2

I'm trying to deploy an ftp server image in Azure AKS. To expose the server to public, I've added a service of type LoadBalancer.

apiVersion: v1
kind: Service
metadata:
  name: test-import-ftp
  namespace: staging
spec:
  loadBalancerIP: 168.63.x.x
  type: LoadBalancer
  ports:
  - port: 21
    name: ftp-control
    targetPort: 21
  - port: 50000
    name: ftp-data-0
  - port: 50001
    name: ftp-data-1
  - port: 50002
    name: ftp-data-2
  - port: 50003
    name: ftp-data-3
  - port: 50004
    name: ftp-data-4
  - port: 50005
    name: ftp-data-5
  - port: 50006
    name: ftp-data-6
  - port: 50007
    name: ftp-data-7
  - port: 50008
    name: ftp-data-8
  - port: 50009
    name: ftp-data-9
  selector:
    app: test-import-ftp

It works fine for the control port but not for the data ports. The reason is that it configures probes for all ports, and FTP servers don't listen on data ports; these ports are opened "on demand".

How can I disable health checks for data ports?

Christoph Lütjen
  • Try healthCheckNodePort: 21. Maybe it is supported by Azure. Doc: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip – Jan Garaj Jan 18 '19 at 12:17
  • @JanGaraj - thx, saw it but docs say "It only has an effect when … externalTrafficPolicy is set to “Local”" and I think that's not what I have? Also I normally don't know the nodePort - or should I know? – Christoph Lütjen Jan 18 '19 at 12:23

2 Answers

6

AFAIK, you cannot disable health checks, but you can make them work with FTP servers.

Adapt your configuration like so:

[...]
spec:
  loadBalancerIP: 168.63.x.x
  type: LoadBalancer
  healthCheckNodePort: 30021
  externalTrafficPolicy: Local
  ports: [...]

So, you need to set healthCheckNodePort to a port in the legal nodePort range, and set externalTrafficPolicy to Local.

This will make the service open up a nodePort, and the LoadBalancer will now only check that port to determine availability. The drawback is that your health check now only checks that the node is up, not that the ftp service is running.

For this to work, you MUST set externalTrafficPolicy to Local. This means that the container will see the actual client source ip as the traffic source, not the internal kubernetes source. Adjust any of your service settings accordingly. For FTP, however, this is desirable, as it allows the server to check that a passive data connection attempt is done by the same client as the original control connection.

See https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/, section "Preserving the client source IP"

adhominem
  • Ok, but I assume "somewhere" I have to define that nodePort 30021 is mapped to my pods port 21? – Christoph Lütjen Jan 18 '19 at 16:40
  • No. The nodePort is open on the node, not on the pod. It is not mapped to anything. All the load balancer now does is check that the node lives. – adhominem Jan 18 '19 at 16:46
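The conditions the accepted answer relies on (externalTrafficPolicy set to Local, healthCheckNodePort in the legal nodePort range, control port plus a contiguous block of passive data ports) can be checked before applying a manifest. The script below is an added example, not code from the original post; the manifest it checks is a constructed copy of the service in the question, and the 30000-32767 range is the kube-apiserver default, which a cluster may override.

```python
import copy

# Default kube-apiserver --service-node-port-range; adjust if your cluster changes it.
NODE_PORT_MIN, NODE_PORT_MAX = 30000, 32767

# Constructed manifest mirroring the service in the question (control port 21
# plus ten passive data ports); not taken from a live cluster.
FTP_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "test-import-ftp", "namespace": "staging"},
    "spec": {
        "type": "LoadBalancer",
        "ports": [{"port": 21, "name": "ftp-control", "targetPort": 21}]
        + [{"port": 50000 + i, "name": "ftp-data-%d" % i} for i in range(10)],
        "selector": {"app": "test-import-ftp"},
    },
}


def check_ftp_service(svc):
    """Return a list of findings; an empty list means the load balancer will
    probe only healthCheckNodePort instead of every (mostly closed) data port."""
    findings = []
    spec = svc.get("spec", {})
    if spec.get("type") != "LoadBalancer":
        findings.append("spec.type must be LoadBalancer")
    policy = spec.get("externalTrafficPolicy", "Cluster")  # Cluster is the default
    if policy != "Local":
        findings.append("externalTrafficPolicy is %s; healthCheckNodePort only applies with Local" % policy)
    hc = spec.get("healthCheckNodePort")
    if hc is None:
        findings.append("healthCheckNodePort unset; the LB will probe each data port")
    elif not NODE_PORT_MIN <= hc <= NODE_PORT_MAX:
        findings.append("healthCheckNodePort %d outside %d-%d" % (hc, NODE_PORT_MIN, NODE_PORT_MAX))
    ports = [p.get("port") for p in spec.get("ports", [])]
    if 21 not in ports:
        findings.append("no control port 21 declared")
    data = sorted(p for p in ports if p != 21)
    # Passive data ports must form one contiguous block matching the server's passive range.
    if data and data != list(range(data[0], data[0] + len(data))):
        findings.append("data ports are not a contiguous range")
    return findings


def harden(svc, health_check_node_port=30021):
    """Return a copy with the two settings from the accepted answer applied."""
    fixed = copy.deepcopy(svc)
    fixed["spec"]["externalTrafficPolicy"] = "Local"
    fixed["spec"]["healthCheckNodePort"] = health_check_node_port
    return fixed


if __name__ == "__main__":
    for name, svc in (("original", FTP_SERVICE), ("hardened", harden(FTP_SERVICE))):
        print(name, check_ftp_service(svc) or "OK")
```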
1

That's not possible. You can go and manually switch those listeners to use a probe that scans port 21, but looking at the code, it might amend your manual changes on the next service update.

you can check all the available annotations: https://github.com/kubernetes/kubernetes/blob/master/pkg/cloudprovider/providers/azure/azure_loadbalancer.go

4c74356b41
  • Thanks. I manually changed it to check if probes are my problem but as you said, I fear that it will reset the setting and - it takes about 2 minutes per port to change it - I need about 200 ports. Is there perhaps a better approach for deploying services with "on demand ports" in aks? – Christoph Lütjen Jan 18 '19 at 12:31
  • You can create a script that would change all those in a minute. Sorry, I'm not aware if there is such a mechanism. Maybe it exists, but I'm not aware of it. – 4c74356b41 Jan 18 '19 at 12:36