@m1093782566 @Lion-Wei any ideas if we need this for IPVS proxier?

/priority important-soon

Validated and tested this on a Kind cluster with metallb (thanks @mauilion!) and on GKE by applying the rules manually. @jcodybaker can you test this on DOKS please (re: #66607)?

@andrewsykim - I've tested this and unfortunately it doesn't seemed to have changed the behavior seen in #66607. I've left my test cluster up, and can provide any debug that's helpful--just message on slack. I've started debugging by looking through the iptables counter. I didn't get the full picture tonight, but it's does seem to be taking a different path than we were seeing before.

@jcodybaker can you share the output for sudo iptables-save please?

@andrewsykim
In my testing I was able to reproduce this case:
Bring up a 3 node cluster and schedule pods on 2 of them.
Define a service of type loadbalancer and ensure that the loadbalancer provides an ip address
modify the service and set externalTrafficPolicy to Local
Bring up a pod with hostNetwork: true on the node where there are no endpoints.
before your change I am not able to connect to the service.
after your change I can.

@kinolaev I think I agree with you but not sure yet. Traffic originating from the cluster cidr AND directed at the LB IP goes through the service chain if externalTrafficPolicy=Local. Shouldn't the same policy apply for nodes then? Either way, let me try to test your PR to make sure there's no edge cases missing there. I wonder if the src-type check can lead to interesting behavior if we go back out to the external LB and back into the node pool.

Shouldn't the same policy apply for nodes then?

For externalTrafficPolicy=Local we can remove FW chain on nodes that don’t have local endpoints to send all traffic to LB. This solution looks more consistent, but requires network access from node to LB for traffic from pods and has no benefit (source IP will be lost). I don’t think that we need to choose this solution just for consistency.

So I don’t think that we need to choose this solution just for consistency.

Agreed that it shouldn't just be for consistency sake. The question I have boils down to: if we know the destination IPs for a given external LB IP, do we route back to external IP or route directly to the backend? We route to directly to service backend for the pod cidr case, wondering if there was a valid reason for that which also applies to nodes. Need to test all the scenarios first.

I think routing directly to backend is good solution (and personally I prefer it). But if maintainers will decide that source IP must be preserved they will already have a solution for this.

Please see my comment above about moving routing to SVC after check that node doesn't have local endpoints, because otherwise traffic must be routed locally. Do you agree?

Please see my comment above about moving routing to SVC after check that node doesn't have local endpoints, because otherwise traffic must be routed locally. Do you agree?

I'm not sure, need to put more thought into this because the existing local endpoint logic only applies for external traffic coming into the cluster (hence externalTrafficPolicy=Local). Preferring local endpoint if they exist and falling back to service chain sounds right but I don't think it's that simple, we are possibly changing the expectations for internal traffic in ways that can be unexpected. This would be addressed by on-going work for service topology which I would say is out-of-scope for what we're trying to fix here. I'm not the authoritative source on this though :)

I see now the root of our discussion: we have different borders of "internal") For me "internal" means pods and services but you also include nodes to "internal". So for me nodes' outgoing traffic is "external" traffic and must be routed to local endpoints or load balancer. But if nodes' outgoing traffic is "internal" traffic then your solution is most logical.
@thockin, waiting for you)

Err sorry, forgot to put a milestone on this one. Putting the milestone label so it's on the radar at least. It's a bit last minute so feel free to bump into next release (or we can cherry-pick it later)

/milestone v1.15

Thanks!

/lgtm
/approve

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andrewsykim, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

@andrewsykim @kinolaev It's not just preserving the source IP that is the issue, the current behavior for routing traffic to LoadBalancer services within the cluster makes a false assumption that the LoadBalancer is always transparent. In the case of DigitalOcean, as an example, this is not the case - the LoadBalancer supports the PROXY protocol as well as TLS termination - sending traffic directly to a pod will often result in unexpected behavior as a result.

This is only an issue when LoadBalancer's provide an IP address in the status spec since k8s does not attempt to magic the LoadBalancer away when a hostname is provided instead, as is the case with ELB's from AWS, for example. If your cloud provider supports network transparent load balancing than I don't think the optimization needs to be thrown away, but cloud controllers should have a way to indicate to the kublet that a LoadBalancer service is not transparent and shouldn't be routed internally.

/cc @RainbowMango

@kevin-wangzefeng: GitHub didn't allow me to request PR reviews from the following users: RainbowMango.

Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs.