Allow specifying ExternalTrafficPolicy for ClusterIP Services with ExternalIPs

When defining a ClusterIP Service, we can specify externalIP, and the
traffic policy of externalIP is subject to externalTrafficPolicy.
However, the policy can't be set when type is not NodePort or
LoadBalancer, and will default to Cluster when kube-proxy processes the
Service.

This commit updates the defaulting and validation of Service to allow
specifying ExternalTrafficPolicy for ClusterIP Services with
ExternalIPs.

Signed-off-by: Quan Tian <qtian@vmware.com>

pkg/api/service/util.go

@@ -67,6 +67,13 @@ func GetLoadBalancerSourceRanges(service *api.Service) (utilnet.IPNetSet, error)
 	return ipnets, nil
 }
 
+// ExternallyAccessible checks if service is externally accessible.
+func ExternallyAccessible(service *api.Service) bool {
+	return service.Spec.Type == api.ServiceTypeLoadBalancer ||
+		service.Spec.Type == api.ServiceTypeNodePort ||
+		(service.Spec.Type == api.ServiceTypeClusterIP && len(service.Spec.ExternalIPs) > 0)
+}
+
 // RequestsOnlyLocalTraffic checks if service requests OnlyLocal traffic.
 func RequestsOnlyLocalTraffic(service *api.Service) bool {
 	if service.Spec.Type != api.ServiceTypeLoadBalancer &&

pkg/api/service/util_test.go

@@ -129,6 +129,49 @@ func TestAllowAll(t *testing.T) {
 	checkAllowAll(true, "192.168.0.1/32", "0.0.0.0/0")
 }
 
+func TestExternallyAccessible(t *testing.T) {
+	checkExternallyAccessible := func(expect bool, service *api.Service) {
+		res := ExternallyAccessible(service)
+		if res != expect {
+			t.Errorf("Expected ExternallyAccessible = %v, got %v", expect, res)
+		}
+	}
+
+	checkExternallyAccessible(false, &api.Service{})
+	checkExternallyAccessible(false, &api.Service{
+		Spec: api.ServiceSpec{
+			Type: api.ServiceTypeClusterIP,
+		},
+	})
+	checkExternallyAccessible(true, &api.Service{
+		Spec: api.ServiceSpec{
+			Type:        api.ServiceTypeClusterIP,
+			ExternalIPs: []string{"1.2.3.4"},
+		},
+	})
+	checkExternallyAccessible(true, &api.Service{
+		Spec: api.ServiceSpec{
+			Type: api.ServiceTypeLoadBalancer,
+		},
+	})
+	checkExternallyAccessible(true, &api.Service{
+		Spec: api.ServiceSpec{
+			Type: api.ServiceTypeNodePort,
+		},
+	})
+	checkExternallyAccessible(false, &api.Service{
+		Spec: api.ServiceSpec{
+			Type: api.ServiceTypeExternalName,
+		},
+	})
+	checkExternallyAccessible(false, &api.Service{
+		Spec: api.ServiceSpec{
+			Type:        api.ServiceTypeExternalName,
+			ExternalIPs: []string{"1.2.3.4"},
+		},
+	})
+}
+
 func TestRequestsOnlyLocalTraffic(t *testing.T) {
 	checkRequestsOnlyLocalTraffic := func(requestsOnlyLocalTraffic bool, service *api.Service) {
 		res := RequestsOnlyLocalTraffic(service)

pkg/api/v1/service/util.go

@@ -67,10 +67,16 @@ func GetLoadBalancerSourceRanges(service *v1.Service) (utilnet.IPNetSet, error)
 	return ipnets, nil
 }
 
-// ExternalPolicyLocal checks if service has ETP = Local.
+// ExternallyAccessible checks if service is externally accessible.
+func ExternallyAccessible(service *v1.Service) bool {
+	return service.Spec.Type == v1.ServiceTypeLoadBalancer ||
+		service.Spec.Type == v1.ServiceTypeNodePort ||
+		(service.Spec.Type == v1.ServiceTypeClusterIP && len(service.Spec.ExternalIPs) > 0)
+}
+
+// ExternalPolicyLocal checks if service is externally accessible and has ETP = Local.
 func ExternalPolicyLocal(service *v1.Service) bool {
-	if service.Spec.Type != v1.ServiceTypeLoadBalancer &&
-		service.Spec.Type != v1.ServiceTypeNodePort {
+	if !ExternallyAccessible(service) {
 		return false
 	}
 	return service.Spec.ExternalTrafficPolicy == v1.ServiceExternalTrafficPolicyLocal

pkg/api/v1/service/util_test.go

@@ -129,6 +129,49 @@ func TestAllowAll(t *testing.T) {
 	checkAllowAll(true, "192.168.0.1/32", "0.0.0.0/0")
 }
 
+func TestExternallyAccessible(t *testing.T) {
+	checkExternallyAccessible := func(expect bool, service *v1.Service) {
+		res := ExternallyAccessible(service)
+		if res != expect {
+			t.Errorf("Expected ExternallyAccessible = %v, got %v", expect, res)
+		}
+	}
+
+	checkExternallyAccessible(false, &v1.Service{})
+	checkExternallyAccessible(false, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeClusterIP,
+		},
+	})
+	checkExternallyAccessible(true, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type:        v1.ServiceTypeClusterIP,
+			ExternalIPs: []string{"1.2.3.4"},
+		},
+	})
+	checkExternallyAccessible(true, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeLoadBalancer,
+		},
+	})
+	checkExternallyAccessible(true, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeNodePort,
+		},
+	})
+	checkExternallyAccessible(false, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeExternalName,
+		},
+	})
+	checkExternallyAccessible(false, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type:        v1.ServiceTypeExternalName,
+			ExternalIPs: []string{"1.2.3.4"},
+		},
+	})
+}
+
 func TestExternalPolicyLocal(t *testing.T) {
 	checkExternalPolicyLocal := func(requestsOnlyLocalTraffic bool, service *v1.Service) {
 		res := ExternalPolicyLocal(service)
@@ -144,6 +187,26 @@ func TestExternalPolicyLocal(t *testing.T) {
 			Type: v1.ServiceTypeClusterIP,
 		},
 	})
+	checkExternalPolicyLocal(false, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type:        v1.ServiceTypeClusterIP,
+			ExternalIPs: []string{"1.2.3.4"},
+		},
+	})
+	checkExternalPolicyLocal(false, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type:                  v1.ServiceTypeClusterIP,
+			ExternalIPs:           []string{"1.2.3.4"},
+			ExternalTrafficPolicy: v1.ServiceExternalTrafficPolicyCluster,
+		},
+	})
+	checkExternalPolicyLocal(true, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type:                  v1.ServiceTypeClusterIP,
+			ExternalIPs:           []string{"1.2.3.4"},
+			ExternalTrafficPolicy: v1.ServiceExternalTrafficPolicyLocal,
+		},
+	})
 	checkExternalPolicyLocal(false, &v1.Service{
 		Spec: v1.ServiceSpec{
 			Type: v1.ServiceTypeNodePort,