Hello Antonio/Tim,
Looks like we have an issue in how we compare K8s service's spec.Port.targetPort and
endpointslice.port.name, in this code below:
-------8<-----------8<---------
// Get the targeted port
tgtPort := int32(svcPort.TargetPort.IntValue())
// If this is a string, it will return 0
// it has to match the port name
// otherwise, it has to match the port number
if (tgtPort == 0 && svcPort.TargetPort.String() != *port.Name) ||
	(tgtPort > 0 && tgtPort != *port.Port) {
	continue
}
-------8<-----------8<---------
So, with the EndpointSlice Controller enabled, we were seeing an issue wherein a ClusterIP with endpoints still had a Reject ACL defined.
A K8s service of type ClusterIP is defined like below:
-------8<-----------8<---------
spec:
  clusterIP: 10.223.119.217
  ports:
  - name: tcp-redis
    port: 6379
    protocol: TCP
    targetPort: redis
  - name: tcp-sentinel
    port: 26379
    protocol: TCP
    targetPort: redis-sentinel <--- matching field
-------8<-----------8<---------
It basically says, any packet to 10.223.119.217 at port 26379 will be forwarded to targetPort named `redis-sentinel`. The integer targetPort is then derived by looking at the matching Pod's Ports definitions:
-------8<-----------8<---------
$ kubectl get pods -o yaml redis-node-0
<output snipped>
    name: sentinel
    ports:
    - containerPort: 26379
      name: redis-sentinel <--- matching field
      protocol: TCP
    readinessProbe:
  podIP: 10.192.8.62
so packets to
10.223.119.217:26379 ---- will be forwarded to --> 10.192.8.62
-------8<-----------8<---------
However, with endpoint slices we have an endpoint port defined to be:
-------8<-----------8<---------
$ kubectl get endpointslices -n nq-sjc6c-03-pm -o yaml
ports:
- name: tcp-redis
  port: 6379
  protocol: TCP
- name: tcp-sentinel
  port: 26379
  protocol: TCP
-------8<-----------8<---------
Then, we have this code in OVN K8s that is currently broken:
-------8<-----------8<---------
// Get the targeted port
tgtPort := int32(svcPort.TargetPort.IntValue())
// If this is a string, it will return 0
// it has to match the port name
// otherwise, it has to match the port number
if (tgtPort == 0 && svcPort.TargetPort.String() != *port.Name) ||
	(tgtPort > 0 && tgtPort != *port.Port) {
	continue
}
-------8<-----------8<---------
We are checking the service's TargetPort value of `redis-sentinel` against the EndpointSlice Port's name of `tcp-sentinel`; they will never match, and we end up adding a `Reject` ACL or setting `reject=true` on the LoadBalancer.
Regards,
~Girish
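Added example, not code from this mail or from OVN-Kubernetes: it reproduces the mismatch with the tcp-sentinel/redis-sentinel values above and shows a pairing that does match. An EndpointSlice port's name is the Service port's name and its number is the already-resolved target, so the lookup keys on svcPort.Name instead of targetPort; the IntOrString, ServicePort and EndpointPort types are simplified stand-ins for the Kubernetes ones, and fixedMatch is a proposed pairing, not a committed fix.

```go
package main

import "fmt"

// Stand-ins for intstr.IntOrString, v1.ServicePort and discovery.EndpointPort
// so this runs without the Kubernetes modules (assumed, simplified shapes).
type IntOrString struct {
	IntVal int32
	StrVal string // set when targetPort is a named port, e.g. "redis-sentinel"
}

func (s IntOrString) IntValue() int { return int(s.IntVal) } // 0 for a named port
func (s IntOrString) String() string {
	if s.StrVal != "" {
		return s.StrVal
	}
	return fmt.Sprint(s.IntVal)
}

type ServicePort struct {
	Name, Protocol string
	Port           int32
	TargetPort     IntOrString
}

// An EndpointSlice port carries the service port's name and the resolved number.
type EndpointPort struct {
	Name, Protocol *string
	Port           *int32
}

// buggyMatch is the comparison quoted in the mail: a named targetPort is tested against the slice port's name, which is the service port name, never the pod's.
func buggyMatch(svc ServicePort, ep EndpointPort) bool {
	tgtPort := int32(svc.TargetPort.IntValue())
	return !((tgtPort == 0 && svc.TargetPort.String() != *ep.Name) ||
		(tgtPort > 0 && tgtPort != *ep.Port))
}

// fixedMatch pairs the two by service port name and protocol; the backend port number is then taken from ep.Port instead of being derived from targetPort.
func fixedMatch(svc ServicePort, ep EndpointPort) bool {
	return ep.Name != nil && ep.Protocol != nil &&
		*ep.Name == svc.Name && *ep.Protocol == svc.Protocol
}

func main() {
	name, proto, port := "tcp-sentinel", "TCP", int32(26379) // constructed from the mail's example
	svc := ServicePort{Name: name, Protocol: proto, Port: 26379, TargetPort: IntOrString{StrVal: "redis-sentinel"}}
	ep := EndpointPort{Name: &name, Protocol: &proto, Port: &port}
	fmt.Println(buggyMatch(svc, ep), fixedMatch(svc, ep)) // false true
}
```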