LoadBalancer&NodePort service cannot access after upgrade from 1.20 to 1.22

[BSWANG]

What happened?

LoadBalancer&NodePort service cannot access after upgrade from 1.20 to 1.22.
The NodeName field in v1.endpointslice.endpoint missed.

The convertion in apiserver emit the field Topology in v1beta1.endpointslice and not convert to field NodeName in v1.endpointslice.

And the kube-proxy on 1.22 only use the NodeName field to judge whether the endpoint is Local. So kube-proxy on each node removed the endpoint from NodePort. Then LoadBalancer&NodePort network broken.

What did you expect to happen?

The LoadBalancer&NodePort network should not broken duration upgrade.

How can we reproduce it (as minimally and precisely as possible)?

1. Create 1.20 cluster.
2. Craete LoadBalancer Service with ExterernalTrafficPolicy setting to Local
3. Upgrade the cluster.
4. Observe the cluster's LoadBalancer networking.

Anything else we need to know?

No response

Kubernetes version

Details

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.7", GitCommit:"1dd5338295409edcfff11505e7bb246f0d325d15", GitTreeState:"clean", BuildDate:"2021-01-13T13:23:52Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"22+", GitVersion:"v1.22.3-aliyun.1", GitCommit:"7a509a37c6f3b8f82175df3fb149974999882a54", GitTreeState:"clean", BuildDate:"2022-05-24T08:59:55Z", GoVersion:"go1.16.9", Compiler:"gc", Platform:"linux/amd64"}

Cloud provider

Details

alibabacloud

OS version

Details

# On Linux:
$ cat /etc/os-release
# paste output here
$ uname -a
# paste output here

# On Windows:
C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
# paste output here

Install tools

Details

Container runtime (CRI) and version (if applicable)

Details

Related plugins (CNI, CSI, ...) and versions (if applicable)

Details

[BSWANG]

/sig network

[BSWANG]

https://stackoverflow.com/questions/70803653/kube-proxy-upgrade-from-1-21-to-1-22-insert-wrong-iptables-rule

[aojea]

We need a few more details on the reproducer

1. Create 1.20 cluster.
2. Create LoadBalancer Service with ExterernalTrafficPolicy setting to Local
3. Upgrade the cluster.
4. Observe the cluster's LoadBalancer networking.

Are you upgrading directly from 1.20 to 1.22? I don't know if there is something written about that but I don't remember that skipping versions are supported, we should double check it

Precisely, the migration of the topology field was done in 1.21 https://github.com/kubernetes/kubernetes/blob/20deba3dcd274b237d3199fde1d4bb187cc4ee9b/CHANGELOG/CHANGELOG-1.21.md

The EndpointSlice Controllers are now GA. The EndpointSliceController will not populate the deprecatedTopology field and will only provide topology information through the zone and nodeName fields. (#99870, @swetharepakula)

The EndpointSlice API is now GA. The EndpointSlice topology field has been removed from the GA API and will be replaced by a new per Endpoint Zone field. If the topology field was previously used, it will be converted into an annotation in the v1 Resource. The discovery.k8s.io/v1alpha1 API is removed. (#99662, @swetharepakula)

If you can provide a more exact reproducer we should be able to determine if is a real bug or a consequence of a deprecated field

[BSWANG]

@aojea Thank for your reply.
The EndpointSliceNodeName is the migration mechanism in 1.21 version. But EndpointSliceNodeName only take effort on endpointslice changing(Add|Update).

If the upgrade step follow 1.20->1.21->1.22. And we do nothing to make the endpointslice change on the 1.21 stage. The nodename field will still not be populated. And we will also meet this issue after upgraded to 1.22.

The issue on stackoverflow which another one met is from 1.21 to 1.22:
https://stackoverflow.com/questions/70803653/kube-proxy-upgrade-from-1-21-to-1-22-insert-wrong-iptables-rule

[aojea]

@liggitt does it mean that we have to do the same that we did here #108198 on reads?

[BSWANG]

#108198 convert others endpoints on endpointslice updating. IMO, we should convert topology on get&watch to prevent kube-proxy|cloud-controller-manager obtain wrong nodename info.

[liggitt]

I think it means kube-proxy should still be using the topology[hostname] label if the nodeName field is empty (which it dropped in 1.22)

[BSWANG]

I think it means kube-proxy should still be using the topology[hostname] label if the nodeName field is empty

The topology field become deprecated and will be removed someday.

The topology[zone] label will be converted to zone fiele on "get|watch". But topology[hostname] not converted 😅.

https://github.com/kubernetes/kubernetes/blob/master/pkg/apis/discovery/v1beta1/conversion.go#L38-L41

		// Move zone from the topology map into a field
		if zone, ok := in.Topology[corev1.LabelTopologyZone]; ok {
			out.Zone = &zone
			delete(out.DeprecatedTopology, corev1.LabelTopologyZone)
		}