Services allow duplicate targetPort #47222
Comments
thockin
added
area/api
|
@thockin just for the purpose of clarity, are you requesting that duplicate targetPorts |
|
I think that should probably be rejected at validation unless we have a
good reason WHY we need that.
…On Thu, Jun 8, 2017 at 11:21 PM, Emmanuel T Odeke ***@***.***> wrote:
@thockin <https://github.com/thockin> just for the purpose of clarity,
are you requesting that duplicate targetPorts
should be rejected or the opposite?
PS: I am new to Kubernetes so please pardon the dumb question :)
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#47222 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AFVgVH6eTLB4Z_QYaAdxrdqqJy_NgVtNks5sCOR6gaJpZM4N07AA>
.
|
|
Aye aye, thanks for the clarificiation! |
|
/assign |
|
@xiangpengzhao: GitHub didn't allow me to assign the following users: xiangpengzhao. Note that only kubernetes members can be assigned. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Automatic merge from submit-queue Validate if service has duplicate targetPort **What this PR does / why we need it**: Validate if a service has dup targetport **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #47222 **Special notes for your reviewer**: /cc @thockin @kubernetes/sig-network-pr-reviews **Release note**: ```release-note NONE ```
|
@thockin what problems did this cause with services? This change broke backwards compatibility for services that depended on this feature. For example, lets take the load balancer service The load balancer here terminates SSL so the backend is always port 80; however, you want to make sure you support both protocols so having the same targetPort here is a valid use case. |
|
This is an interesting (ab)use of Service. Not really what I had in mind - the LB in a Service is generally assumed to be L4. I'll try to dredge up the issues that this was causing. @kubernetes/sig-network-api-reviews |
k8s-ci-robot
added
the
kind/api-change
|
FYI, the AWS in-tree provider does non layer4 things as well. |
|
One issue is that this REQUIRES connection tracking when we otherwise might not need it. Consider two ServicePorts:
Let's say we map both services to a backend on port 8080, but we pass-through the VIP, so the pod sees packets as dest = my-service:8080. We MUST conntrack this VIP because we don't know whether to map the src port to 80 or 443. If service backends have unique TargetPorts, then we wouldn't have this issue. Port rewrites are at worst stateless, and at best can engage direct-return mode (no rewrites). It's worth noting that the PR which fixes this, which is proposed for revert, doesn't quite go far enough. It prevents a Service from using a given number twice and from using a given name twice, but not from using a number and a name that resolves to that number. That is a much trickier (impossible to do statically) proposition. :( Kind of a mess for getting high-perf Service networking. |
|
@thockin was this an issue that came up during performance testing or IRL? |
|
Anyone has a workaround to deal with this? I think there is a lot of people using AWS ELBs on this way |
|
@ese, if your use-case is Ingress, then you can set |
|
This is not an abuse of Service, but a quite common and wide-adopted pattern, especially in the AWS world. |
|
@xiangpengzhao: you can't re-open an issue/PR unless you authored it or you are assigned to it. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@xiangpengzhao: you can't re-open an issue/PR unless you authored it or you are assigned to it. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/reopen |
|
@thockin I suspect we should probably revert the original PR. While I understand it might not have been the intention for Services, if I understand this correctly then it's a breaking change to a v1 API. Can we at least point to any documentation that indicates this was a code bug rather than a supported behavior? |
|
Sentiment on today's sig call was that we should revert the original commit, since it broke lots of users, and then revisit to see if there's another solution. |
|
FYI: the revert PR is #53576. |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
It is possible to express a Service where multiple front-side ports target the same back-side port. This is not very useful and may cause trouble for implementations of Services.
The text was updated successfully, but these errors were encountered: