kubernetes-sigs / gateway-api

Repository for the next iteration of composite service (e.g. Ingress) and load balancing APIs.
https://gateway-api.sigs.k8s.io
Apache License 2.0

Clarifications for GAMMA routing #2817

Open costinm opened 4 months ago

costinm commented 4 months ago

GEP 1426 text about routes is:

"This is determined based on the ClusterIP (for Service) and ClusterSetIP (for ServiceImport) matching, and for "transparent proxy" mesh implementations would match all requests to foo.svc.cluster.local (or arbitrary custom suffix, as the hostname is not specified manually) from within the same namespace, all requests to foo.store.svc.cluster.local from other namespaces, and all requests to foo.store.svc.clusterset.local for multicluster services, within the scope of the service mesh."

It is a bit confusing: for Service it seems to imply that ONLY the ClusterIP can be used for routing decisions. Headless services would be excluded - and any request for NodePort or the LoadBalancerIP would not be allowed.

The second part 'transparent proxy' is also not very clear - it seems to allow hostname-based (standard) routing, but it is treated as a separate case - I read it as Service must use ClusterIP, ServiceImport (which is not defined in the GEP as a parentRef!) would use ClusterSetIP - and the host header would be used for some other unspecified case.

costinm commented 4 months ago

My suggestion is to allow all IPs associated with a Service (externalIPs, IPs in status assigned for LoadBalancers, etc.) to be used by clients, and to specify that, for IPs that are shared (which is possible for externalIPs and LoadBalancer IPs), the 'authority' header is used.

costinm commented 4 months ago

For context: the intent is to allow mesh implementations of HTTPRoute for Services that use shared infra (like multi-tenant servers) that reuse an IP address for multiple hostnames and services, and run outside of the cluster (so 'cluster IP' for a particular K8S cluster is not practical). Shared IPs can be used for HTTPRoute and TLSRoute - not for TCP services.

The secondary intent is to allow clients that use the other IPs associated with the service - externalIPs or IPs assigned by the LBs. Current spec prevents the use of any other address except the cluster IP (which is also undefined or may overlap with IPs in other K8S clusters in the general multi-cluster case).
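
An added example, not part of the issue thread and not gateway-api code: it contrasts the ClusterIP-only reading of the GEP text with the matching suggested above, where any IP of a Service selects it and a shared IP is disambiguated by the authority. The `Service` type, both function names, the IPs and the hostnames are hypothetical and constructed for illustration.

```go
package main

import "fmt"

// Service is a simplified, hypothetical stand-in for a Kubernetes Service.
type Service struct {
	Name, ClusterIP string
	OtherIPs        []string // externalIPs and LoadBalancer status IPs
	Hostname        string   // name a client sends as the authority
}

// Constructed sample: foo and bar share one external IP.
var sample = []Service{
	{"foo", "10.0.0.10", []string{"203.0.113.7"}, "foo.example.com"},
	{"bar", "10.0.0.11", []string{"203.0.113.7"}, "bar.example.com"},
}

// matchClusterIPOnly models the strict reading of the quoted GEP text:
// only the ClusterIP attaches a request to a Service's routes.
func matchClusterIPOnly(svcs []Service, dstIP string) string {
	for _, s := range svcs {
		if s.ClusterIP == dstIP {
			return s.Name
		}
	}
	return ""
}

// matchProposed models the suggestion: any IP of a Service selects it, and an
// IP shared by several Services needs the authority to pick one of them.
// authority "" stands for plain TCP, which carries no hostname.
func matchProposed(svcs []Service, dstIP, authority string) string {
	var owners []Service
	for _, s := range svcs {
		for _, ip := range append([]string{s.ClusterIP}, s.OtherIPs...) {
			if ip == dstIP {
				owners = append(owners, s)
				break
			}
		}
	}
	for _, s := range owners {
		if len(owners) == 1 || (authority != "" && s.Hostname == authority) {
			return s.Name
		}
	}
	return "" // unknown IP, or shared IP without a usable authority
}

func main() { fmt.Println(matchProposed(sample, "203.0.113.7", "bar.example.com")) }
```

A request to the shared IP with no authority matches no Service, which is the case the comment above excludes for TCP.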

k8s-triage-robot commented 1 month ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 1 week ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten