Use http/2 for localhost webhook #122558
Use http/2 for localhost webhook #122558
Conversation
k8s-ci-robot
added
size/S
k8s-ci-robot
added
area/apiserver
sig/api-machinery
| @@ -142,7 +143,9 @@ func (cm *ClientManager) HookClient(cc ClientConfig) (*rest.RESTClient, error) { | |||
| // Use http/1.1 instead of http/2. | |||
| // This is a workaround for http/2-enabled clients not load-balancing concurrent requests to multiple backends. | |||
| // See https://issue.k8s.io/75791 for details. | |||
| cfg.NextProtos = []string{"http/1.1"} | |||
| if isLocalHost(cc.URL) { | |||
There was a problem hiding this comment.
Both service and URL-based versions go through this code path. We also are already parsing the URL below.
This would be clearer as a forceHTTP1 := true which we only set to false after parsing u, err := url.Parse(cc.URL) below and checking the hostname there for localhost / loopback
There was a problem hiding this comment.
I think @aojea was suggesting moving the NextProtos assignment down below to where we had already parsed the URL (do it unconditionally in the service branch, and conditionally in the URL branch)
There was a problem hiding this comment.
I don't feel this is simpler since we still need to change it in two places.
There was a problem hiding this comment.
I may be missing something, why do we have such large diff? do we need to breaking it down in func (cm *ClientManager) hookClientConfig(cc ClientConfig) (*rest.Config, error) {
There was a problem hiding this comment.
I may be missing something, why do we have such large diff?
it was due to bringing several dependencies. I removed them since your suggestion doesn't need them.
do we need to breaking it down in func (cm *ClientManager) hookClientConfig(cc ClientConfig) (*rest.Config, error) {
yes, this refactoring would facilitate writing the unit test linxiulei@612c36d#diff-0afdfbb98099d9c00bfb801579318a05e3f226eb384d50561cef6886e7631046R1
|
this definitely needs a test and a release note |
linxiulei
force-pushed
the
webhook-http2
branch
from
6a282a0
to
ad492e1
Compare
k8s-ci-robot
added
release-note
linxiulei
force-pushed
the
webhook-http2
branch
from
ad492e1
to
08ec05b
Compare
k8s-ci-robot
added
size/M
linxiulei
force-pushed
the
webhook-http2
branch
from
08ec05b
to
9e6ec01
Compare
k8s-ci-robot
added
size/L
linxiulei
force-pushed
the
webhook-http2
branch
from
9e6ec01
to
768a3f3
Compare
linxiulei
force-pushed
the
webhook-http2
branch
from
bb3d8cb
to
6b39041
Compare
k8s-ci-robot
removed
the
needs-rebase
I took a hacky approach to mock the dns for resolving |
test/integration/apiserver/admissionwebhook/load_balance_test.go
Outdated
Show resolved
Hide resolved
| if forceHTTP1 { | ||
| cfg.NextProtos = []string{"http/1.1"} | ||
| } |
There was a problem hiding this comment.
oh, I see, for me is easier to read the code top down, and not have to remember that something is going to mutate it later ... it is also less fragile
There was a problem hiding this comment.
I don't have strong preference on either way. But changed as you suggested.
linxiulei
force-pushed
the
webhook-http2
branch
from
6b39041
to
08a7b2b
Compare
test/integration/apiserver/admissionwebhook/load_balance_test.go
Outdated
Show resolved
Hide resolved
linxiulei
force-pushed
the
webhook-http2
branch
from
08a7b2b
to
612c36d
Compare
k8s-ci-robot
added
size/XL
linxiulei
force-pushed
the
webhook-http2
branch
from
612c36d
to
f798519
Compare
|
some comment lefts but overall LGTM, I think we can assume http2 is prefered for localhost webhooks is relatively safe , as Services will not have a ClusterIP that has a localhost address, and webhooks that are listening on localhost are not supposed to require loadbalancing. |
linxiulei
force-pushed
the
webhook-http2
branch
from
f798519
to
4bcca1a
Compare
Signed-off-by: Eric Lin <exlin@google.com>
linxiulei
force-pushed
the
webhook-http2
branch
from
4bcca1a
to
246e69f
Compare
|
/lgtm Thanks |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 5f986a1a4a11a8620b08a2fa8f4f3e7f632c401d
|
| @@ -58,154 +65,191 @@ func TestWebhookLoadBalance(t *testing.T) { | |||
| t.Fatalf("Failed to build cert with error: %+v", err) | |||
There was a problem hiding this comment.
if I recall correctly, we had issues with this test flaking when it was first introduced. Did you run it a bunch of times in a row to check that this reworked version is stable?
There was a problem hiding this comment.
You mean tls.X509KeyPair() here or the whole test, which I'd guess the connection count is not always predictable.
Anyway, I ran more than a dozen times in a row and no failures.
There was a problem hiding this comment.
sorry, the whole test, just had to pick a random line to comment on
There was a problem hiding this comment.
FTR, @aojea suggested stress following https://gist.github.com/liggitt/6a3a2217fa5f846b52519acfc0ffece0#running-integration-tests-to-reproduce-flakes
stress ./admissionwebhook.test -test.run TestWebhookLoadBalance
5s: 0 runs so far, 0 failures
10s: 0 runs so far, 0 failures
15s: 0 runs so far, 0 failures
20s: 0 runs so far, 0 failures
25s: 0 runs so far, 0 failures
30s: 0 runs so far, 0 failures
35s: 3 runs so far, 0 failures
40s: 11 runs so far, 0 failures
45s: 16 runs so far, 0 failures
50s: 16 runs so far, 0 failures
55s: 16 runs so far, 0 failures
1m0s: 16 runs so far, 0 failures
1m5s: 20 runs so far, 0 failures
1m10s: 24 runs so far, 0 failures
1m15s: 31 runs so far, 0 failures
1m20s: 32 runs so far, 0 failures
1m25s: 32 runs so far, 0 failures
1m30s: 32 runs so far, 0 failures
1m35s: 36 runs so far, 0 failures
1m40s: 41 runs so far, 0 failures
1m45s: 46 runs so far, 0 failures
1m50s: 48 runs so far, 0 failures
1m55s: 48 runs so far, 0 failures
2m0s: 48 runs so far, 0 failures
2m5s: 48 runs so far, 0 failures
2m10s: 48 runs so far, 0 failures
2m15s: 50 runs so far, 0 failures
2m20s: 53 runs so far, 0 failures
2m25s: 57 runs so far, 0 failures
2m30s: 60 runs so far, 0 failures
2m35s: 63 runs so far, 0 failures
2m40s: 64 runs so far, 0 failures
2m45s: 64 runs so far, 0 failures
2m50s: 67 runs so far, 0 failures
2m55s: 71 runs so far, 0 failures
3m0s: 75 runs so far, 0 failures
3m5s: 78 runs so far, 0 failures
3m10s: 80 runs so far, 0 failures
3m15s: 80 runs so far, 0 failures
3m20s: 82 runs so far, 0 failures
3m25s: 84 runs so far, 0 failures
3m30s: 89 runs so far, 0 failures
3m35s: 92 runs so far, 0 failures
3m40s: 95 runs so far, 0 failures
3m45s: 96 runs so far, 0 failures
3m50s: 98 runs so far, 0 failures
3m55s: 99 runs so far, 0 failures
4m0s: 104 runs so far, 0 failures
4m5s: 108 runs so far, 0 failures
4m10s: 110 runs so far, 0 failures
4m15s: 112 runs so far, 0 failures
|
change lgtm, one question about making sure the updated integration test is non-flaky |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aojea, liggitt, linxiulei The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
Changelog suggestion -The apiserver uses http/2 to communicate with admission webhooks specified with an `URL` of localhost or loopback IP addresses.
+Changed the API server so that for admission webhooks that have a URL matching the hostname
+`localhost`, or a loopback IP address, the connection supports HTTP/2 where it can be negotiated.I presume that other webhooks, eg authz webhooks, use the legacy behavior. Have I got that right? |
|
Changelog changed as suggested.
I don't think this PR touched clients for other webhooks (i.e. only for clients of validating and mutating webhooks). But others might be more knowledgable than me. |
What type of PR is this?
/kind bug
What this PR does / why we need it:
Previously we changed to http1 because of #82090. However, the fixed issue shouldn't affect cases where the webhook services are hosted in the same host but the fix did affect performance with using http1.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?