Problem
The CCM does not set the ipMode field on LoadBalancerIngress entries. Without this, kube-proxy binds the LoadBalancer IP to every node and intercepts traffic destined for it, bypassing the NodeBalancer entirely for
cluster-internal requests.
This causes a well-known class of failures when proxy protocol is enabled on the NodeBalancer: internal traffic (e.g. cert-manager HTTP01 validation, in-cluster requests to LoadBalancer IPs) reaches the ingress controller
without the expected PROXY protocol header, resulting in broken header errors and failed requests.
See: cert-manager/cert-manager#466
The current workaround is deploying hairpin-proxy, which intercepts DNS and injects PROXY protocol headers for internal traffic. This shouldn't be necessary.
Solution
KEP-1860 added an ipMode field to LoadBalancerIngress with two values:
VIP: kube-proxy binds the LB IP to nodes (current default behavior)Proxy: kube-proxy does not intercept LB traffic, forcing it through the actual LoadBalancer
The CCM should set this field based on proxy protocol configuration. When all ports on a service use proxy protocol, ipMode should be Proxy so that kube-proxy doesn't short-circuit traffic around the NodeBalancer.
Otherwise it should be VIP.
A manual override annotation (service.beta.kubernetes.io/linode-loadbalancer-ip-mode) would also be useful for edge cases.
Reference implementation
I've put together an implementation in this commit that:
- Adds a
getIPMode() helper that auto-detects from proxy protocol config or reads an annotation override
- Sets
IPMode on all LoadBalancerIngress entries in makeLoadBalancerStatus() (all three return paths: hostname-only, IPv6, default)
- Includes tests and documentation
The Kubernetes API types (LoadBalancerIPModeVIP, LoadBalancerIPModeProxy) are already available in the k8s.io/api version used by this project.
Problem
The CCM does not set the
ipModefield onLoadBalancerIngressentries. Without this, kube-proxy binds the LoadBalancer IP to every node and intercepts traffic destined for it, bypassing the NodeBalancer entirely forcluster-internal requests.
This causes a well-known class of failures when proxy protocol is enabled on the NodeBalancer: internal traffic (e.g. cert-manager HTTP01 validation, in-cluster requests to LoadBalancer IPs) reaches the ingress controller
without the expected PROXY protocol header, resulting in
broken headererrors and failed requests.See: cert-manager/cert-manager#466
The current workaround is deploying hairpin-proxy, which intercepts DNS and injects PROXY protocol headers for internal traffic. This shouldn't be necessary.
Solution
KEP-1860 added an
ipModefield toLoadBalancerIngresswith two values:VIP: kube-proxy binds the LB IP to nodes (current default behavior)Proxy: kube-proxy does not intercept LB traffic, forcing it through the actual LoadBalancerThe CCM should set this field based on proxy protocol configuration. When all ports on a service use proxy protocol,
ipModeshould beProxyso that kube-proxy doesn't short-circuit traffic around the NodeBalancer.Otherwise it should be
VIP.A manual override annotation (
service.beta.kubernetes.io/linode-loadbalancer-ip-mode) would also be useful for edge cases.Reference implementation
I've put together an implementation in this commit that:
getIPMode()helper that auto-detects from proxy protocol config or reads an annotation overrideIPModeon allLoadBalancerIngressentries inmakeLoadBalancerStatus()(all three return paths: hostname-only, IPv6, default)The Kubernetes API types (
LoadBalancerIPModeVIP,LoadBalancerIPModeProxy) are already available in the k8s.io/api version used by this project.