Issue #8833

API Server binds a NodePort (out of the default range) on OpenShift

Added by tumido about 2 months ago. Updated 11 days ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Category: Operator
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version: Master
Platform Release:
OS:
Triaged: No
Groomed: No
Sprint Candidate: No
Tags:
Sprint:
Quarter:

Description

When deploying Pulp via Operator on OpenShift we've encountered an issue [1] with API Server Service resource.

The operator is creating a Service resource that binds nodePort 24817 (specified in [2]). This node port is outside the default Kubernetes/OpenShift range 30000-32767. While changing this range is possible in OCP [3], it requires coordination on multiple levels of cloud operation and goes beyond simple cluster administration: since a nodePort means a real port on each of the nodes, it must be allowed through firewalls across the infrastructure, which makes it especially challenging to deploy on bare metal deployments.

Additionally, binding a nodePort (a physical port on the nodes) makes a resource a singleton on the cluster. No other resource can bind the same port anymore. This makes the Pulp API server Service resource a singleton on the cluster and prevents users from deploying more than one Pulp resource on the whole cluster. I think this is also a very unwanted and undocumented side effect limiting multi-tenancy: while the Pulp resource is a namespaced resource that can be deployed to any namespace, it behaves as a cluster-scoped singleton in the end, because the operator tries to bind the same node port for every Pulp API server Service instance.

[1] https://github.com/operate-first/support/issues/176#issuecomment-848939903
[2] https://github.com/pulp/pulp-operator/blob/221c7652118d6c1c6dcda785fe5d651f14e0b101/roles/pulp-api/templates/pulp-api.service.yaml.j2#L26
[3] https://docs.openshift.com/container-platform/4.7/networking/configuring-node-port-service-range.html
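The two problems described above (a nodePort outside the cluster's service-node-port-range, and a fixed nodePort that turns a namespaced resource into a cluster-wide singleton) can be audited across Service manifests with a small check. This is an added example, not code from pulp-operator; the Service manifests are constructed to mimic the template referenced in [2], and the 30000-32767 range is the kube-apiserver default the report mentions.

```python
"""Audit Kubernetes Service manifests for out-of-range and colliding nodePorts."""
from collections import defaultdict

# Default kube-apiserver --service-node-port-range, as cited in the report.
DEFAULT_RANGE = (30000, 32767)

# Constructed sample: two Pulp instances in different namespaces rendered from a
# template that hard-codes nodePort 24817, one service with an in-range port,
# and one plain ClusterIP service (hypothetical manifests, not operator output).
SERVICES = [
    {"metadata": {"name": "pulp-api-svc", "namespace": "pulp-a"},
     "spec": {"type": "NodePort",
              "ports": [{"port": 24817, "targetPort": 24817, "nodePort": 24817}]}},
    {"metadata": {"name": "pulp-api-svc", "namespace": "pulp-b"},
     "spec": {"type": "NodePort",
              "ports": [{"port": 24817, "targetPort": 24817, "nodePort": 24817}]}},
    {"metadata": {"name": "pulp-web-svc", "namespace": "pulp-c"},
     "spec": {"type": "NodePort",
              "ports": [{"port": 24880, "targetPort": 24880, "nodePort": 31234}]}},
    {"metadata": {"name": "pulp-api-svc", "namespace": "pulp-d"},
     "spec": {"type": "ClusterIP",
              "ports": [{"port": 24817, "targetPort": 24817}]}},
]


def audit_node_ports(services, port_range=DEFAULT_RANGE):
    """Return (namespace/name, finding) tuples for every problematic nodePort."""
    low, high = port_range
    findings = []
    holders = defaultdict(list)  # nodePort -> services that claim it
    for svc in services:
        meta = svc["metadata"]
        ref = f"{meta['namespace']}/{meta['name']}"
        for port in svc["spec"].get("ports", []):
            node_port = port.get("nodePort")
            if node_port is None:
                # ClusterIP, or a NodePort left for the API server to allocate:
                # the cluster picks a free port inside the range, so no finding.
                continue
            holders[node_port].append(ref)
            if not low <= node_port <= high:
                findings.append((ref, f"nodePort {node_port} outside {low}-{high}"))
    # A fixed nodePort claimed by more than one Service is the singleton problem:
    # only the first one to be created can ever bind it.
    for node_port, refs in holders.items():
        if len(refs) > 1:
            for ref in refs:
                findings.append((ref, f"nodePort {node_port} also claimed by {len(refs) - 1} other service(s)"))
    return findings


if __name__ == "__main__":
    for ref, finding in audit_node_ports(SERVICES):
        print(f"{ref}: {finding}")
```

On a live cluster the same function can be fed the `items` list from `kubectl get svc -A -o json`.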

Associated revisions

Revision 4f134106 View on GitHub
Added by chambridge 23 days ago

Use nodeport flow only when defined, otherwise supply svc.cluster.local option

  • Don't attempt nodeport settings if not selected
  • Use status.hostIP from downward API to get node where web pod is running https://stackoverflow.com/a/52047845
  • Only set nodeport for web service
  • Allow user to specify nodeport or take cluster default in range

fixes #8833 https://pulp.plan.io/issues/8833

History

#1 Updated by chambridge 23 days ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to chambridge

#2 Updated by pulpbot 23 days ago

  • Status changed from ASSIGNED to POST

#3 Updated by chambridge 23 days ago

  • Status changed from POST to MODIFIED

#4 Updated by fao89 11 days ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
