-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
apps wc: Fixed network policy to always allow ingress probe #2284
Conversation
Could you explain why this is only needed for the workload cluster? I would have assumed that the ingress healthcheck is done the same way for both clusters? |
Is this related to the sc→wc probes? |
As @Zash mentions, this is for the sc -> wc probes. So when we use the "new" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Talked offline. I was worried that this would make us miss unnecessary extra hops inside the cluster for ingress traffic. This actually seem to already be the case because we do not make use externalTrafficPolicy: "Local"
which we likely should be able to (since the external loadbalancers should only target nodes that runs the ingress-nginx controller).
I'm fine with merging this now but I'd like this to be removed if we are able to use externalTrafficPolicy: "Local"
instead to prevent in-cluster routing for ingress traffic. Maybe add a TODO comment to re-evaluate this?
38ab1e1
to
a4fdac6
Compare
Warning
This is a public repository, ensure not to disclose:
What kind of PR is this?
Required: Mark one of the following that is applicable:
Optional: Mark one or more of the following that are applicable:
Important
Breaking changes should be marked
kind/admin-change
orkind/dev-change
depending on typeCritical security fixes should be marked with
kind/security
What does this PR do / why do we need this PR?
...
Information to reviewers
On clusters that didn't use host port for nginx, the ingress to nginx health didn't always work (If the request was bounced between nodes). This fixes that.
Checklist
NetworkPolicy Dashboard