-
Notifications
You must be signed in to change notification settings - Fork 910
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IP address sharing + externalTrafficPolicy: Local; exact same selector mixes traffic between pods #271
Comments
Thanks for the report. You're right, I tried to be generic in the documentation, but I actually need to be more specific: to use the This is because MetalLB can only control traffic flow at L3, so it's all-or-nothing. MetalLB can't tell the outside world "I want traffic for IP 1.2.3.4, but only port 80", it can only say "I want all traffic for 1.2.3.4". This is fine with the So, we have 2 constraints:
There are 2 ways to work with these constraints:
MetalLB picks the second option, because the first leads to a bunch of confusing behaviors that would mean a lot more bugs. Unfortunately this means that IP sharing with It's pretty clear that I need to make the docs more explicit about the limitations for your scenario. If you have suggestions on how to make this behavior better (e.g. how to remove this constraint without a flood of bug reports about confusing traffic routing because of what I explained above), I'd love to make IP sharing more generally useful. |
Tanks for your elaborate answer and I see your point. But IMHO a bare-metal k8s system will never be as "forgiving" as e.g GCE so one may assume a somewhat better knowledge from those users. The local traffic policy is often a very desired, if not required, feature for the source address preseravtion. I think a reasonable division of responsibility would be;
Most likely an application will be assigned one external IP but will be implemented as several services with different functions and ports for external traffic which is why I want both shared-ip and local traffic policy. I also foresee a scaling problem that I hope will be possible to turn into a feature using local traffic policy; In a large system all nodes can't be ECMP targets. In that case I would like to use "frontend" PODs (e.g. Ingress Controllers) forming some "load-balancing-tier" and using local traffic policy to avoid an unnecessary hop. External traffic flow would become very efficient I think, and the source would always be preserved. I would suggest some "expert" option to metallb, like For now I can patch |
Is this a bug report or a feature request?:
Bug
What happened:
The metallb documentation states that if address sharing and
externalTrafficPolicy: Local
is combined the services must "have the exact same selector".But the implementing pods must then also have the same selector or Kubernetes complains. However Kubernetes seem to regard the pods exactly equal and distributes traffic to all sevices with the shared ip (and the same selector) to all pods, regardless of which ports they serve.
Hence my two pods serving ports 22 and 5001 will get a mix of traffic to the ports and half the traffic is lost.
What you expected to happen:
Traffic to a service should be distributed to the pods implementing the service only.
How to reproduce it (as minimally and precisely as possible):
I have 2 services and deployments;
and
When started every other attempt to e.g. port 1022 will fail;
The source is preserved (
192.168.0.201
) as seen in the first attempt, so far so good. But the second attempt fails because it is routed to the other serving only port 5001.I run proxy-mode=ipvs so it is quite easy to visualize the problem;
The loadBalancerIP
10.0.0.2
is distributed locally (good) but for port 1022 it is distributed to both local pods which is a bug IMO. Maybe not inmetallb
though.Anything else we need to know?:
Actually I can't understand the restriction of exact the same selector.
By removing the check i can make it work perfectly the way I want it.
Environment:
Built from source. commit; d38ad1e
v1.10.5-beta
gobgp
Own busyBox based
uname -a
):Linux vm-003 4.16.2 #2 SMP Mon Jun 11 16:02:46 CEST 2018 x86_64 GNU/Linux
The text was updated successfully, but these errors were encountered: