nodeipam: align eTP=Cluster to kubernetes cloud-providers service lb #31406
fd66434 to 6722a57
Helm-wise this looks good to me, thanks! I'll defer the other bits to the corresponding CODEOWNERs.
I'm not super familiar with node IPAM so I'll leave the review of the behaviour change to others. Doc change looks good overall, although I have minor improvement suggestions on grammar and style (please see inline below).
Thanks!
6722a57 to 57c45de
0adfa10 to ef44b60
Thanks! 💯
Docs look better, thanks! I still have a few suggestions on the new paragraph, but it's just trivial changes.
ef44b60 to d0dfdbb
Thank you!
/test
d0dfdbb to 4d2994d
I rebased to fix the conflict on the helm values and related generated files ~
/test
nodeipam was always looking at the related EndpointSlices of the Service LoadBalancer to decide which nodes should be "advertised". This is a problem when Service LoadBalancers are created with dummy endpoints, which is the case for Cilium Ingress/GatewayAPI for instance.

This commit attempts to replicate a bit more the behavior that a CCM would do to select nodes when eTP=Cluster. In that case we consider all nodes as potential candidates instead of checking where the pods are scheduled via their EndpointSlices.

In the case of eTP=Local, we fall back to the previous behavior of checking the EndpointSlice to know which Nodes are backing your corresponding Service. This is not the behavior done in classic CCM, as eTP local seems to be typically implemented by Cloud providers via a health check mechanism that we currently don't have in nodeipam. And at this very moment it is not planned to be implemented because of the extra complexity. If this gets implemented at some point nodeipam could also align with CCM on the eTP=Local case though.

Also in both eTP=Cluster/Local we will respect KEP-3458, which is becoming stable in Kubernetes 1.30 and dictates how CCM does their first node filtering. The Predicates were extracted as is from the kubernetes/cloud-provider repo where this is normally implemented for CCM.

Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>
Now that nodeipam considers all nodes as potential candidates in the eTP=Cluster case, a way for users to filter nodes becomes way more critical and thus this commit is implementing this.

Co-authored-by: Brendan Dalpe <bdalpe@gmail.com>
Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>
Head branch was pushed to by a user without write access
4d2994d to e3b13d0
Rebased again because the ipsec upgrade job was failing because of this: https://cilium.slack.com/archives/C7PE7V806/p1711615975498649?thread_ts=1711592330.743979&cid=C7PE7V806
/test
This aligns Node IPAM eTP=Cluster with how kubernetes CCM handles service lb node selection, meaning that it will consider all nodes instead of only the nodes where your selected pods are scheduled. As a result of this change nodeipam will be compatible with Cilium Ingress/GatewayAPI by default, which use a dummy endpoint that would fail with the previous behavior. See the first commit description for more details about this.
It also adds the nodeipam.cilium.io/match-node-labels annotation, now that all nodes are selected by default and nodeipam might be less usable if this wasn't added on anything that is not a really small cluster.
Fixes: #31356
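The node selection described in the commit messages above, as an added sketch that is not part of the pull request or Cilium's code. The `Node` and `Service` types, the comma-separated `key=value` selector syntax, and applying the annotation filter in both eTP modes are assumptions made for illustration; the exclusion label and autoscaler taint are the standard Kubernetes ones.

```go
package main

import (
	"fmt"
	"strings"
)

// Node and Service are simplified stand-ins for the Kubernetes objects (assumed types).
type Node struct {
	Name   string
	Labels map[string]string
	Taints map[string]bool // taint keys present on the node
}
type Service struct {
	ETPLocal      bool // externalTrafficPolicy=Local
	Annotations   map[string]string
	EndpointNodes map[string]bool // nodes named in the Service's EndpointSlices
}

const (
	excludeLabel = "node.kubernetes.io/exclude-from-external-load-balancers"
	deleteTaint  = "ToBeDeletedByClusterAutoscaler"
	matchLabels  = "nodeipam.cilium.io/match-node-labels"
)

// matches evaluates a comma-separated key=value list (assumed selector syntax).
func matches(sel string, labels map[string]string) bool {
	for _, req := range strings.Split(sel, ",") {
		k, v, ok := strings.Cut(strings.TrimSpace(req), "=")
		if got, has := labels[k]; sel != "" && (!ok || !has || got != v) {
			return false
		}
	}
	return true
}

// SelectNodes returns the names of the nodes to advertise for svc.
func SelectNodes(svc Service, nodes []Node) (out []string) {
	for _, n := range nodes {
		_, excluded := n.Labels[excludeLabel]
		switch {
		case excluded || n.Taints[deleteTaint]: // first node filter, both eTP modes
		case !matches(svc.Annotations[matchLabels], n.Labels): // user filter (assumed for both modes)
		case svc.ETPLocal && !svc.EndpointNodes[n.Name]: // eTP=Local: endpoint nodes only
		default: // eTP=Cluster: every remaining node is a candidate
			out = append(out, n.Name)
		}
	}
	return out
}
func main() { // constructed sample: a Service with dummy endpoints and eTP=Cluster
	nodes := []Node{{Name: "a"}, {Name: "b", Labels: map[string]string{excludeLabel: ""}}}
	fmt.Println(SelectNodes(Service{}, nodes))
}
```

With eTP=Cluster a Service that has no real endpoints still gets every eligible node, which is why the label filter matters on larger clusters.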