Document the workaround for the Federated Ingress flapping healthchecks problem. #1772
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
| install the firewall rules manually to expose the targets of all the | ||
| underlying clusters in your federation for each Federated Ingress | ||
| object so that the health checks can pass and GCE L7 load balancer | ||
| is stable. This can be done using the `gcloud` command line tool as follows: |
| ``` | ||
|
|
||
| where: | ||
| 1. `firewall-rule-name` can be any name. |
There was a problem hiding this comment.
unique name (amongst all existing firewall rules in the project)
There was a problem hiding this comment.
I think it is implicit. gcloud/Cloud console will complain otherwise. Saying it should be unique here will add more confusion than clarity here.
|
|
||
| where: | ||
| 1. `firewall-rule-name` can be any name. | ||
| 2. `[<service-nodeports>]` is the comma separated list of node ports corresponding to the services that backs the Federated Ingress. |
| is stable. This can be done using the `gcloud` command line tool as follows: | ||
|
|
||
| ```shell | ||
| gcloud compute firewall-rules create <firewall-rule-name> \ |
There was a problem hiding this comment.
Do you want to mention that it is also possible to do this without having to install gcloud. They can use console.cloud.google.com.
| --network <network-name> | ||
| ``` | ||
|
|
||
| where: |
There was a problem hiding this comment.
Add a line break below. Otherwise it is not rendered as a bullet list (You can see that by clicking on "View")
| where: | ||
| 1. `firewall-rule-name` can be any name. | ||
| 2. `[<service-nodeports>]` is the comma separated list of node ports corresponding to the services that backs the Federated Ingress. | ||
| 3. [<target-tags>] is the comma separated list of the target tags assigned to the nodes in a kubernetes cluster. |
There was a problem hiding this comment.
optional: We can mention that they can leave it empty if all the clusters are in this project and all the nodes in this project are part of kubernetes clusters. (targets all nodes by default)
There was a problem hiding this comment.
I would actually include this statement under "WARNING". Most users are running vms in the same project as the gke cluster and we don't want to end up opening all of that. Suggest always recommending the strictest form of security, unless it is so detrimental to UX (eg selinux).
There was a problem hiding this comment.
@nikhiljindal @bprashanth I would rather not mention it at all. Why feed wrong ideas?
|
@nikhiljindal Do we need to update the RELEASE NOTES also? That may be a place where folks will look for things like this. @kubernetes/sig-cluster-federation |
| where: | ||
| 1. `firewall-rule-name` can be any name. | ||
| 2. `[<service-nodeports>]` is the comma separated list of node ports corresponding to the services that backs the Federated Ingress. | ||
| 3. [<target-tags>] is the comma separated list of the target tags assigned to the nodes in a kubernetes cluster. |
There was a problem hiding this comment.
@nikhiljindal @bprashanth I would rather not mention it at all. Why feed wrong ideas?
| install the firewall rules manually to expose the targets of all the | ||
| underlying clusters in your federation for each Federated Ingress | ||
| object so that the health checks can pass and GCE L7 load balancer | ||
| is stable. This can be done using the `gcloud` command line tool as follows: |
| is stable. This can be done using the `gcloud` command line tool as follows: | ||
|
|
||
| ```shell | ||
| gcloud compute firewall-rules create <firewall-rule-name> \ |
| --network <network-name> | ||
| ``` | ||
|
|
||
| where: |
| ``` | ||
|
|
||
| where: | ||
| 1. `firewall-rule-name` can be any name. |
There was a problem hiding this comment.
I think it is implicit. gcloud/Cloud console will complain otherwise. Saying it should be unique here will add more confusion than clarity here.
|
|
||
| where: | ||
| 1. `firewall-rule-name` can be any name. | ||
| 2. `[<service-nodeports>]` is the comma separated list of node ports corresponding to the services that backs the Federated Ingress. |
|
lgtm, thx @matchstick Yes thats a good idea. |
|
@nikhiljindal added a note in the e2e PR - kubernetes/kubernetes#37571. PR is still WIP. Adding |
|
@madhusudancs I added a minor commit for wording/clarity. There aren't any tech changes. |
|
@devin-donnelly super! thanks! |
Ref issue: kubernetes/kubernetes#36327 and kubernetes/kubernetes#37306
cc @kubernetes/sig-cluster-federation @matchstick @bprashanth
This change is