Loadbalancing umbrella issue

[bprashanth]

A non-comprehensive list ordered by an approximation of priority. Mostly for documentation and reducing bus factor:

• Source IP Preservation for external LB services ([Feature] Source IP preservation for Virtual IPs #28647)
• Run ingress controller as static pod on master (Run l7 controller as a static pod on the master #23663)
• Fix beta limitations (gce, nginx)
• Improve e2es (write a single generic E2E for nginx/aws/gce)
• Let different controllers co-exist AKA ingress claims (Allow different ingress controllers to coexist #24393, Ingress claims  #30151)
• Finish other controllers: AWS (AWS Ingress controller kubernetes-retired/contrib#346), Haproxy ([wip] Haproxy ingress kubernetes-retired/contrib#206), F5 (F5 LoadBalancer kubernetes-retired/contrib#12)
• L4 in Ingress - SSL proxy, SNI etc (Ingress and TCP  #23291, HTTPS Ingress controller for SNI based routing #19333, Adding L4 Ingress proposal #25821)
• Health checks - just scrape endpoints for http readiness? (use annotations to redefine health check endpoints kubernetes-retired/contrib#325, b/27217458)
• Cert generation (Ingress controller can generate real certs via letsencrypt client #19899, AWS Feature: CA integration #23482)
• External DNS integration
• Rewrite/redirect rules (lot of context on [ansible] Provide External Access to Cluster Addon Services kubernetes-retired/contrib#679)
• Client Affinity and algorithms (we already do this through annoations)
• Type=LoadBalancer spins up internal lb (Internal proxy/lb #23791)
• DoS protection (DoS protection for ingress #30088)
• Traffic splitting (Traffic splitting through Ingress #25485)
• TLS to backend (More ingress TLS modes #32928)
• Soak tests (LB soak tests #37335)

@kubernetes/goog-cluster

[sputnik13]

created #27294 to address sharing of IPs, hostnames, and other "things" in an Ingress

[pires]

Who's responsible for updating this issue? For instance, the first item in the list is fixed.

[bprashanth]

@pires that's rigth, as is

Let different controllers co-exist

The gce controller will ignore any ingress with the annotation kubernetes.io/ingress.class=gce, I still need to implement that for nginx.

Health checks - just scrape endpoints for http readiness?

Both nginx and gce will scrape your endpoints (the endpoint pods corresponding to the serviceName:servicePort in your Ingress) for an HTTP probe that doesn't require any special http headers or https. If one is found it's used for the health check, otherwise it defaults to "/"

Cert generation

Kube-lego currently only works with the nginx ingress controller, the idea is to get it to work with everything.

Improve e2es (write a single generic E2E for nginx/aws/gce)

A generic cross platform e2e was written: https://github.com/kubernetes/kubernetes/blob/master/test/e2e/ingress.go#L175

E2es could always use improvement though. The next step is to write e2es for nginx and add that to presubmit.

I'll updated it soon there are a couple of points i need to add to the list

[girishkalele]

Adding to this list

#28647 Source IP Preservation for external LB services.

[nvnobelen]

@pires Just tested 1.4-alpha2 for issue #10921/#28467: Does not work in alpha2 as expected (or do I misinterpret the state "closed" here as something is really in the branch):

Log output in an nginx container:

174.6.xx.xx 1 0.000 [12/Aug/2016:21:01:25 +0000]  "GET /favicon.ico HTTP/1.1" 404 199 "http://104.154.234.227/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/51.0.2704.79 Chrome/51.0.2704.79 Safari/537.36" "-" "-"
10.240.0.7 2 0.000 [12/Aug/2016:21:01:25 +0000]  "GET / HTTP/1.1" 200 4 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/51.0.2704.79 Chrome/51.0.2704.79 Safari/537.36" "-" "-"

Source info/bug report in #30531

[bprashanth]

@nvnobelen source ip was never preserved for ingress traffic through services.Type=LoadBalancer. That's what #24145 (comment) is about. For intra cluster traffic through the service vip, you should see the right source ip of the pod in nginx logs, if that doesn't work it's a regression (#27110). If you're using a hostPort pod, you may get source ip, this is a live bug (#29742), but you will get the right source ip in the case that matters most (outside cluster -> node ip:hostport).

[sandys]

@bprashanth is there a bug to preserve source ip for nginx based ingress controllers ? i see lots of bugs in different cases.. but not for nginx ingress.

[pires]

@thockin can we have an owner for this issue?

[ConnorJC3]

Is there an issue for source IP preservation on non-GCE clusters?

[bprashanth]

It needs to be dealt with on a case by case basis (eg #35758)

[thockin]

This issue is sort of a collector, not really actionable. We should probably close it and move info to docs and discrete bugs/FRs.

…

On Wed, Nov 23, 2016 at 12:40 PM, Prashanth B ***@***.***> wrote: It needs to be dealt with on a case by case basis (eg #35758 <#35758>) — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#24145 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFVgVJdJygoSleZzhM0mh4NaHLvHZtQQks5rBKTVgaJpZM4IFpPF> .

[InAnimaTe]

Any updates on this? Has it been merged to docs or discrete bugs?

Additionally, unless I'm reading this wrong, it seems SNI Passthrough (L4 in Ingress) is at least somewhat done.

[pires]

The L4 Ingress proposal was closed due to inactivity. The somewhat done you mention is just a workaround for nginx controller.

[bowei]

I'm going to close this bug in favor the individual pieces that are planned and in progress.

/close