Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

set config.BindAddress to IPv4 address "127.0.0.1" if not specified #83822

Merged
merged 1 commit into from
Oct 25, 2019
Merged

set config.BindAddress to IPv4 address "127.0.0.1" if not specified #83822

merged 1 commit into from
Oct 25, 2019

Conversation

zouyee
Copy link
Member

@zouyee zouyee commented Oct 12, 2019

SetDefaults_KubeProxyConfiguration will set config.BindAddress to IPv4 address "0.0.0.0" if not specified

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #83791

Special notes for your reviewer:
SetDefaults_KubeProxyConfiguration will set config.BindAddress to IPv4 address "0.0.0.0" if not specified

Does this PR introduce a user-facing change?:

set config.BindAddress to IPv4 address "127.0.0.1" if not specified

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:


@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/ipvs sig/network Categorizes an issue or PR as relevant to SIG Network. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Oct 12, 2019
@zouyee
Copy link
Member Author

zouyee commented Oct 12, 2019

/sig network
/cc @liggitt
/assign @MrHohn @freehan

@zouyee
Copy link
Member Author

zouyee commented Oct 12, 2019

/kind bug

@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Oct 12, 2019
@zouyee
Copy link
Member Author

zouyee commented Oct 12, 2019

/retest

@@ -278,11 +278,6 @@ func NewProxier(ipt utiliptables.Interface,
masqueradeValue := 1 << uint(masqueradeBit)
masqueradeMark := fmt.Sprintf("%#08x/%#08x", masqueradeValue, masqueradeValue)

if nodeIP == nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This has been present for ~4 years (1acaa1d#diff-d51765b83fe795b469e8a86276b12dc9R218-R221). Can you explain why this is correct to remove?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@liggitt I think #77167 introduced a breaking change where kube-proxy exits if nodeIP is nil. Before v1.16, if nodeIP is nil kube-proxy continues assuming later it would default node IP to 127.0.0.1.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This has been present for ~4 years (1acaa1d#diff-d51765b83fe795b469e8a86276b12dc9R218-R221). Can you explain why this is correct to remove?

At first, I thought that iptables.NewProxier was only used here, if so, it might be redundant to validate nodeIP again. Later, I found that it was used by https://github.com/kubernetes/kubernetes/blob/master/pkg/kubemark/hollow_proxy.go#L82, so I withdrew the modification here

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How is this different from simply rolling back #77167 ? I thought the point of that was to force kube-proxy not to proceed with a wrong IP address?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#77167 also adds exponential back-off which fixes #37414 where kube-proxy would try to get the node IP before the node is registered. IMO removing the nodeIP check entirely and having the proxy implementations fall back to use 127.0.0.1 is better.

@liggitt
Copy link
Member

liggitt commented Oct 14, 2019

/assign @bowei @thockin
as original reviewers of #77167

@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Oct 19, 2019
@zouyee zouyee changed the title remove check Because SetDefaults_KubeProxyConfiguration will set default address set config.BindAddress to IPv4 address "127.0.0.1" if not specified Oct 19, 2019
@zouyee
Copy link
Member Author

zouyee commented Oct 19, 2019

/assign @freehan

@@ -137,7 +137,8 @@ func newProxyServer(
if nodeIP.IsUnspecified() {
nodeIP = utilnode.GetNodeIP(client, hostname)
if nodeIP == nil {
return nil, fmt.Errorf("unable to get node IP for hostname %s", hostname)
klog.Warning("invalid nodeIP, initializing kube-proxy with 127.0.0.1 as nodeIP")
nodeIP = net.ParseIP("127.0.0.1")
Copy link
Member

@andrewsykim andrewsykim Oct 19, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The proxier implementations already sets node IP to 127.0.0.1 if it's nil, wondering if it makes more sense to remove this nil check altogether (see #84071 -- closed in favor of this PR).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change may now impact ipvs.NewProxier() (I can't tell for sure currently as I'm on mobile only) which used to not necessarily come with a set node IP.

Is there a reason we cannot just drop line 140 without adding anything else? That's what the code originally used to do, so it seems like the cleaner approach to me with regards to addressing the bug.

Copy link
Member

@andrewsykim andrewsykim Oct 19, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IPVS proxier has the same behavior as iptables for nil nodeIP (see https://github.com/kubernetes/kubernetes/blob/master/pkg/proxy/ipvs/proxier.go#L406-L409) so agreed with @timoreimann this can just be

if nodeIP.IsUnspecified() {
       nodeIP = utilnode.GetNodeIP(client, hostname)
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we remove the code in NewProxier implementations that checks for and handles nil? This is kind of a contract change - they can assume it is non-nil.

So I guess from a compat POV this is correct. From a correctness POV, this is wrong. At least the iptables module will make a wrong decision based on this information. IPVS seems only to log it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Having the user set the --bind-address seems like the RIGHT answer, but I acknowledge that this is a breaking change and we should fix it.

Can we enhance the log message to say something like:

    klog.V(0).Infof("can't determine this node's IP, assuming 127.0.0.1; if this is incorrect, set the --bind-address flag")
```

Of course, flags are passe and config files are vogue, and it's harder to reference config file fields.  This is also wrongish in the case of IPv6.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we remove the code in NewProxier implementations that checks for and handles nil? This is kind of a contract change - they can assume it is non-nil.

If iptables.NewProxier was only used here, it might be redundant to validate nodeIP nil again. But, I found that it was used by https://github.com/kubernetes/kubernetes/blob/master/pkg/kubemark/hollow_proxy.go#L82, so I withdrew the modification here

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we fix that do explicitly pass 127.0.0.1 and remove it from NewProxier?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we fix that do explicitly pass 127.0.0.1 and remove it from NewProxier?

Done.PTAL

@andrewsykim
Copy link
Member

/priority important-soon

@k8s-ci-robot k8s-ci-robot added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label Oct 21, 2019
@k8s-ci-robot k8s-ci-robot removed sig/node Categorizes an issue or PR as relevant to SIG Node. sig/instrumentation Categorizes an issue or PR as relevant to SIG Instrumentation. do-not-merge/contains-merge-commits Indicates a PR which contains merge commits. sig/scheduling Categorizes an issue or PR as relevant to SIG Scheduling. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API labels Oct 24, 2019
@k8s-ci-robot
Copy link
Contributor

@zouyee: Those labels are not set on the issue: area/dependency, kind/feature, area/code-generation

In response to this:

/remove-area apiserver
/remove-area cloudprovider
/remove-area dependency
/remove-area e2e-test-framework
/remove-area ipvs
/remove-area kubeadm
/remove-area kubectl kubelet test
/remove-kind feature
/remove-sig api-machinery apps auth cli cloud-provider cluster-lifecycle network storage testing

/remove-sig node instrumentation scheduling
/remove-kind api-change
/remove-area code-generation

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot
Copy link
Contributor

@zouyee: Those labels are not set on the issue: area/apiserver, area/cloudprovider, area/dependency, area/e2e-test-framework, area/ipvs, area/kubeadm, area/kubectl, area/kubelet, area/test, kind/feature, sig/api-machinery, sig/apps, sig/auth, sig/cli, sig/cloud-provider, sig/cluster-lifecycle, sig/network, sig/storage, sig/testing, sig/node, sig/instrumentation, sig/scheduling, kind/api-change, area/code-generation

In response to this:

/remove-area apiserver
/remove-area cloudprovider
/remove-area dependency
/remove-area e2e-test-framework
/remove-area ipvs
/remove-area kubeadm
/remove-area kubectl kubelet test
/remove-kind feature
/remove-sig api-machinery apps auth cli cloud-provider cluster-lifecycle network storage testing

/remove-sig node instrumentation scheduling
/remove-kind api-change
/remove-area code-generation

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the sig/network Categorizes an issue or PR as relevant to SIG Network. label Oct 24, 2019
@k8s-ci-robot
Copy link
Contributor

@zouyee: The label(s) sig/networking cannot be applied. These labels are supported: api-review, community/discussion, community/maintenance, community/question, cuj/build-train-deploy, cuj/multi-user, platform/aws, platform/azure, platform/gcp, platform/minikube, platform/other

In response to this:

/remove-si autoscaling
/sig networking

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot removed the sig/autoscaling Categorizes an issue or PR as relevant to SIG Autoscaling. label Oct 24, 2019
@k8s-ci-robot
Copy link
Contributor

@zouyee: The label(s) sig/networking cannot be applied. These labels are supported: api-review, community/discussion, community/maintenance, community/question, cuj/build-train-deploy, cuj/multi-user, platform/aws, platform/azure, platform/gcp, platform/minikube, platform/other

In response to this:

/remove-sig autoscaling
/sig networking

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

1 similar comment
@k8s-ci-robot
Copy link
Contributor

@zouyee: The label(s) sig/networking cannot be applied. These labels are supported: api-review, community/discussion, community/maintenance, community/question, cuj/build-train-deploy, cuj/multi-user, platform/aws, platform/azure, platform/gcp, platform/minikube, platform/other

In response to this:

/remove-sig autoscaling
/sig networking

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@zouyee
Copy link
Member Author

zouyee commented Oct 24, 2019

/retest

Signed-off-by: Zou Nengren <zouyee1989@gmail.com>
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. area/ipvs and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Oct 25, 2019
Copy link
Member

@thockin thockin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 25, 2019
@thockin thockin added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 25, 2019
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: thockin, zouyee

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 1732b43 into kubernetes:master Oct 25, 2019
@k8s-ci-robot k8s-ci-robot added this to the v1.17 milestone Oct 25, 2019
@andrewsykim
Copy link
Member

@zouyee can you cherry-pick this to v1.16 please?

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Oct 25, 2019
k8s-ci-robot added a commit that referenced this pull request Nov 26, 2019
…-upstream-release-1.16

Automated cherry pick of #83822: set config.BindAddress to IPv4 address "127.0.0.1" if not
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/ipvs cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/network Categorizes an issue or PR as relevant to SIG Network. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
9 participants