add nodeportisolation filter in yurthub #1209
Conversation
|
@rambohe-ch: GitHub didn't allow me to assign the following users: your_reviewer. Note that only openyurtio members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rambohe-ch The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@Congrool @yuanmaomao PTAL |
rambohe-ch
force-pushed
the
add-nodeportisolation-filter
branch
2 times, most recently
from
0ea2f18 to
a285f94
Compare
Codecov Report
@@ Coverage Diff @@
## master #1209 +/- ##
==========================================
+ Coverage 53.49% 53.58% +0.08%
==========================================
Files 101 102 +1
Lines 12604 12751 +147
==========================================
+ Hits 6742 6832 +90
- Misses 5314 5363 +49
- Partials 548 556 +8
Flags with carried forward coverage won't be shown. Click here to find out more.
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
| } | ||
|
|
||
| if len(nif.nodeName) == 0 { | ||
| return fmt.Errorf("node name for nodePortIsolationFilter is not ready") |
There was a problem hiding this comment.
"node name for nodePortIsolationFilter is not set" will be more clear
| if len(svc.Annotations[ServiceAnnotationNodePortIsolation]) != 0 { | ||
| enabledNodePools, disabledNodePools := parseNodePoolFromAnnotation(svc.Annotations[ServiceAnnotationNodePortIsolation]) | ||
| if disabledNodePools.Has(nodePoolName) { | ||
| klog.V(2).Infof("nodePort service(%s) is isolated in nodePool(%s) by nodePortIsolationFilter", nsName, nodePoolName) |
There was a problem hiding this comment.
"nodePort service(%s) is disabled in nodePool(%s) by nodePortIsolationFilter"
| return svc | ||
| } | ||
|
|
||
| klog.V(2).Infof("nodePort service(%s) is isolated in nodePool(%s) by nodePortIsolationFilter", nsName, nodePoolName) |
|
|
||
| // node is not located in NodePool, skip this filter | ||
| if len(nodePoolName) == 0 { | ||
| return svc |
There was a problem hiding this comment.
Is it suitable that skipping filter for node that does not in any nodepool?
-
If users only set enabled nodepools for svcs, it looks strange that such nodePort svcs will also work on these orphan nodes.
-
But if users only set disabled nodepools for svcs, it's intuitive that these svcs should work on all nodes in other nodepools and all orphan nodes.
-
If users set both enable nodepools and disable nodepools, it maybe confused because such two sets may overlap. For example, "np1,np2,-np1,-np3", we have to make more clear definition for such case.
There was a problem hiding this comment.
I have updated nodepool definition in #1183 as following:
The details of nodeport.openyurt.io/isolation annotation of service:
key: nodeport.openyurt.io/isolation
value: you can combine [np, -np, *] these three string to configure value, the priority is: [ np > -np > * ]
- np: enable specified NodePort service listening in this nodePool
- -np: disable specified NodePort service listening in this nodePool
- *: enable specified NodePort service listening in all nodePools except specified by -np.
- !: is used for orphan nodes(don't locate in nodepool), if
!is set, disable NodePort service listening on orphan nodes. if!is not set, enable NodePort service listening on orphan nodes.
for example:
*: enable NodePort service listening in all nodePools
nodepool1, nodepool2: enable NodePort service listening in nodePool1 and nodePool2
-nodepool1, *: enable NodePort service listening in all nodePools except nodePool1
nodepool1,-nodepool2: only enable NodePort service listening in nodePool1
nodepool1, *: enable NodePort service listening in all nodePools
nodepool1, -nodepool1, *: enable NodePort service listening in of nodePools except nodePool1
*, !: enable NodePort service listening in of nodePools except orphan nodes.
There was a problem hiding this comment.
nodepool1, -nodepool1, *: enable NodePort service listening in of nodePools except nodePool1
If [ np > -np > * ], I think it should enable NodePort service on all nodepools.
Is there a better way to indicate orphan nodes? Using ! is hard to read I think.
There was a problem hiding this comment.
@Congrool As discussed in community meeting, the design has been changed as following:
I will name the new filter as nodeportisolation, and add a new annotation nodeport.openyurt.io/listen for NodePort service in order to trigger nodeportisolation filter in Yurthub.
The details of nodeport.openyurt.io/listen annotation of service:
- key:
nodeport.openyurt.io/listen - value: A list of nodepool names that separated by ','
-
foo: enable specified NodePort service listening on nodes of NodePool named foo -
-foo: disable specified NodePort service listening on nodes of NodePool named fool -
*: enable specified NodePort service listening on nodes of all NodePools -
if NodePool name is duplicated in the configuration, we will take the first configuration
-
if NodePool name is not configured, we will disable NodePort listening on nodes of these unconfigured NodePools.
-
orphan nodes(don't locate in NodePool) will be kept the same as native Kubernetes, so NodePort will be listened on orphan nodes.
for example:
foo, bar: enable NodePort service listening on nodes in foo and bar NodePool.foo, *: enable NodePort service listening on nodes of all NodePools-foo, -bar: disable NodePort service listening on nodes of all NodePools-foo, *: disable NodePort service listening only on nodes in foo NodePoolfoo,-foo: enable NodePort service listening on nodes in foo NodePool-foo: disable NodePort service listening on nodes of all NodePools(include foo NodePool).
-
| } | ||
|
|
||
| klog.V(2).Infof("nodePort service(%s) is isolated in nodePool(%s) by nodePortIsolationFilter", nsName, nodePoolName) | ||
| return nil |
There was a problem hiding this comment.
In other case, we return nil to disable the nodeport svc. It looks confusing. For example, we have "np1,-np2" which also implicitly disable this svc in np3, np4 and so on. Users may be confused when encountering this scenario.
|
Another problem, this filter seems cannot react to the nodepool change, for example the node is moved to another nodepool. |
rambohe-ch
force-pushed
the
add-nodeportisolation-filter
branch
from
a285f94 to
0b6f4bb
Compare
@Congrool I suppose that node should be reset and re-join when node want to change the nodePool. or maybe we can adapt nodepool change with a new controller in the other pull request. |
If so, we may need to add such instruction to our manual. |
rambohe-ch
force-pushed
the
add-nodeportisolation-filter
branch
2 times, most recently
from
b31b9d3 to
a75b1c7
Compare
|
Refer to the design of #1183 (comment):
When the svc has the annotation key but with no value, like |
rambohe-ch
force-pushed
the
add-nodeportisolation-filter
branch
from
a75b1c7 to
f6eca59
Compare
@Congrool you are right, we need to disable this svc in all nodepools if no value configured. i have fixed it, PTAL |
|
/lgtm |
What type of PR is this?
/kind feature
What this PR does / why we need it:
add a new filter named nodeportisolation in yurthub in order to make only nodes in specified nodepool can listen on nodePort of service.
Which issue(s) this PR fixes:
Fixes #1183
Special notes for your reviewer:
Does this PR introduce a user-facing change?
other Note