Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add the way to scrape kubelet metrics via kube-apiserver network proxy. #1246

Open
cndoit18 opened this issue Apr 13, 2023 · 10 comments
Open

Add the way to scrape kubelet metrics via kube-apiserver network proxy. #1246

cndoit18 opened this issue Apr 13, 2023 · 10 comments
Assignees
@yangjunmyfm192085
Labels
kind/feature Categorizes issue or PR as related to a new feature. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@cndoit18
Copy link

cndoit18 commented Apr 13, 2023
edited
Loading

What would you like to be added:

Add the way to scrape kubelet metrics via kube-apiserver network proxy.

Why is this needed:

The current kubelet scraping is not suitable for situations where the master network and the node network are isolated.

https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/1281-network-proxy#proposal

/kind feature
@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 13, 2023
@yangjunmyfm192085
Copy link
Contributor

metrics-serverscrapes data from kubelet directly .
may be It is also an good option to support data fetching through apiserver network proxy.
I think it's worth , and it shouldn't affect performance.

@yangjunmyfm192085
Copy link
Contributor

/assign

@serathius
Copy link
Contributor

serathius commented Apr 14, 2023
edited
Loading

As it was discovered by Prometheus community, apiserver proxy was not designed to handle large traffic like metrics collection. I would be opposed to this idea if there are no other arguments then "it should do it". Even in the proxy design it mentioned that for performance proxy should be bypassed.

@cndoit18
Copy link
Author

cndoit18 commented Apr 14, 2023
edited
Loading

As it was discovered by Prometheus community, apiserver proxy was not designed to handle large traffic like metrics collection. I would be opposed to this idea if there are no other arguments then "it should do it". Even in the proxy design it mentioned that for performance proxy should be bypassed.

In our use case, we deploy both the metrics-server and HPA on the master, while the actual business logic runs on the node. However, these two networks are isolated, which prevents us from using the HPA. therefore, we want to add a functional switch that can be used to get the metrics through the tunnel.

@serathius
Copy link
Contributor

This is a bad idea due to blast radius. Sharing konnectivity proxy between apiserver and proxy could result in metrics-server starving your apiserver connections. Metrics server traffic is very very very bursty and as it was not designed to work through proxy. It has high chance of interrupting your apiserver webhook execution and taking down whole cluster. I would strongly recommend to not bind reliability of critical components like apiserver with non-critical one like metrics-server.

/cc @mborsz

Fact that you can configure your K8s cluster like this doesn't mean you should.

@cndoit18
Copy link
Author

This is a bad idea due to blast radius. Sharing konnectivity proxy between apiserver and proxy could result in metrics-server starving your apiserver connections. Metrics server traffic is very very very bursty and as it was not designed to work through proxy. It has high chance of interrupting your apiserver webhook execution and taking down whole cluster. I would strongly recommend to not bind reliability of critical components like apiserver with non-critical one like metrics-server.

/cc @mborsz

Fact that you can configure your K8s cluster like this doesn't mean you should.

Is it possible to explore an alternative solution by supporting a connection to konnectivity-server, rather than using kube-apiserver, to address this issue?

@serathius
Copy link
Contributor

serathius commented May 24, 2023
edited
Loading

Is it possible to explore an alternative solution by supporting a connection to konnectivity-server, rather than using kube-apiserver, to address this issue?

As long as information on how to connect to Kubelet via konnectivity-server is published on Kubernetes Node object. This is how it currently works that Kubelet publishes it's address to Node object status and metrics server just reads it. It allows Kubelet to publish both InternalIP and externalIP and metrics server have a flag to pick which it should use.

@dashpole
Copy link

/triage accpeted

@k8s-ci-robot
Copy link
Contributor

@dashpole: The label(s) triage/accpeted cannot be applied, because the repository doesn't have them.

In response to this:

/triage accpeted

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@dashpole
Copy link

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Aug 10, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@yangjunmyfm192085 yangjunmyfm192085

Labels
kind/feature Categorizes issue or PR as related to a new feature. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@dashpole @serathius @k8s-ci-robot @cndoit18 @yangjunmyfm192085