Fix auto-evaluated API access endpoint for bind IP #2086
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
ci check this |
k8s-ci-robot
added
the
size/S
k8s-ci-robot
added
size/M
docs/ha-mode.md
Outdated
| | No ext/int LB | http://lc:p | https://m[0].aip:sp | | ||
| | External LB, and internal LB | https://lb:lp | https://lc:nsp | | ||
| | No ext/int LB, bind 0.0.0.0 | http://lc:sp | https://m[0].aip:sp | | ||
| | No ext/int LB, a custom bind | http://bip:sp | https://m[0].aip:sp | |
There was a problem hiding this comment.
If you are wondering how these apply to the automagic evaluation, here it is:
(given the 1st number represents rows, and the 2nd number stands for columns of that table):
kube_apiserver_endpoint: |-
12/32{% if not is_kube_master and loadbalancer_apiserver_localhost -%}
https://localhost: nginx_kube_apiserver_port|default(kube_apiserver_port)
51{%- elif is_kube_master and not loadbalancer_apiserver_localhost and not loadbalancer_apiserver is defined and kube_apiserver_bind_address != '0.0.0.0' -%}
https:// kube_apiserver_bind_address : kube_apiserver_port
11/41{%- elif is_kube_master and not loadbalancer_apiserver is defined -%}
https://127.0.0.1: kube_apiserver_port
{%- else -%}
21/22/31{%- if loadbalancer_apiserver is defined and loadbalancer_apiserver.port is defined -%}
https:// apiserver_loadbalancer_domain_name|default('lb-apiserver.kubernetes.local') : loadbalancer_apiserver.port|default(kube_apiserver_port)
42/52{%- else -%}
https:// first_kube_master : kube_apiserver_port
{%- endif -%}
{%- endif %}
yeah, it's hard to follow those 10 if..else cases, IKR
|
Retriggered the CI pipeline |
bogdando
changed the title
|
I'm not sure the masters should be using the external LB access point when deployed with localhost LB as well, let's consider alternatives |
|
My first thought is let masters contact their local apiserver. It's highly unlikely to go down and it reduces latency that might be introduced in going host->lb->host |
|
Yes we just discussed on IRC, maybe we could explore a setup where masters talk to themselves directly, and we only use the external LB for access from hosts which aren't part of the Kubernetes cluster. This way even if the external LB goes down, we would still be able to talk to k8s API within the cluster at least. |
|
We should make the logic so that it uses the LB if the LB defined and loadbalancer_apiserver_localhost is false. If loadbalancer_apiserver_localhost is true, nodes don't touch it at all. The only gray area is should masters use the LB ever or not. |
bogdando
changed the title
|
I'll split this into a two parts |
Auto configure API access endpoint with a custom bind IP, if provided. Fix HA docs' http URLs are https in fact, clarify the insecure vs secure API access modes as well. Closes: #issues/2051 Signed-off-by: Bogdan Dobrelya <[email protected]>
k8s-ci-robot
added
size/S
bogdando
changed the title
API access modes as well.
Closes #2051
Signed-off-by: Bogdan Dobrelya [email protected]