-
Notifications
You must be signed in to change notification settings - Fork 38.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kube-proxy: We should be able to override bind addresses for healthz and metrics #108737
Comments
/sig network |
this has been discussed so many times that I honestly lost track current status, there was one time all the flags were going to be deprecated 😄 IIRC kubernetes/enhancements#2158 (comment) current situation is kube-proxy config take precedence over flags |
Ok but here it's not only "precedence" since even if the bind addresses are not defined in the config, the flags are still ignored. |
if the addresses are not defined, they are defaulted ... so they are always "defined" if not by the user, they are by the kube-proxy itself kubernetes/pkg/proxy/apis/proxyconfig/v1alpha1/defaults.go Lines 35 to 46 in 5c8c1f4
yeah, I remember someone reporting this problem too but I think he found a way to solve it, let me try to find the issue ... I agree that this flag/config situation is problematic, but if you read the discussion I linked there are trade offs in all solutions |
Yes sure but to me, those default should come after flags.
A way to solve it, to me something is doable by using an init container that will basically write the kube proxy config but it's sad to need that kind of approach just to set the bind addresses. I agree that it does not necessarily make sense to provide flags for all config args, but it makes sense to provide some flags for instance specific stuff, like bind addresses. |
Or settings the bind address to 0.0.0.0 in the configuration
The problem I see here is that flags allow to use dynamic values automatically, and configuration does not, that leaves us with only one choice as you are saying. @neolit123 is there a simple way to have configuration customized by node using the downward API? |
It's not a solution to me, I do not want to expose metrics on all IPs. TBH I really don't get why we would keep |
yeah, I was trying to provide a workaround meanwhile we sort out the other problem :) |
IIUC this is a problem only if kube proxy is run as a Daemonset. If you are managing it in other ways e.g. systemd you could pass a unique config to separete instances. The OP already has a good attempt at using the downward api. You could also try creating and mounting N config maps that have node specific suffixes in their names. But this sort of defeats the DS purpose. Apparently both kube proxy and kube scheduler made the decision to have config override the flags. This is especially bad given k8s components do not have a clear instance vs global config story. Flags overriding config has been the interim solution for kubelet. But if kube proxy is DS managed the instance specific "fix" using flags is a no-go. |
Ok fine but then how do we manage instance-specific args ? And why are we still able to use the flag for |
IIRC some kube proxy flags were overriding config and some didn't, but i don't know the details. |
It's really sad 😞 |
will bring this topic for today's sig-network meeting https://docs.google.com/document/d/1_w77-zG_Xj0zYvEMfQZTQ-wPP4kXkpGD8smVtW_qqWM/edit , let's see what is the general opinion |
Cool 👍 thank you @aojea |
/triage accepted |
/assign dcbw |
The short story here is "nobody got around to doing something reasonable here". The component-standardization process fizzled out and nobody stepped up to help drive it. Ithink the choices are, in preference order:
When we choose to bind to a port we get all the local interface addresses and intersect that with the set of addresses in this flag, and listen on all of those. We would need a "multi-listen" abstraction and good tests. But then you could say
|
@thockin what about moving those fields from |
would that allow flags to override? |
it will allow to differentiate when users want the field to be defaulted, see #104624 for reference, so they can "force" the configuration option to be "" However, looking at the code, this seems to solve THIS problem but doesn't seem to solve the general problem and we can end in a more inconsistent situation that we have now if we keep adding exceptions kubernetes/cmd/kube-proxy/app/server.go Lines 226 to 236 in 9d18c76
Is there any history about referencing Downward API from configuration files?, that will solve the issue without having to use flags
|
downward API may require the thing to be up and running before they can be resolved, so that seems like a bad idea to me. |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
@aojea is there any direction on this issue? If so, I'd like to contribute if possible. |
kube-proxy config vs flags is an existing problem #98302 , that we actually hit recently #119864 We can not change behaviors, so some configurations that were working until now can not stop behaving differently or we'll create a lot of confusion and break the compatibility of these configs. The main problem with the configuration is that is defaulted, I think that override is out scope at this point, but I think that someone proposed some time ago, but I can not find it, that we merge the flags and the passed config options, with the configuration taking precedence to keeps backwards compatibility, and then default after that ... @thockin @danwinship do you remember who proposed that? maybe it was Tim? I think that can be a valid solution |
I think I have paged out all the context on this - it needs a fresh look. Personally, I feel like flags should probably win, but I don't know what other components do. Better would be errors in case of conflicting values, but defaults do make it weird. |
@VigneshSP94 the direction is to do some archaeology to understand all the historical context, I threw some links there, summarize it and make a proposal as KEP on how to implement the kube-proxy config and flags and its behaviors in a backwards compatible way ... it is a considerable amount of work, my advice, before the KEP you may create a google doc to socialize your idea and receive early feedback, you can share it in the sig-network mailing list |
The config file is The new format could either be identical to (I don't think we're ready to jump to |
What happened?
When we use config for kube-proxy we cannot override the bind addresses for healthz and metrics.
What did you expect to happen?
I expect the kube-proxy CLI argument to override the value from the configuration file.
How can we reproduce it (as minimally and precisely as possible)?
A typical use case is, I want to expose the kube-proxy metrics only on the host IP, then I want to use the following pod template:
But today it does not work kube-proxy will just ignore the
healthz-bind-address
andmetrics-bind-address
argumentsAnything else we need to know?
No response
Kubernetes version
Cloud provider
OS version
Install tools
Container runtime (CRI) and version (if applicable)
Related plugins (CNI, CSI, ...) and versions (if applicable)
The text was updated successfully, but these errors were encountered: