Add HNS Load Balancer Healthchecks for ExternalTrafficPolicy: Local #99287
b4e8c9b to 98a3948
/sig windows
/retest
@madhanrm @elweb9858 PTAL.
pkg/proxy/winkernel/proxier.go
Outdated
if gceGatewayEndpoint != nil { | ||
hnsHealthCheckLoadBalancer, err := hns.getLoadBalancer( | ||
[]endpointsInfo{*gceGatewayEndpoint}, | ||
loadBalancerFlags{isDSR: svcInfo.preserveDIP || proxier.isDSR, useMUX: svcInfo.preserveDIP, preserveDIP: svcInfo.preserveDIP}, |
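Review bot: in the loadBalancerFlags literal passed to hns.getLoadBalancer for hnsHealthCheckLoadBalancer, isDSR, useMUX and preserveDIP are all derived from svcInfo.preserveDIP, with no comment saying why the service's setting should govern the health-check load balancer. Add a short comment above the call stating which flags the health-check path needs, and put one field per line so that the difference between isDSR (svcInfo.preserveDIP || proxier.isDSR) and the other two fields is visible at a glance.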
Should the flags here be synced with the flags above?
Actually I am not sure what this annotation means here: `preserveDIP := service.Annotations["preserve-destination"] == "true"`, they are copied over.
The rest is not necessarily synced, because the only targeting client is GCLB health check, the requirement for the service itself doesn't apply to health check.
4a102df to 2857436
/approve
Thanks everyone for all the help for this PR. Finally almost there. Special thanks for the original author of this PR @jeremyje
When can we merge this PR?
/lgtm
Agree it's fine -> Let's merge and keep an eye out
Double checking that you got the earlier note: we should make sure our externalTrafficPolicy.... tests are covering stuff like this somehow, eventually, on the sig-win side
I am not exactly familiar with the test setup but I'll check it out. If the test runs on GCE, then we can enable the option there. Existing e2e service test should be able to catch it.
/hold cancel
The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass. This bot retests PRs for certain kubernetes repos according to the following rules:
You can:
/retest
/retest
This change adds 2 options for windows:

--forward-healthcheck-vip: If true forward service VIP for health check port
--root-hnsendpoint-name: The name of the hns endpoint name for root namespace attached to l2bridge, default is cbr0

When --forward-healthcheck-vip is set as true and winkernel is used, kube-proxy will add an hns load balancer to forward health check request that was sent to lb_vip:healthcheck_port to the node_ip:healthcheck_port. Without this forwarding, the health check from google load balancer will fail, and it will stop forwarding traffic to the windows node.

This change fixes the following 2 cases for service:

- `externalTrafficPolicy: Cluster` (default option): healthcheck_port is 10256 for all services. Without this fix, all traffic won't be directly forwarded to windows node. It will always go through a linux node and get forwarded to windows from there.
- `externalTrafficPolicy: Local`: different healthcheck_port for each service that is configured as local. Without this fix, this feature won't work on windows node at all. This feature preserves client ip that tries to connect to their application running in windows pod.

Change-Id: If4513e72900101ef70d86b91155e56a1f8c79719
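The forwarding described in the commit message above, as an added Go model that is not kube-proxy's code: it works out which lb_vip:healthcheck_port to node_ip:healthcheck_port forwards one node needs for both traffic policies, and which services would still fail the load balancer's health check. The `Service` and `ForwardRule` types, the `PlanHealthCheckForwards` helper and the sample addresses are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Service is a constructed model type, not a kube-proxy struct.
type Service struct {
	Name, LBVIP         string
	Local               bool // externalTrafficPolicy: Local
	HealthCheckNodePort int  // per-service port, used only when Local
}
// ForwardRule maps lb_vip:healthcheck_port to node_ip:healthcheck_port.
type ForwardRule struct{ Frontend, Backend string }
const clusterHealthCheckPort = 10256 // value given in the commit message

// PlanHealthCheckForwards (hypothetical helper) lists the forwards one node
// needs, sorted and deduplicated, and names services it cannot cover.
func PlanHealthCheckForwards(svcs []Service, nodeIP string, forwardVIP bool) (rules []ForwardRule, skipped []string) {
	if !forwardVIP { // --forward-healthcheck-vip not set: nothing is forwarded
		return nil, nil
	}
	seen := map[ForwardRule]bool{}
	for _, s := range svcs {
		port := clusterHealthCheckPort
		if s.Local {
			port = s.HealthCheckNodePort
		}
		if s.LBVIP == "" || port < 1 || port > 65535 {
			skipped = append(skipped, s.Name) // health check would fail here
			continue
		}
		r := ForwardRule{fmt.Sprintf("%s:%d", s.LBVIP, port), fmt.Sprintf("%s:%d", nodeIP, port)}
		if !seen[r] {
			seen[r] = true
			rules = append(rules, r)
		}
	}
	sort.Slice(rules, func(i, j int) bool { return rules[i].Frontend < rules[j].Frontend })
	return rules, skipped
}

func main() {
	rules, skipped := PlanHealthCheckForwards([]Service{ // constructed sample input
		{Name: "web", LBVIP: "203.0.113.10", Local: true, HealthCheckNodePort: 31234},
		{Name: "api", LBVIP: "203.0.113.11"},
	}, "10.0.0.5", true)
	fmt.Println(rules, skipped)
}
```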
Fixed
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: anfernee, aojea, ibabou, jayunit100, thockin
The full list of commands accepted by this bot can be found here.
The pull request process is described here
This PR requires LGTM again @jayunit100 @jsturtevant
/lgtm
/retest
What type of PR is this?
/kind bug
What this PR does / why we need it:
In GCE, the current `externalTrafficPolicy: Local` logic does not work because the nodes that run the pods do not set up load balancer ports. This means that the GCLB does not understand which nodes are serving the pods that can accept traffic. Since all report unhealthy it'll direct traffic to any node. This PR configures the health check ports so that GCLB knows which nodes can handle the traffic. See #62046 for details.
This work is based on #96998
Which issue(s) this PR fixes:
Fixes #62046
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
`externalTrafficPolicy: local` works on Windows hosts with DSR support.