From 18e5736b0ff9f956b180d7be217da835b8ef9603 Mon Sep 17 00:00:00 2001
From: Brad Hoekstra
Date: Fri, 2 Nov 2018 11:09:15 -0400
Subject: [PATCH 1/3] Filter out services with alternate service proxy
---
 cmd/kube-proxy/app/server.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/cmd/kube-proxy/app/server.go b/cmd/kube-proxy/app/server.go
index 04189b98d30..8af7384da7f 100644
--- a/cmd/kube-proxy/app/server.go
+++ b/cmd/kube-proxy/app/server.go
@@ -30,6 +30,7 @@ import (
 "k8s.io/api/core/v1"
 apimachineryconfig "k8s.io/apimachinery/pkg/apis/config"
+ v1meta "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/serializer"
 "k8s.io/apimachinery/pkg/runtime/serializer/json"
@@ -560,7 +561,10 @@ func (s *ProxyServer) Run() error {
 }
 }
- informerFactory := informers.NewSharedInformerFactory(s.Client, s.ConfigSyncPeriod)
+ informerFactory := informers.NewSharedInformerFactoryWithOptions(s.Client, s.ConfigSyncPeriod,
+ informers.WithTweakListOptions(func(options *v1meta.ListOptions) {
+ options.LabelSelector = "!service.kubernetes.io/service-proxy-name"
+ }))
 // Create configs (i.e. Watches for Services and Endpoints)
 // Note: RegisterHandler() calls need to happen before creation of Sources because sources
From ae49bf645838abcfadd83c8b5380a9bbb369318f Mon Sep 17 00:00:00 2001
From: Brad Hoekstra
Date: Fri, 30 Nov 2018 16:29:52 -0500
Subject: [PATCH 2/3] Add e2e test for service.kubernetes.io/service-proxy-name
---
 test/e2e/network/service.go | 61 +++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
diff --git a/test/e2e/network/service.go b/test/e2e/network/service.go
index a1b85257b8a..20b34554efa 100644
--- a/test/e2e/network/service.go
+++ b/test/e2e/network/service.go
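Review bot: The selector set in the Run hunk of cmd/kube-proxy/app/server.go is installed on the shared informer factory, so it filters every informer built from that factory rather than Services alone. The context comment just below mentions watches for both Services and Endpoints, which suggests an Endpoints object is kept or dropped by its own labels, independently of its Service. The mere presence of the key, with any value, removes an object from kube-proxy's view, so the call deserves a comment such as `// Applies to every informer from this factory: objects labelled service.kubernetes.io/service-proxy-name (any value) are ignored and left to another proxy.` The key is also a bare string literal that the e2e test in test/e2e/network/service.go repeats; a shared named constant would keep the two from drifting. Run's body starts and ends outside the hunk.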
@@ -1687,6 +1687,67 @@ var _ = SIGDescribe("Services", func() {
 svc.Spec.ExternalTrafficPolicy = v1.ServiceExternalTrafficPolicyTypeCluster
 execAffinityTestForLBService(f, cs, svc, true)
 })
+
+ It("should implement service.kubernetes.io/service-proxy-name", func() {
+ // this test uses framework.NodeSSHHosts that does not work if a Node only reports LegacyHostIP
+ framework.SkipUnlessProviderIs(framework.ProvidersWithSSH...)
+ // this test does not work if the Node does not support SSH Key
+ framework.SkipUnlessSSHKeyPresent()
+
+ ns := f.Namespace.Name
+ numPods, servicePort := 3, defaultServeHostnameServicePort
+ serviceProxyNameLabels := map[string]string{"service.kubernetes.io/service-proxy-name": "foo-bar"}
+
+ // We will create 2 services to test creating services in both states and also dynamic updates
+ // svcDisabled: Created with the label, will always be disabled. We create this early and
+ // test again late to make sure it never becomes available.
+ // svcToggled: Created without the label then the label is toggled verifying reachability at each step.
+
+ By("creating service-disabled in namespace " + ns)
+ svcDisabled := getServeHostnameService("service-disabled")
+ svcDisabled.ObjectMeta.Labels = serviceProxyNameLabels
+ _, svcDisabledIP, err := framework.StartServeHostnameService(cs, internalClientset, svcDisabled, ns, numPods)
+ Expect(err).NotTo(HaveOccurred())
+
+ By("creating service in namespace " + ns)
+ svcToggled := getServeHostnameService("service")
+ podToggledNames, svcToggledIP, err := framework.StartServeHostnameService(cs, internalClientset, svcToggled, ns, numPods)
+ Expect(err).NotTo(HaveOccurred())
+
+ jig := framework.NewServiceTestJig(cs, svcToggled.ObjectMeta.Name)
+
+ hosts, err := framework.NodeSSHHosts(cs)
+ Expect(err).NotTo(HaveOccurred())
+ if len(hosts) == 0 {
+ framework.Failf("No ssh-able nodes")
+ }
+ host := hosts[0]
+
+ By("verifying service is up")
+ framework.ExpectNoError(framework.VerifyServeHostnameServiceUp(cs, ns, host, podToggledNames, svcToggledIP, servicePort))
+
+ By("verifying service-disabled is not up")
+ framework.ExpectNoError(framework.VerifyServeHostnameServiceDown(cs, host, svcDisabledIP, servicePort))
+
+ By("adding service-proxy-name label")
+ jig.UpdateServiceOrFail(ns, svcToggled.ObjectMeta.Name, func(svc *v1.Service) {
+ svc.ObjectMeta.Labels = serviceProxyNameLabels
+ })
+
+ By("verifying service is not up")
+ framework.ExpectNoError(framework.VerifyServeHostnameServiceDown(cs, host, svcToggledIP, servicePort))
+
+ By("removing service-proxy-name annotation")
+ jig.UpdateServiceOrFail(ns, svcToggled.ObjectMeta.Name, func(svc *v1.Service) {
+ svc.ObjectMeta.Labels = nil
+ })
+
+ By("verifying service is up")
+ framework.ExpectNoError(framework.VerifyServeHostnameServiceUp(cs, ns, host, podToggledNames, svcToggledIP, servicePort))
+
+ By("verifying service-disabled is still not up")
+ framework.ExpectNoError(framework.VerifyServeHostnameServiceDown(cs, host, svcDisabledIP, servicePort))
+ })
 })
 // TODO: Get rid of [DisabledForLargeClusters] tag when issue
#56138 is fixed.
From 284cc82e71cf5b1089f77ccc6434a43116ca699d Mon Sep 17 00:00:00 2001
From: Brad Hoekstra
Date: Wed, 5 Dec 2018 16:43:07 -0500
Subject: [PATCH 3/3] Update bazel
---
 cmd/kube-proxy/app/BUILD | 1 +
 1 file changed, 1 insertion(+)
diff --git a/cmd/kube-proxy/app/BUILD b/cmd/kube-proxy/app/BUILD
index b99cf2ca155..f76d4542965 100644
--- a/cmd/kube-proxy/app/BUILD
+++ b/cmd/kube-proxy/app/BUILD
@@ -43,6 +43,7 @@ go_library(
 "//pkg/version/verflag:go_default_library",
 "//staging/src/k8s.io/api/core/v1:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/apis/config:go_default_library",
+ "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/runtime/serializer:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/runtime/serializer/json:go_default_library",
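Review bot: In the e2e test added to test/e2e/network/service.go, both UpdateServiceOrFail callbacks replace the Service's whole label map (`svc.ObjectMeta.Labels = serviceProxyNameLabels`, later `svc.ObjectMeta.Labels = nil`), so the toggle would also discard any other labels the object carries. Changing only the key under test is safer: set `svc.ObjectMeta.Labels["service.kubernetes.io/service-proxy-name"] = "foo-bar"` after a nil-map check, and remove it with `delete(svc.ObjectMeta.Labels, "service.kubernetes.io/service-proxy-name")`. The step text `By("removing service-proxy-name annotation")` should say label, since that is what the callback changes. The enclosing SIGDescribe block starts outside the hunk.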