How to disable port probes for AKS LoadBalancer?

1/18/2019

I'm trying to deploy an ftp server image in Azure AKS. To expose the server to public, I've added a service of type LoadBalancer.

apiVersion: v1
kind: Service
metadata:
  name: test-import-ftp
  namespace: staging
spec:
  loadBalancerIP: 168.63.x.x
  type: LoadBalancer
  ports:
  - port: 21
    name: ftp-control
    targetPort: 21
  - port: 50000
    name: ftp-data-0
  - port: 50001
    name: ftp-data-1
  - port: 50002
    name: ftp-data-2
  - port: 50003
    name: ftp-data-3
  - port: 50004
    name: ftp-data-4
  - port: 50005
    name: ftp-data-5
  - port: 50006
    name: ftp-data-6
  - port: 50007
    name: ftp-data-7
  - port: 50008
    name: ftp-data-8
  - port: 50009
    name: ftp-data-9
  selector:
    app: test-import-ftp

It works fine for the control port but not for the data ports. The reason is that it configures probes for all ports, and FTP servers don't listen on data ports. These ports will be opened "on demand".

How can I disable health checks for data ports?

-- Christoph Lütjen
azure
azure-aks
azure-kubernetes
azure-load-balancer
kubernetes

2 Answers

1/18/2019

AFAIK, you cannot disable health checks, but you can make them work with FTP servers.

Adapt your configuration like so:

[...]
spec:
  loadBalancerIP: 168.63.x.x
  type: LoadBalancer
  healthCheckNodePort: 30021
  externalTrafficPolicy: Local
  ports: [...]

So, you need to set healthCheckNodePort to a port in the legal nodePort range, and set externalTrafficPolicy to Local.

This will make the service open up a nodePort, and the LoadBalancer will now only check that port to determine availability. The drawback is that your health check now only checks that the node is up, not that the ftp service is running.

For this to work, you MUST set externalTrafficPolicy to Local. This means that the container will see the actual client source IP as the traffic source, not the internal Kubernetes source. Adjust any of your service settings accordingly. For FTP, however, this is desirable, as it allows the server to check that a passive data connection attempt is done by the same client as the original control connection.

See https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/, section "Preserving the client source IP"

-- adhominem
Source: StackOverflow
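The following is an added example, not code from the question or either answer. It models the probe behaviour the answer describes for a Service manifest: with externalTrafficPolicy left at its default (Cluster) the Azure cloud provider creates one load-balancer probe per exposed port, so passive FTP data ports that nothing listens on fail their probe; with externalTrafficPolicy: Local the balancer probes only healthCheckNodePort, which kube-proxy serves on every node. The 30000-32767 NodePort range is the Kubernetes default and is an assumption about the cluster; the ftp_service() builder reconstructs the question's manifest minus the elided loadBalancerIP.

```python
"""Audit a LoadBalancer Service for ports that will fail load-balancer probes.

Added example (not from the Stack Overflow post). Input is a Service object as
a dict, e.g. the result of `kubectl get svc -n staging test-import-ftp -o json`.
"""
import json

# Default Kubernetes NodePort range; assumption, clusters can override it.
NODEPORT_MIN, NODEPORT_MAX = 30000, 32767


def plan_probes(service, listening_ports):
    """Describe which ports the load balancer will probe and what will break.

    listening_ports is the set of service ports the backend always listens on
    (for FTP that is the control port only; passive data ports open on demand).
    """
    spec = service.get("spec", {})
    problems = []
    if spec.get("type") != "LoadBalancer":
        problems.append("service type is %r, not LoadBalancer" % spec.get("type"))
    ports = [p["port"] for p in spec.get("ports", [])]
    policy = spec.get("externalTrafficPolicy", "Cluster")

    if policy == "Local":
        # Only the kube-proxy health-check port is probed; the FTP ports are not.
        hc_port = spec.get("healthCheckNodePort")
        if hc_port is None:
            problems.append("healthCheckNodePort not pinned; the API server "
                            "will allocate one from the NodePort range")
        elif not NODEPORT_MIN <= hc_port <= NODEPORT_MAX:
            problems.append("healthCheckNodePort %d is outside %d-%d"
                            % (hc_port, NODEPORT_MIN, NODEPORT_MAX))
        return {"mode": "node-health",
                "probes": [hc_port] if hc_port is not None else [],
                "problems": problems}

    # Cluster policy: one probe per exposed port. Any port without a permanent
    # listener is reported unhealthy, which is exactly the FTP data-port failure.
    for port in ports:
        if port not in listening_ports:
            problems.append("port %d is probed but has no permanent listener" % port)
    return {"mode": "per-port", "probes": ports, "problems": problems}


def ftp_service(policy=None, hc_port=None):
    """Rebuild the question's Service (constructed; loadBalancerIP omitted)."""
    ports = [{"port": 21, "name": "ftp-control", "targetPort": 21}]
    ports += [{"port": 50000 + i, "name": "ftp-data-%d" % i} for i in range(10)]
    spec = {"type": "LoadBalancer", "ports": ports,
            "selector": {"app": "test-import-ftp"}}
    if policy is not None:
        spec["externalTrafficPolicy"] = policy
    if hc_port is not None:
        spec["healthCheckNodePort"] = hc_port
    return {"apiVersion": "v1", "kind": "Service",
            "metadata": {"name": "test-import-ftp", "namespace": "staging"},
            "spec": spec}


if __name__ == "__main__":
    # Before: the manifest from the question, FTP listening on 21 only.
    print(json.dumps(plan_probes(ftp_service(), {21}), indent=2))
    # After: the answer's fix, single node-level probe on 30021.
    print(json.dumps(plan_probes(ftp_service("Local", 30021), {21}), indent=2))
```

Running it on the original manifest lists ten data ports that will be probed without a listener; on the fixed manifest it reports a single probe on 30021 and no problems, which also makes the answer's caveat explicit: that probe only proves kube-proxy on the node is healthy, not that the FTP daemon is.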

1/18/2019

That's not possible. You can go and manually switch those listeners to use a probe that's scanning port 21, but looking at the code it might amend your manual changes on the next service update.

You can check all the available annotations: https://github.com/kubernetes/kubernetes/blob/master/pkg/cloudprovider/providers/azure/azure_loadbalancer.go

-- 4c74356b41
Source: StackOverflow