kubernetes-sigs / aws-load-balancer-controller

A Kubernetes controller for Elastic Load Balancers
https://kubernetes-sigs.github.io/aws-load-balancer-controller/
Apache License 2.0

aws-load-balancer-controller not registering targets for cilium gateway API service when the nlb-target-type is ip #3754

Closed liyihuang closed 2 months ago

liyihuang commented 3 months ago

Describe the bug

The aws-load-balancer-controller is just not registering targets for the cilium gateway API service when the nlb-target-type is ip.

I have the following services; some of them come from cilium gateway with gateway API, and the details service is just a normal service.

The aws-load-balancer-controller is just not creating the actual backend for the 1st one when using service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip, but this annotation works fine with the details service.

(⎈|arn:aws:eks:ca-central-1:679388779924:cluster/image-learning-liyi-2:default)~ k get svc cilium-gateway-ext-gateway -o yaml 
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    service.beta.kubernetes.io/aws-load-balancer-type: external
  creationTimestamp: "2024-06-25T19:41:32Z"
  finalizers:
  - service.kubernetes.io/load-balancer-cleanup
  - service.k8s.aws/resources
  labels:
    io.cilium.gateway/owning-gateway: ext-gateway
  name: cilium-gateway-ext-gateway
  namespace: default
  ownerReferences:
  - apiVersion: gateway.networking.k8s.io/v1
    controller: true
    kind: Gateway
    name: ext-gateway
    uid: 34460546-8cc2-420f-b88a-299b796c08be
  resourceVersion: "123219"
  uid: b50c751d-ca40-455f-9f84-a910a8514fad
spec:
  allocateLoadBalancerNodePorts: true
  clusterIP: 172.20.81.57
  clusterIPs:
  - 172.20.81.57
  externalTrafficPolicy: Cluster
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: port-80
    nodePort: 31724
    port: 80
    protocol: TCP
    targetPort: 80
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer:
    ingress:
    - hostname: k8s-default-ciliumga-013f537c1f-783ed19cab41b3c0.elb.ca-central-1.amazonaws.com 

--------------------------------
(⎈|arn:aws:eks:ca-central-1:679388779924:cluster/image-learning-liyi-2:default)~ k get svc details -o yaml 
apiVersion: v1
kind: Service
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app":"details","service":"details"},"name":"details","namespace":"default"},"spec":{"ports":[{"name":"http","port":9080}],"selector":{"app":"details"}}}
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-type: external
  creationTimestamp: "2024-06-25T13:51:50Z"
  finalizers:
  - service.kubernetes.io/load-balancer-cleanup
  - service.k8s.aws/resources
  labels:
    app: details
    service: details
  name: details
  namespace: default
  resourceVersion: "125553"
  uid: 54c5557f-7acd-45f7-bd3e-19a82363d676
spec:
  allocateLoadBalancerNodePorts: true
  clusterIP: 172.20.101.53
  clusterIPs:
  - 172.20.101.53
  externalTrafficPolicy: Cluster
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: http
    nodePort: 31256
    port: 9080
    protocol: TCP
    targetPort: 9080
  selector:
    app: details
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer:
    ingress:
    - hostname: k8s-default-details-0eea4d42c5-c4698a46fe95c56f.elb.ca-central-1.amazonaws.com
----------------------------
(⎈|arn:aws:eks:ca-central-1:679388779924:cluster/image-learning-liyi-2:default)~ k get svc cilium-gateway-int-gateway -o yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
    service.beta.kubernetes.io/aws-load-balancer-type: external
  creationTimestamp: "2024-06-25T19:41:12Z"
  finalizers:
  - service.kubernetes.io/load-balancer-cleanup
  - service.k8s.aws/resources
  labels:
    io.cilium.gateway/owning-gateway: int-gateway
  name: cilium-gateway-int-gateway
  namespace: default
  ownerReferences:
  - apiVersion: gateway.networking.k8s.io/v1
    controller: true
    kind: Gateway
    name: int-gateway
    uid: 6a2c1620-f599-44fb-8e07-a9e488b7b34b
  resourceVersion: "123081"
  uid: 93aa077e-25b6-449a-8d72-d8f395c955be
spec:
  allocateLoadBalancerNodePorts: true
  clusterIP: 172.20.27.113
  clusterIPs:
  - 172.20.27.113
  externalTrafficPolicy: Cluster
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: port-80
    nodePort: 31562
    port: 80
    protocol: TCP
    targetPort: 80
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer:
    ingress:
    - hostname: k8s-default-ciliumga-0ce7ccd28a-af29e321251e3573.elb.ca-central-1.amazonaws.com

In the LB controller logs, you can see it just doesn't have the registering targets messages that I usually see for other types.

"level":"debug","ts":"2024-06-25T21:21:35Z","logger":"backend-sg-provider","msg":"Queriying existing SG","vpc-id":"vpc-018d1e43af26bd1cc","name":"k8s-traffic-imagelearningliyi2-bc95b1ddac"}
{"level":"debug","ts":"2024-06-25T21:21:35Z","logger":"backend-sg-provider","msg":"creating securityGroup","name":"k8s-traffic-imagelearningliyi2-bc95b1ddac"}
{"level":"info","ts":"2024-06-25T21:21:35Z","logger":"backend-sg-provider","msg":"created SecurityGroup","name":"k8s-traffic-imagelearningliyi2-bc95b1ddac","id":"sg-0752b7187c5870561"}
{"level":"info","ts":"2024-06-25T21:21:35Z","logger":"controllers.service","msg":"successfully built model","model":"{\"id\":\"default/cilium-gateway-ext-gateway\",\"resources\":{\"AWS::EC2::SecurityGroup\":{\"ManagedLBSecurityGroup\":{\"spec\":{\"groupName\":\"k8s-default-ciliumga-be7277315b\",\"description\":\"[k8s] Managed SecurityGroup for LoadBalancer\",\"ingress\":[{\"ipProtocol\":\"tcp\",\"fromPort\":80,\"toPort\":80,\"ipRanges\":[{\"cidrIP\":\"0.0.0.0/0\"}]}]}}},\"AWS::ElasticLoadBalancingV2::Listener\":{\"80\":{\"spec\":{\"loadBalancerARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::LoadBalancer/LoadBalancer/status/loadBalancerARN\"},\"port\":80,\"protocol\":\"TCP\",\"defaultActions\":[{\"type\":\"forward\",\"forwardConfig\":{\"targetGroups\":[{\"targetGroupARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::TargetGroup/default/cilium-gateway-ext-gateway:80/status/targetGroupARN\"}}]}}]}}},\"AWS::ElasticLoadBalancingV2::LoadBalancer\":{\"LoadBalancer\":{\"spec\":{\"name\":\"k8s-default-ciliumga-189cdc0745\",\"type\":\"network\",\"scheme\":\"internet-facing\",\"ipAddressType\":\"ipv4\",\"subnetMapping\":[{\"subnetID\":\"subnet-021d6521e04964526\"},{\"subnetID\":\"subnet-048f15e9328a5ec83\"},{\"subnetID\":\"subnet-0ca3edd00f09498ef\"}],\"securityGroups\":[{\"$ref\":\"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID\"},\"sg-0752b7187c5870561\"]}}},\"AWS::ElasticLoadBalancingV2::TargetGroup\":{\"default/cilium-gateway-ext-gateway:80\":{\"spec\":{\"name\":\"k8s-default-ciliumga-e277ee118e\",\"targetType\":\"ip\",\"port\":80,\"protocol\":\"TCP\",\"ipAddressType\":\"ipv4\",\"healthCheckConfig\":{\"port\":\"traffic-port\",\"protocol\":\"TCP\",\"intervalSeconds\":10,\"timeoutSeconds\":10,\"healthyThresholdCount\":3,\"unhealthyThresholdCount\":3},\"targetGroupAttributes\":[{\"key\":\"proxy_protocol_v2.enabled\",\"value\":\"false\"}]}}},\"K8S::ElasticLoadBalancingV2::TargetGroupBinding\":{\"default/cilium-gateway-ext-gateway:8
0\":{\"spec\":{\"template\":{\"metadata\":{\"name\":\"k8s-default-ciliumga-e277ee118e\",\"namespace\":\"default\",\"creationTimestamp\":null},\"spec\":{\"targetGroupARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::TargetGroup/default/cilium-gateway-ext-gateway:80/status/targetGroupARN\"},\"targetType\":\"ip\",\"serviceRef\":{\"name\":\"cilium-gateway-ext-gateway\",\"port\":80},\"networking\":{\"ingress\":[{\"from\":[{\"securityGroup\":{\"groupID\":\"sg-0752b7187c5870561\"}}],\"ports\":[{\"protocol\":\"TCP\",\"port\":80}]}]},\"ipAddressType\":\"ipv4\"}}}}}}}"}
{"level":"info","ts":"2024-06-25T21:21:35Z","logger":"controllers.service","msg":"creating securityGroup","resourceID":"ManagedLBSecurityGroup"}
{"level":"info","ts":"2024-06-25T21:21:36Z","logger":"controllers.service","msg":"created securityGroup","resourceID":"ManagedLBSecurityGroup","securityGroupID":"sg-0870b64cc8f47b5c6"}
{"level":"info","ts":"2024-06-25T21:21:36Z","msg":"authorizing securityGroup ingress","securityGroupID":"sg-0870b64cc8f47b5c6","permission":[{"FromPort":80,"IpProtocol":"tcp","IpRanges":[{"CidrIp":"0.0.0.0/0","Description":""}],"Ipv6Ranges":null,"PrefixListIds":null,"ToPort":80,"UserIdGroupPairs":null}]}
{"level":"info","ts":"2024-06-25T21:21:36Z","msg":"authorized securityGroup ingress","securityGroupID":"sg-0870b64cc8f47b5c6"}
{"level":"info","ts":"2024-06-25T21:21:36Z","logger":"controllers.service","msg":"creating targetGroup","stackID":"default/cilium-gateway-ext-gateway","resourceID":"default/cilium-gateway-ext-gateway:80"}
{"level":"info","ts":"2024-06-25T21:21:36Z","logger":"controllers.service","msg":"created targetGroup","stackID":"default/cilium-gateway-ext-gateway","resourceID":"default/cilium-gateway-ext-gateway:80","arn":"arn:aws:elasticloadbalancing:ca-central-1:679388779924:targetgroup/k8s-default-ciliumga-e277ee118e/d146409bb38fb617"}
{"level":"info","ts":"2024-06-25T21:21:36Z","logger":"controllers.service","msg":"creating loadBalancer","stackID":"default/cilium-gateway-ext-gateway","resourceID":"LoadBalancer"}
{"level":"info","ts":"2024-06-25T21:21:37Z","logger":"controllers.service","msg":"created loadBalancer","stackID":"default/cilium-gateway-ext-gateway","resourceID":"LoadBalancer","arn":"arn:aws:elasticloadbalancing:ca-central-1:679388779924:loadbalancer/net/k8s-default-ciliumga-189cdc0745/60f0e10c225a743f"}
{"level":"info","ts":"2024-06-25T21:21:37Z","logger":"controllers.service","msg":"creating listener","stackID":"default/cilium-gateway-ext-gateway","resourceID":"80"}
{"level":"info","ts":"2024-06-25T21:21:37Z","logger":"controllers.service","msg":"created listener","stackID":"default/cilium-gateway-ext-gateway","resourceID":"80","arn":"arn:aws:elasticloadbalancing:ca-central-1:679388779924:listener/net/k8s-default-ciliumga-189cdc0745/60f0e10c225a743f/d9989be3d13786a9"}
{"level":"info","ts":"2024-06-25T21:21:37Z","logger":"controllers.service","msg":"creating targetGroupBinding","stackID":"default/cilium-gateway-ext-gateway","resourceID":"default/cilium-gateway-ext-gateway:80"}
{"level":"debug","ts":"2024-06-25T21:21:37Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/validate-elbv2-k8s-aws-v1beta1-targetgroupbinding","UID":"baed2357-b298-4edc-89a2-b5ecd4552f67","kind":"elbv2.k8s.aws/v1beta1, Kind=TargetGroupBinding","resource":{"group":"elbv2.k8s.aws","version":"v1beta1","resource":"targetgroupbindings"}}
{"level":"debug","ts":"2024-06-25T21:21:37Z","logger":"validating_handler","msg":"validating webhook request","request":{"uid":"baed2357-b298-4edc-89a2-b5ecd4552f67","kind":{"group":"elbv2.k8s.aws","version":"v1beta1","kind":"TargetGroupBinding"},"resource":{"group":"elbv2.k8s.aws","version":"v1beta1","resource":"targetgroupbindings"},"requestKind":{"group":"elbv2.k8s.aws","version":"v1beta1","kind":"TargetGroupBinding"},"requestResource":{"group":"elbv2.k8s.aws","version":"v1beta1","resource":"targetgroupbindings"},"name":"k8s-default-ciliumga-e277ee118e","namespace":"default","operation":"CREATE","userInfo":{"username":"system:serviceaccount:kube-system:aws-load-balancer-controller","uid":"d8a8ed05-6c16-429a-9c9c-5733cdd0afc5","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["aws-load-balancer-controller-5c5d6f7bd8-npj74"],"authentication.kubernetes.io/pod-uid":["86309f5e-f416-4ced-8a1d-455c77c58670"]}},"object":{"apiVersion":"elbv2.k8s.aws/v1beta1","kind":"TargetGroupBinding","metadata":{"creationTimestamp":"2024-06-25T21:21:37Z","generation":1,"labels":{"service.k8s.aws/stack-name":"cilium-gateway-ext-gateway","service.k8s.aws/stack-namespace":"default"},"managedFields":[{"apiVersion":"elbv2.k8s.aws/v1beta1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:service.k8s.aws/stack-name":{},"f:service.k8s.aws/stack-namespace":{}}},"f:spec":{".":{},"f:ipAddressType":{},"f:networking":{".":{},"f:ingress":{}},"f:serviceRef":{".":{},"f:name":{},"f:port":{}},"f:targetGroupARN":{},"f:targetType":{}}},"manager":"controller","operation":"Update","time":"2024-06-25T21:21:37Z"}],"name":"k8s-default-ciliumga-e277ee118e","namespace":"default","uid":"bdc2b763-4435-46b8-9644-2522b07da075"},"spec":{"ipAddressType":"ipv4","networking":{"ingress":[{"from":[{"securityGroup":{"groupID":"sg-0752b7187c5870561"}}],"ports":[{"port":80,"protocol":"TCP"}]}]},"serviceRef":{
"name":"cilium-gateway-ext-gateway","port":80},"targetGroupARN":"arn:aws:elasticloadbalancing:ca-central-1:679388779924:targetgroup/k8s-default-ciliumga-e277ee118e/d146409bb38fb617","targetType":"ip"}},"oldObject":null,"dryRun":false,"options":{"kind":"CreateOptions","apiVersion":"meta.k8s.io/v1"}}}
{"level":"debug","ts":"2024-06-25T21:21:37Z","logger":"validating_handler","msg":"validating webhook response","response":{"Patches":null,"uid":"","allowed":true,"status":{"metadata":{},"code":200}}}
{"level":"debug","ts":"2024-06-25T21:21:37Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/validate-elbv2-k8s-aws-v1beta1-targetgroupbinding","code":200,"reason":"","UID":"baed2357-b298-4edc-89a2-b5ecd4552f67","allowed":true}
{"level":"debug","ts":"2024-06-25T21:21:37Z","logger":"controllers.targetGroupBinding","msg":"Reconcile request","name":"k8s-default-ciliumga-e277ee118e"}
{"level":"info","ts":"2024-06-25T21:21:37Z","logger":"controllers.service","msg":"created targetGroupBinding","stackID":"default/cilium-gateway-ext-gateway","resourceID":"default/cilium-gateway-ext-gateway:80","targetGroupBinding":{"namespace":"default","name":"k8s-default-ciliumga-e277ee118e"}}
{"level":"info","ts":"2024-06-25T21:21:37Z","logger":"controllers.service","msg":"successfully deployed model","service":{"namespace":"default","name":"cilium-gateway-ext-gateway"}}
{"level":"debug","ts":"2024-06-25T21:21:37Z","logger":"controller-runtime.webhook.webhooks","msg":"received request","webhook":"/validate-elbv2-k8s-aws-v1beta1-targetgroupbinding","UID":"cb330703-2df9-4b91-89b3-85d6c10c492d","kind":"elbv2.k8s.aws/v1beta1, Kind=TargetGroupBinding","resource":{"group":"elbv2.k8s.aws","version":"v1beta1","resource":"targetgroupbindings"}}
{"level":"debug","ts":"2024-06-25T21:21:37Z","logger":"validating_handler","msg":"validating webhook request","request":{"uid":"cb330703-2df9-4b91-89b3-85d6c10c492d","kind":{"group":"elbv2.k8s.aws","version":"v1beta1","kind":"TargetGroupBinding"},"resource":{"group":"elbv2.k8s.aws","version":"v1beta1","resource":"targetgroupbindings"},"requestKind":{"group":"elbv2.k8s.aws","version":"v1beta1","kind":"TargetGroupBinding"},"requestResource":{"group":"elbv2.k8s.aws","version":"v1beta1","resource":"targetgroupbindings"},"name":"k8s-default-ciliumga-e277ee118e","namespace":"default","operation":"UPDATE","userInfo":{"username":"system:serviceaccount:kube-system:aws-load-balancer-controller","uid":"d8a8ed05-6c16-429a-9c9c-5733cdd0afc5","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["aws-load-balancer-controller-5c5d6f7bd8-npj74"],"authentication.kubernetes.io/pod-uid":["86309f5e-f416-4ced-8a1d-455c77c58670"]}},"object":{"apiVersion":"elbv2.k8s.aws/v1beta1","kind":"TargetGroupBinding","metadata":{"creationTimestamp":"2024-06-25T21:21:37Z","finalizers":["elbv2.k8s.aws/resources"],"generation":1,"labels":{"service.k8s.aws/stack-name":"cilium-gateway-ext-gateway","service.k8s.aws/stack-namespace":"default"},"managedFields":[{"apiVersion":"elbv2.k8s.aws/v1beta1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:finalizers":{".":{},"v:\"elbv2.k8s.aws/resources\"":{}},"f:labels":{".":{},"f:service.k8s.aws/stack-name":{},"f:service.k8s.aws/stack-namespace":{}}},"f:spec":{".":{},"f:ipAddressType":{},"f:networking":{".":{},"f:ingress":{}},"f:serviceRef":{".":{},"f:name":{},"f:port":{}},"f:targetGroupARN":{},"f:targetType":{}}},"manager":"controller","operation":"Update","time":"2024-06-25T21:21:37Z"}],"name":"k8s-default-ciliumga-e277ee118e","namespace":"default","resourceVersion":"150013","uid":"bdc2b763-4435-46b8-9644-2522b07da075"},"spec":{"ipAddressType":"ipv4","networking":{"in
gress":[{"from":[{"securityGroup":{"groupID":"sg-0752b7187c5870561"}}],"ports":[{"port":80,"protocol":"TCP"}]}]},"serviceRef":{"name":"cilium-gateway-ext-gateway","port":80},"targetGroupARN":"arn:aws:elasticloadbalancing:ca-central-1:679388779924:targetgroup/k8s-default-ciliumga-e277ee118e/d146409bb38fb617","targetType":"ip"}},"oldObject":{"apiVersion":"elbv2.k8s.aws/v1beta1","kind":"TargetGroupBinding","metadata":{"creationTimestamp":"2024-06-25T21:21:37Z","generation":1,"labels":{"service.k8s.aws/stack-name":"cilium-gateway-ext-gateway","service.k8s.aws/stack-namespace":"default"},"managedFields":[{"apiVersion":"elbv2.k8s.aws/v1beta1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:service.k8s.aws/stack-name":{},"f:service.k8s.aws/stack-namespace":{}}},"f:spec":{".":{},"f:ipAddressType":{},"f:networking":{".":{},"f:ingress":{}},"f:serviceRef":{".":{},"f:name":{},"f:port":{}},"f:targetGroupARN":{},"f:targetType":{}}},"manager":"controller","operation":"Update","time":"2024-06-25T21:21:37Z"}],"name":"k8s-default-ciliumga-e277ee118e","namespace":"default","resourceVersion":"150013","uid":"bdc2b763-4435-46b8-9644-2522b07da075"},"spec":{"ipAddressType":"ipv4","networking":{"ingress":[{"from":[{"securityGroup":{"groupID":"sg-0752b7187c5870561"}}],"ports":[{"port":80,"protocol":"TCP"}]}]},"serviceRef":{"name":"cilium-gateway-ext-gateway","port":80},"targetGroupARN":"arn:aws:elasticloadbalancing:ca-central-1:679388779924:targetgroup/k8s-default-ciliumga-e277ee118e/d146409bb38fb617","targetType":"ip"}},"dryRun":false,"options":{"kind":"UpdateOptions","apiVersion":"meta.k8s.io/v1"}}}
{"level":"debug","ts":"2024-06-25T21:21:37Z","logger":"validating_handler","msg":"validating webhook response","response":{"Patches":null,"uid":"","allowed":true,"status":{"metadata":{},"code":200}}}
{"level":"debug","ts":"2024-06-25T21:21:37Z","logger":"controller-runtime.webhook.webhooks","msg":"wrote response","webhook":"/validate-elbv2-k8s-aws-v1beta1-targetgroupbinding","code":200,"reason":"","UID":"cb330703-2df9-4b91-89b3-85d6c10c492d","allowed":true}
{"level":"debug","ts":"2024-06-25T21:21:37Z","logger":"events","msg":"Successfully reconciled","type":"Normal","object":{"kind":"Service","namespace":"default","name":"cilium-gateway-ext-gateway","uid":"fc160805-21bf-4b86-8c65-a6e006fa534d","apiVersion":"v1","resourceVersion":"150014"},"reason":"SuccessfullyReconciled"}
{"level":"debug","ts":"2024-06-25T21:21:37Z","logger":"controllers.targetGroupBinding","msg":"Reconcile request","name":"k8s-default-ciliumga-e277ee118e"}
{"level":"debug","ts":"2024-06-25T21:21:37Z","logger":"events","msg":"Successfully reconciled","type":"Normal","object":{"kind":"TargetGroupBinding","namespace":"default","name":"k8s-default-ciliumga-e277ee118e","uid":"bdc2b763-4435-46b8-9644-2522b07da075","apiVersion":"elbv2.k8s.aws/v1beta1","resourceVersion":"150018"},"reason":"SuccessfullyReconciled"}
{"level":"debug","ts":"2024-06-25T21:21:37Z","logger":"events","msg":"Successfully reconciled","type":"Normal","object":{"kind":"TargetGroupBinding","namespace":"default","name":"k8s-default-ciliumga-e277ee118e","uid":"bdc2b763-4435-46b8-9644-2522b07da075","apiVersion":"elbv2.k8s.aws/v1beta1","resourceVersion":"150018"},"reason":"SuccessfullyReconciled"}

here is the aws console screenshot

Steps to reproduce

  1. install the EKS
  2. install cilium and enable the gateway API (https://docs.cilium.io/en/stable/network/servicemesh/gateway-api/gateway-api/#gs-gateway-api). Please change gateway.networking.k8s.io_gateways.yaml from standard to experimental since the annotation requires the experimental API
  3. follow the cilium doc to install the demo app
  4. install the aws LB controller
  5. apply the following cilium gateway API
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: ext-gateway
spec:
  infrastructure:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
      service.beta.kubernetes.io/aws-load-balancer-type: "external"
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
  gatewayClassName: cilium
  listeners:
  - protocol: HTTP
    port: 80
    name: web-gw
    allowedRoutes:
      namespaces:
        from: Same
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: http-app-ext
spec:
  parentRefs:
  - name: ext-gateway
    namespace: default
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /details
    backendRefs:
    - name: details
      port: 9080
---

Expected outcome

The AWS LB controller should register targets.

Environment

Additional Context: I'm from the cilium team and will try my best to figure it out if that's caused by cilium

oliviassss commented 3 months ago

@liyihuang, interesting, thanks for the report. Since you're using Cilium, I suppose you don't have vpc cni in your cluster, right? Check if you're hitting this? https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.8/how-it-works/#ip-mode

IP mode Ingress traffic starts at the ALB and reaches the Kubernetes pods directly. CNIs must support directly accessible POD ip via secondary IP addresses on ENI.

liyihuang commented 3 months ago

No, I have removed the AWS CNI in the EKS environment.

Cilium has the ENI mode, in which it manages IPs from the VPC and assigns them as secondary IPs on the NIC (https://docs.cilium.io/en/latest/network/concepts/ipam/eni/).

I think I might know why while I'm typing here. Cilium is the CNI with the EKS, and the cilium agent is not a normal pod with the pod IP address but the IP from the host. AWS LB controller will not be able to find the "endpoint IP" it's looking for like the others. I was going to throw the dlv to the aws-lb-controller but it looks like it's not necessary.

(⎈|arn:aws:eks:ca-central-1:679388779924:cluster/image-learning-liyi-2:default)~/go/bin k get pods -n kube-system -o wide
NAME                                            READY   STATUS    RESTARTS      AGE   IP           NODE                                          NOMINATED NODE   READINESS GATES
aws-load-balancer-controller-775bc4868f-9xckb   1/1     Running   0             42m   10.6.1.79    ip-10-6-1-188.ca-central-1.compute.internal   <none>           <none>
cilium-2rwtv                                    1/1     Running   0             57m   10.6.0.83    ip-10-6-0-83.ca-central-1.compute.internal    <none>           <none>
cilium-bd5bq                                    1/1     Running   0             57m   10.6.2.181   ip-10-6-2-181.ca-central-1.compute.internal   <none>           <none>
cilium-kcdz8                                    1/1     Running   0             57m   10.6.1.188   ip-10-6-1-188.ca-central-1.compute.internal   <none>           <none>
cilium-operator-67bc84576c-6gp59                1/1     Running   0             57m   10.6.1.63    ip-10-6-1-63.ca-central-1.compute.internal    <none>           <none>
cilium-operator-67bc84576c-ptzjf                1/1     Running   0             57m   10.6.0.83    ip-10-6-0-83.ca-central-1.compute.internal    <none>           <none>
cilium-pvcxs                                    1/1     Running   0             57m   10.6.1.63    ip-10-6-1-63.ca-central-1.compute.internal    <none>           <none>
coredns-68c6b7b454-6gmx2                        1/1     Running   0             70m   10.6.1.128   ip-10-6-1-63.ca-central-1.compute.internal    <none>           <none>
coredns-68c6b7b454-mfb6t                        1/1     Running   0             70m   10.6.1.142   ip-10-6-1-63.ca-central-1.compute.internal    <none>           <none>
hubble-relay-665f995b56-2ps5x                   1/1     Running   1 (57m ago)   63m   10.6.1.137   ip-10-6-1-63.ca-central-1.compute.internal    <none>           <none>
hubble-relay-665f995b56-7c7dh                   1/1     Running   1 (57m ago)   63m   10.6.1.132   ip-10-6-1-63.ca-central-1.compute.internal    <none>           <none>
hubble-relay-665f995b56-jm8vx                   1/1     Running   1 (57m ago)   63m   10.6.1.131   ip-10-6-1-63.ca-central-1.compute.internal    <none>           <none>
my-external-dns-94658f555-vblj4                 1/1     Running   0             63m   10.6.1.140   ip-10-6-1-63.ca-central-1.compute.internal    <none>           <none>

As you can see here, cilium-agent is on the host NS using the same host IP address.
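A triage check built from the manifests in this thread, as an added example that is not part of the issue or of the controller's code: it reports, for each Service requesting `ip` targets, whether it has a `spec.selector` and whether its backing pods share their node's IP. The sample JSON is constructed from values shown above (the `details` pod, all pod labels and the `hostIP` values are assumed); the thread does not establish which of these conditions stops registration.

```python
import json

TARGET_TYPE = "service.beta.kubernetes.io/aws-load-balancer-nlb-target-type"

# Constructed sample in the shape of `kubectl get svc,pods -A -o json`,
# trimmed from the manifests and pod table in this thread. The details pod,
# the pod labels and the hostIP values are assumptions.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "Service",
  "metadata": {"name": "cilium-gateway-ext-gateway", "namespace": "default",
   "annotations": {"service.beta.kubernetes.io/aws-load-balancer-nlb-target-type": "ip"},
   "ownerReferences": [{"kind": "Gateway", "name": "ext-gateway"}]},
  "spec": {"type": "LoadBalancer", "ports": [{"port": 80}]}},
 {"kind": "Service",
  "metadata": {"name": "details", "namespace": "default",
   "annotations": {"service.beta.kubernetes.io/aws-load-balancer-nlb-target-type": "ip"}},
  "spec": {"type": "LoadBalancer", "selector": {"app": "details"},
   "ports": [{"port": 9080}]}},
 {"kind": "Service",
  "metadata": {"name": "cilium-gateway-int-gateway", "namespace": "default",
   "annotations": {"service.beta.kubernetes.io/aws-load-balancer-nlb-target-type": "instance"}},
  "spec": {"type": "LoadBalancer", "ports": [{"port": 80}]}},
 {"kind": "Pod",
  "metadata": {"name": "details-v1-example", "namespace": "default",
   "labels": {"app": "details"}},
  "status": {"podIP": "10.6.1.150", "hostIP": "10.6.1.63"}},
 {"kind": "Pod",
  "metadata": {"name": "cilium-2rwtv", "namespace": "kube-system",
   "labels": {"k8s-app": "cilium"}},
  "status": {"podIP": "10.6.0.83", "hostIP": "10.6.0.83"}}
]}
""")

def selects(selector, pod):
    """True when every selector label is present on the pod."""
    labels = pod["metadata"].get("labels", {})
    return all(labels.get(k) == v for k, v in selector.items())

def pods_on_host_ip(items):
    """Pods whose IP equals their node's IP (host network namespace)."""
    return [f'{p["metadata"]["namespace"]}/{p["metadata"]["name"]}'
            for p in items if p["kind"] == "Pod"
            and p["status"].get("podIP")
            and p["status"]["podIP"] == p["status"].get("hostIP")]

def triage(items):
    """One finding per Service that asks for ip targets."""
    pods = [i for i in items if i["kind"] == "Pod"]
    host_ip = set(pods_on_host_ip(items))
    report = []
    for svc in (i for i in items if i["kind"] == "Service"):
        meta, spec = svc["metadata"], svc["spec"]
        if meta.get("annotations", {}).get(TARGET_TYPE) != "ip":
            continue  # instance targets are reached through node ports
        selector = spec.get("selector") or {}
        backends = [p["metadata"]["name"] for p in pods
                    if selector and p["metadata"]["namespace"] == meta["namespace"]
                    and selects(selector, p)]
        if not selector:
            finding = "no-selector"  # backends are not chosen from labelled pods
        elif not backends:
            finding = "selector-matches-no-pods"
        elif any(f'{meta["namespace"]}/{b}' in host_ip for b in backends):
            finding = "backends-use-host-ip"
        else:
            finding = "ok"
        owners = [f'{o["kind"]}/{o["name"]}' for o in meta.get("ownerReferences", [])]
        report.append({"service": f'{meta["namespace"]}/{meta["name"]}',
                       "owners": owners, "finding": finding, "backends": backends})
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE["items"]):
        print(row)
    print("host-IP pods:", pods_on_host_ip(SAMPLE["items"]))
```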