From 3cb9ee4e676135454d51bd7dc4b668fb6b131fbf Mon Sep 17 00:00:00 2001 From: Andrew Sy Kim Date: Fri, 16 Jul 2021 15:55:16 -0400 Subject: [PATCH 1/2] Document the ProxyTerminatingEndpoints feature Document Service Traffic Policies Signed-off-by: Andrew Sy Kim Reviewed-by: Victor Palade --- .../concepts/services-networking/service.md | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/content/en/docs/concepts/services-networking/service.md b/content/en/docs/concepts/services-networking/service.md index 011e1d395f..5eaf8bd978 100644 --- a/content/en/docs/concepts/services-networking/service.md +++ b/content/en/docs/concepts/services-networking/service.md 
@@ -384,6 +384,40 @@ The IP address that you choose must be a valid IPv4 or IPv6 address from within If you try to create a Service with an invalid clusterIP address value, the API server will return a 422 HTTP status code to indicate that there's a problem. +## Traffic policies + +### External traffic policy + +You can set the `spec.externalTrafficPolicy` field to control how traffic from external sources is routed. +Valid values are `Cluster` and `Local`. Set the field to `Cluster` to route external traffic to all ready endpoints +and `Local` to only route to ready node-local endpoints. If the traffic policy is `Local` and there are are no node-local +endpoints, the kube-proxy does not forward any traffic for the relevant Service. + +{{< note >}} +{{< feature-state for_k8s_version="v1.22" state="alpha" >}} +If you enable the `ProxyTerminatingEndpoints` +[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) +`ProxyTerminatingEndpoints` for the kube-proxy, the kube-proxy checks if the node +has local endpoints and whether or not all the local endpoints are marked as terminating. +If there are local endpoints and **all** of those are terminating, then the kube-proxy ignores +any external traffic policy of `Local`. Instead, whilst the node-local endpoints remain as all +terminating, the kube-proxy forwards traffic for that Service to healthy endpoints elsewhere, +as if the external traffic policy were set to `Cluster`. +This forwarding behavior for terminating endpoints exists to allow external load balancers to +gracefully drain connections that are backed by `NodePort` Services, even when the health check +node port starts to fail. Otherwise, traffic can be lost between the time a node is still in the node pool of a load +balancer and traffic is being dropped during the termination period of a pod. 
+{{< /note >}} + +### Internal traffic policy + +{{< feature-state for_k8s_version="v1.22" state="beta" >}} + +You can set the `spec.internalTrafficPolicy` field to control how traffic from internal sources is routed. +Valid values are `Cluster` and `Local`. Set the field to `Cluster` to route internal traffic to all ready endpoints +and `Local` to only route to ready node-local endpoints. If the traffic policy is `Local` and there are are no node-local +endpoints, traffic is dropped by kube-proxy. + ## Discovering services Kubernetes supports 2 primary modes of finding a Service - environment From 02fbd11727539eef7c7d4caffe4e8608003ed22a Mon Sep 17 00:00:00 2001 From: Tim Bannister Date: Thu, 29 Jul 2021 23:40:15 +0100 Subject: [PATCH 2/2] Fix grammar --- content/en/docs/concepts/services-networking/service.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/concepts/services-networking/service.md b/content/en/docs/concepts/services-networking/service.md index 5eaf8bd978..f24a664e75 100644 --- a/content/en/docs/concepts/services-networking/service.md +++ b/content/en/docs/concepts/services-networking/service.md @@ -415,7 +415,7 @@ balancer and traffic is being dropped during the termination period of a pod. You can set the `spec.internalTrafficPolicy` field to control how traffic from internal sources is routed. Valid values are `Cluster` and `Local`. Set the field to `Cluster` to route internal traffic to all ready endpoints -and `Local` to only route to ready node-local endpoints. If the traffic policy is `Local` and there are are no node-local +and `Local` to only route to ready node-local endpoints. If the traffic policy is `Local` and there are no node-local endpoints, traffic is dropped by kube-proxy. ## Discovering services
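Review bot: In the `{{< note >}}` under "External traffic policy" (patch 1/2), the opening sentence names the gate twice: "If you enable the `ProxyTerminatingEndpoints` [feature gate](...) `ProxyTerminatingEndpoints` for the kube-proxy". Drop the second occurrence so the sentence reads "If you enable the `ProxyTerminatingEndpoints` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) for the kube-proxy". The same note says the kube-proxy "ignores any external traffic policy of `Local`" while all node-local endpoints are terminating, but the new "Internal traffic policy" section does not say whether the gate affects `spec.internalTrafficPolicy` in the same way. Please state that explicitly, because readers who rely on `Local` to keep traffic on the node need to know when that setting is overridden. The fallback sentence also says "healthy endpoints" where the rest of the added text says "ready endpoints", and the two no-endpoint sentences are worded differently ("the kube-proxy does not forward any traffic" versus "traffic is dropped by kube-proxy"); use one term in each case.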
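Review bot: The duplicated "are are" is fixed only in the internal traffic policy sentence at line 415 (patch 2/2); the identical typo added by patch 1/2 in the "External traffic policy" paragraph ("If the traffic policy is `Local` and there are are no node-local endpoints, the kube-proxy does not forward any traffic") is outside this hunk and remains. Apply the same one-word deletion there so both paragraphs read "there are no node-local endpoints".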