digitalocean / DOKS

Managed Kubernetes designed for simple and cost effective container orchestration.
https://www.digitalocean.com/products/kubernetes/
Apache License 2.0

Requests from inside a pod targeting an external LB IP address bypass the LB and go directly towards the service #4

Closed timoreimann closed 5 years ago

timoreimann commented 5 years ago

Several users have expressed the need to have an internal pod reach out to a service by running through an external load-balancer. Reasons for the extra routing step are to have the proxy handle TLS and/or Proxy Protocol in a consistent manner.

The reason for the described behavior is that kube-proxy explicitly implements a bypassing logic. There is already an upstream issue describing this as a problem for users.

A workaround is outlined in the originating CCM issue. The only other alternative is to have pods speak to the service natively, which often isn't desired.

We should look into ways to support external routing one way or another in DOKS.

timoreimann commented 5 years ago

The issue has been brought forward in the SIG Networking meeting of 4 April 2019 (recording). It wasn't completely clear why the requested routing pattern isn't supported by default.

There was agreement on submitting a PR that changes the behavior and continuing discussions based on that.

timoreimann commented 5 years ago

AWS manages to support this case by means of using ingress hostnames, which is something that we currently cannot do at DigitalOcean. (See also this comment.)
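The kube-proxy behaviour described in the opening comment, and the hostname distinction raised for AWS above, modelled as an audit script. This is an added example, not code from the DOKS repository, kube-proxy, or the DigitalOcean cloud controller manager. It walks `status.loadBalancer.ingress` of each Service: an `ip` entry is what kube-proxy programs into the node's proxy rules, so in-cluster clients connecting to it never reach the external LB; a `hostname` entry gives kube-proxy nothing to program, so that traffic does leave the cluster. The annotation keys it treats as "LB-only features" (Proxy Protocol, TLS certificate) are an assumption for the example; substitute whatever your provider uses. Sample Service objects are constructed, not real cluster data.

```python
"""Audit Service objects for the kube-proxy load-balancer short-circuit.

Added example, not code from the DOKS repository or from kube-proxy. It models
the behaviour the issue describes: kube-proxy programs every IP it finds in
status.loadBalancer.ingress into the node's proxy rules, so a pod connecting to
that IP is steered straight to a backend pod and never reaches the external
load balancer. An entry that is only a hostname gives kube-proxy nothing to
program, so such traffic leaves the cluster and passes through the LB.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address

# Assumed for this example: annotation keys whose effect (Proxy Protocol
# headers, TLS termination) exists only on the load-balancer path and is
# therefore silently lost for in-cluster clients that bypass the LB.
LB_ONLY_FEATURES = (
    "service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol",
    "service.beta.kubernetes.io/do-loadbalancer-certificate-id",
)


@dataclass
class Finding:
    service: str              # namespace/name
    address: str              # the ingress entry examined
    bypassed: bool            # True if in-cluster clients short-circuit the LB
    lost_features: list = field(default_factory=list)


def ingress_entries(svc):
    """Yield ("ip", value) or ("hostname", value) for each ingress entry."""
    status = svc.get("status") or {}
    for entry in (status.get("loadBalancer") or {}).get("ingress") or []:
        if entry.get("ip"):
            yield "ip", entry["ip"]
        if entry.get("hostname"):
            yield "hostname", entry["hostname"]


def kube_proxy_intercepts(kind, value):
    """kube-proxy programs literal IPs only; hostnames are opaque to it."""
    if kind != "ip":
        return False
    try:
        ip_address(value)
    except ValueError:
        return False
    return True


def enabled_lb_features(svc):
    """Annotation keys from LB_ONLY_FEATURES that are set to a non-false value."""
    annotations = svc.get("metadata", {}).get("annotations") or {}
    return [k for k in LB_ONLY_FEATURES
            if str(annotations.get(k, "")).lower() not in ("", "false")]


def audit_service(svc):
    """Return one Finding per load-balancer address of a LoadBalancer Service."""
    if (svc.get("spec") or {}).get("type") != "LoadBalancer":
        return []
    meta = svc["metadata"]
    name = f"{meta.get('namespace', 'default')}/{meta['name']}"
    features = enabled_lb_features(svc)
    findings = []
    for kind, value in ingress_entries(svc):
        bypassed = kube_proxy_intercepts(kind, value)
        findings.append(Finding(name, value, bypassed, features if bypassed else []))
    return findings


def audit_all(services):
    return [f for svc in services for f in audit_service(svc)]


# Constructed sample objects (not real cluster data).
SAMPLE_SERVICES = [
    {   # IP-based LB (the DOKS case): kube-proxy intercepts the address.
        "metadata": {"namespace": "web", "name": "frontend",
                     "annotations": {LB_ONLY_FEATURES[0]: "true"}},
        "spec": {"type": "LoadBalancer"},
        "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}},
    },
    {   # Hostname-based LB (the AWS pattern): nothing for kube-proxy to intercept.
        "metadata": {"namespace": "web", "name": "api",
                     "annotations": {LB_ONLY_FEATURES[0]: "true"}},
        "spec": {"type": "LoadBalancer"},
        "status": {"loadBalancer": {"ingress": [
            {"hostname": "api-lb.example.invalid"}]}},
    },
    {   # ClusterIP service: out of scope, no finding.
        "metadata": {"namespace": "web", "name": "cache"},
        "spec": {"type": "ClusterIP"},
    },
]

if __name__ == "__main__":
    for f in audit_all(SAMPLE_SERVICES):
        verdict = "BYPASSES LB" if f.bypassed else "via LB"
        lost = f" (lost: {', '.join(f.lost_features)})" if f.lost_features else ""
        print(f"{f.service} -> {f.address}: {verdict}{lost}")
```

Run against `kubectl get svc -A -o json` output by feeding the `items` list to `audit_all`; any finding with `bypassed` set and a non-empty `lost_features` list is a Service whose in-cluster callers will not get the Proxy Protocol header or LB-side TLS they expect.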

timoreimann commented 5 years ago

If anyone is willing to work on a PR please let us know. Otherwise, someone at the DOKS team is going to try to work on that.

timoreimann commented 5 years ago

/cc @jcodybaker

timoreimann commented 5 years ago

Closing this one in favor of #8 that was transferred over from the CCM repo.