-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(NLB): Introduce Service annotation to allow ICMP for Path MTU Discovery #3939
base: main
Are you sure you want to change the base?
Conversation
Hi @chriswachira. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
47d0bc4
to
45aa281
Compare
docs/guide/service/annotations.md
Outdated
|
||
!!!example | ||
``` | ||
service.beta.kubernetes.io/aws-load-balancer-enable-icmp-for-path-mtu-discovery: on |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the sample is incorrect, we need to surround the boolean value with quotes:
service.beta.kubernetes.io/aws-load-balancer-enable-icmp-for-path-mtu-discovery: "on"
otherwise we get this error:
error: unable to decode "/Users/nixozach/echoserver/svc.yaml": json: cannot unmarshal bool into Go struct field ObjectMeta.metadata.annotations of type string
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've made this fix, kindly test.
@@ -84,6 +97,18 @@ func (t *defaultModelBuildTask) buildManagedSecurityGroupIngressPermissions(ctx | |||
}, | |||
}, | |||
}) | |||
if icmpForPathMtuConfigured { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems that once the rules are added, they can't be removed using:
service.beta.kubernetes.io/aws-load-balancer-enable-icmp-for-path-mtu-discovery: "off"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added a check to make sure it only adds the security group rules if the annotation value is "on", kindly test.
45aa281
to
6ed4baf
Compare
6ed4baf
to
0ccf48d
Compare
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: chriswachira, zac-nixon The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/ok-to-test |
0ccf48d
to
33e1738
Compare
/retest |
33e1738
to
64e498f
Compare
Issue
#3897
Description
It might be necessary for some environments to allow Path MTU discovery for negotiation of MTU between two hosts. If a receiving host has a smaller MTU than the sending host, the receiving host sends an ICMP message to instruct the sending host to split the payload into multiple smaller packets and retransmit them:
Destination Unreachable: Fragmentation Needed and Don't Fragment was Set
(Type 3, Code 4) for IPv4 networks.ICMPv6 Packet Too Big (PTB)
(Type 2) for IPv6 networks.This work introduces a Service annotation (below) that when configured, will automatically add a security group rule to the managed security group, depending on the IP address type.
For IPv4 VPCs, an explicit rule is added to the managed security group to allow ICMPv4 Type 3 Code 4.
For dual stack VPCs, an explicit rule is added to the managed security group to allow both ICMPv4 Type 3 Code 4 and ICMPv6 Type 2 Code 0.
If the
service.beta.kubernetes.io/load-balancer-source-ranges
annotation is also present, it will also create an explicit rule for each source range.Checklist
README.md
, or thedocs
directory)BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯