Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

change health-check port to listen to node port addresses #104742

Merged
merged 2 commits into from Sep 13, 2021
Merged

change health-check port to listen to node port addresses #104742

merged 2 commits into from Sep 13, 2021

Conversation

khenidak
Copy link
Contributor

@khenidak khenidak commented Sep 2, 2021
edited

What type of PR is this?

/kind bug

What this PR does / why we need it:

kube-proxy health check ports used to listen to :<port> for each of the services. This is not needed and opens ports in addresses the cluster user may not have intended. The PR limits listening to all node address which are controlled by --nodeport-addresses flag.

Which issue(s) this PR fixes:

Fixes #103184

Special notes for your reviewer:

WIP don't review yet.

Does this PR introduce a user-facing change?

kube-proxy health check ports used to listen to :<port> for each of the services. This is not needed and opens ports in addresses the cluster user may not have intended. The PR limits listening to all node address which are controlled by `--nodeport-addresses` flag. if no addresses are provided then we default to existing behavior by listening to :<port> for each service

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

/sig network
/hold

@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. sig/network Categorizes an issue or PR as relevant to SIG Network. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Sep 2, 2021
@k8s-ci-robot
Copy link
Contributor

@khenidak: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-priority Indicates a PR lacks a `priority/foo` label and requires one. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Sep 2, 2021
@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 2, 2021
@aojea
Copy link
Member

aojea commented Sep 5, 2021

the unit test failing seems related

    healthcheck_test.go:154: expected 1 open port, got 0
        (sets.String) {
        }
    healthcheck_test.go:157: expected port :9376 to be open
        (sets.String) {
        }
panic: interface conversion: healthcheck.httpServer is nil, not *healthcheck.fakeHTTPServer [recovered]
	panic: interface conversion: healthcheck.httpServer is nil, not *healthcheck.fakeHTTPServer

@aojea
Copy link
Member

aojea commented Sep 5, 2021

I think this should be aligned to current logic

kubernetes/pkg/proxy/iptables/proxier.go

Lines 996 to 1000 in eb72962

localAddrSet := utilproxy.GetLocalAddrSet()
nodeAddresses, err := utilproxy.GetNodeAddresses(proxier.nodePortAddresses, proxier.networkInterfacer)
if err != nil {
klog.ErrorS(err, "Failed to get node ip address matching nodeport cidrs, services with nodeport may not work as intended", "CIDRs", proxier.nodePortAddresses)
}

@khenidak
Copy link
Contributor Author

khenidak commented Sep 7, 2021

Yes. I kept that one failing until i clean up the old code. The current commits are the change i want to make. But i am not happy with unit testing coverage so i am keeping the wip tag on until i figure out a way to cover selective addresses

@khenidak khenidak changed the title WIP: change health-check port to listen to node port addresses change health-check port to listen to node port addresses Sep 9, 2021
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 9, 2021
@khenidak
Copy link
Contributor Author

khenidak commented Sep 9, 2021

@danwinship @aojea -- Can you help reviewing this? (it is ready now)

@khenidak
Copy link
Contributor Author

khenidak commented Sep 9, 2021

/test pull-kubernetes-unit

1 similar comment
@khenidak
Copy link
Contributor Author

khenidak commented Sep 9, 2021

/test pull-kubernetes-unit

@danwinship
Copy link
Contributor

This is not needed and opens ports in addresses the cluster user may not have indented

"intended" 🙂
(in the release note text)

danwinship
danwinship reviewed Sep 10, 2021
View reviewed changes
Copy link
Contributor

@danwinship danwinship left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mostly looks good

pkg/proxy/healthcheck/healthcheck_test.go Outdated Show resolved Hide resolved
pkg/proxy/healthcheck/service_health.go Outdated Show resolved Hide resolved
@khenidak khenidak mentioned this pull request Sep 10, 2021
Merged
@khenidak
Copy link
Contributor Author

/test pull-kubernetes-e2e-gci-gce-ipvs

@danwinship
Copy link
Contributor

/lgtm
but not un-holding it since I'm not sure if there was some other reason for that

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 13, 2021
@khenidak
Copy link
Contributor Author

The hold is to get as many eyes as possible on it. One can argue it is a behavior change so i am not sure how to deal with this one. There is no api change, just behavior change. Do we need anything more than release notes?

@thockin ?

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 13, 2021
thockin
thockin reviewed Sep 13, 2021
View reviewed changes
Copy link
Member

@thockin thockin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems OK to me, but I wonder if there are use-cases we're missing. I guess we'll find out. I expected to see map[types.NamespacedName][]*hcInstance but this works, too :)

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 13, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: khenidak, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@khenidak
Copy link
Contributor Author

/unhold

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 13, 2021
@k8s-ci-robot k8s-ci-robot merged commit 648559b into kubernetes:master Sep 13, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.23 milestone Sep 13, 2021
@khenidak khenidak deleted the health-check-port branch September 13, 2021 22:52
@vitaliy-sn vitaliy-sn mentioned this pull request Feb 2, 2023
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danwinship danwinship danwinship left review comments

@thockin thockin thockin left review comments

@aojea aojea aojea left review comments

@m1093782566 m1093782566 Awaiting requested review from m1093782566

Assignees

@danwinship danwinship

@thockin thockin

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/ipvs cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/network Categorizes an issue or PR as relevant to SIG Network. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.23
Development

Successfully merging this pull request may close these issues.

healthCheckNodePort in service object cannot listen on specific ip address
5 participants
@khenidak @k8s-ci-robot @aojea @danwinship @thockin