Create service with multiple externalIPs, verify that ip is pingable from another node and service is reachable again from another node.

Currently the Netmask for an IP is set in the claimscheduler deployment.
Would it make sense to set it in the externalIp definition when assigning it to something in case there are different possible ip ranges?

If scheduler process will be down while all relevant services will be removed - we will miss deletion events and thus some ipclaims won't be cleared.

• Measure latency for ip failover
• Measure latency for scheduler failover

And propose reasonable numbers. Like 1s for ip and 4s for scheduler.

Currently we are covering partition scenario, e.g node is not responding.

To add:

• remove daemon set by removing certain node from ds selector, controller destroyed (delete existing daemon set), verify that ips were reallocated, bring back daemon set and verify that ips were purged

• ips evenly distributed between nodes, when node is went missing only relevant ips were rescheduled (watch events)

• both nodes are dead - no ips should be purged

Provide options to set custom intervals for controllers heartbeats and scheduler monitor

Host interface, network mask, node filter selection and some other parameters are better to be configurable using ConfigMap.

After repeating these action below, I faced a problem.

• annotate external-ip:auto to service
• delete service
• create service and annotate again

External IP is allocated but loopback address doesn't configured and
other ipclaims aren't rescheduled.
Controller log saids,

controller.go:174] Error fetching node node-002 : json: cannot unmarshal number 1e+06 into Go value of type int64

Is there any way to solve this problem?

Readme is inconsistent now. It is an unstructured set of information about application. Need to define what should be there, make it structured and move some topics into documentation.

In current implementation we support only single replica managed by kubernetes deployment object.
Obviously it won't allow us to utilize multiple nodes with external connectivity.

To make it work we will change method of deployment to daemon sets, and also introduce multiple changes to support load balancing and tolerate network connectivity failures.

Issue will be updated with design proposal

We need to be able to run multiple copies of scheduler and prevent different races

Also consider to rebuild dind cluster on each ./prepare.sh call (dind-down-cluster.sh + dind-up-cluster.sh)

Now IP claims are updated (via k8s API) in several different places and conflicts between updates are possible then. Let's add a queue that will hold update requests (add, update, delete) and process requests consequently.

https://docs.travis-ci.com/user/caching/

• Kubernetes + dind sources
• Docker images for dind cluster

Add a flag for kubeconfig and create client conditionally - https://github.com/kubernetes/client-go/blob/master/examples/out-of-cluster/main.go

In case if our controller will be down we may miss certain ips and never assign them, to prevent such problem - check cache and populate queue with all missed ips.

If user removed manually address from a link - we won't restore it until we we will receive event for service/ipclaim. To workaround such issue we need to pass resync interval for claim/service-based ipcontroller.

If controller went away - ips might be acquired by another controller. We need to enforce recheck in such case, and if they don't fit - purge them from a managed link.

Need to either note this in docs or include "go" into dependencies for non-containerized build.

I am following these directions to setup auto allocation. I am unable to create the claim pool:

$ kubectl create -f ext_ip_pool.yml 
error: unable to recognize "ext_ip_pool.yml": no matches for ipcontroller.ext/, Kind=IpClaimPool

`$ cat ext_ip_pool.yml
apiVersion: ipcontroller.ext/v1
kind: IpClaimPool
metadata:
    name: test-pool
spec:
    cidr: 10.30.118.128/28
    ranges:
        - - 10.30.118.128
          - 10.30.118.129
        - - 10.30.118.130
          - 10.30.118.131

I do not see the ipcontroller.ext extension enabled on my kube-apiserver. I try to enable the extension using the kube-apiserver --runtime-config=extensions/v1beta1/ipcontroller.ext=true flag.

However, I still do not see the ipcontroller.ext extension enabled:

$ curl 127.0.0.1:8080/apis/extensions/v1beta1
{
  "kind": "APIResourceList",
  "groupVersion": "extensions/v1beta1",
  "resources": [
    {
      "name": "daemonsets",
      "namespaced": true,
      "kind": "DaemonSet"
    },
    {
      "name": "daemonsets/status",
      "namespaced": true,
      "kind": "DaemonSet"
    },
    {
      "name": "deployments",
      "namespaced": true,
      "kind": "Deployment"
    },
    {
      "name": "deployments/rollback",
      "namespaced": true,
      "kind": "DeploymentRollback"
    },
    {
      "name": "deployments/scale",
      "namespaced": true,
      "kind": "Scale"
    },
    {
      "name": "deployments/status",
      "namespaced": true,
      "kind": "Deployment"
    },
    {
      "name": "horizontalpodautoscalers",
      "namespaced": true,
      "kind": "HorizontalPodAutoscaler"
    },
    {
      "name": "horizontalpodautoscalers/status",
      "namespaced": true,
      "kind": "HorizontalPodAutoscaler"
    },
    {
      "name": "ingresses",
      "namespaced": true,
      "kind": "Ingress"
    },
    {
      "name": "ingresses/status",
      "namespaced": true,
      "kind": "Ingress"
    },
    {
      "name": "jobs",
      "namespaced": true,
      "kind": "Job"
    },
    {
      "name": "jobs/status",
      "namespaced": true,
      "kind": "Job"
    },
    {
      "name": "networkpolicies",
      "namespaced": true,
      "kind": "NetworkPolicy"
    },
    {
      "name": "replicasets",
      "namespaced": true,
      "kind": "ReplicaSet"
    },
    {
      "name": "replicasets/scale",
      "namespaced": true,
      "kind": "Scale"
    },
    {
      "name": "replicasets/status",
      "namespaced": true,
      "kind": "ReplicaSet"
    },
    {
      "name": "replicationcontrollers",
      "namespaced": true,
      "kind": "ReplicationControllerDummy"
    },
    {
      "name": "replicationcontrollers/scale",
      "namespaced": true,
      "kind": "Scale"
    },
    {
      "name": "thirdpartyresources",
      "namespaced": false,
      "kind": "ThirdPartyResource"
    }
  ]
}

How do you enable the ipcontroller.ext kube-apiserver extension?

I am following these directions to setup an externalIP controller. The logs of the extip-controller pod shows the following error:

E0319 01:36:03.558680       7 reflector.go:214] github.com/Mirantis/k8s-externalipcontroller/vendor/k8s.io/client-go/1.5/tools/cache/reflector.go:109: Failed to list *v1.Service: Get https://10.3.0.1:443/api/v1/services: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kube-ca")

My kube-apiserver has client cert auth enabled using the client-ca-file config flag. It appears that the extip-controller needs to support k8s-client certificate auth.

We need reliable cleaner for e2e tests. One idea is to use provider based model and use docker exec to purge all leftovers after tests.

Proposed version will have certain benefits in comparison to etcd based one.

• It will be easier to understand. All interactions will be possible to describe using simple flow.
• No 3rd party storage system
• Less messages (for instance in etcd i am using 1 message per ttl for each ip address, in current version it will be possible to use only 1 message per node)
• Easier testing because all data will be accessible from kubernetes in known form
• More extandable (will add more here)
• Integrates nicely with IP auto-allocation (will describe it elsewhere)

Proposed solution includes 2 3rd party resources:

• IPNode (node where we are running controller)
• IPClaim (claim will be source of truth for controller to assign IP)

Processes

Scheduler

• watches service updates/deletion
• creates ipclaims based on service events
• schedules claims onto nodes based on policies (fair round robin as a simplest one)
• watches IPNode events and enforces liveness property onto them, which means...
• reschedule ipclaim if nodes won't update itself in certain period of time
• watches claims and if it doesn't have owner processes it regularly

Controller

• updates IPNode objects (use hostname as unique key)
• watches IPClaim events (add/removes cidr to processing queue based on it)
• during startup checks if ip is owned by someone else and adds it for removal in case it is

Auto-allocator

• adds another configuration object into the picture (IPClaimRange)
• listens to service events
• listens to ipclaimrange events
• if service require ip from range (annotations) - create IPClaim and add ip to a service
• if IPClaimRange removed - purge all claims and externalips from services

WHOLE PICTURE

auto-allocator ---> externalip + ipclaim ---> scheduler (allocates claim) ---> controlller (assigns ip)

If ip is not being used by any service - remove it from a link

Ubuntu size is ~200MB, ipcontroller binary is about ~27MB. For some reasons resulting image is 917 MB, which is strange. Need to debug it and reduce image size to normal one.

After a while, one of the 2 claimscheduler replicas goes into crashloopbackoff and logs :

W0515 12:30:48.936031       1 client_config.go:438] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
F0515 12:30:59.023533       1 scheduler.go:70] URLs for tprs are not registered: json: cannot unmarshal number 1e+06 into Go value of type int64

Version: mirantis/k8s-externalipcontroller:latest on kubernetes 1.5.5 (Coreos/Tectonic).

Work around: Deleting the faulty POD gets a new one rescheduled.

Use queue for processing updates, in a way it is done for all kube controllers loops, it will help to avoid stale data

We need to verify that any TPR can be used after it was registered. From my observation it is async operation and can take some time.

TODO:

Add a client that will try to list resources of created type right after we will create all TPRs

We don't need "ip a" for external IPs when using calico network plugin, we just need to announce route. So we can reuse our update controller class to provide calico support.

Current claim version of ipcontroller will try to split ips evenly between all available instances of ipcontroller. It might be useful to disable such load balancing and assign ips always to the same node, that is currently alive.

All other logic (e.g. resheduling and removal of stale ips) shouldnt be affected.

We need to add a flag which will disable

1. Create controller with rc=1
2. Assign some ips and validate them
3. Destroy node where current replica is running.
4. Wait until replica will be re-spawned on the other node
5. Validate that all ips will be reassigned to this node
6. Verify that arp table for re-assigned ips was updated.

Documentation does not cover some pieces of the functionality including basics.

1. Simple/Daemon set versions.
2. Configuration, parameters.
3. Failover.
4. Cleaning of IPs.
5. Internals: IP claims, scheduler, controller.

Try to use travis with kubernetes-dind-cluster

1. Design how this can be done. One option is to use same uid for all ipcontrollers.
2. Write e2e test for this type of deployment

Need to provide support for auto-allocation (from given pool).

Currently we are using quite hacky way to register options for application. For instance --iface option is global, but it won't take any effect if used with scheduler.

To avoid unnecessary rescheduling - add a condition that current node is alive, if this condition is met - exit from update function.

Integration test which creates controller with fake source and waits until external ip will be assigned on real linux box - fails very often. It shouldn't be very hard to make it reliable. But if the reason won't be clear, we can remove it, cause it is only useful to reduce feedback loop during debugging.

Hi,

When using the latest version with the example yaml files I'm getting this error:

14/12/2016 16:40:31Error: the server has asked for the client to provide credentials (post thirdpartyresources.extensions)

I'm running K8S 1.4.6 on top of Rancher 1.2.0