gateway-api: Missing serviceName behavior
I had another question on how we should handle errors (sorry for all the spam, but implementing is causing me to think about all these edge cases).
If I have an HTTPRoute like the following example, and one of the forwardTos are invalid (say the service is missing from the cluster). The docs say I should raise a ResolvedRefs condition and the route must be dropped.
My question is should the entire route be dropped or just that Match? If I had multiple matches for other paths, I’d ideally want to keep those serving traffic, but looking to be consistent since setting Admitted: false for a partial route also doesn’t make sense.
The Implementation Guide also says we should strive to serve traffic. I did have a quick conversation on Slack with @hbagdi regarding this (https://kubernetes.slack.com/archives/CR0H13KGA/p1612459180030400), so wanted to see what others thought on how to handle.
If the referent cannot be found, the route must be dropped from the Gateway. The controller should raise the “ResolvedRefs” condition on the Gateway with the “DegradedRoutes” reason. The gateway status for this route should be updated with a condition that describes the error more specifically.
Example:
kind: HTTPRoute
apiVersion: networking.x-k8s.io/v1alpha1
metadata:
name: http-filter-1
namespace: projectcontour-roots
labels:
type: http
spec:
gateways:
allow: All
hostnames:
- local.projectcontour.io
rules:
- matches:
- path:
type: Prefix
value: /
forwardTo:
- serviceName: validservice # <--- valid serviceName/match
port: 80
- matches:
- path:
type: Prefix
value: /blog
forwardTo:
- serviceName: boohiss # <--- invalid serviceName
port: 80
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Comments: 15 (15 by maintainers)
Commits related to this issue
- Clarify docs on invalid serviceName Fixes https://github.com/kubernetes-sigs/gateway-api/issues/638 — committed to howardjohn/gateway-api by howardjohn 3 years ago
- Clarify docs on invalid serviceName (#756) * Clarify docs on invalid serviceName Fixes https://github.com/kubernetes-sigs/gateway-api/issues/638 * update for comments * Wrap — committed to kubernetes-sigs/gateway-api by howardjohn 3 years ago
For a data point, in Istio we just configure the envoy routes to point to what they told us to, unconditionally. So if the Service is missing (and therefor envoy cluster is missing), you would get some error (503 “NR”). If the Service is present but has no endpoints it would be an error as well (503 “UH”).
This seems like something that would be a huge issue, but surprisingly I don’t recall any instances of this being an issue for folks. I would be a bit worried about transparently dropping parts due to what Rob mentioned (Endpoints that were intended to serve <1% of traffic may end up receiving 100%). If we do this, it also makes implementations more difficult as routing configuration and upstream service configuration cannot be decoupled.
I checked out https://github.com/servicemeshinterface/smi-spec/blob/main/apis/traffic-split/v1alpha3/traffic-split.md and didn’t see any mention one way or the other
Completely understand that. I think it makes the most sense to recommend what @howardjohn suggested above: If a Service/backend does not exist, traffic that would otherwise be destined for it should receive a 503. Does that match up with what others were thinking?
I don’t feel that I understand it enough to write docs @robscott. I understand everyone’s comments, but they don’t all align up with how I understand the API. 😞