New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow pools dedicated to k8s namespaces in the controller #498
Conversation
@danderson I have deliberately avoided to write unit-tests until a preliminary go/no-go. |
Test have been performed with metallb config; metallb-config.yaml.txt, and service manifests; The services gets addresses as;
|
Re-start of the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks reasonable to me. Two questions:
- Do you personally need this for your deployments? I worry about implementing more things "just because", because adding more complexity leads to more bugs. I know one other person requested this in that bug, but I'm wondering how "popular" this request is.
- Can you add "update documentation" to the implementation plan? This needs to be mentioned in the sample config, and probably a section in either "Configuration" or "Usage" on the website.
Thanks for making improvements to MetalLB!
Good question. I get requests for features internally and got some more info; in this case the namespace-pools were just a step towards the goal; Use-caseApplications are developed and deployed individually, but each with it's own namespace. But all applications must update the metallb configmap with their addresses. This PR would remove the need for annotations in all external services, but the central update is still a problem. A solution that is considered is to have a central function that reads metallb configs from applications in some way (probably some API-server object, configmap or other) and updates the "real" metallb config map. Namespace bound pools would remove the need for some annotation convention. I will discuss this a bit further internally... |
Thanks to both of you for a great project and the potential enhancement! I'd like to second the benefit of a feature like this. For our primary use case, we want to reserve our public IPv4 addresses to be used by a small number of ingress points into our cluster (e.g. nginx-ingress and api gateways). Besides accidental misconfiguration by our own developers, we run a number of third-party projects that have services of type LoadBalancer that aren't easily configurable, so we ignore them (since we haven't implemented MetalLB yet) and create our own ingress resources. Having to run all these through kustomize (or something similar), or creating and running a mutating webhook to change the service type automatically would be a pain and somewhat obtuse. Having MetalLB recognize requests from only specific namespaces for pools gives cluster and network administrators a simpler way to define who has access to those IP ranges. Additionally, it would simplify our use-case of giving teams access to a particular pool of addresses. Instead of needing to remember to add the annotation with the correct pool name, services in a particular namespace would grab from a particular pool by default. Gives administrators a way to set some team defaults more easily. Just thought I'd add our use cases as another data point. Thanks again! |
On a closer look this does not solve the entire problem for us. Closing... |
This feature is useful for our use case. Configure a pool of IPs for each tenant in a multi-tenant platform. |
This PR partially implements #383. Only loadBalancer address allocation is considered, i.e only "controller" code is affected.
The configuration now allows a new "namespace" parameter for pools;
In the example services in the "app001" namespace will only get addresses from the "app001" (even if free addresses are available in the "default" pool).
Services in namespaces without any dedicated pool will get addresses from the "default" pool (never from the "app001" pool).
The
Allocator
has a new "nspools" field;Pools with the "namespace" attribute set are added to this map. The lenght of the map is used as "feature-gate" in the code;
This ensures that existing setups not using this new feature are not affected.
The
nspools
maps to a slice of pool-names but this list is currently not used, only the existence of pools dedicated to a namespace is checked.