add ability to disable nodePort Support #4727
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
Welcome @jpiper! |
|
Hi @jpiper. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
needs-ok-to-test
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
There was a problem hiding this comment.
Thanks, this PR looks good, is tested and documented 👍 .
As Albert Camus said:
To name things wrongly is to add to the misfortune of the world
If I understand correctly, when external-dns is namespaced, it does not make sense to set ignoreNodePorts to true.
So, 🤔 wdyt of renaming ignore-nodeports cli args into namespaced ?
And so, in the chart, when namespaced is enabled, it would add this --namespaced=true that would disable the informer ?
| }, | ||
| ) | ||
| ) | ||
| } |
There was a problem hiding this comment.
should we warn here in else instead of in Endpoints() ?
I guess it's expected to not flood all day the logs.
Same applies to service
There was a problem hiding this comment.
good point, I've dropped the log level in servive/pod to a debug level and then added warnings here.
It really depends, in an environment where you have access to the node resource, you could still run in the namespaced mode with the nodeinformer enabled, it really depends on your multi-tenancy model of your cluster. I have seen people give tenants access to the node resource, and likewise, multi-tenant clusters where you are not allowed to view the node resource. However, I agree, the naming could be improved. How do we feel about |
|
alternatives I can think of for the flag: |
This comment was marked as resolved.
This comment was marked as resolved.
ah yes, this is my fault, sorry. I am getting confused between how the chart works and how one could theoretically deploy external-dns using a namespace scope but still using cluster resources. The chart doesn't support this deployment mode though so you're right, I can disable the node informer with the helm |
| @@ -123,6 +125,11 @@ func legacyEndpointsFromDNSControllerService(svc *v1.Service, sc *serviceSource) | |||
| // It will use node role label to check if the node has the "node" role. This means control plane nodes and other | |||
| // roles will not be used as targets. | |||
| func legacyEndpointsFromDNSControllerNodePortService(svc *v1.Service, sc *serviceSource) ([]*endpoint.Endpoint, error) { | |||
| if sc.nodeInformer == nil { | |||
| log.Warnf("Unable to extract nodePort targets from service %s/%s as nodePort support is disabled", svc.Namespace, svc.Name) | |||
There was a problem hiding this comment.
Since the user explicitly disabled nodePort support then Info seems more appropriate than Warn.
| log.Warnf("Unable to extract nodePort targets from service %s/%s as nodePort support is disabled", svc.Namespace, svc.Name) | |
| log.Infof("Unable to extract nodePort targets from service %s/%s as nodePort support is disabled", svc.Namespace, svc.Name) |
I've suggested Info level here (and elsewhere Warn is used) but I see other places in the PR where Debug is used.
There was a problem hiding this comment.
I do not thinkg it's an ifo level, but not a warning as well. What this should warn us about?
log.Warn:
- Purpose: Indicates a potential issue or a situation that might lead to problems in the future.
When to Use:
- Unexpected Behavior: When something unexpected happens but the application can still function.
- Resource Limitations: When resources are running low (e.g., disk space, memory).
- Configuration Issues: When encountering unexpected or invalid configuration values.
log.Debug:
- Purpose: Used for detailed information that is primarily helpful for debugging.
When to Use:
- Development and Testing: Useful for tracking the flow of execution, inspecting variable values, and understanding the internal workings of your application.
- Troubleshooting: Helps pinpoint the root cause of issues during development and debugging.
Do you think there is a value in having this log as a warning instead of a debug?
There was a problem hiding this comment.
The message contains as nodePort support is disabled
Is it for cases when nodePort explicitly disabled or accidently and RBAC needs modification?
|
/lgtm |
k8s-ci-robot
added
lgtm
|
/assign @Raffo |
jpiper
force-pushed
the
disable_nodeport
branch
from
7ec6439 to
dee7e8b
Compare
|
New changes are detected. LGTM label has been removed. |
k8s-ci-robot
removed
the
lgtm
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jpiper
force-pushed
the
disable_nodeport
branch
from
dee7e8b to
7d096b5
Compare
k8s-ci-robot
removed
the
needs-rebase
|
I have rebased the PR |
| @@ -24,6 +24,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 | |||
|
|
|||
| - Added ability to configure `imagePullSecrets` via helm `global` value. ([#4667](https://github.com/kubernetes-sigs/external-dns/pull/4667)) _@jkroepke_ | |||
| - Added options to configure `labelFilter` and `managedRecordTypes` via dedicated helm values. ([#4849](https://github.com/kubernetes-sigs/external-dns/pull/4849)) _@abaguas_ | |||
| - Added support for `ignore-nodeports` argument ([#4727](https://github.com/kubernetes-sigs/external-dns/pull/4727)) _@jpiper_ | |||
There was a problem hiding this comment.
Could we move chart modifications to a separate pull request? I do not think this change is even necessary, as it's just adds a single flag, which is supported with args:
Relevant comment from another pull request #4946 (comment)
| @@ -235,6 +235,9 @@ labelFilter: | |||
| # -- Record types to manage (default: A, AAAA, CNAME) | |||
| managedRecordTypes: [] | |||
|
|
|||
| # -- Disable nodePort support (for environments where access to Node resources is forbidden) | |||
| ignoreNodePorts: false | |||
There was a problem hiding this comment.
Does this mean that
gnoreNodePorts: true
This should modify clusterroles and recources["nodes"]? here
| @@ -123,6 +125,11 @@ func legacyEndpointsFromDNSControllerService(svc *v1.Service, sc *serviceSource) | |||
| // It will use node role label to check if the node has the "node" role. This means control plane nodes and other | |||
| // roles will not be used as targets. | |||
| func legacyEndpointsFromDNSControllerNodePortService(svc *v1.Service, sc *serviceSource) ([]*endpoint.Endpoint, error) { | |||
| if sc.nodeInformer == nil { | |||
| log.Warnf("Unable to extract nodePort targets from service %s/%s as nodePort support is disabled", svc.Namespace, svc.Name) | |||
There was a problem hiding this comment.
I do not thinkg it's an ifo level, but not a warning as well. What this should warn us about?
log.Warn:
- Purpose: Indicates a potential issue or a situation that might lead to problems in the future.
When to Use:
- Unexpected Behavior: When something unexpected happens but the application can still function.
- Resource Limitations: When resources are running low (e.g., disk space, memory).
- Configuration Issues: When encountering unexpected or invalid configuration values.
log.Debug:
- Purpose: Used for detailed information that is primarily helpful for debugging.
When to Use:
- Development and Testing: Useful for tracking the flow of execution, inspecting variable values, and understanding the internal workings of your application.
- Troubleshooting: Helps pinpoint the root cause of issues during development and debugging.
Do you think there is a value in having this log as a warning instead of a debug?
| @@ -123,6 +125,11 @@ func legacyEndpointsFromDNSControllerService(svc *v1.Service, sc *serviceSource) | |||
| // It will use node role label to check if the node has the "node" role. This means control plane nodes and other | |||
| // roles will not be used as targets. | |||
| func legacyEndpointsFromDNSControllerNodePortService(svc *v1.Service, sc *serviceSource) ([]*endpoint.Endpoint, error) { | |||
| if sc.nodeInformer == nil { | |||
| log.Warnf("Unable to extract nodePort targets from service %s/%s as nodePort support is disabled", svc.Namespace, svc.Name) | |||
There was a problem hiding this comment.
The message contains as nodePort support is disabled
Is it for cases when nodePort explicitly disabled or accidently and RBAC needs modification?
| cache.ResourceEventHandlerFuncs{ | ||
| AddFunc: func(obj interface{}) { | ||
| if disableNodeInformer { | ||
| log.Infoln("host information (host IP/hostname) for pods is disabled as the node informer is disabled") |
There was a problem hiding this comment.
Same. Is this a debug level? As we explicitly disable it with the flag disableNodeInformer so the user is aware of what is he doing?
| nodeInformer = informerFactory.Core().V1().Nodes() | ||
| nodeInformer.Informer().AddEventHandler( | ||
| cache.ResourceEventHandlerFuncs{ | ||
| AddFunc: func(obj interface{}) { |
There was a problem hiding this comment.
is this function with empty body required for which purpose?
| } else { | ||
| domainList := splitHostnameAnnotation(domainAnnotation) | ||
| for _, domain := range domainList { | ||
| node, _ := ps.nodeInformer.Lister().Get(pod.Spec.NodeName) |
There was a problem hiding this comment.
What if the node not exist by now? Shell we handle error here? Could be a potential panic or CrashLoop for no reason
k8s-ci-robot
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@jpiper Do you think you can rebase and address @ivankatliarchuk review comments ? |
|
Yes I can 1 but I am on holiday for the next week. I can get to it on the 24th Feb!Sent from my iPhoneOn 15 Feb 2025, at 08:42, Michel Loiseleur ***@***.***> wrote:
@jpiper Do you think you can rebase and address @ivankatliarchuk review comments ?—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>
mloiseleur left a comment (kubernetes-sigs/external-dns#4727)
@jpiper Do you think you can rebase and address @ivankatliarchuk review comments ?
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>
|
Description
When running external-dns in a multi-tenant environment (e.g. in
namespaced=truemode in the helm chart), users may not be in a position to give access to theNoderesource to the external-dns deployment. At the moment, external-dns will not function without access to theNoderesource as a Node informer is always created by thePodandServicesources.In this PR I add the flag
--ignore-nodeportsthat disables the Node informer and then ensures thePodandServicesources makes no attempt to try and retrieve any information from theNoderesource.