Corner Case: upstream name duplication causing ingress pointing to wrong service [following issue template] #11938
Comments
k8s-ci-robot
added
the
needs-triage
|
This issue is currently awaiting triage. If Ingress contributors determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@Revolution1 this is a community project so even if bot requested information, you can help others in the community, by providing detailed information, so others can help you better.
|
|
@longwuyuan Anyways, thank you for paying attention. 🙏 |
|
/remove-kind bug |
k8s-ci-robot
added
needs-kind
|
This bug not related to what hostname or path you use, it's only related to servicename and serviceportname. |
|
@Revolution1 I cc'd another contributor
|
|
Maybe the way how it was reproduced looks quite confusing So:
Because that makes
Because in realife, I have:
So then I have 2 ingresses, one points to the old pod, another points to the new pod-container1. # ingress that points to pod
host: fasdfsadfsf
- path: /
backend:
service:
name: pod
port:
name: container1-rpc
# ingress that points to pod-container1
host: wqeqweqwe
- path: /
backend:
service:
name: pod-container1
port:
name: rpcI set nginx ingressClass as my default ingress class, so I omit the ingressClassName, which is irrelevant to this issue. |
|
to fix this bug, just need to modify this file ingress-nginx/internal/ingress/controller/util.go and change one character, like this way: // upstreamName returns a formatted upstream name based on namespace, service, and port
func upstreamName(namespace string, service *networking.IngressServiceBackend) string {
if service != nil {
if service.Port.Number > 0 {
return fmt.Sprintf("%s-%s-%d", namespace, service.Name, service.Port.Number)
}
if service.Port.Name != "" {
// return fmt.Sprintf("%s-%s-%s", namespace, service.Name, service.Port.Name)
return fmt.Sprintf("%s-%s_%s", namespace, service.Name, service.Port.Name)
}
}
return fmt.Sprintf("%s-INVALID", namespace)
} |
|
I may be asking a dumb question here but the reproduce manifest you posted, names the same port number 80 repeatedly. So are you naming the same port number in your real life also ? Or is it different port numbers ? |
|
When the 2 containers are in the same Pod, of course they can only be different port numbers, but same purpose (like rpc, metrics, admin etc.) so we name it by containername-purpose When separated, same port, same name. |
|
I understand that my manifest, especially the naming, looks very confusing. But since these are leagal ingresses and a real-life case, I think it definently need to be fixed. |
|
If a user does not try to give 2 names to same port number then there is no bug ? And your design of your K8S gives 2 different names to same port number ? And you want to use 2 different names for the same port-number concurrently on the same cluster ? So that you can use same port number on 2 different pods, with different unique portnames for each pod (when the actual port number behind those names is the same port number) ? |
|
You can't predict what user inputs, any corner case that's no covered, can call it a bug. We don't usually design that way, it's can be considered a coinsidence on the way of our infra evolution, but indeed a real-life case. Port number does not mean anything, we name ports by their usage. Thus naming a port number with diffrent names is very common. Like 8080 can be HTTP, GRPC, Metrics or whatever. |
|
@Revolution1, thanks for the info. Readers can get a better idea with these info. Basically complexity exists in this project as well and resources are acute shortage. With the information details, the action items become a little more clear. Prioritising becomes a little more possible. I hope you can just make a comment if you are using 2 names for one single port-number ? If yes, then please confirm that based on this requirement of yours, you feel that this is a bug, that the function This kind f summary helps readers and maintainers. |
|
@longwuyuan OK. So, in short: When there are 2 or more DIFFERENT backends of ingress(es)
It will make the upstream in rendered nginx.conf and backend object have the same name, therefore nginx cannot tell the differents between these backends, they will be ended up pointing the same backend (randomly one of them) The effect is service name and port name combined output, not just because "using 2 names for one single port-number". |
|
This is 10000% a bug, don't remove the tag. |
|
Thanks @Revolution1 for the comments. You can apply the label yourself, if you feel better not to wait for the triaging to be completed (or if you think triaging is already completed). I am going to be very very specific. Based on the criteria for the bug that you typed, see below question. And i get the correct How do you explain this ? |
|
|
|
It seems you did not answer my very clear and very specific question. This is a comment on the problem config varied between your test and m test. Its obvious. Let me ask again. My test meets your criteria.
|
|
N(>1) different ingress backends should generate N different upstreams in nginx. |
|
/kind bug |
k8s-ci-robot
added
kind/bug
@Revolution1 My test generated 2 (N) different upstreams in nginx. There are no duplicates. The proof is right there in the details of my test ; So please help out and explain your claim that its generating duplicates. |
|
@Revolution1 your test manifest runs busybox with netcat which is not really a webserver. The relevance here is that the default backend-protocol used is HTTP. So I recreated the test with webserver pods (nginx & tomcat). And my test shows no duplicates in upstream-name. |
|
This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach |
github-actions
bot
added
the
lifecycle/frozen
What happened: HTTP returns content from a wrong backend
What you expected to happen: HTTP returns content from a correct backend which the ingress is configured.
What do you think went wrong?:
links to #11937
func upstreamNameoutputs the same upstream name for different ingress backend.NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):
v1.11.1 (and the latest main)
Kubernetes version (use
kubectl version):Environment:
Cloud provider or hardware configuration: local
OS (e.g. from /etc/os-release): wsl ubuntu
Kernel (e.g.
uname -a):Install tools:
Please mention how/where was the cluster created like kubeadm/kops/minikube/kind etc.Basic cluster related info:Linux 5.15.146.1-microsoft-standard-WSL2 Basic structure #1 SMP Thu Jan 11 04:09:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
kubectl versionkubectl get nodes -o wideHow was the ingress-nginx-controller installed:
helm ls -A | grep -i ingresshelm -n <ingresscontrollernamespace> get values <helmreleasename>Current State of the controller:
kubectl describe ingressclasseskubectl -n <ingresscontrollernamespace> get all -o widekubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>Current state of ingress object, if applicable:
kubectl -n <appnamespace> get all,ing -o widekubectl -n <appnamespace> describe ing <ingressname>Others:
The full manifests that reproduce this problem:
How to reproduce this issue:
$ curl example.local/service1 Responsing From: pod1 $ curl example.local/service2 Responsing From: pod1 # expected: Responsing From: pod2The text was updated successfully, but these errors were encountered: