Document the workaround for the Federated Ingress flapping healthchecks problem. #1772
install the firewall rules manually to expose the targets of all the | ||
underlying clusters in your federation for each Federated Ingress | ||
object so that the health checks can pass and GCE L7 load balancer | ||
is stable. This can be done using the `gcloud` command line tool as follows: |
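Review bot: the paragraph tells the reader to create the rules "manually" for every Federated Ingress and all underlying clusters, but says nothing about keeping them current. Suggest adding one sentence that the rule must be updated whenever a cluster joins or leaves the federation or a backing service's NodePort changes, and deleted together with the Federated Ingress, since nothing in the federation controller maintains it.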
Link to gcloud?
Done.
``` | ||
|
||
where: | ||
1. `firewall-rule-name` can be any name. |
unique name (amongst all existing firewall rules in the project)
I think it is implicit. gcloud/Cloud console will complain otherwise. Saying it should be unique here will add more confusion than clarity here.
|
||
where: | ||
1. `firewall-rule-name` can be any name. | ||
2. `[<service-nodeports>]` is the comma separated list of node ports corresponding to the services that backs the Federated Ingress. |
backs -> back
Done.
is stable. This can be done using the `gcloud` command line tool as follows: | ||
|
||
```shell | ||
gcloud compute firewall-rules create <firewall-rule-name> \ |
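Review bot: only the rule name and, in the next hunk, `--network` are visible here. If the elided middle of the command does not pass `--source-ranges` (or `--source-tags`), `gcloud compute firewall-rules create` admits traffic from every source (0.0.0.0/0) on the listed NodePorts. Suggest documenting `--source-ranges` restricted to the load balancer health-checker ranges and adding a matching entry to the "where:" list so readers do not copy a rule that is open to the whole internet.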
Do you want to mention that it is also possible to do this without having to install gcloud. They can use console.cloud.google.com.
Done.
--network <network-name> | ||
``` | ||
|
||
where: |
Add a line break below. Otherwise it is not rendered as a bullet list (You can see that by clicking on "View")
Done.
where: | ||
1. `firewall-rule-name` can be any name. | ||
2. `[<service-nodeports>]` is the comma separated list of node ports corresponding to the services that backs the Federated Ingress. | ||
3. [<target-tags>] is the comma separated list of the target tags assigned to the nodes in a kubernetes cluster. |
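Review bot: the placeholder formatting is inconsistent across the three items: item 3 writes `[<target-tags>]` without the backticks items 1 and 2 use, and item 1 writes `firewall-rule-name` without the angle brackets the command itself uses. Suggest `<firewall-rule-name>`, `<service-nodeports>` and `<target-tags>` in backticks throughout, "comma-separated" hyphenated in items 2 and 3, and a clause in item 3 that the tags must cover the nodes of every cluster in the federation, since one rule serves all clusters behind the Federated Ingress.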
optional: We can mention that they can leave it empty if all the clusters are in this project and all the nodes in this project are part of kubernetes clusters. (targets all nodes by default)
I would actually include this statement under "WARNING". Most users are running vms in the same project as the gke cluster and we don't want to end up opening all of that. Suggest always recommending the strictest form of security, unless it is so detrimental to UX (eg selinux).
@nikhiljindal @bprashanth I would rather not mention it at all. Why feed wrong ideas?
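As an added example (not code from this PR or the Kubernetes docs), a small POSIX shell helper that assembles the firewall-rule command while enforcing the point raised in this thread: it refuses an empty target-tag list instead of letting the rule fall through to every VM in the project, and pins the source ranges to Google's documented load balancer health-checker ranges (130.211.0.0/22 and 35.191.0.0/16; assumed current, verify against the GCP docs). The rule name, network, NodePorts and tags are caller-supplied placeholders.

```shell
#!/bin/sh
# Added example, not part of the PR: build the gcloud firewall-rule command
# for a Federated Ingress with the restrictive options filled in.
# Assumption: these are the GCE load balancer health-checker source ranges.
HC_SOURCE_RANGES="130.211.0.0/22,35.191.0.0/16"

# build_fw_rule_cmd NAME NETWORK NODEPORTS TARGET_TAGS
# NODEPORTS and TARGET_TAGS are comma-separated. Prints the command and
# returns 0 on valid input; returns 1 (prints nothing) otherwise.
build_fw_rule_cmd() {
    name="$1"; network="$2"; nodeports="$3"; tags="$4"
    [ -n "$name" ] && [ -n "$network" ] || return 1
    # An empty --target-tags applies the rule to every VM in the project,
    # not only the cluster nodes: refuse rather than silently widen scope.
    [ -n "$tags" ] || return 1
    allow=""
    oldifs="$IFS"; IFS=","
    for p in $nodeports; do
        case "$p" in
            ''|*[!0-9]*) IFS="$oldifs"; return 1 ;;
        esac
        # NodePorts live in the default 30000-32767 range; anything else is
        # most likely a typo that would open an unintended port.
        if [ "$p" -lt 30000 ] || [ "$p" -gt 32767 ]; then
            IFS="$oldifs"; return 1
        fi
        allow="${allow:+$allow,}tcp:$p"
    done
    IFS="$oldifs"
    [ -n "$allow" ] || return 1
    printf 'gcloud compute firewall-rules create %s --network %s --allow %s --target-tags %s --source-ranges %s\n' \
        "$name" "$network" "$allow" "$tags" "$HC_SOURCE_RANGES"
}
```

Pipe the printed command into `sh` only after checking it; the helper deliberately prints rather than executes so the rule can be reviewed first.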
@nikhiljindal Do we need to update the RELEASE NOTES also? That may be a place where folks will look for things like this. @kubernetes/sig-cluster-federation
@nikhiljindal PTAL.
lgtm, thx @matchstick Yes that's a good idea.
@nikhiljindal added a note in the e2e PR - kubernetes/kubernetes#37571. PR is still WIP. Adding
@madhusudancs I added a minor commit for wording/clarity. There aren't any tech changes.
@devin-donnelly super! thanks!
Ref issue: kubernetes/kubernetes#36327 and kubernetes/kubernetes#37306
cc @kubernetes/sig-cluster-federation @matchstick @bprashanth