feat: support topology aware hints #9165

Merged
merged 9 commits into from Jan 16, 2023


@tombokombo tombokombo commented Oct 14, 2022

What this PR does / why we need it:

This PR brings support for the topology aware hints service annotation. If the annotation is present on a service and all conditions are met (see safeguards in doc), the ingress controller pod will try to use endpoint slices zone hints.
The feature is enabled with the service annotation service.kubernetes.io/topology-aware-hints: "auto".
Follow up to #8890
Will work only on a non-"scoped" controller deployment. It needs a clusterrole to access the node which is running the controller pod, to extract topology labels. For a scoped deployment, it just prints a warning about inaccessible NODE info and will work as if you don't have a topology-labeled cluster, which means no hints.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • CVE Report (Scanner found CVE and adding report)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation only

Which issue/s this PR fixes

How Has This Been Tested?

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I've read the CONTRIBUTION guide
  • I have added unit and/or e2e tests to cover my changes.
  • All new and existing tests passed.
  • Added Release Notes.

Does my pull request need a release note?

Any user-visible or operator-visible change qualifies for a release note. This could be a:

  • CLI change
  • API change
  • UI change
  • configuration schema change
  • behavioral change
  • change in non-functional attributes such as efficiency or availability, availability of a new platform
  • a warning about a deprecation
  • fix of a previous Known Issue
  • fix of a vulnerability (CVE)

No release notes are required for changes to the following:

  • Tests
  • Build infrastructure
  • Fixes for unreleased bugs

For more tips on writing good release notes, check out the Release Notes Handbook

Support for topology aware hints service annotation, when set to "auto" ingress pod will try to use endpointslices topology hints 

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Oct 14, 2022
@k8s-ci-robot
Contributor

@tombokombo: This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot
Contributor

Hi @tombokombo. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


@k8s-ci-robot k8s-ci-robot added needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-priority size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 14, 2022
Signed-off-by: tombokombo <tombo@sysart.tech>
@tombokombo
Contributor Author

@ElvinEfendi @tao12345666333 could you please take a look? Thx

@tao12345666333
Member

/assign

@jensoncs

@tao12345666333 Do we have any update on the review?

@Sharechat-Taran

any update?

@tombokombo
Contributor Author

@tombokombo We built using the PR but could not get it working, if possible can we connect some time so I could have more clarity?

  1. You have to use cluster role, helm chart rbac.scope: false, check controller logs for warning "Unable to get NODE information:"
  2. service needs to have annotation service.kubernetes.io/topology-aware-hints: "auto"
  3. check endpointslices for hints

     kubectl -n ${namespace} get endpointslices -o yaml

     there must be a hint with zone for every slice endpoint

     ...
         hints:
           forZones:
           - name: some-zone
     ...

How do you know that it's not working? How are you checking active endpoints for your ingress/svc?
Please provide controller logs, there are a few info-level messages which will be very helpful to see what's going on.

@tombokombo
Contributor Author

@tao12345666333 any update?

@abhiroop93

@tombokombo We built using the PR but could not get it working, if possible can we connect some time so I could have more clarity?

  1. You have to use cluster role, helm chart rbac.scope: false, check controller logs for warning "Unable to get NODE information:"
  2. service needs to have annotation service.kubernetes.io/topology-aware-hints: "auto"
  3. check endpointslices for hints

     kubectl -n ${namespace} get endpointslices -o yaml

     there must be a hint with zone for every slice endpoint

     ...
         hints:
           forZones:
           - name: some-zone
     ...

How do you know that it's not working? How are you checking active endpoints for your ingress/svc? Please provide controller logs, there are a few info-level messages which will be very helpful to see what's going on.

@tombokombo
We managed to get it working, it was an issue with GKE Dataplane V2 as it turns out (they do not support topology aware hints). Thanks!

}
}
}
return emptyZone
Contributor

why defining a new var when you can just return empty? I would just do return "" and remove this var declaration

Contributor Author

It's not defined just for one use, it appears here
https://github.com/kubernetes/ingress-nginx/pull/9165/files#diff-e2c540c6da86368f0fa693d5634db0a92e8ef119e5cc2609bd3d24baf6c0fa8aR116
I defined it for better readability, not just comparing against an empty string, but against a variable whose name gives some hint of what is going on.

Contributor Author

Now it has even more usage.

}
}
if useTopologyHints {
klog.V(3).Infof("All endpoint slices has zone hint, using zone %q for Service %q", zoneForHints, svcKey)
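
Review bot: the message passed to klog.V(3).Infof reads "All endpoint slices has zone hint"; with a plural subject it should be "All endpoint slices have zone hints". Because this line is emitted only at verbosity 3, the docs should also say that operators need that log level to confirm hints are in use for a Service.
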
Contributor

you can move this log to after the for, inside the if, and get rid of this additional "if useTopologyHints" just for this logging

Contributor Author

All other possible places are inside loops, it will spam logs depending on count of endpointslices objects.

TypeMeta: metav1.TypeMeta{APIVersion: "v1", Kind: "Node"},
}

node, err := kubeClient.CoreV1().Nodes().Get(context.TODO(), pod.Spec.NodeName, metav1.GetOptions{})
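
Review bot: the kubeClient.CoreV1().Nodes().Get call is given context.TODO(), so the request carries no deadline or cancellation; pass the caller's context or one created with a timeout so a slow API server cannot block this lookup indefinitely. Reading a Node is a cluster-scoped permission, so a short comment above this line stating why the node object is needed would help anyone auditing the controller's RBAC.
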
Contributor

please add a comment here on why we need the Node information now. BTW, is this already part of the clusterrole we use in ingress? can't remember :)

Contributor Author

OK, I will add a comment. Yes, the cluster role is without change and can access nodes.

Contributor Author

done

Contributor

@rikatz rikatz left a comment

/ok-to-test
@tombokombo change seems fine, I just want to add some safeguards.

Thanks

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Dec 12, 2022
Signed-off-by: tombokombo <tombo@sysart.tech>
@k8s-ci-robot k8s-ci-robot added area/docs area/helm Issues or PRs related to helm charts labels Dec 12, 2022
Signed-off-by: tombokombo <tombo@sysart.tech>
@brodin

brodin commented Dec 21, 2022

So much looking forward to this @tombokombo – thanks for taking the time!

Paying a hefty premium today on GCP with all the Inter-Zone Egress when we run multi-zonal clusters.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 27, 2022
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 28, 2022
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 6, 2023
Signed-off-by: tombokombo <tombo@sysart.tech>
Signed-off-by: tombokombo <tombo@sysart.tech>
@tombokombo
Contributor Author

/retest

@rikatz
Contributor

rikatz commented Jan 8, 2023

@tombokombo left some minor comment. Looks good to me, if the helm test fails again we need to check what is going on
/approve
/hold

@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jan 8, 2023
@ElvinEfendi
Member

Thanks for this feature!

Am I reading it right that an ingress-nginx pod in a zone A will never proxy requests to endpoints outside of zone A? Because it seems like kube-proxy can end up proxying to the endpoints outside of its zone: https://kubernetes.io/docs/concepts/services-networking/topology-aware-hints/#implementation-kube-proxy

@tombokombo
Contributor Author

@ElvinEfendi
It depends on the k8s endpoint slices controller: if zone hints are provided, then the ingress-controller pod will build the backends list only from endpoints with that zone. If there are no zone hints, the ingress-controller pod falls back to normal behavior with all endpoints.

Regarding the safeguard, I'm checking if all slices' endpoints have hints; if not, fall back to normal.

Safeguards are mostly implemented on the endpoint slice controller, not kube-proxy, see
1. Insufficient number of endpoints: ...the controller will not assign any hints....
2. Impossible to achieve balanced allocation: ...The controller does not assign hints if it can't get this "expected overload" value below an acceptable threshold for each zone....
3. One or more Nodes has insufficient information: ...the control plane does not set any topology-aware endpoint hints...

So the behaviour should be the same as kube-proxy has.
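
The selection rule described in the comment above (use only endpoints hinted for the pod's zone, and fall back to every endpoint unless all of them carry a hint), sketched as an added example that is not code from this PR or from ingress-nginx. The `Endpoint` and `Slice` types and the `SelectBackends` name are hypothetical simplifications of the EndpointSlice `hints.forZones` field, and the guard against an empty zonal list is this example's own assumption.

```go
package main

import "fmt"

// Endpoint and Slice are hypothetical, simplified stand-ins for the
// discovery.k8s.io/v1 EndpointSlice fields used here (hints.forZones).
type Endpoint struct {
	Address  string
	ForZones []string // empty means the endpoint carries no zone hint
}
type Slice struct{ Endpoints []Endpoint }

// SelectBackends returns the addresses a controller pod in nodeZone would
// proxy to, and whether hints were applied. Hints apply only if the node zone
// is known and every endpoint of every slice has a hint; else all are used.
func SelectBackends(slices []Slice, nodeZone string) ([]string, bool) {
	useHints := nodeZone != "" // scoped deployment: node labels unreadable
	var all, zonal []string
	for _, s := range slices {
		for _, ep := range s.Endpoints {
			all = append(all, ep.Address)
			if len(ep.ForZones) == 0 {
				useHints = false // one unhinted endpoint disables hints
			}
			for _, z := range ep.ForZones {
				if z == nodeZone {
					zonal = append(zonal, ep.Address)
					break
				}
			}
		}
	}
	// Assumption of this example: never return an empty backend list.
	if useHints && len(zonal) > 0 {
		return zonal, true
	}
	return all, false
}

func main() {
	// Constructed sample data, not taken from a real cluster.
	hinted := []Slice{{Endpoints: []Endpoint{
		{Address: "10.0.1.5", ForZones: []string{"zone-a"}},
		{Address: "10.0.2.7", ForZones: []string{"zone-b"}},
	}}}
	partial := append(hinted, Slice{Endpoints: []Endpoint{{Address: "10.0.3.9"}}})
	fmt.Println(SelectBackends(hinted, "zone-a"))  // zone-a endpoint only
	fmt.Println(SelectBackends(partial, "zone-a")) // fallback: all endpoints
	fmt.Println(SelectBackends(hinted, ""))        // no node zone: fallback
}
```
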

@rikatz
Contributor

rikatz commented Jan 16, 2023

/label tide/merge-method-squash
/lgtm
/approve
Let's see how this goes on v1.6 :) thanks!
/hold cancel

@k8s-ci-robot k8s-ci-robot added tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. and removed do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Jan 16, 2023
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 16, 2023
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rikatz, tombokombo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 5b2a947 into kubernetes:main Jan 16, 2023
strongjz pushed a commit to strongjz/ingress-nginx that referenced this pull request Feb 7, 2023
* support topology aware hints

Signed-off-by: tombokombo <tombo@sysart.tech>

* add flag to enable topology and fixes

Signed-off-by: tombokombo <tombo@sysart.tech>

* update readme

Signed-off-by: tombokombo <tombo@sysart.tech>

* add e2e test

Signed-off-by: tombokombo <tombo@sysart.tech>

* isolate topology test

Signed-off-by: tombokombo <tombo@sysart.tech>

* gofmt fix

Signed-off-by: tombokombo <tombo@sysart.tech>

Signed-off-by: tombokombo <tombo@sysart.tech>