IPVS does not RR with hostPort on service's POD and running on the same node #60688
Comments
|
@kubernetes/sig-network-bugs |
k8s-ci-robot
added
the
sig/network
|
@CallMeFoxie: Reiterating the mentions to trigger a notification: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/area ipvs |
|
Actually I can use any svcIP from kube-ipvs0 iface and the port 4041 and it will always end up on the local hostPort :) It looks like the kube-ipvs0 is working like |
|
Thanks for the thorough research. |
|
It is probably related to this iptables rule being created: (ignore different IP) |
|
@CallMeFoxie Is this rule created by CNI?
That's true, we would suggest service address don't have the same port with hostport. We will try to figure out how to fix this problem, but gonna need some time. |
|
Yeah you may be right, it may be created by Calico :) It's mostly legacy reasons, we're removing hostports, but I am sure others will run into it as well |
|
@CallMeFoxie #62718 suppose to fix this issue. |
|
Thanks! Will test when it gets pulled into a release :) |
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Fix problem that ipvs can't work with hostPort **What this PR does / why we need it**: Make ipvs proxy mode can work with pods that have hostPort. **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes #61938 #60688 and #60305 are related too. **Special notes for your reviewer**: IPVS proxier will create dummy device named `kube-ipvs0`, which will maintain all ipvs virtual service address. That means all ipvs maintained clusterIP/externalIP/ingress will be treat as local address. Then if we have a pod with hostPort, cni will attach this rule to `PREROUTING` chain: ``` KUBE-HOSTPORTS all -- 0.0.0.0/0 0.0.0.0/0 /* kube hostport portals */ ADDRTYPE match dst-type LOCAL ``` so if a service have same port with pod's hostport, then this service can't be access. In this pr, we added `ACCESS` rule for traffic that aim to ipvs virtual service, to prevent those traffic from be blocked by other rules. **Release note**: ```release-note NONE ```
|
/close Please check the HEAD. |
Is this a BUG REPORT or FEATURE REQUEST?:
/kind bug
(I think? Or at least possibly undocumented -- I couldn't find any docs about it -- feature?)
** Kube-Proxy IPVS mode only **
What happened:
If you have let's say a Service which is targetting port
4041on a set of pods that export this port not just as containerPort but also as hostPort,and now one of these pods runs on a node from where you're trying to reach the service (either the host or any pod on it) it will always target the local POD rather than run the normal RR in IPVS. Does not happen with Iptables backend.
note how the AcctConn/InAcctConn is 0 no matter how long you keep CURLing that service.
When you move the pod off the node it will be RRing just fine. just as well when you remove the hostPort.
I wonder if it is related to this:
in combination with the hostPort marking the packet for local delivery rather than going through the IPVS machinery?
Also it might be the cause of #60305 issue quite possibly.
What you expected to happen:
RR even when the pod is running locally.
How to reproduce it (as minimally and precisely as possible):
Set up a pod on a node with hostPort, run a service on top of it and do a request on the service via svcIP, it will always target the local node without RR.
Environment:
kubectl version): 1.9.3uname -a): debian latest stableCheers
Ashley
/sig networking
The text was updated successfully, but these errors were encountered: