Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Disable session affinity for internal kuberntes service
Under following conditions session affinity leads to a deadlock:
- Self hosted controller-manager, where it talks to API servers
via kubernetes service ClusterIP
- default master-count reconcilier is used
- --apiserver-count is set to >1 according to the help message
- number of responsive APIServers goes below `apiserver-count`
- all controller-managers happen to be hashed to APIServers which
are down.
What then happens is that controller managers never be able to
contact APIServer, despite correctly working APIServer available.
Less serious outages also possible for other consumers of kubernetes
service, such as operators, kube-dns, flannel & calico, etc. There is
always non zero chance, that given consumer is hashed to an apiserver
which is down.
This reverts PR https://github.com/kubernetes/kubernetes/pull/23129
/sig api-machinery
CCing:
- author and approver of reverted PR: @mikedanese, @lavalamp
- other affected users which spoke up: @jsravn, @tatsuhiro-t
```release-note
NONE
```
Under following conditions session affinity leads to a deadlock:
- Self hosted controller-manager, where it talks to API servers
via kubernetes service ClusterIP
- default master-count reconcilier is used
- --apiserver-count is set to >1 according to the help message
- number of responsive APIServers goes below `apiserver-count`
- all controller-managers happen to be hashed to APIServers which
are down.
What then happens is that controller managers never be able to
contact APIServer, despite correctly working APIServer available.
Less serious outages also possible for other consumers of kubernetes
service, such as operators, kube-dns, flannel & calico, etc. There is
always non zero chance, that given consumer is hashed to an apiserver
which is down.
Revert "give the kubernetes service client ip session affinity"
This reverts commit e21ebbcac4.
Automatic merge from submit-queue
fix service spec for kube api server
For the auto generated kube api-server service, the service spec re-uses the service port itself. The endpoint is created correctly using public port. Fix the service also because there are some plugin controllers that react to service spec itself.
Before fix:
```
sh-4.2# kubectl get endpoints
NAME ENDPOINTS AGE
kubernetes 172.17.0.2:8443,172.17.0.2:8053,172.17.0.2:8053 20h
sh-4.2# kubectl get services kubernetes -o json
...
...
"spec": {
"clusterIP": "172.30.0.1",
"ports": [
{
"name": "https",
"port": 443,
"protocol": "TCP",
"targetPort": 443 ## <--- same as port, even if the endpoint really means 8443
},
{
"name": "dns",
"port": 53,
"protocol": "UDP",
"targetPort": 8053
},
{
"name": "dns-tcp",
...
```
After fix:
```
"spec": {
"clusterIP": "172.30.0.1",
"ports": [
{
"name": "https",
"port": 443,
"protocol": "TCP",
"targetPort": 8443 # <-- fixed, now matches the endpoint object
},
{
"name": "dns",
"port": 53,
"protocol": "UDP",
"targetPort": 8053
},
{
"name": "dns-tcp",
``
checkEndpointSubsetFormat ensures that,
1. the current master's IP is in the list of addresses
2. the number of IPs in the list exactly matches the master count
This is problematic while masters are in the process of starting
because it causes frequent updates to the kubernetes endpoints until
all masters have started and added themselves to the list.
checkEndpointSubsetFormat should report success if the current
master's IP is found and the count of addresses is less than or equal
to the expected count.
Dr. Stefan Schimanski