-
Notifications
You must be signed in to change notification settings - Fork 39.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should pod IP be immutable? #108281
Comments
/assign @kubernetes/api-reviewers |
The status is intentionally mutable. I'll defer to @kubernetes/sig-network-api-reviews on whether there are known/expected scenarios where the IP changes during a pod's lifetime. Write access to pod status is only granted to system components like scheduler, kubelets, and node-controller by default. Cluster superusers can also write to status but are also able to do disruptive things to cluster objects. |
@shyamjvs: This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This conversation is related to this topic, specially interesting this comment from @smarterclayton
|
I recommend opening a documentation issue about making this behavior / risk clear to readers. |
Separately, does anyone want to suggest a feature gate that people can disable if they want to make Pod IP assignments immutable? |
yeah, I was going through the code and I still don't have clear all the ramifications of this, host-network and network pods behave differently, there are also a lot of things that depend on the podIPs that are only created at start time , like environment variables and /etc/hosts file on the pods.
@thockin @khenidak this was discussed on the latest sig-network meeting, the doubt we had is what happens to the host network pods if the kubelet restarts kubernetes/pkg/kubelet/kubelet_pods.go Lines 1507 to 1528 in 296bf4f
I think kubelet rebuilds the current status, and the host network pods reflect the right IPs ... that I think is the correct behavior, otherwise, |
This is by design, for the following reason: Pod API object is tied to a sandbox (network namespace) on a node. The sandbox itself can restart/crash/deleted and come back with a different IPs. Node restart will cause recreation of sandboxes and hence new set of IPs. The pod object itself didn't change but its representation on the node (aka status) has changed. What you are seeing is kubelet figuring api-server pod.status.IPs != curret-IPs so it must be patched. As for risks, I don't think there are any per-se because everything that operates on PodIPs is designed with mutability in mind. Specifically DNS, Endpoint, and EndpointSlice controllers. The comment made by @aojea above is related to host-net pod and the impact of a node changing its IP (and thus pod IPs much change as well) today we don't do that and we want to. |
100%
I don't think we should do that. If you have untrusted actors setting that
I don't think we are really saying that the IP can change underneath a running
Exactly. Consider:
|
Closing for now - working as intended |
What happened?
Today in k8s the IP assigned to a pod, which is a part of the pod status, is mutable. Changing the field through
kubectl edit
doesn't seem to take effect, but the object can be changed through a json patch directly (more under repro steps below). While the IP is again reset back to the original value as part of the next pod status update (done by kubelet periodically), the change itself goes through.I've cut this issue to understand the reason (if there's one) for letting the pod IP be mutable even after the value is set initially as part of pod creation. For e.g is it allowed to change through the lifetime of a pod?
/sig network
/sig api-machinery
What did you expect to happen?
Pod IP shouldn't have changed on attempting the patch. Maybe the API call itself should've been rejected?
How can we reproduce it (as minimally and precisely as possible)?
Typically within few seconds, the IP is again reset back to the original value as part of kubelet's periodic pod status update. But the changed value is present in the interim.
Anything else we need to know?
No response
Kubernetes version
Not version-specific AFAIU.
Cloud provider
N/A
OS version
Install tools
Container runtime (CRI) and and version (if applicable)
Related plugins (CNI, CSI, ...) and versions (if applicable)
The text was updated successfully, but these errors were encountered: