stackitcloud
UDP traffic forwarded to nodes with no healthy pods matching selector
Expected behavior: When managing a service object of type LoadBalancer and externalTrafficPolicy: Local, the associated load balancer only forwards its UDP traffic to nodes with healthy pods allocated to them matching the selector.
Actual behavior: The load balancer round-robin assigns UDP traffic to all nodes, independent of whether or not they have matching healthy pod assigned to them.
Steps to reproduce Cluster-side:
- 4 nodes
- 1 deployment, with replicas=1
- running netcat on UDP port 22333 (
nc -lkvu 22333)
- running netcat on UDP port 22333 (
- 1 svc
-
type: LoadBalancer -
ExternalTrafficPolicy: Local - ports: [udp:22333]
-
Client-side:
- Open a netcat connection to the IP that was allocated to the service object, and UDP port 22333
-
nc -vu $IP 22333
-
- Repeat a couple times, and you should see on the server side, that only every 4th connection attempt succeeds
Hi @gnarlex you are correct. Yawol uses envoy health checks to determine what nodes should get the traffic. This health check is only supported for TCP traffic. Yawol always configures envoy to target all nodes of the cluster to reduce reconfigurations of the LB.
When a service has externalTrafficPolicy: Local kube-proxy adds rules that drop all packets to the NodePort on nodes where the pods don't reside.
Patches welcome 🙂
