✨ Add support for a secondary control plane load balancer #4733
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
k8s-ci-robot
added
kind/feature
|
/test pull-cluster-api-provider-aws-test |
|
/retest-required |
|
I'm now able to create a 2nd load balancer within my AWS clusters. 
The target group associated with it is also healthy. 
I just have rebasing, writing automated tests, and writing docs left before I can remove the WIP. |
nrb
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
nrb
force-pushed
the
secondary-lb
branch
3 times, most recently
from
0e71456
to
b08fe0c
Compare
|
Confirming that nodes within the cluster can reach the load balancer: |
api/v1beta2/awscluster_webhook.go
Outdated
| // TODO(nrb): The validate-on-update default test was failing when newlb was nil | ||
| // Upon investigation, both values were nil, which is unlikely in a real world scenario | ||
| if oldlb == nil && newlb == nil { | ||
| return nil | ||
| } |
There was a problem hiding this comment.
newLoadBalancer := &AWSLoadBalancerSpec{}
existingLoadBalancer := &AWSLoadBalancerSpec{}
if r.Spec.ControlPlaneLoadBalancer != nil {
newLoadBalancer = r.Spec.ControlPlaneLoadBalancer.DeepCopy()
}
if oldC.Spec.ControlPlaneLoadBalancer != nil {
existingLoadBalancer = oldC.Spec.ControlPlaneLoadBalancer.DeepCopy()
}
This was previously handled this way
There was a problem hiding this comment.
Which to be honest, maybe better to restructure, given that it was a bit confusing
|
/milestone v2.4.0 |
|
/milestone v2.4.0 |
* A secondary control plane load balancer can be added. * It will be a network load balancer. * Its scheme must not match that of the ControlPlaneLoadBalancer. Previously, NLBs could not have security groups attached. This has now changed, and an NLB can have a security group attached at creation. If a security group is _not_ present at creation, then the NLB can never have security groups added.
|
/test pull-cluster-api-provider-aws-e2e |
|
/test ? |
|
@vincepri: The following commands are available to trigger required jobs:
The following commands are available to trigger optional jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/test pull-cluster-api-provider-aws-apidiff-main |
|
Looks like some sort of account lookup issue with Boskos; it fails here with a 404. |
|
/test pull-cluster-api-provider-aws-e2e-blocking |
|
/retest |
2 similar comments
|
/retest |
|
/retest |
k8s-ci-robot
added
the
lgtm
|
cc @JoelSpeed |
There was a problem hiding this comment.
Great work @nrb . We should try to get this covered via e2e in the future.
| @@ -37,6 +37,9 @@ type NetworkStatus struct { | |||
| // APIServerELB is the Kubernetes api server load balancer. | |||
| APIServerELB LoadBalancer `json:"apiServerElb,omitempty"` | |||
|
|
|||
| // SecondaryAPIServerELB is the secondary Kubernetes api server load balancer. | |||
| SecondaryAPIServerELB LoadBalancer `json:"secondaryAPIServerELB,omitempty"` | |||
There was a problem hiding this comment.
nit: would be good to mark it optional
| @@ -331,7 +332,8 @@ func (r *AWSMachineReconciler) reconcileDelete(machineScope *scope.MachineScope, | |||
| if err := r.reconcileLBAttachment(machineScope, elbScope, instance); err != nil { | |||
| // We are tolerating AccessDenied error, so this won't block for users with older version of IAM; | |||
| // all the other errors are blocking. | |||
| if !elb.IsAccessDenied(err) && !elb.IsNotFound(err) { | |||
| // Because we are reconciling all load balancers, attempt to treat the error as a list of errors. | |||
| if err = kerrors.FilterOut(err, elb.IsAccessDenied, elb.IsNotFound); err != nil { | |||
There was a problem hiding this comment.
I didn't know about kerrors.FilterOut. Excellent.
| This secondary control plane load balancer is primarily meant to be used for internal cluster traffic, for use cases where traffic between nodes and pods should be kept internal to the VPC network. | ||
| This adds a layer of privacy to traffic, as well as potentially saving on egress costs for traffic to the Kubernetes API server. | ||
|
|
||
| A dual load balancer topology is not used as a default in order to maintain backward compatibility with existing CAPA clusters. |
There was a problem hiding this comment.
We should consider adding a template for this. Also, we should think about whether we think having a 2nd internal LB is a good default for the future (i.e. then you opt out).
There was a problem hiding this comment.
Yeah, I'll make an issue for the template.
One thing I'm looking at upstream is to support a slice of ControlPlaneEndpoints, which I think would tend toward a default set up of two LBs, but I'm not positive. This PR is sort of a trial run, though I think CAPZ already supports internal/external LBs.
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: richardcase The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
What type of PR is this?
/kind feature
What this PR does / why we need it:
Certain topologies of clusters may use an internal load balancer for the API server for a few reasons. A primary reason is to keep traffic within the cloud provider in order to reduce egress costs.
This PR adds support for a secondary control plane load balancer, internal to the Kubernetes cluster for such a use case.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #4554
Special notes for your reviewer:
Previously, it was believed that security groups could not be added to a network load balancer, which meant that there were exceptions and exclusions around NLBs in the code. This is only true if the load balancer was created without any security groups - SGs cannot be added after creation. If the network load balancer is created with at least one security group, more can be added or removed.
See the Network Load Balancer docs for more details.
Checklist:
Release note: