Inconsistent provider behaviour with API server ports

[randomvariable]

What steps did you take and what happened: [A clear and concise description on how to REPRODUCE the bug.]

A common refrain I have heard from customers:

"As a cluster operator, I may be working in a multi-cloud environment, and also have a directive to always have https endpoints exposed on 443. In the Kubernetes context, this means clients should only ever connect to the API server on port 443."

In Cluster API, we have a number of places where the port can be changed:

• cluster.spec.clusterNetwork.APIServerPort This should be used by infrastructure providers to configure the load balancer port.

• kcp.spec.kubeadmConfigSpec.initConfiguration.localAPIEndpoint.bindPort This will change the port that kube-apiserver will listen on each individual control plane node, and is used by kubeadm

In AWS, CAPA will use cluster.spec.clusterNetwork.APIServerPort to set the LB port and assume kube-apiserver continues to listen on 6443.

In Azure, CAPZ assumes that if cluster.spec.clusterNetwork.APIServerPort isn't 6443, that kube-apiserver is also listening on the different port. This is kind of necessary due to the way the Azure LBs work and the workarounds required for hairpin NAT.

Importantly, in bare-metal / on-prem environments like vSphere/Tinkerbell, we might be using kube-vip to make our control plane highly available. In this circumstance, there is no LB, and cluster.spec.clusterNetwork.APIServerPort is ignored.

What did you expect to happen:

One consistent place.

Anything else you would like to add: [Miscellaneous information that will assist in solving the issue.]

Enforcing any particular implied behaviour may break one or more providers as well as clusters on upgrade, so should not be done within a v1beta1 release IMO.

Also, not suggesting we change the default port, but make it easier to change the port and have a defined behaviour.

Environment:

• Cluster-api version:
• Minikube/KIND version:
• Kubernetes version: (use kubectl version):
• OS (e.g. from /etc/os-release):

/kind bug [One or more /area label. See https://github.com/kubernetes-sigs/cluster-api/labels?q=area for the list of labels]

[neolit123]

kubeadm picked the port 6443 as the default for secure serving because that is the default in the kube-apiserver:

--secure-port int     Default: 6443

https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/

this SO post shares some insights why 6443 might have been chosen: https://stackoverflow.com/a/44051315

...not to cause conflicts with the default Application Server domain

but as long as 443 is not occupied using it for the HTTPS seems fine.

if Cluster API wishes to switch to that i would give my tentative -1 (please feel free to ignore), because it will drift from the k8s/kubeadm default. kubeadm which tries to tightly follow the k8s defaults, will likely continue to remain on 6443 until the API server switches.

As a cluster operator, I may be working in a multi-cloud environment, and also have a directive to always have https endpoints exposed on 443. In the Kubernetes context, this means clients should only ever connect to the API server on port 443.

a minor concern here is that a specific deployment requirement (i.e. "we must use 443") should not dictate the port on core CAPI and all providers and instead perhaps that particular deployment should be configured.

[randomvariable]

Not suggesting we switch by default. Sorry, I was talking as a fictional cluster operator in a company. I'll clarify.

In fact, I think organisations who want 443 may be shooting themselves in the foot at a later date for exactly the reasons listed in the stack overflow comment.

[devigned]

In Azure, CAPZ assumes that if cluster.spec.clusterNetwork.APIServerPort isn't 6443, that kube-apiserver is also listening on the different port. This is kind of necessary due to the way the Azure LBs work and the workarounds required for hairpin NAT.

I don't think this needs to behave this way due to any particular Azure infra constraint. We should be able to solve for this. I'll create an issue to expose the API server LB port while keeping the API server backend port 6443, as done in CAPA.

[randomvariable]

/area control-plane

[randomvariable]

I don't think this needs to behave this way due to any particular Azure infra constraint.

Isn't there a case where because of hairpin NAT not existing, there's a hack to /etc/hosts where the LB control plane endpoint is repointed to 127.0.0.1 ?

[fabriziopandini]

/milestone v1.2 /kind api-change

[yastij]

Ideally the users need to be able to configure the local apiServer port through a single field. Today we can't really make the various bindPort in the init and join as part of the bootstrappers contract due to the fact that they're nested into APIs and structs that are kubeadm specific.

we probably also need to disambiguate between cluster.spec.clusterNetwork.APIServerPort and cluster.spec.ControlPlaneEndpoint.Port

An idea could be:

• convert cluster.spec.clusterNetwork.APIServerPort to cluster.spec.ControlPlaneEndpoint.Port and ensure provider reads from it to figure the LB port
• deprecate cluster.spec.clusterNetwork.APIServerPort
• introduce something like cluster.spec.clusterNetwork.LocalAPIServerPort

[fabriziopandini]

@yastij If I got this right we are addressing two problems:

• Ensure our API allows users to express all the use cases in a simple way; the use cases we are discussing are:
  1. Set the ControlPlane port (The load balancer port);
  2. Set the API server BindPort (The port for each API server);
• Ensure all the providers behave consistently

If I look at the current API:

• for use case 1. today we have cluster.spec.ControlPlaneEndpoint.Port; we should probably make it clear in the doc that if the user set the Port value, the infrastructure provider should comply if this value (if supported); similar case could be done for cluster.spec.ControlPlaneEndpoint.Port.
• for use case 2. today we have cluster.spec.clusterNetwork.APIServerPort; we could argue if the name is the right one, but I think the main problems here are:
  • the meaning of this field has been interpreted in different ways by providers, some applying it to the API server as the name suggests, some applying it to the LB only, some to both.
  • CABPK not picking up the value from the Cluster.

In other words, would it work to keep things as they are, improve doc, improve CABPK to make UX simpler, make providers behave consistently? The main problem I see is how to avoid this to have a negative impact on existing Clusters, I need to think a little bit more about this ...

[fabriziopandini]

/reopen pressed the wrong button, sorry

[k8s-ci-robot]

@fabriziopandini: Reopened this issue.

In response to [this](https://github.com/kubernetes-sigs/cluster-api/issues/5517#issuecomment-1031464332): >/reopen >pressed the wrong button, sorry Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

[fabriziopandini]

After thinking about avoiding negative impact, I think that a possible way out is to:

• add cluster.spec.clusterNetwork.LocalAPIServerPort or cluster.spec.clusterNetwork.APIServerBindPort to v1beta1 Cluster, setting up a clear semantic about it:
  • it sets the API server BindPort (The port for each API server);
  • make CABPK to automatically use this field for initConfiguration/JoinConfiguration.localAPIEndpoint.bindPort
• deprecate cluster.spec.clusterNetwork.APIServerPort (TBD exact behavior for conversion after removal, might be convert to cluster.spec.ControlPlaneEndpoint.Port if empty)

providers on their side must:

• start using cluster.spec.clusterNetwork.LocalAPIServerPort for load balancers backEnds
• start using cluster.spec.ControlPlaneEndpoint.Port for load balancers FrontEnds (while continue using cluster.spec.clusterNetwork.APIServerPort as override for avoding breaking changes, till the field is removed)

[CecileRobertMichon]

providers on their side must [...] start using cluster.spec.ControlPlaneEndpoint.Port for load balancers FrontEnds

what about the infrastructure provider contract the spec object must have the following fields defined: controlPlaneEndpoint - identifies the endpoint used to connect to the target’s cluster apiserver. ?

https://cluster-api.sigs.k8s.io/developer/architecture/controllers/cluster.html#infrastructure-provider

[fabriziopandini]

@yastij ^^ That's a good point. Taking a step back, we have a couple of user stories, in some cases not mutually exclusive:

• The user does not express opinions on the API server bind port (a default gets applied)
• The user wants to set the API server bind port (the local API server bind port)
• The user does not express opinions on the load balancer port (a default gets applied)
• The user does not express opinions on the load balancer address (the infrastructure provider returns one)
• The user wants to set the load balancer port
• The user wants to set the load balancer port and the load balancer address (and it is not clear to me if this always implicitly means to use an existing load balancer or if in some cases, this means to provide a load balancer with that address)

[sbueringer]

In general it sounds good to me to have fields with a clear semantic that cover our relevant use cases on the Cluster object and then infer the corresponding values in CABPK (if they are set, otherwise use defaults).

[yastij]

/assign /lifecycle active

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[fabriziopandini]

/lifecycle frozen

[fabriziopandini]

/triage accepted

[fabriziopandini]

(doing some cleanup on old issues without updates) /unassign @yastij /help

[k8s-ci-robot]

@fabriziopandini: This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

• Why are we solving this issue?
• To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
• Does this issue have zero to low barrier of entry?
• How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.

In response to [this](https://github.com/kubernetes-sigs/cluster-api/issues/5517): >(doing some cleanup on old issues without updates) >/unassign @yastij >/help > Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

[k8s-triage-robot]

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

• Confirm that this issue is still relevant with /triage accepted (org members only)
• Close this issue with /close

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

[fabriziopandini]

/priority important-longterm

[fabriziopandini]

The current status, with different interpretations of those fields in different providers is not ideal.

We need a volounteer that does some research across providers and come up with some idea (eventually a proposal / an improvement to the contract) to improve the situation. Also the Flexible Managed Kubernetes Endpoints proposal should be taken into account

However, since there is almost no activity on the issue, we are decreasing priority

/priority backlog /triage accepted