New Feature: Multi Cluster TargetGroupBindings #3478
Conversation
Welcome @Alex-Waring!
Hi @Alex-Waring. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test. Once the patch is verified, the new status will be reflected by the ok-to-test label. I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: Alex-Waring. The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing /approve in a comment.
Force-pushed from 17c8fc2 to a8b96e5
This change looks huge, but most of it is this package. We don't use most of it, but I thought it better to keep with the standard and in line with the CI.
@@ -27,13 +27,15 @@ const (
	flagBackendSecurityGroup       = "backend-security-group"
	flagEnableEndpointSlices       = "enable-endpoint-slices"
	flagDisableRestrictedSGRules   = "disable-restricted-sg-rules"
	flagEnableClusterAwareBindings = "enable-cluster-aware-bindings"
The feature is enabled by a flag on the controller, but it could also be on the binding resource itself.
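For context, here is a minimal sketch of how a controller-level feature flag like this is commonly wired up with pflag; the config type, field name, default, and usage string are assumptions for illustration, not the exact wiring in this PR:

```go
// Sketch only: the config type and field names are hypothetical.
package config

import "github.com/spf13/pflag"

const flagEnableClusterAwareBindings = "enable-cluster-aware-bindings"

type ControllerConfig struct {
	// EnableClusterAwareBindings gates the multi-cluster TargetGroupBinding behaviour.
	EnableClusterAwareBindings bool
}

func (cfg *ControllerConfig) BindFlags(fs *pflag.FlagSet) {
	fs.BoolVar(&cfg.EnableClusterAwareBindings, flagEnableClusterAwareBindings, false,
		"If enabled, the controller only deregisters targets it believes are owned by this cluster")
}
```

Putting the switch on the TargetGroupBinding resource instead would mean adding a field to the CRD, which is a larger API change than a controller flag.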
m.targetsCache.Set(tgARN, targetsCacheItem, m.targetsCacheTTL)

var parsedTargets []TargetInfo
clusterCIDRs, err := eksInfoResolver.ListCIDRs(ctx)
This is resolved every time because it is possible to change the subnets of an EKS cluster, and if the subnets are changed we don't want to have to wait for the cache to clear before new pods can be bound there.
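As a rough illustration of the check this enables (ipOwnedByCluster is a hypothetical helper; clusterCIDRs is assumed to be the result of eksInfoResolver.ListCIDRs(ctx), fetched fresh on each reconcile rather than cached):

```go
package targetgroupbinding

import (
	"fmt"
	"net"
)

// ipOwnedByCluster reports whether a target IP falls inside any of the cluster's
// subnet CIDRs. Because the CIDR list is re-resolved on every reconcile, subnet
// changes on the EKS cluster take effect without waiting for a cache to expire.
func ipOwnedByCluster(targetIP string, clusterCIDRs []string) (bool, error) {
	ip := net.ParseIP(targetIP)
	if ip == nil {
		return false, fmt.Errorf("invalid target IP: %q", targetIP)
	}
	for _, cidr := range clusterCIDRs {
		_, ipNet, err := net.ParseCIDR(cidr)
		if err != nil {
			return false, fmt.Errorf("invalid cluster CIDR %q: %w", cidr, err)
		}
		if ipNet.Contains(ip) {
			return true, nil
		}
	}
	return false, nil
}
```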
@oliviassss @kishorj Would you be able to take a look please?
@oliviassss @kishorj It would be highly appreciated if you could please review the work of @Alex-Waring. This has been pending for a month now...
@M00nF1sh can you take a look please?
@oliviassss @johngmyers @kishorj Please?
@Alex-Waring This PR is similar to a previous PR: #1865. Quoting similar comments from the PR:
Hi @M00nF1sh, thank you for the response. I think this leaves two options for this feature request.

The first (although I may have misunderstood you) is to merge something similar to this PR. It's feature-flagged on the controller binary, so it can remain a fairly secret feature, with all the caveats attached. Having said that, it does work for multiple clusters in the same VPC, just not the same subnet, which I think is a much less likely pattern.

The other, longer but better, approach is to properly track which targets the controller is looking after. As targets have no form of labelling on them, and nothing is on the roadmap, this would mean implementing some form of DB. I guess the two obvious options are ConfigMaps and DynamoDB. I am very, very hesitant to use ConfigMaps to store application data, given the security and latency issues this creates, so DynamoDB seems to make sense to me. Having said that, it's a bit of a larger rewrite that I would split into multiple PRs. Thoughts?
@Alex-Waring BTW, would you share more details on why you chose to sub-divide a targetGroup between multiple controllers instead of relying on the "weighted load balancing" feature of ALB?
@M00nF1sh Sure, the simple answer is NLBs. I noticed that your original answer included
In reference to weighted target groups, but sadly this hasn't happened yet and I can't see any plan for it happening in the future, so for any use case where NLBs are required (custom protocols, low latency, overlay protocols, mTLS when I wrote this PR but that's now supported by ALBs, EPS) weighted routing isn't possible.
@Alex-Waring
I have a need for this functionality as well (particularly with things like doing blue-green deploys of cluster upgrades). Were you working on one of the 2 solutions that you had proposed? I'm asking to understand if it's worth taking a stab at this or if I'm just late to the party.
Hi @hanseltime, it's really a question for @M00nF1sh and team. This PR provides a good starting point for option one; it provides a dirty fix hidden behind a feature flag. Option two requires work by the NLB team and I have no insight into that.
Just like @hanseltime, we hope to see something like this implemented for blue-green cluster upgrades, as we see a bunch of potential risks in upgrading in place. I hope implementing this behind a feature flag is something that can be reconsidered as a short-term solution, as I am afraid it will take a long time before the NLB team comes up with something to support said use case.
@Alex-Waring @M00nF1sh - I've tried to make sure I am understanding where this PR sits. From what I've read: @M00nF1sh - it looks like you want a deterministic way to understand exactly which target group corresponds to the load balancer controller. As it stands right now, the EKS cluster CIDRs approach creates several race conditions where the controller might think some target group is or is not its own if its CIDRs change. And it also doesn't handle the case where 2 clusters are running on the same subnets. @Alex-Waring - Please correct me if I misunderstood the functionality of this PR. Here is a solution that I would not mind working on if we agree it solves the assumed problems above:
This is definitely a high-level pitch, but if that solves the issues, I am more than willing to work on submitting it in the near future. @M00nF1sh
Hi @hanseltime, I don't think this quite follows. The aim is to bind a target group to multiple clusters so that traffic to one NLB can be sent to multiple clusters. This means that, to manage them in the way you suggest, we would need to be able to tag not the target groups but the targets themselves. That isn't supported at the moment, and it's the blocker, as I really don't like the idea of adding some sort of datastore to this.
@Alex-Waring - thank you for pointing that out. I was doing this on my lunch break and didn't double-check my notes. Apologies for not reading closely enough 🙃 I guess I was trying to find a solution to something that, on re-reading, you had thoroughly solved. @M00nF1sh - does this mean that, if I want to use this functionality, someone needs to publish a brand new controller image and just link people to that repo while keeping it up to date? From the standpoint of scope of concern, a load balancer controller that wipes out other target group targets when it doesn't own the target group feels like a bug worth fixing (even if behind a feature flag).
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
/remove-lifecycle stale
Issue
#2173
Description
This PR attempts to implement the feature requested in the issue linked.
Problem: When running TargetGroupBinding resources against target groups that are also managed elsewhere (either by another cluster or by manual attachment), the controller will remove any targets it did not add.
Reason: In defaultResourceManager.reconcileWithIPTargetType, the targets in a TG are listed, compared with the targets expected from within the cluster, and those that are not expected are removed. This is so that pods or instances that have been removed from the filter are deregistered as well.
Solution: I have created a new function called ListOwnedTargets, gated behind an option on the controller, that only returns targets that the cluster manages. This is done by looking up the instance tags (all EKS instances must be tagged, so we can use that), or by checking whether the IP is within the EKS subnets. To do this I have implemented a new EKS client and info resolver to return that information from the cluster.
I have also implemented a new instance cache, as instances are long-lived.
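A minimal sketch of what such a TTL-based instance cache could look like (the type, field names, and TTL handling are illustrative assumptions, not the PR's implementation); because instances are long-lived, tag lookups can be cached far more aggressively than target state:

```go
package targetgroupbinding

import (
	"sync"
	"time"
)

// instanceCacheEntry holds the tags previously looked up for one EC2 instance.
type instanceCacheEntry struct {
	tags      map[string]string
	expiresAt time.Time
}

// instanceCache is a hypothetical TTL cache for instance tag lookups. A generous
// TTL avoids repeated DescribeInstances calls for nodes that rarely change.
type instanceCache struct {
	mu      sync.Mutex
	ttl     time.Duration
	entries map[string]instanceCacheEntry
}

func newInstanceCache(ttl time.Duration) *instanceCache {
	return &instanceCache{ttl: ttl, entries: make(map[string]instanceCacheEntry)}
}

// Get returns cached tags for an instance ID, or false if absent or expired.
func (c *instanceCache) Get(instanceID string) (map[string]string, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	entry, ok := c.entries[instanceID]
	if !ok || time.Now().After(entry.expiresAt) {
		return nil, false
	}
	return entry.tags, true
}

// Set stores the tags for an instance ID with the configured TTL.
func (c *instanceCache) Set(instanceID string, tags map[string]string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.entries[instanceID] = instanceCacheEntry{tags: tags, expiresAt: time.Now().Add(c.ttl)}
}
```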
I have not added docs yet, as I would like input on whether this is a valid solution before I write them.
The suggested solution in the linked issue was to use a ConfigMap to store the targets. ConfigMaps are limited to 1 MiB and are not designed for large volumes of data, so that solution is not scalable and does not work for larger clients.
Checklist
Added/updated documentation as needed (the README.md, or the docs directory)
BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯