Container Load Balancer - Load Balancer

[georgeedward2000]

What type of PR is this?

/kind feature

What this PR does / why we need it:

The key changes:

• NRP Service Operations - NRP service create/delete and hooking of LB BP to NRP service
• LocationAndNrpServiceBatchUpdater- Programming ServiceDto in NRP
• Location Update API for Inbound scenarios- Programming of LocationDataDto in NRP(offline POD IP population in BP Pool)
• Node Add/Remove to VMSS

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Added the ability to set the type of backend pool to PodIP. 
This action allows the Load balancer attached to the service to route traffic directly to the containers, 
instead of routing to AKS nodes and then AKS node routing it to the PODs hosting the service.

[linux-foundation-easycla]

• ❌ - login: @georgeedward2000 / name: George Edward Nechitoaia . The commit (52d99b1, ec0944d, bdc02d2, 31fbbc7) is not authorized under a signed CLA. Please click here to be authorized. For further assistance with EasyCLA, please submit a support request ticket.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: georgeedward2000
Once this PR has been reviewed and has the lgtm label, please assign feiskyer for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @georgeedward2000. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[nilo19]

Can we move this to the beginning? I don't think we need to count a successful operation here as it is skipped.

[nilo19]

What about externalTrafficPolicy:cluster services?

[kartickmsft]

With CLB, the traffic is directed to the POD that's hosting the service and iptables is not used to choose the POD. So, I think CLB applies to only externalTrafficPolicy:local services.

[nilo19]

Can we check and return an error in this podIP+Local case?

[nilo19]

Do we still need reconcile backend pool in this case? Or the batch updater does everything?

[kartickmsft]

reconcileBackendPoolHosts calls EnsureHostsInPool, which is a NOP for the POD IP type backendpool. NRP adds the backendaddresses in the LB backendpool. Batch processor provides the PODs associated with the service to NRP in UpdateLocations API.

[nilo19]

Where is the batching logic of this updater?

[georgeedward2000]

Difftracker keeps on updating the K8S state with multiple cluster updates (batching). At some point, the batch updater is triggered and uses the Difftracker K8S state as the source of truth for updating NRP

[kartickmsft]

I thought we will update NRP at regular intervals, thus batching the updates. Any specific reason why we can't use the same interface?

[kartickmsft]

I think the batchProcessor runs at periodic intervals and updates the NRP based on the K8 state that's set here.

[kartickmsft]

Need to invoke NRP updateService API to remove ref to LB Backendpool here. reconcileLoadBalancer on line 504 will delete the LB/LB Backendpool resource in NRP and batchProcessor will delete NRP service after removing the reference of service from the Locations.

[georgeedward2000]

So we should call the NRP API directly without queuing it to the batch updater?

[kartickmsft]

Yes. For removing reference of BP from NRP Service. Otherwise, NRP will throw validation error while deleting the LB/LB Backendpool resource.

[kartickmsft]

serviceReconcileLock need not be acquired on line 420 as we have CLB per service. Similar comment applies at other places also where we are acquiring serviceReconcileLock.

[nilo19]

This lock is only acuqired when the service is being deleted.

[kartickmsft]

I see it's acquired in functions like EnsureLoadBalancer, which is used to create/update the LB. Am I missing something?

[kartickmsft]

We throw error and fail if ExternalTrafficPolicy is Cluster with StandardV2LB and POD IP backendpooltype??

[kartickmsft]

NRP service create/service ->LB backendpool ref update could happen in the periodic batch processor.

[kartickmsft]

I think we need to modify getExpectedLBRules to pass empty probe property as we don't separately probe for CLB. This change was present in one of the earlier PRs. Maybe, got missed out in this PR.

[georgeedward2000]

I think you are referring to the changes in this PR: #8218
These will be eventually merged in together.

[kartickmsft]

IMO, no.

[kartickmsft]

I think we could log an event like what's done for backendpool updater and return. Continuing to the next set of operations may lead to NRP validation failures, causing NRP API failures.

[kartickmsft]

We should invoke the UpdateNRPLocations API only if locationRequestDTO has non-empty locations for update.

[kartickmsft]

We are doing a LoadOrStore in the batchProcessor. I think that is the right place (more granular) to enable Informer code path to start updating the k8 state in the DiffTracker.

[kartickmsft]

I think when a service is being deleted, should we get the NRP state of the Locations associated with the service from DiffTracker and update NRP to disassociate a Service from a Location. Not sure if NRP will throw validation failures if some new location is passed based on latest k8 state for which NRP doesn't have the corresponding location -> service association. I think we need to check NRP behavior.

[kartickmsft]

NRP behavior ignores Addresses that are not present in it's KV store. So, existing code changes are fine.

[kartickmsft]

We are deleting from the Map during deletion of LB. I think that's the right place because it will prevent further updates of endpoint-slices(k8 location state) in difftracker of locations for which service association is going to be deleted.

[kartickmsft]

I think better to move this to line 487 to prevent further update of locations/addresses in k8 difftracker state a little early.

[nilo19]

ispodip and usev2lb always show together. can we merge them into a func?

[kartickmsft]

process will be called only from one go routine. So, locking is not needed.

[nilo19]

@georgeedward2000 could you please add a design doc here? This feature has many big changes, and a clear documentation may help code review. Thanks.

[kartickmsft]

CLB(podip based backendpool and SLBv2 SKU) allows multiple LBs(LB per service), helping overcome the limitations for which multi-slb is used. So, I think better to ensure that error is returned when using multi-slb with CLB(podip based backendpool and SLBv2 SKU) in the function reconcileMultipleStandardLoadBalancerConfigurations when CLB is used.

[kartickmsft]

I think beginning of reconcileService is the better place to validate this config.

[kartickmsft]

Since, we are not doing interval based batching updates, I think we should trigger the batchupdater from here.

[kartickmsft]

Since, we are not doing interval based batching updates, I think we should trigger the batchupdater from here.

[kartickmsft]

Same comment as for Add/Update.

[kartickmsft]

This should be removals??
"https://github.com/kubernetes-sigs/cloud-provider-azure/pull/8464/files#:~:text=func%20(dt%20*DiffTracker)%20UpdateNRPLoadBalancers(syncServicesReturnType%20SyncServicesReturnType)%20%7B" takes SyncServicesReturnType, which has Additions and Removals.
Has the DiffTracker API changed or am I missing something?

[kartickmsft]

Maybe, we can mention that add/remove operation is handled via the DiffTracker APIs.

[georgeedward2000]

Design Doc to lift review blockers

Background

The following User stands for human users, or any cluster provisioning tools (e.g., AKS).

This design document describes the user-facing design and workflow of the Standard V2 LoadBalancer - Container Based Backendpool.

Design

1. Current users do not need to take any action, and the ongoing changes will not affect them.

2. New Users must create a Container Based Cluster.

3. Then, they must create a Standard V2 sku Load Balancer

4. After that, no further action is needed, as all networking resources will be automatically provisioned when new pods, LoadBalancer services, and egresses are created.

Workflow

1. Introduces DiffTracker API to keep track of the synchronization between the Kubernetes (K8s) cluster and its NRP resources structure.

2. Introduces LocationAndNRPServiceBatchUpdater as a parallel thread worker used as the main engine for DiffTracker synchronization. It runs continuously, waiting for updates in the cluster on a boolean channel and triggering NRP API requests.

3. All updates within the K8s cluster (regarding pods, services, egresses, etc.) are stored within DiffTracker.

4. After each update, a boolean value of true is sent through the LocationAndNRPServiceBatchUpdater channel.

5. The LocationAndNRPServiceBatchUpdater run method waits to consume booleans from the channel. When a value is consumed, it uses all the updates stored in DiffTracker to update NRP using the NRP API. Eventually, all successful NRP API calls are stored back into DiffTracker to assert the equivalence of the two structures (K8s cluster and Azure).

6. DiffTracker also functions as a batch operations aggregator. When a cluster undergoes multiple rapid updates, DiffTracker's state will continuously be updated. Meanwhile, the LocationAndNRPServiceBatchUpdater, running on a single thread, will consume updates from the channel. As a result, multiple updates can accumulate and be ready to be sent to the NRP in a single batch.

[kartickmsft]

I think this should be within the 384-391 if block. I mean we should trigger update only when the corresponding NRP service has been created or is in the process of being created.

[kartickmsft]

Same comment as for UpdateFunc

[kartickmsft]

Same comment as for UpdateFunc

[k8s-ci-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.