AWS: support node port health check #43585
Conversation
if a custom health check is set from the beta annotation on a service it should be used for the ELB health check. This patch adds support for that.
k8s-ci-robot
added
the
cncf-cla: yes
|
Hi @foolusion. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-github-robot
added
size/M
|
This change is |
|
@k8s-bot ok to test |
|
@justinsb can you please take a look |
|
Can you describe what you're trying to archive @foolusion ? I think this annotation was intended for use with ESIPP - so it's actually probably good to get it in. But @thockin can you comment on whether we should be supporting this annotation separately from ESIPP, and who is looking after this? I'll comment on a potential code refactoring directly on the code :-) (Edit: Or is this in fact all that is needed to support ESIPP on AWS?) |
| return nil, fmt.Errorf("Failed to ensure health check for localized service %v on node port %v: %v", loadBalancerName, healthCheckNodePort, err) | ||
| } | ||
| } else { | ||
| glog.V(4).Infof("service %v does not need health checks", apiService.Name) |
There was a problem hiding this comment.
Probably better to say "does not need custom health checks" or "uses default health checks" or similar
|
|
||
| expectedTarget := "HTTP:" + strconv.FormatInt(int64(port), 10) + path | ||
|
|
||
| if expectedTarget == orEmpty(actual.Target) && |
There was a problem hiding this comment.
AFAICT from this point on the two health-check configuration functions are the same (there's a lot of overlap earlier also!) Can we combine the two tails here into a single function? Maybe even just have one function, and build the expected healthCheck in EnsureLoadBalancer ?
|
I'm currently using this to eliminate additional hops when using a load balancer in AWS. Currently the ELB only checks if it can make a connection to the service but this would allow more sophisticated health reporting. |
I changed the function signature to contain protocol, port, and path. When the service has a health check path and port set it will create an HTTP health check that corresponds to the port and path. If those are not set it will create a standard TCP health check on the first port from the listeners that is not nil. As far as I know, there is no way to tell if a Health Check should be HTTP vs HTTPS.
|
@justinsb I've combined those two methods and updated the log output. The main change is moving the logic for TCP health check into the aws.go EnsureLoadBalacner method and changing the function signature of ensureLoadBalancerHealthCheck. Please take another look. |
|
We are very interested in this feature. Is there anything we can do to help get this merged? |
|
… On Fri, May 26, 2017 at 3:02 PM, Emmanuel Gomez ***@***.***> wrote:
We () are very interested in this feature. Is there anything we can do to
help get this merged?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#43585 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AFVgVDCy37Kew5A32uonzxvOPB1Vehm3ks5r90wKgaJpZM4MnTZZ>
.
|
|
I should add that I (used to) work with @foolusion and that I believe he won't be available to speak up for this PR any further (he's off on other, wonderful, adventures). So I'm roughly proposing that I, @dhawal55, @SleepyBrett and @mariusgrigoriu carry this PR forward in his stead (all coworkers of foolusion's, till recently). |
|
@emmanuel This is great, I'd happy to see folks are extending the OnlyLocal feature (kubernetes/enhancements#27) to AWS :) |
|
To better clarify current status of ESIPP (External Source IP Preservation):
I'm not sure how would AWS LB behave when forwarding traffic onto nodes (preserving source IP or not). But only for preventing the second hop, I think having the health check properly set up on LB would be sufficient. |
|
I'm still partially available (when i have wifi), just in GMT timezone now. Let me know if you need me to make any further changes. |
|
Just to be clear. ESIPP is what Google called it, because that was the
customer demand. It doesn't preserve IP for ELB because ELB never carried
the client IP in the first place (except in PROXY headers, which kube-proxy
does not deal with).
Only local is still useful, but it's not ESIPP.
And yes, we really do need it to work on other platforms. Fragmentation
bad.
…On May 27, 2017 12:05 AM, "Zihong Zheng" ***@***.***> wrote:
To better clarify current status of ESIPP (External Source IP
Preservation):
- ESIPP is going to GA in v1.7 - #41162
<#41162>.
- The beta annotations (service.beta.kubernetes.io/external-traffic
and service.beta.kubernetes.io/healthcheck-nodeport) have been
promoted as first class fields (Service.Spec.ExternalTrafficPolicy and
Service.Spec.HealthCheckNodePort).
- For now this feature is only supported on GCE.
I'm not sure how would AWS LB behave when forwarding traffic onto nodes
(preserving traffic or not). But only for preventing the second hop, I
think having the health check properly set up on LB would be sufficient.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#43585 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AFVgVKUFHNQ-kSis9SW8vdF4O82f6Sarks5r98s0gaJpZM4MnTZZ>
.
|
|
ESIPP sounds lovely and we'd be delighted to have it. That said, we're on AWS and (simply) eliminating the extra hop would be welcome. We're aquainted with |
|
Got it! This sounds great, and now that it is a field my concerns about using the esipp annotations seem misplaced. /lgtm Thanks also for the code changes! |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: foolusion, justinsb
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
justinsb
changed the title
justinsb
added
release-note
|
@k8s-bot pull-kubernetes-e2e-kops-aws test this |
|
Automatic merge from submit-queue |
|
What is reasonable to hope for as far as a release of this change? Is this on track to land in 1.7.0? How about a backport to 1.6.x? |
|
Also, while I'm asking questions... how does this work (w/r/t kube-proxy)? Are NodePort services' iptables rules set up to forward to a host-local pod? If not, how does this eliminate the extra hop? |
|
@emmanuel The beta local only annotation on the service or feature external traffic local only https://github.com/kubernetes/kubernetes/blob/master/pkg/proxy/iptables/proxier.go#L193 |
This is on track for 1.7.0 (code freeze will be on Thursday).
Exactly, kube-proxy sets up rules to forward relevant traffic to host-local pods only. More details could be found on this proposal. |
|
With the recent announcement of “Network Load Balancers” on AWS (L4 with source IP/port preservation: https://aws.amazon.com/blogs/aws/new-network-load-balancer-effortless-scaling-to-millions-of-requests-per-second/), true ESIPP is in reach on AWS. In other news, I believe that this PR can be closed, as this code shipped in 1.7.0. |
What this PR does / why we need it:
if a custom health check is set from the beta annotation on a service it
should be used for the ELB health check. This patch adds support for
that.
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged): fixes #Special notes for your reviewer:
Let me know if any tests need to be added.
Release note: