-
Notifications
You must be signed in to change notification settings - Fork 38.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GCE Ingress controller (GLBC) should install a firewall rule per Ingress object per cluster #37306
Comments
Re moving firewall logic into the federated controller, you should probably
Both of which are GCP specific, since the on-prem nginx controller and by On Tue, Nov 22, 2016 at 12:13 PM, Madhusudan.C.S notifications@github.com
|
I think that we need to implement the relatively minor fix to bug in the GCE Ingress Controller (GLBC), so that it creates cluster-specific rather than global firewall rule names so that one GLBC does not overwrite the firewall rule created by another GLBC, in another cluster (which is what it erroneously does today). As for the backwards compatibility concern (essentially, how do we cause the old globally named firewall rule to be deleted, eventually, once all cluster's GLBC controllers have been upgraded to the new scheme), I think that we can deal with that through a release note ("please delete this firewall rule when it's no longer required") as having an additional unneeded firewall rule lying around should be benign, and it's deletion can be regarded as a cosmetic cleanup, rather than required. @bprashanth, correct me if I'm missing anything here. I think we can and should avoid moving the cloud-specific firewall management logic from the intentionally cloud specific GLBC to the ideally cloud-agnostic federated ingress controller, for a several reasons:
Q |
Let's please not underestimate this effort. There are production clusters where people are running real stuff. At the very least, it has to go through rigorous upgrade testing. Everything looks conceptually and practically simpler on paper :)
I am not entirely sure what those serious problems are. Could you please elaborate? It is a test fix, a workaround until we get the code working, to give confidence that everything other than the known issues work. |
@madhusudancs You're right, the small GCLB change will need testing. But so equally will the more complex alternative (as if the federation control plane messes up the firewall rules, the clusters will also potentially be bricked). Admittedly the more complex alternative's logic will only be invoked on clusters which join a federation, but those may themselves be production clusters. So I don't think that the risk is significantly less there. Both need good testing. I've added some comments to #37571 |
Other approaches don't need less testing or are relatively easier. Among the alternatives, per-cluster firewall is the relatively the least difficult. But that doesn't mean it is a cake walk. |
Moving to 1.7 as late to happen in 1.6. Feel free to switch back if this is incorrect. |
This was fixed in PRs #41942 and kubernetes/ingress-nginx#278 |
Although this issue is about GLBC which is in its own repo - https://github.com/kubernetes/ingress/commits/master, this affects federation. So filing this issue here.
GLBC uses the UID specified in a ConfigMap in its cluster to construct the names of the GCE L7 load balancer resources it installs. In the multi-cluster Ingress case or the Federated Ingress case, things work as expected for all the resources except the firewall rules. GLBC is conservative about the firewall rules and it exposes only the nodes it is responsible for as the targets clobbering the target list. In the case of Federated Ingress, each GLBC instance running in an underlying cluster in a federation overwrites the targets specified by other instances and this causes GCE L7 load balancer's health checks and backends to flap as described here - #36327.
A workaround is to manually install a firewall rule to expose the targets of all the underlying clusters in a federation for each Federated Ingress object so that the health checks can pass and GCE L7 load balancer is stable. We will document this workaround in v1.5 and fix the issue in v1.6.
The proposed solution is to have each individual GLBC instance install a separate firewall that is responsible for the cluster it is running in. This requires a change in the firewall rule naming scheme. A disadvantage in taking this approach is that, it requires a migration path for the existing firewall rules in the running clusters.
An alternative solution is to have the Federated Ingress Controller program the required firewall rule to allow traffic to all the underlying clusters and a flag to GLBC to disable firewall rule creation. Disadvantages with this approach are:
cc @kubernetes/sig-cluster-federation @nikhiljindal @matchstick @bprashanth
The text was updated successfully, but these errors were encountered: