9b
to
98a3948
Compare
k8s-ci-robot
added
area/provider/gcp
|
/sig windows |
k8s-ci-robot
added
sig/windows
|
/retest |
|
@madhanrm @elweb9858 PTAL. |
pkg/proxy/winkernel/proxier.go
Outdated
| if gceGatewayEndpoint != nil { | ||
| hnsHealthCheckLoadBalancer, err := hns.getLoadBalancer( | ||
| []endpointsInfo{*gceGatewayEndpoint}, | ||
| loadBalancerFlags{isDSR: svcInfo.preserveDIP || proxier.isDSR, useMUX: svcInfo.preserveDIP, preserveDIP: svcInfo.preserveDIP}, |
There was a problem hiding this comment.
Should the flags here be synced with the flags above?
There was a problem hiding this comment.
Actually I am not sure what this annotation means here: preserveDIP := service.Annotations["preserve-destination"] == "true", they are copied over.
The rest is not necessarily synced, because the only targeting client is GCLB health check, the requirement for the service itself doesn't apply to health check.
k8s-ci-robot
added
the
needs-rebase
anfernee
force-pushed
the
clientip
branch
2 times, most recently
from
4a102df
to
2857436
Compare
k8s-ci-robot
removed
the
needs-rebase
|
/approve |
k8s-ci-robot
added
the
approved
|
Thanks everyone for all the help for this PR. Finally almost there. Special thanks for the original author of this PR @jeremyje |
|
When can we merge this PR? |
|
/lgtm |
|
Agree it's fine -> Let's merge and keep an eye out |
|
Double checking that you got the earlier note: we should make sure our externalTrafficPolicy.... tests are covering stuff like this somehow, eventually, on the sig-win side |
I am not exactly familiar with the test setup but I'll check it out. If the test runs on GCE, then we can enable the option there. Existing e2e service test should be able to catch it. |
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass. This bot retests PRs for certain kubernetes repos according to the following rules:
You can:
/retest |
|
/retest |
|
The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass. This bot retests PRs for certain kubernetes repos according to the following rules:
You can:
/retest |
1 similar comment
|
The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass. This bot retests PRs for certain kubernetes repos according to the following rules:
You can:
/retest |
This change adds 2 options for windows: --forward-healthcheck-vip: If true forward service VIP for health check port --root-hnsendpoint-name: The name of the hns endpoint name for root namespace attached to l2bridge, default is cbr0 When --forward-healthcheck-vip is set as true and winkernel is used, kube-proxy will add an hns load balancer to forward health check request that was sent to lb_vip:healthcheck_port to the node_ip:healthcheck_port. Without this forwarding, the health check from google load balancer will fail, and it will stop forwarding traffic to the windows node. This change fixes the following 2 cases for service: - `externalTrafficPolicy: Cluster` (default option): healthcheck_port is 10256 for all services. Without this fix, all traffic won't be directly forwarded to windows node. It will always go through a linux node and get forwarded to windows from there. - `externalTrafficPolicy: Local`: different healthcheck_port for each service that is configured as local. Without this fix, this feature won't work on windows node at all. This feature preserves client ip that tries to connect to their application running in windows pod. Change-Id: If4513e72900101ef70d86b91155e56a1f8c79719
k8s-ci-robot
removed
the
lgtm
|
Fixed |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: anfernee, aojea, ibabou, jayunit100, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
area/code-generation
sig/api-machinery
|
This PR requires LGTM again @jayunit100 @jsturtevant |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/retest |
What type of PR is this?
/kind bug
What this PR does / why we need it:
In GCE, the current
externalTrafficPolicy: Locallogic does not work because the nodes that run the pods do not setup load balancer ports. This means that the GCLB does not understand which nodes are serving the pods that can accept traffic. Since all report unhealthy it'll direct traffic to any node. This PR configures the health check ports so that GCLB knows which nodes can handle the traffic.See #62046 for details.
This work is based on #96998
Which issue(s) this PR fixes:
Fixes #62046
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
externalTrafficPolicy: localworks on Windows hosts with DSR support.Release Note