kubernetes: ServicePort -> DNS SRV does not allow services with same name but different protocol
What happened:
Creating a service with two ports that have the same name, but different protocol, fails:
$ cat service-test.yaml
apiVersion: v1
kind: Service
metadata:
name: service-test
labels:
app: service-test
spec:
selector:
app: service-test
clusterIP: None
ports:
- name: ldap
protocol: TCP
port: 389
- name: kerberos
protocol: TCP
port: 88
- name: kerberos
protocol: UDP
port: 88
$ oc replace -f service-test.yaml
The Service "service-test" is invalid:
spec.ports[2].name: Duplicate value: "kerberos"
This is an important use case for some applications, and the limitation is surprising. More information in my blog post: https://frasertweedale.github.io/blog-redhat/posts/2020-12-08-k8s-srv-limitation.html#kubernetes-srv-limitation
What you expected to happen:
Such Service objects should be accepted, and should result in the creation of the corresponding DNS SRV records that have the same service name, but different protocol ID, e.g., from the object above:
_ldap._tcp.<service>.<ns>.svc.<zone>. ...
_kerberos._tcp.<service>.<ns>.svc.<zone>. ...
_kerberos._udp.<service>.<ns>.svc.<zone>. ...
How to reproduce it (as minimally and precisely as possible):f
As shown above.
Anything else we need to know?:
I’m happy to file a KEP if it is deemed necessary. However, all that is required conceptually is to relax the uniqueness check to the name/protocol pairs instead of service name only. I hope it could be addressed without adding new fields, i.e. aligning the ServicePort semantics with the established semantics of SRV records.
Environment:
- Kubernetes version (use
kubectl version):
Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.2+ad738ba", GitCommit:"ad738ba548b6d6b5cd2e83351951ccd7019afa4c", GitTreeState:"clean", BuildDate:"2020-11-25T00:18:44Z", GoVersion:"go1.15.2", Compiler:"gc", Platform:"linux/amd64"}
-
Cloud provider or hardware configuration:
-
OS (e.g:
cat /etc/os-release):
sh-4.4# cat /etc/os-release
NAME="Red Hat Enterprise Linux CoreOS"
VERSION="47.83.202011252347-0"
VERSION_ID="4.7"
OPENSHIFT_VERSION="4.7"
RHEL_VERSION="8.3"
PRETTY_NAME="Red Hat Enterprise Linux CoreOS 47.83.202011252347-0 (Ootpa)"
ID="rhcos"
ID_LIKE="rhel fedora"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::coreos"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="OpenShift Container Platform"
REDHAT_BUGZILLA_PRODUCT_VERSION="4.7"
REDHAT_SUPPORT_PRODUCT="OpenShift Container Platform"
REDHAT_SUPPORT_PRODUCT_VERSION="4.7"
OSTREE_VERSION='47.83.202011252347-0'
-
Kernel (e.g.
uname -a): -
Install tools:
-
Network plugin and version (if this is a network-related bug):
-
Others:
About this issue
- Original URL
- State: open
- Created 4 years ago
- Comments: 43 (25 by maintainers)
From my POV, though I have not tested it (I really have no idea how to build and test Kubernetes locally with my own changes), if you relax the uniqueness constraint from ServicePort “name” to the pair of “name” and “protocol”, that might be enough. It would seem to be backwards compatible, up to any other part of Kubernetes, or third party programs, not handling the possibility of ServicePorts with duplicate names. Certainly there would be no change to the behaviour for any currently-accepted Service spec. If there are other parts of Kubernetes (including docs) that need changing to handle the possibility of duplicate Service name, they can be changed.
But there might not even be much else that needs changing. EndpointPort handles duplicate names fine, as does the OpenShift cluster-dns-operator (or whatever is the component in OpenShift that turns Endpoints into SRV records). See https://frasertweedale.github.io/blog-redhat/posts/2020-12-08-k8s-srv-limitation.html#endpoints-do-not-have-the-limitation for proof.