
[occm] Add node-address-type annotation to control LB member IP selection #3130

Open
carterpewpew wants to merge 1 commit into kubernetes:master from carterpewpew:fix/occm-node-address-type-annotation


@carterpewpew carterpewpew commented Jun 16, 2026


What this PR does / why we need it:

When nodes have multiple network interfaces, nodeAddressForLB always prefers InternalIP for load balancer pool members. If the user configures loadbalancer.openstack.org/member-subnet-id pointing to a subnet that corresponds to the node's ExternalIP, the pool members end up with an IP outside that subnet because the Octavia API lets the address field take precedence over subnet_id.

This PR adds a new service annotation loadbalancer.openstack.org/node-address-type that allows users to set ExternalIP to reverse the address selection priority. When set, ExternalIP is tried first with a fallback to InternalIP. Default behavior (InternalIP first) is unchanged.

Which issue this PR fixes (if applicable):
fixes #3090

Special notes for reviewers:

  1. The annotation accepts the string ExternalIP (matching corev1.NodeExternalIP). Any other value (including empty/absent) preserves existing behavior.
  2. getSubnetIDForLB intentionally passes "" for the new parameter since it auto-detects the subnet and should always use InternalIP for that purpose.
  3. The applyNodeSecurityGroupIDForLB caller is also updated so the security group is applied to the port matching the address actually used for the pool member.

Release note:

[openstack-cloud-controller-manager] Add `loadbalancer.openstack.org/node-address-type` annotation to control which node address type (InternalIP or ExternalIP) is used for load balancer pool members.

…tion

When nodes have multiple network interfaces, the existing behavior of
always preferring InternalIP for load balancer pool members can result
in members being created with an IP address that does not belong to the
configured member-subnet-id. This causes a mismatch because the Octavia
API lets the address field take precedence over subnet_id.

Add a new service annotation `loadbalancer.openstack.org/node-address-type`
that allows users to set `ExternalIP` to reverse the address selection
priority. When set, ExternalIP is tried first with a fallback to
InternalIP. Default behavior (InternalIP first) is unchanged.

Signed-off-by: Jathavedhan M <jathavedhan.m@ibm.com>
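
The selection order described above, as an added example that is not code from this PR or from cloud-provider-openstack: it picks a member address by preferred type with fallback, then checks whether that address falls inside the member subnet. `NodeAddress`, `pickMemberAddress`, `inSubnet` and the sample addresses and CIDR are hypothetical names and constructed values.

```go
package main

import (
	"fmt"
	"net"
)

// NodeAddress mirrors the type/address pair of corev1.NodeAddress so the
// example needs no Kubernetes dependency (hypothetical stand-in type).
type NodeAddress struct {
	Type    string
	Address string
}

// pickMemberAddress returns the first parseable address of the preferred type,
// falling back to the other type. Any value other than "ExternalIP" keeps the
// InternalIP-first default described in the PR.
func pickMemberAddress(addrs []NodeAddress, preferred string) (string, error) {
	order := []string{"InternalIP", "ExternalIP"}
	if preferred == "ExternalIP" {
		order = []string{"ExternalIP", "InternalIP"}
	}
	for _, t := range order {
		for _, a := range addrs {
			if a.Type == t && net.ParseIP(a.Address) != nil {
				return a.Address, nil
			}
		}
	}
	return "", fmt.Errorf("no usable InternalIP or ExternalIP address")
}

// inSubnet reports whether addr lies inside cidr; a false result is the
// member/subnet mismatch the PR description refers to.
func inSubnet(addr, cidr string) bool {
	_, n, err := net.ParseCIDR(cidr)
	ip := net.ParseIP(addr)
	return err == nil && ip != nil && n.Contains(ip)
}

func main() {
	// Constructed sample: a node with two interfaces and a member subnet CIDR
	// standing in for the subnet referenced by member-subnet-id.
	node := []NodeAddress{{"InternalIP", "10.0.0.5"}, {"ExternalIP", "192.0.2.17"}}
	memberSubnet := "192.0.2.0/24"
	for _, pref := range []string{"", "ExternalIP"} {
		addr, _ := pickMemberAddress(node, pref)
		fmt.Printf("node-address-type=%q -> %s inSubnet=%v\n", pref, addr, inSubnet(addr, memberSubnet))
	}
}
```
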
@k8s-ci-robot k8s-ci-robot added the release-note-none Denotes a PR that doesn't merit a release note. label Jun 16, 2026
@k8s-ci-robot

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign stephenfin for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested review from anguslees and kayrus June 16, 2026 08:48
@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 16, 2026
@k8s-ci-robot

Contributor

Hi @carterpewpew. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Jun 16, 2026