optionally disable clusterIP for Service Type=LoadBalancer #3623
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
Welcome @xiaonancc77! |
|
Hi @xiaonancc77. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: xiaonancc77 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
sig/network
| * the number of load balancers is now limited to the number of available clusterIP. | ||
| * clusterIP are allocated for an LB even though they are not used. | ||
|
|
||
| For clusters that have integrations for Service Type=LoadBalancer but don't require clusterIP should have the option to disable clusterIP allocation. |
There was a problem hiding this comment.
how the other Pods in the cluster will be able to reach this Service?
I think this will break the service discovery per example, that uses DNS for the svcname and returns the ClusterIP as A record
There was a problem hiding this comment.
-
In some business scenarios, some services do not need to be accessed by the pods in the cluster, but are accessed by requests from outside the cluster.In some cases, a large number of ClusterIPs that are not needed will be allocated.
-
In some actual production environments, the access within the cluster is also expected to be accessed through the cloud provider loadBalancer(service external ip) instead of ipvs/iptables, because the cloud provider loadBalancer has session retention, health detection, traffic monitoring and more functions .
-
dns: If need access within the cluster, dns can configure the k8s_external plugin(dns can return the ExternalIP for service name)
There was a problem hiding this comment.
those are a lot of exceptions for justifying changing a default behavior 😅
There was a problem hiding this comment.
However, there is indeed a need for LB service not to be accessed by pods in the cluster. In this case, it is really unnecessary to allocate clusterIP.
This is the part I find harder to understand, ClusterIPs come from the ServiceCIDR that use to be private network and you can use up to a /12 , however, load balancer IPs has to be public and those are much expensive and scarce. |
First of all this is true in the private cloud scenario. However, in public cloud scenarios, such as Tencent Cloud and Alibaba Cloud, in a subnet, the network segments of the container network of all k8s clusters cannot overlap, that is to say, the network segment resources determine the number or the size of clusters that can be purchased. In addition, among public cloud vendors, the vip provided by load balancing is also divided into public network ip and internal ip. The internal IP of the load balancer is associated with the external IP of the k8s cluster server, which can also meet the needs of access outside the cluster. At the same time, the internal ip, like the container ip, belongs to the private network and it is not so scarce. Whether it is a private cloud or a public cloud, there is indeed a service bound to a load balancer, and there is no need to be accessed by pods in the cluster. |
but the service ip range can overlap, and there are current limitations on the number of Service supported at scale, with a /20 you'll have the possibility to use 4093 ClusterIPs ... just curious, why don't you use the same Service CIDR for all the clusters? |
In many public cloud providers, multiple clusters on the same subnet are not allowed to use overlapping network segments, including service ip ranges. Even though all the clusters use the same service ip range, if the setting is too large, it will crowd out the container network ip resources. If the setting is too small, it will not be able to expand the IP segment when it is not enough(many public cloud providers currently do not allow the service ip range to be modified after the cluster is created. |
|
In the case where clusterIP is not required, there is really no need for mandatory allocation, and this requirement can be opened as optional. |
|
/assign @danwinship @thockin @khenidak |
|
I appreciate the KEP, but I don't think we want to do this. We did the equivalent for nodePort under duress, but nodePorts are ACTUALLY a limited resource. As @aojea says, you CAN reuse the same service CIDR on many clusters (in most implementations) and those CAN be very large. This new exception would have to propagate pretty far and wide - every discovery mechanism, including but not limited to DNS, would need to be aware that this previously required field could now be empty. The risk of this change is quite large. I'll leave it open for a bit to collect feedback, but I'm -1 on this proposal. |
|
@xiaonancc77 With the upcoming work on Gateway API for L4 load balancing I don't think we'll have any expectations of also provisioning a ClusterIP, maybe it would be more straightforward to invest in that going forward instead of a new KEP on Service? |
|
The motivation is centered around preserving ClusterIPs. This is specially painful to deal with if the cluster was setup with a small ClusterIPs CIRD. I think we have a KEP to allow multiples of these CIDRs which should also solve for the problem this KEP is trying to solve for, right? |
|
@robscott Do you have a link to the relevant documentation, please? Thanks~~ |
|
@khenidak Thank you for your reply, you are right, but being able to configure multiple service CIDRs can solve some of our pain points, but not all. In a private network, container CIDR, service CIDR, and LoadBalancer CIDR cannot overlap. |
|
/cc @shaneutt |
|
"the number of loadbalancers is limited by the number of available clusterIP." <---- What is your service cluster cidr? It would be good to understand why you are running out of clusterIP's |
The project is https://gateway-api.sigs.k8s.io/ and the repository is https://github.com/kubernetes-sigs/gateway-api. One of the long term goals of this project is to enable the We would love to have you join one of the upcoming Gateway API community meetings and talk to us more about your use case and needs (note that they wont be starting back up until January 9th due to the holidays). Please feel free to put something on our agenda for an upcoming meeting, or if you prefer async we have a discussions board and we're in
I'm also very curious about the impetus for this change. Can you please help us to better understand:
|
|
In almost all implementations, the service clusterIP range is virtual - it never hits the wire. That said, you don't want it to overlap with real IPs that you use elsewhere in your network. It can be any range that you can afford to consume - link-local or RFC-1918 or CGNAT or class E or even puplic IPs you know you will never use. IPv6 should be even easier. You can also use the same range in every cluster. Adding more API to economize on these has a real cost for maintenacne and testing, and the cost is forever. I don't think we want to do this proposal this way - Gateway is our way out of the "stacked" model of Services. /close |
|
@thockin: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This is useful for VIP-based implementations of Service Type=LoadBalancer where the ClusterIP is not needed. The largest motivations for this feature is:
the number of loadbalancers is limited by the number of available clusterIP.
Optionally Disable ClusterIP for
type: LoadBalancerServices #3622