The wanted feature here seems to be to accept connections on lo only. A good way is to bind the listen socket to the device using the SO_BINDTODEVICE sockopt. Now, I don't propose this as a solution in this case, but the function may come in handy in some other cases, so I figured out how it's done in Go.
tcp-server.go
```go
// TCP server that binds its listening socket to the "lo" device.
package main

import (
	"context"
	"log"
	"net"
	"os"
	"syscall"
)

func main() {
	if len(os.Args) < 2 {
		log.Fatal("No address")
	}
	// Control runs on the raw fd after socket(2) but before bind(2)/listen(2),
	// which is the only point at which SO_BINDTODEVICE can be applied.
	lconfig := net.ListenConfig{
		Control: listenControl,
	}
	listener, err := lconfig.Listen(context.TODO(), "tcp", os.Args[1])
	if err != nil {
		log.Fatal(err)
	}
	defer listener.Close()
	conn, err := listener.Accept()
	if err != nil {
		log.Fatal(err)
	}
	defer conn.Close()
	if _, err := conn.Write([]byte("Bye...\n")); err != nil {
		log.Print(err)
	}
}

// listenControl binds the socket to "lo" with SO_BINDTODEVICE (Linux only;
// kernels before 5.7 also require CAP_NET_RAW) and returns the error to the
// caller instead of exiting from inside the Control callback.
func listenControl(network, address string, c syscall.RawConn) error {
	var bindErr error
	if err := c.Control(func(fd uintptr) {
		bindErr = syscall.BindToDevice(int(fd), "lo")
	}); err != nil {
		return err
	}
	return bindErr
}
```
```sh
./tcp-server :7000
nc -v 127.4.5.6 7000    # works
nc -v ::1 7000          # works
nc -v 172.17.0.1 7000   # Connection refused
```
As you can see, any address on lo works, but not a local address on another interface (172.17.0.1 is on docker0).
from kubernetes.
Um, come to think of it, a device may be better than two addresses here. Unless the addresses are "any" or loopback, they must be different on all nodes. While this can be done, a common configmap makes it hard. An option might be something like:
healthzBindAddress: "[::]:10256"
healthzBindInterface: "lo"
kubernetes/enhancements#4337 (comment)
from kubernetes.
/sig network
from kubernetes.
I think that's doubtful, 0.0.0.0 and :: also bind to both families in kube-apiserver
How does kube-apiserver work for healthz-bind-address? I think if it defaults to "0.0.0.0:10256", we can access the service with an IPv4 or IPv6 address.
when a server is told to listen on 0.0.0.0 that means "listen on every available network interface".
from kubernetes.
Just FYI, I tested to "scope" IPv6 localhost with [::%lo]:10256. It is accepted by Go (but not by kube-proxy), but alas, the scope is simply ignored for non-link-local addresses.
from kubernetes.
@sanmai-NL we are planning to add v1alpha2 kube-proxy configuration which will accept a dual-stack CIDR pair of healthz and metrics addresses.
(we are moving towards CIDR to allow users to provide the network instead of just address, healthz and metrics server will be exposed on nodesIPs which belong to that CIDR range)
(ref: https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/784-kube-proxy-component-config#following-fields-will-be-changed)
from kubernetes.
Thanks for the pointer. Actually I think an interface may be better than a CIDR. Interfaces are more stable. It may be easier to guess the interface than the CIDR some infra-structure provider will use for nodes.
from kubernetes.
> Thanks for the pointer. Actually I think an interface may be better than a CIDR. Interfaces are more stable. It may be easier to guess the interface than the CIDR some infra-structure provider will use for nodes.
But people can assign non-loopback addresses to a loopback interface and this would break.
from kubernetes.
A network interface can be named variously depending on node OS config or hot-swapping NICs. They are less stable than, e.g., a pair of loopback CIDR blocks ::1/128,127.0.0.1/8.
from kubernetes.
And CIDRs can change because of DHCP lease, or a new /64 segment for SLAAC. But, I agree with Dan that CIDRs are a more "more-kube-proxy-like approach".
from kubernetes.
> And CIDRs can change because of DHCP lease
IPs will change because of the DHCP lease not CIDR, right?
CIDR will be configured with the DHCP server itself, no?
from kubernetes.
@uablrek For the use case I mentioned, CIDR subnets are stable. I think working with devices and supporting zone indexes in IPv6 addresses is interesting and potentially useful, but the requested functionality shouldn't be designed around that.
from kubernetes.
@shaneutt: The label(s) triage/accept cannot be applied, because the repository doesn't have them.
In response to this:
> /assign @shaneutt
> In the meeting today we discussed this and it sounds like we're in favor of moving forward:
> /triage accept
> @aroradaman it appears that you already have active progress on this one, is that correct? May we assign you?
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
from kubernetes.
/assign @danwinship
from kubernetes.
/triage accepted
from kubernetes.
I feel like we have danced around this area a bunch of times. Can we clarify what the real requirement is and implement it one time that we can use everywhere?
E.g. write a k/utils library that offers "multi-listen" and takes a list of IPs and/or CIDRs, finds all matching local IPs, opens sockets on all of them and presents a facade of a single socket.
from kubernetes.
> The documentation suggests that the bind address is singular and that it's either of the IPv4 or IPv6 family. I think that's doubtful, 0.0.0.0 and :: also bind to both families in kube-apiserver.
The documentation is correct, just misleading. If you leave the value unset, then kube-proxy behaves as though you had said either --healthz-bind-address 0.0.0.0:10256 or --healthz-bind-address [::]:10256, depending on whether the cluster is ipv4-primary or ipv6-primary. On Linux, this is sort of pointless because they both have the same effect, but on Windows it actually only binds to one family.
from kubernetes.
I'm not sure anyone really cares a lot about listening on both 127.0.0.1 and ::. You can always listen on just 127.0.0.1, even in a single-stack IPv6 cluster, because you don't need any external IPv4 routing to use 127.0.0.1.
In discussion on the v1alpha2 stuff, we decided the use case for overriding this is "I only want to serve health/metrics on the IP that faces the load balancer / prometheus / whatever". To match the way --nodeport-addresses works, we decided to let the user specify a CIDR, and have kube-proxy pick a local IP from within that CIDR. That way you can specify a single config for all your nodes.
from kubernetes.
> we decided to let the user specify a CIDR, and have kube-proxy pick a local IP from within that CIDR
That pattern makes sense to me, but is a single family sufficient? IOW, does --healthz-bind-address=10.9.8.0/24,2601:8675::3099/64 need to work?
from kubernetes.
> That pattern makes sense to me, but is a single family sufficient? IOW, does --healthz-bind-address=10.9.8.0/24,2601:8675::3099/64 need to work?
All of the following are valid combinations
--health-bind-address=10.9.8.0/24,2601:8675::3099/64
--health-bind-address=10.9.8.0/24
--health-bind-address=2601:8675::3099/64
but IIRC the plan is to allow users to configure it via v1alpha2 config, not via command line flags.
from kubernetes.
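Two of the proposals above share the same core: the multi-listen helper that takes a list of IPs and/or CIDRs and opens a socket on every matching local IP, and the healthz bind address given as CIDRs from which kube-proxy picks node IPs. Both reduce to matching the host's interface addresses against a set of prefixes and then listening on each match. The following is an added example written for this page, not code from kube-proxy or k/utils: it uses only the Go standard library, the names parseSelectors, selectLocalIPs, localAddrs and serveAll are invented here, and it serves one shared handler per socket rather than building the single-socket facade. The selector string and port 10256 in main are placeholder configuration.

```go
// Added example (not Kubernetes code): select local IPs by IP/CIDR list, serve all.
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"net/netip"
	"strings"
)

// parseSelectors turns "127.0.0.0/8,::1,10.9.8.0/24" into prefixes; a bare IP
// becomes a /32 or /128 so the old single-address form keeps working.
func parseSelectors(spec string) ([]netip.Prefix, error) {
	var out []netip.Prefix
	for _, s := range strings.Split(spec, ",") {
		s = strings.TrimSpace(s)
		if p, err := netip.ParsePrefix(s); err == nil {
			out = append(out, p.Masked())
		} else if a, err := netip.ParseAddr(s); err == nil {
			out = append(out, netip.PrefixFrom(a, a.BitLen()))
		} else {
			return nil, fmt.Errorf("%q is neither an IP nor a CIDR", s)
		}
	}
	return out, nil
}

// selectLocalIPs keeps, in order and without duplicates, the node addresses
// that fall inside any selector. Pure, so it is testable without sockets.
func selectLocalIPs(local []netip.Addr, selectors []netip.Prefix) []netip.Addr {
	seen := map[netip.Addr]bool{}
	var out []netip.Addr
	for _, a := range local {
		a = a.Unmap() // ::ffff:1.2.3.4 -> 1.2.3.4; IPv4 prefixes never match the mapped form
		for _, p := range selectors {
			if p.Contains(a) && !seen[a] {
				seen[a] = true
				out = append(out, a)
				break
			}
		}
	}
	return out
}

// localAddrs lists the addresses of every interface on this host.
func localAddrs() ([]netip.Addr, error) {
	addrs, err := net.InterfaceAddrs()
	var out []netip.Addr
	for _, a := range addrs {
		if ipn, ok := a.(*net.IPNet); ok {
			ap, _ := netip.AddrFromSlice(ipn.IP)
			out = append(out, ap)
		}
	}
	return out, err
}

// serveAll opens one socket per IP and runs the same handler on each; this is
// the plain alternative to a single-socket facade. The first bind error aborts.
func serveAll(ips []netip.Addr, port uint16, h http.Handler) ([]net.Listener, error) {
	var ls []net.Listener
	for _, ip := range ips {
		l, err := net.Listen("tcp", netip.AddrPortFrom(ip, port).String())
		if err != nil {
			for _, o := range ls {
				o.Close()
			}
			return nil, err
		}
		ls = append(ls, l)
		go func() { log.Println(http.Serve(l, h)) }()
	}
	return ls, nil
}

func main() {
	// Placeholder config: on a real node this would be the healthz bind CIDR list.
	sel, err := parseSelectors("127.0.0.0/8,::1/128")
	if err != nil {
		log.Fatal(err)
	}
	local, err := localAddrs()
	if err != nil {
		log.Fatal(err)
	}
	ips := selectLocalIPs(local, sel)
	if len(ips) == 0 {
		log.Fatal("no local IP matches the configured selectors")
	}
	h := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "ok") })
	if _, err := serveAll(ips, 10256, h); err != nil {
		log.Fatal(err)
	}
	log.Printf("serving /healthz on %v", ips)
	select {} // the per-socket goroutines do the work
}
```

A few points worth noting: 0.0.0.0/0 selects every IPv4 address on the node, while netip.Prefix.Contains never matches across families, so ::/0 does not pull in IPv4 addresses and a dual-stack node needs one selector per family, as in the flag examples above. Interface addresses are unmapped before matching because Contains rejects IPv4-mapped IPv6 addresses against IPv4 prefixes. Refusing to start when nothing matches is deliberate: silently serving on no socket would make a misconfigured CIDR look like a healthy node.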
Do we have a socketmux Go package already, or is that something we'll invent?
from kubernetes.
> Do we have a socketmux Go package already, or is that something we'll invent?
We can do that, we will need to listen on multiple IPs (technically 0.0.0.0/0 is a valid CIDR). That might be handy.
Also would love to have your feedback on #121830 (comment)
from kubernetes.