deis-bot
commented
8 years ago @sgoings, @mboersma and @krancour are potential reviewers of this pull request based on my analysis of git blame information. Thanks @bacongobbler!
Closed bacongobbler closed 8 years ago
deis-bot
commented
8 years ago @sgoings, @mboersma and @krancour are potential reviewers of this pull request based on my analysis of git blame information. Thanks @bacongobbler!
bacongobbler
commented
8 years ago For context, this was spawned from the conversation in #community this morning: https://deis.slack.com/archives/community/p1466790066001057
krancour
commented
8 years ago @bacongobbler this is a tricky one.
I think we do want the pod's port 9090 mapped to a node port because some people might like to edit their external load balancer's healthchecks to use HTTP GET /healthz (instead of TCP) and that should be done against that node port (which will offer a guarantee that PROXY protocol is never used, since LB healthchecks may not support that; ELBs certainly do not).
On the flip side, there's no reason for the external load balancer (e.g. ELB) to expose this port to the rest of the world.
So we're caught up on a limitation of k8s here-- trapped between two inseparable behaviors where we want one and do not want the other.
Personally, I would opt for closing this.
bacongobbler
commented
8 years ago Given that port 9090 is nothing but a router healtcheck, I agree.
port 9090 is only used internally for healthchecks, and as far as I know no other components have a reliance on router's uptime for their healthchecks. Therefore we should keep this internal and not expose it to the ELB.
ping @krancour for correctness. Are you aware of any other platform components that rely on the router's port 9090 being exposed in the service?