-
Notifications
You must be signed in to change notification settings - Fork 39.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Why kube-proxy add external-lb's address to node local iptables rule? #66607
Comments
/sig network |
I think the reason is, traffic from in cluster have no need to go out side(lb) then come back. |
@Lion-Wei Will it be an option to config this behavior?Some functions like TLS,Monitor,Logging doing on |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle stale |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle stale |
We're also seeing this as an issue at DigitalOcean. It's a concern not just for load-balancer TLS termination, but also for supporting proxy protocol as encouraged in ( https://kubernetes.io/docs/tutorials/services/source-ip/ ). Traffic addressed to the LB ip from within the cluster never reaches the load-balancer, and the required proxy header isn't applied, causing a protocol violation. The in-tree AWS service type loadbalancer supports proxy protocol and TLS termination, but because they populate We're willing to put together a PR to address this there's interest from sig-network to accept it. We've considered a kube-proxy flag to disable the optimization, or the more complex option of extending v1.LoadBalancerIngress to include feedback from the cloud provider. |
It seems like what is being implemented here is not modeled all that well in the current kube-proxy construct; your LB is not transparent from an L3/4 perspective and lives somewhere other than the node (it is terminating TLS, adding a proxy protocol field). It seems possible for nothing to break if we remove the external LB IPs from the node as a provider-specific setting, but it will require some thought. |
If I’m being quite honest this behavior goes against the principle of least surprise. If I want kube-proxy to route my traffic I would use a ClusterIP service or similar and configure the application to use it, if I am hitting a LoadBalancer provided by a cloud provider there is likely to be a specific reason for that and kube-proxy shouldn’t try to second guess it. |
We hit this same problem at Brightbox with our cloud controller manager. Our Load Balancers can terminate SSL and support the PROXY protocol. Confirmed with both ipvs and iptables kube-proxy modes. Any IPs we provide as LoadBalancerIngress are used to redirect outgoing connections and keep them within the cluster, breaking things. To put it more clearly (imo), the problem is that kube-proxy assumes all load balancer services are straight TCP/UDP and that it can optimize them internally but that is not the case. So either the assumption is wrong and kube-proxy needs fixing, or the assumption is right and external load balancers should not be doing these fancy things. I obviously think kube-proxy is wrong here :) As @jcodybaker says above, AWS avoids this problem simply but not listing IP addresses as LoadBalancerIngress, only hostnames, which kube-proxy doesn't resolve. We've changed our cloud controller to do the same, listing only hostnames in there, and it's fixed our problem too. This feels a bit like a hack, but maybe it could be argued that's the way for a cloud controller to enable/disable the optimisation - a bit misguiding though. We were also exposing the IPv6 addresses of our load balancers too, which actually didn't look properly supported further down the stack at all, so things do seem to be a bit of a mess here generally. So a kube-proxy flag to disable the optimization would be a great start, but I think this all needs a closer look! Plus, it's worth noting that in ipvs mode, the IP address is actually added locally to each node so it's not possible to selectively support this per-port. As soon as a load balancer lists the IP, it's completely unreachable directly. |
If I create an external loadbalancer I don't expect That completely disregards any functionality the load balancer provides, including TLS termination, proxy protocol, logging, metrics, DPI firewalling, and... the actual the load balancing algorithm! I'm perplexed that this is default behavior? It only seems useful if your external load balancer doesn't actually do anything useful 😄 As @jcodybaker says above, AWS avoids this problem simply but not listing IP addresses as LoadBalancerIngress, only hostnames, which Thanks for raising this @BSWANG. This submerged iceberg could have spoiled my day one day, but now I know to watch out for this 👀 |
reopen due this pr #96454 reverted |
the revert was done because that PR merged accidentally, to avoid misunderstandings, is not that the project doesn't want to implement, is that there are some process to add new features and that PR didn't follow them. @Sh4d1 are you still working on this #97681? if you want to include this in 1.22, the process has changed, please see https://groups.google.com/g/kubernetes-sig-network/c/3NYVEgvE1Uc/m/o68JAIt0DAAJ for more details |
Bugfix for OAuth redirect_url not being http. This is due to an upstream proxy issue with kubernetes/kubernetes#66607
Commenting for support/+1 that self-referencing the cluster from within would be useful @mkreidenweis-schulmngr 's hair-pin solution (kind of) worked but didn't pick up the correct name of the pod(s) to reroute to and would have worked with further digging. Thanks for your work on this |
#101027 was not assigned to me, so I missed it. |
I'm going to close this as a dup, since we do have the KEP open |
how is the progress ? |
Is there any solution for this? |
Unfortunately the work to fix this sort of stalled for lack of someone to
drive it to completion. Help wanted?
…On Tue, Oct 25, 2022 at 8:51 AM Dominic Cardellino ***@***.***> wrote:
Is there any solution for this?
—
Reply to this email directly, view it on GitHub
<#66607 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABKWAVAQTN5RNEIQRTB7IQLWE7QVJANCNFSM4FL7W5EQ>
.
You are receiving this because you modified the open/close state.Message
ID: ***@***.***>
|
Hey @thockin 👋 I'd be happy to help pushing this over the finishing line. Is there a place to refresh my memory on where we stand right now and what remains to be done? I vaguely remember that time was spent on a KEP but don't recall the details. Appreciate any starting pointers. |
@timoreimann 👋 you can read kubernetes/enhancements#1860 (comment) So if nothing really changed, my last message still stands I guess! |
This fixes problems with kube-proxy in ipvs mode considering the lb IP as local to the node See kubernetes/kubernetes#66607 This can also be used to access PROXY proto service from the inside
This fixes problems with kube-proxy in ipvs mode considering the lb IP as local to the node See kubernetes/kubernetes#66607 This can also be used to access PROXY proto service from the inside
This fixes problems with kube-proxy in ipvs mode considering the lb IP as local to the node See kubernetes/kubernetes#66607 This can also be used to access PROXY proto service from the inside
/kind friction
What happened:
I have a
LoadBalancer
type service A of address 1.1.1.1. The external loadbalancer of service A is a TLS decoder, it will convert https requests to httphostport
andendpoint
. But since the kube-proxy add the external-lb's address to local iptables rule. Requests ofhttps//1.1.1.1
will hijack to local httpendpoints
. Then https request failed.What you expected to happen:
Kube-proxy don't add external-lb's address to local iptables. And the request will go through external-lb.
Environment:
kubectl version
):1.10.4
Alibaba Cloud
Centos 7.4
uname -a
):3.10.0-693
kubeadm
The text was updated successfully, but these errors were encountered: