EndpointSlices and RejectACLs


Girish Moodalbail

Apr 23, 2021, 1:40:08 AM
to ovn-kub...@googlegroups.com
Hello Antonio/Tim,

Looks like we have an issue in how we compare K8s service's spec.Port.targetPort and endpointslice.port.name, in this code below:

-------8<-----------8<---------
// Get the targeted port
tgtPort := int32(svcPort.TargetPort.IntValue())
// If this is a string, it will return 0
// it has to match the port name
// otherwise, it has to match the port number
if (tgtPort == 0 && svcPort.TargetPort.String() != *port.Name) ||
	(tgtPort > 0 && tgtPort != *port.Port) {
	continue
}
-------8<-----------8<---------

So, with the EndpointSlice controller enabled, we were seeing an issue wherein a ClusterIP service with endpoints still had a Reject ACL defined.

A K8s service of type ClusterIP is defined like below:
-------8<-----------8<---------
spec:
  clusterIP: 10.223.119.217
  ports:
  - name: tcp-redis
    port: 6379
    protocol: TCP
    targetPort: redis
  - name: tcp-sentinel
    port: 26379
    protocol: TCP
    targetPort: redis-sentinel <--- matching field
-------8<-----------8<---------

It basically says, any packet to 10.223.119.217 at port 26379 will be forwarded to targetPort named `redis-sentinel`. The integer targetPort is then derived by looking at the matching Pod's Ports definitions:

-------8<-----------8<---------
$ kubectl get pods -o yaml redis-node-0
<output snipped>
  - name: sentinel
    ports:
    - containerPort: 26379
      name: redis-sentinel <--- matching field
      protocol: TCP
    readinessProbe:
  podIP: 10.192.8.62
so packets to 10.223.119.217:26379 ---- will be forwarded to --> 10.192.8.62
-------8<-----------8<---------

However, with endpoint slices we have an endpoint port defined to be:

-------8<-----------8<---------
$ kubectl get endpointslices -n nq-sjc6c-03-pm -o yaml
ports:
- name: tcp-redis
  port: 6379
  protocol: TCP
- name: tcp-sentinel
  port: 26379
  protocol: TCP
-------8<-----------8<---------

Then, we have this code in OVN K8s that is currently broken:

-------8<-----------8<---------
// Get the targeted port
tgtPort := int32(svcPort.TargetPort.IntValue())
// If this is a string, it will return 0
// it has to match the port name
// otherwise, it has to match the port number
if (tgtPort == 0 && svcPort.TargetPort.String() != *port.Name) ||
	(tgtPort > 0 && tgtPort != *port.Port) {
	continue
}
-------8<-----------8<---------

We are checking the service's TargetPort value of `redis-sentinel` against the EndpointSlice Port's name of `tcp-sentinel`; they will never match, and we end up adding a `Reject` ACL or setting `reject=true` on the LoadBalancer.

Regards,
~Girish

Antonio Ojea

Apr 23, 2021, 4:03:52 AM
to Girish Moodalbail, ovn-kub...@googlegroups.com
It is my fault; I misinterpreted the API. targetPort is a selector for the endpoints/endpointslices controller to create the endpoints based on that container port name; it is not meant to be used in the Service implementation.
The relation is ServicePort.Name - EndpointPort.Name; however, ServicePort.Name is only required for multiple ports, and this was confusing me.
If the endpoint matches the service and there is no name, that means that it is a single-port service and there is only one endpoint.
Sorry, and thanks for the detailed explanation. I've submitted the fix.
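The mismatch described in the thread, as an added Go example that is not code from ovn-kubernetes: hypothetical stand-ins for the Kubernetes types (only the fields the comparison reads), the comparison quoted above, and a matcher that pairs ServicePort.Name with EndpointPort.Name as Antonio describes, treating an unnamed port as the single-port case. The input is constructed to mirror the tcp-sentinel port from the service above.

```go
package main

import "fmt"

// Hypothetical stand-ins for the k8s API types, keeping only the fields read here.
type (
	IntOrString  struct{ IntVal int32; StrVal string } // StrVal is set for a port name
	ServicePort  struct{ Name string; TargetPort IntOrString }
	EndpointPort struct{ Name *string; Port *int32 }
)

func (s IntOrString) IntValue() int  { return int(s.IntVal) } // 0 when targetPort is a name
func (s IntOrString) String() string { return s.StrVal }      // enough for the name case

// matchByTargetPort is the comparison from the thread: it tests the service's targetPort
// (a container port name) against the EndpointPort name, so a named targetPort never matches.
func matchByTargetPort(svcPort ServicePort, ports []EndpointPort) (int32, bool) {
	tgtPort := int32(svcPort.TargetPort.IntValue())
	for _, port := range ports {
		if (tgtPort == 0 && svcPort.TargetPort.String() != *port.Name) ||
			(tgtPort > 0 && tgtPort != *port.Port) {
			continue
		}
		return *port.Port, true
	}
	return 0, false
}

// matchByName pairs ServicePort.Name with EndpointPort.Name; an unnamed port means a single-port service.
func matchByName(svcPort ServicePort, ports []EndpointPort) (int32, bool) {
	for _, port := range ports {
		name := ""
		if port.Name != nil {
			name = *port.Name
		}
		if svcPort.Name == name {
			return *port.Port, true
		}
	}
	return 0, false
}

func main() { // constructed input mirroring the thread's tcp-sentinel port
	name, port := "tcp-sentinel", int32(26379)
	svc := ServicePort{Name: "tcp-sentinel", TargetPort: IntOrString{StrVal: "redis-sentinel"}}
	eps := []EndpointPort{{Name: &name, Port: &port}}
	_, okOld := matchByTargetPort(svc, eps)
	p, okNew := matchByName(svc, eps)
	fmt.Println(okOld, okNew, p) // false true 26379
}
```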

Girish Moodalbail

Apr 23, 2021, 9:45:50 AM
to Antonio Ojea, ovn-kub...@googlegroups.com

No worries Antonio. Really appreciate your quick turnaround on this issue.

Thank you.

Regards,
~Girish