cloud-provider-openstack icon indicating copy to clipboard operation
cloud-provider-openstack copied to clipboard

Published 20 hours ago verified publisher icon kubernetes

Protect from `AllocateLoadBalancerNodePorts=false`

Open dulek opened this issue 2 years ago • 7 comments

When aforementioned option is set on the Service .spec, the NodePorts stop being set, effectively defaulting .spec.ports[*].nodePort to 0. When cloud provider tries to create a member with such a port, Octavia fails.

This commit makes sure we are not adding members when nodePort value is 0. We also omit the SG manipulations for such ports.

  • openstack-cloud-controller-manager (occm)

What this PR does / why we need it: It's to make sure we are not making requests to Octavia that it cannot fulfill.

Which issue this PR fixes(if applicable): fixes #1996

Special notes for reviewers:

Release note:

NONE

dulek avatar Sep 06 '22 14:09 dulek

Hi @dulek. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Sep 06 '22 14:09 k8s-ci-robot

@mdbooth, you might want to take a quick look here.

dulek avatar Sep 06 '22 14:09 dulek

/ok-to-test

jichenjc avatar Sep 06 '22 23:09 jichenjc

When aforementioned option is set on the Service .spec, the NodePorts stop being set, effectively defaulting .spec.ports[*].nodePort to 0. When cloud provider tries to create a member with such a port, Octavia fails.

do you mind create a bug to track this? just want to keep record and know the impact /reason etc as reference

jichenjc avatar Sep 08 '22 01:09 jichenjc

code looks reasonable @dulek but I guess if there's more info in the issue talk about AllocateLoadBalancerNodePorts in commit msg will be helpful as I think it's come from k8s core defintion which lack some background in the PR itself

jichenjc avatar Sep 15 '22 09:09 jichenjc

@jichenjc: I created #1996 as an issue explaining the problem in more details.

dulek avatar Sep 20 '22 14:09 dulek

@dulek could you please help rebase this? Thanks

jichenjc avatar Oct 09 '22 07:10 jichenjc

Don't we also need to add a guard to ensureAndUpdateOctaviaSecurityGroup() as well?

edit: replying to myself, yes, most likely. The code was added in #1984 after you first submitted your PR.

Done, thanks for spotting this!

dulek avatar Oct 19 '22 15:10 dulek

@jichenjc: Hi! I've updated the commit message a bit, can you take another look at this?

dulek avatar Nov 02 '22 12:11 dulek

/lgtm /approve

jichenjc avatar Nov 04 '22 06:11 jichenjc

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jichenjc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot avatar Nov 04 '22 06:11 k8s-ci-robot