[Request] Ability to set "--service-node-port-range" flag in kube-api-server #3052

Closed
felipejfc opened this issue Jul 25, 2017 · 4 comments

Comments

@felipejfc
Contributor

I have a kube use case where I need to create a lot of services and because of that, the default pool of ~2700 service ports is not enough for me...

I think that it would be very valuable if I could specify a bigger pool in kops.

Regards

@felipejfc
Contributor Author

Also, it would be nice if someone could tell us here the biggest range we can set while staying safe.

@robinpercy
Contributor

@felipejfc I've just submitted a PR for this. Unfortunately, I don't have any great advice on how large you can safely set the range. Obviously, you can allocate up to port 65535, but you'll want to experiment to see how really large pools work with your specific workloads.

k8s-github-robot pushed a commit that referenced this issue Sep 15, 2017
Automatic merge from submit-queue

Added ability to set --service-node-port-range

Addresses: #3052 and #3326 

From what I can tell, `--service-node-port-range` has been a valid option forever, so I haven't worried about k8s versions.

@justinsb @chrislovecnm let me know if any changes are required.
@justinsb
Member

justinsb commented Sep 15, 2017

You want to avoid the ephemeral port range aka local port range which ranges from 32768 - 65535 (see e.g. https://www.cyberciti.biz/tips/linux-increase-outgoing-network-sockets-range.html). You can reconfigure this range e.g. 40000 - 65535, in theory, but I don't know that anyone has tested it.

On reducing the lower bound, as long as you avoid any ports that have services listening (e.g. 443, 22) you should be fine.

The reason you want to avoid these is because we allocate NodePorts centrally, and we can't check that they are not in use on every node. For outgoing ports that would be almost impossible anyway, given how quickly they change. We figured the administrator could determine whether they had any services listening on ports < 30000 that needed to be avoided (and note these would be services running on the nodes, or on pods with hostNetwork, not just ordinary pods).

IIRC we try to open a local port anyway before mapping the NodePort, so it won't be catastrophic, except that traffic won't flow to colliding ports on those nodes.

TLDR: Not sure how many ports you need, but you can probably make sure you're running anything listening on port 20000-30000 and take that whole range.

And if you do find services listening, or you need more ports, or want to share the use case, please do post back! And just post back to let us know what you find!
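
The per-node check described in the comment above, as an added example that is not part of the original thread or of kops: it tests a proposed `--service-node-port-range` value against a node's ephemeral (local) port range and its listening TCP ports. The function names and the sample data are assumptions made for illustration; on a real node the two inputs would be read from `/proc/sys/net/ipv4/ip_local_port_range` and `/proc/net/tcp`.

```python
"""Check a proposed --service-node-port-range against one node's state."""

# Constructed sample data, in the formats of
# /proc/sys/net/ipv4/ip_local_port_range and /proc/net/tcp.
SAMPLE_LOCAL_RANGE = "32768\t60999\n"
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0100007F:61A8 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003
   3: 0A000005:9C40 0A000009:01BB 01 00000000:00000000 00:00000000 00000000     0        0 1004
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def parse_range(text):
    """Parse 'lo-hi' (flag syntax) or 'lo hi' (sysctl syntax) into a tuple."""
    lo, hi = (int(p) for p in text.replace("-", " ").split())
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port range: {text!r}")
    return lo, hi


def listening_ports(proc_net_tcp):
    """Return the set of local ports in LISTEN state."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) > 3 and fields[3] == TCP_LISTEN:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # hex port
    return ports


def check_node_port_range(flag_value, local_range_text, proc_net_tcp):
    """Return (ephemeral_overlap, colliding_listeners) for a proposed range."""
    lo, hi = parse_range(flag_value)
    eph_lo, eph_hi = parse_range(local_range_text)
    o_lo, o_hi = max(lo, eph_lo), min(hi, eph_hi)
    overlap = (o_lo, o_hi) if o_lo <= o_hi else None
    collisions = sorted(p for p in listening_ports(proc_net_tcp) if lo <= p <= hi)
    return overlap, collisions


if __name__ == "__main__":
    for proposed in ("30000-32767", "20000-32767", "30000-40000"):
        print(proposed, check_node_port_range(
            proposed, SAMPLE_LOCAL_RANGE, SAMPLE_PROC_NET_TCP))
```

Because NodePorts are allocated centrally, the check has to be repeated on every node, and this sketch only covers IPv4 TCP listeners.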

@chrislovecnm
Contributor

Closing
