feat(NSC): change service.local internal traffic policy posture #1774
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Over time, feedback from users has been that our interpretation of how the kube-router service.local annotation interacts with the internal traffic policy has been that it is too restrictive. It seems like tuning it to fall in line with the local internal traffic policy is too restrictive. This commit changes that posture, by equating the service.local annotation with External Traffic Policy Local and Internal Traffic Policy Cluster. This means that when service.local is set the following will be true: * ExternalIPs / LoadBalancer IPs will only be available on a node that hosts the workload * ExternalIPs / LoadBalancer IPs will only be BGP advertised (when enabled) by nodes that host the workload * Services will have the same posture as External Traffic Policy set to local * ClusterIPs will be available on all nodes for LoadBalancing * ClusterIPs will only be BGP advertised (when enabled) by nodes that host the workload * Cluster IP services will have the same posture as Internal Traffic Policy set to cluster For anyone desiring the original functionality of the service.local annotation that has been in place since kube-router v2.1.0, all that would need to be done is to set `internalTrafficPolicy` to Local as described here: https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
@mrueg @twz123 @rbrtbnfgl
Over time, feedback from users has been that our interpretation of how the kube-router service.local annotation interacts with the internal traffic policy has been that it is too restrictive.
It seems like tuning it to fall in line with the local internal traffic policy is too restrictive. This commit changes that posture, by equating the service.local annotation with External Traffic Policy Local and Internal Traffic Policy Cluster.
This means that when service.local is set the following will be true:
For anyone desiring the original functionality of the service.local annotation that has been in place since kube-router v2.1.0, all that would need to be done is to set
internalTrafficPolicyto Local as described here: https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/