Document the workaround for kube-proxy's mishandled "hostname-override" flag #9878
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: If they are not already assigned, you can assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Deploy preview for kubernetes-io-master-staging ready! Built with commit ea74837 https://deploy-preview-9878--kubernetes-io-master-staging.netlify.com |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
This looks good. Thanks for adding the explanatory notes @seh. I do find the JSON patch to be easier to understand, but I think that's no big deal 😄. |
| @@ -201,41 +200,66 @@ Error from server: Get https://10.19.0.41:10250/containerLogs/default/mysql-ddc6 | |||
|
|
|||
| ## Services with externalTrafficPolicy=Local are not reachable | |||
|
|
|||
| On nodes where the hostname for the kubelet is overridden using the `--hostname-override` option, kube-proxy will default to treating 127.0.0.1 as the node IP, which results in rejecting connections for Services configured for `externalTrafficPolicy=Local`. This situation can be verified by checking the output of `kubectl -n kube-system logs <kube-proxy pod name>`: | |||
| On machines where the node name for the kubelet is overridden using the `--hostname-override` option, such that the node name no longer matches the machine's hostname, kube-proxy will default to treating 127.0.0.1 as the node's IP address, which results in rejecting connections for Services configured for `externalTrafficPolicy=Local`. This situation can be verified by checking the output of `kubectl -n kube-system logs <kube-proxy pod name>`: | |||
There was a problem hiding this comment.
There's an extra space between "in" and "rejecting." I can push an update to fix that.
At present kube-proxy does not honor its --hostname-override flag when used in concert with its --config flag; though it reads the former flag value, it overrides its with values read from the specified configuration file. In this case that file's "hostnameOverride" field's value takes precedence, even when absent, yielding an empty value. Replace the previous documented workaround with one that customizes a copy of the configuration file acquired from the ConfigMap.
Capitalize each item as a sentence, and restore intended hanging indentation of the cgroup driver-related item.
seh
force-pushed
the
doc-workaround-for-kube-proxy-hostname
branch
from
e601116 to
ea74837
Compare
k8s-ci-robot
removed
the
lgtm
|
/lgtm |
k8s-ci-robot
added
the
lgtm
There was a problem hiding this comment.
@seh Great start! ✨ Some feedback for docs quality, otherwise LGTM.
| 1. Install docker again following instructions | ||
|
|
||
| 1. Install Docker again following instructions |
There was a problem hiding this comment.
Change this paragraph to:
1. Re-install [Docker](/docs/setup/independent/install-kubeadm/#installing-docker).
So:
- Re-install Docker.
There was a problem hiding this comment.
That's a fine suggestion, here and in what follows, but note that I was just trying to adjust the formatting and capitalization here. This is the unfortunate phenomenon of drawing focus only to what one touches, at the expense of all the other parts that were ignored.
Still, I appreciate that you did think through your suggestions, so I'll take them into account when I can make another editing pass here.
| [Configure cgroup driver used by kubelet on Master Node](/docs/setup/independent/install-kubeadm/#configure-cgroup-driver-used-by-kubelet-on-master-node) | ||
| for detailed instructions. | ||
| 1. Change the kubelet config to match the Docker cgroup driver manually. | ||
| You can refer to [Configure cgroup driver used by kubelet on Master Node](/docs/setup/independent/install-kubeadm/#configure-cgroup-driver-used-by-kubelet-on-master-node) for detailed instructions. |
There was a problem hiding this comment.
Change to:
See "[Configure cgroup driver used by kubelet on Master Node](/docs/setup/independent/install-kubeadm/#configure-cgroup-driver-used-by-kubelet-on-master-node)" for detailed instructions.
So:
See "Configure cgroup driver used by kubelet on Master Node" for detailed instructions.
|
|
||
| - control plane Docker containers are crashlooping or hanging. You can check this by running `docker ps` and investigating each container by running `docker logs`. | ||
| - Control plane Docker containers are crashlooping or hanging. |
There was a problem hiding this comment.
Change to:
- Control plane Docker containers crash or hang.
| @@ -201,41 +200,65 @@ Error from server: Get https://10.19.0.41:10250/containerLogs/default/mysql-ddc6 | |||
|
|
|||
| ## Services with externalTrafficPolicy=Local are not reachable | |||
|
|
|||
| On nodes where the hostname for the kubelet is overridden using the `--hostname-override` option, kube-proxy will default to treating 127.0.0.1 as the node IP, which results in rejecting connections for Services configured for `externalTrafficPolicy=Local`. This situation can be verified by checking the output of `kubectl -n kube-system logs <kube-proxy pod name>`: | |||
| On machines where the node name for the kubelet is overridden using the `--hostname-override` option, such that the node name no longer matches the machine's hostname, kube-proxy will default to treating 127.0.0.1 as the node's IP address, which results in rejecting connections for Services configured for `externalTrafficPolicy=Local`. This situation can be verified by checking the output of `kubectl -n kube-system logs <kube-proxy pod name>`: | |||
There was a problem hiding this comment.
Replace with:
On machines where the `--hostname-override` option overrides the node name so that the kubelet no longer matches the machine's hostname, kube-proxy defaults to treating 127.0.0.1 as the node's IP address, which results in rejecting connections for Services configured for `externalTrafficPolicy=Local`. You can verify this situation by checking the output of `kubectl -n kube-system logs <kube-proxy pod name>`:
So:
On machines where the
--hostname-overrideoption overrides the node name so that the kubelet no longer matches the machine's hostname, kube-proxy defaults to treating 127.0.0.1 as the node's IP address, which results in rejecting connections for Services configured forexternalTrafficPolicy=Local. You can verify this situation by checking the output ofkubectl -n kube-system logs <kube-proxy pod name>:
|
|
||
| ```sh | ||
| W0507 22:33:10.372369 1 server.go:586] Failed to retrieve node info: nodes "ip-10-0-23-78" not found | ||
| W0507 22:33:10.372474 1 proxier.go:463] invalid nodeIP, initializing kube-proxy with 127.0.0.1 as nodeIP | ||
| ``` | ||
|
|
||
| A workaround for this is to modify the kube-proxy DaemonSet in the following way: | ||
| Just as the kubelet accepts a `--hostname-override` flag to use a different name for the node, so too does kube-proxy. Unfortunately, though, due to an unresolved defect, kube-proxy does not honor that flag's value when used in combination with the `--config` flag specifying a configuration file. Hence we can't use kube-proxy's `--hostname-override` flag to tell it the proper name of our node. |
There was a problem hiding this comment.
Replace with:
{{< caution >}}
**Caution:** Do not use kube-proxy's `--hostname-override` flag to indicate the name of a node.
While kube-proxy also accepts a `--hostname-override` flag, an unresolved defect causes kube-proxy not to honor that flag's value when used in combination with the `--config` flag specifying a configuration file.
{{< /caution >}}
So:
Caution: Do not use kube-proxy's
--hostname-overrideflag to indicate the name of a node.While kube-proxy also accepts a
--hostname-overrideflag, an unresolved defect causes kube-proxy not to honor that flag's value when used in combination with the--configflag specifying a configuration file.
|
@seh I got a PR merged which fixes this problem in |
Almost a month later, @stevesloka, I finally had the opportunity to put your patch to use this morning, and it worked! Thank you for the fix. I still had to patch the DaemonSet for kube-proxy that kubeadm creates, but at least it's less messy alteration. @anguslees is on to something with his suggestion here. |
|
We'd love to accept this, but it has some pending feedback and needs to be rebased to resolve conflicts. Thanks! /hold |
k8s-ci-robot
added
the
do-not-merge/hold
|
@MistyHacks, as of version 1.13.0, this workaround is no longer necessary. It was pertinent for a few months before then, but not now. I suggest we abandon the change. |
Following up from @dlipovetsky's earlier #9663, with all credit due to him for the core idea, offer a shell script workaround for kube-proxy when run on machines whose hostname must differ from the node name, such as when running in AWS with the corresponding cloud provider enabled. kubernetes/kubeadm#857 captures the problem in more detail.
See here for preceding discussion of this approach, refined here slightly.