Merge pull request #126 from qiangzii/master

add externalTrafficPolicy feature support for service

Author: cumirror

cmd/main.go

@@ -27,7 +27,7 @@ import (
 
 	"github.com/spf13/pflag"
 	"k8s.io/apimachinery/pkg/util/wait"
-	"k8s.io/cloud-provider"
+	cloudprovider "k8s.io/cloud-provider"
 	"k8s.io/cloud-provider/app"
 	"k8s.io/cloud-provider/app/config"
 	"k8s.io/cloud-provider/options"
@@ -36,8 +36,11 @@ import (
 	_ "k8s.io/component-base/metrics/prometheus/clientgo" // load all the prometheus client-go plugins
 	_ "k8s.io/component-base/metrics/prometheus/version"  // for version metric registration
 	"k8s.io/klog/v2"
+
 	// For existing cloud providers, the option to import legacy providers is still available.
 	// e.g. _"k8s.io/legacy-cloud-providers/<provider>"
+	"github.com/yunify/qingcloud-cloud-controller-manager/pkg/controllers/clusternode"
+	"github.com/yunify/qingcloud-cloud-controller-manager/pkg/controllers/endpoint"
 	_ "github.com/yunify/qingcloud-cloud-controller-manager/pkg/qingcloud"
 )
 
@@ -50,7 +53,7 @@ func main() {
 	}
 
 	fss := cliflag.NamedFlagSets{}
-	command := app.NewCloudControllerManagerCommand(ccmOptions, cloudInitializer, app.DefaultInitFuncConstructors, fss, wait.NeverStop)
+	command := app.NewCloudControllerManagerCommand(ccmOptions, cloudInitializer, controllerInitializers(), fss, wait.NeverStop)
 
 	// TODO: once we switch everything over to Cobra commands, we can go back to calling
 	// utilflag.InitFlags() (by removing its pflag.Parse() call). For now, we have to set the
@@ -87,3 +90,10 @@ func cloudInitializer(config *config.CompletedConfig) cloudprovider.Interface {
 	}
 	return cloud
 }
+
+func controllerInitializers() map[string]app.InitFuncConstructor {
+	controllerInitializers := app.DefaultInitFuncConstructors
+	controllerInitializers["endpoint"] = endpoint.StartEndpointControllerWrapper
+	controllerInitializers["clusternode"] = clusternode.StartClusterNodeControllerWrapper
+	return controllerInitializers
+}

deploy/kube-cloud-controller-manager.yaml

@@ -48,6 +48,7 @@ rules:
   resources:
   - services
   verbs:
+  - get
   - list
   - patch
   - update
@@ -80,7 +81,7 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - endpoints
+  - pods
   verbs:
   - create
   - get

docs/configure.md

@@ -148,6 +148,89 @@ spec:
 ```
 监听器参数说明：https://docsv3.qingcloud.com/network/loadbalancer/api/listener/modify_listener_attribute/
 
+## 五、配置LB监听器backend
+### 如何配置
+根据 `service` 的 `externalTrafficPolicy` 字段的取值，决定LB监听器backend的添加策略
+  - `Local`: 只会添加提供服务pod所在的Worker节点为LB监听器的backend
+  - `Cluster`: 如果`service`中不显式指定 `externalTrafficPolicy` 字段的值，则默认为`Cluster`；这种模式下，可以通过给服务添加相关注解来指定LB监听器backend的添加规则
+
+`Cluster`模式下，目前支持的 `service` 注解有：
+- 使用指定Label的Worker节点作为后端服务器， `service.beta.kubernetes.io/qingcloud-lb-backend-label`，可以指定多个Label，多个Label以逗号分隔。例如：`key1=value1,key2=value2`，多个Label之间是And关系。同时，在需要成为后端服务器的Worker节点打上`key1=value1,key2=value2`的Label；只有服务指定的所有Label的key和value都和Worker节点匹配时，Worker节点会被选为服务的后端服务器；没有此注解则添加所有Worker节点为backend
+
+### 参考示例
+#### Local模式
+将服务的`externalTrafficPolicy`指定为`Local`，只添加pod所在Worker节点为backend
+
+```yaml
+kind: Service
+apiVersion: v1
+metadata:
+  name:  reuse-lb
+  annotations:
+    service.beta.kubernetes.io/qingcloud-load-balancer-eip-strategy: "reuse-lb"
+    service.beta.kubernetes.io/qingcloud-load-balancer-id: "lb-oglqftju"
+spec:
+  externalTrafficPolicy: Local
+  selector:
+    app:  mylbapp
+  type:  LoadBalancer
+  ports:
+  - name:  http
+    port:  8090
+    protocol: TCP
+    targetPort:  80
+```
+
+#### Cluster模式
+将服务的`externalTrafficPolicy`指定为`Cluster`，并在服务的注解`service.beta.kubernetes.io/qingcloud-lb-backend-label`中指定要添加为backend的worker节点的label:
+
+```yaml
+kind: Service
+apiVersion: v1
+metadata:
+  name:  reuse-lb
+  annotations:
+    service.beta.kubernetes.io/qingcloud-load-balancer-eip-strategy: "reuse-lb"
+    service.beta.kubernetes.io/qingcloud-load-balancer-id: "lb-oglqftju"
+    service.beta.kubernetes.io/qingcloud-lb-backend-label: "test-label-key1=value1,test-label-key2=value2"
+spec:
+  externalTrafficPolicy: Cluster
+  selector:
+    app:  mylbapp
+  type:  LoadBalancer
+  ports:
+  - name:  http
+    port:  8090
+    protocol: TCP
+    targetPort:  80
+```
+
+Worker节点如果要添加为上述服务的backend,则必须同时有下面两个label；注意只有其中一个label并不会添加为上述服务的backend:
+
+```yaml
+apiVersion: v1
+kind: Node
+metadata:
+  annotations:
+    csi.volume.kubernetes.io/nodeid: '{"csi-qingcloud":"i-k5rl67a6"}'
+    node.alpha.kubernetes.io/ttl: "0"
+    node.beta.kubernetes.io/instance-id: i-k5rl67a6
+  creationTimestamp: "2022-07-15T07:59:59Z"
+  labels:
+    test-label-key1: value1
+    test-label-key2: value2
+  name: worker-p001
+  resourceVersion: "13094827"
+  uid: b711ce74-9785-41bf-b0ac-777e3c9c0c34
+spec:
+  podCIDR: 10.10.1.0/24
+  podCIDRs:
+  - 10.10.1.0/24
+status:
+  ...
+```
+
+
 ## 配置内网负载均衡器
 ### 已知问题
 k8s在ipvs模式下，kube-proxy会把内网负载均衡器的ip绑定在ipvs接口上，这样会导致从LB过来的包被drop（进来的是主网卡，但是出去的时候发现ipvs有这么一个ip，路由不一致）故目前无法在IPVS模式下使用内网负载均衡器。参考[issue](https://github.com/kubernetes/kubernetes/issues/79783)

go.mod

@@ -12,6 +12,7 @@ require (
 	k8s.io/client-go v0.21.1
 	k8s.io/cloud-provider v0.21.1
 	k8s.io/component-base v0.21.1
+	k8s.io/controller-manager v0.21.1
 	k8s.io/klog v1.0.0
 	k8s.io/klog/v2 v2.9.0
 )

pkg/apis/types.go

@@ -84,6 +84,7 @@ type LoadBalancerListenerSpec struct {
 	ListenerPort             *int      `json:"listener_port" name:"listener_port"`
 	ListenerProtocol         *string   `json:"listener_protocol" name:"listener_protocol"`
 	LoadBalancerListenerName *string   `json:"loadbalancer_listener_name" name:"loadbalancer_listener_name"`
+	LoadBalancerListenerID   *string   `json:"loadbalancer_listener_id" name:"loadbalancer_listener_id"`
 	LoadBalancerID           *string   `json:"loadbalancer_id" name:"loadbalancer_id"`
 	HealthyCheckMethod       *string   `json:"healthy_check_method" name:"healthy_check_method"`
 	HealthyCheckOption       *string   `json:"healthy_check_option" name:"healthy_check_option"`

pkg/controllers/clusternode/cluster_node_controller.go

@@ -0,0 +1,210 @@
+package clusternode
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"time"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/wait"
+	coreinformers "k8s.io/client-go/informers/core/v1"
+	clientset "k8s.io/client-go/kubernetes"
+	corelisters "k8s.io/client-go/listers/core/v1"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/util/workqueue"
+	cloudprovider "k8s.io/cloud-provider"
+	cloudproviderapp "k8s.io/cloud-provider/app"
+	cloudcontrollerconfig "k8s.io/cloud-provider/app/config"
+	genericcontrollermanager "k8s.io/controller-manager/app"
+	"k8s.io/klog"
+
+	"github.com/yunify/qingcloud-cloud-controller-manager/pkg/qingcloud"
+)
+
+const (
+	clusterNodeRunWorkerPeriod = 1 * time.Second
+	clusterNodeWorkers         = 1
+)
+
+type ClusterNodeController struct {
+	cloud cloudprovider.Interface
+
+	// svc
+	serviceLister       corelisters.ServiceLister
+	serviceListerSynced cache.InformerSynced
+
+	// clusternode
+	nodeLister       corelisters.NodeLister
+	nodeListerSynced cache.InformerSynced
+	nodeQueue        workqueue.RateLimitingInterface
+}
+
+func StartClusterNodeControllerWrapper(completedConfig *cloudcontrollerconfig.CompletedConfig, cloud cloudprovider.Interface) cloudproviderapp.InitFunc {
+	return func(ctx genericcontrollermanager.ControllerContext) (http.Handler, bool, error) {
+		return startClusterNodeController(completedConfig, cloud, ctx.Stop)
+	}
+}
+
+func startClusterNodeController(ctx *cloudcontrollerconfig.CompletedConfig, cloud cloudprovider.Interface, stopCh <-chan struct{}) (http.Handler, bool, error) {
+	// Start the endpoint controller
+	clusterNodeController, err := New(
+		cloud,
+		ctx.ClientBuilder.ClientOrDie("clusternode-controller"),
+		ctx.SharedInformers.Core().V1().Services(),
+		ctx.SharedInformers.Core().V1().Nodes(),
+	)
+	if err != nil {
+		// This error shouldn't fail. It lives like this as a legacy.
+		klog.Errorf("Failed to start endpoint controller: %v", err)
+		return nil, false, nil
+	}
+
+	go clusterNodeController.Run(stopCh, clusterNodeWorkers)
+
+	return nil, true, nil
+}
+
+func New(
+	cloud cloudprovider.Interface,
+	kubeClient clientset.Interface,
+	serviceInformer coreinformers.ServiceInformer,
+	nodeInformer coreinformers.NodeInformer,
+) (*ClusterNodeController, error) {
+
+	cnc := &ClusterNodeController{
+		cloud:               cloud,
+		serviceLister:       serviceInformer.Lister(),
+		serviceListerSynced: serviceInformer.Informer().HasSynced,
+		nodeLister:          nodeInformer.Lister(),
+		nodeListerSynced:    nodeInformer.Informer().HasSynced,
+		nodeQueue:           workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "cluster-node"),
+	}
+
+	nodeInformer.Informer().AddEventHandler(
+		cache.ResourceEventHandlerFuncs{
+			UpdateFunc: func(old, cur interface{}) {
+				oldNode, ok1 := old.(*corev1.Node)
+				curNode, ok2 := cur.(*corev1.Node)
+				if ok1 && ok2 && cnc.needsUpdate(oldNode, curNode) {
+					cnc.enqueueNode(cur)
+				}
+			},
+		},
+	)
+
+	return cnc, nil
+}
+
+//check if node label changed
+func (cnc *ClusterNodeController) needsUpdate(old, new *corev1.Node) bool {
+
+	if len(old.Labels) != len(new.Labels) {
+		return true
+	}
+
+	for newLabelKey, newLabelValue := range new.Labels {
+		oldLabelValuk, ok := old.Labels[newLabelKey]
+		if !ok || newLabelValue != oldLabelValuk {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (cnc *ClusterNodeController) enqueueNode(obj interface{}) {
+	key, err := cache.MetaNamespaceKeyFunc(obj)
+	if err != nil {
+		runtime.HandleError(fmt.Errorf("couldn't get key for object %#v: %v", obj, err))
+		return
+	}
+	cnc.nodeQueue.Add(key)
+}
+
+func (cnc *ClusterNodeController) Run(stopCh <-chan struct{}, workers int) {
+	defer runtime.HandleCrash()
+	defer cnc.nodeQueue.ShutDown()
+
+	klog.Info("Starting cluster node controller")
+	defer klog.Info("Shutting down cluster node controller")
+
+	if !cache.WaitForCacheSync(stopCh, cnc.serviceListerSynced, cnc.nodeListerSynced) {
+		return
+	}
+
+	for i := 0; i < workers; i++ {
+		go wait.Until(cnc.worker, clusterNodeRunWorkerPeriod, stopCh)
+	}
+
+	<-stopCh
+}
+
+func (cnc *ClusterNodeController) worker() {
+	for cnc.processNextWorkItem() {
+	}
+}
+
+func (cnc *ClusterNodeController) processNextWorkItem() bool {
+	key, quit := cnc.nodeQueue.Get()
+	if quit {
+		return false
+	}
+	defer cnc.nodeQueue.Done(key)
+
+	err := cnc.handleNodesUpdate(key.(string))
+	if err == nil {
+		cnc.nodeQueue.Forget(key)
+		return true
+	}
+
+	runtime.HandleError(fmt.Errorf("error processing cluster node %v (will retry): %v", key, err))
+	cnc.nodeQueue.AddRateLimited(key)
+
+	return true
+}
+
+// handleNodesUpdate handle service backend according to node lables
+func (cnc *ClusterNodeController) handleNodesUpdate(key string) error {
+	startTime := time.Now()
+	defer func() {
+		klog.V(4).Infof("Finished handleNodesUpdate  %q (%v)", key, time.Since(startTime))
+	}()
+
+	// 1. get node list
+	var nodes []*corev1.Node
+	nodeList, err := cnc.nodeLister.List(labels.NewSelector())
+	if err != nil {
+		return fmt.Errorf("get node list error: %v", err)
+	}
+	for i, _ := range nodeList {
+		nodes = append(nodes, nodeList[i])
+	}
+
+	// 2. list all service
+	svcs, err := cnc.serviceLister.List(labels.NewSelector())
+	if err != nil {
+		return fmt.Errorf("list service  error: %v", err)
+	}
+
+	// 3. filter service which externalTrafficPolicy=cluster and has annotation service.beta.kubernetes.io/qingcloud-lb-backend-label
+	for _, svc := range svcs {
+		_, ok := svc.Annotations[qingcloud.ServiceAnnotationBackendLabel]
+		if ok && svc.Spec.Type == corev1.ServiceTypeLoadBalancer &&
+			svc.Spec.ExternalTrafficPolicy == corev1.ServiceExternalTrafficPolicyTypeCluster {
+			klog.Infof("service %s serviceType = %s, externalTrafficPolicy = %s, also has backend label annotation , going to update loadbalancer", svc.Name, svc.Spec.Type, svc.Spec.ExternalTrafficPolicy)
+
+			// 4. update lb
+			lbInterface, _ := cnc.cloud.LoadBalancer()
+			err = lbInterface.UpdateLoadBalancer(context.TODO(), "", svc, nodes)
+			if err != nil {
+				return fmt.Errorf("update loadbalancer for service %s/%s  error: %v", svc.Namespace, svc.Name, err)
+			}
+			klog.Infof("update loadbalancer for service %s/%s success", svc.Namespace, svc.Name)
+		}
+	}
+
+	return nil
+}